Win server 2008 user policies rights...

[retroborg]

Good day,
I have a Windows Server 2008 Standard Service Pack 2.
I want to create a user that will have the minimum rights and will only be able to login in the server and shut it down in case of a power failure, so that it will not continue running on the UPS power.

I searched through the default list of groups to choose which one to make him a member of, but none of them seem to have limited enough rights. Even backup operators can run some applications in the server control panel, accessories, as well as view the Hard disk & partitions, which is something I do not want.

So how do I edit the rights of that specific user?
I searched though here:

Start:
gpedit.msc
Local Group Policy Editor
User Configuration
Administrative templates
System
User Profiles

But I did not find where I could edit that specific user's rights.

Please any help will be highly appreciated.
Thanks in advance

[Jay]

is this a local user or a domain user?

User rights are changed through AD if on the domain and via local users if its not.

[blueball]

Safest way is to use "shutdown /i" from a command prompt on a remote PC and then use the shutdown GUI that appears to select the correct server and shut it down.

Just give rights to the user's AD profile to do this rather than giving login access to the physical box.

See here for rights. All the user needs is 'shut down system' and 'log on as a batch job' for the task to run.

[retroborg]

This windows Server 2008, basically only acts as a file server, it shares a folder to 5 clients, but none of the clients are installed in the server's domain. Its a workgroup consisting of 5 clients and 1 server.

So I will not be able to login into server from a client's command prompt. When I run "shutdown /i" and then try to search the domain for the server name, it says AD service is not available.
I don't want to setup any domain or add any of these clients onto it.

So is there any other safe way to do this?

[retroborg]

is this a local user or a domain user?

User rights are changed through AD if on the domain and via local users if its not.

Its a user I created in the server using active directory users and computers and is a member of the domain users group.

I'm not aware of any "local" users in a windows server?

I don't see anything in the AD concerning user rights for that specific user. If i press right click on the user & "properties", I see various options and I can change what group it will belong to, but no user right policies...

[Jay]

You could try PSExec

http://technet.microsoft.com/en-us/s.../bb897553.aspx

something like

\\serverip\share\psexec.exe -u -p \\serverip -s cmd.exe /c shutdown -i

-u = username (servername\domain admin name) -p password I advise you don't use the main admin account and instead setup a second domain admin account that you can kill off if needed

Then use http://download.cnet.com/Bat-To-Exe-...-10555897.html

to create an exe (make sure you add a password to be able to run it as this will encrypt the exe and hide the username / password)

The user can then run this to access the shutdown menu on the server without having to know the actual username / password for the server.

[retroborg]

Safest way is to use "shutdown /i" from a command prompt on a remote PC and then use the shutdown GUI that appears to select the correct server and shut it down.

Just give rights to the user's AD profile to do this rather than giving login access to the physical box.

See here for rights. All the user needs is 'shut down system' and 'log on as a batch job' for the task to run.

Also that link you posted
http://msmvps.com/blogs/ad/archive/2...s-defined.aspx

isn't loading...

[Jay]

works fine for me.

[blueball]

works fine for me.

works ok for me as well.

[retroborg]

It says:
"Bad Request (Invalid Hostname)"

[blueball]

It says:
"Bad Request (Invalid Hostname)"

Try "ipconfig /flushdns" in a command prompt and then try again to see if that helps.

You can also try ping it to see if you can reach it.

[blueball]

This windows Server 2008, basically only acts as a file server, it shares a folder to 5 clients, but none of the clients are installed in the server's domain. Its a workgroup consisting of 5 clients and 1 server.

So I will not be able to login into server from a client's command prompt. When I run "shutdown /i" and then try to search the domain for the server name, it says AD service is not available.
I don't want to setup any domain or add any of these clients onto it.

So is there any other safe way to do this?

Dont browse for the server; just use the "add" button and add it by name or preferably IP address.

[retroborg]

Safest way is to use "shutdown /i" from a command prompt on a remote PC and then use the shutdown GUI that appears to select the correct server and shut it down.

Just give rights to the user's AD profile to do this rather than giving login access to the physical box.

See here for rights. All the user needs is 'shut down system' and 'log on as a batch job' for the task to run.

Ok, so...

"Just give rights to the user's AD profile"

Do you mean I should do this in the "Local Security Policy"? Or somewhere else?

So I typed secpol.msc in Start -> Local Security Policies -> Local Policies -> User Rights Assignment

But when I try to add the user in the "shut down the system" & "log on as a batch job", the "Add User or Group" & "Remove"buttons are grayed out.
In fact they're disabled in most of the available rights of the list!

Something like this:



Here it gives a solution:

http://www.chicagotech.net/Security/gpgrayedout.htm

http://www.chicagotech.net/netforums...php?f=4&t=6205

"Cause: the domain group policy or other policy override the local policy.
Resolution: Modify the domain policy or the policy which overrides the local policy."

"You need to either set the domain policy to "not configured" to change the "allow log on locally" on the machines or you just change the domain policy in question."

But I have not been able to find and do this so far.
How and where do I do this exactly, as I might need in the future to add other users in the rights...

Please do excuse my ignorance in this specific matter...

Thanks in advance.

[blueball]

If I understand you correctly the server is part of a domain. If I have got that right then you will need to add the setting on the server using the "domain controller security policy // local policies // user rights assignment" option. You will, I guess, have to create domain accounts on the server that the users can use from their PCs to actually do this - sorry but I can't think of another way of doing it.

I would create a group called "Shutdown Operators" and give it the necessary rights then create a user in that group.

[retroborg]

Yes the server is part of a domain (It's the domain controller). I have all ready created some domain user accounts and a group called “Shutdown Operators” and I added one user to it.

But where exactly is the:

"domain controller security policy // local policies // user rights assignment" option ?

The only places I found 2 similar paths / options are in:

Local group Policy Editor (gpedit.msc)
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"



And in:

Local Security Policy (secpol.msc)
Security Settings\Local Policies\User Rights Assignment



But in both the "Add User or Group" & "Remove" are grayed out / disabled.
So I can not add any group or user to allow them to shutdown the server.

I have to note that I am logged into the Server as the Administrator.


The solutions given in the previous links I posted are not very clear...

http://www.chicagotech.net/Security/gpgrayedout.htm

http://www.chicagotech.net/netforums...php?f=4&t=6205

"Cause: the domain group policy or other policy override the local policy.
Resolution: Modify the domain policy or the policy which overrides the local policy."

"You need to either set the domain policy to "not configured" to change the "allow log on locally" on the machines or you just change the domain policy in question."

[blueball]

Go to "control panel". Then select "Administrative Tools". You will find domain controller security policy in there.