Not sure if this is the best way to achieve this but here is the background and the goal.
BACKGROUND: We are a small business. Sometimes I or the other person who is capable of dealing with an email outage is not available. Usually it is as simple as restarting the old and tired-out Exchange box to bring it back online. This is obviously a temporary fix till I can get to the cause of the particular outage, but the idea is to limit the downtime caused by this to our call center.
GOAL: I want to set up a one-time-use admin account, OR write a script that allows the user to simply restart the server.
Understand that this user's current account is limited to just a domain user, not an admin of any type.
ADDITIONAL INFORMATION: The idea with a one-time-use account is that the user can use it once: log in, make changes, and once they are done and logged out the account is then locked out, or has its password changed, or is disabled. Anything to stop them from using it a second time. This way there is some accountability to the user to use it only for emergencies and for its intended purpose, and not as an easy way to adjust their limited account or install software, among other things.
As for the script, I understand that due to the limited permissions on standard users this user would be unable, using their current permissions, to do a PSSHUTDOWN.EXE on the Exchange box remotely. So we would have to come up with a good method in order to allow the user to do a restart. Should be a simple VB script, which is not the issue. My issue is creating some form of security allowing them to type in just maybe a password to have the process commence. Bonus points if you can include stopping of services in the script, things like:
net stop "Microsoft Exchange Information Store"
I can fill in the others once I see how you implement the first one.
I feel the second plan seems a lot safer. This way I can just use security by obscurity. Not tell him the RDP port and not have him actually on the system but more so just using a password to activate the restart.
So assistance in this is greatly appreciated. Or alternative suggestions are always welcome.
Using PowerShell, I think this should work, though I haven't tested this at all for obvious reasons. I suggest creating an Exchange administrator account and adding it to the Exchange server's local admin group. Give this account full permissions in AD over itself (I'm actually not sure if user accounts by default are able to disable themselves). Then save the PowerShell script below on the network and put a shortcut CMD file to it on the desktop of whoever is going to run it. Show them how to use the "Run as a different user" feature (hold Shift when right-clicking). The CMD file just needs:
powershell . \\server\share\script.ps1
The PowerShell script can be quite short:
The user(s) can have the password as once this script is run it will disable the account until you or a user with appropriate credentials can re-enable it.
Additionally, for security purposes, you may want to put that new account into policy to prevent it from logging on interactively or otherwise. In a GPO applied to [perhaps all workstations and server]: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Deny log on locally and Deny log on through Remote Desktop Services
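An added example, not the answerer's script and not from the original page: one way to write a script for the procedure described in the answer above (stop the service, restart the server, then disable the account that ran it). The server name EXCH01 is a placeholder, and the use of Windows PowerShell with the ActiveDirectory module (RSAT) installed on the workstation is an assumption.

```powershell
# Added example. Run via "Run as a different user" with the one-time account.
# Assumptions: Windows PowerShell, ActiveDirectory module (RSAT) installed on
# this workstation, and EXCH01 as a placeholder name for the Exchange server.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$Server   = 'EXCH01'                                   # placeholder server name
$Services = @('Microsoft Exchange Information Store')  # display names; add others here
$Account  = [Environment]::UserName                    # the account running this script

try {
    foreach ($displayName in $Services) {
        # Stop each service cleanly before the reboot; -Force also stops dependents.
        $svc = Get-Service -ComputerName $Server -DisplayName $displayName
        if ($svc.Status -ne 'Stopped') {
            Write-Host "Stopping '$displayName' on $Server ..."
            Stop-Service -InputObject $svc -Force
        }
    }
    Write-Host "Restarting $Server ..."
    Restart-Computer -ComputerName $Server -Force
}
catch {
    # Report the failure to the operator; the account is still disabled below.
    Write-Warning "Restart of $Server failed: $($_.Exception.Message)"
}
finally {
    # Disable the account whether or not the restart worked, so every use
    # requires an administrator to re-enable it (and ask why it was used).
    Disable-ADAccount -Identity $Account
    Write-Host "Account '$Account' is now disabled."
}
```

Disabling the account blocks new logons; the session and Kerberos tickets already issued to it stay valid until they expire, so the deny-logon policy described above is still worth applying.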
It's kludgy, but this just might work...
Set up a scheduled task on some other machine set to launch psshutdown via a specific user. Grant your lackey enough rights to launch the task. Don't give it a schedule. When Exchange needs to get tickled, they can right-click-run it.
The downside is that they can do this at any time, but this is all they can do.