How to Block Command Prompt Access for Specific Users

Sometimes you may want to prevent a particular user from opening the Command Prompt window (cmd.exe) for a number of valid reasons. This article explains how to prevent specific users from opening the Command Prompt or running Windows Batch files.

Locking down the Command Prompt can be done using NTFS Permissions, by adding a Deny Permission entry (to cmd.exe) for a specific user or group. This can be done using the built-in console tool ICacls.exe or the Advanced Security settings dialog.

Method 1: Using the ICacls.exe Command-line Utility

Open an elevated (Administrator) Command Prompt window, which starts in C:\Windows\System32, and run these commands:

takeown /f cmd.exe
icacls cmd.exe /deny ramesh:RX

…where “ramesh” is the name of the user you want to prevent from accessing cmd.exe. For more information on the takeown.exe and icacls.exe commands, see the article Take Ownership of a File or Folder Using Command-Line in Windows.


Method 2: Using the Advanced Permissions Dialog

Open the C:\Windows\System32 folder.

Right-click cmd.exe and click Properties. Alternatively, click the Properties button in the ribbon.

Select the Security tab in the file properties dialog, and click the Advanced button. This opens the Advanced Security Settings dialog.

By default TrustedInstaller owns cmd.exe. Click “Change” to change the ownership of the file.

Type “Administrators” and press ENTER.

You’ll see the following message. Simply close the Advanced Permissions dialog and re-open it.

If you have just taken ownership of this object, you will need to close and reopen this object’s properties before you can view or change permissions.

The Administrators group is now the owner of the file. You can now add Permission entries as required.

Click Change Permissions, which will now change to Add.

Click Add

Click Select a principal

Type the user name (e.g., ramesh) and click OK.



From the Type dialog, select Deny

Enable the checkboxes for Read, Read & Execute, and click OK.

The Advanced Security Settings dialog now shows the new Deny entry for the user.

In the Advanced Security Settings dialog, click OK. You’ll see the following messages. Click Yes to proceed.

You are setting a deny permissions entry. Deny entries take precedence over allow entries. This means that if a user is a member of two groups, one that is allowed a permission and another that is denied the same permission, the user is denied that permission.
Do you want to continue?

You are about to change the permission settings on system folders. This can reduce the security of your computer and cause users to have problems accessing files. Do you want to continue?

To test if the block works, use Run As (or runas.exe) to launch cmd.exe as that particular user.

runas /user:ramesh c:\windows\system32\cmd.exe

That would throw the following error:

Unable to run – cmd.exe => 5: Access is denied

Or simply log in to that user account and try to launch cmd.exe. The user “ramesh” will be unable to read or execute the file.
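The block can also be confirmed by reading the ACL directly, and reversed when it is no longer needed. The following PowerShell script is an added example, not part of the original article; it assumes an elevated PowerShell session, uses the article's sample user “ramesh” as the default, and the -Undo switch is a name chosen here for illustration.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session. 'ramesh' is the article's sample user; -Undo is a hypothetical switch.
param(
    [string]$User = 'ramesh',
    [string]$Path = "$env:SystemRoot\System32\cmd.exe",
    [switch]$Undo
)

$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

if ($Undo) {
    # Remove only the Deny entries for this user, then hand ownership back to
    # TrustedInstaller, the default owner of cmd.exe.
    icacls $Path /remove:d $User
    icacls $Path /setowner 'NT SERVICE\TrustedInstaller'
}

$acl = Get-Acl -LiteralPath $Path
"Owner of ${Path}: $($acl.Owner)"

# Explicit (non-inherited) Deny entries whose account name matches $User.
# IdentityReference looks like 'PC01\ramesh', so compare the part after '\'.
$deny = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    -not $_.IsInherited -and
    ($_.IdentityReference.Value -split '\\')[-1] -eq $User
})

if ($deny.Count -eq 0) {
    "No Deny entry for '$User' is present."
} else {
    foreach ($ace in $deny) {
        # -band tests that the entry covers every bit of Read & Execute
        $blocksRX = ($ace.FileSystemRights -band $rx) -eq $rx
        "Deny entry for $($ace.IdentityReference): $($ace.FileSystemRights) " +
            "(blocks read and execute: $blocksRX)"
    }
}
```

The script only reports Deny entries made directly for the named user; a Deny entry placed on a group the user belongs to is not listed.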

That’s all. You’ve now disabled access to Command Prompt (cmd.exe) for that particular user.

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.
