Home > Enterprise Desktop Tips > > Group Policy management: Disabling CMD
Enterprise Desktop Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 


Group Policy management: Disabling CMD


Wes Noonan, Contributor
05.01.2007
Rating: -2.60- (out of 5)


Advice for securing Windows
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


[TABLE]

A SearchWindowsSecurity.com reader recently asked Wes: In our domain-based network, we have disabled CMD for all of our users in Group Policy. When a user tries to enable CMD via local Group Policy (gpedit.msc), he gets denied due to conflict with network policy. When that user tries to gain access from the registry (modification of the DisableCMD key), however, his CMD is enabled. How can I disable that?

Wes Noonan offered this response:

Disabling CMD in Group Policy is a two-step process. Only administrators have the ability to write to that key. So if your users are indeed administrators, you are in a hard spot since they can undo anything you do. Step one is to make sure that they are not administrators. (In testing with a domain user, I could not add or modify this value.)

Step two is to make sure that the users do not have the Full Control perm


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


ission on the registry key. If they do, remove the permission or explicitly deny it. Keep in mind, though, that if they are administrators, there is nothing to prevent them from taking ownership and changing the permissions right back.

Deny access to registry editing tools

Another option is to simply prevent access to registry editing tools using Group Policy. This can be done using the User ConfigurationAdministrative ToolsSystemPrevent Access to Registry Editing Tools policy value. If you enable the setting, the user can't open registry editor (or run most other registry editing tools) and thus can't change the registry entry value.

Contact Microsoft

This also strikes me as a bit of a bug on the part of Microsoft. If you have a support contract, you might consider opening an incident with Microsoft and seeing if you can get them to change the functionality.


Rate this Tip
To rate tips, you must be a member of SearchEnterpriseDesktop.com.
Register now to start rating these tips. Log in if you are already a member.




DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



Enterprise Desktop Security - Virus Protection, Malware Protection, Intrusion Detection
HomeTopicsITKnowledge ExchangeTipsMultimediaWhite PapersBlogs
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts