Privilege question

  • Thread starter Thread starter Rob
  • Start date Start date
R

Rob

Hi,
Is there any way I can give a person permission to ONLY
shutdown or reboot a win2k server, I dont want him to be
able doing anything else.
Thanks-Rob
 
Dear Rob,

Thank you for your post.

I am not very clear about your requirements. Could you let me know more in
detail?

To adjust the Windows 2000 right for a user or group of users, we can use a
Windows 2000 Resource Kit tool called NTRights.exe.

NTRights Syntax:

ntrights {-r Right | +r Right} -u UserOrGroup [-m \\Computer] [-e Entry]
[-?]

In Windows 2000 Resource Kit document, you can get a list of Windows 2000
rights (and their meanings) that can be granted or revoked with NTRights.
For example, SeShutdownPrivilege controls the privilege of shutting down
the system.

I hope the above information helps. Thanks!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Content-Class: urn:content-classes:message
|From: "Rob" <[email protected]>
|Sender: "Rob" <[email protected]>
|Subject: Privilege question
|Date: Tue, 16 Sep 2003 12:18:20 -0700
|Lines: 5
|Message-ID: <[email protected]>
|MIME-Version: 1.0
|Content-Type: text/plain;
| charset="iso-8859-1"
|Content-Transfer-Encoding: 7bit
|X-Newsreader: Microsoft CDO for Windows 2000
|Thread-Index: AcN8h0oBSuAmB1jNSHeCDvKcYBZdzQ==
|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|Newsgroups: microsoft.public.win2000.group_policy
|Path: cpmsftngxa07.phx.gbl
|Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.group_policy:13629
|NNTP-Posting-Host: tk2msftngxa12.phx.gbl 10.40.1.164
|X-Tomcat-NG: microsoft.public.win2000.group_policy
|
|Hi,
|Is there any way I can give a person permission to ONLY
|shutdown or reboot a win2k server, I dont want him to be
|able doing anything else.
|Thanks-Rob
|
 
Thanks Joe,
But the main problem is, I dont want this user to be able
doing anything else, just shutdown or rebooting machine.
Rob
 
Dear Rob,

Thank you for your response.

We can use the ntrights utility to grant the user the SeShutdownPrivilege
right using the following command:

ntrights +r SeShutdownPrivilege -u USERNAME

And revoke other rights using commands like the following one:

ntrights -r SeNetworkLogonRight -u USERNAME

(If the user does not have the right, the revoke command may return an
error message which can be ignored.)

Reference:

245207 How to: Determine NTRIGHTS Names and Meanings
http://support.microsoft.com/?id=245207

By the way, could let me know why do you want to only grant a user the
permission to shutdown/restart? The reason why I ask this question is I
think that we cannot use this kind of user account if it only has shutdown
right. Maybe we can use other methods to achieve the same requirements.

Thanks!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Content-Class: urn:content-classes:message
|From: "Rob" <[email protected]>
|Sender: "Rob" <[email protected]>
|References: <[email protected]>
<[email protected]>
|Subject: RE: Privilege question
|Date: Wed, 17 Sep 2003 05:38:02 -0700
|Lines: 80
|Message-ID: <[email protected]>
|MIME-Version: 1.0
|Content-Type: text/plain;
| charset="iso-8859-1"
|Content-Transfer-Encoding: 7bit
|X-Newsreader: Microsoft CDO for Windows 2000
|Thread-Index: AcN9GIi915BgAnYFStGJZFgQ+B2dSQ==
|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|Newsgroups: microsoft.public.win2000.group_policy
|Path: cpmsftngxa06.phx.gbl
|Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.group_policy:13734
|NNTP-Posting-Host: TK2MSFTNGXA08 10.40.1.160
|X-Tomcat-NG: microsoft.public.win2000.group_policy
|
|Thanks Joe,
|But the main problem is, I dont want this user to be able
|doing anything else, just shutdown or rebooting machine.
|Rob
|
|>-----Original Message-----
|>Dear Rob,
|>
|>Thank you for your post.
|>
|>I am not very clear about your requirements. Could you
|let me know more in
|>detail?
|>
|>To adjust the Windows 2000 right for a user or group of
|users, we can use a
|>Windows 2000 Resource Kit tool called NTRights.exe.
|>
|>NTRights Syntax:
|>
|>ntrights {-r Right | +r Right} -u UserOrGroup [-m
|\\Computer] [-e Entry]
|>[-?]
|>
|>In Windows 2000 Resource Kit document, you can get a list
|of Windows 2000
|>rights (and their meanings) that can be granted or
|revoked with NTRights.
|>For example, SeShutdownPrivilege controls the privilege
|of shutting down
|>the system.
|>
|>I hope the above information helps. Thanks!
|>
|>Regards,
|>Joe Wu
|>Product Support Services
|>Microsoft Corporation
|>
|>Get Secure! - www.microsoft.com/security
|>
|>====================================================
|>When responding to posts, please "Reply to Group" via
|your newsreader so
|>that others may learn and benefit from your issue.
|>====================================================
|>This posting is provided "AS IS" with no warranties, and
|confers no rights.
|>
|>--------------------
|>|Content-Class: urn:content-classes:message
|>|From: "Rob" <[email protected]>
|>|Sender: "Rob" <[email protected]>
|>|Subject: Privilege question
|>|Date: Tue, 16 Sep 2003 12:18:20 -0700
|>|Lines: 5
|>|Message-ID: <[email protected]>
|>|MIME-Version: 1.0
|>|Content-Type: text/plain;
|>| charset="iso-8859-1"
|>|Content-Transfer-Encoding: 7bit
|>|X-Newsreader: Microsoft CDO for Windows 2000
|>|Thread-Index: AcN8h0oBSuAmB1jNSHeCDvKcYBZdzQ==
|>|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|>|Newsgroups: microsoft.public.win2000.group_policy
|>|Path: cpmsftngxa07.phx.gbl
|>|Xref: cpmsftngxa07.phx.gbl
|microsoft.public.win2000.group_policy:13629
|>|NNTP-Posting-Host: tk2msftngxa12.phx.gbl 10.40.1.164
|>|X-Tomcat-NG: microsoft.public.win2000.group_policy
|>|
|>|Hi,
|>|Is there any way I can give a person permission to ONLY
|>|shutdown or reboot a win2k server, I dont want him to be
|>|able doing anything else.
|>|Thanks-Rob
|>|
|>
|>.
|>
|
 
Well, because some times we have to reboot a server by
somebody which we dont want him to be able doing anything
else.
Rob
-----Original Message-----
Dear Rob,

Thank you for your response.

We can use the ntrights utility to grant the user the SeShutdownPrivilege
right using the following command:

ntrights +r SeShutdownPrivilege -u USERNAME

And revoke other rights using commands like the following one:

ntrights -r SeNetworkLogonRight -u USERNAME

(If the user does not have the right, the revoke command may return an
error message which can be ignored.)

Reference:

245207 How to: Determine NTRIGHTS Names and Meanings
http://support.microsoft.com/?id=245207

By the way, could let me know why do you want to only grant a user the
permission to shutdown/restart? The reason why I ask this question is I
think that we cannot use this kind of user account if it only has shutdown
right. Maybe we can use other methods to achieve the same requirements.

Thanks!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Content-Class: urn:content-classes:message
|From: "Rob" <[email protected]>
|Sender: "Rob" <[email protected]>
|References: <[email protected]>
<[email protected]>
|Subject: RE: Privilege question
|Date: Wed, 17 Sep 2003 05:38:02 -0700
|Lines: 80
|Message-ID: <[email protected]>
|MIME-Version: 1.0
|Content-Type: text/plain;
| charset="iso-8859-1"
|Content-Transfer-Encoding: 7bit
|X-Newsreader: Microsoft CDO for Windows 2000
|Thread-Index: AcN9GIi915BgAnYFStGJZFgQ+B2dSQ==
|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|Newsgroups: microsoft.public.win2000.group_policy
|Path: cpmsftngxa06.phx.gbl
|Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.group_policy:13734
|NNTP-Posting-Host: TK2MSFTNGXA08 10.40.1.160
|X-Tomcat-NG: microsoft.public.win2000.group_policy
|
|Thanks Joe,
|But the main problem is, I dont want this user to be able
|doing anything else, just shutdown or rebooting machine.
|Rob
|
|>-----Original Message-----
|>Dear Rob,
|>
|>Thank you for your post.
|>
|>I am not very clear about your requirements. Could you
|let me know more in
|>detail?
|>
|>To adjust the Windows 2000 right for a user or group of
|users, we can use a
|>Windows 2000 Resource Kit tool called NTRights.exe.
|>
|>NTRights Syntax:
|>
|>ntrights {-r Right | +r Right} -u UserOrGroup [-m
|\\Computer] [-e Entry]
|>[-?]
|>
|>In Windows 2000 Resource Kit document, you can get a list
|of Windows 2000
|>rights (and their meanings) that can be granted or
|revoked with NTRights.
|>For example, SeShutdownPrivilege controls the privilege
|of shutting down
|>the system.
|>
|>I hope the above information helps. Thanks!
|>
|>Regards,
|>Joe Wu
|>Product Support Services
|>Microsoft Corporation
|>
|>Get Secure! - www.microsoft.com/security
|>
|>====================================================
|>When responding to posts, please "Reply to Group" via
|your newsreader so
|>that others may learn and benefit from your issue.
|>====================================================
|>This posting is provided "AS IS" with no warranties, and
|confers no rights.
|>
|>--------------------
|>|Content-Class: urn:content-classes:message
|>|From: "Rob" <[email protected]>
|>|Sender: "Rob" <[email protected]>
|>|Subject: Privilege question
|>|Date: Tue, 16 Sep 2003 12:18:20 -0700
|>|Lines: 5
|>|Message-ID: <[email protected]>
|>|MIME-Version: 1.0
|>|Content-Type: text/plain;
|>| charset="iso-8859-1"
|>|Content-Transfer-Encoding: 7bit
|>|X-Newsreader: Microsoft CDO for Windows 2000
|>|Thread-Index: AcN8h0oBSuAmB1jNSHeCDvKcYBZdzQ==
|>|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|>|Newsgroups: microsoft.public.win2000.group_policy
|>|Path: cpmsftngxa07.phx.gbl
|>|Xref: cpmsftngxa07.phx.gbl
|microsoft.public.win2000.group_policy:13629
|>|NNTP-Posting-Host: tk2msftngxa12.phx.gbl 10.40.1.164
|>|X-Tomcat-NG: microsoft.public.win2000.group_policy
|>|
|>|Hi,
|>|Is there any way I can give a person permission to ONLY
|>|shutdown or reboot a win2k server, I dont want him to be
|>|able doing anything else.
|>|Thanks-Rob
|>|
|>
|>.
|>
|

.
 
Dear Rob,

Thank you for your update.

I have analyzed your requirements and I think that we can use the following
method:

1. Create a domain user account. For example, Domain\UserABC.
2. Configure the related group policy object for the server. For example,
if the server is a DC, we can adjust the Domain Controller Security Policy
(which can be accessed in "Administrator Tools". For other member server,
we can use local group policy.

2.1) Edit the related group policy object.
2.2) Browse to "Windows Settings"->"Security Settings"->"Local
Policies"->"User Rights Assignment", double-click "Force shutdown from a
remote system" in the right pane, and add Domain\UserABC.
2.3) Manually impose the group policy settings by running the command below:

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

3. Then the user (Domain\UserABC) can use another Windows 2000 Resource Kit
tool shutdown.exe to remotely restart the server. We can use the following
command:

shutdown.exe \\#.#.#.# /r

Where #.#.#.# is the IP address of the server.

Using this method, even if the user (Domain\UserABC) does not have other
rights on the server (for example, the user cannot logon locally to that
server and has no access to the local NTFS folders on the server), he is
still able to restart the server.

I have tested this method in my lab environment.

I hope you like this method. If there is anything unclear, please feel free
to let me know. Thank you and have a great weekend!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Content-Class: urn:content-classes:message
|From: "Rob" <[email protected]>
|Sender: "Rob" <[email protected]>
|References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
|Subject: RE: Privilege question
|Date: Thu, 18 Sep 2003 05:49:13 -0700
|Lines: 170
|Message-ID: <[email protected]>
|MIME-Version: 1.0
|Content-Type: text/plain;
| charset="iso-8859-1"
|Content-Transfer-Encoding: 7bit
|X-Newsreader: Microsoft CDO for Windows 2000
|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|Thread-Index: AcN940Lu0UWotLU8Sbq1KfMXA6orvA==
|Newsgroups: microsoft.public.win2000.group_policy
|Path: cpmsftngxa06.phx.gbl
|Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.group_policy:13802
|NNTP-Posting-Host: TK2MSFTNGXA14 10.40.1.166
|X-Tomcat-NG: microsoft.public.win2000.group_policy
|
|Well, because some times we have to reboot a server by
|somebody which we dont want him to be able doing anything
|else.
|Rob
|
|>-----Original Message-----
|>Dear Rob,
|>
|>Thank you for your response.
|>
|>We can use the ntrights utility to grant the user the
|SeShutdownPrivilege
|>right using the following command:
|>
|>ntrights +r SeShutdownPrivilege -u USERNAME
|>
|>And revoke other rights using commands like the following
|one:
|>
|>ntrights -r SeNetworkLogonRight -u USERNAME
|>
|>(If the user does not have the right, the revoke command
|may return an
|>error message which can be ignored.)
|>
|>Reference:
|>
|>245207 How to: Determine NTRIGHTS Names and Meanings
|>http://support.microsoft.com/?id=245207
|>
|>By the way, could let me know why do you want to only
|grant a user the
|>permission to shutdown/restart? The reason why I ask this
|question is I
|>think that we cannot use this kind of user account if it
|only has shutdown
|>right. Maybe we can use other methods to achieve the same
|requirements.
|>
|>Thanks!
|>
|>Regards,
|>Joe Wu
|>Product Support Services
|>Microsoft Corporation
|>
|>Get Secure! - www.microsoft.com/security
|>
|>====================================================
|>When responding to posts, please "Reply to Group" via
|your newsreader so
|>that others may learn and benefit from your issue.
|>====================================================
|>This posting is provided "AS IS" with no warranties, and
|confers no rights.
|>
|>--------------------
|>|Content-Class: urn:content-classes:message
|>|From: "Rob" <[email protected]>
|>|Sender: "Rob" <[email protected]>
|>|References: <[email protected]>
|><[email protected]>
|>|Subject: RE: Privilege question
|>|Date: Wed, 17 Sep 2003 05:38:02 -0700
|>|Lines: 80
|>|Message-ID: <[email protected]>
|>|MIME-Version: 1.0
|>|Content-Type: text/plain;
|>| charset="iso-8859-1"
|>|Content-Transfer-Encoding: 7bit
|>|X-Newsreader: Microsoft CDO for Windows 2000
|>|Thread-Index: AcN9GIi915BgAnYFStGJZFgQ+B2dSQ==
|>|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|>|Newsgroups: microsoft.public.win2000.group_policy
|>|Path: cpmsftngxa06.phx.gbl
|>|Xref: cpmsftngxa06.phx.gbl
|microsoft.public.win2000.group_policy:13734
|>|NNTP-Posting-Host: TK2MSFTNGXA08 10.40.1.160
|>|X-Tomcat-NG: microsoft.public.win2000.group_policy
|>|
|>|Thanks Joe,
|>|But the main problem is, I dont want this user to be
|able
|>|doing anything else, just shutdown or rebooting machine.
|>|Rob
|>|
|>|>-----Original Message-----
|>|>Dear Rob,
|>|>
|>|>Thank you for your post.
|>|>
|>|>I am not very clear about your requirements. Could you
|>|let me know more in
|>|>detail?
|>|>
|>|>To adjust the Windows 2000 right for a user or group of
|>|users, we can use a
|>|>Windows 2000 Resource Kit tool called NTRights.exe.
|>|>
|>|>NTRights Syntax:
|>|>
|>|>ntrights {-r Right | +r Right} -u UserOrGroup [-m
|>|\\Computer] [-e Entry]
|>|>[-?]
|>|>
|>|>In Windows 2000 Resource Kit document, you can get a
|list
|>|of Windows 2000
|>|>rights (and their meanings) that can be granted or
|>|revoked with NTRights.
|>|>For example, SeShutdownPrivilege controls the privilege
|>|of shutting down
|>|>the system.
|>|>
|>|>I hope the above information helps. Thanks!
|>|>
|>|>Regards,
|>|>Joe Wu
|>|>Product Support Services
|>|>Microsoft Corporation
|>|>
|>|>Get Secure! - www.microsoft.com/security
|>|>
|>|>====================================================
|>|>When responding to posts, please "Reply to Group" via
|>|your newsreader so
|>|>that others may learn and benefit from your issue.
|>|>====================================================
|>|>This posting is provided "AS IS" with no warranties,
|and
|>|confers no rights.
|>|>
|>|>--------------------
|>|>|Content-Class: urn:content-classes:message
|>|>|From: "Rob" <[email protected]>
|>|>|Sender: "Rob" <[email protected]>
|>|>|Subject: Privilege question
|>|>|Date: Tue, 16 Sep 2003 12:18:20 -0700
|>|>|Lines: 5
|>|>|Message-ID: <[email protected]>
|>|>|MIME-Version: 1.0
|>|>|Content-Type: text/plain;
|>|>| charset="iso-8859-1"
|>|>|Content-Transfer-Encoding: 7bit
|>|>|X-Newsreader: Microsoft CDO for Windows 2000
|>|>|Thread-Index: AcN8h0oBSuAmB1jNSHeCDvKcYBZdzQ==
|>|>|X-MimeOLE: Produced By Microsoft MimeOLE
|V5.50.4910.0300
|>|>|Newsgroups: microsoft.public.win2000.group_policy
|>|>|Path: cpmsftngxa07.phx.gbl
|>|>|Xref: cpmsftngxa07.phx.gbl
|>|microsoft.public.win2000.group_policy:13629
|>|>|NNTP-Posting-Host: tk2msftngxa12.phx.gbl 10.40.1.164
|>|>|X-Tomcat-NG: microsoft.public.win2000.group_policy
|>|>|
|>|>|Hi,
|>|>|Is there any way I can give a person permission to
|ONLY
|>|>|shutdown or reboot a win2k server, I dont want him to
|be
|>|>|able doing anything else.
|>|>|Thanks-Rob
|>|>|
|>|>
|>|>.
|>|>
|>|
|>
|>.
|>
|
 
Back
Top