Latest Windows System Group Policy Application Skills

Source: Internet
Author: User
Tags gpupdate

System group policies are almost one of the essential tools for network management by network administrators. I believe many people are familiar with the conventional application skills of this tool. However, I have always believed that as long as we are careful and attentive, we will constantly explore new application techniques from system group policies. If you don't believe it, let's take a look at the following content. I believe they will help you enter a new "Realm" of application "!

Smart limitsProgram, Beware of "self-locking"

On Windows server, there is a group policy project named "only allow Windows applications to run". Once you enable the project and restrict the running of the specified program, therefore, no matter whether you add gpedit in the "only programs allowed" list or not. MSC Command, as long as the Group Policy item "only allow Windows applications to run" takes effect, the system's group policy will automatically "self-lock", even if you use "gpedit. the MSC command cannot open the system group policy editing window! Is there a way to restrict the running of applications and prevent system group policies from being "self-locked? The answer is yes. You can follow the steps below:

First, click "start"/"run" command. In the pop-up system run box, enter the string command "gpedit. MSC, click OK to open the system group policy editing window;

Expand "user configuration", "management template", and "system" projects in the window, and in the subwindow on the right of the corresponding "system" project, double-click the "run only licensed Windows Applications" option. In the displayed window, select the "enabled" option. Then, you will see that the "show" button is automatically activated in the corresponding window, click the "show" button, and then click the "add" button in the subsequent window, enter the name of the application to be run in the Add settings box, and click OK;

Next, do not close the Group Policy editing window immediately. Then, open the system running dialog box and execute "gpedit. MSC "command, now you will find that the system group policy editing program is no longer running! However, fortunately, the Group Policy editing window is not closed before. Now you can continue in the Group Policy editing window and double-click the "only allow running Windows Applications" project you just set, then, in the pop-up policy settings window, select the "not configured" option, and click the "OK" button to limit the running of the application, it can also prevent the system group policy from being "self-locked.

Tip: if you add the specified application name to the "only allow running Windows Applications" list and close the Group Policy editing window, you can perform the following steps for restoration:

Restart the server system. During the startup process, press the F8 function key until the System Startup menu appears, and then execute the "safe mode with command line prompts" command, switch the server system to the command line prompt status;

Run the mmc.exe string command directly at the command prompt. On the pop-up System Console interface, click the "file" menu item, and click the "Add/delete Management Unit" option from the drop-down menu, click the "independent" tag in the subsequent window, and then click "add" on the tag page shown in 1;


Next, click "Group Policy", "add", "complete", "close", and "OK" to add a new Group Policy console; in the future, you will be able to re-open the Group Policy editing window, and then follow the settings above to achieve the goal of limiting the running of applications and Preventing System group policies from being "self-locked.

Remove "self-locking" as needed"

In addition to the policy to restrict the application to run, many operations can enable the Group Policy to be "self-locked" inadvertently. If the Group Policy is "self-locked" due to other factors, how can we easily remove it? In fact, all group policy settings are based on the system registry>, so the settings of any branch of the Group Policy will be reflected in the corresponding branch of the Registry; therefore, we can easily crack the "self-locking" Phenomenon of the Group Policy by modifying the registry:

Click Start or run. In the displayed system running dialog box, enter the string command regedit and click OK to open the registry editing window;

In this window, expand the Registry branch HKEY_CURRENT_USER \ SOFTWARE \ Policies \ Microsoft \ MMC \ {8fc0b734-a0e1-11d1-a7d3-2017f87571e3}, and in the area on the right of the window shown in 2, you will see a "restrict_run" key value;


Double-click the key value, open a Value Setting window, enter the number "0", and click "OK". After that, when you open the system operation dialog box again, and execute "gpedit. MSC "command, you will find the self-locking group policy editing window, now can be easily opened.

Policy changes take effect immediately

For Windows 2003 domain and Windows 2000 domain, the new security policy cannot take effect immediately after the default security policy of the domain is modified, generally, it takes about 5 to 15 minutes for Windows to automatically update the settings in system group policies. Is there a way for the modified security policy to take effect immediately for the user or client? The answer is yes. You can follow these steps:

For Windows 2000 domains, if you want to make the new computer policy take effect immediately, you can click "start"/"run" to open the system running dialog box, enter the string command "cmd" and click "OK" to switch the Windows system to MS-DOS mode;

Then, at the doscommand prompt, enter the string command "SeCEdit/refreshpolicy machine_policy/enforce" and click the Enter key. The new security policy will take effect immediately;

If you want the new user policy to take effect immediately, you only need to execute the string command "SeCEdit/refreshpolicy user_policy/enforce" at the doscommand prompt.

For Windows 2003 domains, if you want to make the new computer policy take effect immediately, you can click "start"/"run" to open the system running dialog box, enter the string command "cmd" and click "OK" to switch the Windows system to MS-DOS mode;

Then, at the doscommand prompt, enter the string command "gpupdate/Target: Computer" and click the Enter key. The new security policy will take effect immediately;

If you want the new user policy to take effect immediately, you only need to execute the string command "gpupdate/Target: User" at the doscommand prompt. If you want to update both the computer policy and user policy, you can directly execute the string command "gpupdate.

Different users and permissions

Maybe your server contains many users, but to protect the security of the server, you want these users to have different access control permissions on the server, so that in the future when the server encounters an accident, you can quickly find users with different permissions. To assign different access control permissions to different users, you only need to set the server group policy. The specific configuration steps are as follows:

Click Start or run. In the displayed system run box, enter the string command gpedit. MSC, click OK to open the system group policy editing window;

In this window, expand "Computer Configuration", "Windows Settings", "Security Settings", "Local Policy", and "User Rights Assignment;

In the window area on the right of the corresponding "User Rights Assignment" project, you will see multiple rights available for assignment, as shown in 3. For example, if you only want AAA users to remotely access the content on the server through a network connection, but do not allow them to log on to the server locally to write content or execute applications in it, you can double-click the "Deny local Logon" permission;


In the setting window that opens, click "add", select the account name corresponding to the AAA user, and click "add ", in this way, AAA users can only access the content on the server through a remote network in the future.

Similarly, you can assign local logon control permissions to BBB users, and assign ownership of files or other objects to CCC users. Once different control permissions are assigned to different users, you will be able to manage and control users based on different permission levels in the future. For example, if you find that someone uploads illegal information to the server and wants to investigate it when the server is not connected to the network, you can easily exclude AAA users, after all, AAA users do not have such "committing crimes "!

Protection settings to avoid conflicts

In the LAN, the IP address of the workstation is often modified at will, resulting in IP conflict, thus affecting the LAN operation efficiency. Although there are many ways to avoid IP address conflicts, it is not difficult to find some methods for some cainiao users? In fact, with the help of the Group Policy function, you can easily limit the LAN workstation's network configuration parameters to be modified at will, so as to effectively avoid conflicts between IP addresses in the network:

Click Start or run. In the displayed system run box, enter the string command gpedit. MSC, click OK to open the system group policy editing window;

Expand the "user configuration", "management template", "network", and "network and dial-up connections" policy items in the window, in the window area on the right of the corresponding "network and dial-up connection" policy, double-click the "allow TCP/IP Advanced Settings" item;

In the settings window shown in figure 4, select the "Disable" option and click "OK, when a wks user opens the TCP/IP attribute setting window in the future, he or she will find that he or she cannot enter the "advanced" setting window to modify the wks IP address or other network parameters, as a result, IP addresses in the LAN are not prone to conflicts.


Strengthen review and stay away from attacks

By default, the Windows 2003 Server does not enable any security audit method to protect the security of the server. Obviously, this poses a great security risk to the server. To avoid server attacks, you only need to "get started" with the Group Policy on the server to enable and use the security audit policy to protect the security of the server:

Click Start or run. In the displayed system run box, enter the string command gpedit. MSC, click OK to open the system group policy editing window;

Place the cursor on the Policy Branch of the "Computer Configuration", "Windows Settings", "Security Settings", "Local Policy", and "Audit Policy" groups, under the "Audit Policy" branch, you will see that you need to specify multiple audit events, as shown in Figure 5;


Double-click the "Policy Change" item. In the pop-up setting window, if the "successful" option is selected, the server will review the successful operations of all events in the future, if the "failed" option is selected, the server will review all failed events in the future;

In order to know the security risks of the server as soon as possible, we usually need to review the successful and failed operations of system events, logon events, account logon events, and account management events, in this way, even some operation records that have been attacked but have not been successfully recorded by the server will be automatically recorded by the server. In the future, we will carefully analyze the records to find out the security risks, and take timely remedial measures to ensure the security of the server; for "Object Access" events, "Directory Service Access" events, "privileged use" events, etc., generally as long as the audit of their failure operations, to capture attack records.

Once the audit function is enabled for the relevant events through the Group Policy, the server will save all audit records of the relevant events to the system's "Event Viewer" in the future, in the future, as long as you open the log Content in time and carefully analyze the records, you can find out whether the server is under attack at this time.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.