Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, March 15, 2017 6:47 PM
Hello,
I have disabled access to the command prompt in GPO.
User Configuration/Administrative Templates/System, enabled "Prevent access to the command prompt"
However, users are still able to run command in the search button at the task bar.
What other settings need to be set in GPO to prevent users from running commands?
Thanks.
All replies (4)
Thursday, March 16, 2017 3:04 AM
Hi Annabelle Lee,
Is this a domain environment? What is present system version you are using?
I have tested that gpo on a Windows 10.14393.693 Enterprise machine. That gpo will block the command completely. Though I could search the cmd and open it, I will get a notification that the command has been disabled.
Please check the following registry key to verify whether the gpo has been applied to the machine.
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD (value "1")
Best regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, March 16, 2017 3:09 AM
Let me clarify my questions...
After the command prompt has been disabled in the GPO, when the user opens up command prompt, it will say "The command prompt has been disabled by your administrator"
However, if I click on the search button on the task bar and type in a command such as "gpupdate /force" as an example, the command will run.
The purpose of disabling the command prompt is so that users can't run any commands but it seems that you don't need the command prompt to run a command.
Are there other settings that can disable this behavior?
Friday, March 17, 2017 3:16 AM
Hi Annabelle Lee,
What is the exact purpose?
The reason why we could run "gpupdate" is that there is an application called "gpupdate.exe" in C:\Windows\System32. Disabling the command line didn't disable the "gpupdate.exe" application.
Best regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Sunday, August 11, 2019 11:39 PM
Just want to re-open this forum, also figuring out how to configure or disable this via GPO. Also to check if there's already a fix / solution on this.
The following GPO has been enabled to prevent running command prompt.
User Configuration>Policies>Administrative Templates>Start Menu and Taskbar>Remove Run menu from Start Menu
and
User Configuration>Policies>Administrative Templates>System>Prevent access to the command prompt
But when I run a command on the Start menu>Search bar i can run the following sample command and will open via command prompt but will eventually exits once run command ends (which prove that the policy is working will only execute one command).
gpupdate.exe
ping.exe
Is there a way to disable this in GPO? The purpose of this is to prevent user to run rundll32.exe via search bar. This disable our policy for proxy servers settings.
Thanks,