Skip navigation

JSI Tip 2998. How can I manage who can use the Windows 2000 CMD prompt?

The Disable the command prompt Group Policy, at User Configuration\Administrative Templates\System, is used to manage who has access to the CMD prompt.

If the policy is left Not configured, you can use Regedt32 to navigate to:


On the Edit menu, Add Value name DisableCMD, as a REG_DWORD data type.

If the DisableCMD value name is missing from the registry, the user can run CMD.exe and batch files.

If the data value is set to 1, the user can NOT run CMD.exe, but the system can run batch files while the user is logged on.

If the data value is set to 2, the user can NOT run CMD.exe, and batch files can NOT be run on the system while the user is logged on.

NOTE: If add DisableCMD, you must also navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Policies\Microsoft\Windows\System

and add DisableCMD there also.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.