Blocking Command Prompt with Group Policy

[sebbywebby]

Hi,

I am trying to block access to command prompt on local Windows 7 Machines. When I block them using Group Policy Editor it also block the local admin account.

Anyway around this? I don't really want to disable and enable group policy everytime i need to user command prompt on the local admin account.

[glennda]

Hi,

I am trying to block access to command prompt on local Windows 7 Machines. When I block them using Group Policy Editor it also block the local admin account.

Anyway around this? I don't really want to disable and enable group policy everytime i need to user command prompt on the local admin account.

are you using the local security policy? or are you running it from the domain group policy?

[mcourtman]

Hi,

I'd block it using Group Policy but apply a filter so it doesn't apply to your admin account.

Matt

[nephilim]

disable the run and cmd command, then remove it from the start menu from the mandatory profile, then throw in the GPO that CMD can only be run by an administrator...job done. What we did here and works perfectly

[glennda]

are you using the local security policy? or are you running it from the domain group policy?

my response with this is that if you are running as a Domain GPO i would set it to a specific OU group (such as students/staff) but let admins run it etc. if you run it as a domain gpo it should not stop local admins having access to cmd as they domain gpos should not stop this as you are logging in locally

[burgemaster]

Does GP stop the creation of shortcuts to these???
If I remember you need to use "Software Respriction Policies" to stop them creating shortcuts to: cmd.exe, command.com, etc

[sebbywebby]

Hi,

Thanks you all for your replies.

I forgot to mention that the computers are not on a domain and so I will need to use local group policies.

[kili]

my response with this is that if you are running as a Domain GPO i would set it to a specific OU group (such as students/staff) but let admins run it etc. if you run it as a domain gpo it should not stop local admins having access to cmd as they domain gpos should not stop this as you are logging in locally

Yes I agree this is what we do . Create a specific GPO for your students this gives you much greater control over your GPO's We have 3 one for teachers one for students and one for office admin staff.

[maxvre]

Hi Sebby,
I haven't fully tested this but I believe it answers your question.
The Microsoft Management Console allows you to create separate local GPOs for the computer, administrator/s and non-administrator users.
Type mmc.exe in start/run and you can build a custom console. Go to File menu - add/remove snap-in. Scroll down the list that appears and select "Group Policy Object Editor". Click the ADD button. The default object is the local computer settings GPO that gets created. Select that and click FINISH to add it to the console. Now go and add group policy object editor again, this time click "BROWSE" and select the USERS tab. Now you can select "administrators" as the local GPO to be created. Click OK / Finish. Now do it again and this time select "non-administrators". Click OK / Finish. So now you have 3 local GPOs in the right window of your console.

You can double click these and create separate group policy settings for administrators, non-administrators and the computer.
Be sure to save your custom console in the administrative tools folder when logged in as an administrator.
You'll be doing all this logged in as an administrator anyway so just click File / Save As.

These local policies "should" be applied to the correct user groups upon local login.
The actual GPO objects are created in a hidden group policy folder in the system32 folder.

As I said you'll need to test this as I have seen it but never have had to use it as we use a domain/server set up instead of local policies.