Protecting the server from undesired user interventions

Hello, I am preparing a windows server 2019 for company users, and need to restrict their accesses to the scope of their work. For reasons of security of the server I will not allow them to install programs themselves, nor to access the C: drive with the system programs, nor to shut down the server, etc… I already have implemented a nice list of restrictions, but I don’t find how to avoid the start menu to give them access to apps like “Server Manager” and “Window Power Shell”. I tried via creating Group Policy Objects → user configuration → policies → administrative templates - > System → Don’t run specified windows applications. Then in the the list of disallowed applications, I filled in “Server Manager”, but it does not work (they still can run the program). Probably I did not fill in the correct name, but the problem is that it does not indicate a list to choose from, so I get stuck with trial and error to fill in the correct name. Am I on a wrong track or does anyone know which program name to fill in? Thanks!

Hi @robert.frans

Try entering the following executables:

ServerManager.exe
cmd.exe
powershell.exe

Let us know if that works for you.

Ricardo

Hi Ricardo, I tried as you said, but they still have the ability to run these programs. Do you know of any other way? Thanks

I’ll be checking Robert.

Hi @robert.frans

I checked the settings in the lab, and the way you are doing it should work, just by entering the executables on the list.

Check the following link. It is Windows 10 but I did it on a member server configuring the GPO in AD.
How to disable PowerShell on Windows 10

Another way to do it is by creating a Software Restriction GPO. I did it for PowerShell only and it seems to be working (not executing or running PowerShell) as a regular user.
How to Disable PowerShell with Group Policy

In both cases, I have applied the GPO to the domain users folder.

Ricardo