Guest Alain H. Crispiels
Posted November 17, 2007

Hello,

A domain user (not an admin) from a WinXP machine has sometimes to restart a remote member server into the same domain.

I've created a local group on that server with the remote shutdown right. The domain user is member of that local group.

Now, from his WinXP, when he's executing the command "shutdown -r -f -m", he's receiving an error message : "insufficient privilege...".

If, just for test, this domain user is also local admin of his WinXP machine, it's ok.

How to permit him to execute this command without to be local admin ?

Alain

Guest Pegasus (MVP)
Posted November 17, 2007

Re: Insufficient privilege to remote shutdown a server

A safe way to do this would be to give the user a "Shutdown" shortcut which invokes a batch file on his machine. The sole purpose of the batch file is to leave a semaphore file on the server, e.g. like so:

    echo %date% %time% > \\Server\Semaphore\shutdown.txt

On the server you use the Task Scheduler to run the following batch file once every 5 minutes:

    @echo off
    if not exist d:\Shares\Semaphore\shutdown.txt goto :eof
    del d:\Shares\Semaphore\shutdown.txt
    shutdown /.. /.. /..

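Added example, not part of the post above: a PowerShell variant of the server-side scheduled check that honours the semaphore file only when it was created by an allow-listed account and is recent, and that logs every decision. The semaphore path is the one from the post; the account name, log path and 10-minute window are assumptions made for this example.

```powershell
# Added example, not from the thread. Hypothetical values: the allow-list
# account, the log path and the 10-minute freshness window.
$Semaphore     = 'D:\Shares\Semaphore\shutdown.txt'   # path used in the post
$AllowedOwners = @('EXAMPLE\restart-operator')        # hypothetical account
$MaxAge        = New-TimeSpan -Minutes 10             # assumed window
$LogFile       = 'D:\Logs\semaphore-restart.log'      # hypothetical, folder must exist

function Get-RestartDecision {
    param([string]$Path, [string[]]$Allowed, [timespan]$MaxAge)

    $item  = Get-Item -LiteralPath $Path -Force
    $owner = (Get-Acl -LiteralPath $Path).Owner       # account that created the file
    $age   = (Get-Date) - $item.LastWriteTime

    # A link or junction planted in the share must never be honoured.
    if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
        $reason = 'file is a reparse point'
    }
    elseif ($Allowed -notcontains $owner) {
        $reason = "owner $owner is not on the allow-list"
    }
    elseif ($age -gt $MaxAge) {
        $reason = "request is stale ($([int]$age.TotalMinutes) min old)"
    }
    else { $reason = $null }

    [pscustomobject]@{ Approved = ($null -eq $reason); Owner = $owner; Reason = $reason }
}

if (Test-Path -LiteralPath $Semaphore) {
    $decision = Get-RestartDecision -Path $Semaphore -Allowed $AllowedOwners -MaxAge $MaxAge

    # Consume the request in every case so a rejected file cannot fire later.
    Remove-Item -LiteralPath $Semaphore -Force

    $verdict = if ($decision.Approved) { 'APPROVED' } else { "REJECTED: $($decision.Reason)" }
    Add-Content -LiteralPath $LogFile -Value ("{0:s} owner={1} {2}" -f (Get-Date), $decision.Owner, $verdict)

    if ($decision.Approved) { Restart-Computer -Force }
}
```

The NTFS and share permissions on the semaphore folder still decide who can create the file at all; the owner check adds a record of who asked and a second gate if those permissions drift.
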
Guest Alain H. Crispiels
Posted November 18, 2007

Re: Insufficient privilege to remote shutdown a server

I'm surprised to see this type of solution ! That means that the server executes every minute a batch file just to control if a text file exists.

Is there no possibility to give the right to the domain user to execute for his WinXP the "shutdown -r" command ?

Guest Pegasus (MVP)
Posted November 18, 2007

Re: Insufficient privilege to remote shutdown a server

*** See below.

"Alain H. Crispiels" wrote:
> I'm surprised to see this type of solution !

*** It goes under the heading of "lateral thinking": If the
*** user is not allowed to do something on his own
*** initiative, why not get the server to ask the user
*** whether he wants the server to do that thing?

> That means that the server executes every minute a batch file just to
> control if a text file exists.

*** I think once every five or ten minutes would be plenty.

> Is there no possibility to give the right to the domain user to execute
> for his WinXP the "shutdown -r" command ?

*** If there is then you probably have to give that user far
*** greater access privileges than common sense dictates.
*** Perhaps some other respondent will give you a better
*** answer than I can.

Guest Alain H. Crispiels
Posted November 18, 2007

Re: Insufficient privilege to remote shutdown a server

Thank you, but I prefer to find how to grant the right to the user to execute this command without to be a local admin.

Thank you

Guest peeters.tom@gmail.com
Posted November 18, 2007

Re: Insufficient privilege to remote shutdown a server

On Nov 18, 10:36 am, Alain H. Crispiels wrote:
> Thank you, but I prefer to find how to grant the right to the user to execute
> this command without to be a local admin.

I would create a new organisational unit in my AD and set up a policy group which allows the user to remotely restart the server:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments -> Force shutdown from a remote system

You might need to add the users to the 'Server Operators' group

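Added example, not part of the post above: a PowerShell check, run elevated on the server, that lists which accounts currently hold the "Force shutdown from a remote system" right (`SeRemoteShutdownPrivilege`) by exporting the effective user-rights assignment with `secedit`. The expected-holders list, including the `EXAMPLE\Restart-Operators` group, is an assumption made for this example.

```powershell
# Added example, not from the thread: report the holders of a user right
# as it is actually applied on this machine (local policy plus GPO).
function Get-UserRightHolder {
    param([string]$Right = 'SeRemoteShutdownPrivilege')

    $inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content -LiteralPath $inf |
                Where-Object { $_ -match "^\s*$Right\s*=" } |
                Select-Object -First 1
        if (-not $line) { return }          # right is assigned to nobody

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs as *S-1-...; translate them when possible.
                $sid = New-Object Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $name = $sid.Translate([Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved SID)' }
                [pscustomobject]@{ Right = $Right; Sid = $sid.Value; Account = $name }
            }
            else {
                [pscustomobject]@{ Right = $Right; Sid = $null; Account = $entry }
            }
        }
    }
    finally {
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    }
}

# Hypothetical baseline: anything outside this list is reported for review.
$expected = @('BUILTIN\Administrators', 'EXAMPLE\Restart-Operators')
Get-UserRightHolder | Where-Object { $expected -notcontains $_.Account }
```

Granting the right to a dedicated group and checking it this way keeps the delegation limited to the one privilege, instead of relying on membership of a broad built-in group.
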
Guest Alain H. Crispiels
Posted November 18, 2007

Re: Insufficient privilege to remote shutdown a server

Ok for the OU, but that OU will not resolve the issue. For the moment, before to implement an OU and a GPO, I'm trying to find how to avoid to give too many right to the user. I would like that he's just able to execute the "shutdown.exe" command.

You wrote that the user has to be member of the server operators groups. It's very too dangerous !!!