opsys.win32shutdown doesn't work on Domain controllers

Brandon McCombs

hello,
I have a script that runs when a user logs in that checks to see whether
they are logged in already somewhere else by keeping track of the
workstation name in a custom attribute I created in AD. Based on the
logic I use if the user is being detected as having logged in somewhere
already they are immediately logged off using WMI's opsys.win32shutdown
class. I just simply use the EWX_LOGOFF flag and it works great.
Unfortunately with strict government requirements that I have to follow
I also have to restrict administrators to this same situation which in
and of itself isn't difficult to do until this script attempts to log
them off of a domain controller if a DC happens to be their 2nd logon
attempt. I get an error on the opsys.win32shutdown line when the script
runs on a domain controller and it won't log the user off then. I tried
using the FORCE flag but that didn't help. From what I've read it is
possible to reboot *any* machine this way but is it not possible to log
someone off a domain controller this way? The error code I get back is
80041001 which is one of the generic errors that is of no help
whatsoever.

thanks
 
Torgeir Bakken (MVP)

Hi,

See if adding some additional privileges helps:

sComputer = "."
Set oWMI = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Shutdown,RemoteShutdown,Debug)}!\\" _
& sComputer & "\root\cimv2")
 
Brandon McCombs

I didn't think that would work and it did not. Considering the privilege should
be the same for the workstations as the server I don't see why I would need to do
any impersonation to log a user off of a domain controller. I should have been
getting different errors as well if it was a permission issue, instead I was
getting a general error that was of no help. Any other ideas?

Is it even possible to run win32shutdown with EWX_LOGOFF to log someone off of a
domain controller?
 
Brandon McCombs

I sent a friend of mine the script I use and also a script that I found online
and it seems that rebooting and shutting down a domain controller works just fine
but the damn logoff does not work on a DC which is of course the functionality I
need. Why wouldn't a logoff with the same script work on a workstation but not on
a DC and is there a workaround to log someone off of a domain controller
automatically that cannot be cancelled?

thanks
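
One way to get more detail than the bare 80041001 when the logoff call discussed in this thread fails, as an added example that is not code from any of the posters. The constant and variable names are this example's own, and it assumes it runs under Windows Script Host in the session that is to be logged off.

```vbscript
' Added example (not from the thread): forced logoff through Win32Shutdown,
' reporting the machine role and the extended WMI error if the call fails.
Option Explicit

Const EWX_LOGOFF = 0    ' Win32Shutdown flag: log off
Const EWX_FORCE = 4     ' added to another flag to force the action

Dim sComputer, oWMI, oCS, oOS, lRet, lErr, sErr, oLast
sComputer = "."

' Same moniker form as in the reply above, with the Shutdown privilege enabled.
Set oWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Shutdown)}!\\" _
    & sComputer & "\root\cimv2")

' DomainRole 4 (backup DC) or 5 (primary DC) marks a domain controller, so a
' failure can be tied to the machine role in the script's output.
For Each oCS In oWMI.ExecQuery("SELECT DomainRole FROM Win32_ComputerSystem")
    WScript.Echo "DomainRole: " & oCS.DomainRole
Next

For Each oOS In oWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem")
    On Error Resume Next
    lRet = oOS.Win32Shutdown(EWX_LOGOFF + EWX_FORCE)
    lErr = Err.Number
    sErr = Err.Description
    If lErr <> 0 Then
        WScript.Echo "Win32Shutdown raised 0x" & Hex(lErr) & " " & sErr
        ' SWbemLastError holds the provider's extended status for the last
        ' failed WMI call on this thread; creating it fails if none exists.
        Err.Clear
        Set oLast = CreateObject("WbemScripting.SWbemLastError")
        If Err.Number = 0 Then
            WScript.Echo "Provider:    " & oLast.ProviderName
            WScript.Echo "Operation:   " & oLast.Operation
            WScript.Echo "Description: " & oLast.Description
            WScript.Echo "StatusCode:  " & oLast.StatusCode
        Else
            WScript.Echo "No extended WMI error information available."
        End If
    ElseIf lRet <> 0 Then
        ' The method ran but returned a non-zero result code.
        WScript.Echo "Win32Shutdown returned " & lRet
    End If
    On Error GoTo 0
Next
```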