{"id":4122,"date":"2016-09-23T11:49:01","date_gmt":"2016-09-23T06:19:01","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=4122"},"modified":"2020-10-27T03:33:54","modified_gmt":"2020-10-27T03:33:54","slug":"block-command-prompt-particular-user-permissions","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/block-command-prompt-particular-user-permissions\/","title":{"rendered":"How to Prevent Command Prompt Access for Specific Users"},"content":{"rendered":"

Sometimes you may want to prevent a particular user from opening the Command Prompt window (cmd.exe) for a number of valid reasons. This article explains how to prevent specific users from opening the Command Prompt or running Windows batch files.<\/p>\n

Prevent Command Prompt Access for Specific Users<\/h2>\n

Locking down the Command Prompt can be done using NTFS Permissions, by adding a Deny<\/strong> Permission entry (to cmd.exe) for a specific user or group. This can be done using the built-in console tool icacls.exe<\/code> or the Advanced Security settings dialog.<\/p>\n

Method 1: Using ICacls.exe Command-line Utility<\/h3>\n

From an elevated or Administrator Command Prompt<\/a> window, and run these commands:<\/p>\n

takeown \/f cmd.exe\r\nicacls cmd.exe \/deny ramesh:RX<\/pre>\n
\"block<\/p>\n
.. where “ramesh” is the username who you want to prevent from accessing cmd.exe. For more information on takeown.exe and icacls.exe commands, check out the article Take Ownership of a File or Folder Using Command-Line in Windows<\/a><\/i>.<\/p>\n
\n
Method 2: Using the Advanced Permissions Dialog<\/h3>\n
    \n
  1. Open the C:\\Windows\\System32<\/code> folder.<\/li>\n
  2. Right-click cmd.exe and click Properties. Alternately, click the Properties<\/strong> button in the ribbon.
    \n\"block<\/li>\n
  3. Select the Security tab in the file properties dialog, and click the Advanced button. This opens the Advanced Security Settings dialog.
    \n\"block<\/li>\n
  4. By default TrustedInstaller<\/code> owns cmd.exe. Click “Change” to change the ownership of the file.
    \n\"block<\/li>\n
  5. Type “Administrators” and press ENTER.
    \n\"block<\/li>\n
  6. You’ll see the following message. Simply close the Advanced Permissions dialog and re-open it.\n
    If you have just taken ownership of this object, you will need to close and reopen this object’s properties before you can view or change permissions.<\/strong><\/em><\/li>\n
  7. The Administrators group is now the owner of the file. You can now add Permission entries as required. Click Change Permissions<\/strong>, which will now change to Add<\/strong>.
    \n\"block<\/li>\n
  8. Click Add
    \n\"block
    \n<\/strong><\/li>\n
  9. Click Select a principal<\/strong><\/li>\n
  10. Type the user name (e.g., ramesh<\/strong>) and click OK.
    \n\"block<\/li>\n
  11. From the Type<\/strong> dialog, select Deny
    \n\"block
    \n<\/strong><\/li>\n
  12. Enable the checkboxes for Read<\/strong>, Read & Execute<\/strong>, and click OK.\n
    This is how the Advanced Security Settings dialog would now look like:
    \n\"block<\/li>\n
  13. In the Advanced Security Settings dialog, click OK. You’ll see the following messages. Click Yes<\/strong> to proceed.\n
    You are setting a deny permissions entry. Deny entries take precedence over allow entries. This means that if a user is a member of two groups, one that is allowed a permission and another that is denied the same permission, the user is denied that permission.\r\n\r\nDo you want to continue?\r\n\r\nYou are about to change the permission settings on system folders. This can reduce the security of your computer and cause users to have problems accessing files. Do you want to continue?<\/pre>\n<\/li>\n<\/ol>\n
    Test if it works<\/h3>\n
    To test if the block works, use Run As<\/a> (or runas.exe) to launch cmd.exe as that particular user.<\/p>\n
    runas \/user:ramesh c:\\windows\\system32\\cmd.exe<\/pre>\n
    That would throw the following error:<\/p>\n
    Unable to run - cmd.exe → 5: Access is denied<\/pre>\n
    Or simply login to that user account and try to launch cmd.exe. The user “ramesh” will be unable to read or execute the file.<\/p>\n
    \"block<\/p>\n
    That’s all. You’ve now disabled access to Command Prompt (cmd.exe) for that particular user.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Sometimes you may want to prevent a particular user from opening the Command Prompt window (cmd.exe) for a number of valid reasons. This article explains how to prevent specific users from opening the Command Prompt or running Windows batch files.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[],"class_list":["post-4122","post","type-post","status-publish","format-standard","hentry","category-windows"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1520,"url":"https:\/\/www.winhelponline.com\/blog\/open-elevated-command-prompt-windows\/","url_meta":{"origin":4122,"position":0},"title":"How to Open Elevated or Admin Command Prompt in Windows?","author":"Ramesh","date":"March 5, 2007","format":false,"excerpt":"Command Prompt is one of the most used tools in Windows. For tasks requiring administrator privileges, we need to start Command Prompt as administrator (\"elevated\"). This article describes different ways to open an elevated or administrator Command Prompt window. How to Open Elevated or Admin Command Prompt From the Win-X\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"task manager -run command prompt elevated - create new task","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2007\/03\/taskmgr-cmd-elevated.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2007\/03\/taskmgr-cmd-elevated.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2007\/03\/taskmgr-cmd-elevated.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2007\/03\/taskmgr-cmd-elevated.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":4813,"url":"https:\/\/www.winhelponline.com\/blog\/cmd-here-windows-10-context-menu-add\/","url_meta":{"origin":4122,"position":1},"title":"Add “Open command window here” to Context Menu in Windows 10","author":"Ramesh","date":"December 13, 2016","format":false,"excerpt":"In the recent versions of Windows 10 (Creators Update and higher), the \"Open Command Prompt here\" context menu entry has been removed and is replaced by \"Open PowerShell window here\". Microsoft, in an effort to bring the best command line experiences to the forefront for all power users, has made\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"cmdhere context menu icon","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/12\/cmdhere-context-menu.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":9842,"url":"https:\/\/www.winhelponline.com\/blog\/open-command-prompt-current-folder-keyboard-shortcut\/","url_meta":{"origin":4122,"position":2},"title":"Open Command Prompt in Current Folder Using Keyboard Shortcut","author":"Ramesh","date":"June 19, 2019","format":false,"excerpt":"There are at least a couple of ways to open Command Prompt in the current folder path from a folder window. The two widely used options include running cmd.exe from the File Explorer address bar and using the Open Command window here option from the folder background context menu. But,\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"open command prompt in current folder - autohotkey","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/06\/open-cmd-here-autohotkey-3.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/06\/open-cmd-here-autohotkey-3.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/06\/open-cmd-here-autohotkey-3.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2019\/06\/open-cmd-here-autohotkey-3.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":2433,"url":"https:\/\/www.winhelponline.com\/blog\/cascading-menu-jump-lists-issue-windows-10\/","url_meta":{"origin":4122,"position":3},"title":"Cascading Menu and File Explorer Jump Lists Issue in Windows 10","author":"Ramesh","date":"March 28, 2016","format":false,"excerpt":"When you implement Cascading Menus in File Folders (Directory) using the SubCommands or ExtendedSubCommands registry keys in Windows 10, an interesting thing happens. The last item in your Cascading menu gets executed when you right-click Pinned File Explorer shortcut in the Taskbar, and click on a folder in the Jump\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/w10\/cascade1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/w10\/cascade1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/w10\/cascade1.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":28839,"url":"https:\/\/www.winhelponline.com\/blog\/cant-open-cmd-after-uninstalling-python-anaconda\/","url_meta":{"origin":4122,"position":4},"title":"Can’t Open CMD.exe After Uninstalling Python\/Anaconda; Exit Code 1","author":"Ramesh","date":"September 29, 2022","format":false,"excerpt":"After uninstalling Python\/Anaconda on your Windows computer, Command Prompt may not open. When you run cmd.exe, it flashes on the screen and immediately quits. Also, running DISM and SFC (to repair corrupt system files), repairing Windows installation, and running a thorough malware scan may not fix the issue. Also, when\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"vscode cmd.exe error 1","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/09\/vscode-cmd-error-code-1.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":929,"url":"https:\/\/www.winhelponline.com\/blog\/enable-quick-edit-command-prompt-by-default\/","url_meta":{"origin":4122,"position":5},"title":"How to Enable Quick Edit Mode in the Command Prompt by Default","author":"Ramesh","date":"September 22, 2009","format":false,"excerpt":"You can use the mouse to copy Command Prompt text to the clipboard by enabling the Quick Edit option in Command Prompt shortcut properties. What if you don't use a desktop shortcut to open Command Prompt, and rather run cmd.exe directly? Here is a registry edit which enables Quick Edit\u2026","rel":"","context":"In "Windows"","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/4122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=4122"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/4122\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=4122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=4122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=4122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}