Posted filed under 70-410, Microsoft MCSA.

  • From the Domain Controller, open a command prompt, type GPMC.MSC (the short name) and press Enter to open the Group Policy Management Console (GPMC). Alternatively, click Start, click the down arrow and select Group Policy Management.

  • We select the Organizational Unit named “Sales” in ‘Active Directory Users and Computers’. We will deploy a Run-disable policy on the Sales OU so that none of its members have access to the Run command in Windows.
  • To create the GPO, right-click the Organizational Unit (Sales) and select ‘Create a GPO in this domain, and Link it here’. This creates a new GPO and links it to the Sales OU.





  • In the ‘New GPO’ console, type a name for the GPO. For this lab we will use the name “Rundisable”.





  • We have created the GPO, but we have not yet defined its settings and restrictions. To disable the Run command using the Group Policy editor, right-click the GPO and then click Edit.





In the GPME console expand “User Configuration”, expand Policies, expand “Administrative Templates Policies”, and select “Start Menu and Taskbar”. Right-click “Remove run menu from start menu”, then click Edit.







  • In the “Remove run menu from start menu” console, the default option “Not Configured” is selected. To disable Run we need to enable the policy, so select the “Enabled” option. Selecting “Disabled” would disable the Run-disable Group Policy. Apply the policy and then click OK. Don’t be confused by the “Enabled” and “Disabled” options: “Enabled” turns the policy on, and “Disabled” turns the policy off.





  • To check whether the Run-disable policy has been applied, log in as a domain user, click Start and then click Run, or press “Windows + R” on the keyboard.





  • If you see the message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator”, the policy has been deployed successfully.




  • The group policy applies to all users in the Sales OU. Suppose we do not want this policy to apply to user Sales3; we then need to deny the policy from being applied to that user. Select the Delegation tab of the Rundisable policy, select Advanced…, click Add in the settings pane, add user Sales3 in the object box and select Check Names to confirm the user object. Click OK.





Select the user name Sales3, scroll down the Permissions for Sales3 list to Apply Group Policy, and check the Deny box.






Make sure to run gpupdate /force from the command prompt, then test the policy from the client while logged in as user Sales3. Another way is to execute gpupdate /force from the Run command:







Users Sales1 and Sales2 should not be able to execute the Run command; user Sales3, however, should now be able to do so.
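
The GPMC steps above can also be scripted and checked. The following PowerShell is an added example, not part of the original post: it creates and links the Rundisable GPO, sets the registry value behind “Remove run menu from start menu”, adds the Deny ACE for Sales3 and reads all three back. The domain `DC=example,DC=com` is a placeholder, and the use of the `NoRun` registry value and a direct ACL edit are this example's assumptions, not something the post shows.

```powershell
# Added example, not from the original post. Assumptions: the domain DN below is
# a placeholder; the GroupPolicy and ActiveDirectory modules (RSAT) are installed;
# the script runs as a domain administrator.
Import-Module GroupPolicy, ActiveDirectory

$domainDn = 'DC=example,DC=com'      # placeholder: replace with your domain
$ouDn     = "OU=Sales,$domainDn"
$gpoName  = 'Rundisable'
$exempt   = 'Sales3'                 # user that must not receive the policy

# Create the GPO and link it to the Sales OU (same result as the GPMC right-click).
$gpo = New-GPO -Name $gpoName -Comment 'Remove Run menu from Start Menu'
New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes | Out-Null

# Enabling "Remove Run menu from Start Menu" is stored as NoRun=1 in the
# per-user Explorer policy key.
$key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'NoRun' -Type DWord -Value 1 |
    Out-Null

# "Apply Group Policy" is an extended right on the GPO's directory object;
# add an explicit Deny ACE for Sales3 (the Delegation > Advanced step).
$applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$sid      = (Get-ADUser -Identity $exempt).SID
$gpoPath  = "AD:\$($gpo.Path)"
$acl      = Get-Acl -Path $gpoPath
$deny     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Deny,
                $applyGpo)
$acl.AddAccessRule($deny)
Set-Acl -Path $gpoPath -AclObject $acl

# Read everything back so the change can be reviewed before users log on.
$setting = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'NoRun'
$link    = (Get-GPInheritance -Target $ouDn).GpoLinks |
               Where-Object { $_.GpoId -eq $gpo.Id }
$denyAce = (Get-Acl -Path $gpoPath).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpo -and
    $_.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
}

[pscustomobject]@{
    NoRunValue      = $setting.Value          # expected: 1
    LinkedAndActive = [bool]($link.Enabled)   # expected: True
    DenyForExempt   = [bool]$denyAce          # expected: True
}
```

After `gpupdate /force`, running `gpresult /r` in each user's session shows Rundisable under the applied GPOs for Sales1 and Sales2 and under the filtered-out GPOs, with the reason Denied (Security), for Sales3. The policy's own help text notes that it affects this interface only and does not prevent users from running programs by other methods, so treat it as a desktop restriction rather than an application control.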







Also published on Medium.
