run a batch file

  • Thread starter Thread starter Admin
  • Start date Start date
A

Admin

I have a group police applied inot my domain and I deny any one to run a
"cmd.exe" program
but some users define a batch file "test.bat" and he insert a cmd.exe into
it and he run the batch
my question is how can I deny any one to run a batch
 
Try these.

User Config\Administrative Templates\System\

Prevent access to the command prompt
"Prevents users from running the interactive command prompt, Cmd.exe. This
setting also determines whether batch files (.cmd and .bat) can run on the
computer. If you enable this setting and the user tries to open a command
window, the system displays a message explaining that a setting prevents the
action. Note: Do not prevent the computer from running batch files if the
computer uses logon, logoff, startup, or shutdown batch file scripts, or for
users that use Terminal Services."

Run only allowed Windows applications
"Limits the Windows programs that users have permission to run on the
computer. If you enable this setting, users can only run programs that you
add to the List of Allowed Applications. This setting only prevents users
from running programs that are started by the Windows Explorer process. It
does not prevent users from running programs such as Task Manager, which are
started by the system process or by other processes. Also, if users have
access to the command prompt, Cmd.exe, this setting does not prevent them
from starting programs in the command window that they are not permitted to
start by using Windows Explorer. Note: It is a requirement for third-party
applications with Windows 2000 or later certification to adhere to this
setting. Note: To create a list of allowed applications, click Show, click
Add, and then enter the application executable name (e.g., Winword.exe,
Poledit.exe, Powerpnt.exe)."

Don't run specified Windows applications
"Prevents Windows from running the programs you specify in this setting. If
you enable this setting, users cannot run programs that you add to the list
of disallowed applications. This setting only prevents users from running
programs that are started by the Windows Explorer process. It does not
prevent users from running programs, such as Task Manager, that are started
by the system process or by other processes. Also, if you permit users to
gain access to the command prompt, Cmd.exe, this setting does not prevent
them from starting programs in the command window that they are not permitted
to start by using Windows Explorer. Note: To create a list of disallowed
applications, click Show, click Add, and then enter the application
executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe)."

BR,
Denis
 
Back
Top