Shut down the system - security policy setting

  • Windows 11
  • Windows 10

Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting.

This security setting determines if a user who is logged on locally to a device can shut down Windows.

Shutting down domain controllers makes them unable to do things like process sign-in requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles, which are also known as flexible single master operations or FSMO roles, can disable key domain functionality, such as processing sign-in requests for new passwords, which is done by the primary domain controller (PDC) emulator master.

The Shut down the system user right is required to enable hibernation support, to set the power management settings, and to cancel a shutdown.

Constant: SeShutdownPrivilege

Possible values

  • A user-defined list of accounts
  • Not defined

Best practices

  • Ensure that only Administrators and Backup Operators have the Shut down the system user right on member servers, and that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks won't be negatively affected.
  • The ability to shut down domain controllers should be limited to a few trusted administrators. Even though a system shutdown requires the ability to sign in to the server, you should be careful about the accounts and groups that you allow to shut down a domain controller.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

By default this setting is Administrators, Backup Operators, Server Operators, and Print Operators on domain controllers, and Administrators and Backup Operators on stand-alone servers.

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.

Policy management

This section describes features, tools, and guidance to help you manage this policy.

A restart of the computer isn't required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy

This user right doesn't have the same effect as Force shutdown from a remote system. For more information, see Force shutdown from a remote system.

Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

  • Local policy settings
  • Site policy settings
  • Domain policy settings
  • OU policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

The ability to shut down domain controllers should be limited to a few trusted administrators. Although the Shut down the system user right requires the ability to sign in to the server, you should be careful about which accounts and groups you allow to shut down a domain controller.

When a domain controller is shut down, it can't process sign-in requests, process Group Policy settings, or answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that have operations master roles, you can disable key domain functionality, such as processing sign-in requests for new passwords, which is performed by the PDC master.

For other server roles, especially roles where non-administrators have rights to sign in to the server, such as RD Session Host servers, it's critical that this user right be removed from users who don't have a legitimate reason to restart the servers.

Countermeasure

Make sure that only the Administrators and Backup Operators groups are assigned the Shut down the system user right on member servers. And make sure that only the Administrators group is assigned the user right on domain controllers.
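The countermeasure above can be checked from a script. The following PowerShell is an added example, not part of the Microsoft documentation: it parses the text of a `secedit /export /areas USER_RIGHTS` file and reports any principal that holds SeShutdownPrivilege outside the recommended groups. The function names and the sample export are constructed for illustration; the SIDs are the well-known ones for the built-in Administrators, Backup Operators and Users groups.

```powershell
# Added example: audit SeShutdownPrivilege holders against the recommended
# baseline. Function names and the sample export below are constructed.

# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators,
#                  S-1-5-32-551 = BUILTIN\Backup Operators.
$Baseline = @{
    MemberServer     = @('S-1-5-32-544', 'S-1-5-32-551')
    DomainController = @('S-1-5-32-544')
}

function Get-UserRightHolders {
    # Returns the principals listed for one right in a secedit export.
    # SIDs are exported as "*S-1-..."; account names that secedit did not
    # map to a SID appear without the asterisk and are returned as written.
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [string]$Right = 'SeShutdownPrivilege'
    )
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # a right that is absent from the export has no holders
}

function Test-ShutdownRight {
    # Compares the holders with the baseline for the given server role.
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [ValidateSet('MemberServer', 'DomainController')]
        [string]$Role = 'MemberServer'
    )
    $holders = @(Get-UserRightHolders -InfLines $InfLines)
    $allowed = $Baseline[$Role]
    [pscustomobject]@{
        Role       = $Role
        Holders    = $holders
        Unexpected = @($holders | Where-Object { $_ -notin $allowed })
        Missing    = @($allowed | Where-Object { $_ -notin $holders })
    }
}

# Constructed sample of an export in which BUILTIN\Users (S-1-5-32-545)
# has also been given the right.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-ShutdownRight -InfLines $sample -Role MemberServer
Test-ShutdownRight -InfLines $sample -Role DomainController

# On a live host, from an elevated session:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Test-ShutdownRight -InfLines (Get-Content "$env:TEMP\rights.inf") -Role MemberServer
```

Any entry under Unexpected is an account or group to review before removal, since the potential impact section notes that delegated roles may depend on it.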

Potential impact

The impact of removing these default groups from the Shut down the system user right could limit the delegated abilities of assigned roles in your environment. Confirm that delegated activities aren't adversely affected.

Related articles

  • User Rights Assignment


Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

  • How to allow or prevent shutdown/reboot options in Windows via GPO
  • Allow remote shutdown/restart without admin permissions
  • Disable (hide) shutdown or restart options from Windows
  • How to find out who restarted/shutdown a Windows server

You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down an operating system.

Please note that the default restart/shutdown permissions for desktop versions of Windows 10/11 and Windows Server editions are different.

Open the Local Group Policy Editor (gpedit.msc) and navigate to the section specified above. As you can see, the members of local groups Administrators, Users and Backup Operators have the permission to shutdown/reboot a computer running Windows 10 or 11.


On Windows Server 2022/2019/2016, only Administrators or Backup Operators can shut down or restart the server. This is reasonable, since in most cases a non-admin user must not have the privileges to shut down a server (even accidentally). Just imagine an RDS farm host that often shuts down because users accidentally click the “Shutdown” button in the Start menu…

On Active Directory domain controllers, the rights to shut down Windows are delegated to:

  • Administrators
  • Backup Operators
  • Server Operators
  • Print Operators

If the user does not have permission to restart/shutdown the operating system, then an error will appear when running the following command:

shutdown -r -t 0

shutdown command - access is denied 5

You can manually grant permissions to shut down the computer locally using the legacy ntrights tool from the Windows Server 2003 Resource Kit:

ntrights +r SeShutdownPrivilege -u woshub\j.smith

To prevent a user from shutting down or restarting Windows:

ntrights -r SeShutdownPrivilege -u woshub\j.smith

Or, vice versa, you can prevent users of workstations running the desktop Windows 10/11 edition from restarting a computer that performs some kind of server function. In this case, just remove the Users group from the local policy Shut down the system.

In the same way, you can prevent (or allow) shutdown/reboot operations for non-admin users on all computers in a specific Organizational Unit (OU) of an Active Directory domain using a domain GPO.

  • Create the grpAllowRestartComputers user group in AD for the users to whom you want to grant the permissions to restart computers. You can create a new group using the ADUC snap-in (dsa.msc) or the New-ADGroup PowerShell cmdlet. Add users to the group;


  • Set the GPO name (gpoAllowReboot) and edit it;
  • Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment;


  • Update the GPO settings on the target computers and check the resulting GPO settings with the rsop.msc snap-in. Users in your group can now shut down or reboot this host;


To allow a non-admin user to shut down or restart a computer remotely, add the user account to the Force shutdown from a remote system Group Policy option in the same GPO section (User Rights Assignment).

By default, only administrators can shutdown/restart the server remotely. Add a user account to the policy.


ntrights +r SeRemoteShutdownPrivilege -u woshub\j.smith

After that, the user will get the SeRemoteShutdown privilege and will be able to restart the server remotely using the command:

Or using the Restart-Computer PowerShell cmdlet:

Restart-Computer -ComputerName hamb-rds01 -Force

If WinRM (Windows Remote Management) is enabled on the remote computer, you can use WSMan instead of WMI to connect:

Restart-Computer -ComputerName hamb-rds01 -Protocol WSMan

If the user does not have permission to connect to the WMI namespace, an error will appear:

You can use Group Policy to hide the Shutdown, Restart, Sleep and Hibernate options from the sign-in screen and Start Menu. This GPO option is called Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands and is located under User Configuration -> Administrative Templates -> Start Menu and Taskbar.


After you enable this policy, a user will be able only to disconnect the current session or use the logoff command. The Shutdown, Sleep and Restart buttons will become unavailable.


You can use some registry tweaks to hide only a specific item from the Power/Shutdown menu in Windows. For example, you want to hide only the “Shut down” option in the Start menu, but keep “Restart”.

  • Open the Registry Editor (regedit.exe);
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown;


REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" /v "value" /t REG_DWORD /d 1 /f

Or using PowerShell:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" -Name "value" -Value 1

Also, you can hide other options in the Start Menu and Windows sign-in screen:

  • Hide only the Restart option in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart" /v "value" /t REG_DWORD /d 1 /f
  • Hide Hibernate option from Start Menu in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate" /v "value" /t REG_DWORD /d 1 /f
  • Hide Sleep from the Start Menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep" /v "value" /t REG_DWORD /d 1 /f
  • To completely disable the Power button and remove the “Shut down or sign out” option from WinX menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton" /v "value" /t REG_DWORD /d 1 /f

Please note that in Windows Server 2019/2022, after assigning restart permission to a user, an error may appear:

You don’t have permission to shutdown or restart this computer.

In this case, you need to enable the UAC parameter “User Account Control: Run all administrators in Admin Approval Mode” in the GPO:

If you have granted permission to reboot a computer for a non-admin user, you may want to know who restarted a Windows Server: a user or one of the administrators.

Use the Event Viewer (eventvwr.msc) to search for shutdown logs in Windows. Go to Windows Logs -> System and filter the current log by the Event ID 1074.


As you can see, there are server restart events in the log in chronological order. The event description includes the restart time, the reason, and the user account that restarted the host.

EventID: 1074 The process C:\Windows\system32\shutdown.exe has initiated the restart of computer on behalf of user for the following reason: Reason Code: 0x800000ff Shutdown Type: restart

You can get information about recent Windows shutdown events using the same Event ID 1076:

Use the following simple PowerShell script to list the last ten computer restart and shutdown events. This list contains the names of the users and processes from which the reboot was initiated.

# List the last ten restart/shutdown events (Event ID 1074) from the System log
Get-EventLog -LogName System |
    Where-Object { $_.EventId -eq 1074 } |
    Select-Object -First 10 |
    ForEach-Object {
        $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode
        if ($_.ReplacementStrings[4]) {
            $rv.Date    = $_.TimeGenerated
            $rv.User    = $_.ReplacementStrings[6]   # account that initiated the action
            $rv.Process = $_.ReplacementStrings[0]   # process that initiated the action
            $rv.Action  = $_.ReplacementStrings[4]   # shutdown type
            $rv.Reason  = $_.ReplacementStrings[2]
            $rv
        }
    } |
    Select-Object Date, Action, Reason, User, Process |
    Format-Table


So sad that there’s no option to disable only shutdown. I have a need to allow user to restart their machines but not shutdown.


FYI you can hide shutdown from the start menu using HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown

Thanks, but even so an advanced user would know to turn it off using other ways.


Thank you MT.. this helped..


On Windows 11, this did work, however, a user who is blocked from restarting/shutting down in this way, can still press Control-Alt-Delete and has the restart/shutdown option in the lower right hand corner. Is there a way to remove that, too?

I just actually tried it from a “non-privileged” account. The good news is that although the options appear, they don’t actually work. 🙃


To Allow Users or Groups to Shut Down Windows 10,

  • On the right, double-click the option Shut down the system.

  • From the list, select the user account or group to deny log on locally for it. You can select more than one entry at once by holding the Shift or Ctrl keys and clicking on the items in the list.

You are done.

To Prevent Users or Groups from Shutting Down Windows 10,


If your Windows edition doesn't include the secpol.msc tool, here is an alternative solution.

If your Windows edition doesn't include the secpol.msc tool, you can use the ntrights.exe tool from Windows 2003 Resource Kit. Many resource kit tools released for previous Windows versions will run successfully on Windows 10. ntrights.exe is one of them.

The ntrights tool

The ntrights tool allows you to edit user account privileges from the command prompt. It is a console tool with the following syntax.

  • Grant a right:  ntrights +r Right -u UserOrGroup [-m \\Computer] [-e Entry]
  • Revoke a right:  ntrights -r Right -u UserOrGroup [-m \\Computer] [-e Entry]

The tool supports plenty of privileges which can be assigned to or revoked from a user account or group. Privileges are case sensitive. To learn more about the supported privileges, type ntrights /?.

To add ntrights.exe to Windows 10, read this post: What is the ntrights app and how you can use it. You can place the ntrights.exe file in the C:\Windows\System32 folder to quickly call it.

Revoke Shut Down Right with ntrights

  • Open an  elevated command prompt .

Substitute the SomeUserName portion with the actual user name or group name. The specified user will be prevented from locally signing in to Windows 10.

  • To undo the change and allow the user to log on locally, execute ntrights -u SomeUserName +r SeShutdownPrivilege

Related articles.

  • How to set the default action for the Shutdown dialog in Windows 10
  • All ways to restart and shutdown Windows 10
  • The Slide-to-Shutdown feature in Windows 10
  • Speed up slow shutdown in Windows 10
  • Enable Shutdown Event Tracker in Windows 10
  • How to Find the Shutdown Log in Windows 10
  • How to Clear Pagefile at Shutdown in Windows 10
  • Add Shutdown Context Menu in Windows 10
  • Create a Shut Down Windows Dialog Shortcut in Windows 10
  • Create Shutdown, Restart, Hibernate and Sleep Shortcuts in Windows 10
  • Create Slide to Shutdown Shortcut in Windows 10
  • How to create a shortcut to the Shut Down Windows dialog in Windows 10
  • Abnormal Shutdown Diagnosis in Windows 10
  • Close Apps Automatically at Restart, Shut Down, or Sign Out in Windows 10
  • Disable Shut Down, Restart, Sleep, and Hibernate in Windows 10


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software.


How to add a user group in the "Shut down the system" group policy in Windows Server by CMD or PowerShell

I've read some documentation on Microsoft and other sites. Some of them suggest GPRegistryValue for registry-based policies and other recommended third-party software.

The full path of the key is: "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"

But in my case I cannot use other packages except CMD or PowerShell (UI not available).

  • group-policy
  • windows-server

Daniel Teodoro

  • superuser.com/questions/1254253/… and blakedrumm.com/blog/set-and-check-user-rights-assignment might help you for a starting point to play with. –  Vomit IT - Chunky Mess Style Nov 25, 2022 at 21:25
  • This is just local security policy settings. What did you search for as this is a common task? powershell 'Local User Rights Management' –  postanote Nov 25, 2022 at 21:37

Windows provides the secedit.exe tool for this and/or custom code, as per the link provided in my comment to you.

Also, did you check the mspowershellgallery.com site for modules that assist with local user security policy?

Update as per '@Vomit IT - Chunky Mess Style', suggestion.

The more succinct/elegant option.

FYI --- Update for '@Vomit IT - Chunky Mess Style'. Using the PS_LSA.Wrapper

postanote

  • 1 @VomitIT-ChunkyMessStyle... update provided. –  postanote Nov 25, 2022 at 21:43
  • Oh yeah, now you're talking!!! I saw github examples of that Indented.SecurityPolicy you suggested listed there. I like it! –  Vomit IT - Chunky Mess Style Nov 25, 2022 at 21:55
  • 1 Yeppers, I've got a bunch of these I've collected, refactored, and written over the years in different engagements. Even one using the underlying OS PS_LSA Windows library. –  postanote Nov 25, 2022 at 22:06
  • Thanks for helping me. The module of 'SecurityPolicy' is available, but when I try to find its modules "Get-Command -Module 'SecurityPolicy'" nothing is listed. Thus, I can't execute 'Add-UserRightsAssignment'. –  Daniel Teodoro Nov 29, 2022 at 13:38
  • If you did this Get-Command -Module 'SecurityPolicy' , and you see nothing? If so, that means it's not installed/in your PSModulePath. Did you install the module as I show in my suggested answer? If not, then you need to. Then you use Get-Module -ListAvailable to validate it's on your system. –  postanote Nov 30, 2022 at 6:37
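One way to do what the question asks with built-in tools only, using the secedit.exe tool the answer names (an added example, not code from the thread): export the user rights, append the group's SID to the SeShutdownPrivilege line, and re-apply the file. The account name `EXAMPLE\ShutdownOperators`, the sample SID and the function names are hypothetical; the live part must run from an elevated session.

```powershell
# Added example: grant "Shut down the system" (SeShutdownPrivilege) to a group
# with secedit.exe and PowerShell only. Function names are hypothetical.

function Add-RightHolderToInf {
    # Text transform on the lines of a "secedit /export" file: appends *<SID>
    # to the given right, or creates the line when the right has no holders.
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [Parameter(Mandatory)][string]$Sid,
        [string]$Right = 'SeShutdownPrivilege'
    )
    $entry   = "*$Sid"
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    $found   = $false
    $result = foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            $found   = $true
            $holders = @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ })
            if ($holders -notcontains $entry) { $holders += $entry }
            "$Right = $($holders -join ',')"
        }
        else { $line }
    }
    if (-not $found) {
        # A right with no holders is absent from the export: add it to the section.
        $result = foreach ($line in $result) {
            $line
            if ($line -match '^\s*\[Privilege Rights\]\s*$') { "$Right = $entry" }
        }
    }
    return $result
}

function Grant-ShutdownRight {
    # Requires an elevated session on the target server.
    param([Parameter(Mandatory)][string]$Account)

    # Resolve the account name to its SID, the form secedit exports.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    $db  = Join-Path $env:TEMP 'user_rights.sdb'
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $updated = Add-RightHolderToInf -InfLines (Get-Content -Path $cfg) -Sid $sid
        # secedit writes UTF-16 LE; keep that encoding for the import.
        Set-Content -Path $cfg -Value $updated -Encoding Unicode
        secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "secedit /configure returned exit code $LASTEXITCODE"
        }
    }
    finally {
        Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
    }
}

# Constructed sample: shows the text transform without touching the system.
$sample = '[Privilege Rights]', 'SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551'
Add-RightHolderToInf -InfLines $sample -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# Live use (hypothetical group name; replace with a real local or domain group):
# Grant-ShutdownRight -Account 'EXAMPLE\ShutdownOperators'
```

A domain GPO that defines this user right overwrites the local value at the next Group Policy update, so on domain-joined servers the change belongs in the GPO.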


All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more


Preventing users from shutting down specific devices

This week is a short post about the ability to prevent users from shutting down, or restarting, specific devices. That is something already often used for specific servers, like domain controllers, to prevent users from shutting them down. There are, however, also good reasons why that might be very useful and beneficial on specific devices. Think about devices that host critical business processes that can only be turned off, or restarted, during specific windows. For those devices, the user right to shut down the device should only be provided to a few trusted users, or administrators. So, not just removing the shutdown, or restart, button, but actually removing the user right to perform a shutdown. Luckily, nowadays there is an easy method for configuring the list of users that are allowed to shut down a specific Windows device. This post will provide some more details around that configuration, followed by the configuration steps. This post will end by showing the user experience.

Note: Keep in mind that this post is focussed on the local options on the Windows device.

Configuring preventing users from shutting down specific devices

When looking at preventing users from shutting down, or restarting, specific Windows devices, the UserRights section in the Policy CSP is the place to look. That section contains many of the different policy settings of the User Rights Assignment Local Policies, including the Shut Down The System (ShutDownTheSystem) policy setting. That policy setting can be used to configure the users that are allowed to locally shutdown, or restart, the device. The configuration of that policy setting is available via the Settings Catalog. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to configure the local shutdown rights, by using the Shut Down The System policy setting.

  • Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  • On the Windows | Configuration profiles blade, click Create > New Policy
  • On the Create a profile blade, provide the following information and click Create
      • Platform: Select Windows 10 and later to create a profile for Windows 10 devices
      • Profile: Select Settings catalog to select the required setting from the catalog
  • On the Basics page, provide the following information and click Next
      • Name: Provide a name for the profile to distinguish it from other similar profiles
      • Description: (Optional) Provide a description for the profile to further differentiate profiles
      • Platform: (Greyed out) Windows 10 and later
  • On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next
      • Select User Rights as category
      • Select Shut Down The System as setting
      • Specify the allowed users and local groups on separate lines (1)
  • On the Scope tags page, configure the required scope tags and click Next
  • On the Assignments page, configure the assignment for the specific devices and click Next
  • On the Review + create page, verify the configuration and click Create

Note: The setting mentions that it’s available for Windows Insiders only, but that’s not the experience so far.

Experiencing users prevented from shutting down specific devices

After configuring the list with users that are allowed to shutdown the device, it’s time to look at the user experience. And there are many things that indicate the behavior and that the configuration is applied. That can be the actual applied configuration, as well as the experience of the user. Pieces of both are shown below in Figure 2. To start with the first, the applied configuration can be verified in the Local Security Policy by looking at Local Policies > User Rights Assignment. That includes the Shut down the system right (1) that includes the configured list of users and local groups that are allowed to shutdown the system. The applied configuration will make sure that the users cannot shutdown, or restart, the device. That can be verified by for example looking at the available power options for the users (2), or the ability to restart the device after the installation of updates (3). Besides that, even command actions will be prevented and give the user an access denied message.


Note: This configuration was successfully tested on the latest Windows Insiders builds and on Windows 11 version 23H2.

More information

For more information about preventing users from restarting Windows, refer to the following docs.

  • Shut down the system – security policy setting – Windows Security | Microsoft Learn
  • UserRights Policy CSP – Windows Client Management | Microsoft Learn

4 thoughts on “Preventing users from shutting down specific devices”


I don’t suppose you tested this on Win 11 22H2 as well did you by any chance? I’m not having much luck setting it yet, I’ve even tried using a SID rather than domain group name.

Before I dig too deeply I’m unsure if it’s the Windows Insider thing mentioned that isn’t working on 22H2 – but does on 23H2, or if it’s something else.

Hi Steve, I’ve successfully tested it on Windows 11 23H2 and Insider Builds. Regards, Peter


User Rights Assignments

Although in this section they are called user rights, these authority assignments are more commonly called privileges.

Privileges are computer-level actions that you can assign to users or groups. For the sake of maintainability, you should only assign privileges to groups, not to individual users. Each computer has its own user rights assignments. In particular, this means you should be cognizant of rights assignments on member servers, which may easily differ from the rights assignments you find on your domain controllers. To centrally control user rights assignments on computers throughout your domain, use group policy.

  • Logon rights
  • Admin equivalent rights
  • Tracking user rights with the security log
  • User rights in-depth
  • Access this computer from the network
  • Act as part of the operating system
  • Add workstations to domain
  • Adjust memory quotas for a process
  • Allow log on locally
  • Allow logon through Terminal Services
  • Back up files and directories
  • Bypass traverse checking
  • Change the system time
  • Create a pagefile
  • Create a token object
  • Create global objects
  • Create permanent shared objects
  • Debug programs
  • Deny access to this computer from the network
  • Deny logon as a batch job
  • Deny logon as a service
  • Deny logon locally
  • Deny logon through Terminal Services
  • Enable computer and user accounts to be trusted for delegation
  • Force shutdown from a remote system
  • Generate security audits
  • Impersonate a client after authentication
  • Increase scheduling priority
  • Load and unload device drivers
  • Lock pages in memory
  • Log on as a batch job
  • Log on as a service
  • Manage auditing and security log
  • Modify firmware environment values
  • Perform volume maintenance tasks
  • Profile single process
  • Profile system performance
  • Remove computer from docking station
  • Replace a process level token
  • Restore files and directories
  • Shut down the system
  • Synchronize directory service data
  • Take ownership of files and other objects

Child articles:

  • Logon Rights
  • Admin Equivalent Rights
  • Tracking User Rights with the Security Log
  • User Rights In-Depth


Configure Users Or Groups To Shut Down The System


If you’re managing a multi-user machine and want to configure which users or groups can shut down the machine, this article may interest you. Basically, only certain pre-defined groups can shut down the system. For example, if you’re on a client OS, users, administrators and backup operators can shut down the machine by default, while on a server OS, only administrators and backup operators can shut it down. On a domain controller, only administrators, backup operators, server operators and print operators are allowed to shut down by default.

So this means that different types of Windows OS can be shut down by different pre-defined groups. Now if you plan to assign a specific user or group to shut down the system, you can do so by configuring the dedicated policy setting.

The steps below show how to allow or prevent a user or group from shutting down Windows.

Windows Key

2. Then in Security Policy snap-in window, navigate here:

Security Settings > Local Policies  > User Rights Assignment

3. In the right pane of User Rights Assignment, look for the Shut down the system policy setting and double-click it. On client editions, you’ll see that Administrators, Backup Operators and Users are configured for this setting and can shut down the system. To add a user or group, click the Add User or Group button. For illustration, we’ll add Authenticated Users to this policy.

4. In the Select User or Group window, click the Advanced button.

5. In the next window, click Find Now first. Then, from the Search results, pick the object (user/group) to which you want to grant the right to shut down the system. Double-click that Name.

6. Back in the previous window, you should see that name added and underlined, so click OK.

7. Finally, the user account or group you’ve chosen is added to the Shut down the system policy setting. Click OK, Apply and make the changes effective.

Once the GP engine is updated, your policy should be effective. You can run the gpupdate /force command to update the GP engine immediately.

That’s it!


The A-Team

Is there a setting I can enable to prevent users from shutting down the computer?

How to prevent Shut Down

How do you set a computer or a user to prevent shutting down the computer? I got an account that has full admin and it's doing a Windows Backup, but the other user is allowed to force shut down since the other user is still logged in (locked). Is there a way to prevent a user from shutting down the computer if another user is logged in? I know there's a setting where you can change the Start Menu, but it's not good enough. Alan


Babu V

I would suggest you follow these methods and check.

If you have Windows 7 Ultimate or Professional Editions follow Method 1, if you have Windows 7 Home Premium or lower editions go to Method 2.

Method 1: Change the group policy settings and see.

You can configure the policy setting that determines which users can shut down the local computer. Browse to the following location within the Group Policy Management Console (GPMC),

Click Start Button, Type gpedit.msc in the search field.

Browse to the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Shut Down the System

Double-click Shut down the System, select the user group you want to disable and hit Remove > Apply > OK.

Simply restart your PC and log in from users account to check whether Disable and Remove Shutdown feature is working.

a. We have to Disable and Remove Shutdown option using Registry Editor. Open Registry Editor, go to the following path: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

b. Select Explorer in the left-hand pane, right-click in the right-hand pane and select New > DWORD; then name it NoClose.

c. Double-click NoClose and change the Hex Value to 1; click OK and close Registry Editor.

d. Restart; you will be able to Disable and Remove Shutdown in Windows 7 Home Premium or lower in this way.

Hope this helps!

6 people found this reply helpful


Prevent local admins from shutting down RDS server

One of the clients I manage runs an RDS environment on Windows Server 2008 R2 servers which users log onto to work. I need to prevent users from allowing applications to restart these servers; the kicker is that they are all Local Admins (due to the requirements of the application that they run). What GP(s) would you recommend be applied to solve this? I currently have the following set:

Computer Config > Policy > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut down the system.

Only allowing Domain Admins to shut down the system, I believe this is only applying to local shutdowns, not remote.

  • windows-server-2008-r2
  • group-policy

Volodymyr Molodets

  • Stopping local shutdowns is not good practice to me, and that dang power button/cord is still there. You should allow someone local to shutdown/restart as a last resort at least...who knows the network card might blow, the switch fries itself –  gwillie Aug 19, 2015 at 8:21

2 Answers

Yes, this policy determines which users who are logged on locally to the computer can shut it down.

See description on the Explain tab:

You may also look at another policy in this location (i.e. under User Rights Assignment): Force shutdown from a remote system.

Administrators are members by default.

Removing Administrators from both policies would prevent them from shutting down the RDS host, either locally or remotely.

  • I had found this GP (the second) but one of the guys above me swore that all we needed was the current GP (the first). Thank you for confirming what I thought (not sarcastic, still new to the IT field so wanted some backup before proceeding). –  Mickycampbell Aug 19, 2015 at 22:51

You can't effectively deny rights to local administrators, since regardless of what GPO you apply, they can always override it at least temporarily by editing the registry. They can also remove the computer from the domain.

In general, you shouldn't use or distribute the local administrator accounts in an environment requiring top-down administrative control such as this. The best policy is to keep those passwords within a database (or software designed for this purpose such as Hitachi ID Privileged Access Manager, which I used to work on); the passwords should only be used when necessary to re-establish the domain relationship or similar, and use of them should be auditable.

It's unfortunate that your application requires such access. You could consider determining what access it actually requires, and giving it that instead; most applications do not actually need administrator access.

If your only goal is to prevent inadvertent shutdowns, you can certainly set Local Security Policy/Local Policies/User Rights Assignment/Shut Down the System to exclude them, but be aware that this will not prevent a knowledgeable user from intentionally shutting it down. I believe this policy applies to RDP interactive sessions, but not to the shutdown command (which has an option to target a remote host); that is the domain of the Force shutdown from a remote system GPO option.

Falcon Momot

  • 'Higher end' stuff like command line and registry edits I am not worried about (it may seem gung-ho but it is because I have to describe how to find a computer name to most of the people there so I can connect with our remote support software). I am mainly attempting to prevent inadvertent shutdowns, such as a prompt from MSE to restart the system. –  Mickycampbell Aug 19, 2015 at 22:40


UCF STIG Viewer


The Force shutdown from a remote system user right must only be assigned to the Administrators group.
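To check the two user rights discussed on this page against a baseline, the following added example (not code from any of the quoted sources) parses the `[Privilege Rights]` section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and reports unexpected holders. The sample export, the `CONTOSO\helpdesk` account and the function names are constructed for illustration; the baseline follows the member-server best practice and the Administrators-only rule for remote shutdown.

```python
"""Audit shutdown-related user rights in a secedit USER_RIGHTS export."""
# Well-known SIDs; these values are fixed by Windows.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-11": "Authenticated Users",
}

# Assumed baseline for a member server. On a domain controller, pass a
# baseline that allows only Administrators for SeShutdownPrivilege.
BASELINE = {
    "SeShutdownPrivilege": {"Administrators", "Backup Operators"},
    "SeRemoteShutdownPrivilege": {"Administrators"},
}

# Constructed sample, shaped like the output of
# `secedit /export /cfg out.inf /areas USER_RIGHTS`.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-11
SeRemoteShutdownPrivilege = *S-1-5-32-544,CONTOSO\\helpdesk
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [holder, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs with a leading '*'; account names have none.
        items = [i.strip().lstrip("*") for i in value.split(",") if i.strip()]
        rights[name.strip()] = [WELL_KNOWN.get(i, i) for i in items]
    return rights

def audit_shutdown_rights(inf_text, baseline=BASELINE):
    """Return {right: sorted unexpected holders}; an empty list is compliant."""
    rights = parse_privilege_rights(inf_text)
    return {
        right: sorted(set(rights.get(right, [])) - allowed)
        for right, allowed in baseline.items()
    }

if __name__ == "__main__":
    for right, extra in audit_shutdown_rights(SAMPLE_INF).items():
        print(right, "OK" if not extra else "FINDING: " + ", ".join(extra))
```

SIDs that are not in the table, such as domain accounts the export could not resolve, are reported as raw SIDs so they still surface as findings.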

COMMENTS

  1. Shut down the system

    Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Group Policy. This user right doesn't have the same effect as Force shutdown from a remote system. For more information, see Force shutdown from a remote system.

  2. Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    How to Allow or Prevent Shutdown/Reboot Options in Windows via GPO. You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down an ...

  3. Change User Rights Assignment Security Policy Settings in Windows 10

    1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...

  4. Allow or Prevent Users and Groups to Shut down System in Windows 10

    1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Shut down the system policy in the right pane. (see screenshot below) 3.

  5. Prevent users from shutting down or restarting Windows computer

    Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut Down the System. Double click on it > Select Users > Press Remove > Apply/OK.

  6. How can I allow non-administrators to use shutdown.exe?

    How to do it: Run secpol.msc. Open Security Settings \ Local Policies \ User Rights Assignment. Double-click Force shutdown from a remote system in the right pane. Click Add User or Group. Enter the name INTERACTIVE in the text box and click Check names, then click OK, and OK again.

  7. Allow or Prevent Users or Groups to Shut Down Windows 10

    To Allow Users or Groups to Shut Down Windows 10, Press Win + R keys together on your keyboard and type: secpol.msc. Press Enter. Local Security Policy will open. Go to User Local Policies -> User Rights Assignment. On the right, double-click the option Shut down the system. In the next dialog, click Add User or Group.

  8. Shut down the system

    WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Shut down the system. Shut down the system AKA: SeShutdownPrivilege, Shut down the system. Default assignment workstations: Administrators, Backup Operators, Power Users, Users

  9. windows

    User Rights Assignment; Shut down the system. The Explanation of the privilege: Shut down the system. This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.

  10. How to add a user group in the "Shut down the system" group policy in

    How to add a user group in the "Shut down the system" group policy in Windows Server by CMD or PowerShell. ... SecurityPolicyDsc PSGallery This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments 1.3.2 Indented.SecurityPolicy PSGallery Security management functions and resources 0.0.12 ...

  11. Preventing users from shutting down specific devices

    Select User Rights as category; Select Shut Down The System as setting; Specify the allowed users and local groups on separate lines (1) Figure 1: Overview of the configuration settings. On the Scope tags page, configure the required scope tags and click Next; On the Assignments page, configure the assignment for the specific devices and click Next

  12. Prevent Users from Shutting Down but allow Sleep and Restart

    I would suggest you perform the following steps and check if it helps. a) Go to Start. b) Type gpedit.msc in Start Search box. c) Go to Computer Configuration. d) Windows Settings. e) Security Settings. f) Local Policies. g) User Rights Assignment. h) Shut Down the System.

  13. User Rights Assignments

    Although in this section they are called user rights, these authority assignments are more commonly called privileges. Privileges are computer level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups not to individual users. Each computer has its own user rights assignments.

  14. Configure Users Or Groups To Shut Down The System

    2. Then in Security Policy snap-in window, navigate here:. Security Settings > Local Policies > User Rights Assignment. 3. In the right pane of User Rights Assignment, look out for Shut down the system policy setting. Double click on it. On client editions, you'll see Administrators, Backup Operators and Users are configured for this system and they can shut down the system.

  15. Add local admins to "Shut down the system" GPO entry

    Computer Configuration/Windows Settings/Security Settings/User Rights Assignment/Shut down the system. The purpose was to prevent people from shutting down the computers. I added domain users that were allowed to shutdown the machines. These users can shutdown the machines locally but they need to be able to shut down the machine remotely.

  16. Is there a setting I can enable to prevent users from shutting down

    Click Start Button, Type gpedit.msc in the search field. Browse to the following location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Shut Down the System. Double Click on Shut down the System, Select the user group you want to Disable and hit Remove > Apply > OK.

  17. Local Security Policies, System Group Policy Objects, and Active

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment/Force shutdown from a remote system To forcefully apply the domain group policy settings on the client system, execute the command 'gpupdate /force' on an elevated command prompt and restart the client system. Then check the client's group ...

  18. Prevent local admins from shutting down RDS server

    Computer Config > Policy > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut down the system. Only allowing Domain Admins to shut down the system, I believe this is only applying to local shutdowns, not remote. Stopping local shutdowns is not good practice to me, and that dang power button/cord is still there.

  19. The Force shutdown from a remote system user right must only be

    Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding. - Administrators

  20. 6 4 4 Configure User Rights (pdf)

    Configure the User Rights Assignments. a. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies. b. Select User Rights Assignment. c. Double-click the policy that you want to edit. d. Select Define these policy settings. e. Select Add User or Group. f.