command prompt restriction policy won't work.

[Idontwantspam]

OK, it's another one of those I-want-to-restrict-people-but-it's-not-working things! Yipee!

So here's the deal. I want to prohibit a certain user from using the command prompt using a policy. I'm applying the policy to their HKCU. I go to HKCU\\Software\\Windows\\currentversion\\policies\\system and put in a dword value DisableCMD and change the value to 1. However, when that user opens command prompt, it still works. I could disable them from running cmd.exe, but they're smart enough to use something like command prompt portable or just copy cmd.exe and paste it in a different folder with a different name. So, any ideas why this isn't working? I know the restriction can be made because at school cmd is disabled. Unfortunately.

[Tripredacus]

You can restrict the Users group from opening it, and also have it hidden from the start menu. But you will be hard pressed to stop people from using other methods to opening a command prompt of another type. Let's start this way, what other methods would someone use to get a command prompt on the computer?

1. a USB or floppy drive

2. Download from the internet

For option one, is using an external drive or disk ever a necessity for the target machine? You could say, limit opening executables from drives that aren't the C drive, and do not allow people to save files to anywhere on the C drive but a certain folder. Then have it set that they cannot run executables from that folder.

You could also just rename cmd.exe, and put it into some folder where the users group does not have the ability to access. You could even ResHack to change its icon.

But it sounds like you are targetting a specific person, and not a possible action a group of people could do. I am sure a disciplinary action is necessary in this case!

[SmaugyGrrr]

I don't know much about policies aside from them only being a basic hinderance for technically-minded people, but.....

If you have an anti-virus and have the ability to have a custom definition, try including cmd.exe plus the various cygwin shells. I have no idea if this is actually possible with any AV available - it's just a thought

[Idontwantspam]

Well, you see, I know there's a lot of ways to get around it and run commands. I've spent a lot of time on the issue, actually, since school disables cmd prompt (and everything else, it seems). There is a group policy to "Disable Command Prompt," and at school, with this enabled, opening cmd.exe OR any number of other command window things, like command prompt portable, will result in a command window saying "Command Prompt has been disabled by your administrator. Press any key to continue..." and pressing any key will result in the window closing. I want to know if I can do that somehow.

[Idontwantspam]

Whoops!

I was stupidly putting the value in the wrong key. It belongs in HKCU\Software\Policies\Microsoft\System, I was putting it in HKCU\Software\Microsoft\Current Version\Policies\Microsoft\Windows\System.

Well, at least it works now!

Edited September 15, 2007 by Idontwantspam