Give a group Managed Service Account access to Win32Shutdown on a remote computer

  • Question

  • I have a PowerShell script that we use to shut down all members of an AD security group remotely:

    # Members of the AD group whose computers should be shut down
    $computers = Get-ADGroupMember -Identity "ShutdownGroup"

    ForEach ($computer in $computers) {
        $client = $computer.Name

        # Only attempt the shutdown if the host answers a single ping
        if (Test-Connection -ComputerName $client -BufferSize 16 -Count 1 -Quiet) {
            # Win32Shutdown flag 12 = power off (8) + forced (4)
            (gwmi Win32_OperatingSystem -ComputerName $client).Win32Shutdown(12)
        }
    }

    We want to run this script as a scheduled task using a group managed service account (gmsa). This is the output of the script when run as our gmsa:

    gwmi : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    At C:\Scripts\WOL-Shutdown\Shutdown_Test.ps1:7 char:77
    + if (Test-Connection -Computername $client -BufferSize 16 -Count 1 -Quiet)
    {(gwmi ...
    +
    ~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

    This is telling us our gMSA doesn't have the necessary access to run gwmi. Our gMSA has the following access rights on the test machine we are trying to shut down:

    • Local Security Policy > Security Settings > Local Policies > User Rights Assignment > Force shutdown from a remote system
    • Local Security Policy > Security Settings > Local Policies > User Rights Assignment > Shut down the system

    I have also given our gMSA Full Read and Write access to CIMV2 using WMI Control.

    The script is running from our Server 2012 R2 Domain Controller, and the client machine we are trying to shut down is Windows 10 Pro. We do not want to give the gMSA local admin privileges for obvious reasons.

    I think the problem is that our gMSA doesn't have the right permissions on WMI to shut down the machine. Can anyone help?

    Monday, September 24, 2018 1:25 PM

All replies

  • Hi,

    Thanks for your post in our forum.

    I hope the following information can help you.

    gwmi : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

    The error is 0x80070005 (E_ACCESSDENIED).

    Possible issue:
    ==============

    Access denied by DCOM security. The user does not have remote access to the computer through DCOM. Typically, DCOM errors occur when connecting to a remote computer with a different operating system version.

    Solution:
    =========

    Give the user Remote Launch and Remote Activation permissions in dcomcnfg. Right-click My Computer -> Properties. Under COM Security, click "Edit Limits" for both sections. Give the user you want Remote Access, Remote Launch, and Remote Activation. Then go to DCOM Config, find "Windows Management Instrumentation", and give the user you want Remote Launch and Remote Activation. For more information, see "Connecting Between Different Operating Systems" and:

    Setting DCOM Security to Allow a User to Access a Computer Remotely

    https://docs.microsoft.com/en-us/windows/desktop/WmiSdk/securing-a-remote-wmi-connection#setting-dcom-security-to-allow-a-user-to-access-a-computer-remotely

    • Also, you can try to add the user(s) or group(s) to the local "Distributed COM Users" group on the machine you are trying to shut down remotely.

    I hope the above information can help you.

    Best Regards,

    Otto Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 25, 2018 3:55 AM
    Moderator
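The two settings the reply above points at, as an added example that is not from the thread or from Microsoft: a PowerShell script that decodes the machine-wide DCOM limits dcomcnfg's "Edit Limits" buttons store in the registry (so you can confirm which principals already hold Remote Launch, Remote Activation and Remote Access) and then adds the gMSA to the local Distributed COM Users group. It assumes it is run elevated on the Windows 10 target, that the COM_RIGHTS_* bit values are those in the Windows SDK, and `CONTOSO\gmsa-shutdown$` is a placeholder for the real gMSA name.

```powershell
# Added example, not code from the thread. Run elevated on the target machine.
# Assumed placeholder account name: CONTOSO\gmsa-shutdown$

$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
# COM_RIGHTS_* access-mask bits (Windows SDK) used by the DCOM limit descriptors:
#   4  = COM_RIGHTS_EXECUTE_REMOTE  (Remote Launch in the launch limit,
#                                    Remote Access in the access limit)
#   16 = COM_RIGHTS_ACTIVATE_REMOTE (Remote Activation, launch limit only)
$RightsExecuteRemote  = 4
$RightsActivateRemote = 16

function Get-DcomLimit {
    param([ValidateSet('MachineLaunchRestriction', 'MachineAccessRestriction')]
          [string]$Name)
    $bytes = (Get-ItemProperty -Path $OleKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $bytes) {
        Write-Warning "$Name is not set; the built-in DCOM defaults apply."
        return
    }
    # The registry value is a self-relative binary security descriptor.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $isLaunch = ($Name -eq 'MachineLaunchRestriction')
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }            # unresolvable SID: show it raw
        $mask = $ace.AccessMask
        [pscustomobject]@{
            Limit          = $Name
            Principal      = $who
            Type           = $ace.AceType      # AccessAllowed / AccessDenied
            RemoteLaunch   = $isLaunch -and (($mask -band $RightsExecuteRemote) -ne 0)
            RemoteActivate = $isLaunch -and (($mask -band $RightsActivateRemote) -ne 0)
            RemoteAccess   = (-not $isLaunch) -and (($mask -band $RightsExecuteRemote) -ne 0)
        }
    }
}

function Add-DcomUser {
    # Adds the account to Distributed COM Users (well-known SID S-1-5-32-562)
    # only if it is not already a member.
    param([string]$Account)
    $members = Get-LocalGroupMember -SID 'S-1-5-32-562' -ErrorAction SilentlyContinue
    if ($members.Name -notcontains $Account) {
        Add-LocalGroupMember -SID 'S-1-5-32-562' -Member $Account
    }
}

Get-DcomLimit MachineLaunchRestriction | Format-Table -AutoSize
Get-DcomLimit MachineAccessRestriction | Format-Table -AutoSize
Add-DcomUser -Account 'CONTOSO\gmsa-shutdown$'
Get-LocalGroupMember -SID 'S-1-5-32-562'
```

If the Distributed COM Users rows show RemoteLaunch, RemoteActivate and RemoteAccess as True, group membership alone gives the gMSA the limits part of the fix; the per-application "Windows Management Instrumentation" entry under DCOM Config still has to be checked in dcomcnfg.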
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Otto Wang


    Friday, September 28, 2018 3:11 AM
    Moderator
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Otto Wang


    Monday, October 1, 2018 5:20 AM
    Moderator