This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Shut down the system - security policy setting
- 1 contributor
Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting.
This security setting determines if a user who is logged on locally to a device can shut down Windows.
Shutting down domain controllers makes them unable to do things like process sign-in requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles, which are also known as flexible single master operations or FSMO roles, can disable key domain functionality. For example, processing sign-in requests for new passwords, which are done by the primary domain controller (PDC) emulator master.
The Shut down the system user right is required to enable hibernation support, to set the power management settings, and to cancel a shutdown.
Constant: SeShutdownPrivilege
Possible values
- A user-defined list of accounts
- Not defined
Best practices
- Ensure that only Administrators and Backup Operators have the Shut down the system user right on member servers. And that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks won't be negatively affected.
- The ability to shut down domain controllers should be limited to a few trusted administrators. Even though a system shutdown requires the ability to sign in to the server, you should be careful about the accounts and groups that you allow to shut down a domain controller.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Default values
By default this setting is Administrators, Backup Operators, Server Operators, and Print Operators on domain controllers, and Administrators and Backup Operators on stand-alone servers.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
Policy management
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer isn't required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Group Policy
This user right doesn't have the same effect as Force shutdown from a remote system . For more information, see Force shutdown from a remote system .
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
- Local policy settings
- Site policy settings
- Domain policy settings
- OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
The ability to shut down domain controllers should be limited to a few trusted administrators. Although the Shut down the system user right requires the ability to sign in to the server, you should be careful about which accounts and groups you allow to shut down a domain controller.
When a domain controller is shut down, it can't process sign-in requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that have operations master roles, you can disable key domain functionality, such as processing sign-in requests for new passwords, which are performed by the PDC master.
For other server roles, especially roles where non-administrators have rights to sign in to the server, such as RD Session Host servers, it's critical that this user right be removed from users who don't have a legitimate reason to restart the servers.
Countermeasure
Make sure that only the Administrators and Backup Operators groups are assigned the Shut down the system user right on member servers. And make sure that only the Administrators group is assigned the user right on domain controllers.
Potential impact
The impact of removing these default groups from the Shut down the system user right could limit the delegated abilities of assigned roles in your environment. Confirm that delegated activities aren't adversely affected.
Related articles
- User Rights Assignment
Additional resources
Windows OS Hub / Windows 10 / Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows
Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows
How to allow or prevent shutdown/reboot options in windows via gpo, allow remote shutdown/restart without admin permissions, disable (hide) shutdown or restart options from windows, how to find out who restarted/shutdown a windows server.
You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down an operating system.
Please note that the default restart/shutdown permissions for desktop versions of Windows 10/11 and Windows Server editions are different.
Open the Local Group Policy Editor ( gpedit.msc ) and navigate to the section specified above. As you can see, the members of local groups Administrators , Users and Backup Operators have the permission to shutdown/reboot a computer running Windows 10 or 11 .
On Windows Server 2022/2019/2016 , only Administrators or Backup Operators can shut down or restart the server. It is reasonable, since in most cases a non-admin user must not have the privileges to shutdown a server (even accidentally). Just imagine an RDS farm host that is often shuts down since users accidentally click on the “Shutdown” button in the Start menu…
On Active Directory domain controllers, the rights to shut down Windows are delegated to:
- Administrators
- Backup Operators
- Server Operators
- Print Operators
If the user does not have permission to restart/shutdown the operating system, then an error will appear when running the following command:
shutdown –r –t 0
You can manually grant permissions to shut down the computer locally using the legacy ntrights tool from the Windows Server 2003 Resource Kit:
ntrights +r SeShutdownPrivilege -u woshub\j.smith
To prevent a user from shutting down or restarting Windows:
ntrights -r SeShutdownPrivilege -u woshub\j.smith
Or, vice versa, you can prevent users of workstations running the desktop Windows 10/11 edition from restarting the computer that performs some kind of server function. In this case, just remove Users group from the local policy Shut down the system .
In the same way, you can prevent (or allow) shutdown/reboot operations for non-admin users on all computers in a specific Organizational Unit (OU) of an Active Directory domain using a domain GPO.
- Create the grpAllowRestartComputers user group in AD, to whom you want to grant the permissions to restart computers. You can create a new group using the ADUC snap-in ( dsa.msc ) or the New-ADGroup PowerShell cmdlet. Add users to the group;
- Set the GPO name ( gpoAllowReboot ) and edit it;
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment;
- Update the GPO settings on the target computers and check the resulting GPO settings with the rsop.msc snap-in. Users in your group can now shut down or reboot this host;
To do it, add a user account to the Force shutdown from a remote system Group Policy option in the same GPO section ( User Rights Assignment ).
By default, only administrators can shutdown/restart the server remotely. Add a user account to the policy.
ntrights +r SeRemoteShutdownPrivilege -u woshub\j.smith
After that, the user will get the SeRemoteShutdown privilege and will be able to restart the server remotely using the command:
Or using the Restart-Computer PowerShell cmdlet:
Restart-Computer –ComputerName hamb-rds01 –Force
If WinRM (Windows Remote Management) is enabled on the remote computer, you can use WSman instead of WMI to connect:
Restart-Computer -ComputerName hamb-rds01 -Protocol WSMan
If the user does not have permission to connect to the WMI namespace, an error will appear:
You can use Group Policy to hide the Shutdown, Restart, Sleep and Hibernate options from the sign-in screen and Start Menu. This GPO option is called Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands and is located under User Configuration -> Administrative Templates -> Start Menu and Taskbar
After you enable this policy, a user will be able only to disconnect the current session or use the logoff command. The Shutdown, Sleep and Restart buttons will become unavailable.
You can use some registry tweaks to hide only a specific item from the Power/Shutdown menu in Windows. For example, you want to hide only the “Shut down” option in the Start menu, but keep “Restart”.
- Open the Registry Editor ( regedit.exe );
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown ;
REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" /v "value" /t REG_DWORD /d 1 /f
Or using PowerShell:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" -Name "value" -Value 1
Also, you can hide other options in the Start Menu and Windows sign-in screen:
- Hide only thr Restart option in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart " /v "value" /t REG_DWORD /d 1 /f
- Hide Hibernate option from Start Menu in Windows: R EG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate" /v "value" /t REG_DWORD /d 1 /f
- Hide Sleep from the Start Menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep" /v "value" /t REG_DWORD /d 1 /f
- To completely disable the Power button and remove the “Shut down or sign out” option from WinX menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton" /v "value" /t REG_DWORD /d 1 /f
Please note that in Windows Server 2019/2022, after assigning restart permission to a user, an error may appear:
In this case, you need to enable the UAC parameter “User Account Control: Run all administrators in Admin Approval Mode” in the GPO:
If you have granted permission to reboot a computer for a non-admin user, you may want to know who restarted a Windows Server : a user or one of the administrators.
Use the Event Viewer ( eventvwr.msc ) to search for shutdown logs in Windows. Go to Windows Logs -> System and filter the current log by the Event ID 1074 .
As you can see, there are server restart events in the log in chronological order. The event description includes the restart time, the reason, and the user account that restarted the host.
You can get information about recent Windows shutdown events using the same Event ID 1076 :
Use the following simple PowerShell script to list the last ten computer restart and shutdown events. This list contains the names of the users and processes from which the reboot was initiated.
Get-EventLog -LogName System | where {$_.EventId -eq 1074} |select-object -first 10 | ForEach-Object { $rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode if ($_.ReplacementStrings[4]) { $rv.Date = $_.TimeGenerated $rv.User = $_.ReplacementStrings[6] $rv.Process = $_.ReplacementStrings[0] $rv.Action = $_.ReplacementStrings[4] $rv.Reason = $_.ReplacementStrings[2] $rv } } | Select-Object Date, Action, Reason, User, Process |ft
Fix: Can’t Extend Volume in Windows
Fix: windows needs your current credentials pop-up message, related reading, how to enable and configure wake-on-lan (wol) in..., fix: your it administrator has limited access to..., fix: remote desktop (rdp) session freezes (disconnects) on..., how to create, delete, and manage system restore..., upgrading to windows 11 on unsupported hardware.
So sad that there’s no option to disable only shutdown. I have a need to allow user to restart their machines but not shutdown.
FYI you can hide shutdown from the start menu using HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown
Thanks, but even so an advanced user would know to turn it off using other ways.
Thank you MT.. this helped..
On Windows 11, this did work, however, a user who is blocked from restarting/shutting down in this way, can still press Control-Alt-Delete and has the restart/shutdown option in the lower right hand corner. Is there a way to remove that, too?
I just actually tried it from a “non-privileged” account. The good news is that although the options appear, they don’t actually work. 🙃
Leave a Comment Cancel Reply
Notify me of followup comments via e-mail. You can also subscribe without commenting.
Current ye@r *
Leave this field empty
WinSecWiki > Security Settings > Local Policies > User Rights
User Rights Assignments
Although in this section they are called user rights, these authority assignments are more commonly called privileges.
Privileges are computer level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups not to individual users. Each computer has its own user rights assignments. In particular this means you should be cognizant of rights assignments on member servers which may easily differ from the rights assignments you find on your domain controllers. To centrally control user rights assignments on computers throughout your domain use group policy.
- Logon rights
- Admin equivalent rights
- Tracking user rights with the security log
- User rights in-depth
- Access this computer from the network
- Act as part of the operating system
- Add workstations to domain
- Adjust memory quotas for a process
- Allow log on locally
- Allow logon through Terminal Services
- Back up files and directories
- Bypass traverse checking
- Change the system time
- Create a pagefile
- Create a token object
- Create global objects
- Create permanent shared objects
- Debug programs
- Deny access to this computer from the network
- Deny logon as a batch job
- Deny logon as a service
- Deny logon locally
- Deny logon through Terminal Services
- Enable computer and user accounts to be trusted for delegation
- Force shutdown from a remote system
- Generate security audits
- Impersonate a client after authentication
- Increase scheduling priority
- Load and unload device drivers
- Lock pages in memory
- Log on as a batch job
- Log on as a service
- Manage auditing and security log
- Modify firmware environment values
- Perform volume maintenance tasks
- Profile single process
- Profile system performance
- Remove computer from docking station
- Replace a process level token
- Restore files and directories
- Shut down the system
- Synchronize directory service data
- Take ownership of files and other objects
Child articles:
- Logon Rights
- Admin Equivalent Rights
- Tracking User Rights with the Security Log
- User Rights In-Depth
Back to top
All about Microsoft Intune
Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more
Preventing users from shutting down specific devices
This week is a short post about the ability to prevent users from shutting down, or restarting, specific devices. That is something already often used for specific servers, like domain controllers, to prevent users from shutting them down. There are, however, also good reasons why that might also be very useful and beneficial on specific devices. Think about devices that host critical business processes that can only be turned off, or restarted, during specific windows. For those devices the user right to shutdown that device, should only be provided to a few trusted users, or administrators. So, not just removing the shutdown, or restart, button, but actually removing the user right to perform a shutdown. Luckily, nowadays there is an easy method for configuring the list of users that are allowed to shutdown a specific Windows device. This post will provide some more details around that configuration, followed with the configuration steps. This post will end with showing the user experience.
Note : Keep in mind that this post is focussed on the local options on the Windows device.
Configuring preventing users from shutting down specific devices
When looking at preventing users from shutting down, or restarting, specific Windows devices, the UserRights section in the Policy CSP is the place to look. That section contains many of the different policy settings of the User Rights Assignment Local Policies , including the Shut Down The System ( ShutDownTheSystem ) policy setting. That policy setting can be used to configure the users that are allowed to locally shutdown, or restart, the device. The configuration of that policy setting is available via the Settings Catalog . The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to configure the local shutdown rights, by using the Shut Down The System policy setting.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create > New Policy
- On the Create a profile blade, provide the following information and click Create
- Platform : Select Windows 10 and later to create a profile for Windows 10 devices
- Profile : Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
- Name : Provide a name for the profile to distinguish it from other similar profiles
- Description : (Optional) Provide a description for the profile to further differentiate profiles
- Platform : (Greyed out) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next
- Select User Rights as category
- Select Shut Down The System as setting
- Specify the allowed users and local groups on separate lines (1)
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment for the specific devices and click Next
- On the Review + create page, verify the configuration and click Create
Note : The setting mentions that it’s available for Windows Insiders only, but that’s not the experience so far.
Experiencing users prevented from shutting down specific devices
After configuring the list with users that are allowed to shutdown the device, it’s time to look at the user experience. And there are many things that indicate the behavior and that the configuration is applied. That can be the actual applied configuration, as well as the experience of the user. Pieces of both are shown below in Figure 2. To start with the first, the applied configuration can be verified in the Local Security Policy by looking at Local Policies > User Rights Assignment . That includes the Shut down the system right (1) that includes the configured list of users and local groups that are allowed to shutdown the system. The applied configuration will make sure that the users cannot shutdown, or restart, the device. That can be verified by for example looking at the available power options for the users (2), or the ability to restart the device after the installation of updates (3). Besides that, even command actions will be prevented and give the user an access denied message.
Note : This configuration was successfully tested on the latest Windows Insiders builds and on Windows 11 version 23H2.
More information
For more information about preventing users from restarting Windows, refer to the following docs.
- Shut down the system – security policy setting – Windows Security | Microsoft Learn
- UserRights Policy CSP – Windows Client Management | Microsoft Learn
4 thoughts on “Preventing users from shutting down specific devices”
- Pingback: Microsoft Roadmap, messagecenter en blogs updates van 21-12-2023 - KbWorks
- Pingback: Intune Newsletter - 22nd December 2023 - Andrew Taylor
I don’t suppose you tested this on Win 11 22H2 as well did you by any chance? I’m not having much luck setting it yet, I’ve even tried using a SID rather than domain group name.
Before I dig too deeply I’m unsure if it’s the Windows Insider thing mentioned that isn’t working on 22H2 – but does on 23H2, or if it’s something else.
Hi Steve, I’ve successfully tested it on Windows 11 23H2 and Insider Builds. Regards, Peter
Leave a Comment Cancel reply
Notify me of follow-up comments by email.
Notify me of new posts by email.
This site uses Akismet to reduce spam. Learn how your comment data is processed .
Contribute to the Windows forum! Click HERE to learn more 💡
March 14, 2024
Contribute to the Windows forum!
Click HERE to learn more 💡
Top Contributors in Windows 7: Bill Smithers - Canadian Tech - LemP ✅
March 11, 2024
Top Contributors in Windows 7:
Bill Smithers - Canadian Tech - LemP ✅
- Search the community and support articles
- Search Community member
Ask a new question
Is there a setting I can enable to prevent users from shutting down the computer?
How to prevent Shut Down
How do you set a computer or a user to prevent from shutting down the computer.? I got an account that has full admin and it's doing a Windows Backup, but the other user is allowed to force shut down since the other user is still log-in (locked). Is there a way to prevent a user not to shut down the computer if an other user is logged in? I know there's a settings where you can change the Start Menu, but it's not good enough. Alan
Report abuse
I would suggest you to follow these methods and check.
If you have Windows 7 Ultimate or Professional Editions follow Method 1, if you have Windows 7 Home Premium or lower editions go to Method 2.
Method 1: Change the group policy settings and see.
You can configure the policy setting that determines which users can shut down the local computer. Browse to the following location within the Group Policy Management Console (GPMC),
Click Start Button, Type gpedit.msc in the search field.
Browse to the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Shut Down the System
Double Click on Shut down the System , Select the user group you want to Disable and hit Remove > Apply > OK.
Simply restart your PC and log in from users account to check whether Disable and Remove Shutdown feature is working.
a. We have to Disable and Remove Shutdown option using Registry Editor. Open Registry Editor, go to following path: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
b. Select Explorer in the left-hand pane, right click in the right-hand pane and select New >DWORD; then name it as NoClose.
c. Double click on NoClose and change the Hex Value to 1; Click OK and Close Registry Editor.
d. Restart, you will be able to Disable and Remove Shutdown in Windows 7 Home Premium or lower in this way.
Hope this helps!
6 people found this reply helpful
Was this reply helpful? Yes No
Sorry this didn't help.
Great! Thanks for your feedback.
How satisfied are you with this reply?
Thanks for your feedback, it helps us improve the site.
Thanks for your feedback.
Replies (3)
Question info.
- Ease of access
- Norsk Bokmål
- Ελληνικά
- Русский
- עברית
- العربية
- ไทย
- 한국어
- 中文(简体)
- 中文(繁體)
- 日本語
Stack Exchange Network
Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Prevent local admins from shutting down RDS server
One of the clients I manage runs an RDS environment on Windows Server 2008 R2 servers which users log onto to work. I need to prevent users allowing applications to restart these servers, the kicker is that they are all Local Admins (due to the requirements of the application that they run). What GP(s) would you recommend be applied to solve this? I currently have the following set:
Computer Config > Policy > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut down the system.
Only allowing Domain Admins to shut down the system, I believe this is only applying to local shutdowns, not remote.
- windows-server-2008-r2
- group-policy
- Stopping local shutdowns is not good practice to me, and that dang power button/cord is still there. You should allow someone local to shutdown/restart as a last resort at least...who knows the network card might blow, the switch fries itself – gwillie Aug 19, 2015 at 8:21
2 Answers 2
Yes, this policy determines which users who are logged on locally to the computer can shut it down.
See description on the Explain tab:
You may also look at another policy in this location (i.e. under User Rights Assignment:) - Force shutdown from a remote system .
Administrators are members by default.
Removing Administrators from both policies - would disallow them to shutdown the RDS host, either locally or remotely.
- I had found this GP (the second) but one of the guys above me swore that all we needed was the current GP (the first). Thank you for confirming what I though (not sarcastic, still new to the IT field so wanted some backup before proceeding). – Mickycampbell Aug 19, 2015 at 22:51
You can't effectively deny rights to local administrators, since regardless of what GPO you apply, they can always override it at least temporarily by editing the registry. They can also remove the computer from the domain.
In general, you shouldn't use or distribute the local administrator accounts in an environment requiring top-down administrative control such as this. The best policy is to keep those passwords within a database (or software designed for this purpose such as Hitachi ID Privileged Access Manager, which I used to work on); the passwords should only be used when necessary to re-establish the domain relationship or similar, and use of them should be auditable.
It's unfortunate that your application requires such access. You could consider determining what access it actually requires, and giving it that instead; most applications do not actually need administrator access.
If your only goal is to prevent inadvertent shutdowns, you can certainly set Local Security Policy/Local Policies/User Rights Assignment/Shut Down the System to exclude them, but be aware that this will not prevent a knowledgeable user from intentionally shutting it down. I believe this policy applies to RDP interactive sessions, but not to the shutdown command (which has an option to target a remote host); that is the domain of the Force shutdown from a remote system GPO option.
- 'Higher end' stuff like command line and registry edits I am not worried about (it may seem gung-ho but it is because I have to describe how to find a computer name to most of the people there so I can connect with our remote support software). I am mainly attempting to prevent inadvertent shutdowns, such has a prompt from MSE to restart the system. – Mickycampbell Aug 19, 2015 at 22:40
You must log in to answer this question.
Not the answer you're looking for browse other questions tagged windows-server-2008-r2 group-policy rds ..
- The Overflow Blog
- Will antitrust suits benefit developers?
- Are long context windows the end of RAG?
- Featured on Meta
- New Focus Styles & Updated Styling for Button Groups
- Upcoming initiatives on Stack Overflow and across the Stack Exchange network
Hot Network Questions
- How to properly secure harden SSH in 2024?
- RStudio + LaTeX template: compilation error undefined control sequence -- how to debug this myself?
- Scene from The Hitchhiker's Guide to the Galaxy where Arthur fails to explain how Earth technology works
- Should there be consequences or penalty when such mistakes published?
- How to acknowledge "hints" in a math thesis?
- Implementing guard trace/ring in PCB design for opamp having high impedance input
- Child in a dystopian city who had to forage for food
- Feudali“zmie” or feudali“źmie”?
- Which episodes are the scenes depicting the "worst things Rick did to make sure someone else survived" from?
- What is the History, Context, and Implications of the Term "Moonspeak"?
- Current Rating in Common Mode Choke
- Problem compiling derivative of expression
- With the recent security issue with xz, what should we do before using Homebrew again?
- What shape should the PCB edge have for this USB connector?
- Reference for Teichmuller spaces of punctured surfaces
- Buck converter PCB design
- Video game from the film “Murder Story” (1989)
- Why are Group health insurance premiums smaller?
- Is there something in international law that you can't bomb the embassy of country X in country Y (to kill a HV target) if you're at war with both?
- Should I cut or detach a ground wire for a light fixture to remove it?
- HOA fees before my house is ready
- Flip counters in a grid so that they alternate in color
- What does "Funnies" refer to?
- Did Esau ever “break Jacob's yoke from his neck”? (Genesis 27:40)
Stack Exchange Network
Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
How to prevent remote users from shutting down/rebooting the Windows? [duplicate]
Is it there any way to prevent remote users from shutting down/rebooting the Windows.
- remote-desktop
Open secpol.msc from the Run menu to open "Local Security Policy", from there navigate to Security Settings -> Local Policies -> User Rights Assignment . In that subfolder find the option for Shut down the system and add the group named Console Logon to the list then remove the other groups from the list.
This will have the affect of only allowing people who can physically log on to the console session to be able to shutdown the computer.
Not the answer you're looking for? Browse other questions tagged windows remote-desktop shutdown .
- The Overflow Blog
- Will antitrust suits benefit developers?
- Are long context windows the end of RAG?
- Featured on Meta
- New Focus Styles & Updated Styling for Button Groups
- Upcoming initiatives on Stack Overflow and across the Stack Exchange network
- Google Cloud will be Sponsoring Super User SE
Hot Network Questions
- Relationship between the squares of first n natural numbers and first n natural odd numbers.
- How exactly did the sailor survived getting sucked into an engine?
- What is the History, Context, and Implications of the Term "Moonspeak"?
- Behaviour of Functions in Sourced Scripts
- How to acknowledge "hints" in a math thesis?
- Feudali“zmie” or feudali“źmie”?
- How does one "ride on the brake beam"?
- Flip counters in a grid so that they alternate in color
- Child in a dystopian city who had to forage for food
- What were the most common software distribution formats for MacOS Classic?
- Should there be consequences or penalty when such mistakes published?
- How is this possible: a moon with A) large apparent size B) that spins C) spins in a 5:1 spin-orbit resonance?
- Recreate image with GraphicsGrid
- Buck converter PCB design
- Drawing a set partition
- Can the universe be unpredictable but still have only one possible history?
- How could March 30th 2024 be followed by the 1st?
- Why is the imperfect tense used here instead of the present tense?
- Circles crossing every cell of an 8x8 grid
- Implementation of Monte-Carlo Integration
- What's role of software verification in modern software engineering
- Issue expanding variable with multiple wildcards in bash shell script with mv / rename
- Add annotation to a table without changing the column width
- In The Martian, Mark keeps the largest potatoes for his food supply and replants the smaller ones. Doesn't this cultivate smaller potatoes?
Tim’s Tech Blurbs
Tim’s tech ramblings about Intune, Modern Management, Powershell and every thing else.
How to move Windows 10 User Rights Assignment to Endpoint Manager / Intune
Should you change the default user rights assignments in Windows 10? That’s the question. If you ask my college the AD expert, he will tell you to run away and don’t even think about changing the defaults. (He will back it up with some pretty funny stories as well about who someone did it and locked out a company and maybe even a ship)
If you ask the Security team, the answer is a yes. We should set them.
Let taks a look. We will start at my favourite site. The Windows 2004 security baseline. MS recommend quite a few setting to be applied. When we add another baseline from the Security team we end up with the table below.
First things first. Let’s check the CSP and see what we need to do. To note, you can user the nice name for the account. (i.e Administrators). But we have ever lanuguage under the sun. So we need a better way to define the accounts. Lets check the Well know SID Structures for what we need.
Lets start with the local administrator. When you check for the SID, be sure to look for the BUILTIN groups and not the domain Groups. Looking at the table the SID is S-1-5-32-544.
Now we check the local account and we get S-1-5-113.
So Lets set up a polcy. Lets open Endpoint Mananger.
Goto Devices -> Configuration Profiles. Select Add new.
Select “Windows 10 and Later” and Custom in the profile
Let’s enter in a Logical name. “Windows 10 User Rights Assignment” and select Save.
Lets Start with “Load and unload device drivers.” Select Add on the next Page. Enter in the name for the setting. I am preceding the name with URA (for User Rights Assignment). In the OMA-URI after in ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers The Data Type should be string. Andter in the desired SID for the setting. In this case it will be *S-1-5-32-544. (Add the * in before to distinguish its a SID) Pres Save.
Done. What’s next. Lets go “Access Credential Manager as a trusted caller”. According the baseline no one should have access to this. But how do we define it so no one can access it. Well don’t press save with a blank field. It will fail (I learn the hard way)
Add a new one and add in the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter in ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value as </>. If you leave it black you get an error when saving it. Its really annoying if you have added 20 on and then relies they have all failed.
Repeat until you have added them all in. Select Next, and then assign them to your test group. Sync your device, and reboot.
You should also do the testing on a test machine. Just in case you lock your self out.
How can you check the User rings assignments have worked? Lets ask Mark. He usually know these things.
Lets download AccessChk from here. https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk . It allows you to check various permissions fo r files register etc. We will use it with the -a to give us the Windows account right. Lets check SeSystemtimePrivilege or Change the System time. According to the baseline, only Admin and Local services should have this right. Lets run accesschk.exe -a SeSystemtimePrivilege
Great the values are as we expect. What about the checking all the permissions. Let’s run accesschk.exe -a * to show all the permissions.
Now all the rights look good. So lets plan to roll it out and hope we don’t become a funny storey for my college
Published by Tim Wood
Privacy overview.
- NIST 800-53
- Common Controls Hub
IMAGES
VIDEO
COMMENTS
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Group Policy. This user right doesn't have the same effect as Force shutdown from a remote system. For more information, see Force shutdown from a remote system.
How to Allow or Prevent Shutdown/Reboot Options in Windows via GPO. You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.This GPO option allows you to specify which locally logged-on users can shut down an ...
1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...
1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Shut down the system policy in the right pane. (see screenshot below) 3.
How to do it: Run secpol.msc. Open Security Settings \ Local Policies \ User Rights Assignment. Double-click Force shutdown from a remote system in the right pane. Click Add User or Group. Enter the name INTERACTIVE in the text box and click Check names, then click OK, and OK again.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut Down the System. Double click on it > Select Users > Press Remove > Apply/OK.
User Rights Assignment; Shut down the system. The Explaination of the privilege: Shut down the system. This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.
a) Open Local Security Policy. b)Expand Local Policies. c) Select User Rights Assignment>Right Pane of User Rights Assignment. d) Double Click on Shut down the system. e) Now select User (s) and /or group (s) that you don't want to be allowed to shut down the computer. KI.
How to add a user group in the "Shut down the system" group policy in Windows Server by CMD or PowerShell. ... SecurityPolicyDsc PSGallery This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments 1.3.2 Indented.SecurityPolicy PSGallery Security management functions and resources 0.0.12 ...
Although in this section they are called user rights, these authority assignments are more commonly called privileges. Privileges are computer level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups not to individual users. Each computer has its own user rights assignments.
Select User Rights as category; Select Shut Down The System as setting; Specify the allowed users and local groups on separate lines (1) Figure 1: Overview of the configuration settings. On the Scope tags page, configure the required scope tags and click Next; On the Assignments page, configure the assignment for the specific devices and click Next
Click Start Button, Type gpedit.msc in the search field. Browse to the following location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Shut Down the System. Double Click on Shut down the System, Select the user group you want to Disable and hit Remove > Apply > OK.
Hi Everyone, I've applied the following GPO: Computer Configuration/Windows Settings/Security Settings/User Rights Assignment/Shut down the system. The purpose was to prevent people from shutting down the computers. I added domain users that were allowed to shutdown the machines. These users can shutdown the machines locally but they need to be able to shut down the machine remotely. On top ...
I currently have the following set: Computer Config > Policy > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut down the system. Only allowing Domain Admins to shut down the system, I believe this is only applying to local shutdowns, not remote. windows-server-2008-r2. group-policy. rds.
3. Open secpol.msc from the Run menu to open "Local Security Policy", from there navigate to Security Settings -> Local Policies -> User Rights Assignment. In that subfolder find the option for Shut down the system and add the group named Console Logon to the list then remove the other groups from the list.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment/Force shutdown from a remote system To forcefully apply the domain group policy settings on the client system, execute the command 'gpupdate /force' on an elevated command prompt and restart the client system. Then check the client's group ...
Goto Devices -> Configuration Profiles. Select Add new. Select "Windows 10 and Later" and Custom in the profile. Let's enter in a Logical name. "Windows 10 User Rights Assignment" and select Save. Lets Start with "Load and unload device drivers.". Select Add on the next Page. Enter in the name for the setting.
Fix Text (F-69811r1_fix) Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to only include the following groups or accounts: