4

I'm using Windows Server 2012, and I want to disable the cmd and the PowerShell for the clients. I've searched in the Group Policies but i didn't find where I can do this. Please can somebody help me?

krusty
  • 103
  • 1
  • 1
  • 8
  • for run powershell script you should change execution policy when you configure execution policy in group policy user can not run script for change setting Computer Configuration -> Administrative Templates-> Windows Components-> Windows PowerShell and configure the Turn On Script Execution setting->allow only signed script "script must have digital signature for running " – Soheil Apr 17 '15 at 15:16
  • @SoheilHashemi - this is not a security measure as the user can still run a powershell prompt and set the execution policy back to unrestricted... – Milney Dec 13 '18 at 15:09

2 Answers2

6

Disable access to powershell:

In the Group Policy window for those users, on the left-hand side, scroll down to User Configuration > Administrative Templates > System > Don’t run specified Windows applications.

In the properties window that opens, click the “Enabled” option and then click the “Show” button.

In the “Show Contents” window add --> powershell.exe

jortiexx
  • 217
  • 2
  • 8
Carlos Tenorio Pérez
  • 549
  • 5
  • 16
  • Be aware though... user can just copy and rename the .exe to get round this. AppLocker with signatures is only way I know of for sure... – Milney Dec 13 '18 at 15:08
1

User Cfg - Admin Templates - System - Prevent access to the command prompt

Prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer.

If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.

Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Terminal Services.

I have no idea about powershell anything.

Patrick
  • 265
  • 1
  • 5
  • 19
Trigger
  • 75
  • 2
  • 3
    There is no security here, this is only an inconvience. If batch is still allowed then you can write a 4 line batch program as a interactive command prompt. Commands still run as in `cmd /c dir`. It takes 3 minutes to implement a basic command prompt in vbscript/jscript (using notepad) or most other languages. – Trigger Apr 17 '15 at 21:45
  • more info: https://www.top-password.com/blog/disable-powershell-with-software-restriction-policies-gpo/ – JPatel Oct 19 '19 at 11:14