How to Disable Run Command using Group Policy Editor

Group Policy Editor to Disable Run Command

Run command can be used to execute applications by typing the application name e.g. you can open Notepad from run command by typing “notepad”, you can open Calculator from open command by typing “calc” or open command prompt by typing “cmd”, etc. Similarly you can execute multiple other application. By default it is enable in all the Operating Systems either client OS or Server OS. However, in some of the Organizations where you want to restrict users to use only predefined applications, you can use disable run command using Group Policy editor.

Group Policy Editor can also be known as Group Policy Management Console (GPMC), GPMC is a Microsoft management console(MMC) snap in, providing a single administrative tool for managing GPs across the enterprise. Local Group Policy Editor can be open by typing “GPEDIT.MSC” or “SECPOL.MSC” alternatively open GPMC by typing “GPMC.MSC“.

As we already know and learned in the Group Policy Management and Preferences post that GP can be deployed on Users and Computers but it cannot be deployed on Groups. In addition to that, we also learned that GPOs linked with OU has highest level of preferences in comparison with GPOs linked with Local Computers, Site or Domain.

Before we disable run command using Group Policy editor, first check if domain users are able to see and use it or not. To verify the same login with the domain user on client machine, click on start and click on run or press Windows + R from keyboard. It would open run command and confirms that it is working fine for domain users.

Group Policy Objects

All the settings, restrictions, policies, etc that we deploy for domain users or computers are by using Group Policy Objects. Even it can be used to define password settings, remotely software installation on multiple computers, restrict software, hide or restrict computer drives, etc. GPOs are the collection of settings, created on Domain Controllers and linked to site, domain and organizational units. Newly created GPOs are like a blank template, we need to define the settings restrictions, etc. To disable run command, we need to create a GPO and define the settings and link it with the OU that contains the users. It is for users therefore link it with the OU that has users in it.

Disable Run Command using Group Policy Editor

1. To start with, we have created Organizational unit with the name “IT” in ‘Active directory Users and Computers’ and added two users(Tu01 & Tu02) to deploy run disable policy on them.

How to apply Rundisable policy (1)
2. To start with, go to Domain Controller, open command prompt and type GPMC.MSC (short name) and hit enter, this would open GPMC or click on Start then click on down arrow and select Group Policy Management.

3. To create GPO, right click on Organizational Unit(IT) and select ‘create a GPO in this domain and linked it here‘. It would create new GPO and link the same with IT OU.

How to apply Rundisable policy (2)

4. In ‘New GPO’ console’ type the name of  GPO, for this practical we’ll give the name “Rundisable”

How to apply Rundisable policy (3)
5. We have created the GPO but we have not defined the settings and restrictions to disable run command using group policy editor, right click on GPO and then click on Edit.

How to apply Rundisable policy (4)


6. In GPME console extend “User Configuration”, expand Policies, expand  “Administrative Templates Policies“, select “Start Menu and Taskbar”. Right click on “Remove run menu from start menu” then click on edit.

How to apply run disable policy

7. In “Remove run menu from start menu” console default option of “Not Configured” is selected. To disable run we need to enable the policy therefore select the “Enabled” option. Selecting “Disabled” option would disable the “Run Disable Group Policy“. Apply the policy and then click on ok. Don’t get confused because of “Enabled” and “Disabled” options. Enabled option is to enable the policy and Disabled option is to disable the policy.

How to apply run disable policy

8. To check if the run disabled policy is applied or not. Login with domain user, click on start and then click on run or press “Windows + R” from the keyboard. If it doesn’t work then it confirms that setting is deployed successfully.

How to apply run disable policy


9. If you see a message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator” confirms that policy is deployed successfully.


How to apply run disable policy

One thought on “How to Disable Run Command using Group Policy Editor

  • March 2, 2017 at 2:57 pm

    Any tweak or alternate to enable Command prompt even when it is disabled using Group Policy ?

Comments are closed.