Re: opsys.win32shutdown doesn't work on Domain controllers





"Torgeir Bakken (MVP)" wrote:

> Brandon McCombs wrote:
>
> > hello,
> > I have a script that runs when a user logs in that checks to see whether
> > they are logged in already somewhere else by keeping track of the
> > workstation name in a custom attribute I created in AD. Based on the
> > logic I use if the user is being detected as having logged in somewhere
> > already they are immediately logged off using WMI's opsys.win32shutdown
> > class. I just simply use the EWX_LOGOFF flag and it works great.
> > Unfortunately with strict government requirements that I have to follow
> > I also have to restrict administrators to this same situation which in
> > and of itself isn't difficult to do until this script attempts to log
> > them off of a domain controller if a DC happens to be their 2nd logon
> > attempt. I get an error on the opsys.win32shutdown line when the script
> > runs on a domain controller and it won't log the user off then. I tried
> > using the FORCE flag but that didn't help. From what I've read it is
> > possible to reboot *any* machine this way but is it not possible to log
> > someone off a domain controller this way? The error code I get back is
> > 80041001 which is one of the generic errors that is of no help
> > whatsoever.
>
> Hi,
>
> See if adding some additional privileges helps:
>
> sComputer = "."
> Set oWMI = GetObject("winmgmts:" _
> & "{impersonationLevel=impersonate,(Shutdown,RemoteShutdown,Debug)}!\\" _
> & sComputer & "\root\cimv2")
>
>

I sent a friend of mine the script I use and also a script that I found online
and it seems that rebooting and shutting down a domain controller works just fine
but the damn logoff does not work on a DC, which is of course the functionality I
need. Why wouldn't a logoff with the same script work on a workstation but not on
a DC, and is there a workaround to log someone off of a domain controller
automatically that cannot be cancelled?

thanks
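
For reference, the forced logoff call discussed in this thread, written out with the privilege moniker from the reply and with the WMI error detail captured. This is an added example, not a script posted by either participant; the flag values 0 (logoff) and 4 (force) are the documented Win32Shutdown values, and the script is a diagnostic aid that does not by itself resolve the domain controller failure described above.

```vbscript
Option Explicit

' Documented flag values for Win32_OperatingSystem.Win32Shutdown
Const EWX_LOGOFF = 0
Const EWX_FORCE  = 4

Dim sComputer, oWMI, colOS, oOS, lRet, lErr, sDesc, oLast

sComputer = "."   ' local machine, as in the reply above

On Error Resume Next

' Same moniker as in the reply: impersonate and enable the extra privileges
Set oWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Shutdown,RemoteShutdown,Debug)}!\\" _
    & sComputer & "\root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo "WMI connect failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If

Set colOS = oWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem")

For Each oOS In colOS
    Err.Clear
    lRet = oOS.Win32Shutdown(EWX_LOGOFF + EWX_FORCE)
    If Err.Number <> 0 Then
        ' Save the error first: the next CreateObject call can overwrite Err
        lErr = Err.Number
        sDesc = Err.Description
        Err.Clear
        WScript.Echo "Win32Shutdown raised 0x" & Hex(lErr) & " " & sDesc

        ' A generic code such as 0x80041001 says little on its own; the
        ' extended status object, when WMI provides one, names the
        ' failing operation and provider.
        Set oLast = CreateObject("WbemScripting.SWbemLastError")
        If Err.Number = 0 And IsObject(oLast) Then
            WScript.Echo "  Operation: " & oLast.Operation
            WScript.Echo "  Provider:  " & oLast.ProviderName
        End If
    ElseIf lRet <> 0 Then
        WScript.Echo "Win32Shutdown returned " & lRet
    Else
        WScript.Echo "Forced logoff requested"
    End If
Next
```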
