Group PolicyWindowsServer2012R2

How to Disable Run Command using Group Policy Editor

Group Policy Editor to Disable Run Command

Run command can be used to execute applications by typing the application name e.g. you can open Notepad from run command by typing “notepad”, you can open Calculator from open command by typing “calc” or open command prompt by typing “cmd”, etc. Similarly you can execute multiple other application. By default it is enabled in all the Operating Systems either client OS or Server OS. However, in some of the Organizations where you want to restrict users to use only predefined applications, you can use disable run command using Group Policy editor.

Group Policy Editor can also be known as Group Policy Management Console (GPMC), GPMC is a Microsoft management console(MMC) snap in, providing a single administrative tool for managing GPs across the enterprise.

[clickToTweet tweet=”How to Disable run using GPMC for all the Domain Users in Organization. #grouppolicy #disablerun” quote=”How to Disable Run for Domain Users”]

Local Group Policy Editor can be opened by typing “GPEDIT.MSC” or “SECPOL.MSC” alternatively open GPMC by typing “GPMC.MSC“.

As we already know and learned in the Group Policy Management and Preferences post that GP can be deployed on Users and Computers but it cannot be deployed on Groups. In addition to that, we also learned that GPOs linked with OU has highest level of preferences in comparison with GPOs linked with Local Computers, Site or Domain.

Before we disable run command using Group Policy editor, first check if domain users are able to see and use it or not. To verify the same login with the domain user on client machine, click on start and click on run or press Windows + R from keyboard. It would open run command and confirms that it is working fine for domain users.

Group Policy Objects

All the settings, restrictions, policies, etc that we deploy for domain users or computers are by using Group Policy Objects. Even it can be used to define password settings, remotely software installation on multiple computers, restrict software, hide or restrict computer drives, etc. GPOs are the collection of settings, created on Domain Controllers and linked to site, domain and organizational units.

Newly created GPOs are like a blank template, we need to define the settings restrictions, etc. To disable run command, we need to run Group Policy management console and then create a GPO and define the settings and link it with the OU that contains the users. It is for users therefore link it with the OU that has users in it.

I am sure you are aware of the face that policies that be deployed to Users and Computers that are part of the OU.

Disable Run Command using Group Policy Editor

1. To start with, we have created Organizational unit with the name “IT” in ‘Active directory Users and Computers’ and added two users(Tu01 & Tu02) to deploy run disable policy on them.

How to apply Rundisable policy (1)
2. To start with, go to Domain Controller, open command prompt and type GPMC.MSC (short name) and hit enter, this would open GPMC or click on Start then click on down arrow and select GPMC, this would run Group Policy Management console.

3. To create GPO, right click on Organizational Unit(IT) and select ‘create a GPO in this domain and linked it here‘. It would create new GPO and link the same with IT OU.

How to apply Rundisable policy (2)

4. In ‘New GPO’ console’ type the name of  GPO, for this practical we’ll give the name “Rundisable”. It can be any name that you want to assign, however I’ll recommend to name it similar to the policies that you’ll be deploying as it would help you in future to identify it.

How to apply Rundisable policy (3)
5. We have created the GPO but we have not defined the settings and restrictions to disable run command using group policy editor, right click on GPO and then click on Edit. It is required to define the settings.

How to apply Rundisable policy (4)

How to Configure Folder Redirection GPO in Server 2012

6. In GPME console extend “User Configuration”, expand Policies, expand  “Administrative Templates Policies“, select “Start Menu and Taskbar”. Right click on “Remove run menu from start menu” then click on edit.

How to apply run disable policy

7. In “Remove run menu from start menu” console default option of “Not Configured” is selected which means that this policy is not configured. By default all the policies are set to Not Configured.

To disable run we need to enable the policy therefore select the “Enabled” option.

Selecting “Disabled” option would disable the “Run Disable Group Policy“.

Apply the policy and then click on ok. Don’t get confused because of “Enabled” and “Disabled” options. Enabled option is to enable the settings and Disabled option is to disable it.

How to apply run disable policy

8. To check if the disable run Group policy is applied or not. Login with domain user, click on start and then click on run or press “Windows + R” from the keyboard. If it doesn’t work then it confirms that setting is deployed successfully.

How to apply run disable policy

9. If you see a message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator” confirms that policy is deployed successfully.

How to apply run disable policy

Hope you enjoyed and understood all the steps that we have listed in this articles to deploy disable run Group Policy. Make sure you list and leave any issues that you are facing in the comment section. Besides that list all other settings that you have deployed in your Organization. Friends don’t forget to share, like and tweet this page, it will also help others.

One thought on “How to Disable Run Command using Group Policy Editor

  • Any tweak or alternate to enable Command prompt even when it is disabled using Group Policy ?

Comments are closed.