Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Non Administrator needs server shutdown access

Posted on 2012-04-02
15
442 Views
Last Modified: 2012-06-27
Hello, new guy here on the site, hopfully can get a solid answer from the pros.  :)

I have a user who needs the ability to shutdown / restart a Windows 2003 Citrix server without domain admin rights. I currently have him in the backup operators group, print operators group and server operators group, but he still has no permissions to restart the servers in the domain. When he tries, the only opions available are log off and disconnect.

Since this is a domain account, what can be done to make this happen?  We mainly want him to be able to add printers, and restart our citrix servers when necessary.  

Am I going about this correctly so he can acomplish this task, or is there a better way of going about this?

Thanks,
0
Comment
Question by:kjs00333
  • 6
  • 5
  • 2
  • +2
15 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796101
can they try to shutdown from their own machine using command.
shutdown /m \\machine name
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796123
also on the server you can give permissions
go to Local Secuirty policy
under -> Security Settings-> Local policies-> user Rights Assignment
give permission to user or group under "Shutdown the system"
0
 
LVL 19

Expert Comment

by:helpfinder
ID: 37796135
what if he try command shutdown -i?
This command calls shutdown GUI where he is able to set hostname or IP of machine, action (shutdown, restart, logoff) and delay for chosen action - is this commend allowed for him?
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 

Author Comment

by:kjs00333
ID: 37796137
I can have him try and see, but we would prefer he can do it from within an RDP session since he will be already logged in remotely to the Citrix server.
0
 

Author Comment

by:kjs00333
ID: 37796173
I have tried the local policy option but it is greyed out and I cannot add users. However, the group backup operators is listed as a group that is allowed to shut down the system but I think that's a local group, not a domain group.  The user in question is a member of the backup operators group at the domain level. I guess I could go through and add him to that local group as well for each server.

The issue is we have many Citrix servers he will need to access and restart when necessary. Would be much easier if this could be implemened at the domain level versus the local server level.


*EDIT* - adding the domain account to the backup operators group on the local server did nothing. There is still no restart command from the shut down menu.
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796270
you can create a small Batch script on the desktop for all users. so incase the user want to shutdown they can run the script.
shutdown /s
0
 

Author Comment

by:kjs00333
ID: 37796315
Yes, but if the user has no permissions to shut down the server from the regular shut down menu, will this command work for a restart using command line?
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37796331
first i will want to change my command to shutdown /r so that user restart the machine and not shutdown.
as i think you already have given the permission and seems just the interface is not coming.
Give a try.
0
 
LVL 1

Expert Comment

by:despujols
ID: 37796377
To make this, you can execute an "runas" command in a batch file.

In this case, you must use an admin account. Attention, the password are in clear.

You can use a converter Batch to Exe to hide the batch file and the password

Ex : http://www.battoexeconverter.com/
0
 

Author Comment

by:kjs00333
ID: 37796399
The problem is I would need to make a separate batch file for each individual server in our environment and that is quite a few. There is no way to do this on the domain level with user permission modifications?
0
 
LVL 1

Expert Comment

by:despujols
ID: 37796451
You have, in AD GPO under \Windows parameters\local policies\users right\Shutdown system.

But all users or group who have this right can reboot or SHUTDOWN the server.

I think, it's more secure to use a batch with a log file to know user who have lauched this script.
You need only one batch for all user.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 37798828
Hi.
I have tried the local policy option but it is greyed out and I cannot add users.
Please run rsop.msc at the server to see where that greying originates and change that policy. If needed, make that policy apply to all but this server so you can change it locally.

If that does not work out, use a scheduled task to shutdown/restart the server. Scheduled tasks are files, too, so we can modify ACLs on them. Create a task and use some admins credentials in it. Now modify the ACL so that that very user may read and execute that task.
0
 

Accepted Solution

by:
kjs00333 earned 0 total points
ID: 37805993
Was able to resolve this by using the Citrix access management console, and playing with some of the citrix administrator custom permissions. User is now able to restart the server and the option is no longer hidden.

Thanks all
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37806002
Great....
0
 

Author Closing Comment

by:kjs00333
ID: 37822702
Self - Resolved
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
bios password 8 46
Will DB Backup's  cleanup job will cause Paging ? 6 46
Unable to RDP To cloned xenapp servers 4 139
Help with computer errors 18 126
In a hurry?.. scroll down to "HERE's HOW TO DO IT" Section. Greetings All, I was going to post this as question/solution, but its seems more appropriate as an article considering its length.  I felt it important to illucidate all the details c…
Log files are useful in diagnosing and repairing problems.  This is a list of common log files and their standard locations that I've compiled.   While this is not exhaustive, it is a pretty good list that I've found to be useful.  I may update it f…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question