Sunday 16 April 2017

How to specify credentials to restart or shutdown a remote host with ‘net use’

I recently wanted to shutdown a server on my local network (notably a workgroup) using the Windows shutdown command but encountered an access denied error (or no feedback whatsoever).

I needed to use the administrator credentials of the remote server but shutdown.exe doesn’t accept credentials.

Using ‘net use’ to connect to the IPC$ share on remote host, you can set then call shutdown in that security context:

net use \\hostname\IPC$ mypassword /User:administrator
shutdown /r /t 60 /m \\hostname /f

In the net use command above, replace hostname with the name of your remote host (or maybe an IP address), replace mypassword with the password for the account you’re using, and replace administrator with the name of the local account on the remote host you wish to use (which presumably has the necessary rights to restart or shutdown the server).

In the shutdown command above, replace hostname with the name of your remote host, as per the net use command.

Note: Read the shutdown /? usage. The /r flag will restart the host; change /r to /s if you want to shutdown instead. Other parameters can also be specified. I also typically set the timeout (/t) flag to 0 (zero).

I call both commands back-to-back in a Windows Command Prompt, without running the console as Admin.

See below for a few more tips, links, and PowerShell alternatives.

If you’re used to operating as a domain user you may be asking why any of this is even necessary. It’s necessary in a workgroup context because the remote host has no idea who I am if I just tell it to shutdown from some other computer on the local IP network. It may be possible to an account on one host the necessary privileges on another host but I don’t know for certain and, in my limited experience, this can get hard and weird very quickly!

I used to run a domain controller on my small local network (just for fun) and all of my servers were members of a domain, which made security easy. I got rid of the DC as DHCP and other services were migrated to my internet router and to streamline things. In all regards, having one less server to manage, power, and so on is great. I’ll run a virtualised AD when I need to, e.g. for development purposes).

In addition to a media centre, I also still run a physical file server, primarily for backups. My basic process is to power on the file server once a week to backup the media centre, my laptop, etc and then shut it down again (so the kids don’t fiddle and to keep the noise down).

The backup process is otherwise seamless—the backup services on the file server and clients just pick up where they left off and run to completion without any human interaction (I use CrashPlan and would highly recommend it). I only need to power on the file server and then shut it down.

To shut down, I’d previously connect to the file server via Remote Desktop and then shut down. But that’s too hard. I can tell from the backup client on my laptop when a backup is complete so I just want to quickly shutdown the file server and go to bed.

In a domain environment, I could make sure my domain account was a member of the Administrators group on the file server and then call shutdown.exe from a command prompt on my laptop; without the DC, I need to explicitly provide shutdown.exe with the necessary credentials before actually calling shutdown.exe.

A few other notes: the file server is running Windows Server 2012 and my laptop is running Windows 8.1.

In recent versions of Windows (i.e. 2012+), I’ve read that UAC may interfere with things. You may want to turn it off but can simply add or configure this registry key (I didn’t have to):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: LocalAccountTokenFilterPolicy
Data: 1 (to disable) or 0 (to enables filtering)
Type: REG_DWORD (32-bit)

You may need to restart after making this change.

Thank to https://helgeklein.com/blog/2011/08/access-denied-trying-to-connect-to-administrative-shares-on-windows-7/ for this one. See also this Microsoft help article (ID 951016) “Description of User Account Control and remote restrictions in Windows Vista”

Others suggested File and Printer sharing must be allowed in the Windows Firewall.

I believe PowerShell offers similar restart (and stop) commands. I haven’t tried them and can’t say whether they work with the techniques described here but I believe both accept a –credential parameter.

See these references:

https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.management/restart-computer

https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.management/stop-computer