Solved

disable the command prompt and regedit, mmc, ipconfig, .............

Posted on 2006-10-24
19
2,139 Views
Last Modified: 2008-01-09
Hi experts,

I am installing standalone 50 pcs in a lab and I want to disable the run in the startmenu. but the user in poweruser mode can go to the windows\system32 to run the command prompt (cmd). I want to disable them to use the command prompt and not allow them to run these commands:  regedit, mmc, ipconfig,.............................!! However I want to those commands in admin mode !
any suggestions ? Thanks !

Mike
0
Comment
Question by:mmccy
  • 7
  • 5
  • 2
  • +3
19 Comments
 
LVL 9

Expert Comment

by:olifarago
ID: 17794770
Will the machines be setup on a domain? If so you can use the group policy "Disable the Command Prompt" in [User Configuration\Administrative Templates\System] to control it?

Will this help?

Oli
0
 
LVL 38

Expert Comment

by:younghv
ID: 17794840
If you're going to use an 'image' to stand up these 50, you can configure the first one to meet your standard, then clone the rest.

One manual way to do this is to modify the 'permissions' on each of those commands so that only the 'Administrator' Group has "Execute" permissions.

There may be some simpler tweaks up at Kelley's Korner - I'll look around and post back if I find any.


Vic
0
 
LVL 2

Expert Comment

by:Rob_991
ID: 17795316
Even if the machines are not on a domain, Use the local Policy

Start --> Run gpedit.msc

This is the local Group Policy for the machine..

Look in User configuartion and Administrative Templates... most of the stuff you want to stop should be in there... Anything else you want to do you can find by using a search engine for disable registry access "Group Policy" and this should point you in the right direction!

0
 
LVL 2

Expert Comment

by:Rob_991
ID: 17795359
Hmm just read your post again... You might want to read this first

http://support.microsoft.com/kb/307882

Might be worth it so that the Admin user keeps all his access!
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17796070
I have read that article, but never tried it to see if it truly works. Usually by default local policy affects all accounts on the machine. So what I always do, is to lock the systems down via registry mods for the current user (with the temp user as an admin for this process), copy the registry over to the default user profile, and that way any new user gets the default profile with teh reg hacks in place. Make sure you have already created the administrator profile though, which is usually created at first logon....
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17796073
Dont forget to remove the admin access when done. Then they are ready to image with your choice of tools....
0
 

Author Comment

by:mmccy
ID: 17796419
I agree with younghv's method !
and see if there are some other better methods !!
Thanks !
0
 
LVL 38

Expert Comment

by:younghv
ID: 17796531
mmccy,
I've been looking at the various 'tweak' kinds of sites and can't yet find a way to automate the configuration you want.

Still looking,

Vic
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 500 total points
ID: 17796798
Here is another easy way to do it under the HKCU method..

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"DisallowRun"=dword:00000001

then....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
create string vlaues for
"1"="ipconfig.exe"
"2"="cmd.exe.exe"
"3"="mmc.exe.exe"
"4"="compmgmt.msc.exe"
"5"="etc.exe"
"6"="etc.exe"
"7"="etc.exe"
"8"="etc.exe"
"9"="etc.exe"
"10"="etc.exe"
"11"="etc.exe"
"12"="etc.exe"
"13"="etc.exe"
"14"="etc.exe"
"15"="etc.exe"
"16"="etc.exe"

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93501.mspx?mfr=true

0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:mmccy
ID: 17796981
how about if I run these commands in administrator account ?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17797048
What I was thinking, is creating the modifications and gettign the user profiles ready for deployment, and copy that registry over to teh default user profile, that way any users created thereafter will be locked down...
0
 
LVL 15

Expert Comment

by:Ryan_R
ID: 17800946
Here's a great way to do what you want. Go to www.freshdevices.com and get yourself FreshUI.  It's a bit like GPO, but what you can do is set it up so that users can't run any programs called "cmd.exe" and so on, and you can password protect access to the program so that only password-bearers can change these settings. You can also export (and import) these settings to a file. So you could keep this file hidden on the HDD or on your USB and when you want full control just import your custom settings from the file, and then import the other settings when you're done. It's been a while since i used it (and it's always being updated with new features), but it may be that the settings are only applied to the user that's logged on (meaning you don't have to worry about importig/exporting settings if you log on as admin).

Hope this helps,

Ryan R
0
 
LVL 38

Expert Comment

by:younghv
ID: 17801888
johnb -
Can't you just modify the HK_Users ".default" (while logged in as local admin) to effect these changes on all subsequent users?

Vic
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17803145
Sure, I wouldnt see whay not...The ntuser.dat from Default user is just a preference.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17956432
I thought there were some very valid ideas in this thread.....

mmccy


Nothing worked for you?
0
 
LVL 38

Expert Comment

by:younghv
ID: 17956442
mmccy,
Come on back in here and let's finish this thing.

Vic
0
 
LVL 38

Expert Comment

by:younghv
ID: 17956536
johnb - I like the way you think.

Vic
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17956590
:)

Great minds think alike!!
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Migration of Exchange mailbox can be done with the ExProfre.exe tool. But at times, when the ExProfre.exe tool migrates the Exchange Server user profile, it results in numerous synchronization problems. Synchronization error messages appear in the e…
It is only natural that we all want our PCs to be in good working order, improved system performance, so that is exactly how programs are advertised to entice. They say things like:            •      PC crashes? Get registry cleaner to repair it!    …
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now