Restrict Command Prompt

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Restrict Command Prompt

    Running Windows Server 2003 Terminal Server farm.
    I can restrict members from opening command prompt AND can restrict a few members to open it.
    The catch here: when I restrict only a group to open the command prompt, the scripts do not take place using Startup with cmd or bat.
    What I wish to achieve:
    Give everyone access to open the command prompt; when executed, it opens at a specific folder location (already done).
    When open, they should not be able to change to any other directory or drive, like CD\ or D:\, etc. The location where it will open is where all executables reside for management, and they should not be able to view anything else except the contents of that folder. GPO is already used to hide all drives in Explorer, but this does not apply when opening command prompt. Any suggestions?
    Last edited by Esterhj; 21st November 2008, 13:50. Reason: Spelling mistakes

  • #2
    Re: Restrict Command Prompt

    You can restrict the access to the command prompt by group policy, but still allow logon scripts to run. Scripts cannot be started by the user.

    I think there is no way of restricting access to certain commands like CD, etc. once access to the command prompt is allowed.

    Maybe software restriction policies can help you?
    Only allow the software they are allowed to run.
    [Powershell]
    Start-DayDream
    Set-Location Malibu Beach
    Get-Drink
    Lay-Back
    Start-Sleep
    ....
    Wake-Up!
    Resume-Service
    Write-Warning
    [/Powershell]

    BLOG: Therealshrimp.blogspot.com


    • #3
      Re: Restrict Command Prompt

      KillerBe,

      Thanks for the reply. Restriction to command prompt with script execution is done; apologies that this was not mentioned.
      Software Policy is not what I need, otherwise my list will grow bigger than expected.
      As mentioned, there should be a way of restricting command prompt from accessing other drives and changing locations. If this cannot be done OR no one thought about it, then I will need to get MS to work on this.

      All, maybe someone with in-depth knowledge of creating an ADM template that will do this: restrict command prompt only to a specific path and prohibit changing the location.


      • #4
        Re: Restrict Command Prompt

        Anyone that can assist here with a solution?


        • #5
          Re: Restrict Command Prompt

          Hi,

          The Cmd prompt default path is the user's home directory.
          You can change that for your users if you configure the Home folder attribute in the Profile Tab (User Properties) to map to a network drive.
          That way the Cmd prompt will default to that location and the users won't be able to change it.

          Ta
          Caesar's cipher - 3

          ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

          SFX JNRS FC U6 MNGR


          • #6
            Re: Restrict Command Prompt

            L4ndy

            Thanks for the effort. As mentioned, I already redirect the command prompt to open in another folder.

            To explain:
            If the user opens the command prompt to the redirected folder, let's say "C:\Program Files\Support Tools", they should not be able to type CD\ or D: to change the location to read other files or directory structure.

            I need a restriction to prohibit them from changing while in command prompt to different folders or to another volume/drive.

            Hope this clears up what I need.


            • #7
              Re: Restrict Command Prompt

              Anyone up for points?


              • #8
                Re: Restrict Command Prompt

                CD is a built in command. It's not like IPCONFIG or HOSTNAME which are both separate executables, so you won't be able to use NTFS permissions etc to restrict access to it.

                Why do you want to prevent users from using CD? I realise that you have put everything they need into a single directory, but a properly configured system will prevent the user from accessing anything they shouldn't.
                Gareth Howells

                BSc (Hons), MBCS, MCP, MCDST, ICCE

                Any advice is given in good faith and without warranty.

                Please give reputation points if somebody has helped you.

                "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.
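
The distinction drawn in post #8 between built-in commands and separate executables, shown as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later; the function name `Get-CommandBacking` is hypothetical and the command names are the ones mentioned in the post.

```powershell
# Added example: report whether each command is a file on disk (controllable
# with NTFS permissions or software restriction policies) or lives inside cmd.exe.
function Get-CommandBacking {
    param([string[]]$Name)

    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

    foreach ($n in $Name) {
        # Look only for real files on PATH; PowerShell's own 'cd' alias is ignored.
        $app = Get-Command -Name $n -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1

        if ($null -eq $app) {
            # No backing file: the command is interpreted by cmd.exe itself,
            # so there is no per-command ACL to set.
            [pscustomobject]@{
                Command  = $n
                Kind     = 'cmd.exe built-in'
                Path     = $null
                CanRun   = '(governed by access to cmd.exe)'
            }
            continue
        }

        # Separate executable: list identities holding an Allow ACE with execute rights.
        $acl = Get-Acl -LiteralPath $app.Path
        $allowed = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.FileSystemRights -band $execute) } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        [pscustomobject]@{
            Command  = $n
            Kind     = 'separate executable'
            Path     = $app.Path
            CanRun   = ($allowed -join '; ')
        }
    }
}

# Command names taken from post #8.
Get-CommandBacking -Name 'cd', 'ipconfig', 'hostname' | Format-List
```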


                • #9
                  Re: Restrict Command Prompt

                  Have you tried my suggestion at all?
                  I've tested it in my lab env and it works as it should, i.e. cmd prompt redirected to the specified home folder path in the network.
                  It defaults to Z:\> (The home folder network drive) and users aren't able to change the location.
                  Isn't this what you were after?

                  ta

                  • #10
                    Re: Restrict Command Prompt

                    gforceindustries

                    CD - Change Directory - Yes, built-in command - NTFS permissions are used for the group that can make use of the command line - This works 100%

                    Why prevent - Some applications installed on this administration farm require the members to be part of the local "Administrators" group; that's why restrictions play a part in locking down the system for them not to browse the farm or directories. We all know how administrators work, they want to check what else are on the which is not part of their profile.

                    All restrictions are in place; I just need the cmd, when opened, to restrict them from browsing to different directory structures.
