Preventing command prompt access except by domain admin

1110 pts.
Tags:
command prompt
Command Prompt window
Domain Administration
Domain Administrator
Network security
Network Security Management
Network Security Policies
Can we prevent command prompt access on all servers except for when run by a domain administrator?

Answer Wiki

Thanks. We'll let you know when a new response is added.

Hi NewmanIT and everyone,

Since W2K3 you ca create a GPO to prevent CMD.exe run.
To do so, create a new/edit an existing one and go to:

user configuration / administrative templates / system
Enable <b>Don’t Run Specified Windows Applications</b>.
Click Show -> Add and type cmd.exe

Don’t forget to apply this GPO to the OU in which are the users you want to prevent cmd.exe access
After finishing, do a gpupdate /force in the client you want to test and verify that a regular user cannot execute cmd.exe.

HTH

Luís

Discuss This Question: 1  Reply

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Subhendu Sen
    Click Start > Run> gpdit.msc > user configuration > administrative templates > system > find prevent access to the command prompt > right click > properties > click enable > ok and reboot. Now activate only Administrator....Open command prompt and type as net user administrator /active:yes OR u can do it another way : Start > Type Control UserPasswords2, then click Advanced & again click Advanced, now select Users and select Administrator and uncheck the the box “Administrator is disabled” Now log out and login as Administrator NOTE: If u want to disable this for a specific user make the change in the registry. Login to the account u want to change and create the following registry entries: HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem DisableCMD dword 0x00000001 to disable command prompt and batch files or DisableCMD dword 0x00000002 to disable command prompt but not batch files Remember these are all related XP / 2003 / For Vista and 7, may change slightly. CAUTION: Before doing anything with registry, it is good practice to take registry backup for safety purpose from File > Export
    29,210 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following