This is an easier solution:
If you want to allow only local users to run %windir%\system32\shutdown.exe -s -t 0
, grant the "SeRemoteShutdownPrivilege"SeRemoteShutdownPrivilege
to the group "INTERACTIVE"INTERACTIVE
. Only local users are members of this group.
How to do it: Run secpol.mscsecpol.msc
. Open Security Settings \ Local Policies \ User Rights AssignmentSecurity Settings \ Local Policies \ User Rights Assignment
. Double-click "Force shutdown from a remote system"Force shutdown from a remote system
in the right pane. Click "Add User or Group"Add User or Group
. Enter the name INTERACTIVEINTERACTIVE
in the text box and click "Check names"Check names
, then click OKOK
, and OKOK
again.
Source: http://blogs.msdn.com/aaron_margosis/archive/2006/01/27/518214.aspx