How can Non-Domain Admins logon to a DC?

Posted on 2012-09-19
Medium Priority
Last Modified: 2012-09-20
Hi guys,

We have several Divisions all over the country, each with their own Windows 2008 Server AD Domain Controllers (all with the Global Catalog Role installed).

How can I give the LAN Administrators on-site RDP Access to the Servers to shut them down? (or at least another method of shutting them down remotely from another Server using the shutdown.exe command or using RSAT or something)

We regularly get situations where power goes down, the UPS wants to die on them and they need to shut down their own Servers to avoid a catastrophe, and they cannot shut them down themselves.

Thanks for helping with this one.

Question by:ReinhardRensburg

Author Comment

ID: 38416633
Sorry, I forgot to add a very important bit of detail: I want them to be able to shut down the DC's without making them a member of the Domain Admins or Enterprise Admins group.... :)

Expert Comment

ID: 38416794
You should have the UPS properly set up. A UPS that has been properly set up and configured on the servers will shut them down gracefully and automatically (after a certain threshold time without power) if there is a power failure. Check the manuals of the UPS for further details.

Apart from that, most servers from manufacturers like DELL or HP have a module installed (iDRAC in DELL's, Lights-Out in HP's) to which you can log on (via a web browser) whether the server itself is running or not. These modules allow you to shut a server down, power it on, etc. Depending on the version of the module you can also have further functions, like a console view which shows you the server's POST display and lets you change BIOS entries, etc. So check your Server's manuals on those modules and configure them, and if there aren't any such modules already installed in your servers, most manufacturers have options available to add them.


Expert Comment

ID: 38416864
If the Admins have physical access to the PC's they can always short-press the power button to request a shutdown via the ACPI interface.  If the servers have IPMI/iLO boards in them they can remotely press the power button.

We have a similar set up to you with local admins responsible for local servers and UPS infrastructure.  Installing many different UPS agents was deemed to be an overhead that we did not want to commit to.  The DC's are managed by a small team.  Out of core hours the local IT admins are allowed to press the power button should they so wish - after all, they are the ones that are going to get the support calls if someone cannot log on.

Hope this helps


Author Comment

ID: 38416890
Hi rindi,

Thanks for the tips and advice on how to manage and set up our UPS's etc. and manage our site; that is not what I want to know. Just as a matter of interest: it is a huge UPS and Generator driving the entire building, not a little mickey mouse 10kVA Rackmount APC that has a LAN and USB Port to plug into a Server so that it can shut down the Server.

The reason for wanting to shut down the DC is actually irrelevant to my question (not always because the power is off). I just want to know from a technical point of view how one gives rights in Active Directory to a normal AD user so that this user has the appropriate rights to shut down the DC with his AD Account, and not how to plug in and configure my UPS Units onsite.

Expert Comment

ID: 38416921
I can't really follow the reason above for not setting up the UPS properly. It should be easy for any server Admin to do the setup. Also, if the UPS isn't set up properly, how will you be informed about the health of the batteries? Another thing: what happens if the power failure happens when no Admin is on-site, for example in the middle of the night? No one will know about the failure and the Servers will just shut off ungracefully once the batteries are empty. I therefore see absolutely no reason not to use the functions a UPS provides. You might as well go without them...

Expert Comment

ID: 38416942
Then use the iDRAC or iLO or whatever your server has to shut it down remotely. You can set those up for the users you want and don't need to do it via Active Directory. They just need to log on to that system.

Expert Comment

ID: 38417192
If you are using the "Default Domain Controllers Policy", the following groups are allowed to shut down a DC:
Server Operators
Print Operators
Backup Operators
You can of course create a new group and add this to a new GPO that you link to the Domain Controllers OU. You find the policy setting here:

Computer Configuration
        Windows Settings
            Security Settings
                Local Policies/User Rights Assignment
                    Shut down the system
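Before changing the policy it helps to see who already holds these rights on a given DC. The following PowerShell script is an added example, not code from the thread: it exports the effective User Rights Assignment with secedit, parses the [Privilege Rights] section, and resolves the SIDs to account names. The set of rights it reports (shutdown, remote shutdown, local logon, Remote Desktop logon) is my choice, chosen to match what the question asks about; the file name under $env:TEMP is arbitrary.

```powershell
# Added example (not from the original thread): audit which principals hold the
# shutdown and logon user rights on this server. Run in an elevated PowerShell
# session on the DC (or any server) you want to inspect; secedit needs admin rights.
# secedit writes an INI-style file whose [Privilege Rights] section has lines of the
# form   SeConstant = *SID,*SID,...   (entries without a leading '*' are plain names).

$exportPath = Join-Path $env:TEMP 'user-rights-audit.inf'   # arbitrary temp file name
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# Policy constants mapped to the names shown in the Group Policy editor.
$rightsOfInterest = @{
    'SeShutdownPrivilege'           = 'Shut down the system'
    'SeRemoteShutdownPrivilege'     = 'Force shutdown from a remote system'   # needed for shutdown.exe /m
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
}

function Resolve-Principal {
    # Turn "*S-1-5-32-549" into "BUILTIN\Server Operators"; leave names and
    # unresolvable SIDs (deleted accounts, foreign domains) as they are.
    param([string]$Entry)
    $raw = $Entry.Trim()
    if (-not $raw.StartsWith('*')) { return $raw }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($raw.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $raw
    }
}

$inPrivilegeSection = $false
$results = foreach ($line in Get-Content -Path $exportPath) {
    # Track which INI section we are in; only [Privilege Rights] matters here.
    if ($line -match '^\[(.+)\]$') { $inPrivilegeSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inPrivilegeSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
    $constant, $value = $Matches[1], $Matches[2]
    if (-not $rightsOfInterest.ContainsKey($constant)) { continue }
    foreach ($entry in ($value -split ',')) {
        if ($entry.Trim()) {
            [pscustomobject]@{
                Right     = $rightsOfInterest[$constant]
                Principal = Resolve-Principal $entry
            }
        }
    }
}

$results | Sort-Object Right, Principal | Format-Table -AutoSize
Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
```

On a DC still running the unmodified Default Domain Controllers Policy the output for "Shut down the system" should list exactly the groups named above plus Administrators; any extra principal is a delegation somebody added, and is worth tracing back to the GPO that set it (gpresult /h or the Group Policy Results wizard shows which GPO won).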

Author Comment

ID: 38417372
Hi MMe12,

Thanks for the info, that sounds like the stuff I am looking for. If an AD User is part of the "Server Operators" Security group, would this by any chance also give them the required rights to also log in to the DC (when standing in front of the Server) in order to go "Start -> Shut down", or would this only enable them to do it remotely from another PC?

What I am trying to get at is that I want my LAN Administrators to be able to log in to their own DC on-site, mainly to shut it down, but also to be able to log in to it for other reasons if they need to, but not to then have full rights in "AD Users and Computers" (so almost a case of letting them into the Server but with no "Domain Admin" rights, only the rights that their AD Account had before they could log on to the DC itself).

If it does not make sense then here's more info. to try and explain my scenario:

I have a division 400 KM from me; the LAN administrator there has one Domain Controller on-site. He had to shut it down the other day to add another Hard Drive to it because one internal HDD failed on us and he had to replace it. He could not get into the DC (logging into it when standing in front of it) in order to shut it down, and he could then also not log in to it afterwards in order to go into the Array Utility to check that it picked up the new HDD and is rebuilding the RAID to it. (So I want to give them more control of their own DCs but not more rights in AD itself) - so whatever he can do within RSAT at the moment (only admin his divisional OU's and users) must stay like that, but he must also be able to log on at the Console of the DC.


Accepted Solution

MMe12 earned 2000 total points
ID: 38417617
Hi Reinhard,

At the same policy level I outlined above you'll find the user right "Allow log on locally", which the Default Domain Controllers Policy grants by default to Administrators, Backup Operators, Account Operators, Server Operators and Print Operators.

It should work the way you want if you create a new group for the desired users and add this to the appropriate policy settings within a new GPO linked to the Domain Controllers' OU. This will of course change the user rights on all domain controllers, not just the ones you might want to restrict them to!

To have different user rights on different DCs you'd either have to use local policies on each desired DC, or (my favorite approach) create different GPOs for each group of DCs and then use security filtering (using the DCs' computer accounts or security groups with DCs as members) for these GPOs so they only apply to the DCs you want.

I hope I explained it sufficiently; I could perhaps explain it better in German ;-)
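The whole procedure from the two answers above (a new group, a new GPO linked to the Domain Controllers OU, security filtering so it reaches only one site's DCs, and both user rights granted to the group) can be scripted. The PowerShell below is an added example, not the answerer's code; the domain corp.example, the group names SiteA-DC-Operators and SiteA-DCs, the OU path for the new group and the GPO name are all assumed placeholders. Because the GroupPolicy module has no cmdlet for User Rights Assignment, the script writes the GPO's security template (GptTmpl.inf) in SYSVOL directly and registers the Security client-side extension on the GPO object; the extension GUIDs and the default right holders are the standard Windows values.

```powershell
# Added example (not from the original thread): delegate "Shut down the system" and
# "Allow log on locally" on one site's domain controllers to a plain security group,
# without Domain Admin or Enterprise Admin membership for its members.
# Assumed placeholders: domain corp.example, groups SiteA-DC-Operators (users) and
# SiteA-DCs (the site's DC computer accounts), GPO "SiteA DC Console Rights".
# Run as a Domain Admin from a host with RSAT (creating GPOs and writing SYSVOL needs it).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = 'corp.example'
$dcOu     = 'OU=Domain Controllers,DC=corp,DC=example'
$opGroup  = 'SiteA-DC-Operators'    # members may log on to / shut down the site's DCs
$dcGroup  = 'SiteA-DCs'             # security group containing the site's DC computer accounts
$gpoName  = 'SiteA DC Console Rights'

# 1. The group that receives the rights. Membership grants nothing in AD itself; the
#    user rights below exist only on the DCs the GPO reaches.
if (-not (Get-ADGroup -Filter "Name -eq '$opGroup'")) {
    New-ADGroup -Name $opGroup -GroupScope Global -GroupCategory Security -Path 'OU=Groups,DC=corp,DC=example'
}

# 2. New GPO linked to the Domain Controllers OU. Link order 1 gives it precedence over the
#    Default Domain Controllers Policy, so its user-rights list wins where both define a right.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Guid $gpo.Id -Target $dcOu -LinkEnabled Yes -Order 1 -ErrorAction SilentlyContinue

# 3. Security filtering: Authenticated Users keep Read (computers must still read the GPO)
#    but lose Apply; only the DCs in $dcGroup apply it.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Guid $gpo.Id -TargetName $dcGroup -TargetType Group -PermissionLevel GpoApply

# 4. User Rights Assignment lives in the GPO's security template in SYSVOL. A right set by
#    GPO REPLACES the whole list on the target, so the defaults must be repeated alongside
#    the new group, otherwise Administrators and the operator groups lose the right.
$opSid    = (Get-ADGroup -Identity $opGroup).SID.Value
$defaults = @{
    # Default: Administrators, Backup Operators, Server Operators, Print Operators
    SeShutdownPrivilege     = 'S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-549', 'S-1-5-32-550'
    # Default: the four above plus Account Operators
    SeInteractiveLogonRight = 'S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550'
}
$inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($right in $defaults.Keys) {
    $entries = ($defaults[$right] + $opSid) | ForEach-Object { "*$_" }   # SIDs are prefixed with '*'
    $inf += "$right = " + ($entries -join ',')
}
$policyRoot = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"
$infDir     = Join-Path $policyRoot 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $infDir -Force | Out-Null
$inf | Set-Content -Path (Join-Path $infDir 'GptTmpl.inf') -Encoding Unicode

# 5. Register the Security CSE (and its MMC extension) on the GPO and bump the machine
#    version in AD and GPT.ini so clients notice the change. This overwrites
#    gPCMachineExtensionNames, which is fine for a GPO that has no other machine settings.
$securityCse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
$gpoObject   = Get-ADObject -Identity $gpo.Path -Properties versionNumber
$newVersion  = [int]$gpoObject.versionNumber + 1       # low 16 bits = machine-side version
Set-ADObject -Identity $gpo.Path -Replace @{ versionNumber = $newVersion; gPCMachineExtensionNames = $securityCse }
Set-Content -Path (Join-Path $policyRoot 'GPT.ini') -Value @('[General]', "Version=$newVersion")
```

After the DCs refresh policy (gpupdate /target:computer on one of them, or wait for the interval), a member of SiteA-DC-Operators can log on at the console of a SiteA DC and shut it down, while still having only whatever RSAT delegation their account had before. If the goal is RDP rather than console access, the same pattern applies to "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight), which on a DC is held by Administrators alone by default. Membership in the new group is worth reviewing on a schedule: it is a local-logon grant on every DC the GPO reaches, and the audit script earlier in this thread's example shows exactly who ends up holding each right.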


Author Closing Comment

ID: 38418006
Awesome, thanks MMe12! Exactly what I wanted to find out :) You rock!
