Correct, but what I am saying is that LocalSystem is automatically a member of builtin\administrators.
You can see it yourself if you open a command prompt as localsystem and type whoami or sectok.

F:\DEV\cpp\SecTok>sectok

SecTok V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) November 2001

User: S-1-5-18 - NT AUTHORITY\SYSTEM
Group: S-1-1-0 - Everyone
Group: S-1-5-11 - NT AUTHORITY\Authenticated Users
Group: S-1-5-32-544 - BUILTIN\Administrators

-----Original Message-----
From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 10, 2005 4:37 PM
To: [email protected]
Subject: RE: [ActiveDir] Shutdown script not working.

Hi Joe,

Peter is right. I just built a new 2003 server and the default local security policy does not give the local system account the rights to shut down the system. The default settings on a 2000 / 2003 server are only the administrator, backup operator and power users who have such rights. I'll just create a GPO and give the local system account the rights to shut down the system. (I attached a screen capture.)

Regards,
Jose Medeiros

----------------------------------------------------------------

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Tuesday, May 10, 2005 12:11 PM
To: [email protected]
Subject: RE: [ActiveDir] Shutdown script not working.

Local System should have rights to shut down the local machine unless someone took away the administrator group's rights to shut down the machine.

Doing it remotely would require granting shutdown privs for the machine account of the machine running the AT service on the security policy of the remote machine.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, May 10, 2005 1:53 PM
To: [email protected]
Subject: Re: [ActiveDir] Shutdown script not working.

A script runs under the user context of the account that invokes it.
Commands invoked by the at command use the user context specified in services (as Alain pointed out), which is by default Local System.

So if you use the at command you have two possibilities.

1) Change the 'Log on as' for the Task Scheduler to another user context
2) Add the necessary user right to Local System Account (provided you do not need access to another machine.)

To invoke a script under another user context you can use the runas command.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
