Logged in user not allowed to reboot machine

  • Logged in user not allowed to reboot machine

    Hi all,

    I am trying to allow our users to reboot their computers using "shutdown -r" through a shortcut on their desktop. The reason for this is that we have removed the Shut Down icon in the start menu, logon screen and the Windows Security dialog, as we do not want them to be able to shut the systems down. This is enforced via a GPO.

    In the same GPO, I have defined the policy

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system

    and entered <domain>\Domain Users and Administrators

    However, when a user runs the shortcut, the system does not reboot. If they enter the command in a command prompt they receive the message "A required privilege is not held by the client."

    Can anyone suggest what I need to do to allow users to reboot the local system, without granting them the permission to reboot other systems on the network? I could bundle a runas statement inside an encrypted VBS but I want the current user's username to be reflected in the event logs in case of problems.

    Windows XP Pro SP3, Windows SBS 2003 Standard DC, Windows Server 2003 R2 Standard member server
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

  • #2
    Re: Logged in user not allowed to reboot machine

    To use the tool shutdown.exe, the user needs the "Shut down the system" as well as the "Remote Shutdown" privileges! You do not want users on the network to have the latter privilege, for obvious reasons.

    Use a VBScript for the users in order to allow them to shut down or reboot their computer by clicking a shortcut (or from within a batch file that they can run via the command line). The user then just needs the "Shut down the system" privilege (= default on workstations and member servers).

    http://forums.petri.com/showpost.php...02&postcount=9
    Code:
    ' //////////////////////////////////////////////////////////////////////////
    '##########################################################################
    '#
    '#  Usage: shortcut to,
    '#  path\shutdown.vbs [/l | /s | /r] [/f]           ( <- users see 'Edit' in contextmenu)
    '#  or, wscript.exe //nologo path\shutdown.vbs [/l | /s | /r] [/f]    (runs hidden)
    '#  or, cscript.exe //nologo path\shutdown.vbs [/l | /s | /r] [/f]  (run in dosbox)
    '#
    '#  Switches:
    '#    Use " /l"  for a logoff
    '#    Use " /r"  for a reboot
    '#    Use " /s"  for a shutdown
    '#    Use " /f"  (optional) forces running applications
    '#               to close without warning.
    '#
    '#               alt usage " /r:force" or " /s:force"
    '#
    '##########################################################################
    
    Const EWX_LOGOFF   = 0
    Const EWX_REBOOT   = 2
    Const EWX_SHUTDOWN = 1
    Const EWX_POWEROFF = 8
    Const EWX_FORCE    = 4
    
    ' http://www.microsoft.com/technet/scriptcenter/resources/tales/sg0704.mspx
    Set args = WScript.Arguments.Named
    
    Select Case True
      Case args.Exists("l")
         If args.Exists("f") = True Then
           iCmd = EWX_LOGOFF + EWX_FORCE
         ElseIf LCase(args.Item("l")) = "force" Then
           iCmd = EWX_LOGOFF + EWX_FORCE
         Else
           iCmd = EWX_LOGOFF
         End If
      Case args.Exists("r")
         If args.Exists("f") = True Then
           iCmd = EWX_REBOOT + EWX_FORCE
         ElseIf LCase(args.Item("r")) = "force" Then
           iCmd = EWX_REBOOT + EWX_FORCE
         Else
           iCmd = EWX_REBOOT
         End If
      Case args.Exists("s")
         If args.Exists("f") = True Then
           iCmd = EWX_SHUTDOWN + EWX_FORCE
         ElseIf LCase(args.Item("s")) = "force" Then
           iCmd = EWX_SHUTDOWN + EWX_FORCE
         Else
           iCmd = EWX_SHUTDOWN
         End If
      Case Else wscript.quit
    End Select
    
    Shutdown iCmd
    
    wscript.sleep 5000 : wscript.quit(0)
    
    
    Sub Shutdown(sAction)
        On Error Resume Next
        With GetObject("winmgmts:" & _
             "{impersonationLevel=impersonate,(Shutdown)}!" _
             & "root\cimv2")
          Set colOperatingSystems = .ExecQuery _
             ("Select CSName from Win32_OperatingSystem",,48)
        End With
        For Each oOS in colOperatingSystems
           oOS.Win32Shutdown(sAction)
        Next
    End Sub
    EDIT Oct 26: The shutdown script now runs only with command line switches


    \Rems
    Last edited by Rems; 26th October 2008, 16:22.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts
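
Added example, not part of the original posts: a reboot-only variant of the approach in post #2. It drops the /l and /s switches (the original poster did not want users shutting machines down), checks the Win32Shutdown result instead of discarding errors, and writes the requesting user's name to the Application event log with WshShell.LogEvent. The file name reboot.vbs and the message text are assumptions, and whether a standard user may write to the Application log depends on that log's permissions.

```vbscript
' reboot.vbs (hypothetical name): reboot the local machine only, with an audit record.
' Added example; not the script posted in the thread.
Option Explicit

Const EWX_REBOOT      = 2
Const EWX_FORCE       = 4
Const EVT_ERROR       = 1   ' WshShell.LogEvent type: error
Const EVT_INFORMATION = 4   ' WshShell.LogEvent type: information

Dim oNet, oShell, sWho, iFlags, oWmi, colOS, oOS, iRet

Set oNet   = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")
sWho = oNet.UserDomain & "\" & oNet.UserName

' Reboot is the only action offered; /f is the single optional switch.
iFlags = EWX_REBOOT
If WScript.Arguments.Named.Exists("f") Then iFlags = iFlags + EWX_FORCE

On Error Resume Next
' "\\." pins the call to the local machine; (Shutdown) enables the
' "Shut down the system" privilege for this WMI connection.
Set oWmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\.\root\cimv2")
If Err.Number <> 0 Then Fail "WMI connect failed: 0x" & Hex(Err.Number)

WriteLog EVT_INFORMATION, "Reboot requested by " & sWho & " (flags=" & iFlags & ")"

Set colOS = oWmi.ExecQuery("Select * from Win32_OperatingSystem")
For Each oOS In colOS
    iRet = oOS.Win32Shutdown(iFlags)
    If Err.Number <> 0 Then Fail "Win32Shutdown raised 0x" & Hex(Err.Number)
    If iRet <> 0 Then Fail "Win32Shutdown returned " & iRet
Next
WScript.Quit 0

' Writes to the Application log (source WSH); a failed write is ignored
' so that a locked-down log does not block the reboot.
Sub WriteLog(iType, sMsg)
    On Error Resume Next
    oShell.LogEvent iType, "reboot.vbs: " & sMsg
End Sub

Sub Fail(sMsg)
    WriteLog EVT_ERROR, sMsg & " (user " & sWho & ")"
    WScript.Echo sMsg
    WScript.Quit 1
End Sub
```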



    • #3
      Re: Logged in user not allowed to reboot machine

      That worked perfectly, thank you
      Gareth Howells
