How can Non-Domain Admins logon to a DC?

Posted on 2012-09-19
Last Modified: 2012-09-20
Hi guys,

We have several Divisions all over the country, each with their own Windows 2008 Server AD Domain Controllers (all with the Global Catalog Role installed).

How can I give the LAN Administrators on-site RDP Access to the Servers to shut them down? (or at least another method of shutting them down remotely from another Server using the shutdown.exe command or using RSAT or something)

We regularly get situations where the power goes down, the UPS wants to die on them and they need to shut down their own Servers to avoid a catastrophe, and they cannot shut them down themselves.

Thanks for helping with this one.

Question by: ReinhardRensburg

    Author Comment

    Sorry, I forgot to add a very important bit of detail: I want them to be able to shut down the DCs without making them a member of the Domain Admins or Enterprise Admins group.... :)
    LVL 87

    Expert Comment

    You should have the UPS properly setup. A UPS that has been properly setup and configured on the servers will shut them down gracefully automatically (after a certain threshold time without power) if there is a power failure. Check the manuals of the UPS for further details.

    Apart from that, most servers from manufacturers like DELL or HP have a module installed (iDRAC in DELL's, Lights-Out in HP's), to which you can log on whether the server itself is running or not (via a web browser). These modules allow you to shut a server down, power it on, etc. Depending on the version of the module you can also have further functions, like a console view which shows you the server's POST display and lets you change BIOS entries, etc. So check your servers' manuals on those modules and configure them, and if there aren't any such modules already installed in your servers, most manufacturers have options available to add them.
    LVL 7

    Expert Comment

    If the Admins have physical access to the PCs they can always short-press the power button to request a shutdown via the ACPI interface.  If the servers have IPMI/iLO boards in them they can remotely press the power button.

    We have a similar set up to you with local admins responsible for local servers and UPS infrastructure.  Installing many different UPS agents was deemed to be an overhead that we did not want to commit to.  The DC's are managed by a small team.  Out of core hours the local IT admins are allowed to press the power button should they so wish - after all, they are the ones that are going to get the support calls if someone cannot log on.

    Hope this helps


    Author Comment

    Hi rindi,

    Thanks for the tips and advice on how to manage and set up our UPSs etc. and manage our site, but that is not what I want to know. Just as a matter of interest: it is a huge UPS and generator driving the entire building, not a little Mickey Mouse 10 kVA rackmount APC that has a LAN and USB port to plug into a server so that it can shut down the server.

    The reason for wanting to shut down the DC is actually irrelevant to my question (it is not always because the power is off). I just want to know, from a technical point of view, how one gives rights in Active Directory to a normal AD user so that this user has the appropriate rights to shut down the DC with his AD account, and not how to plug in and configure my UPS units on-site.
    LVL 87

    Expert Comment

    I can't really follow the reason above for not setting up the UPS properly. It should be easy for any server Admin to do the setup. Also, if the UPS isn't setup properly, how will you be informed about the health of the batteries? Another thing, what happens if the power failure happens when no Admin is on-site, for example in the middle of the night? No one will know about the failure and the Servers will just shut-off ungracefully once the batteries are empty. I therefore see absolutely no reason to not use the functions a UPS provides. You might as well go without them...
    LVL 87

    Expert Comment

    Then use the iDRAC or iLO or whatever your server has to shut it down remotely. You can set those up for the users you want and don't need to do it via Active Directory. They just need to log on to that system.
    LVL 4

    Expert Comment

    If you are using the "Default Domain Controllers Policy", the following groups are allowed to shut down a DC:
    Server Operators
    Print Operators
    Backup Operators
    You can of course create a new group and add this to a new GPO that you link to the Domain Controllers OU. You find the policy setting here:

    Computer Configuration
            Windows Settings
                Security Settings
                    Local Policies/User Rights Assignment
                        Shut down the system
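As an added example (not code from the thread or from the answerer), the check a practitioner runs before and after changing that policy setting: it exports the User Rights Assignment as actually in effect on the DC it runs on (local policy merged with every applied GPO) and resolves the grantee SIDs to names. Besides "Shut down the system" it also reports "Force shutdown from a remote system", which is what a `shutdown.exe /s /m \\dc` from another server needs, and the two logon rights. Run it elevated on the DC; the only assumption is the temporary file it writes under `$env:TEMP`.

```powershell
# Added example, not code from the original thread. Run elevated on a domain
# controller: exports the effective User Rights Assignment (local policy merged with
# every applied GPO) via secedit and resolves the grantee SIDs to names for the
# rights that matter for console logon, RDP logon, local shutdown and remote shutdown.
$wanted = [ordered]@{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    SeShutdownPrivilege           = 'Shut down the system'
    SeRemoteShutdownPrivilege     = 'Force shutdown from a remote system'
}

function Get-EffectiveUserRights {
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())   # temp file, assumption
    & secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    try {
        foreach ($line in Get-Content -Path $cfg) {
            # secedit writes lines such as: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
            if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $right = $Matches[1]; $raw = $Matches[2]
            if (-not $wanted.Contains($right)) { continue }
            $names = foreach ($entry in ($raw -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    # "*S-1-5-..." is a SID; SIDs that no longer resolve are printed as-is
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
                } else { $entry }
            }
            [pscustomobject]@{ Right = $wanted[$right]; Constant = $right; Grantees = @($names) }
        }
    } finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

# Which of the four rights does one specific principal hold on this DC?
function Test-PrincipalRights([string]$Principal) {
    foreach ($r in Get-EffectiveUserRights) {
        [pscustomobject]@{ Right = $r.Right; Granted = [bool]($r.Grantees -contains $Principal) }
    }
}

Get-EffectiveUserRights | Format-Table Right, Grantees -AutoSize
Test-PrincipalRights 'BUILTIN\Server Operators'
```

A right that no GPO or local policy defines is absent from the export, so a missing line means nobody holds it on that DC.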

    Author Comment

    Hi MMe12,

    Thanks for the info, that sounds like the stuff I am looking for. If an AD user is part of the "Server Operators" security group, would this by any chance also give them the required rights to log in to the DC (when standing in front of the server) in order to go "Start -> Shut down", or would this only enable them to do it remotely from another PC?

    What I am trying to get at is that I want my LAN Administrators to be able to log in to their own DC on-site, mainly to shut it down, but also to be able to log in to it for other reasons if they need to, but not to then have full rights in "AD Users and Computers" (so almost a case of letting them into the server but with no "Domain Admin" rights, only the rights that their AD account had before they could log in to the DC itself).

    If it does not make sense then here's more info. to try and explain my scenario:

    I have a division 400 km from me. The LAN administrator there has one Domain Controller on-site; he had to shut it down the other day to add another hard drive to it because one internal HDD failed on us and he had to replace it. He could not get into the DC (logging into it when standing in front of it) in order to shut it down, and he could then also not log in to it afterwards in order to go into the Array Utility to check that it picked up the new HDD and is rebuilding the RAID onto it. (So I want to give them more control of their own DCs but not more rights in AD itself.) So whatever he can do within RSAT at the moment (only admin his divisional OUs and users) must stay like that, but he must also be able to log on at the console of the DC.

    LVL 4

    Accepted Solution

    Hi Reinhard,

    At the same policy level I outlined above you'll find the user right "Allow log on locally", which in the Default Domain Controllers Policy is granted by default to Administrators, Backup Operators, Account Operators, Server Operators and Print Operators.

    It should work the way you want if you create a new group for the desired users and add this to the appropriate policy settings within a new GPO linked to the Domain Controllers' OU. This will of course change the user rights on all domain controllers, not just the ones you might want to restrict them to!

    To have different user rights on different DCs you'd either have to use local policies on each desired DC, or (my favorite approach) create different GPOs for each group of DCs and then use security filtering (using the DCs' computer accounts or security groups with DCs as members) for these GPOs to only apply to the DCs you want.

    I hope I explained it sufficiently; I could perhaps explain it better in German ;-)
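The accepted answer's procedure carried through end to end, as an added PowerShell example (not the answerer's code and not a script from the original page): it creates a delegation group, creates a GPO linked to the Domain Controllers OU, writes the two user rights the answer names plus the RDP and remote-shutdown rights the question also asks for into the GPO's security template, and optionally applies the security-filtering approach from the last paragraph to one division's DCs. There is no GroupPolicy cmdlet for User Rights Assignment, so the settings are written directly to the GPO's GptTmpl.inf in SYSVOL and the GPO's version and client-side-extension list are updated so the DCs re-read it. All names (DC-Console-Operators, the GPO display name, DCs-Division-A, the member account) are assumptions. Two points a practitioner wants here: User Rights Assignment lists replace rather than merge, so the Default Domain Controllers Policy grantees are repeated in the new GPO (otherwise Administrators lose console logon on every DC); and the built-in Server, Print and Backup Operators groups mentioned earlier in the thread are not a least-privilege alternative on a DC, because each carries privileges (service control, backup of the directory database, driver loading) that escalate to full control of the directory, which is why this example uses a fresh group holding only these four rights.

```powershell
# Added example, not code from the original thread. Delegates console/RDP logon and
# shutdown on domain controllers to a custom group via a GPO on the Domain Controllers
# OU, without touching Domain Admins or the built-in operator groups.
# Requires the RSAT ActiveDirectory and GroupPolicy modules, run as a Domain Admin.
# $groupName, $gpoName, $filterGroup and the member account are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain      = Get-ADDomain
$dcOu        = $domain.DomainControllersContainer          # OU=Domain Controllers,DC=...
$sysvol      = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$groupName   = 'DC-Console-Operators'                      # hypothetical delegation group
$gpoName     = 'DC - Delegated console logon and shutdown' # hypothetical GPO name
$filterGroup = $null   # e.g. 'DCs-Division-A', a group of DC computer accounts, to limit scope

# 1. The delegation group. Put the on-site LAN admins in it and nothing else.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                 -Path "CN=Users,$($domain.DistinguishedName)" -PassThru
}
# Add-ADGroupMember -Identity $group -Members 'lanadmin.divisionA'   # hypothetical user

# 2. A dedicated GPO linked to the Domain Controllers OU with higher precedence
#    (link order 1) than the Default Domain Controllers Policy.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $dcOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) { New-GPLink -Guid $gpo.Id -Target $dcOu -LinkEnabled Yes -Order 1 | Out-Null }

# 3. User Rights Assignment. These lists do not merge across GPOs: the winning GPO's
#    list REPLACES the Default Domain Controllers Policy list, so the default grantees
#    must be repeated here. SIDs of the well-known groups are stable across domains.
$admins = 'S-1-5-32-544'; $acctOps = 'S-1-5-32-548'; $srvOps = 'S-1-5-32-549'
$prtOps = 'S-1-5-32-550'; $bkpOps = 'S-1-5-32-551'; $new = $group.SID.Value
function Join-Sids([string[]]$s) { ($s | ForEach-Object { "*$_" }) -join ',' }

$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $(Join-Sids $admins,$acctOps,$bkpOps,$prtOps,$srvOps,$new)
SeRemoteInteractiveLogonRight = $(Join-Sids $admins,$new)
SeShutdownPrivilege = $(Join-Sids $admins,$bkpOps,$prtOps,$srvOps,$new)
SeRemoteShutdownPrivilege = $(Join-Sids $admins,$srvOps,$new)
"@
$secEdit = Join-Path $sysvol "{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit"
New-Item -ItemType Directory -Path $secEdit -Force | Out-Null
Set-Content -Path (Join-Path $secEdit 'GptTmpl.inf') -Value $inf -Encoding Unicode

# 4. Register the Security client-side extension on the GPO and bump the version in
#    AD (versionNumber) and in gpt.ini, otherwise DCs never re-read the template.
$secCse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
$obj = Get-ADObject -Identity $gpo.Path -Properties gPCMachineExtensionNames, versionNumber
$ext = [string]$obj.gPCMachineExtensionNames
if (-not $ext.Contains($secCse)) {
    # entries are [{CSE}{MMC extension}] pairs and must stay sorted by GUID
    $entries = @([regex]::Matches($ext, '\[[^\]]+\]') | ForEach-Object { $_.Value }) + $secCse
    $ext = ($entries | Sort-Object -Unique) -join ''
}
$version = [int]$obj.versionNumber + 1             # low 16 bits = machine-side version
Set-ADObject -Identity $gpo.Path -Replace @{ gPCMachineExtensionNames = $ext; versionNumber = $version }
$gptIni = Join-Path $sysvol "{$($gpo.Id)}\gpt.ini"
(Get-Content -Path $gptIni) -replace '^Version=\d+', "Version=$version" | Set-Content -Path $gptIni

# 5. Optional: apply the GPO only to one division's DCs by security filtering on a
#    group that contains those DC computer accounts. Authenticated Users keeps Read
#    (every DC must still be able to read the GPO) but loses Apply.
if ($filterGroup) {
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Guid $gpo.Id -TargetName $filterGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}
```

Afterwards run `gpupdate /force` on the DC (if the filter group is used, the DC has to reboot first, since its computer token only picks up the new group membership at the next logon), then have a delegated user log on at the console and run `whoami /priv`: SeShutdownPrivilege should be listed, and SeBackupPrivilege or SeLoadDriverPrivilege should not, which is the difference between this group and the built-in operator groups.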


    Author Closing Comment

    Awesome, thanks MMe12! Exactly what I wanted to find out :) You rock!
