Solved

Disable the command prompt and regedit, mmc, ipconfig, ...

Posted on 2006-10-24
Last Modified: 2008-01-09
Hi experts,

I am installing 50 standalone PCs in a lab and I want to disable Run in the Start menu. But a user in power-user mode can go to windows\system32 to run the command prompt (cmd). I want to stop them from using the command prompt and not allow them to run these commands: regedit, mmc, ipconfig, ...! However, I want to use those commands in admin mode!
Any suggestions? Thanks!

Mike
Question by:mmccy
19 Comments
 
LVL 9

Expert Comment

by:olifarago
ID: 17794770
Will the machines be set up on a domain? If so, you can use the group policy "Disable the Command Prompt" in [User Configuration\Administrative Templates\System] to control it?

Will this help?

Oli
0
 
LVL 38

Expert Comment

by:younghv
ID: 17794840
If you're going to use an 'image' to stand up these 50, you can configure the first one to meet your standard, then clone the rest.

One manual way to do this is to modify the 'permissions' on each of those commands so that only the 'Administrator' Group has "Execute" permissions.

There may be some simpler tweaks up at Kelley's Korner - I'll look around and post back if I find any.


Vic
0
 
LVL 2

Expert Comment

by:Rob_991
ID: 17795316
Even if the machines are not on a domain, use the local policy

Start --> Run gpedit.msc

This is the local Group Policy for the machine..

Look in User Configuration and Administrative Templates... most of the stuff you want to stop should be in there... Anything else you want to do you can find by using a search engine for disable registry access "Group Policy" and this should point you in the right direction!

0

 
LVL 2

Expert Comment

by:Rob_991
ID: 17795359
Hmm just read your post again... You might want to read this first

http://support.microsoft.com/kb/307882

Might be worth it so that the Admin user keeps all his access!
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17796070
I have read that article, but never tried it to see if it truly works. Usually by default local policy affects all accounts on the machine. So what I always do is lock the systems down via registry mods for the current user (with the temp user as an admin for this process), then copy the registry over to the default user profile, and that way any new user gets the default profile with the reg hacks in place. Make sure you have already created the administrator profile though, which is usually created at first logon....
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17796073
Don't forget to remove the admin access when done. Then they are ready to image with your choice of tools....
0
 

Author Comment

by:mmccy
ID: 17796419
I agree with younghv's method!
And see if there are some other better methods!
Thanks!
0
 
LVL 38

Expert Comment

by:younghv
ID: 17796531
mmccy,
I've been looking at the various 'tweak' kinds of sites and can't yet find a way to automate the configuration you want.

Still looking,

Vic
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 500 total points
ID: 17796798
Here is another easy way to do it under the HKCU method..

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"DisallowRun"=dword:00000001

then....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
create string values for
"1"="ipconfig.exe"
"2"="cmd.exe"
"3"="mmc.exe"
"4"="compmgmt.msc"
"5"="etc.exe"
"6"="etc.exe"
"7"="etc.exe"
"8"="etc.exe"
"9"="etc.exe"
"10"="etc.exe"
"11"="etc.exe"
"12"="etc.exe"
"13"="etc.exe"
"14"="etc.exe"
"15"="etc.exe"
"16"="etc.exe"

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93501.mspx?mfr=true

0
 

Author Comment

by:mmccy
ID: 17796981
How about if I run these commands in the administrator account?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17797048
What I was thinking is creating the modifications and getting the user profiles ready for deployment, then copying that registry over to the default user profile; that way any users created thereafter will be locked down...
0
 
LVL 15

Expert Comment

by:Ryan_R
ID: 17800946
Here's a great way to do what you want. Go to www.freshdevices.com and get yourself FreshUI. It's a bit like GPO, but what you can do is set it up so that users can't run any programs called "cmd.exe" and so on, and you can password protect access to the program so that only password-bearers can change these settings. You can also export (and import) these settings to a file. So you could keep this file hidden on the HDD or on your USB and when you want full control just import your custom settings from the file, and then import the other settings when you're done. It's been a while since I used it (and it's always being updated with new features), but it may be that the settings are only applied to the user that's logged on (meaning you don't have to worry about importing/exporting settings if you log on as admin).

Hope this helps,

Ryan R
0
 
LVL 38

Expert Comment

by:younghv
ID: 17801888
johnb -
Can't you just modify the HK_Users ".default" (while logged in as local admin) to effect these changes on all subsequent users?

Vic
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17803145
Sure, I wouldn't see why not... The ntuser.dat from Default user is just a preference.
0
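
The DisallowRun list from the accepted solution, written into the default-user hive as discussed in the comments above so that profiles created afterwards inherit it. This is an added example, not code from any poster in the thread; the hive path, the mount name `LabDefault` and the helper `Invoke-Reg` are assumptions.

```powershell
# Added example, not code from the thread. Run from an elevated prompt.
param(
    # Assumption: Vista-or-later profile layout. On XP the hive is
    # "C:\Documents and Settings\Default User\NTUSER.DAT".
    [string]$HivePath = "$env:SystemDrive\Users\Default\NTUSER.DAT",
    # File names taken from the question; extend for your lab.
    [string[]]$Blocked = @('cmd.exe', 'regedit.exe', 'mmc.exe', 'ipconfig.exe')
)

$mount = 'HKU\LabDefault'   # temporary mount point, name is arbitrary
$key   = "$mount\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

function Invoke-Reg {
    # Hypothetical helper: run reg.exe and stop on the first failure.
    reg.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($args -join ' ') failed ($LASTEXITCODE)" }
}

if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }

# Mount the default-user hive under HKEY_USERS.
Invoke-Reg load $mount $HivePath
try {
    # Switch the policy on: Explorer\DisallowRun = 1 (DWORD).
    Invoke-Reg add $key /v DisallowRun /t REG_DWORD /d 1 /f

    # One numbered string value per blocked file name.
    # Existing values with higher numbers are left untouched.
    for ($i = 0; $i -lt $Blocked.Count; $i++) {
        Invoke-Reg add "$key\DisallowRun" /v ($i + 1) /t REG_SZ /d $Blocked[$i] /f
    }

    # Show what new profiles will inherit.
    reg.exe query "$key\DisallowRun"
}
finally {
    # Always unmount, otherwise the hive stays locked.
    reg.exe unload $mount | Out-Null
}
```

Profiles that already exist, including the administrator profile created beforehand, are not changed by this. DisallowRun is enforced only for programs started by Explorer, so the NTFS execute-permission approach suggested earlier in the thread is the control that restricts the binaries themselves.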
 
LVL 66

Expert Comment

by:johnb6767
ID: 17956432
I thought there were some very valid ideas in this thread.....

mmccy


Nothing worked for you?
0
 
LVL 38

Expert Comment

by:younghv
ID: 17956442
mmccy,
Come on back in here and let's finish this thing.

Vic
0
 
LVL 38

Expert Comment

by:younghv
ID: 17956536
johnb - I like the way you think.

Vic
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17956590
:)

Great minds think alike!!
0
