Looks right, but they might possibly also need the "shut down the system" right 
as well...

Sent from my slightly schizophrenic, but rather cool, BlackBerry Android
From: oozerd...@gmail.com
Sent: 20 January 2017 5:49 p.m.
To: ntsysadm@lists.myitforum.com
Reply to: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Adding *only* reboot right for domain user to a local host, 
remotely ...


(I really wish my boss wouldn't ask about this type of stuff at noon on a 
Friday, when I have to leave by 4PM ...)

Anyway, what he wants to do: he wants our techs to be able to use a domain 
account, log into domain member servers, run Windows Update, *and* then be able 
to tell it to reboot.
And he does NOT want to add this domain account to local Administrators group.

(don't ask, it's a long story)

I *think* I can do this with a GPO

----------------

Computer Configuration > Policies > Windows Settings > Security Settings > 
Local Policies > User Rights Assignment > Force shutdown from a remote system

Simply add account(s) in question to this policy and they will be able to 
reboot servers remotely.

----------------

Problem is, I haven't tested this yet, and he (ideally) wants this in place so 
the techs can install Windows updates on Sunday. And no way do I want to roll 
this out to all production servers without testing it first (which I don't 
have time to do before I have to leave today).

Is this the best way to give a domain user only the right to reboot a server, 
without giving them any other rights? (I have a GPO that assigns WSUS settings 
via OU and group membership; I could either add it to that one, or make a new, 
and assign it to that same OU and group membership)
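
Added example, not part of the original thread: a PowerShell check to run elevated on one test server after the GPO has applied, listing which accounts hold the two rights discussed above ("Force shutdown from a remote system" and "Shut down the system"). The scratch file name and the helper function name are assumptions made for this example.

```powershell
# Added example: audit the two shutdown-related user rights on the local host.
# Run from an elevated prompt on a test server once the GPO has been applied.
$rights = [ordered]@{
    'SeRemoteShutdownPrivilege' = 'Force shutdown from a remote system'
    'SeShutdownPrivilege'       = 'Shut down the system'
}

# secedit exports the effective local security policy as an INF file.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'   # assumed scratch path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the prompt elevated?)' }

# Hypothetical helper: entries are either "*<SID>" or a plain account name.
function Resolve-Principal([string]$Entry) {
    if ($Entry -match '^\*(S-1-.+)$') {
        $sidText = $Matches[1]
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return "$sidText (unresolved SID)"   # e.g. deleted or unreachable account
        }
    }
    return $Entry
}

$lines  = Get-Content $cfg
$report = foreach ($name in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        # Format: SeXxxPrivilege = *S-1-5-32-544,*S-1-5-21-...
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { Resolve-Principal $_.Trim() }
    }   # a right missing from the export has no accounts assigned
    [pscustomobject]@{
        Right   = $rights[$name]
        Holders = ($holders -join '; ')
    }
}

Remove-Item $cfg -Force
$report | Format-List
```

Comparing the output before and after the policy applies shows exactly which principals gained each right, and that the tech account was not added anywhere else.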

