New User

For security reasons it’s wise to not work on an Administrator account during your daily work and/or entertainment. In the following steps will be explained how to create a new (limited) user which also has permission to shutdown the computer.

1. In the Start menu click Run and type control userpasswords2.
User Accounts Manager (more advanced via lusrmgmt.msc)

2. In the User Accounts window which comes up click Add, fill in the User name and optionally Full name and Description fields and click Next.
Add New User window

3. Fill in a password twice and click Next.
Enter password twice

4. In the ‘level of access’ screen choose Standard User to create a limited account to work with which is recommended from a security perspective, then click Finish to add the user!
Choose type of user account

Shutdown Permission

5. If you selected Standard User as level of access, you have to give non-Administrator users permission to shutdown the PC. To do this click Run in the menu Start, then type gpedit.msc and click OK. In the Local Group Policy Editor browse to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. In the right pane scroll to Shut down the system.
"Shut down the system" policy in the Group Policy Editor

6. Double click the Shut down the system policy and click Add User or Group.
Add User or Group

7. Enter INTERACTIVE to give all users which can login into the Windows Desktop permission to shut down. If you don’t want to allow all interactive users to shutdown the pc you can also enter the username of the user you want to give permission to shut down. After entering the group or username click OK twice to save the Shutdown policy change.
Allow INTERACTIVE or a user to shutdown the computer

Permission to burn CDs and DVDs

8. Now browse to Computer Configuration -> Administrative Templates -> System -> Removable Storage Access.
Removable Storage Access

9. Double click the CD and DVD: Deny write access policy, set it to Disabled and click OK.
CD and DVD: Deny write acces


Continue to configure Automatic Logon of a user or skip it and continue to remove password restrictions

1 Response

  1. Rick Chavez says:


    Just wanted to congratulate you on your guidelines to convert Windows 2008 R2 into a desktop machine for everyday use. I have gone trough most of them and I found them very useful.

    I also wanted to ask you if you have ran into a situation where you need to create a standard user for a windows 2008 R2 standalone/workstation machine and provide this std user the ability to create and manage other accounts without adding it to the Administrators or backup operators… GPO maybe ?

    Any comments will be greatly appreciated.
    Thank you

Leave a Reply

Select Language »