Sometimes you may want to prevent a particular user from opening the Command Prompt window (cmd.exe) for a number of valid reasons. This article explains how to prevent specific users from opening the Command Prompt or running Windows Batch files.
How to Block Command Prompt Access for Specific Users
Locking down the Command Prompt can be done using NTFS permissions, by adding a Deny permission entry on cmd.exe for a specific user or group. This can be done using the built-in console tool ICacls.exe or the Advanced Security Settings dialog.
Method 1: Using ICacls.exe Command-line Utility
From an elevated (Administrator) Command Prompt window, run these commands (from the C:\Windows\System32 folder, or give the full path to cmd.exe):
takeown /f cmd.exe
icacls cmd.exe /deny ramesh:RX
where “ramesh” is the user name of the account you want to prevent from accessing cmd.exe. For more information on the takeown.exe and icacls.exe commands, see the article Take Ownership of a File or Folder Using Command-Line in Windows.
Method 2: Using the Advanced Permissions Dialog
Right-click cmd.exe and click Properties. Alternatively, click the Properties button in the ribbon.
Select the Security tab in the file properties dialog, and click the Advanced button. This opens the Advanced Security Settings dialog.
TrustedInstaller owns cmd.exe. Click “Change” to change the ownership of the file.
Type “Administrators” and press ENTER.
You’ll see the following message. Simply close the Advanced Permissions dialog and re-open it.
If you have just taken ownership of this object, you will need to close and reopen this object’s properties before you can view or change permissions.
The Administrators group is now the owner of the file. You can now add permission entries as required.
Click Change Permissions; the button then changes to Add. Click Add.
Click Select a principal.
Type the user name (e.g., ramesh) and click OK.
From the Type drop-down, select Deny.
Enable the checkboxes for Read, Read & Execute, and click OK.
This is how the Advanced Security Settings dialog now looks:
In the Advanced Security Settings dialog, click OK. You’ll see the following messages. Click Yes on each to proceed.
You are setting a deny permissions entry. Deny entries take precedence over allow entries. This means that if a user is a member of two groups, one that is allowed a permission and another that is denied the same permission, the user is denied that permission.
Do you want to continue?
You are about to change the permission settings on system folders. This can reduce the security of your computer and cause users to have problems accessing files. Do you want to continue?
To test whether the block works, use Run As (or runas.exe) to launch cmd.exe as that particular user:
runas /user:ramesh c:\windows\system32\cmd.exe
That will fail with the following error:
Or simply log in to that user account and try to launch cmd.exe. The user “ramesh” will be unable to read or execute the file.
That’s all. You’ve now disabled access to Command Prompt (cmd.exe) for that particular user.
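As an added example (not the article's own code), the PowerShell script below automates Method 1 and then performs the verification step by reading the DACL back instead of launching cmd.exe as the user. The $User parameter and the verification logic are assumptions, and the script goes beyond the article by also covering the 32-bit copy of cmd.exe under SysWOW64 that exists on 64-bit Windows; run it from an elevated PowerShell session.

```powershell
# Added example, not from the article: apply and verify a Deny Read & Execute
# entry on cmd.exe for one user. $User is a placeholder, e.g. 'ramesh'.
param(
    [Parameter(Mandatory)][string]$User,
    [string[]]$Targets = @(
        "$env:SystemRoot\System32\cmd.exe",
        "$env:SystemRoot\SysWOW64\cmd.exe"   # 32-bit copy; only on 64-bit Windows
    )
)

$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$leaf = ($User -split '\\')[-1]              # bare user name for ACE matching

foreach ($path in $Targets) {
    if (-not (Test-Path $path)) { continue }  # SysWOW64 is absent on 32-bit installs

    # 1. TrustedInstaller owns cmd.exe; take ownership so the DACL can be edited.
    takeown.exe /f $path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $path" }

    # 2. Add the Deny entry, exactly as the article's icacls command does.
    icacls.exe $path /deny "${User}:RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $path" }

    # 3. Verify: the DACL must now carry a Deny ACE for this user that covers
    #    every right in ReadAndExecute (deny entries win over allow entries).
    $acl  = Get-Acl -Path $path
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.IdentityReference.Value -split '\\')[-1] -eq $leaf -and
        (($_.FileSystemRights -band $rx) -eq $rx)
    }
    if (-not $deny) { throw "Deny entry for $User not found on $path" }
    Write-Host "OK: $User is denied Read & Execute on $path"
}
```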
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.