How to Prevent Access to the Command Prompt GPO
Take control by limiting access
3 min. read
Published on
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
If you’re in an organization setting or manage computers on a domain, you may need to prevent or limit access to the Command Prompt through a GPO setting.
We can all acknowledge how the Command Prompt is a powerful feature when it comes to system administration but in the hands of a wrong person, it can be catastrophic.
Apart from unauthorized access, disabling it can also help secure loopholes that can be exploited by malware, and help enforce administrative policies in an organization.
However, if it’s just you but you’re having issues like CMD keeps popping up, you can start and stop some processes using the command line.
How do I remove access to Command Prompt in Group Policy?
- Hit the Windows + R keys to open the Run console.
- Type gpedit.mscย in the dialog box and hit Enterย to open the Group Policy Editor.r
- Navigate to the following path:ย
User Configuration > Administrative Templates > System
. - Find the Prevent access to the command promptย option on the right-hand side pane and double-click on it.
- Selectย Enabledย in the top-left corner then click Apply and OK buttons.
- Restart your PC for the changes to take effect.
If you’d like to re-enable Command Prompt, change the setting to Not Configured in step 5. Elsewhere, the Group Policy may fail to apply or the Group Policy keeps reverting. In such cases, you can also use the Registry Editor to prevent access to the Command Prompt.
- Remember toย create a restore pointย orย backup the registryย before making any edits.
- Hit the Windows + R keys to open the Run console.
- Type regedit in the dialog box and hit Enterย to open the Registry Editor.
- Navigate to the following path:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
- Double-click on System but if unavailable, right-click on an empty space, select New > Key and name it as System.
- Next, click on it again and select New > DWORD (32-bit) Value, name it as DisableCMD.
- Double-click on Disable CMD and in the Value data, type in 1 and hit OK.
Now, anyone who attempts to turn the Command Prompt might get the IT administrator limited access message or some settings are managed by your organization.
While preventing access to the Command Prompt reduces the attack surface area, it also has its drawbacks. If you had an issue that you needed to troubleshoot using the Command Prompt, you’ll be unable to execute any commands.
Still, you can use other command line tools with more advanced features.
That’s all we had for this article but let us know some of the benefits or disadvantages you have experienced first-hand from preventing access to the Command Prompt in the comment section below.
User forum
0 messages