I do this so our NOC can patch/reboot and the GPO setting I use is “allow system shutdown” and that GPO does nothing else. Also, you’ll want to add BUILTIN\Administrators and Domain Admins to that GPO or else ONLY the group specified in the GPO can reboot the system. Don’t ask how I know :).
Dave

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Friday, January 20, 2017 9:43 AM
To: [email protected]
Subject: [NTSysADM] Adding *only* reboot right for domain user to a local host, remotely ...

(I really wish my boss wouldn't ask about this type of stuff at noon on a Friday, when I have to leave by 4PM ...)

Anyway, what he wants to do: he wants our techs to be able to use a domain account, log into domain member servers, run Windows Update, *and* then be able to tell it to reboot. And he does NOT want to add this domain account to local Administrators group. (don't ask, it's a long story)

I *think* I can do this with a GPO

----------------
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Right Assignment > Force shutdown from a remote system

Simply add account(s) in question to this policy and they will be able to reboot servers remotely.
----------------

Problem is, I haven't tested this yet, and he (ideally) wants this in place so the techs can install windows updates on Sunday. And no way do I want to roll this out to all production servers, without testing it first (which I don't have time to do, before I have to leave today)

Is this the best way to give a domain user only the right to reboot a server, without giving them any other rights?

(I have a GPO that assigns WSUS settings via OU and group membership; I could either add it to that one, or make a new, and assign it to that same OU and group membership)
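
One way to check the caveat in the reply above on a test server before the GPO goes to production (an added example, not part of the original thread): export the effective user rights with `secedit` and confirm that BUILTIN\Administrators still holds both shutdown rights. It assumes the setting called "allow system shutdown" in the reply is the "Shut down the system" user right (`SeShutdownPrivilege`); the scratch-file path is arbitrary.

```powershell
# Added example: run elevated on a test member server after the GPO has applied.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary scratch file
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg

# Privilege constants behind the two policies discussed in the thread.
$rights = [ordered]@{
    SeShutdownPrivilege       = 'Shut down the system'
    SeRemoteShutdownPrivilege = 'Force shutdown from a remote system'
}
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

$report = foreach ($name in $rights.Keys) {
    # Export lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-...
    $holders = @()
    foreach ($line in $lines) {
        if ($line -match "^$name\s*=\s*(.+)$") {
            $holders = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() })
        }
    }
    $sids = @(foreach ($h in $holders) {
        if ($h.StartsWith('*')) { $h.TrimStart('*') }
        else {
            # Some accounts are exported by name; translate them to a SID.
            try { ([System.Security.Principal.NTAccount]$h).Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $h }
        }
    })
    $names = @(foreach ($sid in $sids) {
        try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # leave unresolved entries as-is
    })
    [pscustomobject]@{
        Right                 = $name
        Policy                = $rights[$name]
        Holders               = $names -join '; '
        AdministratorsPresent = $sids -contains $adminsSid
    }
}
$report | Format-Table -AutoSize -Wrap

# Flag the situation the reply warns about: the GPO list no longer includes Administrators.
$report | Where-Object { -not $_.AdministratorsPresent } | ForEach-Object {
    Write-Warning "$($_.Right): BUILTIN\Administrators is missing from '$($_.Policy)'"
}
```

The Holders column also shows whether Domain Admins and the tech group appear where expected, and that no other principal picked up either right.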

