Wednesday, October 8, 2008

Prevent Access to Registry Editing Tools and Access to Command Prompt

Prevent Access to Registry Editing Tools

If this setting is enabled and the user tries to start a registry editor, a message appears explaining that a setting prevents the action.
To prevent users from using other administrative tools, use the "Run only allowed Windows applications" setting.

START > RUN > GPEDIT.MSC > USER CONFIGURATION > ADMINISTRATIVE TEMPLATES > SYSTEM > FIND PREVENT ACCESS TO REGISTRY EDITING TOOLS > RIGHT CLICK > PROPERTIES > CLICK ENABLE > OK > REBOOT


Prevent Access to Command Prompt


This setting also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.
Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Terminal Services.

START > RUN > GPEDIT.MSC > USER CONFIGURATION > ADMINISTRATIVE TEMPLATES > SYSTEM > FIND PREVENT ACCESS TO THE COMMAND PROMPT > RIGHT CLICK > PROPERTIES > CLICK ENABLE > OK REBOOT

Note: This will disable the command for all users including the local administrator. If you want to disable this for specific users only (and for XP Home users) make the change in the registry. Login to the account you want to change and create the following registry entries:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\
DisableCMD dword 0x00000001 to disable command prompt and batch files
or
DisableCMD dword 0x00000002 to disable command prompt but not batch files



No comments:

Post a Comment