October 13th, 2002, 20:32 PM
Shutdown works but....
! NEWLY DISCOVERED strangeness. Under desperate testing measures, I changed all users to be members of everything. I FINALLY got remote shutdown to work! The **** ONLY **** way the shutdown was successful was to give the GUEST account to be members of everything. Works great at this point! If you remove any of the names on "members of" list, then it goes back to "access denied". Also, no other user, including newly created users with full group membership or the ADMINISTRATOR will authorize a remote shutdown. This is one of the most bizarre things I have ever seen. I would have guessed that maybe I had a Bad SID, or corrupt user database but the behavior is the same throughout the XP network. This is definately one for the think tank.
October 13th, 2002, 21:01 PM
Don't get me wrong or take this as flame, but ...
Your work-around kind of defeats the purpose of an admin policy.
That is not strange at all and does not take any thought. The whole idea of an admin account is to permit or denie access to vital system functions and tasks be it a single PC with multiple users (including guests) and networked PCs (work stations).
You have to ask yourself, "Why would you allow any type of user to execute a remote shutdown?" The reasons are obvious. Now if you have more than one admin and your admin policy allows for more than one admin to execute a remote shutdown (wise) then all you do is share the same password. This is handy if you are in a remote location and want to shutdown your system in the event of planned power outtages (California) or hear of an outside exploit attempt occuring on your network.
I would be more concerned about creating an Admin Policy if you are in a professional environment. If you are digging and exploring in your spare time ... Have Fun Cuz I Can Dig It
Avatar by Brudda EggHead
October 13th, 2002, 21:42 PM
Thank you for your reply Msnwar. I definately understand that this in no means is a workaround, merely stating the only change that would enable the remote shutdown to execute. This is all in an NT/2K/XP test Lab I have developed for my MCSE studies, which is why it bothers me why I would EVEN NEED the Guest account (or any account mind you) wide open to grant remote authority. The XP network is not a member of a Domain and the more I read into Keberos Achitecture, the more it sounds like that most all of the remote security features behave properly when their is a domain model implemented, so I am going to switch the "role" of those workstations so they must log into a domain controller. The Administrators authentication processses is limited otherwise. Thanks! any other thoughts..keep them coming!!
October 13th, 2002, 22:00 PM
did you post the same topic twice?
heres a couple things
Shutdown.exe is a simple command line utility that can:
Log Off the current user
Shutdown (Turn Off) the computer
Restart the computer
Hibernate the computer (note that hibernation has to be enabled!)
Put the computer into Stand By (Sleep)
Shutdown Command - Disable
Computer Configurations/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Shut Down the System/Users/Remove.
There may be certain machines that you do not want to be shut down; for instance, a workgroup print server, or a machine in a kiosk. With this Registry edit, you can take away that option: Start/Run/Regedit
Data Type: REG_DWORD
Shutdown.exe for Windows XP
Copy the line below to Notepad: Name it and save with a JS extension.
The Shutdown Event Tracker provides a simple and standard mechanism you can use to consistently document the reasons for shutting down or restarting your computer. The information provided is recorded in the system log in Event Viewer.
Go to Start/Run/Regedit and navigate to:
Create a new DWORD value or modify the existing value named "ShutdownReasonUI" and set it to "1" to enable shutdown event tracking. When enabled an additional drop-down option box will be displayed with various planned and unplanned shutdown reasons. Restart Windows for the change to take effect.
did you get sp1?
October 13th, 2002, 23:57 PM
I deleted the duplicate post, please do not post duplicate threads.