opsys.win32shutdown doesn't work on Domain controllers

hello,
I have a script that runs when a user logs in that checks to see whether
they are logged in already somewhere else by keeping track of the
workstation name in a custom attribute I created in AD. Based on the
logic I use if the user is being detected as having logged in somewhere
already they are immediately logged off using WMI's opsys.win32shutdown
class. I just simply use the EWX_LOGOFF flag and it works great.
Unfortunately with strict government requirements that I have to follow
I also have to restrict administrators to this same situation which in
and of itself isn't difficult to do until this script attempts to log
them off of a domain controller if a DC happens to be their 2nd logon
attempt. I get an error on the opsys.win32shutdown line when the script
runs on a domain controller and it won't log the user off then. I tried
using the FORCE flag but that didn't help. From what I've read it is
possible to reboot *any* machine this way but is it not possible to log
someone off a domain controller this way? The error code I get back is
80041001 which is one of the generic errors that is of no help
whatsoever.

thanks

Brandon McCombs wrote:

Quote:

> hello,
> I have a script that runs when a user logs in that checks to see whether
> they are logged in already somewhere else by keeping track of the
> workstation name in a custom attribute I created in AD. Based on the
> logic I use if the user is being detected as having logged in somewhere
> already they are immediately logged off using WMI's opsys.win32shutdown
> class. I just simply use the EWX_LOGOFF flag and it works great.
> Unfortunately with strict government requirements that I have to follow
> I also have to restrict administrators to this same situation which in
> and of itself isn't difficult to do until this script attempts to log
> them off of a domain controller if a DC happens to be their 2nd logon
> attempt. I get an error on the opsys.win32shutdown line when the script
> runs on a domain controller and it won't log the user off then. I tried
> using the FORCE flag but that didn't help. From what I've read it is
> possible to reboot *any* machine this way but is it not possible to log
> someone off a domain controller this way? The error code I get back is
> 80041001 which is one of the generic errors that is of no help
> whatsoever.

Hi,

See if adding some additional privileges helps:

sComputer = "."
Set oWMI = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Shutdown,RemoteS hutdown,Debug)}!\\" _
& sComputer & "\root\cimv2")



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx

"Torgeir Bakken (MVP)" wrote:

Quote:

> Brandon McCombs wrote:
>

Quote:

> Hi,
>
> See if adding some additional privileges helps:
>
> sComputer = "."
> Set oWMI = GetObject("winmgmts:" _
> & "{impersonationLevel=impersonate,(Shutdown,RemoteS hutdown,Debug)}!\\" _
> & sComputer & "\root\cimv2")
>
>

I didn't think that would work and it did not. Considering the privilege should
be the same for the workstaitons as the server I don't see why I would need to do
any impersonation to log a user off of a domain controller. I should have been
getting different errors as well if it was a permission issue, instead I was
getting a general error that was of no help. Any other ideas?

Is it even possible to run win32shutdown with EWX_LOGOFF to log someone off of a
domain controller?

"Torgeir Bakken (MVP)" wrote:

Quote:

> Brandon McCombs wrote:
>

Quote:

> Hi,
>
> See if adding some additional privileges helps:
>
> sComputer = "."
> Set oWMI = GetObject("winmgmts:" _
> & "{impersonationLevel=impersonate,(Shutdown,RemoteS hutdown,Debug)}!\\" _
> & sComputer & "\root\cimv2")
>
>

I sent a friend of mine the script I use and also a script that I found online
and it seems that rebooting and shutting down a domain controller works just fine
but the damn logoff does not work on a DC which is of course the functionality I
need. WHy wouldn't a logoff with the same script work on a workstation but not on
a DC and is there a workaround to log someone off of a domain controller
automatically that can not be cancelled?

thanks