+ Post New Thread
Results 1 to 9 of 9
Windows 7 Thread, Blocking Command Prompt with Group Policy in Technical; Hi, I am trying to block access to command prompt on local Windows 7 Machines. When I block them using ...
  1. #1

    Join Date
    Nov 2010
    Location
    London
    Posts
    5
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Question Blocking Command Prompt with Group Policy

    Hi,

    I am trying to block access to command prompt on local Windows 7 Machines. When I block them using Group Policy Editor it also block the local admin account.

    Anyway around this? I don't really want to disable and enable group policy everytime i need to user command prompt on the local admin account.

  2. #2

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    351
    Quote Originally Posted by sebbywebby View Post
    Hi,

    I am trying to block access to command prompt on local Windows 7 Machines. When I block them using Group Policy Editor it also block the local admin account.

    Anyway around this? I don't really want to disable and enable group policy everytime i need to user command prompt on the local admin account.
    are you using the local security policy? or are you running it from the domain group policy?

  3. #3

    Join Date
    Dec 2010
    Location
    Chatteris, Cambridgeshire
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Hi,

    I'd block it using Group Policy but apply a filter so it doesn't apply to your admin account.

    Matt

  4. #4

    featured_spectre's Avatar
    Join Date
    Nov 2008
    Posts
    12,505
    Thank Post
    1,684
    Thanked 2,054 Times in 1,491 Posts
    Blog Entries
    2
    Rep Power
    464
    disable the run and cmd command, then remove it from the start menu from the mandatory profile, then throw in the GPO that CMD can only be run by an administrator...job done. What we did here and works perfectly

  5. #5

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    351
    Quote Originally Posted by glennda View Post
    are you using the local security policy? or are you running it from the domain group policy?
    my response with this is that if you are running as a Domain GPO i would set it to a specific OU group (such as students/staff) but let admins run it etc. if you run it as a domain gpo it should not stop local admins having access to cmd as they domain gpos should not stop this as you are logging in locally

  6. #6

    Join Date
    Aug 2007
    Posts
    851
    Thank Post
    106
    Thanked 66 Times in 47 Posts
    Rep Power
    27
    Does GP stop the creation of shortcuts to these???
    If I remember you need to use "Software Respriction Policies" to stop them creating shortcuts to: cmd.exe, command.com, etc

  7. #7

    Join Date
    Nov 2010
    Location
    London
    Posts
    5
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Hi,

    Thanks you all for your replies.

    I forgot to mention that the computers are not on a domain and so I will need to use local group policies.

  8. #8

    Join Date
    Jun 2010
    Posts
    198
    Thank Post
    9
    Thanked 25 Times in 24 Posts
    Rep Power
    22
    Quote Originally Posted by glennda View Post
    my response with this is that if you are running as a Domain GPO i would set it to a specific OU group (such as students/staff) but let admins run it etc. if you run it as a domain gpo it should not stop local admins having access to cmd as they domain gpos should not stop this as you are logging in locally
    Yes I agree this is what we do . Create a specific GPO for your students this gives you much greater control over your GPO's We have 3 one for teachers one for students and one for office admin staff.

  9. #9

    Join Date
    Aug 2009
    Posts
    5
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Hi Sebby,
    I haven't fully tested this but I believe it answers your question.
    The Microsoft Management Console allows you to create separate local GPOs for the computer, administrator/s and non-administrator users.
    Type mmc.exe in start/run and you can build a custom console. Go to File menu - add/remove snap-in. Scroll down the list that appears and select "Group Policy Object Editor". Click the ADD button. The default object is the local computer settings GPO that gets created. Select that and click FINISH to add it to the console. Now go and add group policy object editor again, this time click "BROWSE" and select the USERS tab. Now you can select "administrators" as the local GPO to be created. Click OK / Finish. Now do it again and this time select "non-administrators". Click OK / Finish. So now you have 3 local GPOs in the right window of your console.

    You can double click these and create separate group policy settings for administrators, non-administrators and the computer.
    Be sure to save your custom console in the administrative tools folder when logged in as an administrator.
    You'll be doing all this logged in as an administrator anyway so just click File / Save As.

    These local policies "should" be applied to the correct user groups upon local login.
    The actual GPO objects are created in a hidden group policy folder in the system32 folder.

    As I said you'll need to test this as I have seen it but never have had to use it as we use a domain/server set up instead of local policies.
    Last edited by maxvre; 6th December 2010 at 03:37 PM.



SHARE:
+ Post New Thread

Similar Threads

  1. Group Policy Blocking Flash
    By FN-GM in forum Windows Server 2008
    Replies: 8
    Last Post: 13th October 2009, 11:06 AM
  2. blocking .exes using group policy
    By Neville in forum Windows
    Replies: 2
    Last Post: 8th May 2009, 01:37 PM
  3. Copying Command prompt to clipboard
    By russdev in forum Windows
    Replies: 10
    Last Post: 21st April 2009, 08:39 AM
  4. Prevent Student Access To Command Prompt
    By DaveP in forum How do you do....it?
    Replies: 13
    Last Post: 21st March 2007, 12:37 PM
  5. Blocking Batch Files using Group Policy in Server 2003
    By markwilliamson2001 in forum Windows
    Replies: 13
    Last Post: 4th October 2005, 06:28 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •