Would you like to learn how to use a group policy to prevent access to the command prompt on Windows? In this tutorial, we will show you how to create a group policy to disable access to the DOS command prompt.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 10
• Windows 7

Hardware List:

The following section presents the list of equipment used to create this tutorial.

Every piece of hardware listed above can be found at Amazon website.

Tutorial GPO - Prevent access to the Command prompt

On the domain controller, open the group policy management tool.

Windows 2012 - Group Policy Management

Create a new group policy.

Windows 2012 - Group Policy Objects

Enter a name for the new group policy.

Windows - Add GPO

In our example, the new GPO was named: MY-GPO.

On the Group Policy Management screen, expand the folder named Group Policy Objects.

Right-click your new Group Policy Object and select the Edit option.

Windows - Edit GPO

On the group policy editor screen, expand the User configuration folder and locate the following item.

Copy to Clipboard

Access the folder named System.

GPO - Disable command prompt

Enable the item named Prevent access to the command prompt.

Optionally, you can disable the command prompt script processing.

GPO - Prevent command prompt access

To save the group policy configuration, you need to close the Group Policy editor.

Congratulations! You have finished the GPO creation.

Tutorial GPO - Disable access to the Command prompt

On the Group policy management screen, you need to right-click the Organizational Unit desired and select the option to link an existent GPO.

Windows-2012-Applocker application

In our example, we are going to link the group policy named MY-GPO to the root of the domain.

GPO- tutorial linking

After applying the GPO you need to wait for 10 or 20 minutes.

During this time the GPO will be replicated to other domain controllers.

On a remote computer, try to open a DOS command prompt.

GPO - Disable command prompt access

In our example, we used a GPO to prevent access to the DOS command prompt.