The script itself is not complicated: it reads computer names from the file given as the script parameter and tries to reboot each computer using WMI. The reason I want to share it is that such operations are usually run with a user account that has administrative rights on the target system. For routine bulk operations like this, we would rather use an account with tightly restricted rights, so that it cannot be used to perform unauthorized operations. A regular user with standard rights, however, will not be enough.
First, a reminder of how to shut down a computer from a script. We get the WMI object Win32_OperatingSystem and call its Win32Shutdown method. To call this method we need the right to shut down the computer. But to reach the method we first need the object, and to get the object we need access to the WMI namespace it lives in, which means we need permissions on that namespace. WMI is exposed through DCOM, so to reach WMI at all we also need permission to access DCOM on the remote computer.
So, to allow a standard user account to be used for remote computer shutdown, we have to perform the following steps:
1. Grant the user DCOM remote launch and activation permissions.
2. Allow the user access to a specific WMI namespace. In our case it is the namespace \root\cimv2.
3. Grant the user the Force shutdown from a remote system right.
Let's go through it step by step:
Granting DCOM remote launch and activation permissions
- Run DCOMCNFG. Alternatively, open Component Services from Administrative Tools, or run mmc and add the Component Services snap-in. The result is the same.
- Expand Component Services and then expand Computers. You probably won't find many computers there, just the one we need.
- Open the properties of My Computer.
- Switch to the COM Security tab.
- Click the Edit Limits button in the Access Permissions section.
- Ensure that either Everyone or ANONYMOUS LOGON has the Remote Access permission. Usually Everyone has both Local Access and Remote Access, so there is nothing to do here but verify.
- Click the Edit Limits button in the Launch and Activation Permissions section.
- Add the required user and grant them the Remote Launch and Remote Activation permissions.
That should be enough to allow your user to remotely launch and activate DCOM. Now we need access to the WMI namespace in order to get the Win32_OperatingSystem object.
Allowing users access to a specific WMI namespace
- Open Computer Management.
- Expand Services and Applications.
- Click WMI Control and then open its properties.
- Switch to the Security tab.
- Expand Root, select CIMV2 and click the Security button.
- Add the required user and grant them the Remote Enable permission. This permission is sufficient; there is no need to grant all permissions.
Now the user can access and launch the DCOM object remotely and can get a WMI object from the namespace \root\cimv2. The only thing left is to allow the user to shut down the computer remotely.
Granting the user the right to shut down the computer remotely
- Run secpol.msc. If the computers are domain members, do this through Group Policy instead. That is the preferable way anyway, because then there is no need to repeat it on each computer.
- Expand Security Settings. In a GPO, Security Settings is found under Computer Configuration\Windows Settings.
- Expand Local Policies and then expand User Rights Assignment.
- Find Force shutdown from a remote system, open it and add the required user.
That's all. Now run the script and enjoy.
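The script described above, written here as an added example (not the author's original script): it reads one computer name per line from the file given as a parameter, connects to root\cimv2 over DCOM with the restricted account, and calls Win32Shutdown. The parameter names, the credential object and the mapping of error codes to the three permission steps are my assumptions, so treat the comments as guidance for troubleshooting rather than a guarantee.

```powershell
# Added example: reboot each computer listed in a text file via WMI,
# using a restricted account that has only the three permissions described above.
# Assumptions (not from the original post): one computer name per line,
# and a PSCredential for the restricted account supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$ComputerListPath,
    [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
)

# Win32Shutdown flags: 2 = reboot, 4 = forced; 6 = forced reboot.
$ForcedReboot = 6

$computers = Get-Content -Path $ComputerListPath | Where-Object { $_.Trim() -ne '' }

foreach ($computer in $computers) {
    $computer = $computer.Trim()
    try {
        # Connecting to root\cimv2 over DCOM exercises steps 1 and 2
        # (DCOM launch/activation limits and Remote Enable on the namespace).
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
                            -ComputerName $computer -Credential $Credential -ErrorAction Stop
    }
    catch {
        # Typically: HRESULT 0x80070005 (E_ACCESSDENIED) means DCOM refused the
        # connection (step 1); 0x80041003 (WBEM_E_ACCESS_DENIED) means the
        # namespace ACL refused it (step 2).
        Write-Warning ("{0}: cannot get Win32_OperatingSystem: {1}" -f $computer, $_.Exception.Message)
        continue
    }

    # The method call itself needs the "Force shutdown from a remote system" right (step 3).
    $result = $os.Win32Shutdown($ForcedReboot)
    switch ($result.ReturnValue) {
        0       { Write-Host ("{0}: reboot initiated" -f $computer) }
        1314    { Write-Warning ("{0}: account lacks the remote shutdown right (ERROR_PRIVILEGE_NOT_HELD)" -f $computer) }
        default { Write-Warning ("{0}: Win32Shutdown returned {1}" -f $computer, $result.ReturnValue) }
    }
}
```

Run it as `.\Restart-Computers.ps1 -ComputerListPath .\computers.txt -Credential (Get-Credential)` from Windows PowerShell; Get-WmiObject is not available in PowerShell 7, where the CIM cmdlets with a DCOM session option would be the equivalent.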