jmdion asked:

How do I allow a domain machine account to shut down the domain controller with PowerShell?

I have this PowerShell script, which works OK to shut down non-DC computers:

      Stop-Computer -ComputerName ACOMPUTERNAME -Force

To make it work I added the machine account where the script runs to the local Administrators group of each target computer.

But for shutting down the domain controller I'm stuck because there's no local Administrators group.

I tried adding the account to the user rights assignments "Force shutdown from a remote system" and "Shut down the system" in the Default Domain Controllers Policy, but that doesn't seem to work.

Is it that the only account that can shut down the DC is the domain Administrator?  Then I would have to use the -Credential parameter and store the credential and it looks complicated and I hoped I wouldn't have to do that.

The servers are Windows Server 2008 R2.
Dale Harris
jmdion


Thanks for the reply.

I decided to add the machine account that's running the script to the BuiltIn Administrators Group in AD.

The alternative was to store the password of the domain Administrator on the calling machine, encrypted, protected, with lots of possibilities of making mistakes because I don't know this stuff well. I don't think my solution is super unsafe because: (1) it's just my personal network at home and I back up often and (2) in Hacking Exposed Windows they say "We’ve never heard of a case where exploitation of a machine account has resulted in a serious exposure ...".
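
Added example, not part of the thread: one way to check which accounts actually hold the two user rights mentioned in the question ("Shut down the system" is `SeShutdownPrivilege`, "Force shutdown from a remote system" is `SeRemoteShutdownPrivilege`) once Group Policy has applied on the DC. It parses a `secedit` user-rights export; the function name, the export path and the sample lines are constructed for illustration.

```powershell
# On the DC, export the effective user rights first (path is a placeholder):
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
function Get-ShutdownRightHolder {
    param([string[]]$InfLines)
    $rights = 'SeShutdownPrivilege', 'SeRemoteShutdownPrivilege'
    foreach ($line in $InfLines) {
        # Lines look like: SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $name = $entry                      # plain account names are kept as written
                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs as *S-1-...; resolve to a name when possible
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = $sid.Value }    # unresolvable SID: show the raw SID
                }
                New-Object PSObject -Property @{ Right = $right; Holder = $name }
            }
        }
    }
}

# Constructed sample of an export, using well-known built-in group SIDs
$sample = @(
    '[Privilege Rights]'
    'SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551'
    'SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549'
    'SeBackupPrivilege = *S-1-5-32-544'
)
Get-ShutdownRightHolder -InfLines $sample | Format-Table Right, Holder -AutoSize

# Against a real export:
#   Get-ShutdownRightHolder -InfLines (Get-Content C:\Temp\rights.inf)
```

If the machine account (shown as `DOMAIN\COMPUTERNAME$`) is missing from the output, the policy change has not reached the DC; if it is present, the rights are in place and the failure lies elsewhere.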