In this article, we’ll look at several ways to manage non-administrator user permissions to restart or shut down a Windows workstation or server. By default, non-privileged users can only reboot and shut down desktop versions of Windows, and cannot restart a Windows Server host (the Shutdown and Restart buttons are not available in the Start menu). Is it possible to allow a user to restart Windows Server without local administrator privileges? There is also a reverse task – how to prevent users from restarting a computer with Windows 10 or 11 that is used as an information kiosk, dispatch console, etc.
How to allow or prevent shutdown/reboot option in Windows via GPO?
You can set permissions to restart or shut down Windows shut down the system Parameters in GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down the operating system.
Please note that the default restart/shutdown permissions are different for Desktop edition Windows 10/11 and Windows Server edition.
Open the Local Group Policy Editor (gpedit.msc) and navigate to the section specified above. As you can see, members of local groups administrators, users And backup operators Allowed to shutdown/reboot running computers windows 10 or 11,
On Windows Server 2022/2019/2016In college administrators either backup operators You can shutdown or restart the server. This is reasonable, since in most cases a non-admin user should not have the privilege to shut down the server (even by mistake). Just imagine an RDS farm host that frequently shuts down because users accidentally click the “Shutdown” button in the Start Menu…
On Active Directory domain controllers, the rights to shut down Windows are delegated to:
- administrators
- backup operators
- server operators
- print operators
If the user does not have permissions to restart/shutdown the operating system, an error will appear when running the following command:
shutdown –r –t 0
Access is denied.(5)
If you want to allow a specific user (without administrator rights) to restart your Windows Server, you need to add their account to this policy and update the GPO settings on the computer.
ntrights +r SeShutdownPrivilege -u woshub\j.smith
To prevent a user from shutting down or restarting Windows:
ntrights -r SeShutdownPrivilege -u woshub\j.smith
Or, conversely, you can prevent users of workstations running desktop Windows 10/11 editions from restarting computers that perform some kind of server function. In this case, just remove users group by local policy shut down the system,
In the same way, you can prevent (or allow) shutdown/reboot operations for non-administrator users on all computers in a specific organizational unit (OU) of an Active Directory domain by using a domain GPO.
- create grpAllowRestartComputers Users group in AD that you want to grant permission to restart the computer. You can create a new group using the ADUC snap-in (
dsa.msc) or the New-ADGroup PowerShell cmdlet. add users to groups; - Open the Domain Group Policy Management Console (
gpmc.msc, Select the OU with the computers you want to apply the policy to and select Create a GPO in this domain and link it here,
- Set GPO name (gpoAllowReboot) and edit it;
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment;
- open the close option, enable the policy, and add your target group (
grpAllowRestartComputers) and built-inAdministratorsGroup;
- Update the GPO settings on the target computers and save the resulting GPO settings
rsop.mscSnap-in. Users in your group can now shutdown or reboot this host; - Options to shutdown and restart the operating system will appear in the user’s Start menu.
Allow remote shutdown/restart without admin permission
You can allow certain non-administrator users to restart your Windows Server remotely shutdown command without granting them local administrator privileges, permission to log on via Remote Desktop (RDP), or local logon permissions (if this sign-in method is not allowed)
To do this, add a user account Force shutdown from remote system Same GPO section in Group Policy Options (user rights assignment,
By default, only administrators can shut down/restart the server remotely. Add a user account to the policy.
ntrights +r SeRemoteShutdownPrivilege -u woshub\j.smith
After this the user will get serimote shutdown privileges and will be able to restart the server remotely using the command:
shutdown -m \\hamb-rds01 -r -f -t 0
or using the Restart-Computer PowerShell cmdlet:
Restart-Computer –ComputerName hamb-rds01 –Force
VERBOSE: Performing the operation "Enable the Remote shutdown access rights and restart the computer." on target ...
If WinRM (Windows Remote Management) is enabled on the remote computer, you can use WSman instead of WMI to connect:
Restart-Computer -ComputerName hamb-rds01 -Protocol WSMan
If the user does not have permission to connect to the WMI namespace, an error will appear:
Restart-Computer : Failed to restart the computer srv-rds1 with the following error message: The WS-Management servicecannot process the request. The WMI service returned an 'access denied' error. .
Disable (hide) the shutdown or restart option from Windows?
You can use Group Policy to hide the Shutdown, Restart, Sleep, and Hibernate options from the sign-in screen and Start menu. This GPO option is called Remove and prevent access to shutdown, restart, sleep, and hibernate commands and located under User Configuration -> Administrative Templates -> Start Menu and Taskbar
After you enable this policy, the user will only be able to disconnect from or use the current session logoff command. The Shutdown, Sleep, and Restart buttons will become unavailable.
You can use some Registry tweaks to hide only a specific item from the Power/Shutdown menu in Windows. For example, you want to hide only the “Shut down” option in the Start menu, but keep “Restart”.
- Open Registry Editor (
regedit.exe, - go for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown,
- replace Value option to 1,
- This will only hide the “Shut Down” option from the Windows Start Menu.
REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" /v "value" /t REG_DWORD /d 1 /f
or using powershell:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" -Name "value" -Value 1
In addition, you can hide other options in the Start menu and Windows sign-in screen:
- just hide restart Options in Windows:
REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart " /v "value" /t REG_DWORD /d 1 /f - to conceal hibernate Option from the Start menu in Windows: R
EG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate" /v "value" /t REG_DWORD /d 1 /f - to conceal Sleep From the Start Menu:
REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep" /v "value" /t REG_DWORD /d 1 /f - to disable completely power button and remove the “Shut down or sign out” option from the WinX menu:
REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton" /v "value" /t REG_DWORD /d 1 /f
If these settings do not work on your computer, check the same registry keys under HKLM\SOFTWARE\Microsoft\PolicyManager\Present\device\start\.
Please note that in Windows Server 2019/2022, after the restart permission is granted to the user, an error may appear:
You don’t have permission to shutdown or restart this computer.
In this case, you need to enable the UAC parameter “User Account Control: Run all administrators in administrator approval mode” in the GPO:
How to know who restarted/shutdown Windows Server?
If you have given permission for a non-administrator user to reboot the computer, you may want to know who restarted Windows Server: a user or one of the administrators.
use event viewereventvwr.msc) to find the shutdown log in Windows. go for windows logs , system and filter the current log by event id 1074,
As you can see, the server restart events are in the log in chronological order. Event details include the restart time, reason, and the user account that restarted the host.
Log Name:SystemSource: User32 EventID: 1074 The process C:\Windows\system32\shutdown.exe (BE-BAK01) has initiated the restart of computer MUN-BAK01 on behalf of user corp\jsmith for the following reason: No title for this reason could be foundReason Code: 0x800000ff Reason Code: 0x500ff Shutdown Type: restart Comment:
You can get information about recent windows shutdown events using the same event id 1076,
The process C:\Program Files\VMware\VMware Tools\vmtoolsd.exe (MUN-BAK1) has initiated the shutdown of computer MUN-BAK1 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown Reason Code: 0x80070000 Shutdown Type: shutdown Comment:
Use the following simple PowerShell script to list the last ten computer restart and shutdown events. This list contains the names of the users and processes from which the reboot was initiated.
Get-EventLog -LogName System |
where {$_.EventId -eq 1074} |select-object -first 10 |
ForEach-Object {
$rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode
if ($_.ReplacementStrings[4]) {
$rv.Date = $_.TimeGenerated
$rv.User = $_.ReplacementStrings[6]$rv.Process = $_.ReplacementStrings[0]$rv.Action = $_.ReplacementStrings[4]$rv.Reason = $_.ReplacementStrings[2]$rv
}
} | Select-Object Date, Action, Reason, User, Process |ft
Leave a Comment