Disable Command Prompt

I have been attempting to disable the command prompt on a Guest PC, and I
looked up directions online of how to go into the registry, but I haven't
been able to find what I'm looking for to be able to disable the command
prompt in the registry. Can anyone help me out?
 
UWRFREPORTER04 said:
I have been attempting to disable the command prompt on a Guest PC,
and I looked up directions online of how to go into the registry, but
I haven't been able to find what I'm looking for to be able to disable
the command prompt in the registry. Can anyone help me out?

What are you trying to do? Limit what a visitor can do on your computer?
First of all, don't use the Guest user account. This is a system
account that enables people without local user accounts to log on and
do some work. Guest runs with elevated privileges and that is why it is
usually disabled. Make a "Visitors" Limited account instead.

You can set very fine-grained permissions and restrictions to user
accounts in XP Pro with the Group Policy Editor (Start>Run>gpedit.msc).
If you don't have Pro, look at either MVP Doug Knox's Security Console
or the MS Shared Computer Toolkit:

http://www.dougknox.com
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Malke
 
The easiest way to block it is to set the permissions on cmd.exe to not
allow certain users to execute it. Note that this will also disable the
ability to run batch files.

There is also this registry key:

Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
Value: DisableCMD
Type: REG_DWORD

0 - enable cmd
1 - disable cmd and batch files
2 - disable cmd but allow batch files



Mark
 
The problem I'm having when I go to the registry, is I go to
HKEY_CURRENT_USER\Software\Policies\Microsoft

But after that there isn't anything else. My only option is
systemcertificates and there is nothing in that folder.

I'm running XP sp2 on a Domain and I'm logged in as the administrator of the
pc and I'm also in the administrator group as well.

I could also attempt to make the account a limited account.
 
You would have to create the remaining keys in the path by
right-clicking, selecting New, then select Key. Create a key for
Windows, then one for System after that. Then, right-click, select New,
then DWORD value. Name that value DisableCMD. Double-click on it and set
the value you want.

Mark
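
The key-creation steps and the DisableCMD values described in the posts above, scripted as an added example (not code from the thread's posters). It assumes Windows PowerShell 3.0 or later is available; the function name Set-DisableCmdPolicy and its parameters are hypothetical.

```powershell
# Added example: set and verify the DisableCMD policy value in one user hive.
# The key path, value name and 0/1/2 meanings are the ones given in the thread;
# the function and parameter names are hypothetical.
function Set-DisableCmdPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 2)]
        [int]$Mode,

        # 'HKCU:' is the hive of the account running the script. To target
        # another account, pass its loaded hive instead, in the form
        # 'Registry::HKEY_USERS\<SID>' (<SID> is a placeholder).
        [string]$HiveRoot = 'HKCU:'
    )

    $meaning = @{
        0 = 'cmd enabled'
        1 = 'cmd and batch files disabled'
        2 = 'cmd disabled, batch files allowed'
    }
    $key = "$HiveRoot\Software\Policies\Microsoft\Windows\System"

    # Create the missing Windows and System keys (the manual New > Key steps).
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Create or overwrite the DWORD value.
    New-ItemProperty -Path $key -Name 'DisableCMD' -PropertyType DWord `
        -Value $Mode -Force | Out-Null

    # Read the value back so a failed or redirected write is noticed.
    $actual = (Get-ItemProperty -Path $key -Name 'DisableCMD').DisableCMD
    if ($actual -ne $Mode) {
        throw "DisableCMD is $actual, expected $Mode"
    }

    [pscustomobject]@{
        Key        = $key
        DisableCMD = $actual
        Meaning    = $meaning[$actual]
    }
}

# Disable cmd and batch files for the account running this script.
Set-DisableCmdPolicy -Mode 1
```

HKEY_CURRENT_USER belongs to whichever account is logged on, so running this as an administrator restricts the administrator's own profile, not the visitor's.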
 
For XP Pro use Group Policy and go to user configuration\administrative
templates\system to disable command prompt. You may also want to remove
command.com from the computer or restrict access to that binary.

Steve
 
Thanks so much, I was able to figure out how to do it both ways. This may
sound like a dumb question, but I was looking at the group policy in detail
and noticed there are several settings you can change. We are upgrading to
Win Server 2003 soon and if I apply changes to the group policy on the domain
controller or the server with 2003 (such as setting the screensaver, etc.)
do those settings automatically take place over the entire network or are
there additional steps I need to take first?
 
If you have a domain controller you can configure Group Policy at the domain
or Organizational Unit level and it will apply to all users or computers as
the case may be that are under the scope of management of that GPO. For
instance if you configure a "user configuration" setting such as you did it
could potentially apply to all users in the domain if configured on a GPO
linked to the domain container or if you did it on an OU it would apply only
to user accounts in that OU and possibly child OUs if no other conflicting
setting was applied in a GPO linked to a child OU.

Steve
 