Introduction to group policies

1. What is group policy?
(1) What are the functions of a group of policies?

When it comes to group policies, you have to raise the registry. The Registry is a database that stores system and application software configurations in Windows. As Windows functions become more and more abundant, there are more and more configuration items in the registry. Many configurations can be customized, but these configurations are released in every corner of the Registry. If they are manually configured, you can think about how difficult and complicated it is. The group policy integrates important configuration functions of the system into various configuration modules for management personnel to use directly, so as to facilitate computer management.

To put it simply, the Group Policy is to modify the configuration in the registry. Of course, group policies use a more sophisticated management and organization method to manage and configure the settings of various objects, which is far more convenient and flexible than manual modification of the Registry and has more powerful functions.

(2) version of Group Policy

Most Windows 9X/NT users may have heard of the concept of "System Policy", while most of us now hear the name "group policy. In fact, group policies are more advanced extensions of system policies. They are developed from the "system policies" of Windows 9X/NT, it has more Management Templates, more flexible setting objects, and more functions. Currently, it is mainly used in Windows 2000/XP/2003 systems.

The operating mechanism of early system policies is to define specific. POL (usually Config. pol) files through policy management templates. When a user logs on, it will overwrite the Setting Value in the registry. Of course, the System Policy Editor also supports modification of the current registry, and also supports connection to a network computer and settings of its Registry. The Group Policy and its tool directly modify the current registry. Obviously, the network function of Windows 2000/XP/2003 is its biggest characteristic, and its network function is naturally indispensable, therefore, the group policy tool can enable and configure a computer on the network, or even open an Active Directory object (that is, a site, domain, or organizational unit. This was previously not possible with the "System Policy Editor" tool.

The basic principles of system policies and group policies are to modify the corresponding configuration items in the Registry to achieve the purpose of configuring the computer, but some of their operating mechanisms have changed and expanded.

2. Management Templates in group policies

The Windows 2000/XP/2003 directory contains several. adm files. These files are text files called "Management Templates", which provide policy information for the group policy management template project.

In Windows 9X, the default admin. adm management template is saved in the same folder of the Policy Editor. In the Windows 2000/XP/2003 system folder, the inf folder contains four template files installed by default, which are:

1) System. adm: it is installed in group policy by default for System settings.
2) Inetres. adm: it is installed in "Group Policy" by default and used for setting Internet Explorer policies.
3) Wmplayer. adm: used for Windows Media Player settings.
4) Conf. adm: Used For NetMeeting settings.

In the Group Policy console of Windows 2000/XP/2003, you can add a "Policy template" multiple times. In Windows 9X, only one policy template can be opened currently. The following describes how to use a Policy template. First, use the following in the Windows 2000/XP/2003 Group Policy console:
First, run the "Group Policy" program, select "Computer Configuration" or "management template" under "user configuration", right-click, select "Add/delete template" in the pop-up menu ".

Click the Add button and select the. adm file in the displayed dialog box. Click the OPEN button to open the selected script file in the System Policy Editor and wait for the user to execute.

Return to the main interface of the "Group Policy" editor, open the "Local Computer Policy> User Configuration> management template" directory, and then click the corresponding directory tree, the configuration items generated by the newly added management template are displayed. (to facilitate the operations on the instances later in this article, we recommend that you add other template files except the default template files ).

Let's take a look at the Group Policy Editor in Windows 9X. Select "close" in the "file" menu in the Group Policy Editor to close the current script, and then select "template" in the "options" menu"

Click the open template button. In the displayed dialog box, select the corresponding. adm file and click the OPEN button. Then, open the selected script file in the editor and wait for the user to execute.

Iii. Running Group Policy

(1) Windows 9X Policy Editor

Policy editing tools are divided into two types by operating system. One is the Windows 2000/XP/2003 Group Policy Management Console, which has been installed by default during system installation; another type is Windows Firewall and Poledit. inf, Windows. adm files.

If the Windows 9X system uses the following method, you can perform a formal installation process.

1. on the control panel, double-click the "Add/delete programs" icon, click the "Install Windows" tab, and then click the "Install from disk" option.
2. In the "Install from disk" dialog box, click "Browse" and specify the toolseskitetadminpoledit directory of the Windows 9X installation disc.
3. Click "OK" and then click "OK" in the dialog box.
4. In the "Install from disk" dialog box, select the "System Policy Editor" and "Group Policy" check boxes, and then click the "Install" button.

After the installation is complete, click "run" command item, enter poledit, and click "OK". The administrator can use the System Policy Editor in two different ways: registry mode and policy file mode.

1. Use the System Policy Editor as a registry. In the System Policy Editor file menu, click open registry editor, and double-click the corresponding local user or local computer icon. It depends on which part of the Registry you want to edit. When using the registry, you can directly edit the registry of a local or remote computer. In this way, the changes will be immediately reflected. After the modification, you must shut down and restart the computer for the modification to take effect.

2. Use the System Policy Editor as a policy file. In the System Policy Editor file menu, click New or open to open a policy file. When using the policy file method, you can create and modify the system policy file (POL) for other computers. In this way, the Registry is indirectly modified. This change will be reflected after the policy file is downloaded during user login. When editing the setting value as a policy file, you can click a registry option to view one of the three possible states: Select, clear, and gray. Each time you select an option, the next possible status is displayed cyclically, which is different from selecting a standard check box. The standard check box only has two options: select or clear.

If additional information is required for a setting value, an editing control is displayed at the bottom of the default user attribute dialog box. Generally, if you select a policy and do not want to use it forcibly, clear the check box to cancel the policy.

(2) Windows 2000/XP/2003 Group Policy console

For Windows 2000/XP/2003, the Group Policy program is installed by default. In the "Start" menu, click the "run" command and enter gpedit. msc and OK to run the program

Using the above method, the Group Policy object opened is the current computer. If you need to configure other computer Group Policy objects, you need to open the Group Policy as an independent console administrator, the procedure is as follows:

1) Open the Microsoft Console (you can directly enter MMC in the "run" dialog box of the "Start" menu and press enter to run the console program ).
2) on the File menu, click Add/delete snap-in ".
3) on the "independence" tab, click "add ".
4) in the "available independent management units" dialog box, click "Group Policy" and then click "add ".
5) in the select group policy object dialog box, click Local Computer to edit the local computer object, or click browse to find the desired group policy object.
6) Click "finish", click "close", and then click "OK ". The Group Policy Management Unit opens the Group Policy object to be edited.

For computer systems that do not contain domains, only the "computer" label is displayed on the page in step 1, but there are no other tag items.

Through the above method, we can use the powerful network configuration function of the Windows 2000/XP/2003 Group Policy System to make the Administrator's work easier and more efficient.

The Policy Editor configuration items in Windows 9X are in three states: "selected, cleared, and dimmed, the Windows 2000/XP/2003 Group Policy Management Console also has three statuses, but the name has changed. They are: enabled, not configured, and disabled.

Iv. desktop settings

Windows desktops, like our desks, need to be organized and cleaned frequently, and the Group Policy is like our Secretary, making desktop management easy. Let's take a look at several practical configuration instances:

Location: "Group Policy console> User Configuration> management template> desktop"

1. Hide the Desktop System icon (Windows 2000/XP/2003)

Although the system icon function on the desktop can be hidden by modifying the registry, it is troublesome and risky. The group policy configuration method can be used to achieve this goal conveniently and quickly.

For example, to hide the "Network Neighbor" and "Internet Explorer" icons on the desktop, you only need to enable the "hide the 'Network neighbor 'icon on the desktop" and "hide the Internet Explorer icon on the desktop" options in the right pane. If you want to hide all the icons on the desktop, you only need to enable "hide and disable all projects on the desktop; after the "delete my documents" icon on the desktop "and" delete my computer "icon on the desktop are enabled, the "my computer" and "My Documents" icons will disappear from your desktop. Similarly, if you want to remove the "recycle bin" icon, you only need to enable the "delete recycle bin from desktop" policy item.

2. Do not save the desktop settings when exiting (Windows 2000/XP/2003)

This policy prevents users from saving some changes to the desktop. If you enable this policy, you can still change the desktop, but some changes, including the location of the subject, the location and size of the taskbar, cannot be saved after the user logs out, however, shortcuts on the taskbar can always be saved.

In the right pane, enable the policy option "do not save settings when exiting.

3. Disable the "Clear desktop wizard" function (Windows XP/2003)

The clear desktop wizard automatically runs on your computer every 60 days to clear desktop icons that are not frequently used or never used by users. If this policy is enabled, the "clean up desktop wizard" is blocked. If you disable or do not configure this setting