You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down an operating system.
Please note that the default restart/shutdown permissions differ between the desktop versions of Windows (10/11) and the Windows Server editions.
Open the Local Group Policy Editor (gpedit.msc) and navigate to the section specified above. As you can see, the members of local groups Administrators, Users and Backup Operators have the permissions to shutdown/reboot a computer running Windows 10 or 11.
On Windows Server 2022/2019/2016, only Administrators or Backup Operators can shut down or restart the server. This is reasonable, since in most cases a non-admin user must not have the privileges to shut down a server (even accidentally). Just imagine an RDS farm host that often shuts down because users accidentally click the “Shutdown” button in the Start menu…
On Active Directory domain controllers, the rights to shut down Windows are delegated to:
Administrators
Backup Operators
Server Operators
Print Operators
If the user does not have permissions to restart/shutdown the operating system, then an error will appear when running the following command:
shutdown -r -t 0
If you want to allow a specific user (without administrator rights) to restart your Windows Server, you need to add their account to this policy and update the GPO settings on the computer.
You can manually grant permissions to shut down the computer locally using the legacy ntrights tool from the Windows Server 2003 Resource Kit:
ntrights +r SeShutdownPrivilege -u woshub\j.smith
To prevent a user from shutting down or restarting Windows:
ntrights -r SeShutdownPrivilege -u woshub\j.smith
Or, vice versa, you can prevent users of workstations running a desktop Windows 10/11 edition from restarting a computer that performs some kind of server function. In this case, just remove the Users group from the local policy Shut down the system.
In the same way, you can prevent (or allow) shutdown/reboot operations for non-admin users on all computers in a specific Organizational Unit (OU) of an Active Directory domain using a domain GPO.
1. Create the grpAllowRestartComputers user group in AD for the users you want to grant the permissions to restart computers. You can create a new group using the ADUC snap-in (dsa.msc) or the New-ADGroup PowerShell cmdlet. Add users to the group;
2. Open the domain Group Policy Management Console (gpmc.msc). Select the OU with the computers you want to apply the policy to and select Create a GPO in this domain and Link it here;
3. Set the GPO name (gpoAllowReboot) and edit it;
4. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment;
5. Open the Shut down option, enable the policy, and add your target group (grpAllowRestartComputers) and the
6. Update the GPO settings on the target computers and check the resulting GPO settings with the rsop.msc snap-in. Users in your group can now shut down or reboot this host;
The options to shutdown and restart the operating system will appear in the user’s Start Menu.
You can also grant the permissions to start/stop/restart the services for non-admin users.
You can allow some non-admin users to restart your Windows Server remotely using the shutdown command without granting them local administrator privileges, permission to log on through Remote Desktop (RDP), or local logon permissions (if this sign-in method is not allowed).
To do it, add a user account to the Force shutdown from a remote system Group Policy option in the same GPO section (User Rights Assignment).
By default, only administrators can shutdown/restart the server remotely. Add a user account to the policy.
You can also grant the SeRemoteShutdownPrivilege using the ntrights command line tool:
ntrights +r SeRemoteShutdownPrivilege -u woshub\j.smith
After that, the user will get the SeRemoteShutdown privilege and will be able to restart the server remotely using the command:
shutdown -m \\hamb-rds01 -r -f -t 0
Or using the Restart-Computer PowerShell cmdlet:
Restart-Computer -ComputerName hamb-rds01 -Force
VERBOSE: Performing the operation "Enable the Remote shutdown access rights and restart the computer." on target ...
If WinRM (Windows Remote Management) is enabled on the remote computer, you can use WSMan instead of WMI to connect:
Restart-Computer -ComputerName hamb-rds01 -Protocol WSMan
If the user does not have permission to connect to the WMI namespace, an error will appear:
Restart-Computer : Failed to restart the computer srv-rds1 with the following error message: The WS-Management service cannot process the request. The WMI service returned an 'access denied' error. .
In addition, you can use Windows PowerShell Just Enough Administration (JEA) to allow a user to run only certain commands on a remote host.
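To verify which accounts actually hold the Shut down the system (SeShutdownPrivilege) and Force shutdown from a remote system (SeRemoteShutdownPrivilege) rights after the changes described above, you can export the effective User Rights Assignment with secedit and resolve the SIDs. This is an added example, not code from the original article; the function name Get-ShutdownRightHolder is hypothetical, and the script assumes an elevated PowerShell session on the computer being audited.

```powershell
# Added example: list the accounts that hold the local and remote shutdown rights.
# Assumption: run in an elevated session; Get-ShutdownRightHolder is a hypothetical name.
function Get-ShutdownRightHolder {
    param(
        [string[]]$Privilege = @('SeShutdownPrivilege', 'SeRemoteShutdownPrivilege')
    )

    # Export only the User Rights Assignment area of the local security policy
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
        throw "secedit export failed (exit code $LASTEXITCODE)"
    }

    try {
        foreach ($name in $Privilege) {
            # Lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
            $line = Select-String -Path $cfg -Pattern "^$name\s*=\s*(.*)$" | Select-Object -First 1
            if (-not $line) {
                [pscustomobject]@{ Privilege = $name; Account = '(not listed in export)'; Sid = $null }
                continue
            }
            foreach ($entry in ($line.Matches[0].Groups[1].Value -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $sid = $null
                $account = $entry          # entries without '*' are already account names
                if ($entry.StartsWith('*')) {
                    # SIDs are prefixed with '*'; resolve them to a readable name where possible
                    $sid = $entry.TrimStart('*')
                    try {
                        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch {
                        $account = '(unresolved SID)'
                    }
                }
                [pscustomobject]@{ Privilege = $name; Account = $account; Sid = $sid }
            }
        }
    } finally {
        Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    }
}

Get-ShutdownRightHolder | Sort-Object Privilege, Account | Format-Table -AutoSize
```

Unresolved SIDs in the output usually point to deleted accounts that still hold the right and are worth removing from the policy.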
You can use Group Policy to hide the Shutdown, Restart, Sleep and Hibernate options from the sign-in screen and Start Menu. This GPO option is called Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands and is located under User Configuration -> Administrative Templates -> Start Menu and Taskbar.
After you enable this policy, a user will be able only to disconnect the current session or use the logoff command. The Shutdown, Sleep and Restart buttons will become unavailable.
You can use some registry tweaks to hide only a specific item from the Power/Shutdown menu in Windows. For example, you want to hide only the “Shut down” option in the Start menu, but keep “Restart”.
1. Open the Registry Editor (regedit.exe);
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown;
3. Change the Value option to 1;
4. This will hide only the “Shut down” option from the Windows Start Menu.
You can set this registry option from the command prompt:
REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" /v "value" /t REG_DWORD /d 1 /f
Or using PowerShell:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" -Name "value" -Value 1
Also, you can hide other options in Start Menu and Windows sign-in screen:
Hide only the Restart option in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart" /v "value" /t REG_DWORD /d 1 /f
Hide Hibernate option from Start Menu in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate" /v "value" /t REG_DWORD /d 1 /f
Hide Sleep from Start Menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep" /v "value" /t REG_DWORD /d 1 /f
To completely disable the Power button and remove the “Shut down or sign out” option from WinX menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton" /v "value" /t REG_DWORD /d 1 /f
If these settings don’t work on your computer, check the similar registry keys under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Start\.
Please note that in Windows Server 2019/2022, after assigning restart permission to a user, an error may appear:
In this case, you need to enable the UAC parameter “User Account Control: Run all administrators in Admin Approval Mode” in the GPO:
If you have granted permission to reboot a computer for a non-admin user, you may want to know who restarted a Windows Server: a user or one of the administrators.
Use the Event Viewer (eventvwr.msc) to search for shutdown logs in Windows. Go to Windows Logs -> System and filter the current log by the Event ID 1074.
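The same Event ID 1074 search can be done from PowerShell, which makes it easier to see at a glance which account initiated each restart. This is an added example, not code from the original article; the function name Get-ShutdownInitiator is hypothetical, and the mapping of event property positions to fields (process, reason, shutdown type, comment, user) is an assumption about the 1074 event layout that you should confirm against the message text of an event on your system.

```powershell
# Added example: summarize who initiated recent restarts/shutdowns (System log, Event ID 1074).
# Assumption: Get-ShutdownInitiator is a hypothetical name; the caller can read the System log.
function Get-ShutdownInitiator {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )

    $filter = @{ LogName = 'System'; Id = 1074; StartTime = (Get-Date).AddDays(-$Days) }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events found" is a normal result; anything else (access denied, RPC) is reported
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Assumed property order for event 1074:
        # [0] process, [1] computer, [2] reason, [3] reason code,
        # [4] shutdown type, [5] comment, [6] user
        $p = $e.Properties
        if ($p.Count -lt 7) { continue }   # skip records that do not match the assumed layout
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $p[6].Value
            Action  = $p[4].Value
            Process = $p[0].Value
            Reason  = $p[2].Value
            Comment = $p[5].Value
        }
    }
}

# Most recent events first; group by user to see who restarts the host most often
Get-ShutdownInitiator -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
Get-ShutdownInitiator -Days 30 | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name
```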
You can also use the event filters in Event Viewer to view RDP connection logs.