I faced an issue with a Non-Administrator user account that logs into a AD domain on my VirtualBox lab network – user can successfully login, however, the user cannot Shutdown/Restart their pc, the option is greyed out, only sign out is available.
Why is this the case? Is this the GPO default Domain Policy stopping a user from shutting down their machine? How could I change this to allow a regular user to shut down the PC?
Many thanks,
Greg
This is not by default for a domain user on a domain computer. You need to find what GPO is configuring this setting.
It could be: User Config > Policies > Admin Templates > Start Menu > Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate Commands
Run rsop.msc, and “gpresult /r” from CMD to start troubleshooting.
Paul
Hi Paul, Thanks for your reply. The issue was on my side. The client computer logging onto the domain was using Windows 2016 server OS (i created a regular domain user on my DC to allow logins). I know this wouldn’t be the typical setup but I used both Win Server 2016 to be both a server and another VM of Win Server 2016 to be a client (in virtualbox lab).
I did check those GPO settings on the DC and they were not configured.
I added a Windows 10 client onto the virtual network and there was no problem with the client restarting or shutting down once they had joined the domain.
I guess logging in as a client (on a Windows Server) into a Domain Controller - the option won’t be available to shutdown/restart unless I add the user to ‘Domain Admins’ group. By doing this, the user was able to see shutdown/restart options.
Thanks for your answer,
Greg
Ah - that definitely sheds more light on the situation. By default non-domain admin users can’t even log into a DC.
Have you considered using RSAT so the non domain admin doesn’t need to log in to the DC? Not sure if this fits your use case or not however. https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools
This can be useful if you delegate control of some AD objects to non-domain admin users but don’t want to grant them the Domain Admin group membership. Also useful for things like the DNS Admins group.