Disable cmd and PowerShell on Windows Server 2012 for clients - cmd

I'm using Windows Server 2012, and I want to disable the cmd and the PowerShell for the clients. I've searched in the Group Policies but i didn't find where I can do this. Please can somebody help me?

Disable access to powershell:
In the Group Policy window for those users, on the left-hand side, scroll down to User Configuration > Administrative Templates > System > Don’t run specified Windows applications.
In the properties window that opens, click the “Enabled” option and then click the “Show” button.
In the “Show Contents” window add --> powershell.exe

User Cfg - Admin Templates - System - Prevent access to the command prompt
Prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.
Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Terminal Services.
I have no idea about powershell anything.

Related

How to use AutoHotKey to launch Visual Studio 2015 when it requires interaction with the UAC prompt in Windows 10

I have VS2015 set up so that it always runs as administrator (a la something like this https://superuser.com/a/468056/48346).
Now I want to create an AHK script to launch Visual Studio and run a few UI / Keyboard commands to get it ready for me - I want this script to run at login but that's a later problem.
The Null solution is obviously to turn UAC off, but I don't want to do that.
So far I'm stuck on the way the UAC prompt always grabs the whole screen and I can't use AHK to click the "yes" button or send any keyboard commands to press enter or something like that. I guess this is the whole point of the UAC prompt, not to allow anything to do it for me.
Is there no way to open VS without the UAC prompt showing? I'd need to open a specific solution file, so if it's possible from the command line, the solution file would need to be included in the command so that it opens.
So far I've tried the AHK command RunAs, but I couldn't get that to work - my personal user is a domain user that's a member of the admin group on my local machine. I tried creating a specific runner account with admin privileges and use the RunAs command with that, but that didn't work. I get an access is denied when I run this AHK code:
RunAs, runner, password, LocalComputer-Name
Run, %comspec% /k "start c:\Users\myacc\Documents\path\solution.sln"
The runner account is in the Administrators group on my local machine, which has full access to the folder where the solution file is stored including the file itself - so I don't understand why access is denied.
Is this not possible?
Ps. I'd ask this question on the AHK forum, but registering there seems to not send any confirmation email at all (no, it's not in my spam folder), so I can't post it there.
The answer is to schedule a task that runs with the highest privileges to run the script at logon. The problem I was really having was to construct and debug the script - running a task each time was cumbersome. So to debug the script, just right-click the script and select "Run as administrator". Then the UAC prompt will pop up before the script starts running but not during the script. Then when the script is ready, just schedule a task to run at logon and check the "Run with highest privileges" option for the task. Then you can try the task by right-clicking the newly created task and selecting run, then you will see it run without the UAC prompt.
My final version of the script just opens the solution file using Run, no RunAs required - the scheduled task is set to run as my user, with the highest privileges.
Run, %comspec% /c "start c:\Users\myacc\path\solution.sln"

VBS: Display message on logon screen

It is possible to set up Windows so that it displays verbose messages during startup or shutdown.
I'm writing a VBScript procedure which will be ran at startup and I would like to display a meaning message instead of the default "Running startup scripts".
How to achieve this in VBS?
You need to use Windows administrative tools which allow you to configure start up for specific users or users group to execute anything on start-up, shutdown even change their backgrounds. Network policy maybe useful for that as well if you are on domain controlled environment.
Also you can use MSCONFIG on a single system to add or define what ever you want to run at startup, for as long as it is valid windows program.
Once you configured what script to run use Windows console (run that under wscript.exe) to execute your VBS file with what ever you want to put there (with wscript you will get dialog with your text in it).
Usually it should look like
Wscript.Echo "Meaningful message goes here"
If you run that under cscript.exe you'll get output in your console window.

BGInfo error occurred opening the Default Desktop registry key

Running the very nice BGInfo tool to uniquely identify various computers. However, in trying to run on Windows 2008 Server R2, I am getting following error:
"An error occured opening the Default Desktop registry key. Please ensure the current user has rights to change the Logon Desktop settings: Access is denied."
The program is started via a shortcut placed in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup", and that shortcut is specifying a .BGI configuration file (versus reading settings from the Registry). Thoughts on why the error happens for user other than the Administrator?
On a more in-depth level, I am curious if anyone knows why BGInfo must open the "default desktop registry key" and what it is updating in the "logon desktop settings" (phrase in quotes taken from the original error message)?
BGInfo needs to update the registry to set a default login desktop for all RDP users.
You need to run BGInfo with elevated privileges initially. That can be done as described by creed929 or by right-clicking on bginfo.exe and running as administrator. Once the settings are saved, subsequent user logins will not need the elevated privilege to see the BGInfo background.
From an administrator account. I was able to right click on bginfo.exe. Go to Compatibility tab and check the Run this program as an administrator. This seemed to then allow me to apply the settings without the Default Desktop registry key error.

Stop CMD from always opening with administrator privileges

No matter how I open it, cmd.exe always opens with admin privileges. How can I open it without? Is there some registry setting missing? Even if I open it directly from the run dialog or by double clicking in the system32 folder it still opens with admin privs.
Thanks.
Found out I was missing a registry key. In HKEY_CLASSES_ROOT\Directory\shell\cmd I was missing the String Value "Extended". Added this back in and restarted the machine got rid of the defaulting to admin privileges.
EDIT: I had UAC turned off for my profile (to stop incessant "are you sure you want to open this .exe" warnings), and turning that back on has stopped cmd always running with greater privileges.
After some unclear actions (switch UAC on/off ?) I ended up in the same situation as described above:
Cmd.exe always starts in Adminstration mode.
Linking in VS failed with the message:
Project : error PRJ0003 : Error spawning 'C:\windows\system32\cmd.exe'.
The Properties | Compatibility tab is greyed out, so switching this off seems impossible (Compatibility modes cannot be set on this program because it is part of this version of Windows).
To recover from this situation you have to edit the registry to remove the RUNASADMIN preferences that is associated with cmd.exe.
The 'RUNASADMIN' preference is stored in these registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Delete the values named c:\windows\system32\cmd.exe and you are back in business !
Kees
Right click on the cmd.exe, select properties and check the compatibility tab. Is the Run this program as an administrator checkbox checked?
This is only happening because you're logged in as a user with administrative privileges.
Since doing so defeats the entire Windows security model, you shouldn't be doing that in the first place. Create a standard user account and log in with that, instead. The command prompt should then not open with administrative privileges since you don't have administrative privileges.
If, as a standard user, you need to open a command prompt with administrative privileges, you'll need to right-click on the shortcut and select the "Run as Administrator" option (just look for the UAC shield). You'll need to provide sufficient credentials to authenticate yourself as an administrator, and then you'll have the authority to wreak whatever havoc you wish.
Found a way to run as a specific user even when UAC is turned off from http://www.sevenforums.com/general-discussion/235987-run-cmd-exe-given-user-administrator-command-line.html
This is the way to start cmd.exe as any user. Replace "username" with the correct one:
cmd.exe> runas /user:username "cmd.exe"
Right click on the cmd shortcut, navigate to properties, select advanced options and uncheck the 'Run as admin' option.
Check this video for better understanding - https://www.youtube.com/watch?v=3Mxh5TNSIl8&list=PLg8CURsOKswrzPs9fMhnmdy9TP7AkOOX1&index=1

Win7: What's the difference between starting Windows Explorer in Admin Mode vs. cmd.exe in Admin mode?

I am currently using a VB-Skript, which is used to start a setup.exe file, which requires administrative privilleges in order to be installed correctly, if it is not started as an administrator it will return a corresponding error message. Both the script and the setup are located on a window share that is located in a network classified as "Worokplace" in Win7 (32 Bit).
I have the foloowing strange effect, which I do not understand:
I run explorer.exe as "Administrator", and start the script by doubleclicking, which results in a final errormessage that setup.exe requires administrative privileges in order to run. I thought that when I run explorer.exe as Administrator, all other processes started within will have the same privileges.
I tried the same by starting cmd.exe as an Administrator, run the vbs by simply typing myscript.vbs, and the installation succeeds.
Obviously, the same script started from explorer with administrative rights and started from cmd.exe with administrative right finally gets different privilleges, which is what I do not understand at all. Can anybody please explain what's going on there?
Thanks alot
Any process can start a child process, and the parent process can choose what environment (including access rights) the child process will run in. The difference is simply that cmd.exe allows child processes to inherit its own environment, while explorer.exe will only apply administrator privileges if it has been told to do so, either by right-click and 'Run as administrator' or by editing the properties of a shortcut.
The bottom line is simply that they are coded that way.

Resources