user rights assignment shutdown the system

Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following powershell scripts..

Posted by : blakedrumm on Jan 5, 2022

Local Computer

Remote computer, output types.

This post was last updated on August 29th, 2022

I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant Logon as a Service Right for a User. I modified the script you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights

How to get it.

All of the User Rights that can be set:

Note You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Here are a few examples:

Add Users Single Users Example 1 Add User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight Example 2 Add User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Add User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Add User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight Add Multiple Users / Rights / Computers Example 5 Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Remove Users Single Users Example 1 Remove User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight Example 2 Remove User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Remove User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Remove User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight Remove Multiple Users / Rights / Computers Example 5 Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

Note You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post atleast once a month if possible.

• operationsManager
• troubleshooting
• certificates

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Allow non-admin user to shutdown/reboot Server 2012

Anyone know if a setting exists to allow a non-admin user to shutdown a server?

Obviously I can set the "Allow Server to shutdown without logon" GPO but that is not quite the same thing. I am looking for a way to properly assign the shutdown right to a particular user if possible.

• windows-server-2012
• user-permissions

2 Answers 2

You can assign this in either a GPO or Local Security Policy.

The setting that you're looking for is in Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shutdown the system

• Thanks MDMarra, that was exactly what I was looking for. Even allows for individual users or groups to be added to the list. In my case I added the "Hyper-V Administrators" group to the shutdown list. –  NickC Commented Nov 28, 2012 at 15:16
• Does it only work with shutting down or also with restart? –  Aboodnet Commented Jul 13, 2021 at 18:34

use "force shutdown from a remote system" then you can build a script like shutdown -r -t 120 -m "hostname" to restart the system remotely.

• -r = restart
• -t = time in seconds
• -m = Target here you have to enter IP or hostname

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows-server-2012 user-permissions ..

• The Overflow Blog
• How to build open source apps in a highly regulated industry
• Community Products Roadmap Update, July 2024
• Featured on Meta
• We spent a sprint addressing your requests — here’s how it went
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network...

Hot Network Questions

• Where can I place a fire near my bed to gain the benefits but not suffer from the smoke?
• Sitting on a desk or at a desk? What's the diffrence?
• Staying in USA longer than 3 months
• Why should I meet my advisor even if I have nothing to report?
• How to handle a missing author on an ECCV paper submission after the deadline?
• Minimum number of players for 9 round Swiss tournament?
• Is there a generalization of factoring that can be extended to the Real numbers?
• What does it mean if Deutsche Bahn say that a train is cancelled between two instances of the same stop?
• Geometry question about a six-pack of beer
• How does this switch work on each press?
• Any algorithm to do Huffman encoding without using graphs?
• In the UK, how do scientists address each other?
• When did the four Gospels receive their printed titles?
• Who originated the idea that the purpose of government is to protect its citizens?
• What does '\($*\)' mean in sed regular expression in a makefile?
• Why do I see low voltage in a repaired underground cable?
• In equation (3) from lecture 7 in Leonard Susskind’s ‘Classical Mechanics’, should the derivatives be partial?
• Understanding symbol of a latching push switch
• Greek myth about an athlete who kills another man with a discus
• exploded pie chart, circumscribing arc, and text labels
• Why does the Egyptian Hieroglyph M8 (pool with lotus flowers) phonetically correspnd to 'Sh' sound?
• Questions about mail-in ballot
• Line from Song KÄMPFERHERZ
• Word split between two lines is not found in man pages search

All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more

Preventing users from shutting down specific devices

This week is a short post about the ability to prevent users from shutting down, or restarting, specific devices. That is something already often used for specific servers, like domain controllers, to prevent users from shutting them down. There are, however, also good reasons why that might also be very useful and beneficial on specific devices. Think about devices that host critical business processes that can only be turned off, or restarted, during specific windows. For those devices the user right to shutdown that device, should only be provided to a few trusted users, or administrators. So, not just removing the shutdown, or restart, button, but actually removing the user right to perform a shutdown. Luckily, nowadays there is an easy method for configuring the list of users that are allowed to shutdown a specific Windows device. This post will provide some more details around that configuration, followed with the configuration steps. This post will end with showing the user experience.

Note : Keep in mind that this post is focussed on the  local  options on the Windows device.

Configuring preventing users from shutting down specific devices

When looking at preventing users from shutting down, or restarting, specific Windows devices,  the UserRights section in the Policy CSP  is the place to look. That section contains many of the different policy settings of the  User Rights Assignment Local Policies , including the  Shut Down The System  ( ShutDownTheSystem ) policy setting. That policy setting can be used to configure the users that are allowed to locally shutdown, or restart, the device. The configuration of that policy setting is available via the Settings Catalog . The following eight steps walk through the creation of a  Settings Catalog  profile that contains the required setting to configure the local shutdown rights, by using the  Shut Down The System  policy setting.

• Open the  Microsoft Intune admin center  portal and navigate to  Devices  >  Windows  >  Configuration profiles
• On the  Windows | Configuration profiles  blade, click  Create  >  New Policy
• On the  Create a profile  blade, provide the following information and click  Create
• Platform : Select  Windows 10 and later  to create a profile for Windows 10 devices
• Profile : Select  Settings catalog  to select the required setting from the catalog
• On the  Basics  page, provide the following information and click  Next
• Name : Provide a name for the profile to distinguish it from other similar profiles
• Description : (Optional) Provide a description for the profile to further differentiate profiles
• Platform : (Greyed out) Windows 10 and later
• On the  Configuration settings  page, as shown below in Figure 1, perform the following actions and click  Next
• Select  User Rights  as category
• Select  Shut Down The System  as setting
• Specify the allowed users and local groups on separate lines (1)

• On the  Scope tags  page, configure the required scope tags and click  Next
• On the  Assignments  page, configure the assignment for the specific devices and click  Next
• On the  Review + create  page, verify the configuration and click  Create

Note : The setting mentions that it’s available for Windows Insiders only, but that’s not the experience so far.

Experiencing users prevented from shutting down specific devices

After configuring the list with users that are allowed to shutdown the device, it’s time to look at the user experience. And there are many things that indicate the behavior and that the configuration is applied. That can be the actual applied configuration, as well as the experience of the user. Pieces of both are shown below in Figure 2. To start with the first, the applied configuration can be verified in the Local Security Policy by looking at Local Policies > User Rights Assignment . That includes the Shut down the system right (1) that includes the configured list of users and local groups that are allowed to shutdown the system. The applied configuration will make sure that the users cannot shutdown, or restart, the device. That can be verified by for example looking at the available power options for the users (2), or the ability to restart the device after the installation of updates (3). Besides that, even command actions will be prevented and give the user an access denied message.

Note : This configuration was successfully tested on the latest Windows Insiders builds and on Windows 11 version 23H2.

More information

For more information about preventing users from restarting Windows, refer to the following docs.

• Shut down the system – security policy setting – Windows Security | Microsoft Learn
• UserRights Policy CSP – Windows Client Management | Microsoft Learn

4 thoughts on “Preventing users from shutting down specific devices”

• Pingback: Microsoft Roadmap, messagecenter en blogs updates van 21-12-2023 - KbWorks
• Pingback: Intune Newsletter - 22nd December 2023 - Andrew Taylor

I don’t suppose you tested this on Win 11 22H2 as well did you by any chance? I’m not having much luck setting it yet, I’ve even tried using a SID rather than domain group name.

Before I dig too deeply I’m unsure if it’s the Windows Insider thing mentioned that isn’t working on 22H2 – but does on 23H2, or if it’s something else.

Hi Steve, I’ve successfully tested it on Windows 11 23H2 and Insider Builds. Regards, Peter

Leave a Comment Cancel reply

Notify me of follow-up comments by email.

Notify me of new posts by email.

This site uses Akismet to reduce spam. Learn how your comment data is processed .

• NIST 800-53
• Common Controls Hub

The Force shutdown from a remote system user right must only be assigned to the Administrators group.

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

Local Security Policies, System Group Policy Objects, and Active Directory values not updating Secedit.exe Sec.cfg

I am attempting to monitor the status of SeRemoteShutdownPrivilege and SeEnableDelegationPrivilege to determine if they have been updated/changed. When doing so, this configuration file doesn't seem to update. Are there any other locations where a variable would affect "Force shutdown form a remote system" and "Enable computer and user accounts to be trusted for delegation". I have already looked through Microsoft Registry key documentation. Here's the link I referred to: https://www.microsoft.com/en-us/download/details.aspx?id=25250 I have looked into using Get-GPRegistryValue, Get-GPOReport, and Get-GPO. The way I generated Sec.cfg was using "Secedit /export /cfg sec.cfg /log NUL".

Thank you for any help that you can provide.

• active-directory
• windows-server-2016
• group-policy
• security-policy

• Hey @user18638085, I did reproduce this issue and the solution worked for me; do let me know if it solved your problem else share more details so I can troubleshoot? –  Kartik Bhiwapurkar Commented May 2, 2022 at 12:44

• For the ‘Force Shutdown from a Remote System’ setting to apply effectively on a client system, kindly check whether the below group policy regarding this setting has been applied or not by executing the command ‘gpresult /h gpreport.html’ on the elevated command prompt on the client system. In the report, please check whether the above said group policy setting has been applied successfully or not.

Group policy setting: -

On the Group Policy Server, check the below group policy setting by checking the ‘Default domain policy’ or that policy which controls the below setting: -

To forcefully apply the domain group policy settings on the client system, execute the command ‘gpupdate /force’ on an elevated command prompt and restart the client system. Then check the client’s group policy report once again to check whether the setting has been applied or not.

• Also, I would suggest you to please make the above said modifications on a baseline client system through local group policy editor and export the settings in an ‘.inf’ template for installation via powershell script . Check for the below settings information in the ‘.inf’ file and then execute the below command by modifying the values for ‘.inf’ file and ‘.db’ file as appropriate: -

By doing the above, your issue should get resolved.

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged active-directory registry windows-server-2016 group-policy security-policy or ask your own question .

• The Overflow Blog
• How to build open source apps in a highly regulated industry
• Community Products Roadmap Update, July 2024
• Featured on Meta
• We spent a sprint addressing your requests — here’s how it went
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network...
• Policy: Generative AI (e.g., ChatGPT) is banned
• What makes a homepage useful for logged-in users
• The [lib] tag is being burninated

Hot Network Questions

• Why do I see low voltage in a repaired underground cable?
• Any algorithm to do Huffman encoding without using graphs?
• What's the point of Dream Chaser?
• Con permiso to enter your own house?
• Is there a way to do artificial gravity testing of spacecraft on the ground in KSP?
• How does this switch work on each press?
• Staying in USA longer than 3 months
• Does the decision of North Korea sending engineering troops to the occupied territory in Ukraine leave them open to further UN sanctions?
• How to maintain dependencies shared among microservices?
• Why does the Trump immunity decision further delay the trial?
• Imagining Graham's number in your head collapses your head to a black hole
• Is there a drawback to using Heart's blood rote repeatedly?
• Do we know a lower bound or the exact number of 3-way races in France's 2nd round of elections in 2024?
• Wait a minute, this *is* 1 across!
• Word split between two lines is not found in man pages search
• Geometry question about a six-pack of beer
• Plausible reasons for the usage of Flying Ships
• exploded pie chart, circumscribing arc, and text labels
• mirrorlist.centos.org no longer resolve?
• Use of Compile[] to optimize the code to run faster
• Can you help me to identify the aircraft in a 1920s photograph?
• Is it possible to arrange the free n-minoes of orders 2, 3, 4 and 5 into a rectangle?
• Orange marks on ceiling underneath bathroom
• Measure by mass vs. 'Spooned and Leveled'

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Force shutdown from a remote system

• 1 contributor
• Windows 11
• Windows 10

Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting.

This security setting determines which users are allowed to shut down a device from a remote location on the network. This setting allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location.

Constant: SeRemoteShutdownPrivilege

Possible values

• User-defined list of accounts
• Administrators

Best practices

• Explicitly restrict this user right to members of the Administrators group or other assigned roles that require this capability, such as non-administrative operations staff.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

By default this setting is Administrators and Server Operators on domain controllers and Administrators on stand-alone servers.

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.

Policy management

This section describes features, tools, and guidance to help you manage this policy.

A restart of the computer is not required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

This policy setting must be applied on the computer that is being accessed remotely.

Group Policy

This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers.

Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

• Local policy settings
• Site policy settings
• Domain policy settings
• OU policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

Any user who can shut down a device could cause a denial-of-service condition to occur. Therefore, this user right should be tightly restricted.

Countermeasure

Restrict the Force shutdown from a remote system user right to members of the Administrators group or other assigned roles that require this capability, such as non-administrative operations staff.

Potential impact

On a domain controller, if you remove the Force shutdown from a remote system user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Confirm that delegated activities are not adversely affected.

Related topics

• User Rights Assignment

Additional resources

The Daily Show Fan Page

Explore the latest interviews, correspondent coverage, best-of moments and more from The Daily Show.

The Daily Show

S29 E68 • July 8, 2024

Host Jon Stewart returns to his place behind the desk for an unvarnished look at the 2024 election, with expert analysis from the Daily Show news team.

Extended Interviews

The Daily Show Tickets

Attend a Live Taping

Find out how you can see The Daily Show live and in-person as a member of the studio audience.

Best of Jon Stewart

The Weekly Show with Jon Stewart

New Episodes Thursdays

Jon Stewart and special guests tackle complex issues.

Powerful Politicos

The Daily Show Shop

Great Things Are in Store

Become the proud owner of exclusive gear, including clothing, drinkware and must-have accessories.

About The Daily Show