Group Policy : Restrict Command Prompt Access


If you want to restrict command prompt access to users, the easiest way is to use a group policy object in your active directory environment. This will allow you to disable access to the command prompt to several users in just a few clicks.

To disable command prompt using group policy, first logon to a domain controller or a computer with RSAT installed. In the policy, navigate to our Group Policy Management inside of Administrative Tools.

Next navigate to Users Configuration > Policies > Administrative Templates > System. Once inside of the System folder, right click on the policy titled Prevent access to command prompt. Once inside, Enable the policy.

A new option will appear in the options section. To disable scripting processes, select “Yes” from the drop-down. If the option is “Yes”, all logon or log off scripts will not run. If the option is “No, only access to the command prompt will be disabled and logon and logoff scripts will run.

Click Apply and OK. Last apply the policy to the desired organizational unit.

To verify the policy is being applied, logon to a computer using an account that has the group policy object applied. If the policy is being applied, a message saying, “The command prompt has been disabled by your administrator.”

To apply the new setting to the computer, restart the machine.