Post: (Computer newspaper) full manual for applying Windows XP group policies (Figure omitted)

Source: Internet
Author: User
Tags change settings network function

Windows XP Group Policy Application manual
Sun Yuan Zhang Yan Appendix

Most computer users use some third-party tools to manage computers, or even manually modify the registry. In fact, the Windows XP Group Policy has integrated these functions, and the Group Policy and related tools can fully implement the functions we need.

I. Group Policy Basics
1. What is a group policy?
The Registry is a database that stores system software and application software configurations in Windows systems. As Windows functions become richer and richer, more and more configuration items are in the registry, and many configurations can be customized, however, these configurations are distributed in every corner of the Registry. If they are manually configured, you can imagine how difficult and complicated it is. The group policy integrates important configuration functions of the system into various configuration modules for users to directly use, so as to facilitate computer management.

To put it simply, the Group Policy setting is to modify the configuration in the registry. Of course, group policies use a better management and organization method to manage and configure the settings of various objects, which is far more convenient and flexible than manually modifying the registry and has more powerful functions.

2. version of the Group Policy
For Windows 9x/NT users, they all know the concept of "System Policy". In fact, group policies are advanced extensions of system policies, it is developed from the "System Policy" of Windows 9x/NT and has more Management Templates, more flexible setting objects and more functions, currently, it is mainly used in Windows 2000, XP, and 2003 operating systems.

The operating mechanism of early system policies is to define specific POL (usually config. pol) files through policy management templates. When a user logs on, it will overwrite the Setting Value in the registry. Of course, the System Policy Editor also supports modification of the current registry, and also supports connection to a network computer and settings of its Registry.

The Group Policy and its tool directly modify the current registry. Obviously, the network function of Windows 2000/XP/2003 is its biggest characteristic, so its network function is naturally indispensable, therefore, the group policy tool can also enable the computer on the network for configuration, or even open an Active Directory (Active Directory) object (that is, site, domain or organization unit) and set it. This was previously not possible with the "System Policy Editor" tool.

Of course, the basic principles of system policies and group policies are to modify the corresponding configuration items in the Registry to configure the computer, but some of their operating mechanisms have changed and expanded.

3. Run the Group Policy in Windows XP
In Windows 2000/XP/2003, the Group Policy program is installed by default. In the "Start" menu, click the "run" option, in the displayed dialog box, enter "gpedit. MSC "and OK to run the Group Policy. 1.

 

Using the above method, the Group Policy object opened is the current computer. to configure other computer Group Policy objects, you need to open the Group Policy as an independent MMC Management Unit:

(1) Open the Microsoft Console (you can directly enter "MMC" in the "run" dialog box of the "Start" menu and click "OK ).

(2) Click the "File> Add/delete Management Unit" menu command, and click "add" in the displayed dialog box.

(3) In the "available independent management units" dialog box, click the "Group Policy" option and then click the "add" button.

(4) In the select group policy object dialog box, click the Local Computer option to edit the local computer object, or click browse to find the desired group policy object.

(5) Click "finish". The Group Policy Management Unit opens the Group Policy object to be edited.

(6) locate the option to be changed in the left pane, right-click the option to be changed in the right pane, and click the "properties" command to open its properties dialog box, select "enabled", "Not Configured", and "disabled" to manage computer policies.

4. Management Templates in group policies
Contains several ADM files in Windows 2000/XP/2003. These files are text files and are called "Management Templates". They provide policy information for projects in the "Management Templates" folder in the control tree of the Group Policy Management Unit.

In Windows 2000/XP/2003, the default admin. ADM management template is located in the INF folder of the system folder and contains four template files installed by default:

(1) system. ADM: it is installed in "Group Policy" by default for system settings.

(2) inetres. ADM: it is installed in group policy by default and used for Internet Explorer (IE) policy setting.

(3) wmplayer. ADM: used for Windows Media Player settings.

(4) Conf. ADM: Used For netmeeting settings.

In the policy management console, you can add a "Policy template" multiple times. Let's take a look at the specific operations:

First, run the "Group Policy" program, select "Computer Configuration" or "manage template" under "user configuration", right-click and select the "Add/delete template" command, then, click "add" in the displayed dialog box and select an ADM file in the displayed dialog box. Click the OPEN button to open the selected script file in the System Policy Editor and wait for the user to execute.

Return to the main interface of the "Group Policy" editor, open the "local computer policy → user configuration → manage template" option in the directory, and then click the corresponding directory tree, the configuration items generated by the newly added management template are displayed.

Note: The following operations are performed in Windows XP.

2. personalize my computer
1. Delete the "document" menu item in the "Start" menu
In computers that are used by multiple users, some users do not want other users to see the documents or other information they have edited. Therefore, to delete the "document" menu item used to record historical documents, we can modify the Group Policy.

Location:/user configuration/management template/taskbar and Start Menu/

When this setting is enabled, the system saves the "document" shortcut, but does not display them in the "document" menu. If you disable this setting later or set it to not configured, the "document" shortcut saved before and when the setting takes effect will appear in the "document" menu item. 2.

 

Note: This setting does not prevent Windows programs from displaying shortcuts in recently opened documents.

In addition, you can set to automatically clear the history of recently opened documents when you exit the system.

Location:/user configuration/management template/taskbar and Start Menu/

If this policy is disabled, the system deletes the shortcut when the user exits. Therefore, when a user logs on, the Document menu on the "Start" menu is always empty. If this setting is disabled or not configured, the document shortcut is retained, and the document menu appears identical when the user logs on to the system.

Note: The system saves the document shortcut in the user configuration file in the/Documents and Settings/<User Name>/recent folder.

2. Delete the "run" menu item from the "Start" menu.
In the Start menu, you can enter a program name to start the program. You can delete the "run" menu item from the "Start" menu.

Location:/user configuration/management template/taskbar and Start Menu/

If this setting is enabled, the following changes occur:

(1) the "run" command is deleted from the "Start" menu.

(2) The new task (run) command is deleted from the task manager.

(3) Prevent users from entering the following items in the IE address bar:

UNC path: // <Server>/<share>.

Access the local drive, for example, C :.

Access the local folder, for example,/temp>.

At the same time, the "run" dialog box cannot be displayed using win + R keys. If this setting is disabled or not configured, you can access the "Start" menu, the "run" command of the task manager, and use the IE Address Bar.

Note: this policy only affects the specified interface. It does not prevent users from using other methods to run the program.

3. Weight Loss from the "Start" menu
If you think that the "Start" menu in Windows is too bloated, you can delete unnecessary menu items from the "Start" menu by setting the Group Policy.

Location:/user configuration/management template/taskbar and Start Menu/

In the right pane of the Group Policy, "delete user folders from the" Start "menu", "access and link to the" Windows Update "page", "delete a public application group from the" Start "menu, and" start "menu are provided. delete "My Documents" icon and other configuration items. You only need to enable the policy corresponding to the undesired menu items.

4. Hide and disable all projects on the desktop
This policy deletes icons, shortcuts, and Other Default and user-defined projects from the desktop.

Location:/user configuration/management template/desktop/

Deleting icons and shortcuts in this policy does not prevent users from starting programs or opening projects represented by icons and shortcuts in another way.

5. Do not save user settings when exiting
This policy prevents users from saving some changes to the desktop.

Location:/user configuration/management template/desktop/

If you enable this setting, you can make some changes to the desktop, but some changes, such as the location of the comparison mark and window opening, the location and size of the taskbar cannot be saved after the user logs out.

6. enable/disable "Active Desktop)
The Active Desktop is a Windows 98 (or later version) or an advanced feature that comes with IE 4.0 installed. Its biggest feature is that you can set wallpaper in various image formats, you can even display webpages as wallpaper. But for security and performance considerations, sometimes we need to disable this feature (and Prevent Users From enabling it ).

Location:/user configuration/management template/desktop/Active Desktop

Tip: If you enable both "enable active desktop" and "Disable Active Desktop", the "Disable Active Desktop" setting will be ignored. If the "Disable Active Desktop and Web View" setting (in "user configuration/management template/Windows component/Windows Resource Manager") is enabled, Active Desktop is disabled, both policies are ignored.

7. Delete shared documents from my computer
When a Windows user is in a workgroup, A "shared document" icon appears in "other locations" and "other files stored on this computer" in the Web View of Windows Resource Manager. With this setting, you can choose not to display these items.

Location:/user configuration/management template/Windows Components/Windows Resource Manager/

If this setting is enabled, the shared documents folder is not displayed in the Web View or on my computer. If this setting is disabled or not configured, when a user is part of a working group, the shared document folder is displayed as a Web View or in my computer.

8. Do not move deleted files to the recycle bin"
When a file or folder in Windows Resource Manager is deleted, the copy of the file or folder will be placed in the "recycle bin. With this policy, you can change this behavior.

Location:/user configuration/management template/Windows Components/Windows Resource Manager/

If this setting is enabled, files or folders deleted using Windows resource manager will not be placed in the recycle bin, so they will be permanently deleted. If this setting is disabled or not configured, files or folders deleted using Windows Resource Manager are stored in the recycle bin.

Iii. System Settings Using group policies
1. The welcome screen is not displayed at login.
To speed up computer startup, we can use the Group Policy to hide the Windows XP welcome screen every time a user logs on.

Location:/user configuration/management template/system/

To display the welcome screen, choose Start> program> attachment> system tools, and then click Start. To not display the welcome screen without specifying the settings, clear the "show at the beginning" option in the check box on the welcome screen.

Note: This setting appears in the "Computer Configuration" and "user configuration" folders. If this setting is configured, the settings in Computer Configuration take precedence over those in user configuration.

2. Configure the driver to find the location
By default, Windows searches for drivers from local installations, floppy drives, disc drives, Windows Update, and other locations. When this configuration finds the new hardware, Windows will search for the driver location.

Location:/user configuration/management template/system/

If this setting is enabled, you can delete any of the three positions by checking the check boxes related to the location name. If this setting is disabled or not configured, Windows searches for drivers from local installations, floppy drives, disc drives, Windows Update, and other locations.

3. Disable automatic playback.
Once you insert a media file into the drive, it starts to read data from the drive automatically. This causes the setting file of the program and the music on the audio media to start immediately. This policy disables the automatic operation function.

Location:/user configuration/management template/system/

If you start this setting, you can also disable auto run on the CD-ROM drive or on all drives.

Note: This setting appears in the "Computer Configuration" and "user configuration" folders. If both settings are configured, the settings in Computer Configuration take precedence over those in user configuration.

In addition, this setting does not prevent automatic playing of music CD.

4. Run only licensed Windows Applications
This policy can restrict Windows programs that users can run.

Location:/user configuration/management template/system/

If you enable this setting, you can only run the programs that you add to the "List of applications allowed to run.

This setting can only prevent users from starting programs from Windows Resource Manager. You cannot start programs in other ways, such as the task manager. If you can access the Command Prompt window, this setting cannot prevent you from starting programs that are not allowed to run in Windows Resource Manager from the command window.

Note: required ). 3.

 

5. Delete the Task Manager
When we press CTRL + ALT + DEL at the same time, the "Windows Task Manager" dialog box is displayed. Task Manager allows users to start or stop programs, monitor computer performance, view and monitor all running programs (including system services) on computers) search for program execution file names and change the priority of program running. Here, we can delete the Task Manager through the Group Policy.

Location:/user configuration/management template/system/CTRL + ALT + DEL option/

If this setting is enabled and the user tries to start the task manager, a message is displayed, which indicates that this operation is disabled by a policy.

6. Delete the "Change Password" option
This policy prevents you from changing the system password through the task manager.

Location:/user configuration/management template/system/CTRL + ALT + DEL option/

This setting disables the "Change Password" button on the Windows Security Settings dialog box. However, you can change the password when prompted by the system. When the administrator asks that the new password be voided, the system will prompt the user to enter the new password.

7. Windows Messenger is not allowed.
Windows XP comes with a chat Tool Windows Messenger. However, we may also install MSN Messenger in the system. This policy allows you to Disable Windows Messenger.

Location:/user configuration/management template/Windows Components/Windows Messenger

If this policy is enabled, Windows Messenger does not run. If this policy is disabled or not configured, Windows Messenger can be used.

Note: If this policy is enabled, remote assistance cannot use Windows Messenger. In addition, this policy will also appear in "Computer Configuration. If both settings are configured, the settings in Computer Configuration take precedence over those in user configuration.

8. Disable system restoration.
System Restoration is a powerful feature integrated in Windows XP/2003. It backs up the changed files and data while the system is running, system Restoration allows you to restore your computer to a previous state without losing your personal data files. By default, the system restore is on.

However, the cost of this function is also quite large, and the system performance will be significantly reduced, and the disk space will also be occupied. We strongly recommend that you disable this function for computers with low configurations.

Location:/computer configuration/management template/system/System Restore/disable System Restore

After this setting is enabled, you can disable the system restoration function and cannot access the "System Restoration wizard" or "configuration interface ".

4. Adjust Internet access Settings Using group policies
1. Disable Import and Export of favorites
You are prohibited from using the import/export wizard menu item to import or export the favorites link.

Location:/user configuration/management template/Windows Components/Internet Explorer

If this policy is enabled, the "Import/Export wizard" menu item cannot import/export favorites links and cookies. If this function is disabled or not configured, you can click the "Import and Export" menu item on the "file" menu, and then run the "Import/Export wizard ", import/Export ie favorites.

Note: If this policy is enabled, you can still view the "Import/Export wizard". However, when you click the "finish" button, a message indicating that this function has been disabled is displayed.

2. Disable the settings for changing the "advanced" tab.
Do not change the settings on the "advanced" tab in the "Internet Options" dialog box.

Location:/user configuration/management template/Windows Components/Internet Explorer

If this policy is enabled, you cannot change advanced Internet settings, such as security, multimedia, and printing. You cannot select the check boxes on the "advanced" tab or clear the check boxes. If this policy is disabled or not configured, you can select or clear the settings on the "advanced" tab.

If you set the "Disable Advanced page" policy in/user configuration/management template/Windows Components/Internet Explorer/Internet control panel, you do not need to set this policy, because the "Disable Advanced page" policy deletes the "advanced" tab on the interface.

3. Use the "Automatic Detection" attribute for dial-up connections
Automatically checks whether the browser uses DHCP (Dynamic Host Configuration Protocol) or the DNS server to customize the browser when it is started for the first time. This policy specifies the automatic detection configuration for the user's dial-up settings.

Location:/user configuration/management template/Windows Components/Internet Explorer

If this setting is enabled, automatic detection configures the user's dialing settings. If this configuration is disabled or not configured, automatic detection does not configure your dialing settings unless specified by the user.

4. Disable the Internet Connection Wizard
You are prohibited from running the Internet Connection Wizard.

Location:/user configuration/management template/Windows Components/Internet Explorer

If this policy is enabled, the "Create connection" button on the "connection" tab in the "Internet Options" dialog box is grayed out. You cannot click the "connect to Internet" icon on the desktop or click "Start> program> attachment> communication", and then click "Internet Connection Wizard" to run the Internet Connection Wizard. If this policy is disabled or not configured, you can change the connection settings by running the Internet Connection Wizard.

Note: this policy is similar to the "Disable connection page" policy in the \ User Configuration \ management template \ Windows component \ Internet Explorer \ Internet control panel, the latter will delete the "connection" tab on the interface. Deleting the Connections tab from the interface does not prevent you from running the Internet Connection Wizard from the desktop or the Start Menu.

5. Disable the form auto-completion Function
Disable IE to automatically complete the form. For example, enter the name or password you have previously entered on the webpage.

Location:/user configuration/management template/Windows Components/Internet Explorer

If this policy is enabled, the "form" check box is grayed out. Click the "Automatic completion" button on the "content" tab in the "Internet Options" dialog box to display the "form" check box. If this policy is disabled or not configured, you can enable automatic form completion.

The "forbidden content page" policy in/user configuration/management template/Windows component/Internet Explorer/Internet Control Panel takes precedence over this policy. If the "Disable content page" policy is enabled, the policy is ignored, because the "Disable content page" policy will delete the "content" tab in the "Internet Explorer properties" dialog box in "Control Panel.

Note: If you enable this policy after using a browser that enables the form auto-completion function, the content in the form that you have used the form auto-completion function is not cleared.

6. Configure media browsing bar attributes
The media browser bar allows the Administrator to enable or disable the media browser bar and set automatic playback by default.

Location:/user configuration/management template/Windows Components/Internet Explorer

If the media browser bar is disabled, you cannot display the media browser bar. The automatic playback function is also disabled. When you click a link in IE, the default media client in the system will play the content. If the media browser bar is enabled or not configured, you can display and hide the media browser bar.

The administrator can enable or disable the automatic playback function. This setting is only applied when the media browser bar is enabled. If selected, the media browser bar automatically displays and plays media content when you click a Media Link. If this option is not selected, the default media client on the system will play the content.

7. Disable the shortcut menu
Shortcut menus are not allowed when you right-click IE.

Location:/user configuration/management template/Windows Components/Internet Explorer/browser menu

If this policy is enabled, the shortcut menu does not appear when the user points to the web page and right-click the page. If this policy is disabled or not configured, you can use the shortcut menu.

8. Customize the title bar of IE
We can use the Group Policy to customize the text that appears in the title bar of IE and Oe. The OE title bar is updated regardless of whether the software package contains Oe Or whether OE is installed on your computer.

Location:/user configuration/management template/Windows Settings/Internet Explorer Maintenance/browser user interface/browser title

In the displayed dialog box, select the "Custom title bar" option and type the expected text in the "title bar text" box.

Note: When selecting a bitmap, ensure the contrast between the color and text. This ensures a higher degree of readability for users.

9. Custom ie tool button
We can use this policy to personalize the toolbar that appears in IE, giving you some flexibility and design opportunities. The available elements include the toolbar background and Icon appearance used for Standard toolbar buttons (such as "Search" and "History.

Location: \ User Configuration \ management template \ Windows Settings \ Internet Explorer Maintenance \ browser user interface \ browser toolbar custom

In the displayed dialog box, click the Add button. In the displayed dialog box, in the toolbar title (required) box, type the text that appears when you hover your mouse over the toolbar button. The title or label of the button must be specified. The recommended maximum length is 10 characters.

In the "toolbar operations (required as a script or executable file)" box, type the name of the script or executable file, or click the "Browse" button to find the file. You must specify the script file or executable file to run when you click the toolbar button.

In the toolbar color icon (required) box, type the name of the file indicating that the button is active, or click browse to find the file. You must specify the color icon of the button displayed on the toolbar. The icon consists of a 20*20 pixel image of activity and inactivity.

In the "toolbar grayscale icon (required)" box, type the grayscale icon file name and position displayed on the toolbar of the black and white monitor, or click the "Browse" button to find the file. The grayscale icon displayed on the toolbar must be specified.

Select the "by default, this button should be displayed on the toolbar" check box to display the toolbar buttons in the user's browser by default.

5. Use group policy settings to optimize the network environment
1. Disable access to network connection component attributes
The "Local Connection Properties" dialog box contains a list of network components used for connection. To view or change component properties, click the component name and then click "properties" under the component list, as shown in figure 4. This policy determines whether users can change the component attributes used by network connections. It determines whether to enable the "attribute" button for network connection components.

 

Location:/user configuration/management template/Network/network connection/

If you enable this setting (and enable "enable network connection settings for the Administrator"), the "attribute" button is disabled for the administrator. No matter whether the "enable network connection settings for Administrators" is enabled or not, you cannot access the connection components. If "enable network connection settings for Administrators" is disabled or not configured ".

If this setting is disabled or not configured, the "properties" button is enabled for the user.

2. Disable TCP/IP Advanced Configuration
Determine whether you can configure TCP/IP Settings.

Location:/user configuration/management template/Network/network connection/

If you enable this setting (and enable "enable network connection settings for Administrators"), disable "Internet Protocol (TCP/IP)" for all users (including administrators) the "advanced" button in the Properties dialog box. Therefore, you cannot open the "Advanced TCP/IP Settings" dialog box and modify the IP settings (such as DNS and WINS server information ). If this setting is disabled, the "advanced" button is enabled, and all users can open the "Advanced TCP/IP Settings" dialog box.

Note: This setting will be replaced by the settings of the Access prohibited connection attribute or connection component attribute. If you set these policies to the "Access Denied Connection Properties" dialog box or the "properties" button for connecting components, you cannot access the "advanced" button for TCP/IP configuration. Regardless of the settings, non-administrator users do not have the permission to access the TCP/IP advanced configuration for network connections. Before the user leaves the system, changing this setting from "enable" to "not configured" does not enable the "advanced" button.

3. Do not add or delete components for network connections or remote access connections.
The "Install" button opens the dialog box for adding network components. Click the detach button to delete the selected component from the component list. The "Install" and "Uninstall" Buttons appear in the "properties" dialog box for connection. These buttons are on the "General" tab and "network" tab. This policy determines whether the administrator can add or delete network components used for network connections or remote access connections.

Location:/user configuration/management template/Network/network connection/

If you enable this setting (and enable "enable network connection settings for Administrators"), the "Install" and "Uninstall" buttons for connecting components are disabled, you are not allowed to access the network components in the Windows component wizard. If this setting is disabled or not configured, the "Install" and "Uninstall" buttons for connecting components in the "Network Connection" folder are enabled. Similarly, you can access the network components in the Windows component wizard.

4. Disable access to network connection attributes
Right-click the "Network neighbors" icon and you can see the "properties" menu item in the shortcut menu that opens the Network Connection Properties dialog box. This policy determines whether users can change the network connection properties.

Location:/user configuration/management template/Network/network connection/

If you enable this setting (and enable "enable network connection settings for Administrators"), the "properties" menu item is disabled for all users, and you cannot open the "Connection Properties" dialog box. If this setting is disabled or not configured, the "attribute" menu item appears when you right-click the "Network Neighbor" icon. Similarly, when you select this connection, the "properties" menu item on the "file" menu is enabled.

Note: This setting takes precedence over the availability settings of the functions in the "Local Area Connection Properties" dialog box. If this setting is enabled, you cannot use any function in the Properties dialog box of the network connection.

5. Change the attributes of all remote access connections.
This policy is used to determine whether users can view and change the properties of remote access connections available to all users on the computer. This setting determines whether to enable the "properties" menu item and whether the "Remote Access Connection property" dialog box is available to users.

Location:/user configuration/management template/Network/network connection/

If this setting is enabled, the "attribute" menu item appears when you right-click the icon used for Remote Access Connection. Similarly, when any user selects a connection, "attribute" appears on the "file" menu ". If you disable this setting (and enable "enable network connection settings for Administrators"), the "properties" menu item is disabled, and users (including administrators) cannot open the Remote Access Connection dialog box. If this setting is not configured, only the administrator can modify the attributes of all users for remote access.

Note: This setting takes precedence over the availability settings of the functions in the Operation Remote Access Connection Properties dialog box. If this setting is disabled, you cannot use any function in the Properties dialog box for remote access to the connection.

6. Enable Windows XP Network connection settings for the Administrator
This policy determines whether existing settings in Windows XP apply to administrators. By default, the "Network Connection" group settings in Windows XP do not allow administrators to use the function.

Location:/user configuration/management template/Network/network connection/

If this setting is enabled, settings that already exist in Windows XP can prevent administrators from using certain functions. These settings include: "rename the network connection or Remote Access Connection capabilities available to all users", "prohibit access to network connection component attributes", "prohibit access to remote access to connection component attributes", and "Access capabilities of Advanced TCP/IP configuration, advanced settings on the "forbidden access advanced menu", "adding or deleting components used for network connection or Remote Access Connection", and "forbidden ""Access Network Connection Properties", "Disable or disable network connection components", "change the Remote Access Connection Properties of all users", and "Disable Changing the properties of dedicated remote access connections" "prohibit the deletion of remote access connections", "Delete the ability of all users to remotely access connections", "prohibit connections and disconnect remote access connections", and "enable/disable network connections" "prohibit access to the New Connection Wizard", "prohibit rename dedicated Remote Access Connection", "Disable access to the dial-up parameter selection items on the advanced menu", and "disable viewing the status of active connections ". When this setting is enabled, the above settings are valid for the Administrator's behavior. If this setting is disabled or not configured, the preceding setting does not apply to administrators.

Note: This setting is used when the Group Policy objects that are applying these settings contain both Windows 2000 and Windows XP computers, in addition, the same network connection policy action must be performed between all Windows 2000 and Windows XP computers.

Vi. well-maintained System Security
1. prevent access to the disk drive from my computer
This policy prevents users from using my computer to access the content of the selected drive.

Location:/user configuration/management template/Windows Components/Windows Resource Manager/

If this setting is enabled, you cannot view the content of the drive selected in my computer or Windows Resource Manager. At the same time, it cannot use the run dialog box, the image network drive dialog box, or the Dir command to view the directories on these drives. To use these settings, select one or more drives. To allow access to all drive directories, disable this setting or select the do not restrict drive option.

Note: The drive icon will still appear on my computer, but if you double-click the icon, a message Interpretation Setting will appear to prevent this operation. At the same time, this setting does not prevent users from using programs to access local and network drives.

2. Disable "logout" and "shutdown"
After the computer is started, if you do not want the user to shut down or log out, you can set the Group Policy.

Location:/user configuration/management template/taskbar and Start Menu/

This setting deletes the Shutdown option from the Start menu and disables the Shutdown option in the Windows Task Manager dialog box (Press CTRL + ALT + DEL to display this dialog box ). In addition, although this setting can prevent users from shutting down windows, it cannot prevent users from using other third-party tools to shut down Windows.

Tip: If you enable the "deregister" policy on the "delete start" menu, you can also delete the "display logout" item from "" start "menu options. The result is that you cannot restore the "logout <username>" project to the "Start" menu (you can only manually modify the registry ). This setting only affects the Start Menu. It does not affect the "logout" option in the "Windows Security" dialog box (you must enable the "Delete and block access to the" shutdown "command at the same time), and does not prevent users from logging out using other methods.

3. block access to the command prompt
The Command Prompt window (cmd.exe ). This setting also determines whether the batch file (. CMD and. BAT) can run on the computer.

Location:/user configuration/management template/system/

If this setting is enabled, the user tries to open the command window and the system displays a message explaining the setting to block this operation.

Note: If the computer uses the login, logout, start or close batch file scripts, it does not prevent the computer from running batch files, nor does it prevent terminal service users from running batch files.

4. Disable access to the registry editing tool
This policy disables regedit.exe to disable the Windows Registry Editor.

Location:/user configuration/management template/system/

If this setting is enabled and the user tries to start the Registry Editor, messages indicating that the setting disables such operations will appear. To prevent users from using other system management tools, use the "run only licensed Windows Applications" policy settings.

5. Forbidden Access Control Panel
The control panel allows users to configure their computers, add or delete programs, and change settings. This policy is used to enable control.exe, the program file of the Panel. You cannot start the control panel or run any control panel project.

Location:/user configuration/management template/control panel/

This policy also removes the control panel menu item from the Start menu, and also removes the control panel folder from Windows Resource Manager. If you want to select a "Control Panel" item from the "properties" option in the right-click shortcut menu, a message is displayed, indicating that this setting prevents this operation.

6. Hide the specified control panel program
This policy removes projects (such as displayed) and folders on the control panel from the control panel and the Start Menu. It can delete the control panel projects that are included in Windows XP, or the control panel projects that you add to the system.

Location:/user configuration/management template/control panel/

To hide a control panel project, click "enabled" in the displayed dialog box, and then click "show". In the displayed dialog box, click the Add button and enter the project name, such as NCPA. cpl (used for network ). To hide a folder, enter the folder name, for example, "font ".

This setting only affects the Start menu and control panel window. It does not prevent users from using the "run" dialog box to Run Control Panel projects.

Note: To find the file name of the Control Panel project, find the extension of the. Cpl file name in the/system32 directory.

7. Password-protected screen saver
This policy determines whether the Screen Saver used on the computer is password-protected.

Location:/user configuration/management template/control panel/display/

If you enable this setting, all screen saver programs are password-protected. If you disable this setting, password protection cannot be set on any screen saver. This setting also disables the "password protection" check box of "Screen Saver" in "display" in "Control Panel" to prevent users from changing password protection policies. If you do not configure this policy, the user chooses to set password protection on each screen saver.

Note: This setting is only available when Screen Saver is specified on the computer.

7. Use group policies to improve Windows entertainment Functions
1. Prevent searching of CD and DVD media information
This policy prevents Windows Media Player 9.0 from retrieving media information about CDs and DVDs from the Internet at runtime. In addition, the "Privacy Options" tab in the "first-time use" dialog box and the "retrieve CD and DVD media information from the Internet" check box in the "privacy" tab of the player are not selected and unavailable.

Location:/user configuration/management template/Windows Components/Windows Media Player

If this policy is not configured or disabled, you can change the settings of the "retrieve CD and DVD media information from Internet" check box.

2. Prevent searching of media information in music files
This policy prevents Windows Media Player 9.0 from automatically obtaining media information about music files (such as Windows Media Audio (WMA) and MP3) from the Internet. In addition, in the "privacy" and "Media repository" tabs of the first-time use dialog box and player, "retrieve missing media information from the Internet to update music files (WMA and MP3 files) "are not selected and unavailable.

Location:/user configuration/management template/Windows Components/Windows Media Player

If this policy is not configured or disabled, you can change the setting of the "retrieve missing media information from the Internet to update music files (WMA and MP3 files)" check box.

3. Specify the Streaming Media Protocol
This policy specifies that you can use the Protocol selected in the "Settings" tab to receive streaming media from the Windows Media Server. This policy also specifies that the "Multicast" check box can be selected on the "Settings" tab to receive multicast streams.

If the "UDP" check box is selected on the "Settings" tab and the "UDP port" box is empty, Windows Media Player uses the default port to play content from the Windows Media Server. If the "UDP" check box is not selected, the information in the "UDP port" box is ignored.

If no protocol is selected and this policy is enabled, content from the Windows Media Server cannot be played.

Location:/user configuration/management template/Windows Components/Windows Media Player/Network

If this policy is enabled or disabled, the stream protocol section on the player network tab is unavailable. If the "Hide network" tab policy is enabled, the entire "network" tab is hidden. If this policy is disabled, the player cannot receive streaming media from the Windows Media Server. If it is necessary to control the type of received streaming media, it is recommended to use other methods, such as firewall. If this policy is not configured and the "Hide network" tab policy is not enabled, you can change the settings in the "stream protocol" section of the "network" tab.

4. Configure the HTTP Proxy
This policy specifies the HTTP Proxy Server settings. If this policy is enabled, You must select a proxy type (automatic detection, custom, or browser proxy settings ). The system automatically checks proxy settings. Use the unique proxy server settings. Using browser proxy settings means using browser proxy settings.

If you select a custom proxy server type, you must specify other options on the "Settings" tab, because the proxy server has no default settings. If you select "Automatic Detection" or "Browser", you can ignore these options.

The "Configure" button on the player "network" tab is invalid for HTTP, so the proxy server cannot be configured. If the "Hide network tab" policy is enabled, the entire "network" option card is invisible.

If the "Streaming Media Protocol" policy is enabled and HTTP is not selected, this policy is ignored.

Location:/user configuration/management template/Windows Components/Windows Media Player/Network

If this policy is disabled, the HTTP Proxy Server cannot be used and the user cannot configure the HTTP proxy server. If this policy is not configured, you can configure the HTTP Proxy Server settings.

5. Configure the MMS Proxy Server
This policy specifies the proxy server settings for the MMS protocol. If this policy is enabled, You must select a proxy type (automatic detection or custom ). "Automatic Detection" indicates that the system automatically detects proxy server settings. "Custom" indicates the unique proxy server settings.

If you select the "Custom" proxy type, you must specify other options on the "Settings" tab. Otherwise, the default settings are used. If you select automatic detection, these options are ignored.

The "Configure" button on the player "network" tab is unavailable and the Protocol cannot be configured. If the "Hide network" tab policy is enabled, the entire "network" tab is hidden.

If the "Streaming Media Protocol" policy is enabled and "Multicast" is not selected, this policy is ignored.

Location:/user configuration/management template/Windows Components/Windows Media Player/Network

If this policy is disabled, the MMS proxy server cannot be used, and you cannot configure the MMS proxy server settings. If this policy is not configured, you can configure the MMS proxy server settings.

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.