|You can disable CMD in Group Policy in two steps according to Wes Noonan, our Windows-based network infrastructure security design expert.|
A SearchWindowsSecurity.com reader recently asked Wes: In our domain-based network, we have disabled CMD for all...
of our users in Group Policy. When a user tries to enable CMD via local Group Policy (gpedit.msc), he gets denied due to conflict with network policy. When that user tries to gain access from the registry (modification of the DisableCMD key), however, his CMD is enabled. How can I disable that?
Wes Noonan offered this response:
Disabling CMD in Group Policy is a two-step process. Only administrators have the ability to write to that key. So if your users are indeed administrators, you are in a hard spot since they can undo anything you do. Step one is to make sure that they are not administrators. (In testing with a domain user, I could not add or modify this value.)
Step two is to make sure that the users do not have the Full Control permission on the registry key. If they do, remove the permission or explicitly deny it. Keep in mind, though, that if they are administrators, there is nothing to prevent them from taking ownership and changing the permissions right back.
Deny access to registry editing tools
Another option is to simply prevent access to registry editing tools using Group Policy. This can be done using the User ConfigurationAdministrative ToolsSystemPrevent Access to Registry Editing Tools policy value. If you enable the setting, the user can't open registry editor (or run most other registry editing tools) and thus can't change the registry entry value.
This also strikes me as a bit of a bug on the part of Microsoft. If you have a support contract, you might consider opening an incident with Microsoft and seeing if you can get them to change the functionality.