User Rights Assignment Shutdown The Systems

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment


Determines which users logged on locally to the computer can shut down the operating system using the Shut Down command.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

The default groups that have this right on each platform are:

  • Workstations and Servers
    • Administrators
    • Backup Operators
    • Power Users
    • Users
  • Domain Controllers
    • Account Operators
    • Administrators
    • Backup Operators
    • Server Operators
    • Print Operators

You can't effectively deny rights to local administrators, since regardless of what GPO you apply, they can always override it at least temporarily by editing the registry. They can also remove the computer from the domain.

In general, you shouldn't use or distribute the local administrator accounts in an environment requiring top-down administrative control such as this. The best policy is to keep those passwords within a database (or software designed for this purpose such as Hitachi ID Privileged Access Manager, which I used to work on); the passwords should only be used when necessary to re-establish the domain relationship or similar, and use of them should be auditable.

It's unfortunate that your application requires such access. You could consider determining what access it actually requires, and giving it that instead; most applications do not actually need administrator access.

If your only goal is to prevent inadvertent shutdowns, you can certainly set to exclude them, but be aware that this will not prevent a knowledgeable user from intentionally shutting it down. I believe this policy applies to RDP interactive sessions, but not to the command (which has an option to target a remote host); that is the domain of the GPO option.
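Because local administrators can change this assignment, it is worth checking what a machine actually has rather than what the GPO intends. The following is an added example, not part of the original answer or the quoted documentation: it parses a `secedit` user-rights export and reports drift from the default holders listed above. It assumes the right appears in the export as `SeShutdownPrivilege` and that the built-in groups appear as their well-known SIDs; the function name and the domain SID in the sample are constructed for illustration.

```powershell
# Added example: audit who holds "Shut down the system" (SeShutdownPrivilege)
# in a secedit user-rights export, against the defaults listed on this page.

# Well-known SIDs of the built-in groups the page names.
$WellKnown = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}
# Default holders per platform, as listed on this page.
$Defaults = @{
    Member = 'Administrators', 'Backup Operators', 'Power Users', 'Users'
    DC     = 'Account Operators', 'Administrators', 'Backup Operators', 'Server Operators', 'Print Operators'
}

# Hypothetical helper: returns current holders plus additions/removals vs. the default.
function Compare-ShutdownRight {
    param([string[]]$InfLines, [ValidateSet('Member', 'DC')][string]$Platform)
    $line = $InfLines | Where-Object { $_ -match '^\s*SeShutdownPrivilege\s*=' } | Select-Object -First 1
    $holders = @()   # a missing line means no account holds the right
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ } |
            ForEach-Object { if ($WellKnown.ContainsKey($_)) { $WellKnown[$_] } else { $_ } })
    }
    [pscustomobject]@{
        Holders = $holders
        Added   = @($holders | Where-Object { $_ -notin $Defaults[$Platform] })
        Removed = @($Defaults[$Platform] | Where-Object { $_ -notin $holders })
    }
}

# Constructed sample export: Users removed, one made-up domain group SID added.
$sample = @(
    '[Privilege Rights]'
    'SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-21-1111111111-2222222222-3333333333-1105'
)
Compare-ShutdownRight -InfLines $sample -Platform Member | Format-List

# On a live host (elevated prompt), feed it a real export instead:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Compare-ShutdownRight -InfLines (Get-Content "$env:TEMP\rights.inf") -Platform Member
```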

