-1

I'm a System Administrator, and here at the company there are some users that have local administrator accounts in their PC'S. I need to restart some PC's in our Domain to complete a Software deployment.

As funny as this seems, there's a particular user with a local Administrator account that refuses to restart his computer. I asked him politely but he instead challenged me to try it.

Well so far I've been unable to do it. From CMD shutdown commands to trying to connect to that computer's services, everything has failed. Apparently he disabled RPC related services and some more stuff making this a hard challenge. Even through the Domain privileges the task seems impossible.

Can someone lend me a hand here? How can I force a remote shutdown?

EEAA
  • 108,414
  • 18
  • 172
  • 242
Jose Perez
  • 1
  • 1
    This is a personnel problem. Get your boss involved with his boss. Technology cannot solve this problem. – Wesley May 22 '15 at 21:16
  • 2
    @Wesley I beg to differ. [Technology solved personnel problems long ago.](http://i.stack.imgur.com/v8GHn.jpg) – Michael Hampton May 22 '15 at 21:18
  • @MichaelHampton Is a LART really "technology" though? =) – Wesley May 22 '15 at 21:19
  • 4
    `1.` Go to his PC and restart it using the power button. `2.` Take this issue to management and/or your HR department. – joeqwerty May 22 '15 at 21:20
  • @Wesley Yes, it's technology. And while it's certainly old, it's still useful... – Michael Hampton May 22 '15 at 21:20
  • You could set fire to the building and make sure the new laptops have all the required softwate. Just make sure to spread the software updates far enough apart to make repeated arson worthwile. Gasoline can get expensive. – Reaces May 22 '15 at 21:49
  • 1
    It's important for staff to understand that "their" computer does not belong to them, nor is it "yours". It belongs to the company, and it's your job to maintain it. I had a user nearly get physical when i told him the IT policy guys wanted an audit client on "his" workstation. – Andy May 23 '15 at 00:35
  • @Andy When it comes to the "who owns the corporate PC - the answer must be the IT staff. Any other answer causes all sorts of expense to fix ITSM issues. – Jim B May 24 '15 at 00:22
  • 1
    don't play this game, you will lose. hand this user to the boss making clear that the computer is not under your controll so may be unprotected, not patched, may lose data and a potential issue for all the network (viruses & co). these are users that you should avoid: next time he will pose you a bigger challenge if you don't stop him. the bigger the challenge the higher the risk for you to get caught wasting paid work time for personal issues (i suppose it is not your job to play challenges with users). – Paolo May 25 '15 at 08:01

3 Answers3

6

If that computer is part of an Active Directory domain then create a Scheduled Task to reboot the computer. Make it for a time in the very near future. The user won't know what hit 'em.

(But seriously, escalating this kind of war is not going to end well for anyone. Management / leadership needs to be involved.)

Wesley
  • 32,320
  • 9
  • 80
  • 116
  • Yes, it is part of the domain. I'll try this and let you know. And yes I understand escalating this won't end well ... That's why I think some users just shouldn't have Admin rights. Thanks. – Jose Perez May 22 '15 at 22:00
  • I might suggest removing his local admin status and changing the password on all local accounts for good measure. Also getting the scheduled task to enable rpc etc – Drifter104 May 22 '15 at 22:03
2

Does your employer have an Acceptable Use Policy (AUP) which covers employee use of computers? It might contain terms like Prohibited activities include: Circumvention of technical, administrative, or process controls" which he is breaking.

Depending on what your company does, how big it is, how casual everyone is, all matters. But if you as a company work on sensitive information, then your contracts might require that all workstations have up to date antivirus and patches, and if you can't connect remotely then you can't audit and uphold that.

If you have software that's very fussy about versions, if you can't connect remotely then you can't make sure every computer has the right version and it puts the company at risk of data corruption.

If you have any kind of specialist, expensive software - medical, legal, CAD - it probably has quite strict licensing agreements, and if you can't connect then you can't audit to make sure all software is licensed and no unlicensed software is being used.

If he is abusing the rights granted to him, and in any way putting the company at risk by doing so, you probably should raise it with your manager, his manager, or HR with a view to reminding him of the AUP and why it applies, regardless of whether you can find a clever way to force a reboot.

And you might find yourself responsible for enforcing the AUP, e.g. blocking his access to file shares and email, locking his account.

If none of the above applies and it's a very casual workplace, block his account and access to email. When he can't do any work and his manager starts to notice, and he calls up for support, ask if he's tried rebooting, and make it work again when he does.

TessellatingHeckler
  • 5,676
  • 3
  • 25
  • 44
0

If he has blocked you the first step would be: Override his settings by enforcing a policy and whitelist remote communications and management from the local subnet or specific IP address you will be issuing the commands from. In the policy you can ID one computer. You would enable those features in the firewall config portion of the policy. You fire the script upon login to the domain.

If he has not fully locked you out the shutdown command is:

shutdown /r /m \\computername /f

to get the full command line options type shutdown /? on any windows computer.

After you get access I would demote his account since he shows he cannot be trusted with that level of access. To determine what applications need Admin access you can use MACT Microsoft Application Compatibility Toolkit. This may eliminate the reason for his local admin access

masegaloeh
  • 17,978
  • 9
  • 56
  • 104
Tom Clancy
  • 129
  • 3