How to Prevent Command Prompt Access for Specific Users

Sometimes you may want to prevent a particular user from opening the Command Prompt window (cmd.exe) for a number of valid reasons. This article explains how to prevent specific users from opening the Command Prompt or running Windows batch files.

Prevent Command Prompt Access for Specific Users

Locking down the Command Prompt can be done using NTFS Permissions, by adding a Deny Permission entry (to cmd.exe) for a specific user or group. This can be done using the built-in console tool icacls.exe or the Advanced Security settings dialog.

Method 1: Using ICacls.exe Command-line Utility

From an elevated or Administrator Command Prompt window, and run these commands:

takeown /f cmd.exe
icacls cmd.exe /deny ramesh:RX

block cmd.exe access for a user

.. where “ramesh” is the username who you want to prevent from accessing cmd.exe. For more information on takeown.exe and icacls.exe commands, check out the article Take Ownership of a File or Folder Using Command-Line in Windows.

Method 2: Using the Advanced Permissions Dialog

  1. Open the C:\Windows\System32 folder.
  2. Right-click cmd.exe and click Properties. Alternately, click the Properties button in the ribbon.
    block cmd.exe access for a user
  3. Select the Security tab in the file properties dialog, and click the Advanced button. This opens the Advanced Security Settings dialog.
    block cmd.exe access for a user
  4. By default TrustedInstaller owns cmd.exe. Click “Change” to change the ownership of the file.
    block cmd.exe access for a user
  5. Type “Administrators” and press ENTER.
    block cmd.exe access for a user
  6. You’ll see the following message. Simply close the Advanced Permissions dialog and re-open it.

    If you have just taken ownership of this object, you will need to close and reopen this object’s properties before you can view or change permissions.

  7. The Administrators group is now the owner of the file. You can now add Permission entries as required. Click Change Permissions, which will now change to Add.
    block cmd.exe access for a user
  8. Click Add
    block cmd.exe access for a user
  9. Click Select a principal
  10. Type the user name (e.g., ramesh) and click OK.
    block cmd.exe access for a user
  11. From the Type dialog, select Deny
    block cmd.exe access for a user
  12. Enable the checkboxes for Read, Read & Execute, and click OK.

    This is how the Advanced Security Settings dialog would now look like:
    block cmd.exe access for a user

  13. In the Advanced Security Settings dialog, click OK. You’ll see the following messages. Click Yes to proceed.
    You are setting a deny permissions entry. Deny entries take precedence over allow entries. This means that if a user is a member of two groups, one that is allowed a permission and another that is denied the same permission, the user is denied that permission.
    Do you want to continue?
    You are about to change the permission settings on system folders. This can reduce the security of your computer and cause users to have problems accessing files. Do you want to continue?

Test if it works

To test if the block works, use Run As (or runas.exe) to launch cmd.exe as that particular user.

runas /user:ramesh c:\windows\system32\cmd.exe

That would throw the following error:

Unable to run - cmd.exe → 5: Access is denied

Or simply login to that user account and try to launch cmd.exe. The user “ramesh” will be unable to read or execute the file.

block cmd.exe access for a user

That’s all. You’ve now disabled access to Command Prompt (cmd.exe) for that particular user.

One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded in 2005.

Leave a Comment