- On the Domain Controller, open a command prompt, type GPMC.MSC (the short name) and press Enter to open the Group Policy Management Console (GPMC). Alternatively, click Start, click the down arrow and select Group Policy Management.
- We select the Organizational Unit named “Sales” in ‘Active Directory Users and Computers’. We will deploy the run-disable policy on the Sales OU so that none of its members have access to the Run command in Windows.
- To create the GPO, right-click the Organizational Unit (Sales) and select ‘Create a GPO in this domain, and Link it here’. This creates a new GPO and links it to the Sales OU.
- In the ‘New GPO’ console, type a name for the GPO. For this lab we will use the name “Rundisable”.
- We have created the GPO, but we have not yet defined its settings and restrictions. To disable the Run command using the Group Policy editor, right-click the GPO and then click Edit.
- In the GPME console, expand “User Configuration”, expand Policies, expand “Administrative Templates Policies”, then select “Start Menu and Taskbar”. Right-click “Remove Run menu from Start Menu”, then click Edit.
- In the “Remove Run menu from Start Menu” console, the default option “Not Configured” is selected. To disable Run we need to enable the policy, so select the “Enabled” option. Selecting the “Disabled” option would disable the “Run Disable Group Policy”. Apply the policy and then click OK. Don’t be confused by the “Enabled” and “Disabled” options: Enabled turns the policy on, and Disabled turns the policy off.
- To check whether the run-disable policy has been applied, log in as a domain user, click Start and then click Run, or press “Windows + R” on the keyboard.
- If you see the message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator”, the policy has been deployed successfully.
- The group policy applies to all users in the Sales OU. Suppose we do not want this policy to apply to user Sales3; we then need to deny the policy for that user. Select the Delegation tab of the Rundisable policy, select Advanced…, click Add in the settings pane, then enter user Sales3 in the object box and select Check Names to confirm the user object. Click OK.
Select the user name Sales3, scroll down the “Permissions for Sales3” list to Apply Group Policy and check the Deny box.
Make sure to run gpupdate /force from the command prompt, then test the policy from the client while logged in as user Sales3. Another way is to execute gpupdate /force from the Run command.
Users Sales1 and Sales2 should not be able to use the Run command; user Sales3, however, should now be able to do so.
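The same GPO can be created, linked and checked from PowerShell with the GroupPolicy module on the Domain Controller. This is an added example, not part of the original walkthrough: the OU distinguished name is a placeholder for your own domain, and the setting is written through the per-user NoRun policy value that “Remove Run menu from Start Menu” controls.

```powershell
# Added example: scripted equivalent of the GPMC steps above.
Import-Module GroupPolicy

$GpoName = 'Rundisable'
# Placeholder DN (assumption): replace with the distinguished name of your Sales OU.
$OuDn    = 'OU=Sales,DC=example,DC=com'

# "Remove Run menu from Start Menu" is stored as this per-user policy value.
$Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoRun'

# Create the GPO only if it is missing, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Removes Run from the Start menu for Sales users'
}

# 1 = policy Enabled (Run is removed); this matches selecting "Enabled" in the editor.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value 1 | Out-Null

# Link the GPO to the Sales OU unless a link already exists.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# Verification 1: the setting stored in the GPO is what we expect.
$setting = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName
if ($setting.Value -ne 1) {
    Write-Warning "NoRun is $($setting.Value); expected 1"
}

# Verification 2: the GPO is linked and the link is enabled.
(Get-GPInheritance -Target $OuDn).GpoLinks |
    Where-Object DisplayName -eq $GpoName |
    Format-Table DisplayName, Enabled, Enforced, Order

# Verification 3: list who holds permissions on the GPO. The Deny entry for
# Sales3 is left to the Delegation tab, as described in the steps above.
Get-GPPermission -Name $GpoName -All |
    Format-Table Trustee, TrusteeType, Permission

# Keep a report of the GPO for change records.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"

# On a client, after gpupdate /force, confirm which GPOs reached the user:
#   gpresult /r /scope user
```

Run gpresult once as Sales1 and once as Sales3: Rundisable should appear under the applied GPOs for Sales1 and under the filtered-out GPOs for Sales3.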