How to disable shutdown -i via group policy

We've been having an issue where computers have been logged off or shutdown randomly. I thought it might be shutdown - i but command prompt is disabled. However, we figured out that a student was using visual pro to open command prompt then do a shutdown -i command to remotely mess with machines.

I see there's a way to disable remote shut off via the local security policy, but I haven't been able to locate it in gp.
Thanks for your help!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DonNetwork AdministratorCommented:
It's under  User Configuration > Administrative Templates > Start Menu & Taskbar > Remove And Prevent Access To Shut Down Command.
Try disabling access to the command prompt via Group Policy.

This is located under User Configuration\Administrative Templates\System

Does the student have any elevated privileges?
PapaSmurffAuthor Commented:
Dstewartjr - that will remove shutdown from the Start menu. I don't want the shutdown -i command to run.

Command Prompt is disabled via group policy. The students are apparently able to get into a visual pro command prompt and then run the: shutdown - i command

Students are pretty locked down.
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage


Another way to stop a user/student shutting down a machine remotely would be to amend the Security Policy (User Rights Assignment) via GPO to only enable certain people to shutdown machines.

Then when you have found the option double click on it and remove\user-name or user
PapaSmurffAuthor Commented:
Thanks Roshan Ejaz. Not familiar with how to set that up. Can you provide any helpful links?
Thanks again!
Hopefully this link can help you

If it doesn't help let me know and i will post a step by step on how to do it in my test lab.
PapaSmurffAuthor Commented:
Thanks again Roshan Ejaz.  I don't know where to start with that link.. Yeah a step by step would be great!
Log onto the Domain Controller as an administrator/Domain Admin > Open Group Policy Management Console > Ensure the machines which you don't want to be shut down are located within a different OU > Create a new policy and link it here > Open Computer Config > Windows Settings > Security Settings > User Rights Assignment > Select the option Shut Down the system > Activate this policy and then put in there who you want to allow the shut down the system right to.

Once applied restart the target PC, log on as a standard user to test and see if you can shutdown the machine.

I'm not sure about the log off option because I think that would be the minimal required. Lets cross that bridge when we come to it.
PapaSmurffAuthor Commented:
My apologies its been a crazy week. I'll try this and respond when I get a chance to test it out. Thanks a lot!
No problem :)
PapaSmurffAuthor Commented:
Hey Roshan,
 I attempted this this morning, however, I couldn't locate "user rights assignment" in gp. Also, is seems then students wouldn't be able to shutdown any machines. I would like to disable the remote shutdown feature.
the only way to disable remote shutdown would be to ensure they don't have access to shutdown machines, this is defined in the User Rights Assignments.

Below is a screenshot of my test lab with the policy highlighted.

Also this will ensure only certain people can shutdown the systems you apply the policy to.

User Rights Assignment

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PapaSmurffAuthor Commented:
Thanks Roshan. Unfortunately, I'm not going to block access for a local shutdown. Kinda surprised there isn't a remote shutdown option. Thanks again, Ron
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.