How do I allow our non-admin support users to reboot a Domain Controller using Remote Desktop

Posted on 2006-05-16
Last Modified: 2012-05-05
How do I allow our non-domain admins or local admin support users to reboot a Domain Controller using Remote Desktop?

After we apply certain security patches over a weekend, our Level 3 support team needs access to reboot them.  I would like them to use their own accounts to perform this action, while using Remote Desktop.

Is this possible?  Is there a permission I should grant them?  I have already given them access to log on to the DC servers with their accounts.  Is there a hack?

Question by:rmefford
LVL 33

Expert Comment

ID: 16692060
You can try this...

In Control Panel -- Administrative Tools -- open Terminal Services Configuration...

Highlight Connections....Right click RDP-Tcp and choose Properties from the drop down list...

On the permissions tab, highlight Remote Desktop Users...  Give them FULL CONTROL...

However, I don't think this will work as you need administrator rights on the machine to reboot.  Therefore, you might want to look into the http://www.sysinternals.com/ tools to reboot with other credentials...  however, this implies a security problem as you would either have to cache a password or basically give the people administering the reboot admin rights...

Some servers will shut down when the power button is pressed...(safe shutdown)...  They can walk to the server and do this...  just need physical access..

Some servers like Dell and HP, come with remote management boards that will allow you to remotely reboot the servers.  Dell and HP also have management agents that you can install that will allow you to remotely troubleshoot the server.  Included in this is reboots...  

LVL 33

Expert Comment

ID: 16692076
A better solution might be to have the people who are installing the patches actually perform the reboot.  If you are using SMS or SUS you can force the reboots.
LVL 33

Expert Comment

ID: 16692080
Then have the support desk monitor the server to make sure they actually come back online after the reboot...

Author Comment

ID: 16692239
We use SMS here, however we do not force the reboot because some of these servers are running production systems, that can only be rebooted at scheduled times or the line stops.  

I already tried your first solution, and that does not work.  Any other ideas?  
LVL 33

Expert Comment

ID: 16692762
Sounds like you have the right tool.  SMS can reboot the servers at precise times...  You can even give your 3rd level support team the ability to reboot your systems (even though they don't have the rights to do this from an OS perspective.)

So, in SMS, you can schedule your patches as normal WITHOUT the reboot.

Then you can create a separate advertisement in SMS to perform a reboot.  Just create a bat file that does nothing.  Create a new package...and a new program that targets this empty bat file executable.  Then set the SMS setting to REBOOT the machine after the program runs.  "SMS Reboots machine".

Now, create an Advertisement that targets your domain controllers (based on collection).  Schedule this advertisement to occur at the proper reboot time.

As an alternative, you can create the Advertisement to run 20 years from now (or some time in the future).  Then in the Advertisement select ALLOW USERS to RUN Program.

Then at the appropriate time, your 3rd level support team can remote desktop to the server. Use this to get a console remote control:  

Start > Run:    mstsc.exe /v:ServerDCNamehere /console

They can then go into Control Panel --> RUN ADVERTISED PROGRAMS and then choose to run the reboot advertisement...  This will reboot the machine...


Author Comment

ID: 16693092
I understand how SMS works, and that is not the issue here; my level 3's do not use SMS and I don't want to start asking them.

I just want to know if there is a way, any way I can setup Remote Desktop to allow domain users to reboot a domain controller.  There has to be a hack or setting in the registry for Terminal Services.


Accepted Solution

dmccurdy51 earned 2000 total points
ID: 16693816
First of all I would not do this.  DCs are for Domain Administrators.  Make him a Domain Admin or do the work yourself.

1.a. To grant access to RDP:
    Start/Programs/Admin Tools/Terminal Services Configuration
      Right click on RDP-Tcp and select Properties.
      Go to the Permissions tab.
      Add the group and grant them User Access.
  b. You may need the "Log on locally" permission as well.

2. Second, you will need to modify the Local Security Policy to allow reboot.
   Open "Local Security Policy" and browse to
       Local Policies
          User Rights Assignment
             Shut down the system

Personally I would grant them "Force shutdown from remote system" and have them reboot it remotely.
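The two user rights named in the accepted answer map to SeShutdownPrivilege and SeRemoteShutdownPrivilege. The script below is an added example (not from this thread) that exports the rights as applied on the DC and lists who holds each one, so you can confirm the grant landed on the intended support group and nothing broader; the scratch file path is an assumption. On a DC the effective value normally comes from the Default Domain Controllers Policy, so check the export rather than the local policy editor alone.

```powershell
# Added example: audit who can shut down this machine locally or remotely.
# Assumes it runs elevated on the domain controller being checked.
$exportPath = Join-Path $env:TEMP 'userrights.inf'   # assumed scratch location
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# Only the two rights that let a user reboot the box matter here.
$rightsOfInterest = @{
    SeShutdownPrivilege       = 'Shut down the system'
    SeRemoteShutdownPrivilege = 'Force shutdown from a remote system'
}

function Convert-SidToName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # unresolvable SID: show it raw rather than drop it
    }
}

$report = Get-Content $exportPath | ForEach-Object {
    # secedit lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
    if ($_ -match '^(SeShutdownPrivilege|SeRemoteShutdownPrivilege)\s*=\s*(.*)$') {
        $right   = $Matches[1]
        $holders = $Matches[2] -split ',' | ForEach-Object {
            $h = $_.Trim()
            # SIDs are prefixed with '*'; anything else is already a name
            if ($h.StartsWith('*')) { Convert-SidToName $h.Substring(1) } else { $h }
        }
        [pscustomobject]@{
            Right   = $rightsOfInterest[$right]
            Holders = ($holders -join '; ')
        }
    }
}

$report | Format-Table -AutoSize
Remove-Item $exportPath -ErrorAction SilentlyContinue
```

Run it again after the policy refresh (gpupdate /force) to confirm the support group appears under "Force shutdown from a remote system" and that no unexpected principals were added.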

Author Comment

ID: 16699253
That worked!  Thanks!

Question has a verified solution.
