How to set common Group Policies

Failure phenomena:

Group Policy app Settings Daquan

First, the Desktop project settings

1. Hide unnecessary desktop icons

2. Prohibit changes to the desktop

3. Enable or disable active desktops

4. Give the Start menu weight loss

5. Protect the Taskbar and Start Menu settings

Second, hide or suppress control Panel items

1. Disable access to the Control Panel

2. Hide or disable the Add/Remove Programs item

3. Hide or suppress the "display" item

Third, System project settings

1. Do not display the Welcome screen interface at login

2. Disable Registry Editor

3. Turn off the system AutoPlay function

4. Turn off Windows Automatic Updates

5. Delete Task Manager

Iv. hiding or deleting items in Windows XP Explorer

1. Delete "Folder Options"

2. Hide the "Manage" menu item

Five, IE browser project settings

1. Restrict the save function of IE browser

2. Lose weight to the toolbar

3. Add a shortcut to the IE toolbar

4. Let IE plugin no longer harass you

5. Protect your personal privacy

6. Disable modifying the homepage of IE browser

7. Disable Import and Export favorites

Vi. system security/sharing/Permissions settings

1. Password Policy

2. User Rights Assignment

3. File and folder settings auditing

4. Windows 98 access to Windows XP shared directory rejected issues resolved

5. Block access to the command prompt

6. Block access to registry editing tools

Solution:

First, the Desktop project settings

In the left window of Group Policy, expand User Configuration---Administrative Templates---Desktop node to see all the settings for the desktop. The primary role of this node is to manage the user's right to use the desktop and hide the desktop icon.

1. Hide unnecessary desktop icons

Some shortcuts on the desktop can be easily removed, but to remove the default icons like my Computer, Recycle Bin, My Network Places, you need to rely on Group Policy. For example, to delete My Documents, just set it up in the delete My Documents icon on my desktop. To hide the Network Places and Internet Explorer icons on your desktop, you can turn on the "Hide My Network Places on the desktop" and "Hide Internet Explorer icons on the desktop" Two policy options in the right pane, if you hide all icons on the desktop , as long as "hide and disable all items on the desktop" is enabled; when the "delete My Documents on desktop" and "delete My Computer icons on desktop" two options are enabled, the "My Computer" and "My Documents" icons will disappear from your desktop, if you don't like them on the desktop Recycle Bin "This icon, then you can also delete it, specifically by the" remove Recycle Bin from the desktop "policy entry enabled.

2. Prohibit changes to the desktop

Group Policy can be used to prevent others from changing the desktop for certain settings. The Prevent users from changing the My Documents path entry prevents users from changing the path to the My Documents folder. The prohibit adding, dragging, dropping, and closing toolbars for taskbar item prevents users from adding or removing the taskbar from the desktop. When you double-click Enable "Do not save settings on exit", users will not be able to save changes to the desktop. Finally, double-clicking the "Hide and disable all items on desktop" setting item will remove icons, shortcuts, and other default and user-defined items from the desktop, and even the desktop context menu will be disabled.

3. Enable or disable active desktops

With the Active Desktop item, you can set the various properties of the active desktops to suit your needs. The Enable Active Desktop item enables the Active Desktop and prevents users from disabling it. The Active Desktop wallpaper item specifies the desktop wallpaper to be displayed on all users ' desktops. Enabling the "Do not allow changes" item prevents users from changing the Active Desktop configuration.

4. Give the Start menu weight loss

The Windows XP Start menu has many menu items that can be removed by Group Policy that are not needed. Provides policies for deleting a common program group from the Start menu, the My Documents icon, the document menu, the network Connections, the Favorites menu, the Search menu, the Help command, the Run menu, the My Pictures icon, the My Music icon, and the My Network Places icon. Simply enable the policy for the menu item that you don't want. To remove the "My Documents" icon from the Start menu, take a look at how to do this: double-click the "Remove My Documents from the Start Menu" item in the right window, click "Enabled" in the Settings tab of the Pop-up dialog, then "OK" on the Start menu, "My Documents" The icon will be hidden.

5. Protect the Taskbar and Start Menu settings

If you don't want to let others change the settings of the taskbar and Start menu, just turn on the block changes taskbar and Start Menu settings and prevent access to the taskbar's context menu in the right pane for two policy items. This way, when you right-click the taskbar and click Properties, an error message appears, prompting the message that a setting prohibits this operation.

Second, hide or suppress control Panel items

The Control Panel project settings described here refer to the settings of the Configuration Control Panel program, which are primarily used to hide or suppress control Panel items. In the left window of Group Policy, expand User Configuration---Administrative Templates---Control Panel items to see all the settings and child nodes under the Control Panel node.

1. Disable access to the Control Panel

If you do not want other users to access the computer's control panel, you can simply run the Group Policy Editor (Gpedit.msc), expand the local computer policy in the left pane---User Configuration---Administrative Templates---Control Panel Branch, and then the right pane Disable access Control Panel policy enabled. This setting prevents the start of the Control Panel program file (Control.exe). As a result, others will not be able to start Control Panel (or run any Control Panel items). In addition, this setting removes the Control Panel from the Start menu. This setting also removes the Control Panel folder from Windows Explorer.

2. Hide or disable the Add/Remove Programs item

Expand Add/Remove Programs item: After you double-click the Remove Add/Remove Programs program setting item, the Add/Remove Programs item in Control Panel is removed. In addition, there are 3 pages in the Add or Remove Programs dialog box: Change or Remove Programs, add new programs, add/Remove Windows components, and when you go to the Add new program page, you will find 3 options: "Add a program from a CD-ROM or floppy disk," " Microsoft Add programs and add programs from the network, if you want these specific pages or options to be hidden, you can enable the corresponding hide feature directly in the Group Policy Add/Remove Programs item.

3. Hide or suppress the "display" item

Expand the display item to discover that this is the same as the previous item to hide the tabs in the Display Properties dialog box. This

, for example, when you double-click Enable Hide Desktop tab, the desktop item no longer appears in the display window. In addition, here the user can also enable "Remove Display in Control Panel", so in Control Panel double-click open "Display" Item, a dialog box prompts you: System administrator prohibits the use of the "Display" Control Panel.

4. Other

Custom Control Panel Program: "Hide specified control Panel programs" or "show only specified control Panel programs", and follow the prompts to hide or show Control Panel items. Expand Display---Desktop themes item, double-click to enable remove theme options, block Selection window and button style, Disable the Select Font size item to prevent others from changing the theme, window, and button styles, fonts. Expand the Printers item, and double-click Enable Prevent Add printer or prevent deletion of printers to prevent other users from adding or removing printers. Finally, the control Panel will not start by enabling the Disable access Control Panel directly under Control Panel.

Third, System project settings

This is set in the User Configuration---Administrative Templates---system. The setting of the system in Group Policy involves many projects such as login, power Management, Group Policy, script and so on, and the following sections are sorted out in close contact with us:

1. Do not display the Welcome screen interface at login

Windows 2000 and Windows XP systems have a welcome screen by default when they log on, but they can be removed by Group Policy, although they are beautiful but cumbersome and extend the logon time. Double-click the "Do not show welcome screen at logon" under the System node, and the Welcome screen will be hidden each time the user logs on.

2. Disable Registry Editor

To prevent others from modifying the registry, you can disallow access to the Registry Editor in Group Policy. After you double-click Enable the block access to Registry Editor entry under the System node, when a user tries to start the Registry Editor, the system prompts: registered edits have been disabled by the administrator (Figure 16). In addition, if your registry Editor is locked, you can also double-click this setting and click the "Not Configured" item in the "Settings" tab of the popup dialog box so that your registry is unlocked. If you want to prevent users from using other registry editing tools to open the registry, double-click Enable run only licensed Windows applications.

3. Turn off the system AutoPlay function

Once you insert the disc into the CD drive, Windows XP starts reading the optical drive and launches the associated application. This has brought us a lot of trouble at some point, although it has facilitated our work. Under the System node, there is an entry for the Turn off AutoPlay setting, double-click it and click Enabled in the Settings tab of the Pop-up dialog box, and select the CD-ROM launcher or all drives item in the Turn off AutoPlay box.

Note: This setting does not prevent the music CD from playing automatically.

4. Turn off Windows Automatic Updates

Whenever a user connects to Internet,windows XP, it searches for available updates on the user's computer and, depending on the configuration, prompts the user when the downloaded component is ready for installation or before it is downloaded. If you don't like Bill Boss's attitude, you can turn off this feature by using Group Policy. Simply double-click the Windows Automatic Updates setting item under the System node, click Disabled in the Pop-up dialog box, and then OK.

5. Delete Task Manager

If the Windows XP user has canceled the "Use Welcome screen" item, if you press the "Ctrl+alt+del" key at the same time, a "Windows Security" dialog box will appear with "Lock Computer", "Logoff", "Shut Down", "Change Password", "Task Manager", "Cancel" 6 function buttons. Everyone knows that every button here plays a key role in the system. To prevent others from working, these buttons can be masked through Group Policy. Find "Ctrl+alt+del Options" under "System", double-click Enable "Remove Task Manager", "Remove" Lock Computer "," Delete Change Password "," Remove logout "item can be blocked the Windows Security dialog box," Task Manager "," Lock the Computer "," Change Password ", "Cancel" 4 function buttons. Note: the "logoff", "Shutdown" two menu items are masked in the user Configuration---Administrative Templates---Taskbar and start Menu node.

Iv. hiding or deleting items in Windows XP Explorer

Resource managers have always been the most important tool in Windows systems, and how to manage resources efficiently and securely has always been a relentless pursuit of computer users. Expand User Configuration---Administrative Templates---Windows Components---Windows Explorer items, and you can see all the settings under the Windows Explorer node. Let's take a look at how the Resource Manager personalization is implemented through Group Policy

1. Delete "Folder Options"

Folder Options is an important menu item in the Explorer that allows you to modify how files are viewed, and edit how the file types are opened. Once we have set it up ourselves, to prevent others from changing it, you can delete this menu item and you can do this by double-clicking the Remove Folder Options menu from the Tools menu.

2. Hide the "Manage" menu item

In the shortcut menu that appears in Explorer, right-click My Computer, you have a manage menu item that opens a Computer Management window that contains many tools, such as Event Viewer, Local Users and groups, Device Manager, Disk Management, and so on. To protect your computer from unintentional destruction by others, you can block this menu item by double-clicking the Manage items item on the Hide Windows Explorer context menu.

3. Other items are hidden

Also hide the drive you specified by enabling "Hide these specified drives in My Computer". You can also block out the entire network item by enabling ' Network Places ' without ' whole networks '. Double-click Enable Remove CD burning feature to remove the CD burning feature that comes with Windows XP. Double-click Enable "Do not move deleted files to the Recycle Bin" then delete the files later will not go to the Recycle Bin directly deleted. Of course there are a lot of projects here are not mentioned, we can according to the needs of their own discussion, appropriate configuration.

Five, IE browser project settings

In the left window of Group Policy, expand User Configuration---Administrative Templates---Windows Components---Internet Explorer items, and in the right window you will see all the settings and child nodes under the Internet Explorer node. IE is a Windows XP-brought web browser, but also the majority of users of the browser, but its security is also criticized, the following through Group Policy to "transform" it.

1. Restrict the save function of IE browser

When many people share a computer, in order to keep the hard disk clean, the browser needs to save the function to restrict use, then how to do it? Select User Settings---Administrative Templates---windows components

---Internet Explorer---The browser menu branch, and then the File menu in the right pane: Disable Save As ... menu item, File menu: Disable Save As Page menu item, View menu: Disable ' source file ' menu item ', ' and ' ' ' Disable the context menu "and other policy items are enabled. In addition, if you do not want other people to make changes to the settings of IE, you just have the "Tools" menu: Disable the ' Internet Options ... ' policy enabled. In addition, other items can be disabled in this pane, depending on your individual needs.

2. Lose weight to the toolbar

If you want to hide the tool buttons in the toolbar, choose User Settings---Administrative Templates---windows Components---Internet Explorer---Toolbars branch, and then double-click the Configure toolbar buttons button in the right pane to pop up the Configure the toolbar Button Properties window, select the Enabled radio button on the Settings tab, tick the check boxes in the list that you want to display in front of the button name, and then uncheck the boxes in front of them to hide some of the buttons. Then click OK to press the button

3. Add a shortcut to the IE toolbar

I don't know if you have noticed, many software will add an icon on the IE toolbar after installation and click it to enable the program. In fact, using Group Policy to add a shortcut to any program on the IE toolbar, here is an example of how to add an ICQ startup icon. Expand Browser User interface under Internet Explorer Maintenance, double-click the browser toolbar customizations setting, click the Add button in the Pop-up dialog box, and in the toolbar title of the Browser toolbar button Information dialog box, type: ICQ, in toolbar actions Enter D:funicqliteicqlite.exe, then choose a "color icon" and "grayscale icon", of course, you can also use Exescope and so on to extract the ICQ icon). After clicking OK, an ICQ icon will be in the IE toolbar!

4. Let IE plugin no longer harass you

When we usually surf the web, we always pop up some tips like "whether to install Flash plugin" or "Install 3721 Network Name", just as annoying as the advertisement window. In fact, we can prevent this prompt from appearing in Group Policy by enabling the "Disable automatic installation of Internet Explorer components" under the Internet Explorer node. However, this feature is sometimes useful, so consider it before you disable it.

5. Protect your personal privacy

In general, you can learn about previously viewed Web pages and files by clicking the History button on the IE toolbar. For the sake of secrecy, you can double-click the "Do not keep records of recently opened documents" and "purge Recent documents on exit" Two settings under the Internet Explorer node, so that clicking the history button on the IE toolbar disappears all of the history page records that you have visited.

6. Disable modifying the homepage of IE browser

If you don't want others to make changes to your page, enable the Disable Change home settings setting under the Internet Explorer node to prevent others from changing your page. You can also block several menu items in IE by accessing the browser menu and enabling the settings. Finally, under the Internet Control Panel node, you can also hide some of the tabs in the Internet Options dialog box.

If this policy is enabled, the settings for the home area of the General tab of the Internet Options dialog box in IE browser will be dimmed.

Special NOTE: If you set the "Disable general pages" policy in the "User Configuration"---Administrative Templates---Windows components---internet Explorer---the Internet Control Panel, you do not have to set this policy because the General page is disabled The policy removes the General tab on the interface.

7. Disable Import and Export favorites

Prevents users from importing or exporting favorite links using the Import/Export Wizard menu item. User Configuration Administrative Templates for Windows Components Internet Explorer.

If you enable this policy, the Import/Export Wizard menu item will not be able to import/export favorite links and cookies. If you disable this feature or do not configure it, users can import/export favorites in IE by clicking the Import and Export menu item on the File menu, and then running the Import/Export Wizard.

Note: If you enable this policy, users can still view the Import/Export Wizard, but when the user clicks the Finish button, a prompt stating that the feature has been disabled will appear.

Vi. system security/sharing/Permissions settings

Since its own computer, security has been the focus of attention, Windows XP is no exception. In Group Policy, system security configuration is generally done in the Computer Configuration---Windows Settings---security settings.

1. Password Policy

This policy is configured in the account policy---the Password Policy node. Password is a major security risk, you can set the minimum password length by Group Policy: double-click the Enable password must meet complexity requirements setting item, and then double-click the Minimum password length setting item to set the minimum password length to 8 or greater in the Pop-up dialog box. In this way, the account password must be entered more than 8, security is much higher.

2. User Rights Assignment

Expand Local Policies---the User Rights Assignment node, and in the right window you will see all the settings under the User Rights Assignment node. Assigning user rights appropriately can solve some strange problems, such as a friend who uses a Windows XP system on a local area network to find a strange phenomenon, that is, even if you enable the Guest user and give permission, users of other Win9x operating systems on the LAN will not be able to access windows Shared resources in the XP system. This issue can be resolved by modifying the settings in Group Policy by double-clicking the Deny access to this computer from the network setting item under the User Rights Assignment node, clicking Guest in the Pop-up dialog box, and then click Delete, and then finalize. You can also add many permissions to users under the User Rights Assignment node, such as adding remote shutdown permissions to guest, and adding permissions to the average user to change the system time.

3. File and folder settings auditing

Windows XP Professional can use audit trails to track user accounts, logon attempts, system shutdowns or restarts, and similar events that are used to access files or other objects. Auditing files and folders (only for NTFS file systems) guarantees the security of files and folders. Before an audit occurs, you must use Group Policy to specify the type of event to audit. The steps to set up auditing for files and folders are as follows.

A. Click to select Start---Run command, type the Gpedit.msc command in the Run dialog box that pops up, and then click OK to press the button; You can also create a shortcut on your desktop.

B. In the Group Policy window that pops up, expand Computer Configuration in the right pane---Windows Settings---security settings---Local Policies branch, and then select the Audit Policy option under that branch.

C. In the right pane, double-click the "Audit object access" option, and in the pop-up "Local Security policy settings" window, tick the "success" and "failed" checkboxes in the "Local Policy settings" box. As shown in Figure 12. Then click OK to press the button

D. Right-click the file (or folder) you want to audit. Select the Properties command for the shortcut menu, and then select the Security tab in the Pop-up window.

E. Click the Advanced button, and then select the Auditing tab.

F. Select your actions as appropriate:

(1) If you set up an audit for a new group (or user), click the Add button, type the new user name in the Name box, and then click OK to open the Audit Entry dialog box.

(2) To view (or change) an existing group (or user) audit, select the user name, and then click the View/Edit button.

(3) To delete an existing group (or user) audit, select the user name, and then click Delete to press the button.

G. If necessary, select where you want to audit in the Apply to list in the Audit Items dialog box (the Apply to list is only valid for folders).

H. If you want to prohibit files and subfolders in the directory tree from inheriting these auditing entries, select the Apply these auditing items only to objects and/or containers within this container check box.

If the check box under Access in the Audit Entry dialog box is dimmed, or if the Delete button is not available in the Access Control Settings dialog box, then the audit from the parent folder has been inherited.

It is important to note that a user who must be a member of the Administrators group or who has the Manage auditing and security log permission in Group Policy can audit a file or folder. Before Windows XP audits files, folders, you must enable Audit object access in the audit policy in Group Policy. Otherwise, when you finish setting up file, folder auditing, an error message is returned, and the files and folders are not audited. The Event Viewer allows you to check for successful or failed attempts to access audited files and folders.

4. Windows 98 access to Windows XP shared directory rejected issues resolved

In a local area network, you can often encounter problems with Windows 2000-equipped computers that have shared directories and computers with Windows 98 that are inaccessible. This can be found on Microsoft's official web page, prompting the guest user to open Windows 2000. However, after Windows XP came out, the same problem faced, some people found that this method is not the spirit of the network to access the Windows XP shared directory is not necessarily allowed. What is the reason? This problem has also bothered me for several days, and then inadvertently found the answer to the question, perhaps this is a bug in Windows XP? When the system guest user is turned on, run the Group Policy Editor program in the local Computer policy---computer Configuration--- Windows Settings---Security settings---Local Policies---user Rights Assignment---Deny access to this computer from the network, you can see the Guest user! If you delete the guest user here, So other computers can see the shared directory of this computer from their network Places.

5. Block access to the command prompt

Prevents the user from running the Command Prompt window (Cmd.exe). This setting also determines whether the batch files (. cmd and. bat) can be run on the computer. Location: User Configuration Management Template system If you enable this setting, the user tries to open the

The window, the system displays a message explaining that the settings are blocking this operation. Note: If your computer uses a logon, logoff, startup, or shutdown batch file script, it does not prevent the computer from running batch files, nor does it prevent users who use Terminal Services from running batch files.

6. Block access to registry editing tools

The policy disables Regedit.exe to disable the Windows Registry Editor. This can be a great way to prevent malicious code on the Web page from tampering with IE. Location: User Configuration Administrative Template system if this setting is enabled and the user tries to start the Registry Editor, the message explaining that the setting prevents such operations will appear. To prevent users from using other system administration tools, use the "Run only licensed Windows applications" policy setting.

Add

1. Group Policy cannot be used after a program is banned

You can restore the settings by restarting the computer, pressing the F8 key when the boot menu appears, selecting the Safe Mode with Command prompt option in the Windows Advanced Options menu, and then running mmc.exe at the command prompt. In the console window that opens, tap file---Add/Remove Snap-in---Add---Group Policy---add---finish---close---ok, now you have added a Group Policy console, then change the original settings back and then re-enter Windows.

2. Delete a shared document from My Computer

When a Windows user is in a workgroup, a Shared Documents icon appears in the Windows Explorer Web view in other locations and other files stored on this computer. With this setting, you can choose not to display these items. Local Computer Policy---> User Configuration---> Administrative Templates--->windows component--->windows Explorer if you enable this setting, the Shared Documents folder will not appear in Web view or in My computer. If you disable this setting or do not configure it, when the user is part of a workgroup, the Shared Documents folder appears in Web view or in computer.

Note:

1. Group Policy does not exist on the Home Edition WINDOWSS system;

2. Group Policy settings are risky, please note that the backup data is submitted.