NTRIGHTS.EXE came with the NT Resource Kit. With it, you
can set a number of local security policy settings. AD
made a lot of that redundant.
SeShutdownPrivilege is one that removes or grants the
option to shut the system down to local users and/or
groups. Removing it means a user can only log out, but
the machine can still be shut down from the login screen.
By controlling this from AD, I can remove or grant the
privilege just by moving machines between OUs.

Ah, you're looking for the user rights assignment! You can edit that in the
group policy editor (Start/Run: GPEDIT.MSC [ENTER])
Expand Computer Configuration, Windows Settings, Security Settings, Local
Policies.
"Shutdown the System" is one of the options under User Rights Assignment
(towards the bottom) - just add whatever users you want to it.
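
To confirm what a machine actually ended up with once policy has applied, the assignment discussed above can be read back from the local security database. This is an added example, not part of the original thread; the function name Get-UserRightHolders is hypothetical, and it assumes an elevated PowerShell session with secedit.exe available.

```powershell
# Added example: list the accounts that hold a user right on this machine.
# Run elevated; secedit needs administrative rights to export the policy.
function Get-UserRightHolders {   # hypothetical helper name
    param(
        [string]$Right = 'SeShutdownPrivilege'   # constant name of the user right
    )

    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user rights area of the effective local policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

        # Lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match "^\s*$([regex]::Escape($Right))\s*=" } |
            Select-Object -First 1
        if (-not $line) { return }   # right is not assigned to anyone

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; resolve them where possible.
                $sid = $entry.Substring(1)
                try {
                    $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $name = $id.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = '(unresolved)'   # deleted account or unreachable domain
                }
                [pscustomobject]@{ Right = $Right; Sid = $sid; Account = $name }
            } else {
                # Some entries are written as plain account names.
                [pscustomobject]@{ Right = $Right; Sid = $null; Account = $entry }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-UserRightHolders -Right 'SeShutdownPrivilege' | Format-Table -AutoSize
```

Running it on a machine before and after moving it between OUs (followed by a policy refresh) shows whether the GPO linked to the new OU changed the assignment.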