Disable Command Prompt using Group Policy (GPO)

This blog post will guide you on how to disable Command Prompt using Group Policy (GPO), a powerful administrative tool for managing Windows environments at scale. IT administrators often need to restrict command prompt access to prevent users from executing potentially harmful commands, modifying system settings, or bypassing security policies.

There are multiple ways to disable or block Command Prompt on a Windows device. Let’s take a look at a few of the options:

Disable Command Prompt using Group Policy

Follow the steps below to disable Command Prompt using a Group Policy.

  • Log in to a domain controller and open the Group Policy Management Console (gpmc.msc).
  • Right-click on the Group Policy Objects folder and select New to create a new GPO.
  • Provide a name for the new GPO.
  • Right-click on the newly created GPO (Disable Command Prompt) and select Edit.
  • Navigate to User Configuration > Policies > Administrative Templates > System. On the right-hand side, find the policy setting Prevent access to the command prompt. Right-click on it and select Edit.
  • Select Enabled and, for the Disable the command prompt script processing also? option, select No.
  • Prevent access to the command prompt: This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. Enable this policy setting.
  • Disable the command prompt script processing also?: Selecting Yes will prevent the computer from running batch files, including logon, logoff, startup, or shutdown batch file scripts. Keep it set to No for now unless you are sure that you want to block batch files and other logon/logoff script execution.
  • The GPO has been created. Now link it to an OU containing the users to whom you want to apply this Group Policy. Right-click on the OU > select Link an Existing GPO and then select the GPO Disable Command Prompt.
  • The GPO has been linked to the Users OU. All users in this OU will be blocked from accessing the command prompt on their domain-joined PCs.
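The same GPO can be built and checked from PowerShell with the GroupPolicy module. This is an added example, not part of the original post: the OU distinguished name is a placeholder, and the registry value shown (DisableCMD = 2) is the one this policy writes when the script-processing option is set to No.

```powershell
#Requires -Modules GroupPolicy
# Added example: scripted equivalent of the GPMC steps above.
# Assumptions: RSAT GroupPolicy module is installed and the OU DN below
# is a placeholder that must be replaced with a real one.

$GpoName  = 'Disable Command Prompt'
$TargetOu = 'OU=Users,DC=example,DC=com'   # placeholder DN

# Registry value behind "Prevent access to the command prompt":
#   1 = Enabled, script processing also disabled (Yes)
#   2 = Enabled, batch and logon scripts still allowed (No)
$PolicyKey = 'HKCU\Software\Policies\Microsoft\Windows\System'
$ValueName = 'DisableCMD'
$Desired   = 2

# Create the GPO only if it does not exist, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks interactive cmd.exe; batch scripts still run'
}

# An HKCU key lands in the User Configuration half of the GPO.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $ValueName `
    -Type DWord -Value $Desired | Out-Null

# Link to the OU unless a link is already present.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read the setting back from the GPO and fail loudly on a mismatch.
$actual = (Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $ValueName).Value
if ($actual -ne $Desired) {
    throw "GPO '$GpoName' has $ValueName=$actual, expected $Desired"
}
"GPO '$GpoName' linked to $TargetOu with $ValueName=$actual"
```

Keeping the GPO definition in a script like this makes the setting reviewable and lets you detect drift by re-running the read-back check.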

End User Experience

Once the GPO is applied successfully, users who are part of the Users OU will no longer be able to access the command prompt on their PC. Users will get an error message: Disable Command Prompt GPO. Press any key to continue.


Troubleshooting

If a user is still able to open the Command Prompt, it could be that the GPO has not yet been applied. By default, GPO refreshes occur every 90 minutes. To speed up the process, open the Command Prompt (while it’s still accessible) and execute the gpupdate /force command.

If you want, you can modify the default Group Policy refresh interval by using a setting called Set Group Policy refresh interval for computers. Similarly, for user configuration settings, use the Set Group Policy refresh interval for users setting. Refer to the link for more details: How to Modify Group Policy Refresh Interval.
