(I really wish my boss wouldn't ask about this type of stuff at noon on a Friday, when I have to leave by 4PM ...)
Anyway, what he wants to do: he wants our techs to be able to use a domain account, log into domain member servers, run Windows Update, *and* then be able to tell it to reboot. And he does NOT want to add this domain account to local Administrators group. (don't ask, it's a long story) I *think* I can do this with a GPO ---------------- *Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Right Assignment > Force shutdown from a remote system* Simply add account(s) in question to this policy and they will be able to reboot servers remotely. ---------------- Problem is, I haven't tested this yet, and he (ideally) wants this in place so the techs can install windows updates on Sunday. And no way do I want to roll this out to all production servers, without testing it first (which I don't have time to do, before I have to leave today) Is this the best way to give a domain user only the right to reboot a server, without giving them any other rights? (I have a GPO that assigns WSUS settings via OU and group membership; I could either add it to that one, or make a new, and assign it to that same OU and group membership)
