How can I allow non-administrators to use shutdown.exe?

Question

As per the comments in the accepted answer to this question, I'm having issues running a scheduled task which calls shutdown.exe, even when the user is an administrator. I'm administrating someone else's machine using their main account, so I can't exactly change too much as they like things the way that they are.

What's really strange is that I can only make the task run if:

1. The user is an administrator.
2. They have defined a password.

For some strange reason unknown to me, not only does a user have to be an administrator, but they also must have a password on the account in order for the scheduled task to run. Otherwise, I get access denied errors and the task fails to run.

How can I make this work without having to force the user to define a password for their account?

Essentially, the remaining goal is to have the computer shut down (no matter who is or is not logged in) at 11pm every night.

I run into the following errors below when I try to set the task in the Scheduled Tasks program:

An error has occurred while attempting to set task account information.
The specific error is:
0x8007005: Access is denied.
You do not have permission to perform the requested operation.

For the record, here's my security policy, you can see that my user has the permission to force shutdown and manually shutdown the computer:

Answer 1

The simplest solution would be to configure said scheduled task to run under an Administrator account. You do not need to use the same account as the usually-logged-on user – simply provide different credentials when creating the task.

If you do not want "Administrator" to have a password, you could just create a dedicated account just for the scheduled task. (A limited User account will work as well, if you apply the fix below.)

---

The shutdown.exe program needs SeRemoteShutdownPrivilege to run, instead of the usual SeShutdownPrivilege – my guess is that it uses the same RPC for shutting down both local and remote machines. (This would explain the need for a password, too – by default, only console logins are exempt, which obviously does not include RPC.)

You can grant SeRemoteShutdownPrivilege through secpol.msc → Local Policies → User Rights Assignment, by editing the "Force shutdown from remote system" entry.

• You can create a dedicated account for the task and add it here (best choice).
• For interactive command-line usage by any user, you can add INTERACTIVE.
• For scheduled tasks by any user, add BATCH.

Answer 2

This is an easier solution:

If you want to allow only local users to run %windir%\system32\shutdown.exe -s -t 0, grant the SeRemoteShutdownPrivilege to the group INTERACTIVE. Only local users are members of this group.

How to do it: Run secpol.msc. Open Security Settings \ Local Policies \ User Rights Assignment. Double-click Force shutdown from a remote system in the right pane. Click Add User or Group. Enter the name INTERACTIVE in the text box and click Check names, then click OK, and OK again.

Source: http://blogs.msdn.com/aaron_margosis/archive/2006/01/27/518214.aspx

Answer 3

I see you are still trying to schedule a task on an admin account without a password.

I'm banking on the fact that the only other setting that has to do with blank passwords is the "Limit local account use of blank passwords to console logon only"

Try that setting. It's under Security options, just underneath user right assignments.

Answer 4

There are some restrictions on creating tasks for accounts with blank passwords.

You can create a task which will run shutdown.exe, but you will need to set the "Do not store password" option. This is on Windows 7 SP1, if you are using a different OS please let us know.

For Windows XP, use the command line AT tool:

at 23:00 /every:monday,tuesday,wednesday,thursday,friday,saturday,sunday shutdown /s