How can I allow non-administrators to use shutdown.exe?

The simplest solution would be to configure said scheduled task to run under an Administrator account. You do not need to use the same account as the usually-logged-on user – simply provide different credentials when creating the task.

If you do not want "Administrator" to have a password, you could just create a dedicated account just for the scheduled task. (A limited User account will work as well, if you apply the fix below.)


The shutdown.exe program needs SeRemoteShutdownPrivilege to run, instead of the usual SeShutdownPrivilege – my guess is that it uses the same RPC for shutting down both local and remote machines. (This would explain the need for a password, too – by default, only console logins are exempt, which obviously does not include RPC.)

You can grant SeRemoteShutdownPrivilege through secpol.mscLocal PoliciesUser Rights Assignment, by editing the "Force shutdown from remote system" entry.

  • You can create a dedicated account for the task and add it here (best choice).
  • For interactive command-line usage by any user, you can add INTERACTIVE.
  • For scheduled tasks by any user, add BATCH.

I see you are still trying to schedule a task on an admin account without a password.

I'm banking on the fact that the only other setting that has to do with blank passwords is the "Limit local account use of blank passwords to console logon only"

Try that setting. It's under Security options, just underneath user right assignments.


This is an easier solution:

If you want to allow only local users to run %windir%\system32\shutdown.exe -s -t 0, grant the SeRemoteShutdownPrivilege to the group INTERACTIVE. Only local users are members of this group.

How to do it: Run secpol.msc. Open Security Settings \ Local Policies \ User Rights Assignment. Double-click Force shutdown from a remote system in the right pane. Click Add User or Group. Enter the name INTERACTIVE in the text box and click Check names, then click OK, and OK again.

Source: http://blogs.msdn.com/aaron_margosis/archive/2006/01/27/518214.aspx