In this article we will look on how to manage non-admin user permissions to restart or shutdown of Windows computers or servers. By default, non-privileged users can restart or shutdown only desktop Windows versions, and cannot restart a Windows Server (shutdown and restart buttons are not available in the Start menu). Is it possible to allow a user without local administrator privileges to restart Windows Server? There is also an inverse task — how to prevent users from restarting a Windows 10 computer used as an information kiosk, a dispatcher console, etc.
Allow/Prevent Shutdown and Reboot Options for Windows Users via GPO
You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
Please note that the default restart/shutdown permissions for desktop Windows 10 and Windows Server editions are different.
Open the Local Group Policy Editor (gpedit.msc) and go to the section specified above. As you can see, the members of local groups Administrators, Users and Backup Operators have the permissions to shutdown/reboot a computer running Windows 10.
On Windows Server 2016/2012 R2 only Administrators or Backup Operators can shutdown or restart a server. It is reasonable and sound, since in most cases a non-admin user must not have the privileges to shutdown a remote server (even if it happens occasionally). Just imagine an RDSH server that is often shuts down since users accidentally click on the “Shutdown” button in the Start menu…
However, there is no rule without exception. So if you want to allow a non-privileged user to restart your Windows Server, just add their accounts to this policy.
Or, vice versa, you want to prevent users of desktop Windows 10 editions from restarting the computer that fulfills some server function. In this case, just remove Users group from Shut down the system local policy.
In the same way you can prevent (or allow) shutdown/reboot for all computers in the specific OU of your Active Directory domain using the domain policy.
In the domain Group Policy editor (gpmc.msc), create a new policy Prevent_Shutdown, configure the parameters of your “Shut down the system” policy according to your requirements and assign it to the OU containing computers or servers.
Allow Remote Shutdown/Restart without Admin Permissions
You can also allow some users to restart your Windows Server remotely using the shutdown command without granting them local administrator privileges or the right to log on to your server using RDP.
To do it, add a user account to the Force shutdown from a remote system policy in the same GPO section (User Rights Assignment).
By default, only administrators can shutdown the server remotely. Add a user account to the policy.
After that the user will get the SeRemoteShutdown privilege and will be able to restart the server remotely using this command:
shutdown -m \\hamb-rds01 -r -f -t 0
How to Remove Shutdown/Restart Options in Windows 10?
Also, there is a special policy that allows to remove the Shutdown, Restart and Hibernate options from the Start screen or Start menu. The policy is called Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands and is located in the following GPO section: User Configuration -> Administrative Templates -> Start Menu and Taskbar.
After you enable this policy, a user will be able only to disconnect the current session. The Shutdown, Sleep and Restart buttons will become unavailable.
How to Find Out Who Restarted/Shutdown a Windows Server?
After you have granted a user the privileges to restart your servers, you may want to know who restarted a server: a user or one of the administrators.
To do it, use the Event Viewer (eventvwr.msc) log. Go to Windows Logs -> System and filter the log by the Event ID 1074.
As you can see, there are the events of server restart in the log in the chronological order. The event description shows the restart time, the reason and the account that restarted the server.
Log Name:System Source: User32 EventID: 1074 The process C:\Windows\system32\shutdown.exe (BE-BAK01) has initiated the restart of computer BE-BAK01 on behalf of user corp\jsmith for the following reason: No title for this reason could be found Reason Code: 0x800000ff Shutdown Type: restart Comment:
In the same way, you can get the information about latest Windows shutdown events. To do it, filter the logs by the Event ID 1076.
2 comments
So sad that there’s no option to disable only shutdown. I have a need to allow user to restart their machines but not shutdown.
Me too!