user rights assignment shutdown the system

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Shut down the system - security policy setting

• 1 contributor

Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting.

This security setting determines if a user who is logged on locally to a device can shut down Windows.

Shutting down domain controllers makes them unable to do things like process sign-in requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles, which are also known as flexible single master operations or FSMO roles, can disable key domain functionality. For example, processing sign-in requests for new passwords, which are done by the primary domain controller (PDC) emulator master.

The Shut down the system user right is required to enable hibernation support, to set the power management settings, and to cancel a shutdown.

Constant: SeShutdownPrivilege

Possible values

• A user-defined list of accounts
• Not defined

Best practices

• Ensure that only Administrators and Backup Operators have the Shut down the system user right on member servers. And that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks won't be negatively affected.
• The ability to shut down domain controllers should be limited to a few trusted administrators. Even though a system shutdown requires the ability to sign in to the server, you should be careful about the accounts and groups that you allow to shut down a domain controller.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

By default this setting is Administrators, Backup Operators, Server Operators, and Print Operators on domain controllers, and Administrators and Backup Operators on stand-alone servers.

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.

Policy management

This section describes features, tools, and guidance to help you manage this policy.

A restart of the computer isn't required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy

This user right doesn't have the same effect as Force shutdown from a remote system . For more information, see Force shutdown from a remote system .

Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

• Local policy settings
• Site policy settings
• Domain policy settings
• OU policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

The ability to shut down domain controllers should be limited to a few trusted administrators. Although the Shut down the system user right requires the ability to sign in to the server, you should be careful about which accounts and groups you allow to shut down a domain controller.

When a domain controller is shut down, it can't process sign-in requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that have operations master roles, you can disable key domain functionality, such as processing sign-in requests for new passwords, which are performed by the PDC master.

For other server roles, especially roles where non-administrators have rights to sign in to the server, such as RD Session Host servers, it's critical that this user right be removed from users who don't have a legitimate reason to restart the servers.

Countermeasure

Make sure that only the Administrators and Backup Operators groups are assigned the Shut down the system user right on member servers. And make sure that only the Administrators group is assigned the user right on domain controllers.

Potential impact

The impact of removing these default groups from the Shut down the system user right could limit the delegated abilities of assigned roles in your environment. Confirm that delegated activities aren't adversely affected.

Related articles

• User Rights Assignment

Additional resources

  Windows OS Hub / Windows 10 / Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

How to allow or prevent shutdown/reboot options in windows via gpo, allow remote shutdown/restart without admin permissions, disable (hide) shutdown or restart options from windows, how to find out who restarted/shutdown a windows server.

You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down an operating system.

Please note that the default restart/shutdown permissions for desktop versions of Windows 10/11 and Windows Server editions are different.

Open the Local Group Policy Editor ( gpedit.msc ) and navigate to the section specified above. As you can see, the members of local groups Administrators , Users and Backup Operators have the permission to shutdown/reboot a computer running Windows 10 or 11 .

On Windows Server 2022/2019/2016 , only Administrators or Backup Operators can shut down or restart the server. It is reasonable, since in most cases a non-admin user must not have the privileges to shutdown a server (even accidentally). Just imagine an RDS farm host that is often shuts down since users accidentally click on the “Shutdown” button in the Start menu…

On Active Directory domain controllers, the rights to shut down Windows are delegated to:

• Administrators
• Backup Operators
• Server Operators
• Print Operators

If the user does not have permission to restart/shutdown the operating system, then an error will appear when running the following command:

shutdown –r –t 0

You can manually grant permissions to shut down the computer locally using the legacy ntrights tool from the Windows Server 2003 Resource Kit:

ntrights +r SeShutdownPrivilege -u woshub\j.smith

To prevent a user from shutting down or restarting Windows:

ntrights -r SeShutdownPrivilege -u woshub\j.smith

Or, vice versa, you can prevent users of workstations running the desktop Windows 10/11 edition from restarting the computer that performs some kind of server function. In this case, just remove Users group from the local policy Shut down the system .

In the same way, you can prevent (or allow) shutdown/reboot operations for non-admin users on all computers in a specific Organizational Unit (OU) of an Active Directory domain using a domain GPO.

• Create the grpAllowRestartComputers user group in AD, to whom you want to grant the permissions to restart computers. You can create a new group using the ADUC snap-in ( dsa.msc ) or the New-ADGroup PowerShell cmdlet.  Add users to the group;

• Set the GPO name ( gpoAllowReboot ) and edit it;
• Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment;

• Update the GPO settings on the target computers and check the resulting GPO settings with the rsop.msc snap-in. Users in your group can now shut down or reboot this host;

To do it, add a user account to the Force shutdown from a remote system Group Policy option in the same GPO section ( User Rights Assignment ).

By default, only administrators can shutdown/restart the server remotely. Add a user account to the policy.

ntrights +r SeRemoteShutdownPrivilege -u woshub\j.smith

After that, the user will get the SeRemoteShutdown privilege and will be able to restart the server remotely using the command:

Or using the Restart-Computer PowerShell cmdlet:

Restart-Computer –ComputerName hamb-rds01 –Force

If WinRM (Windows Remote Management) is enabled on the remote computer, you can use WSman instead of WMI to connect:

Restart-Computer -ComputerName hamb-rds01 -Protocol WSMan

If the user does not have permission to connect to the WMI namespace, an error will appear:

You can use Group Policy to hide the Shutdown, Restart, Sleep and Hibernate options from the sign-in screen and Start Menu. This GPO option is called Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands and is located under User Configuration -> Administrative Templates -> Start Menu and Taskbar

After you enable this policy, a user will be able only to disconnect the current session or use the logoff command. The Shutdown, Sleep and Restart buttons will become unavailable.

You can use some registry tweaks to hide only a specific item from the Power/Shutdown menu in Windows. For example, you want to hide only the “Shut down” option in the Start menu, but keep “Restart”.

• Open the Registry Editor ( regedit.exe );
• Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown ;

REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" /v "value" /t REG_DWORD /d 1 /f

Or using PowerShell:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" -Name "value" -Value 1

Also, you can hide other options in the Start Menu and Windows sign-in screen:

• Hide only thr Restart option in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart " /v "value" /t REG_DWORD /d 1 /f
• Hide Hibernate option from Start Menu in Windows: R EG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate" /v "value" /t REG_DWORD /d 1 /f
• Hide Sleep from the Start Menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep" /v "value" /t REG_DWORD /d 1 /f
• To completely disable the Power button and remove the “Shut down or sign out” option from WinX menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton" /v "value" /t REG_DWORD /d 1 /f

Please note that in Windows Server 2019/2022, after assigning restart permission to a user, an error may appear:

In this case, you need to enable the UAC parameter “User Account Control: Run all administrators in Admin Approval Mode” in the GPO:

If you have granted permission to reboot a computer for a non-admin user, you may want to know who restarted a Windows Server : a user or one of the administrators.

Use the Event Viewer ( eventvwr.msc ) to search for shutdown logs in Windows. Go to Windows Logs -> System and filter the current log by the Event ID 1074 .

As you can see, there are server restart events in the log in chronological order. The event description includes the restart time, the reason, and the user account that restarted the host.

You can get information about recent Windows shutdown events using the same Event ID 1076 :

Use the following simple PowerShell script to list the last ten computer restart and shutdown events. This list contains the names of the users and processes from which the reboot was initiated.

Get-EventLog -LogName System | where {$_.EventId -eq 1074} |select-object -first 10 | ForEach-Object { $rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode if ($_.ReplacementStrings[4]) { $rv.Date = $_.TimeGenerated $rv.User = $_.ReplacementStrings[6] $rv.Process = $_.ReplacementStrings[0] $rv.Action = $_.ReplacementStrings[4] $rv.Reason = $_.ReplacementStrings[2] $rv } } | Select-Object Date, Action, Reason, User, Process |ft

Fix: Can’t Extend Volume in Windows

Fix: windows needs your current credentials pop-up message, related reading, how to enable and configure wake-on-lan (wol) in..., fix: your it administrator has limited access to..., fix: remote desktop (rdp) session freezes (disconnects) on..., how to create, delete, and manage system restore..., upgrading to windows 11 on unsupported hardware.

So sad that there’s no option to disable only shutdown. I have a need to allow user to restart their machines but not shutdown.

FYI you can hide shutdown from the start menu using HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown

Thanks, but even so an advanced user would know to turn it off using other ways.

Thank you MT.. this helped..

On Windows 11, this did work, however, a user who is blocked from restarting/shutting down in this way, can still press Control-Alt-Delete and has the restart/shutdown option in the lower right hand corner. Is there a way to remove that, too?

I just actually tried it from a “non-privileged” account. The good news is that although the options appear, they don’t actually work. 🙃

Leave a Comment Cancel Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Current ye@r *

Leave this field empty

WinSecWiki  > Security Settings  > Local Policies  > User Rights

User Rights Assignments

Although in this section they are called user rights, these authority assignments are more commonly called privileges.

Privileges are computer level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups not to individual users. Each computer has its own user rights assignments. In particular this means you should be cognizant of rights assignments on member servers which may easily differ from the rights assignments you find on your domain controllers. To centrally control user rights assignments on computers throughout your domain use group policy.

• Logon rights
• Admin equivalent rights
• Tracking user rights with the security log
• User rights in-depth
• Access this computer from the network
• Act as part of the operating system
• Add workstations to domain
• Adjust memory quotas for a process
• Allow log on locally
• Allow logon through Terminal Services
• Back up files and directories
• Bypass traverse checking
• Change the system time
• Create a pagefile
• Create a token object
• Create global objects
• Create permanent shared objects
• Debug programs
• Deny access to this computer from the network
• Deny logon as a batch job
• Deny logon as a service
• Deny logon locally
• Deny logon through Terminal Services
• Enable computer and user accounts to be trusted for delegation
• Force shutdown from a remote system
• Generate security audits
• Impersonate a client after authentication
• Increase scheduling priority
• Load and unload device drivers
• Lock pages in memory
• Log on as a batch job
• Log on as a service
• Manage auditing and security log
• Modify firmware environment values
• Perform volume maintenance tasks
• Profile single process
• Profile system performance
• Remove computer from docking station
• Replace a process level token
• Restore files and directories
• Shut down the system
• Synchronize directory service data
• Take ownership of files and other objects

Child articles:

• Logon Rights
• Admin Equivalent Rights
• Tracking User Rights with the Security Log
• User Rights In-Depth

Back to top

All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more

Preventing users from shutting down specific devices

This week is a short post about the ability to prevent users from shutting down, or restarting, specific devices. That is something already often used for specific servers, like domain controllers, to prevent users from shutting them down. There are, however, also good reasons why that might also be very useful and beneficial on specific devices. Think about devices that host critical business processes that can only be turned off, or restarted, during specific windows. For those devices the user right to shutdown that device, should only be provided to a few trusted users, or administrators. So, not just removing the shutdown, or restart, button, but actually removing the user right to perform a shutdown. Luckily, nowadays there is an easy method for configuring the list of users that are allowed to shutdown a specific Windows device. This post will provide some more details around that configuration, followed with the configuration steps. This post will end with showing the user experience.

Note : Keep in mind that this post is focussed on the  local  options on the Windows device.

Configuring preventing users from shutting down specific devices

When looking at preventing users from shutting down, or restarting, specific Windows devices,  the UserRights section in the Policy CSP  is the place to look. That section contains many of the different policy settings of the  User Rights Assignment Local Policies , including the  Shut Down The System  ( ShutDownTheSystem ) policy setting. That policy setting can be used to configure the users that are allowed to locally shutdown, or restart, the device. The configuration of that policy setting is available via the Settings Catalog . The following eight steps walk through the creation of a  Settings Catalog  profile that contains the required setting to configure the local shutdown rights, by using the  Shut Down The System  policy setting.

• Open the  Microsoft Intune admin center  portal and navigate to  Devices  >  Windows  >  Configuration profiles
• On the  Windows | Configuration profiles  blade, click  Create  >  New Policy
• On the  Create a profile  blade, provide the following information and click  Create
• Platform : Select  Windows 10 and later  to create a profile for Windows 10 devices
• Profile : Select  Settings catalog  to select the required setting from the catalog
• On the  Basics  page, provide the following information and click  Next
• Name : Provide a name for the profile to distinguish it from other similar profiles
• Description : (Optional) Provide a description for the profile to further differentiate profiles
• Platform : (Greyed out) Windows 10 and later
• On the  Configuration settings  page, as shown below in Figure 1, perform the following actions and click  Next
• Select  User Rights  as category
• Select  Shut Down The System  as setting
• Specify the allowed users and local groups on separate lines (1)

• On the  Scope tags  page, configure the required scope tags and click  Next
• On the  Assignments  page, configure the assignment for the specific devices and click  Next
• On the  Review + create  page, verify the configuration and click  Create

Note : The setting mentions that it’s available for Windows Insiders only, but that’s not the experience so far.

Experiencing users prevented from shutting down specific devices

After configuring the list with users that are allowed to shutdown the device, it’s time to look at the user experience. And there are many things that indicate the behavior and that the configuration is applied. That can be the actual applied configuration, as well as the experience of the user. Pieces of both are shown below in Figure 2. To start with the first, the applied configuration can be verified in the Local Security Policy by looking at Local Policies > User Rights Assignment . That includes the Shut down the system right (1) that includes the configured list of users and local groups that are allowed to shutdown the system. The applied configuration will make sure that the users cannot shutdown, or restart, the device. That can be verified by for example looking at the available power options for the users (2), or the ability to restart the device after the installation of updates (3). Besides that, even command actions will be prevented and give the user an access denied message.

Note : This configuration was successfully tested on the latest Windows Insiders builds and on Windows 11 version 23H2.

More information

For more information about preventing users from restarting Windows, refer to the following docs.

• Shut down the system – security policy setting – Windows Security | Microsoft Learn
• UserRights Policy CSP – Windows Client Management | Microsoft Learn

4 thoughts on “Preventing users from shutting down specific devices”

• Pingback: Microsoft Roadmap, messagecenter en blogs updates van 21-12-2023 - KbWorks
• Pingback: Intune Newsletter - 22nd December 2023 - Andrew Taylor

I don’t suppose you tested this on Win 11 22H2 as well did you by any chance? I’m not having much luck setting it yet, I’ve even tried using a SID rather than domain group name.

Before I dig too deeply I’m unsure if it’s the Windows Insider thing mentioned that isn’t working on 22H2 – but does on 23H2, or if it’s something else.

Hi Steve, I’ve successfully tested it on Windows 11 23H2 and Insider Builds. Regards, Peter

Leave a Comment Cancel reply

Notify me of follow-up comments by email.

Notify me of new posts by email.

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Contribute to the Windows forum! Click  HERE  to learn more  💡

March 14, 2024

Contribute to the Windows forum!

Click  HERE  to learn more  💡

Top Contributors in Windows 7: Bill Smithers  -  Canadian Tech  -  LemP   ✅

March 11, 2024

Top Contributors in Windows 7:

Bill Smithers  -  Canadian Tech  -  LemP   ✅

• Search the community and support articles
• Search Community member

Ask a new question

Is there a setting I can enable to prevent users from shutting down the computer?

How to prevent Shut Down

How do you set a computer or a user to prevent from shutting down the computer.? I got an account that has full admin and it's doing a Windows Backup, but the other user is allowed to force shut down since the other user is still log-in (locked). Is there a way to prevent a user not to shut down the computer if an other user is logged in? I know there's a settings where you can change the Start Menu, but it's not good enough. Alan

Report abuse

I would suggest you to follow these methods and check.

If you have Windows 7 Ultimate or Professional Editions follow Method 1, if you have Windows 7 Home Premium or lower editions go to Method 2.

Method 1: Change the group policy settings and see.

You can configure the policy setting that determines which users can shut down the local computer. Browse to the following location within the Group Policy Management Console (GPMC),

Click Start Button, Type gpedit.msc in the search field.

Browse to the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Shut Down the System

Double Click on Shut down the System , Select the user group you want to Disable and hit Remove > Apply > OK.

Simply restart your PC and log in from users account to check whether Disable and Remove Shutdown feature is working.

a.     We have to Disable and Remove Shutdown option using Registry Editor.   Open Registry Editor, go to following path: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

b.     Select Explorer in the left-hand pane, right click in the right-hand pane and select New >DWORD; then name it as NoClose.

c.     Double click on NoClose and change the Hex Value to 1; Click OK and Close Registry Editor.

d.     Restart, you will be able to Disable and Remove Shutdown in Windows 7 Home Premium or lower in this way.

Hope this helps!

6 people found this reply helpful

Was this reply helpful? Yes No

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

Thanks for your feedback.

Replies (3) 

Question info.

• Ease of access
• Norsk Bokmål
• Ελληνικά
• Русский
• עברית
• العربية
• ไทย
• 한국어
• 中文(简体)
• 中文(繁體)
• 日本語

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Prevent local admins from shutting down RDS server

One of the clients I manage runs an RDS environment on Windows Server 2008 R2 servers which users log onto to work. I need to prevent users allowing applications to restart these servers, the kicker is that they are all Local Admins (due to the requirements of the application that they run). What GP(s) would you recommend be applied to solve this? I currently have the following set:

Computer Config > Policy > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut down the system.

Only allowing Domain Admins to shut down the system, I believe this is only applying to local shutdowns, not remote.

• windows-server-2008-r2
• group-policy

• Stopping local shutdowns is not good practice to me, and that dang power button/cord is still there. You should allow someone local to shutdown/restart as a last resort at least...who knows the network card might blow, the switch fries itself –  gwillie Aug 19, 2015 at 8:21

2 Answers 2

Yes, this policy determines which users who are logged on locally to the computer can shut it down.

See description on the Explain tab:

You may also look at another policy in this location (i.e. under User Rights Assignment:) - Force shutdown from a remote system .

Administrators are members by default.

Removing Administrators from both policies - would disallow them to shutdown the RDS host, either locally or remotely.

• I had found this GP (the second) but one of the guys above me swore that all we needed was the current GP (the first). Thank you for confirming what I though (not sarcastic, still new to the IT field so wanted some backup before proceeding). –  Mickycampbell Aug 19, 2015 at 22:51

You can't effectively deny rights to local administrators, since regardless of what GPO you apply, they can always override it at least temporarily by editing the registry. They can also remove the computer from the domain.

In general, you shouldn't use or distribute the local administrator accounts in an environment requiring top-down administrative control such as this. The best policy is to keep those passwords within a database (or software designed for this purpose such as Hitachi ID Privileged Access Manager, which I used to work on); the passwords should only be used when necessary to re-establish the domain relationship or similar, and use of them should be auditable.

It's unfortunate that your application requires such access. You could consider determining what access it actually requires, and giving it that instead; most applications do not actually need administrator access.

If your only goal is to prevent inadvertent shutdowns, you can certainly set Local Security Policy/Local Policies/User Rights Assignment/Shut Down the System to exclude them, but be aware that this will not prevent a knowledgeable user from intentionally shutting it down. I believe this policy applies to RDP interactive sessions, but not to the shutdown command (which has an option to target a remote host); that is the domain of the Force shutdown from a remote system GPO option.

• 'Higher end' stuff like command line and registry edits I am not worried about (it may seem gung-ho but it is because I have to describe how to find a computer name to most of the people there so I can connect with our remote support software). I am mainly attempting to prevent inadvertent shutdowns, such has a prompt from MSE to restart the system. –  Mickycampbell Aug 19, 2015 at 22:40

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows-server-2008-r2 group-policy rds ..

• The Overflow Blog
• Will antitrust suits benefit developers?
• Are long context windows the end of RAG?
• Featured on Meta
• New Focus Styles & Updated Styling for Button Groups
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network

Hot Network Questions

• How to properly secure harden SSH in 2024?
• RStudio + LaTeX template: compilation error undefined control sequence -- how to debug this myself?
• Scene from The Hitchhiker's Guide to the Galaxy where Arthur fails to explain how Earth technology works
• Should there be consequences or penalty when such mistakes published?
• How to acknowledge "hints" in a math thesis?
• Implementing guard trace/ring in PCB design for opamp having high impedance input
• Child in a dystopian city who had to forage for food
• Feudali“zmie” or feudali“źmie”?
• Which episodes are the scenes depicting the "worst things Rick did to make sure someone else survived" from?
• What is the History, Context, and Implications of the Term "Moonspeak"?
• Current Rating in Common Mode Choke
• Problem compiling derivative of expression
• With the recent security issue with xz, what should we do before using Homebrew again?
• What shape should the PCB edge have for this USB connector?
• Reference for Teichmuller spaces of punctured surfaces
• Buck converter PCB design
• Video game from the film “Murder Story” (1989)
• Why are Group health insurance premiums smaller?
• Is there something in international law that you can't bomb the embassy of country X in country Y (to kill a HV target) if you're at war with both?
• Should I cut or detach a ground wire for a light fixture to remove it?
• HOA fees before my house is ready
• Flip counters in a grid so that they alternate in color
• What does "Funnies" refer to?
• Did Esau ever “break Jacob's yoke from his neck”? (Genesis 27:40)

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How to prevent remote users from shutting down/rebooting the Windows? [duplicate]

Is it there any way to prevent remote users from shutting down/rebooting the Windows.

• remote-desktop

Open secpol.msc from the Run menu to open "Local Security Policy", from there navigate to Security Settings -> Local Policies -> User Rights Assignment . In that subfolder find the option for Shut down the system and add the group named Console Logon to the list then remove the other groups from the list.

This will have the affect of only allowing people who can physically log on to the console session to be able to shutdown the computer.

Not the answer you're looking for? Browse other questions tagged windows remote-desktop shutdown .

• The Overflow Blog
• Will antitrust suits benefit developers?
• Are long context windows the end of RAG?
• Featured on Meta
• New Focus Styles & Updated Styling for Button Groups
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network
• Google Cloud will be Sponsoring Super User SE

Hot Network Questions

• Relationship between the squares of first n natural numbers and first n natural odd numbers.
• How exactly did the sailor survived getting sucked into an engine?
• What is the History, Context, and Implications of the Term "Moonspeak"?
• Behaviour of Functions in Sourced Scripts
• How to acknowledge "hints" in a math thesis?
• Feudali“zmie” or feudali“źmie”?
• How does one "ride on the brake beam"?
• Flip counters in a grid so that they alternate in color
• Child in a dystopian city who had to forage for food
• What were the most common software distribution formats for MacOS Classic?
• Should there be consequences or penalty when such mistakes published?
• How is this possible: a moon with A) large apparent size B) that spins C) spins in a 5:1 spin-orbit resonance?
• Recreate image with GraphicsGrid
• Buck converter PCB design
• Drawing a set partition
• Can the universe be unpredictable but still have only one possible history?
• How could March 30th 2024 be followed by the 1st?
• Why is the imperfect tense used here instead of the present tense?
• Circles crossing every cell of an 8x8 grid
• Implementation of Monte-Carlo Integration
• What's role of software verification in modern software engineering
• Issue expanding variable with multiple wildcards in bash shell script with mv / rename
• Add annotation to a table without changing the column width
• In The Martian, Mark keeps the largest potatoes for his food supply and replants the smaller ones. Doesn't this cultivate smaller potatoes?

Tim’s Tech Blurbs

Tim’s tech ramblings about Intune, Modern Management, Powershell and every thing else.

How to move Windows 10 User Rights Assignment to Endpoint Manager / Intune

Should you change the default user rights assignments in Windows 10? That’s the question. If you ask my college the AD expert, he will tell you to run away and don’t even think about changing the defaults. (He will back it up with some pretty funny stories as well about who someone did it and locked out a company and maybe even a ship)

If you ask the Security team, the answer is a yes. We should set them.

Let taks a look. We will start at my favourite site. The Windows 2004 security baseline. MS recommend quite a few setting to be applied. When we add another baseline from the Security team we end up with the table below.

First things first. Let’s check the CSP and see what we need to do. To note, you can user the nice name for the account. (i.e Administrators). But we have ever lanuguage under the sun. So we need a better way to define the accounts. Lets check the Well know SID Structures for what we need.

Lets start with the local administrator. When you check for the SID, be sure to look for the BUILTIN groups and not the domain Groups. Looking at the table the SID is S-1-5-32-544.

Now we check the local account and we get S-1-5-113.

So Lets set up a polcy. Lets open Endpoint Mananger.

Goto Devices -> Configuration Profiles. Select Add new.

Select “Windows 10 and Later” and Custom in the profile

Let’s enter in a Logical name. “Windows 10 User Rights Assignment” and select Save.

Lets Start with “Load and unload device drivers.” Select Add on the next Page. Enter in the name for the setting. I am preceding the name with URA (for User Rights Assignment). In the OMA-URI after in ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers The Data Type should be string. Andter in the desired SID for the setting. In this case it will be *S-1-5-32-544. (Add the * in before to distinguish its a SID) Pres Save.

Done. What’s next. Lets go “Access Credential Manager as a trusted caller”. According the baseline no one should have access to this. But how do we define it so no one can access it. Well don’t press save with a blank field. It will fail (I learn the hard way)

Add a new one and add in the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter in ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value as </>. If you leave it black you get an error when saving it. Its really annoying if you have added 20 on and then relies they have all failed.

Repeat until you have added them all in. Select Next, and then assign them to your test group. Sync your device, and reboot.

You should also do the testing on a test machine. Just in case you lock your self out.

How can you check the User rings assignments have worked? Lets ask Mark. He usually know these things.

Lets download AccessChk from here. https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk . It allows you to check various permissions fo r files register etc. We will use it with the -a to give us the Windows account right. Lets check SeSystemtimePrivilege or Change the System time. According to the baseline, only Admin and Local services should have this right. Lets run accesschk.exe -a SeSystemtimePrivilege

Great the values are as we expect. What about the checking all the permissions. Let’s run accesschk.exe -a * to show all the permissions.

Now all the rights look good. So lets plan to roll it out and hope we don’t become a funny storey for my college

Published by Tim Wood

Privacy overview.

• NIST 800-53
• Common Controls Hub

The Force shutdown from a remote system user right must only be assigned to the Administrators group.