Disabling CMD in Group Policy
In our domain-based network, we have disabled CMD for all of our users (Group Policy). When a user tries to enable CMD via local Group Policy (gpedit.msc), they get denied (due to conflict with network policy). When that user tries to gain access from the registry (modification of the DisableCMD key), however, their CMD is enabled. How can I disable that?
I don't know why this happens, but it strikes me as a bit of a bug on the part of Microsoft. If you have a support contract, you might consider opening an incident with Microsoft and seeing if you can get them to change the functionality. As for how to disable it, in looking into that key, only administrators have the ability to write to that key, so if your users are indeed administrators, you are kind of in a hard spot since they can undo anything you do. So step one is to make sure that they are not administrators. (In testing with a domain user, I could not add or modify this value.) Step two is to make sure that the users do not have the Full Control permission on the registry key. If they do, remove the permission or explicitly deny it. Keep in mind, though, that if they are an administrator, there is nothing to prevent them from taking ownership and changing the permissions right back.
Another option is to simply prevent access to registry editing tools using Group Policy. This can be done using the User ConfigurationAdministrative ToolsSystemPrevent Access to Registry Editing Tools policy value. If you enable the setting, the user can't open registry editor (or run most other registry editing tools), and thus can't change the registry entry value.
This was first published in January 2007