disable the command prompt and regedit, mmc, ipconfig, .............

Hi experts,

I am installing standalone 50 pcs in a lab and I want to disable the run in the startmenu. but the user in poweruser mode can go to the windows\system32 to run the command prompt (cmd). I want to disable them to use the command prompt and not allow them to run these commands:  regedit, mmc, ipconfig,.............................!! However I want to those commands in admin mode !
any suggestions ? Thanks !

Mike
mmccyAsked:
Who is Participating?
 
johnb6767Connect With a Mentor Commented:
Here is another easy way to do it under the HKCU method..

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"DisallowRun"=dword:00000001

then....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
create string vlaues for
"1"="ipconfig.exe"
"2"="cmd.exe.exe"
"3"="mmc.exe.exe"
"4"="compmgmt.msc.exe"
"5"="etc.exe"
"6"="etc.exe"
"7"="etc.exe"
"8"="etc.exe"
"9"="etc.exe"
"10"="etc.exe"
"11"="etc.exe"
"12"="etc.exe"
"13"="etc.exe"
"14"="etc.exe"
"15"="etc.exe"
"16"="etc.exe"

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93501.mspx?mfr=true

0
 
olifaragoCommented:
Will the machines be setup on a domain? If so you can use the group policy "Disable the Command Prompt" in [User Configuration\Administrative Templates\System] to control it?

Will this help?

Oli
0
 
younghvCommented:
If you're going to use an 'image' to stand up these 50, you can configure the first one to meet your standard, then clone the rest.

One manual way to do this is to modify the 'permissions' on each of those commands so that only the 'Administrator' Group has "Execute" permissions.

There may be some simpler tweaks up at Kelley's Korner - I'll look around and post back if I find any.


Vic
0
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

 
Rob_991Commented:
Even if the machines are not on a domain, Use the local Policy

Start --> Run gpedit.msc

This is the local Group Policy for the machine..

Look in User configuartion and Administrative Templates... most of the stuff you want to stop should be in there... Anything else you want to do you can find by using a search engine for disable registry access "Group Policy" and this should point you in the right direction!

0
 
Rob_991Commented:
Hmm just read your post again... You might want to read this first

http://support.microsoft.com/kb/307882

Might be worth it so that the Admin user keeps all his access!
0
 
johnb6767Commented:
I have read that article, but never tried it to see if it truly works. Usually by default local policy affects all accounts on the machine. So what I always do, is to lock the systems down via registry mods for the current user (with the temp user as an admin for this process), copy the registry over to the default user profile, and that way any new user gets the default profile with teh reg hacks in place. Make sure you have already created the administrator profile though, which is usually created at first logon....
0
 
johnb6767Commented:
Dont forget to remove the admin access when done. Then they are ready to image with your choice of tools....
0
 
mmccyAuthor Commented:
I agree with younghv's method !
and see if there are some other better methods !!
Thanks !
0
 
younghvCommented:
mmccy,
I've been looking at the various 'tweak' kinds of sites and can't yet find a way to automate the configuration you want.

Still looking,

Vic
0
 
mmccyAuthor Commented:
how about if I run these commands in administrator account ?
0
 
johnb6767Commented:
What I was thinking, is creating the modifications and gettign the user profiles ready for deployment, and copy that registry over to teh default user profile, that way any users created thereafter will be locked down...
0
 
Ryan_RIT Systems AdministratorCommented:
Here's a great way to do what you want. Go to www.freshdevices.com and get yourself FreshUI.  It's a bit like GPO, but what you can do is set it up so that users can't run any programs called "cmd.exe" and so on, and you can password protect access to the program so that only password-bearers can change these settings. You can also export (and import) these settings to a file. So you could keep this file hidden on the HDD or on your USB and when you want full control just import your custom settings from the file, and then import the other settings when you're done. It's been a while since i used it (and it's always being updated with new features), but it may be that the settings are only applied to the user that's logged on (meaning you don't have to worry about importig/exporting settings if you log on as admin).

Hope this helps,

Ryan R
0
 
younghvCommented:
johnb -
Can't you just modify the HK_Users ".default" (while logged in as local admin) to effect these changes on all subsequent users?

Vic
0
 
johnb6767Commented:
Sure, I wouldnt see whay not...The ntuser.dat from Default user is just a preference.
0
 
johnb6767Commented:
I thought there were some very valid ideas in this thread.....

mmccy


Nothing worked for you?
0
 
younghvCommented:
mmccy,
Come on back in here and let's finish this thing.

Vic
0
 
younghvCommented:
johnb - I like the way you think.

Vic
0
 
johnb6767Commented:
:)

Great minds think alike!!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.