
Not sure if this is the best way to achieve this but here is the background and the goal.

BACKGROUND We are a small business. Sometimes myself or the other person who is capable of dealing with an email outage is not available.... Usually it is as simple as restarting the old and tired out exchange box to bring it back online... this is obviously a temporary fix till I can get to the cause of the particular outage. But the idea is to limit the downtime caused by this to our call center.

GOAL: I want to setup a one time use Admin account. OR write a scrip that allows the user to simply restart the server.

Understand this user's current account is limited to just a domain user, not an admin of any type.

Additional Information: The idea with a one time use account is that the user can use it once. Log in, make changes, and once they are done and logged out the account is then locked out, has its password changed, or is disabled. Anything to stop them from using it a second time. This way there is some accountability on the user to use it only for emergencies and for its intended purpose, and not as an easy way to adjust their limited account or install software, among other things.

As for the script, I understand that due to the limited permissions on standard users this user would be unable, using their current permissions, to do a PSSHUTDOWN.EXE on the exchange box remotely. So we would have to come up with a good method to allow the user to do a restart. Should be a simple VB script, which is not the issue. My issue is creating some form of security allowing them to type in just maybe a password to have the process commence. Bonus points if you can include stopping of services in the script, things like:

net stop "Microsoft Exchange Information Store"

I can fill in the others once I see how you implement the first one.

I feel the second plan seems a lot safer. This way I can just use security by obscurity. Not tell him the RDP port and not have him actually on the system but more so just using a password to activate the restart.

So any assistance with this is greatly appreciated. Alternative suggestions are always welcome.

Campo

2 Answers

Using PowerShell I think this should work, though I haven't tested this at all for obvious reasons. I suggest creating an exchange administrator account and adding it to the exchange server's local admin group. Give this account full permissions in AD over itself (I'm actually not sure if user accounts by default are able to disable themselves). Then save the PowerShell script below on the network and put a shortcut CMD file to it on the desktop of whoever is going to run it. Show them how to use the "Run as a different user" feature (hold shift when right clicking). The CMD file just needs:

powershell . \\server\share\script.ps1

The PowerShell script can be quite short:

# Stop the service (substitute the Exchange service name and server for Spooler / ComputerName)
(Get-WmiObject Win32_Service -Filter "Name='Spooler'" -ComputerName ComputerName).StopService()

# Check service status; add a While loop if needed.
# This returns the state of the named service.
(Get-WmiObject -Query "SELECT * FROM Win32_Service WHERE Name='Spooler'" -ComputerName ComputerName).State

Restart-Computer -ComputerName ExchangeServerName

# Import the ActiveDirectory module
Import-Module ActiveDirectory

# Disable the account.
# $username is the account running this via RunAs; substitute the name of the
# newly created account instead if you prefer.
# (Set-User is an Exchange cmdlet with no -Enabled parameter; Disable-ADAccount is the AD cmdlet.)
$username = $env:USERNAME
Disable-ADAccount -Identity $username

The user(s) can have the password, as once this script is run it will disable the account until you or a user with appropriate credentials can re-enable it.

Additionally, for security purposes, you may want to put that new account into policy to prevent it from logging on interactively or otherwise. In a GPO applied to [perhaps all workstations and servers]: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Deny log on locally and Deny log on through Remote Desktop Services

Jordan W.
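A tightened version of the one-shot script idea above, added here as an example and not Jordan W.'s code: it stops the Exchange services in a fixed order and waits for each to report Stopped, appends a line to a log for accountability, and disables the account in a finally block so the one-time account is burned even if the restart command fails. The server name, service list and log path are placeholders, and the account is assumed to have the rights to disable itself that the answer describes.

```powershell
# Added example: self-disabling one-shot restart script (placeholder names below)
$Server   = 'EXCHANGE01'                                 # assumed Exchange host name
$LogFile  = '\\fileserver\admin$\emergency-restart.log'  # assumed log location
$Services = 'MSExchangeIS', 'MSExchangeSA'               # example stop order: store first, then system attendant
$Operator = "$env:USERDOMAIN\$env:USERNAME"              # the one-time account used with "Run as different user"

function Stop-RemoteService([string]$Computer, [string]$Name, [int]$TimeoutSec = 120) {
    $svc = Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name='$Name'"
    if (-not $svc) { throw "Service $Name not found on $Computer" }
    if ($svc.State -ne 'Stopped') {
        $rc = $svc.StopService().ReturnValue          # 0 = stop request accepted
        if ($rc -ne 0) { throw "StopService($Name) returned $rc" }
    }
    # Poll until the SCM reports Stopped so the next service is not stopped out of order.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $state = (Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name='$Name'").State
        if ($state -eq 'Stopped') { return }
        Start-Sleep -Seconds 5
    }
    throw "$Name did not stop within $TimeoutSec seconds"
}

Import-Module ActiveDirectory
Add-Content -Path $LogFile -Value "$(Get-Date -Format s) $Operator started emergency restart of $Server"
try {
    foreach ($s in $Services) { Stop-RemoteService -Computer $Server -Name $s }
    Restart-Computer -ComputerName $Server -Force
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) restart command sent to $Server"
}
catch {
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) FAILED: $($_.Exception.Message)"
    throw
}
finally {
    # Burn the one-time account whether or not the restart succeeded.
    Disable-ADAccount -Identity $env:USERNAME
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) account $Operator disabled"
}
```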

It's kludgy, but this just might work...

Set up a scheduled task on some other machine set to launch psshutdown via a specific user. Grant your lackey enough rights to launch the task. Don't give it a schedule. When Exchange needs to get tickled, they can right-click-run it.

The down side is that they can do this at any time, but this is all they can do.

sysadmin1138
  • I do like this. Very smart way to implement. Very simple. Guess we can do this and add in all the services too. Only concern is timing everything..... Maybe best to just restart and let Windows deal with stopping the services. Sucks to have to do that as the Server is a DC and Exchange which causes delays on shutdown. – Campo Jan 31 '11 at 20:23
  • You could just add a bunch of "net stop" commands before the final "shutdown /r /t 0" command in the batch file, per sysadmin1138's suggestion. This would reduce the time AD is down. – Jeff McJunkin Jan 31 '11 at 20:38
  • Just tried this out (obviously on a test machine). Works brilliantly! I think what I should do is combine this with @Sysadmin1138's suggestion, then we are good to roll. Make a batch file and run the net stop prior and then the reboot. Will it pause till the services are stopped, or move them to be stopped first as it shuts down? Either is fine as long as the shutdown does not supersede that, which then causes the stops in the wrong order due to AD.... THANKS! – Campo Jan 31 '11 at 20:55
  • @Campo Glad to see the kludge worked! – sysadmin1138 Jan 31 '11 at 21:25
  • Just wondering if multiple net stops will work simultaneously or in sequence. What happens if one fails? Will this happen prior to the shutdown? Or will this all happen at shutdown, essentially queuing the services to stop in the proper order? – Campo Feb 01 '11 at 01:49
  • I used this method of scheduled tasks, but made it simpler. Set a scheduled task on the server to run a script that stops all services then reboots. Set a scheduled task on the workstation to execute the scheduled task on the server. Both only run when called. – Campo Feb 16 '11 at 15:03
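Campo's final layout (an on-demand task on the server behind a script, and an on-demand task on the workstation that only pokes it), written out as an added example rather than anything posted in the thread. It assumes the ScheduledTasks cmdlets (Windows 8 / Server 2012 or later), placeholder names for the server, the service account that owns both tasks, and the operator's domain account, and that read+execute on the task file is enough to let a non-admin start a task, which is the usual approach but should be verified on your OS version.

```powershell
# ===== On the Exchange server (run once as an administrator) =====
$TaskName   = 'Emergency-ExchangeRestart'
$RunAs      = 'CORP\svc-exrestart'        # assumed dedicated account: local admin on the Exchange box only
$ScriptPath = 'C:\Admin\Restart-Exchange.ps1'

# Server-side script: stop the store cleanly first, then reboot. Add further services the same way,
# in dependency order, so the shutdown does not stop them out of order.
@'
Stop-Service -Name MSExchangeIS -Force
shutdown.exe /r /t 0 /c "Emergency Exchange restart (scheduled task)"
'@ | Set-Content -Path $ScriptPath

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
# No -Trigger: the task exists only to be started on demand.
Register-ScheduledTask -TaskName $TaskName -Action $action `
    -User $RunAs -Password (Read-Host "Password for $RunAs") -RunLevel Highest | Out-Null

# ===== On the operator's workstation (run once as an administrator) =====
$Operator = 'CORP\callcenter.lead'        # assumed ordinary domain user, not an admin anywhere
$poke = New-ScheduledTaskAction -Execute 'schtasks.exe' `
    -Argument "/Run /S EXCHANGE01 /TN $TaskName"
# Runs as the service account with a stored password, so the operator never learns it
# and cannot use it for anything except starting this one task.
Register-ScheduledTask -TaskName 'Poke-ExchangeRestart' -Action $poke `
    -User $RunAs -Password (Read-Host "Password for $RunAs") | Out-Null
# Assumption: read+execute on the task file is what lets a non-admin see and run the task.
icacls "$env:SystemRoot\System32\Tasks\Poke-ExchangeRestart" /grant "${Operator}:(RX)"
```

The operator right-clicks Poke-ExchangeRestart in Task Scheduler and chooses Run; everything privileged happens under the service account, and the Security log on both machines records who started it.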