locked
Windows 8的遠端關機問題請教 RRS feed

  • 問題

  • 各位好!

    目前測試用Administrator的帳號可以完成遠端關機的動作

    C:\>net use \\win81update1 /user:administrator Pa$$w0rd
    命令已經成功完成。
    C:\>shutdown -s -f -t 0 /m \\win81update1

    但是換成其他帳號就變成下面這樣

    C:\>net use \\win81update1 /user:golf Pa$$w0rd
    命令已經成功完成。
    C:\>shutdown -s -f -t 0 /m \\win81update1
    win81update1: 存取被拒。(5)

    有測試將golf帳號加入administrators群組-->無效

    有測試設定gpo,讓golf具有「強制從遠端系統進行關閉」的權限-->無效

    請問有什麼方式可以讓非administrator帳號讓遠端電腦重新開機或關機呢? 謝謝~

    2015年3月11日 上午 09:46

解答

  • Hi DannyLee

    這是因為UAC的關係,如果要達成您的需求就必須將UAC關閉。

    When a user who is a member of the Administrators group in Windows® XP or Windows Server 2003 logs on to a computer, that user's token contains the Administrators group SID, and the user has the same permission as the Administrators group. In Windows Server 2008 and Windows Vista, if UAC is enabled, the Administrators SID is still present in the token but is set to Deny only. When performing access control, such an entry in the token is used only to deny access—in other words, to match Deny ACEs. Any Allow ACEs for that SID are ignored. That means that you are not truly an administrator all the time, even if you log on to the computer as one.

    If UAC is disabled, then a user who is a member of the Administrators group has a token containing the Administrators group SID.

    What's New for Access Control in Windows Server 2008


    請記得將對您有幫助的回覆"標示為解答"以幫助其他尋找解答及參與社群討論的朋友們。

    Please remember to click Mark as Answer on the post that helps you. This can be beneficial to other community members reading the thread.

    • 已標示為解答 DannyLee 2015年3月12日 上午 09:02
    2015年3月12日 上午 03:47

所有回覆

  • Hi DannyLee

    這是因為UAC的關係,如果要達成您的需求就必須將UAC關閉。

    When a user who is a member of the Administrators group in Windows® XP or Windows Server 2003 logs on to a computer, that user's token contains the Administrators group SID, and the user has the same permission as the Administrators group. In Windows Server 2008 and Windows Vista, if UAC is enabled, the Administrators SID is still present in the token but is set to Deny only. When performing access control, such an entry in the token is used only to deny access—in other words, to match Deny ACEs. Any Allow ACEs for that SID are ignored. That means that you are not truly an administrator all the time, even if you log on to the computer as one.

    If UAC is disabled, then a user who is a member of the Administrators group has a token containing the Administrators group SID.

    What's New for Access Control in Windows Server 2008


    請記得將對您有幫助的回覆"標示為解答"以幫助其他尋找解答及參與社群討論的朋友們。

    Please remember to click Mark as Answer on the post that helps you. This can be beneficial to other community members reading the thread.

    • 已標示為解答 DannyLee 2015年3月12日 上午 09:02
    2015年3月12日 上午 03:47
  • Hi DannyLee

    這是因為UAC的關係,如果要達成您的需求就必須將UAC關閉。

    When a user who is a member of the Administrators group in Windows® XP or Windows Server 2003 logs on to a computer, that user's token contains the Administrators group SID, and the user has the same permission as the Administrators group. In Windows Server 2008 and Windows Vista, if UAC is enabled, the Administrators SID is still present in the token but is set to Deny only. When performing access control, such an entry in the token is used only to deny access—in other words, to match Deny ACEs. Any Allow ACEs for that SID are ignored. That means that you are not truly an administrator all the time, even if you log on to the computer as one.

    If UAC is disabled, then a user who is a member of the Administrators group has a token containing the Administrators group SID.

    What's New for Access Control in Windows Server 2008


    請記得將對您有幫助的回覆"標示為解答"以幫助其他尋找解答及參與社群討論的朋友們。

    Please remember to click Mark as Answer on the post that helps you. This can be beneficial to other community members reading the thread.

    關閉UAC之後的確可以了,感謝^^
    2015年3月12日 上午 09:02