I see a fun weekend ahead.
It seems that you have about 3 hours to test before you leave (as of my email).
I'd be more willing to gamble on whatever limited testing results could be
obtained vs an internet answer, if the "ideal" goal is to be achieved.

>> Simply add account(s) in question to this policy and they will be able to
>> reboot servers remotely.
Yes, but what about the logging on and applying updates part of the equation?
 Do they already have rights for this??
It might be faster (and probably even more desirable) to change the WSUS policy
for the systems in question to patch and reboot themselves on Sunday afternoon,
and change it back on Monday.[Seriously, there is no fundamental difference
between trusting servers to apply Microsoft patches to themselves vs allowing
users who don't normally have access to do the same, other than that I see less
chance for mishaps in the former scenario.]


Regards,

ASB
http://XeeMe.com/AndrewBaker

Providing Expert Technology
Consulting Services for the SMB market…


GPG:860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842

On Fri, Jan 20, 2017 12:42 PM, Michael Leone wrote:
(I really wish my boss wouldn't ask about this type of stuff at noon on a
Friday, when I have to leave by 4PM ...)

Anyway, what he wants to do: he wants our techs to be able to use a domain
account, log into domain member servers, run Windows Update, *and* then be able
to tell it to reboot. And he does NOT want to add this domain account to local
Administrators group.

(don't ask, it's a long story)

I *think* I can do this with a GPO

----------------

Computer Configuration > Policies > Windows Settings > Security
Settings > Local Policies > User Rights Assignment > Force shutdown from a remote
system

Simply add account(s) in question to this policy and they will be able to reboot
servers remotely.

----------------

Problem is, I haven't tested this yet, and he (ideally) wants this in place so
the techs can install Windows updates on Sunday. And no way do I want to roll
this out to all production servers, without testing it first (which I don't have
time to do, before I have to leave today).

Is this the best way to give a domain user only the right to reboot a server,
without giving them any other rights? (I have a GPO that assigns WSUS settings
via OU and group membership; I could either add it to that one, or make a new
one, and assign it to that same OU and group membership.)
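
An added example, not part of the original thread: a PowerShell check for one test server after the GPO applies, parsing a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export to confirm the tech account holds SeRemoteShutdownPrivilege (the constant behind "Force shutdown from a remote system") and no other directly assigned right. The sample export, the SID and both function names are constructed for illustration.

```powershell
# Constructed sample of the [Privilege Rights] section written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The SID ending in -1105 is a made-up stand-in for the techs' domain account.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
'@

function Get-UserRightHolders {
    # Hypothetical helper: maps each right name to the SIDs/accounts listed for it.
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            # SIDs are exported with a leading '*'; unresolved names have none.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-RebootOnlyAccount {
    # Hypothetical helper: reports whether $Sid has the remote-shutdown right
    # and lists every other right assigned directly to that SID.
    param([hashtable]$Rights, [string]$Sid)
    $held = @($Rights.Keys | Where-Object { $Rights[$_] -contains $Sid } | Sort-Object)
    [pscustomobject]@{
        Sid                    = $Sid
        CanForceRemoteShutdown = $held -contains 'SeRemoteShutdownPrivilege'
        OtherRightsHeld        = @($held | Where-Object { $_ -ne 'SeRemoteShutdownPrivilege' })
    }
}

# For a real export, pass (Get-Content .\rights.inf) instead of the sample.
$rights = Get-UserRightHolders -InfLines ($sampleInf -split '\r?\n')
Test-RebootOnlyAccount -Rights $rights -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
```

This only sees rights assigned directly to the SID; rights inherited through group membership appear under the group's SID, so run the same check for each group the account belongs to.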
