Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Enable shutdown of a machine with local admin account

Status
Not open for further replies.
fox007ss

fox007ss

Technical User
Mar 1, 2003
15
AU
We have a server here that is used by our web developers, they have local admin access to the machine but are unable to shut the server down due to domain security policy. Because this option is enforced by group policy i can not change it even when logged in as a domain admin. Obviously i do not want to give the devlopers domain admin access, and do not want to have to create a new ou for one machine. Does anyone have any ideas on how i could do this.
 
Sort by date Sort by votes
How can't they shutdown the server. Don't they have access to it from the start menu?

What if they start up a command prompt and type shutdown?
 
Upvote 0 Downvote
They can not shut down because the domain security policy only allows domain admins to shut down a server, if anyone not in the domain admin group tries the option is either grayed out such as with the restart now or later prompts after installing an option, or simply does not show up if they go to the start menu. They get an access denied message if they type shutdown within a cmd prompt.
 
Upvote 0 Downvote
Only way I can think of to do this is to compile a script using AutoIT.

In AutoIT you can specify a user to run a command as. You can then compile the script so that users can't see what the password is.

The only problem with that is that they will then have a universal shutdown command for your domain!

Creating a new OU is probably your safest bet. It's what I would do.
 
Upvote 0 Downvote
Thats probably what im going to have to do, but i really don't want to. i suppose i could create a scheduled task with no time stamp as an domain admin and have them run that.
 
Upvote 0 Downvote
You don't mention where that GPO is applied. Why not create another GPO that grants them the right to shutdown? Toss their servers in an OU, apply your new GPO to the OU, and you're done.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 
Upvote 0 Downvote
I know i can do that, but its something my boss doesn't want us to do. They only have one dev box the rest of them are virtual servers that are not members of our domain. It is a domain level GPO.
 
Upvote 0 Downvote
fox007ss said:
I know i can do that, but its something my boss doesn't want us to do.
Click to expand...

Well, there you have it. Your boss seems to have the answer.

I think if you read many of the deployment whitepapers and other online resources, you'd find that the solutions mentioned here are within Microsoft's best practices.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
266
DrB0b
DrB0b
goombawaho
  • Locked
  • Question
Microsoft Azure Active Directory - Backup Admin Account 1
Replies
2
Views
318
goombawaho
goombawaho
ravalos
  • Locked
  • Question
Problem with PDFs in IIS
Replies
1
Views
454
gbaughma
gbaughma
tscstl
  • Locked
  • Question
access to local folder
Replies
1
Views
122
hairlessupportmonkey
hairlessupportmonkey
MattM1975
  • Locked
  • Question
Domain Admin Logon 1
Replies
2
Views
134
ADB100
ADB100

Part and Inventory Search

Sponsor

Back
Top