rmefford

asked on

How do I allow our non-admin support users to reboot a Domain Controller using Remote Desktop

How do I allow our non-domain admin or local admin support users to reboot a Domain Controller using Remote Desktop?

After we apply certain security patches over a weekend, our Level 3 support team needs access to reboot them.  I would like them to use their own accounts to perform this action, while using Remote Desktop.

Is this possible?  Is there a permission I should grant them?  I have already given them access to log on to the DC servers with their accounts.  Is there a hack?

Help
NJComputerNetworks

You can try this...

In Control Panel --> Administrative Tools --> open Terminal Services Configuration...

Highlight Connections... Right-click RDP-Tcp and choose Properties from the drop-down list...

On the Permissions tab, highlight Remote Desktop Users... Give them FULL CONTROL...


However, I don't think this will work, as you need administrator rights on the machine to reboot. Therefore, you might want to look into the http://www.sysinternals.com/ tools to reboot with other credentials... however, this implies a security problem, as you would either have to cache a password or basically give the people administering the reboot admin rights...

Some servers will shut down when the power button is pressed...(safe shutdown)...  They can walk to the server and do this...  just need physical access..

Some servers like Dell and HP, come with remote management boards that will allow you to remotely reboot the servers.  Dell and HP also have management agents that you can install that will allow you to remotely troubleshoot the server.  Included in this is reboots...  

A better solution might be to have the people who are installing the patches actually perform the reboot. If you are using SMS or SUS, you can force the reboots.
Then have the support desk monitor the server to make sure they actually come back online after the reboot...
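Before granting anything, a practitioner would first want to see who already holds the shutdown-related user rights on the DC, since that is what actually decides who can reboot it. The script below is an added audit example, not part of this thread; it assumes PowerShell and an elevated session on the DC itself, and the right names are the standard Windows privilege constants.

```powershell
# Added example: export the local security policy and list who holds the
# user rights that control shutdown and Remote Desktop logon on this server.
# Assumes an elevated PowerShell session on the DC (secedit needs admin).
$cfg = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Standard Windows user-right constants relevant to the question.
$wanted = @(
    'SeShutdownPrivilege',          # "Shut down the system"
    'SeRemoteShutdownPrivilege',    # "Force shutdown from a remote system"
    'SeRemoteInteractiveLogonRight' # "Allow log on through Terminal Services"
)

foreach ($line in Get-Content $cfg) {
    # Lines in [Privilege Rights] look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
    if ($line -match '^(?<name>Se\w+)\s*=\s*(?<vals>.*)$' -and $wanted -contains $Matches.name) {
        $holders = foreach ($v in ($Matches.vals -split ',')) {
            $v = $v.Trim()
            if ($v.StartsWith('*')) {
                # Entries are SIDs prefixed with '*'; translate to a readable name when possible.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $v }
            } else { $v }
        }
        '{0}: {1}' -f $Matches.name, ($holders -join ', ')
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Anyone listed under SeShutdownPrivilege can reboot the box once logged on, regardless of RDP permission settings, so compare that list against the Remote Desktop Users membership before changing either.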
rmefford

ASKER

We use SMS here; however, we do not force the reboot because some of these servers are running production systems that can only be rebooted at scheduled times or the line stops.

I already tried your first solution, and that does not work.  Any other ideas?  
Sounds like you have the right tool. SMS can reboot the servers at precise times... You can even give your 3rd level support team the ability to reboot your systems (even though they don't have the rights to do this from an OS perspective).

So, in SMS, you can schedule your patches as normal WITHOUT the reboot.


Then you can create a separate advertisement in SMS to perform a reboot. Just create a bat file that does nothing. Create a new package... and a new program that targets this empty bat file. Then set the SMS setting to REBOOT the machine after the program runs: "SMS restarts computer".

Now, create an Advertisement that targets your domain controllers (based on collection).  Schedule this advertisement to occur at the proper reboot time.

As an alternative, you can create the Advertisement to run 20 years from now (or some time in the future).  Then in the Advertisement select ALLOW USERS to RUN Program.

Then at the appropriate time, your 3rd level support team can remote desktop to the server. Use this to get a console remote control session:

Start --> Run: mstsc.exe /v:ServerDCNamehere /console

They can then go into Control Panel --> RUN ADVERTISED PROGRAMS and choose to run the reboot advertisement... This will reboot the machine...

-later
I understand how SMS works, and that is not the issue here; my level 3s do not use SMS and I don't want to start asking them to.

I just want to know if there is a way, any way, I can set up Remote Desktop to allow domain users to reboot a domain controller. There has to be a hack or setting in the registry for Terminal Services.

ASKER CERTIFIED SOLUTION
dmccurdy51

That worked!  Thanks!