Prevent remote users from shutting down/rebooting the XP/VS Terminal Server
This FAQ describes how to prevent users from shutting down or restarting your server where XP/VS Server is installed.
Basically there are two possibilities to distinguish:
- Hiding the entries “Shut down” and “Restart” in the Start Menu:
If shutdown/restart/suspend/hibernate options are missing in the menu, this does not mean that a normal user does not have the privilege to shut down the machine.The user still ca shut down the computer by using e.g. the shutdown command from command line.
- Open the Local Group Policy Editor: Start -> Run -> Enter gpedit.msc
- Move to User Configuration/ Administrative Templates/ Start Menu and Taskbar
- Enable “Remove and Prevent access to the Shut Down from Start Menu”
- Removing the user’s shutdown-privilege
This is the right and effective way to solve that issue.
Removing the user’s shutdown-privilege
For the following operating systems (except “Home” Editions)
- Windows XP / Vista
- Windows 7, 8, 8.1, 10,11
- Windows Server 2003 (SBS), 2008 (R2), 2012 (R2), 2016, 2019,2022
Log in with administrative rights: Start -> Run -> Enter: secpol.msc (Security Policy Editor).
Move to Local Policy/ User Right Assignment and on the right pane open “Shut down the system”.
This security setting determines which user (who is logged in remotely) has the privilege to shut down the operating system.
Default settings for servers (where XP/VS Server is installed): Administrators and Backup Operators
Removing the user’s shutdown-privilege on Windows Home-Editions
Local Security Policy Editor is not included in Windows Home Edition, like Windows XP Home, Vista Home and Windows 7 Home.
The privilege to shut down the computer is called “SeShutdownPrivilege”. Configuring this privilege is more complicated in Windows Home Editions, because Security Policy Editor is not available.
But there is a solution to modify those settings, but two command line programs are required:
- Microsoft´s accesschk.exe
This program displays the current privileges of users or groups.Download here: http://download.sysinternals.com/Files/accesschk.zip
Information page: http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
After downloading copy accesschk.exe from the zip to your windows\system32 directory!Open a command prompt (as Administrator !) and enter the command
- accesschk -a UserOrGroupName *
accesschk -a Users *
- If the privilege should be removed, a program called “ntrights.exe” from the Windows Resource Kit is required.
Download the Windows Resources Kit here: http://www.microsoft.com/downloads/en/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
After successful installation, please copy ntrights.exe (from e.g. C:\Program Files (x86)\Windows Resource Kits\Tools) to C:\Windows\System32 and uninstall Resource Kit afterwards.
Start the command prompt (“Run as Administrator”) and enter the command:
ntrights -u UserOrGroupName -r PrivilegeName
to revoke the privilege from a single user or group:
To verify that the privilege has been revoked use the command:
accesschk -a Users *
“SeShutdownPrivilege” is not listed anymore!