DC Lowest Shutdown Permission Available To Grant

https://technet.microsoft.com/en-us/library/Cc756898(v=WS.10).aspx

I've reviewed the above article but it's not quite clear or I have not found what I'm looking for. I need to grant a Domain User another permission that has enough to access the Domain Controller and shut the server down. Is this possible without granting them complete access?

September 1st, 2015 2:47pm

Hi,

I suggest you assign this user right Force shutdown from a remote system to specific users/group, then shut down the Domain Controller remotely using Shutdown.exe.

More information for you:

Force shutdown from a remote system

https://technet.microsoft.com/en-us/library/cc782573(v=ws.10).aspx

User Rights

https://technet.microsoft.com/en-us/library/dd349804(v=ws.10).aspx#BKMK_23

Shutdown

https://technet.microsoft.com/en-us/library/bb491003.aspx

Best Regards,

Amy

Free Windows Admin Tool Kit Click here and download it now
September 3rd, 2015 10:50pm

Hi Amy,

These users would have direct access to access the KVM switch and switch to the DC and any other servers. The thought would be if an outage occurs they would be able to visit the server room and shut down each server safely connected by the battery backup. Therefore, I'd like to offer the best solution.  

September 7th, 2015 7:54pm

Hi,

These users would have direct access to access the KVM switch and switch to the DC and any other servers. The thought would be if an outage occurs they would be able to visit the server room and shut down each server safely connected by the battery backup.

In that case, assigning user rights Allow log on locally and Shut down the system would be enough.

Best Regards,

Amy

Free Windows Admin Tool Kit Click here and download it now
September 7th, 2015 9:59pm

Hi Amy,

Could you offer the appropriate steps to accomplish this task? For example, I noticed that if I go to the DC server and attempt to update the local group policy as opposed through GPO Management... it will already have a list of security groups and it will not let me to enter new entries. Now, if I go through the GPO snap in | expand the domain | Default Domain Policy | etc... I have the ability to define these policy settings and add a selected group of users or groups. However... I only want to apply this to a specific number of servers. 

The keyword would be specific servers and not all. 

You've been very helpful and I look forward to your reply. A step by step instruction would be appreciated. Would the solution be creating a new GPO and applying it to the appropriate servers only? The other server to consider is the Domain Controller which exists in the DC OU. Simply, update the default dc gpo? Just want to make sure it doesn't create unseen issues.





  • Edited by IT Wisdom 10 hours 38 minutes ago
September 11th, 2015 4:09pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics