Solved

disable the command prompt and regedit, mmc, ipconfig, .............

Posted on 2006-10-24
19
2,102 Views
Last Modified: 2008-01-09
Hi experts,

I am installing standalone 50 pcs in a lab and I want to disable the run in the startmenu. but the user in poweruser mode can go to the windows\system32 to run the command prompt (cmd). I want to disable them to use the command prompt and not allow them to run these commands:  regedit, mmc, ipconfig,.............................!! However I want to those commands in admin mode !
any suggestions ? Thanks !

Mike
0
Comment
Question by:mmccy
  • 7
  • 5
  • 2
  • +3
19 Comments
 
LVL 9

Expert Comment

by:olifarago
ID: 17794770
Will the machines be setup on a domain? If so you can use the group policy "Disable the Command Prompt" in [User Configuration\Administrative Templates\System] to control it?

Will this help?

Oli
0
 
LVL 38

Expert Comment

by:younghv
ID: 17794840
If you're going to use an 'image' to stand up these 50, you can configure the first one to meet your standard, then clone the rest.

One manual way to do this is to modify the 'permissions' on each of those commands so that only the 'Administrator' Group has "Execute" permissions.

There may be some simpler tweaks up at Kelley's Korner - I'll look around and post back if I find any.


Vic
0
 
LVL 2

Expert Comment

by:Rob_991
ID: 17795316
Even if the machines are not on a domain, Use the local Policy

Start --> Run gpedit.msc

This is the local Group Policy for the machine..

Look in User configuartion and Administrative Templates... most of the stuff you want to stop should be in there... Anything else you want to do you can find by using a search engine for disable registry access "Group Policy" and this should point you in the right direction!

0
 
LVL 2

Expert Comment

by:Rob_991
ID: 17795359
Hmm just read your post again... You might want to read this first

http://support.microsoft.com/kb/307882

Might be worth it so that the Admin user keeps all his access!
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17796070
I have read that article, but never tried it to see if it truly works. Usually by default local policy affects all accounts on the machine. So what I always do, is to lock the systems down via registry mods for the current user (with the temp user as an admin for this process), copy the registry over to the default user profile, and that way any new user gets the default profile with teh reg hacks in place. Make sure you have already created the administrator profile though, which is usually created at first logon....
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17796073
Dont forget to remove the admin access when done. Then they are ready to image with your choice of tools....
0
 

Author Comment

by:mmccy
ID: 17796419
I agree with younghv's method !
and see if there are some other better methods !!
Thanks !
0
 
LVL 38

Expert Comment

by:younghv
ID: 17796531
mmccy,
I've been looking at the various 'tweak' kinds of sites and can't yet find a way to automate the configuration you want.

Still looking,

Vic
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 500 total points
ID: 17796798
Here is another easy way to do it under the HKCU method..

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"DisallowRun"=dword:00000001

then....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
create string vlaues for
"1"="ipconfig.exe"
"2"="cmd.exe.exe"
"3"="mmc.exe.exe"
"4"="compmgmt.msc.exe"
"5"="etc.exe"
"6"="etc.exe"
"7"="etc.exe"
"8"="etc.exe"
"9"="etc.exe"
"10"="etc.exe"
"11"="etc.exe"
"12"="etc.exe"
"13"="etc.exe"
"14"="etc.exe"
"15"="etc.exe"
"16"="etc.exe"

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93501.mspx?mfr=true

0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:mmccy
ID: 17796981
how about if I run these commands in administrator account ?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17797048
What I was thinking, is creating the modifications and gettign the user profiles ready for deployment, and copy that registry over to teh default user profile, that way any users created thereafter will be locked down...
0
 
LVL 15

Expert Comment

by:Ryan_R
ID: 17800946
Here's a great way to do what you want. Go to www.freshdevices.com and get yourself FreshUI.  It's a bit like GPO, but what you can do is set it up so that users can't run any programs called "cmd.exe" and so on, and you can password protect access to the program so that only password-bearers can change these settings. You can also export (and import) these settings to a file. So you could keep this file hidden on the HDD or on your USB and when you want full control just import your custom settings from the file, and then import the other settings when you're done. It's been a while since i used it (and it's always being updated with new features), but it may be that the settings are only applied to the user that's logged on (meaning you don't have to worry about importig/exporting settings if you log on as admin).

Hope this helps,

Ryan R
0
 
LVL 38

Expert Comment

by:younghv
ID: 17801888
johnb -
Can't you just modify the HK_Users ".default" (while logged in as local admin) to effect these changes on all subsequent users?

Vic
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17803145
Sure, I wouldnt see whay not...The ntuser.dat from Default user is just a preference.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17956432
I thought there were some very valid ideas in this thread.....

mmccy


Nothing worked for you?
0
 
LVL 38

Expert Comment

by:younghv
ID: 17956442
mmccy,
Come on back in here and let's finish this thing.

Vic
0
 
LVL 38

Expert Comment

by:younghv
ID: 17956536
johnb - I like the way you think.

Vic
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17956590
:)

Great minds think alike!!
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
XP won't boot 27 132
window s 8 to 10 err 9 114
Cannot Upgrade Microsoft Installer on Windows 2000 29 57
Windows print sharing 1 51
Most of the time we are in fix when all of sudden our systems behave weirdly.  Such problems cost time and effort... so it's best to take some preventive actions so that we can avoid such issues or overcome such problems more easily. Preventive M…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now