I am trying to block access to command prompt on local Windows 7 Machines. When I block them using Group Policy Editor it also block the local admin account.
Anyway around this? I don't really want to disable and enable group policy everytime i need to user command prompt on the local admin account.
I'd block it using Group Policy but apply a filter so it doesn't apply to your admin account.
disable the run and cmd command, then remove it from the start menu from the mandatory profile, then throw in the GPO that CMD can only be run by an administrator...job done. What we did here and works perfectly
Does GP stop the creation of shortcuts to these???
If I remember you need to use "Software Respriction Policies" to stop them creating shortcuts to: cmd.exe, command.com, etc
Thanks you all for your replies.
I forgot to mention that the computers are not on a domain and so I will need to use local group policies.
I haven't fully tested this but I believe it answers your question.
The Microsoft Management Console allows you to create separate local GPOs for the computer, administrator/s and non-administrator users.
Type mmc.exe in start/run and you can build a custom console. Go to File menu - add/remove snap-in. Scroll down the list that appears and select "Group Policy Object Editor". Click the ADD button. The default object is the local computer settings GPO that gets created. Select that and click FINISH to add it to the console. Now go and add group policy object editor again, this time click "BROWSE" and select the USERS tab. Now you can select "administrators" as the local GPO to be created. Click OK / Finish. Now do it again and this time select "non-administrators". Click OK / Finish. So now you have 3 local GPOs in the right window of your console.
You can double click these and create separate group policy settings for administrators, non-administrators and the computer.
Be sure to save your custom console in the administrative tools folder when logged in as an administrator.
You'll be doing all this logged in as an administrator anyway so just click File / Save As.
These local policies "should" be applied to the correct user groups upon local login.
The actual GPO objects are created in a hidden group policy folder in the system32 folder.
As I said you'll need to test this as I have seen it but never have had to use it as we use a domain/server set up instead of local policies.
Last edited by maxvre; 6th December 2010 at 03:37 PM.
There are currently 1 users browsing this thread. (0 members and 1 guests)