Group Policy application Settings Encyclopedia
First, desktop project settings
1. Hide unwanted desktop icons
2. Prohibit changes to the desktop
3. Enable or disable Active Desktop
4. To the "Start" menu to lose weight
5. Protect the Taskbar and Start Menu settings
Ii. Hide or disable Control Panel items
1. Prohibit access to the control Panel
2. Hide or disable the "Add/Remove Programs" item
3. Hide or disable "show" items
Third, the System project Setup
1. Do not show welcome screen interface at login
2. Disable Registry Editor
3. Turn off the system auto playback function
4. Turn off Windows Automatic Updates
5. Delete Task Manager
Four, hide or remove items in Windows XP Explorer
1. Delete "Folder Options"
2. Hide the Manage menu item
Five, IE browser project settings
1. Limit the save function of IE browser
2. Lose weight to the toolbar
3. Add a shortcut to the IE toolbar
4. Let IE plugin no longer harass you
5. Protect your personal privacy
6. Prohibit the modification of IE browser's homepage
7. Disable Import and Export favorites
Vi. system security/sharing/permission settings
1. Password Policy
2. User Rights Assignment
3. File and folder Setup auditing
4. Windows 98 access to Windows XP shared directory rejected problem resolution
5. Block access to command prompt
6. Prevent access to registry editing tools
Solution:
First, desktop project settings
In the left window of Group Policy, expand User Configuration---Administrative Templates---the desktop node in turn to see all the settings for the desktop. The main purpose of this node is to manage the user's right to use the desktop and hide the desktop icon.
1. Hide unwanted desktop icons
Some shortcuts on the desktop are easy to remove, but to remove the default icons, such as My Computer, Recycle Bin, and My Network Places, you need to rely on Group Policy. For example, to delete My Documents, simply set it in the delete My Documents icon on the desktop. To hide the Network Places and Internet Explorer icons on your desktop, you can turn on the "Hide My Network Neighborhood icon on the desktop" and "Hide Internet Explorer icons on the desktop" Two policy options in the right-hand pane; If you hide all the icons on your desktop , just turn on the "Hide and disable all items on the desktop" option, and when the "delete My Documents on desktop" icon and "delete My Computer icon on desktop" two options are enabled, "My Computer and My Documents icon will disappear from your desktop; If you don't like it on the desktop Recycle Bin This icon, you can also delete it, by using the "remove Recycle Bin from the desktop" policy entry enabled.
2. Prohibit changes to the desktop
Use Group Policy to prevent others from changing the desktop for some settings. "Prevent users from changing the My document path item prevents users from changing the path to the My Documents folder." The prohibit add, drag, drop, and Close toolbars toolbar item prevents users from adding or removing the taskbar from the desktop. When you double-click enable "Do not save settings on exit", users will not be able to save changes to the desktop. Finally, double-click to enable the "Hide and disable all items on the desktop" setting to remove icons, shortcuts, and all other default and user-defined items from the desktop, and even the right menu of the desktop will be disabled.
3. Enable or disable Active Desktop
With the active Desktop item, you can set various properties of the Active Desktop to suit your needs. The Enable Active Desktop item enables Active Desktop and prevents users from disabling it. The Active Desktop wallpaper item specifies the desktop wallpaper that will be displayed on all users ' desktops. Enabling the "Do not allow changes" item prevents users from changing the Active Desktop configuration.
4. To the "Start" menu to lose weight
The Windows XP Start menu has a lot of menu items that you can remove unwanted by Group Policy. Provides removal of the common program group from the Start menu, My Documents icon, document menu, Network Connections, Favorites menu, Search menu, Help command, run menu, My Pictures icon, my music icon, and My Network Places icon, and so on, are policies. Simply enable the policy for the menu item that you do not want. To remove the "My Documents" icon from the Start menu, take a look at how it's done: in the right window, double-click the delete My Documents icon from the Start menu, click Enabled in the Settings tab of the pop-up dialog box, and then clicking OK, so on the Start menu, "My Documents" The icon will be hidden.
5. Protect the Taskbar and Start Menu settings
If you don't want to let others change the taskbar and Start menu settings, you can turn on the "Prevent changes" taskbar in the right pane and the Start menu ' settings ' and ' prevent access to the context menu for the taskbar ' two policy items. This way, when you right-click the taskbar and click Properties, an error message appears indicating that a setting prohibits the operation.
Ii. Hide or disable Control Panel items
The Control Panel item settings described here refer to the settings for configuring the Control Panel program, primarily for hiding or preventing control Panel items. In the left window of Group Policy, expand User Configuration---Administrative Templates---Control Panel items to see all the settings and child nodes under the Control Panel node.
1. Prohibit access to the control Panel
If you do not want other users to access the computer's control panel, you simply run the Group Policy Editor (Gpedit.msc) and expand the ' local computer ' policy---The User Configuration---Administrative Templates---The Control Panel branch in the left pane, and then the right pane Disable access Control Panel policy enabled. This setting prevents the Control Panel program file (Control.exe) from starting. As a result, others will not be able to start Control Panel (or run any Control Panel items). In addition, this setting removes Control Panel from the Start menu. This setting also removes the Control Panel folder from Windows Explorer.
2. Hide or disable the "Add/Remove Programs" item
Expand Add/Remove Programs item: Double-click the Add/Remove Programs item in Control Panel to delete the item after you enable the delete Add/Remove Programs program. In addition, there are 3 pages in the Add or Remove Programs dialog box: "Change or Remove Programs, add new programs, and Add/Remove Windows Components; When you go to the Add new program page, you will find 3 options:" Add programs from CD-ROM or floppy disk "," from Microsoft Add Programs "and" Add programs from the network ", if you want to hide these specific pages or options, you can enable the appropriate hiding feature directly in the Group Policy Add/Remove Programs entry.
3. Hide or disable "show" items
Expand the display item and discover that this item, like the previous item, hides the tab in the Display Properties dialog box. This
, for example, if you double-click to enable the Hide Desktop tab, the desktop item will no longer appear in the display window. In addition, the user can also enable "Remove Display in Control Panel" so that when you double-click to open the Display item in Control Panel, a dialog box prompts you: The system administrator prevents the Display control Panel from being used.
Custom Control Panel Program: "Hide specified Control Panel program" or "show only specified control Panel program", follow the prompts to hide or show the control Panel items. Expand Display---The Desktop themes item, double-click to enable the delete theme options, block Selection window and button styles, Prevents people from changing themes, windows, and button styles and fonts after you prevent the font size item from being selected. Expand the Printers item, double-click enable Prevent Add printer or prevent delete printer to prevent other users from adding or removing printers. Finally, the Disable Access Control Panel is enabled directly under Control Panel, and the Control Panel will not start.
Third, the System project Setup
This item is set in the User Configuration---Administrative Templates---system. The setting of the system in Group Policy involves many items, such as login, power Management, Group Policy, script, and so on, and the following sections are sorted out as follows:
1. Do not show welcome screen interface at login
Windows 2000 and Windows XP systems have a welcome screen by default when they log on, and although they are beautiful but cumbersome and extend logon hours, they can be dropped by Group Policy. Double-click to enable the "Do not show welcome screen at logon" under the System node, and the Welcome screen will be hidden each time a user logs on.
2. Disable Registry Editor
To prevent others from modifying the registry, you can disable Registry Editor in Group Policy. When you try to start Registry Editor by double-clicking the Block Access Registry Editor entry under the System node, you are prompted that the registered editor has been deactivated by the administrator (Figure 16). In addition, if your registry Editor is locked, you can double-click this setting to select the "Not Configured" item in the "Settings" tab of the pop-up dialog box so that your registry is unlocked. If you want to prevent users from using other registry editing tools to open the registry, double-click Enable "Run only licensed Windows applications".
3. Turn off the system auto playback function
Once you insert the CD into the CD drive, Windows XP starts reading the optical drive and starts the relevant application. In this way, although it has brought convenience to our work, in some cases also brought a lot of trouble. Under the System node, there is an item to turn off AutoPlay, double-click it and click Enabled in the Settings tab of the pop-up dialog box, and select the CD-ROM initiator or all drives item in the Close AutoPlay box.
Note: This setting does not prevent music CDs from playing automatically.
4. Turn off Windows Automatic Updates
Whenever a user connects to Internet,windows XP, it searches for available updates on the user's computer, and prompts the user when the downloaded component is ready for installation or before downloading, depending on the configuration. If you don't like Bill's boss. This is a liberal attitude that can be turned off by Group Policy. Just double-click the Windows Automatic Updates settings item under the System node and select Disabled in the Bouncing dialog box and OK.
If the Windows XP user has canceled the use Welcome screen item, if you press the "Ctrl+alt+del" key at the same time, a Windows security dialog box pops up, which has lock computer, logoff, shutdown, change password, Task Manager, Cancel. 6 function buttons. Everyone knows that every button here plays a key role in the system. To prevent others from operating, you can block these buttons through Group Policy. Find the "Ctrl+alt+del option" under "System", double-click to enable the Delete Task Manager, delete lock computer, delete change password, delete logoff entries to block the Windows Security dialog box, Task Manager, lock Computer, change password, and,, "Cancel" 4 feature buttons. Note: The screen for two menu items, "logout", "Shutdown", under User Configuration---Administrative Templates---taskbar, and the Start menu node.
Four, hide or remove items in Windows XP Explorer
All along, Explorer is the most important tool in Windows system, how to manage resources efficiently and safely has always been the relentless pursuit of computer users. Expand User Configuration---Administrative Templates---Windows Components---Windows Explorer items to see all the settings under the Windows Explorer node. Let's look at how to personalize the Resource Manager through Group Policy
1. Delete "Folder Options"
Folder Options is an important menu item in the Explorer that allows you to modify the way files are viewed and edit how the file types are opened. After we set it up for ourselves, to prevent others from changing at will, you can delete this menu item, and you can do this by double-clicking the "Remove from Tools" menu option menu.
2. Hide the Manage menu item
There is an administration menu item on the shortcut menu that right click My Computer appears in Explorer. This menu item enables you to open a Computer Management window that contains many tools, such as Event Viewer, Local Users and groups, Device Manager, Disk Management, and so on. To protect your computer from other people's unintentional destruction, you can block this menu item by double-clicking on the "Hide admin items" item on the Windows Explorer context menu.
3. Concealment of other items
In addition, you can hide the drive you specified by enabling "Hide these specified drives in My Computer". You can also block the entire network item by enabling the ' Network Neighborhood ' without ' entire networks '. Double-click to enable Remove CD burning feature to remove the CD burning feature from Windows XP. Double-click Enable do not move deleted files to ' Recycle Bin ', then delete the files later without going to the Recycle Bin to delete them directly. Of course, there are a number of projects not mentioned here, you can according to the needs of their own discussion, the appropriate configuration.
Five, IE browser project settings
In the left window of Group Policy, expand User Configuration---Administrative Templates---Windows Components---Internet Explorer entries, and in the right window you can see all the settings and child nodes under the Internet Explorer node. IE is a Web browser with Windows XP, and most users use the browser, but its security is also criticized, the following is through Group Policy to "transform" it.
1. Limit the save function of IE browser
When many people share a computer, in order to keep the hard drive neat, the browser needs to save the function of the use of restrictions, then how to achieve it? Select the user settings---Administrative Templates---windows components
---Internet Explorer---browser menu branch, then, in the right pane, in the ' File ' menu: Disable ' Save as ... ' menu item, ' File ' menu: Disable Save As Web page menu item, ' View ' menu: Disable ' source file ' menu item ' and ' Policy items such as disable context menu are enabled. In addition, if you do not want others to make arbitrary changes to the Internet Explorer settings, you can simply turn on the ' Tools ' menu: Disable ' Internet Options ... ' policy. In addition, you can also disable other items in the pane, depending on your personal needs.
2. Lose weight to the toolbar
If you want to hide the tool buttons in the toolbar, select User Settings---Administrative Templates---windows Components---Internet Explorer---Toolbars branch, and then, in the right pane, double-click the Configure toolbar button policy to eject the " Configure the toolbar Press torsional Properties window, select the Enabled single button on the Settings tab to tick the check box in the list before the name of the button, and to hide some of the buttons, do not tick the check boxes in front of them. Then click OK to press the button
3. Add a shortcut to the IE toolbar
Do not know that you have noticed that many software after the installation of the IE toolbar will be added icon, click it can enable the appropriate program. In fact, you can add a shortcut to any program on the IE toolbar using Group Policy, and here are examples of how to add an ICQ launch icon. Expand the browser user interface under Internet Explorer Maintenance. Double-click the browser toolbar customization settings item, and in the dialog box that comes in, type the Add button in the toolbar title of the Browser toolbar button Information dialog box, and then enter ICQ in the toolbar action Input D:funicqliteicqlite.exe, and then casually choose a "color icon" and "grayscale icon", of course, you can also use Exescope, etc. to extract ICQ icon. After clicking OK, the IE toolbar has an extra ICQ icon!
4. Let IE plugin no longer harass you
We usually surf the web on the Internet, there will always be some pop-up such as "whether to install Flash plugin", "Whether to install 3721 network real name" prompts, just as annoying as advertising window. In fact, we can suppress this hint in Group Policy by enabling the "Disable automatic installation of Internet Explorer components" under the Internet Explorer node. However, sometimes this function is also very good, so before you disable this feature, please give a little thought.
5. Protect your personal privacy
By clicking the History button on the IE toolbar, you can learn about the pages and files that you have previously browsed. For confidentiality, you can double-click to enable the "Do not keep records of recently opened documents" and "clear recently opened document records when exiting" Two settings under the Internet Explorer node. Then click the History button on the IE toolbar and the history pages you visited will disappear.
6. Prohibit the modification of IE browser's homepage
If you don't want others to make changes to your home page, enable the "Disable Change home settings" setting under the Internet Explorer node to prevent people from changing your home page. You can also use the browser menu to enable settings to mask several menu items in IE browser. Finally, under the Internet Control Panel node, you can also hide some of the tabs in the Internet Options dialog box.
If this policy is enabled, the settings for the home area of the General tab in IE Browser are dimmed in the Internet Options dialog box.
Special NOTE: If you set the "Disable regular pages" policy in the User Configuration---Administrative Templates---Windows components---internet Explorer---Internet Control Panel, you do not need to set this policy because the "Disable regular pages" Policy deletes the General tab on the interface.
7. Disable Import and Export favorites
Prevents users from importing or exporting favorite links using the Import/Export Wizard menu item. User Configuration Management templates Windows Components Internet Explorer.
If you enable this policy, the Import/Export Wizard menu item will not be able to import/export favorites links and cookies. If you disable this feature or do not configure it, users can import/export favorites in IE by clicking the Import and Export menu item on the File menu, and then running the Import/Export Wizard.
Note: If you enable this policy, users can still view the Import/Export Wizard, but when the user clicks the Finish button, a message appears indicating that the feature has been disabled.
Vi. system security/sharing/permission settings
Security has been a focus of attention since its own computer, and Windows XP is no exception. In Group Policy, the system security configuration is typically done in the "Computer Configuration"---"Windows Settings"---"Security settings."
This policy is configured in the account policy---the Password Policy node. Password is a major hidden danger of system security, the minimum length of a password (password) can be set by using Group Policy: double-click to enable the password must meet complexity requirements setting, and then double-click the Minimum password length setting to set the minimum password length to 8 or greater in the Bouncing dialog box, This will then set the account password must enter more than 8 digits, security is much higher.
2. User Rights Assignment
Expand Local Policy---the User Rights Assignment node, and in the right window you can see all the settings under the User Rights Assignment node. Appropriate assignment of user rights can solve some strange problems, such as a friend who uses Windows XP on a local area network will often find a strange phenomenon, that is, even if you enable the Guest user and give permissions, users of other Win9x operating systems on the LAN are still unable to access windows Shared resources in the XP system. This problem can be resolved by modifying the settings in Group Policy by double-clicking the "Deny access to this computer from the network" setting under the User Rights Assignment node, selecting "Guest" in the pop-up dialog box, and then clicking Delete to finalize. Under the User Rights Assignment node, you can also add many permissions to the user, such as adding remote shutdown permissions to the guest, and adding permissions to the general user to change the system time.
3. File and folder Setup auditing
Windows XP Professional can use audit trails to access user accounts for files or other objects, logon attempts, system shutdown or restart, and similar events. Auditing files, folders ( NTFS file systems only) can guarantee the security of files and folders. Before auditing occurs, you must use Group Policy to specify the type of event to audit. The steps for setting up auditing for files and folders are as follows.
Note:
1. Group Policy does not exist on the home version of the WINDOWSS system;
2. Group Policy settings are risky, please be careful to submit backup data.
A. Click to select Start---The Run command, type the "gpedit.msc" command in the pop-up Run dialog box, and then click OK to press the button; You can also create a shortcut on the desktop.
B. In the Group Policy window that pops up, expand the Computer Configuration---Windows Settings---security settings---The Local Policies branch in the right pane, and then select the Audit Policy option under that branch.
C. In the right pane, double-click the Audit object access option, and in the Local Security policy Settings window that pops up, tick the success and Failure check boxes in the Local Policy settings box. As shown in Figure 12. and click OK to press the button
D. Right-click the file (or folder) that you want to audit. Select the Properties command for the shortcut menu, and then select the Security tab in the pop-up window.
E. Click the Advanced button, and then select the Auditing tab.
F. Choose your actions as appropriate:
(1) If you set up auditing for a new group (or user), click the Add button, type a new user name in the Name box, and then click OK to press the button to open the Audit Entry dialog box.
(2) To view (or change) an existing group (or user) audit, select the user name, and then click View/Edit.
(3) To delete an existing group (or user) audit, select a user name, and then click Delete to press the button.
g. If necessary, select the place in the Apply to list in the Audit Entries dialog box where you want to audit (the Apply to list is valid only for folders).
H. If you want to prevent files and subfolders in the tree from inheriting these auditing entries, select the Apply these auditing items only to objects and/or containers within this container check box.
If the check box under Access in the Audit Entries dialog box is dimmed, or if the Delete button is unavailable in the Access Control Settings dialog box, auditing from the parent folder is inherited.
Note that you must be a member of the Administrators group or a user who is authorized in Group Policy to have the Manage auditing and security log permission to audit files or folders. Before Windows XP audits files, folders, you must enable Audit object access for Audit policy in Group Policy. Otherwise, when you finish setting up files, folder auditing, you return an error message and the files and folders are not audited. The Event Viewer enables you to check for successful or unsuccessful attempts to access audited files and folders.
4. Windows 98 access to Windows XP shared directory rejected problem resolution
In a local area network, you can often encounter Windows 2000-equipped computers that have shared directories, while Windows 98 computers are inaccessible. This can be found on Microsoft's official web page, prompting you to open Windows 2000 guest users. But when Windows XP comes out, it's the same problem, and some people find that this is not the way, and the shared directory of Windows XP from the Network Neighborhood is not necessarily allowed. Why? This problem also bothered me for several days, and then inadvertently found the answer to the question, perhaps this is a Windows XP bug? When the system guest user is turned on, run the Group Policy Editor program, in the local Computer policy---Computer Configuration---Windows Settings---security settings---Local Policy---user Rights Assignment---Deny access to this computer from the network You can see the guest user! If you delete the guest user here, other computers can view the shared directory of this computer from your network Neighborhood.
5. Block access to command prompt
Prevents the user from running the Command Prompt window (Cmd.exe). This setting also determines whether the batch files (. cmd and. bat) can be run on the computer. Location: User Configuration Admin Template system If this setting is enabled, the user attempts to open the
To the window, the system displays a message explaining that the setting prevents this operation. Note: If your computer uses logon, logoff, startup, or shutdown batch file scripts, it does not prevent the computer from running batch files, nor does it prevent users who use Terminal Services from running batch files.
6. Prevent access to registry editing tools
This policy disables Regedit.exe to disable the Windows Registry Editor. This can largely prevent malicious code on the Web page from tampering with IE. Location: User Configuration Management Template system if this setting is enabled and the user attempts to start Registry Editor, the message that the settings prohibit such actions appears. To prevent users from using other system administration tools, use the "Run only licensed Windows applications" policy setting.
1. Group Policy cannot be used after the program is blocked
You can restore settings by restarting your computer, pressing F8 when the Startup menu appears, selecting the Safe Mode with Command prompt option on the Windows Advanced Options menu, and then running mmc.exe at the command prompt. In the console window that opens, click the file---Add/remove snap-in---Add---Group Policy---add---complete---close---ok, now that you have added a Group Policy console, then change the original settings back, and then re-enter windows.
2. Delete a shared document from My Computer
When a Windows user is in a workgroup, a shared document icon appears in the Windows Explorer Web view in other locations and other files stored on this computer. With this setting, you can choose not to display these items. Local Computer Policy---> User Configuration---> Administrative Templates--->windows components--->windows resource Manager If you enable this setting, the Shared Documents folder will not be displayed as a Web view or appear in My computer. If you disable this setting or do not configure it, the Shared Documents folder will appear as Web view or in computer when the user is part of a workgroup.
