Script to automatically shutdown and restart a Windows XP computer on Domain - Permission Denied

I have a .bat batch file of these commands to shut down a lab of computers and a second batch file to restart them. I use the following command:
shutdown -s -m \\computername -t 0

This works very well since I am under the group "Domain Admins" because I have full power over the domain. I have teachers responsible for each computer lab, and I would appreciate them using the scripts too so they can close up shop at the end of the day. They try to run the script and get "Access Denied / Permission Denied" errors. They are part of the "users" group and do not have permission to shutdown computers remotely. How can I make it so they can remotely shutdown/restart comptuers and not give them admin priviledges? Also, they must not have priviledges to installs apps, so power users may be out too.

I abdolutely do not want to schedule the computers shutdown because there is no pattern in shutdown times.

thx
LVL 2
atkfrg56Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

tmackCommented:
set up a local policy to allow them the remote shutdown privilege..
0
Nirmal SharmaSolution ArchitectCommented:
>>>This works very well since I am under the group "Domain Admins"

I assume you are running Domain Controller and they are member of Domain Controller..so you need to configure this right in Default Domain Policy and you do not need to setup local policy...if you set local policy and set anything in Default Domain Policy the settings will be overridden by Default Domain Policy. So better you set this in Default Domain Policy.

1. Create a group called "ShutDownGroup"
2. Add all members to this Group.
3. Open Active Directory Users And Computers
4. Right click on domain_name.com > Property > Group Policy > Click "Default Domain Policy" > Edit > and then navigate to the following location: -

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignments\ and then edit the following policy :-

"Shutdown the system" > add the group you created "ShutDownGroup".

5. Now Close it and return to Group Policy Tab.
6. goto Security Tab of Group Policy and then set the following permissions: -

Remove the following group: -
Authenticated Users.

Add the following group: -
ShutDownGroup.

Set the following permissions for this group: -

Read and Apply Group Policy.

7. Finally click Apply and ok.
8. Now restart your all client computers.

Now try they can shutdown it.

Let me know.

Thanks
SystmProg
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
atkfrg56Author Commented:
tmack ,
could you be more specific please...there are lots of group polices I could use. Could you locate the 'remote shutdown policy' for me please, I am unable to find it.

SystmProg ,
I gave your idea a shot before I posted because I found it in the ee archive relating to another issue. I found that this setting didnt changes any settings with remote shutdowns...but it did change the shutdown permissions for the user logged onto the computer locally. A user not in the shutdown group, such as anyone not in the 'teachers' group I used instead of 'shutdowngroup' could only 'log out' of the computers when they clicked on shutdown instead of 'restart, hibernate, standby, shutdown'. This even applied to the local administrator which is a local account and not on the domain.
I am going to follow your directions specifically when I get back to the office for another try though, I could have messed stuff up along the way.
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Nirmal SharmaSolution ArchitectCommented:
Ok give it a try and let me know.

You can also look at another tool which will assist you in creating the batch script and its absloutely free: -
To get this tool, point your browser to this link http://www.beyondlogic.org/consulting/remoteprocess/BeyondExec.htm 

Another freeware proggy also: -
http://www.beyondlogic.org/solutions/shutdown/shutdown.htm

I think there is one more command line switch you are missing 'shutdown -s -f -m \\computer'.

Let me know.

Thanks
SystmProg
0
atkfrg56Author Commented:
Hmm, I gave it another shot and it appears to have no effect on remote scripts, only controls local machine. This is really strange, because I cant think of a logical way to get it done via windows 1st party applications.
0
Nirmal SharmaSolution ArchitectCommented:
Does the group policy thing work?
0
atkfrg56Author Commented:
Naw, cant get the group policy method to work. My last post was explaining it.
0
Nirmal SharmaSolution ArchitectCommented:
Hi,
Sorry for late response....Did you solve the problem?
0
atkfrg56Author Commented:
SystmProg,
I still cant get it to work. I will give you the points for your efforts when this closes...doubt anyone will get the solution.
thx
0
tmackCommented:
this would be under your "local security setting"'s for the PC  and then go to "local policies" then "user rights assignments" and then "force shutdown from a remote system" add your users to that and you should be good to go.

T
0
atkfrg56Author Commented:
tmack,
I cannot get that option to work either. Instead of 'Access Denied' I get "not privilidged to use this command".



I gave up on this, and we now have an .asp script that a user logs in and the user has buttons to run pre-defined scripts on the server. We can track who uses the scripts (an added feature) and only the users we want can run them. Works very nice, its all windows, and i have the power i need.

 Points will be split 200/300 for efforts. thx
0
Nirmal SharmaSolution ArchitectCommented:
Thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.