Restart script for domain users

TheMSsForum.com: The Microsoft Software Forum

Hi folks,

I'm trying to write a script (still not sure it is the best option though)
to allow our end users to restart their PCs each night. Here is our scenario:

-users do not have access to the command prompt (blocked by GP)
-users do not have access to shutdown or restart the computers (blocked by GP)
-users do not have admin rights
-we want user's to reboot their systems every night without having the
option to shut the machine off

Now here are the two options I think we have, I would prefer the first but
I'm working on the second at the moment:

1) Use group policy to bock access to Shutdown but allow access to Restart.
Alternatively we could do this by a reg hack but I don't have any clue how to
do it either way.

2) Create a script that we can place on each user's Start Menu to reboot the
computer. This script would need to run with elevated privileges (we have an
account we can use which has access to reboot the workstations).

I'm really new to scripting so I'm kind of fumbling my way along here but I
have managed to write a script (with help from a couple sites) that reboots a
test workstation using alternate credentials but the command prompt is not
blocked on that system. When I do block it, the script doesn't work - says
action blocked by policy.

Does anyone have any ideas on how I can go about doing this?

Now my second question on this script. As I need to embed the username and
password in the file, is there any way to prevent users from being able to
view this account information (we have a couple savvy folks).

And my last question (I promise) - when I double-click on the script while
logged in as a regular user (not power user) it doesn't work but if I launch
it from a command prompt it does. When I double click on it as administrator
it works with no problems. How do I get around this?

Any and all help is greatly appreciated!!!!

Thanks in advance,
Nancy
Top

RE: Restart script for domain users by NancyR

NancyR
Thu Dec 29 09:24:20 CST 2005

Small update. There was a glitch on the test box, the script does work when
you double-click on it while logged in as a regular user.

Sorry for the confusion.

Nancy

"Nancy R" wrote:

> Hi folks,
>
> I'm trying to write a script (still not sure it is the best option though)
> to allow our end users to restart their PCs each night. Here is our scenario:
>
> -users do not have access to the command prompt (blocked by GP)
> -users do not have access to shutdown or restart the computers (blocked by GP)
> -users do not have admin rights
> -we want user's to reboot their systems every night without having the
> option to shut the machine off
>
> Now here are the two options I think we have, I would prefer the first but
> I'm working on the second at the moment:
>
> 1) Use group policy to bock access to Shutdown but allow access to Restart.
> Alternatively we could do this by a reg hack but I don't have any clue how to
> do it either way.
>
> 2) Create a script that we can place on each user's Start Menu to reboot the
> computer. This script would need to run with elevated privileges (we have an
> account we can use which has access to reboot the workstations).
>
> I'm really new to scripting so I'm kind of fumbling my way along here but I
> have managed to write a script (with help from a couple sites) that reboots a
> test workstation using alternate credentials but the command prompt is not
> blocked on that system. When I do block it, the script doesn't work - says
> action blocked by policy.
>
> Does anyone have any ideas on how I can go about doing this?
>
> Now my second question on this script. As I need to embed the username and
> password in the file, is there any way to prevent users from being able to
> view this account information (we have a couple savvy folks).
>
> And my last question (I promise) - when I double-click on the script while
> logged in as a regular user (not power user) it doesn't work but if I launch
> it from a command prompt it does. When I double click on it as administrator
> it works with no problems. How do I get around this?
>
> Any and all help is greatly appreciated!!!!
>
> Thanks in advance,
> Nancy
Top

RE: Restart script for domain users by Sebastian

Sebastian
Thu Dec 29 11:22:02 CST 2005

> 2) Create a script that we can place on each user's Start Menu to reboot the
> computer. This script would need to run with elevated privileges (we have an
> account we can use which has access to reboot the workstations).

I think you could execute commands using vbscript under different
credentials by impersonation but it could be difficult to keep the
credentials secret as they are stored in plain text. And even MS Script
Encoder has an very easy to find counterpart *g*

I would try using the scripting language AutoIt, you can then compile and
encrypt a little stand-alone exe-application to execute the shutdown command
under different credentials... (Look out for the built-in functions
"RunAsSet" and "Run")

http://www.autoitscript.com/autoit3/
Top

Re: Restart script for domain users by Al

Al
Thu Dec 29 12:48:12 CST 2005


"Nancy R" <NancyR@discussions.microsoft.com> wrote in message
news:4ED3CC3D-1BC1-4DC2-A942-D87F45A2BC1F@microsoft.com...
> Hi folks,
>
> I'm trying to write a script (still not sure it is the best option though)
> to allow our end users to restart their PCs each night. Here is our
scenario:
>
> -users do not have access to the command prompt (blocked by GP)
> -users do not have access to shutdown or restart the computers (blocked by
GP)
> -users do not have admin rights
> -we want user's to reboot their systems every night without having the
> option to shut the machine off

As an aside, have you managed to keep them from hitting the powerswitch,
unplugging the computer, or getting into the room where the circuit breakers
are located?

> Now here are the two options I think we have, I would prefer the first but
> I'm working on the second at the moment:
>
> 1) Use group policy to bock access to Shutdown but allow access to
Restart.
> Alternatively we could do this by a reg hack but I don't have any clue how
to
> do it either way.

If the GPO is that granular, I agree this would be the best option.

> 2) Create a script that we can place on each user's Start Menu to reboot
the
> computer. This script would need to run with elevated privileges (we have
an
> account we can use which has access to reboot the workstations).
>
> I'm really new to scripting so I'm kind of fumbling my way along here but
I
> have managed to write a script (with help from a couple sites) that
reboots a
> test workstation using alternate credentials but the command prompt is not
> blocked on that system. When I do block it, the script doesn't work -
says
> action blocked by policy.
>
> Does anyone have any ideas on how I can go about doing this?
>
> Now my second question on this script. As I need to embed the username
and
> password in the file, is there any way to prevent users from being able to
> view this account information (we have a couple savvy folks).

IMHO, this is not possible. It is the user's account that needs access to
this information in order to use it to create a session running with the
alternate credentials. The only thing you can do is to obfuscate the
information, but then you lose the ability to accurately measure the risk of
exposure.

/Al


Top

Re: Restart script for domain users by billy

billy
Mon Jan 02 17:22:57 CST 2006

i believe that startup scripts run as system (not as the user), so you
could schedule a reboot for some off hour as part of a startup script.

Top