Windows Server

Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

By June 3, 2020No Comments

In this post we will look on how to manage non-admin user permissions to restart or shutdown of Windows computers or servers. By default, non-privileged users can restart or shutdown only desktop Windows versions, and cannot restart a Windows Server (shutdown and restart buttons are not available in the Start menu). Is it possible to allow a user without local administrator privileges to restart Windows Server? There is also an inverse task — how to prevent users from restarting a Windows 10 computer used as an information kiosk, a dispatcher console, etc.

Allow/Prevent Shutdown and Reboot Options for Windows Users via GPO

You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

Please note that the default restart/shutdown permissions for desktop Windows 10 and Windows Server editions are different.

Open the Local Group Policy Editor (gpedit.msc) and go to the section specified above. As you can see, the members of local groups AdministratorsUsers and Backup Operators have the permissions to shutdown/reboot a computer running Windows 10.

Shut down the system - allow user to shutdown/restart windows via gpo

On Windows Server 2019/2016/2012 R2/2012/2008 R2/2008 only Administrators or Backup Operators can shutdown or restart a server. It is reasonable and sound, since in most cases a non-admin user must not have the privileges to shutdown a remote server (even if it happens occasionally). Just imagine an RDSH server that is often shut down since users accidentally click on the “Shutdown” button in the Start menu…

However, there is no rule without exception. So if you want to allow a non-privileged user to restart your Windows Server, just add their accounts to this policy. You can also grant the permissions to start/stop/restart the services for non-admin users.

Or, vice versa, you want to prevent users of desktop Windows 10 editions from restarting the computer that fulfills some server function. In this case, just remove Users group from Shut down the system local policy.

In the same way you can prevent (or allow) shutdown/reboot for all computers in the specific OU of your Active Directory domain using the domain policy.

In the domain Group Policy editor (gpmc.msc), create a new policy Prevent_Shutdown, configure the parameters of your “Shut down the system” policy according to your requirements and assign it to the OU containing computers or servers.

Allow Remote Shutdown/Restart without Admin Permissions

You can also allow some users to restart your Windows Server remotely using the shutdown command without granting them local administrator privileges or the right to log on to your server using RDP.

To do it, add a user account to the Force shutdown from a remote system policy in the same GPO section (User Rights Assignment).

By default, only administrators can shutdown the server remotely. Add a user account to the policy.

gpo to allow remote windows restart: Force shutdown from a remote system

After that the user will get the SeRemoteShutdown privilege and will be able to restart the server remotely using this command:

shutdown -m \\rds-sh-01 -r -f -t 0

How to Remove Shutdown/Restart Options in Windows 10?

Also, there is a special policy that allows to remove the Shutdown, Restart and Hibernate options from the Start screen or Start menu. The policy is called Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands and is located in the following GPO section: User Configuration -> Administrative Templates -> Start Menu and Taskbar.

Group Policy: Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands - remove Options in Windows 10 Start Menu

After you enable this policy, a user will be able only to disconnect the current session. The Shutdown, Sleep and Restart buttons will become unavailable.

start menu

How to Find Out Who Restarted/Shutdown a Windows Server?

After you have granted a user the privileges to restart your servers, you may want to know who restarted a server: a user or one of the administrators.

To do it, use the Event Viewer (eventvwr.msc) log. Go to Windows Logs -> System and filter the log by the Event ID 1074.

filte events by 1074 restart event id

As you can see, there are the events of server restart in the log in the chronological order. The event description shows the restart time, the reason and the account that restarted the server.

Log Name:System
Source: User32
EventID: 1074
The process C:\Windows\system32\shutdown.exe (rds-sh-01) has initiated the restart of computer rds-sh-01 on behalf of user contoso.com\[email protected] for the following reason: No title for this reason could be found
Reason Code: 0x800000ff
Shutdown Type: restart
Comment:
EventID: 1074 The process C:\Windows\system32\shutdown.exe has initiated the restart of computer on behalf of user for the following reason: Reason Code: 0x800000ff Shutdown Type: restart

In the same way, you can get the information about latest Windows shutdown events. To do it, filter the logs by the Event ID 1076.

Leave a Reply