Ok, so we already had an account assigned to the Credential Ring. It turns out, that's the first part of the answer. But the second part is that, the account - which doesn't have to be an administrator on the network - does have to be in the "Force shutdown from a remote system" section of the local computer policy. We had mistakenly not added this account to that section of the local computer policy. (We thought we had.) It's now done, and the policy - pushed out via AD GPO - is in place for all the desktops. As an additional, we made a security group in AD, and placed that group in the policy. That way, going forward, if we ever need to have a non-administrative account perform remote restarts, we only need to add them to that AD security group, without having to push the GPO out with any changes.