2

Has something changed in Server 2019?

Under Server 2016 I was able to run this command in a non-elevated prompt:

shutdown /r /t 0

In Server 2019, however, when I attempt to do so I get:

Access is denied.(5)

The command works fine from an elevated prompt. I'm signed in as the same domain admin that I was under Server 2016 (same SID, same domain).

This Q&A asks a similar question, but the answer is proprietary.

Articles like this are readily available:

http://woshub.com/allow-prevent-non-admin-users-reboot-shutdown-windows/

...but I don't want to allow a non-admin user to run the commands. I'm the domain admin and I want that supreme power all to my itty-bitty self. I just don't want to have to wrangle with UAC in order to exercise it.

Under Server 2019, how can I successfully run this command from a non-elevated prompt as I did in Server 2016?

Improve this question

1 Answer 1

Reset to default
1

Windows Server 2016 by default had the following privileges for an Administrator:

  • Shut down the system
  • Remove computer from docking station
  • Change the time zone

But Server 2019 broke some of these permissions. To fix:

  • Run gpedit.msc
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assessments
  • For each of the above listed privileges, ensure that your user account, or Administrators, is included. (A subset of these permissions might be enough.)
  • Do gpupdate /force
  • Logoff and log back on, you should now be able to shutdown and restart.

You could also go the whole route and disable administrators being bothered with UAC.

This policy is named "Run all administrators in Admin Approval Mode" and is found at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > User Account Control. Change the default of "Enabled" to "Disabled".

Improve this answer
4
  • Hm, that's strange... the local Administrators group is already present in all three of those. Administrators, of course, includes the domain admin.
    – InteXX
    Commented Aug 24, 2021 at 21:32
  • It might be worth noting that I'm able to run shutdown /l without elevation. Maybe something changed within the executable.
    – InteXX
    Commented Aug 24, 2021 at 21:36
  • I disabled UAC for administrators, as you suggested, and it accomplishes my goal, but it leaves me with a nervous, unsettled feeling in my belly. It strikes me as throwing the baby out with the bath water. Maybe it's just my imagination.
    – InteXX
    Commented Aug 24, 2021 at 21:52
  • Now isn't that something! I added the domain admin directly to the Shut down the system permission, and it worked. I guess it doesn't spelunk the groups. Go figure.
    – InteXX
    Commented Aug 24, 2021 at 22:20

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .