I just found out the other day that even non-admin users are able to reboot/shutdown our Windows Server 2012 R2 terminal server. All they have to do is click the Windows flag in the lower left, then click the power button and all the regular power options are available to them!
How do I go about restricting that permission?
Use Group Policy.
Create and link a GPO to the OU where the RDSH computer accounts are.
Enable loopback policy processing in merge mode.
Configure the User Configuration setting in the image below.
By default, only administrators have the right to shut down (or reboot) a Windows server. If this is not the case on your server, it is likely that you have existing group policy that changes the default configuration.
Start by checking the local security policy, in case the setting was changed locally. Otherwise, you'll need to locate the GPO that is changing the "Shut down the system" setting and either correct it or add a new GPO to override it, perhaps only for these particular servers depending on your needs.
The relevant policy setting is called "Shut down the system" and can be found in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Shut down the system.
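To see who currently holds "Shut down the system" before hunting for the GPO, the following added example (not part of either answer) exports the effective user rights with `secedit` and resolves the SIDs. The function name `Get-UserRightHolder`, the temp file names and the sample lines are assumptions made for illustration; `SeShutdownPrivilege` is the internal name of this user right.

```powershell
# Added example (not from the answers above). Run in an elevated prompt.
function Get-UserRightHolder {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,    # lines of a secedit export
        [string] $Right = 'SeShutdownPrivilege'         # "Shut down the system"
    )
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }                          # right is assigned to nobody
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {                   # SIDs are exported as *S-1-...
            $sid = $entry.TrimStart('*')
            try {
                $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
            [pscustomobject]@{ Sid = $sid; Account = $name }
        } else {
            [pscustomobject]@{ Sid = $null; Account = $entry }   # exported by name
        }
    }
}

# Constructed sample: Administrators plus BUILTIN\Users holding the right
$sample = '[Privilege Rights]', 'SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545'
Get-UserRightHolder -InfLines $sample | Format-Table -AutoSize

# Live check: export the effective user rights and parse them
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$holders = @(Get-UserRightHolder -InfLines (Get-Content $cfg))
Remove-Item $cfg
$holders | Format-Table -AutoSize

# Holders other than BUILTIN\Administrators (S-1-5-32-544) to review
$holders | Where-Object { $_.Sid -ne 'S-1-5-32-544' } | Format-Table -AutoSize

# Computer-scope RSoP report: shows the winning GPO if one sets the right
gpresult /scope computer /h (Join-Path $env:TEMP 'rsop-computer.html') /f
```

If the report lists no GPO for the setting, the value comes from the local security policy, which is the first place the answer suggests checking.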