WIN2003 Group Policy Detailed


I. Basic knowledge of Group Policy

Group Policy is the primary tool for administrators to define and control programs, network resources, and operating system behavior for users and computers. You can set up various software, computer, and user policies by using Group Policy. For example, you can use Group Policy to remove icons from the desktop, customize the Start menu, and simplify Control panel. In addition, you can add scripts that run on your computer (when your computer starts or stops, and when a user logs on or off), and you can even configure Internet Explorer.

This article focuses on applying local Group Policy in Windows XP Professional. Group Policy has two groups of settings for the local computer: Computer Configuration and User Configuration. The settings for all policies are saved to the corresponding entries in the registry. Computer policy settings are saved under the registry's HKEY_LOCAL_MACHINE key, and user policy settings are saved under HKEY_CURRENT_USER.
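Because the settings end up in the registry, the state of a policy can be checked without opening the editor. The following PowerShell is an added example, not part of the original article: it reports the current user's registry values for several of the User Configuration policies this article covers. It assumes the value names written by the standard Windows administrative templates under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies; the function name Get-UserPolicyState is hypothetical.

```powershell
# Added example: report the registry state behind the per-user policies in this article.
# Assumption: value names are those written by the standard administrative templates.
$PolicyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$PolicyMap = @(
    @{ Key = 'Explorer';  Name = 'NoSMMyDocs';            Policy = 'Remove My Documents icon from Start Menu' },
    @{ Key = 'Explorer';  Name = 'NoRecentDocsHistory';   Policy = 'Do not keep history of recently opened documents' },
    @{ Key = 'Explorer';  Name = 'ClearRecentDocsOnExit'; Policy = 'Clear history of recently opened documents on exit' },
    @{ Key = 'Explorer';  Name = 'NoSetTaskbar';          Policy = 'Prevent changes to Taskbar and Start Menu Settings' },
    @{ Key = 'Explorer';  Name = 'NoTrayContextMenu';     Policy = 'Remove access to the context menus for the taskbar' },
    @{ Key = 'Explorer';  Name = 'StartMenuLogOff';       Policy = 'Remove Logoff on the Start Menu' },
    @{ Key = 'Explorer';  Name = 'NoClose';               Policy = 'Remove and prevent access to the Shut Down command' },
    @{ Key = 'Explorer';  Name = 'NoDesktop';             Policy = 'Hide and disable all items on the desktop' },
    @{ Key = 'Explorer';  Name = 'NoSaveSettings';        Policy = "Don't save settings at exit" },
    @{ Key = 'Explorer';  Name = 'NoControlPanel';        Policy = 'Prohibit access to the Control Panel' },
    @{ Key = 'Uninstall'; Name = 'NoAddRemovePrograms';   Policy = 'Remove Add or Remove Programs' }
)

function Get-UserPolicyState {
    param([string]$Root = $PolicyRoot)
    foreach ($p in $PolicyMap) {
        $path = Join-Path $Root $p.Key
        $raw = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue
            if ($item) { $raw = $item.($p.Name) }
        }
        # A missing value means the policy is not configured for this user.
        if ($null -eq $raw) { $state = 'Not configured' }
        elseif ($raw -eq 1) { $state = 'Enabled' }
        else                { $state = "Other ($raw)" }
        New-Object PSObject -Property @{
            Policy = $p.Policy
            Value  = "$($p.Key)\$($p.Name)"
            State  = $state
        }
    }
}

Get-UserPolicyState | Select-Object Policy, Value, State | Format-Table -AutoSize
```

Run it in the session of the user whose restrictions you want to check, because HKEY_CURRENT_USER is loaded per logged-on user.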

There are two ways to access local Group Policy: the first is from the command line; the second is by adding the Group Policy snap-in to an MMC console.

1. Command line start of Group Policy Editor

To start the Windows XP Group Policy Editor, click "Start" → "Run", type "gpedit.msc" in the Open field of the Run dialog box, and then click OK. (Note: The "Group Policy" program is located in "C:\WINNT\SYSTEM32" and its file name is "Gpedit.msc".)

In the Group Policy window that opens, the left pane shows the policy objects as a tree, and the right pane shows the specific policies that you can set for the item selected on the left. You may have noticed that the Local Computer Policy in the left pane consists of two main nodes, Computer Configuration and User Configuration, and that some of the items under them are duplicated, including Software Settings, Windows Settings, and so on. So what is the difference between setting the same item under different nodes? Computer Configuration holds system settings for the whole computer and applies to all users of the current computer, while User Configuration holds settings for the current user and applies only to that user. For example, both provide a setting to disable the AutoPlay feature. If it is enabled under Computer Configuration, disc autorun is disabled for all users; if it is enabled under User Configuration, only that user's disc autorun is disabled and other users are unaffected. Keep this in mind when configuring policies.

2. Open Group Policy as a standalone MMC snap-in

To open the Group Policy Editor in an MMC console by adding the Group Policy snap-in, follow these steps:

(1) Click "Start" → "Run", type "mmc" in the dialog box that appears, and click OK. The Microsoft Management Console window opens, as shown in Figure 2.

(2) Select the Add/Remove snap-in command under the File menu.

(3) On the Standalone tab of the Add/Remove Snap-in window, click Add.

(4) In the Add Standalone Snap-in dialog box that appears, select Group Policy in the Available Standalone Snap-ins list, and click Add.

(5) Because Group Policy is being applied to the local computer, in the Select Group Policy Object dialog box choose Local Computer to edit the local computer object, or click Browse to find the Group Policy object you want.

(6) Click "Finish" → "Close" → "OK". The Group Policy snap-in opens the Group Policy object for editing.

Special note: If you want to save the Group Policy console and be able to choose which Group Policy object opens in it from the command line, select the "Allow the focus of the Group Policy Snap-in to be changed when launching from the command line" check box in the Select Group Policy Object dialog box.

II. Deleting and disabling taskbar and Start menu options

In the Local Computer Policy, expand User Configuration → Administrative Templates → Start Menu and Taskbar. The right pane lists the policies for the taskbar and Start menu.

1. Slimming down the Start menu

If you feel that Windows XP's Start menu is too bloated, you can remove unwanted items from it. The right pane provides policies that remove the following from the Start menu: common program groups, the My Documents icon, the Documents menu, Network Connections, the Favorites menu, the Search menu, the Help command, the Run menu, the My Pictures icon, the My Music icon, the My Network Places icon, and so on. Simply enable the policy for each menu item that you do not want. Taking the removal of the My Documents icon as an example, the steps are:

(1) In the policy list pane, double-click the "Remove My Documents icon from Start Menu" setting.

(2) On the Setting tab of the window that appears, select the Enabled radio button, and then click OK.

2. Protecting your personal privacy

For some security needs, such as not wanting others to know which pages you have browsed and which files you have opened, you only need to enable two policies in the right pane: "Do not keep history of recently opened documents" and "Clear history of recently opened documents on exit".

3. Protecting the taskbar and Start menu settings

If you do not want others to change the taskbar and Start menu settings, you only need to enable two policies in the right pane: "Prevent changes to Taskbar and Start Menu Settings" and "Remove access to the context menus for the taskbar". After that, when a user right-clicks the taskbar and clicks Properties, an error message appears indicating that a setting prohibits the operation.

4. Prohibiting logoff and shutdown

If you do not want the user to be able to shut down or log off once the computer has started, enable two policies in the right pane: "Remove Logoff on the Start Menu" and "Remove and prevent access to the Shut Down command".

Tip: If you enable "Remove Logoff on the Start Menu", the Log Off <username> item does not appear on the Start menu. This setting also removes the Display Logoff item from the Start Menu Options. As a result, users cannot restore the Log Off <username> item to the Start menu.

III. Deleting and disabling desktop options

The Windows XP desktop is like your desk: sometimes it needs organizing and cleaning. With the Group Policy Editor this is easy. In the Local Computer Policy, expand User Configuration → "Administrative Templates" → "Desktop", and the corresponding policy options are displayed in the right pane.

1. Hiding the desktop system icons

The traditional way to hide the system icons on the desktop is to edit the registry, which carries a certain degree of risk. With the Group Policy Editor, you can achieve the same result quickly and easily.

To hide the My Network Places and Internet Explorer icons on your desktop, enable the two policies "Hide My Network Places icon on desktop" and "Hide Internet Explorer icon on desktop" in the right pane. To hide all the icons on your desktop, enable "Hide and disable all items on the desktop". When the two policies "Remove My Documents icon on the desktop" and "Remove My Computer icon on the desktop" are enabled, the My Computer and My Documents icons disappear from your desktop. If you do not like having the Recycle Bin icon on the desktop, you can remove it as well by enabling the "Remove Recycle Bin icon from desktop" policy.

2. Prohibiting some changes to the desktop

If you do not want others to change the settings of your computer's desktop at will, enable the "Don't save settings at exit" policy in the right pane. When this setting is enabled, other users can still change the desktop, but some changes, such as the positions of icons and open windows and the position and size of the taskbar, are not saved after the user logs off.

IV. Prohibiting access to the Control Panel

If you do not want other users to access the computer's Control Panel, run the Group Policy Editor (Gpedit.msc), expand Local Computer Policy → User Configuration → Administrative Templates → Control Panel in the left pane, and then enable the "Prohibit access to the Control Panel" policy in the right pane.

This setting prevents the Control Panel program file (Control.exe) from starting. As a result, others will not be able to start Control Panel (or run any Control Panel items). In addition, this setting removes Control Panel from the Start menu. This setting also removes the Control Panel folder from Windows Explorer.

Special note: If a user tries to select a Control Panel item from the Properties item on a context menu, a message appears stating that a setting prevents this action.

V. Preventing users from using Add or Remove Programs

In Control Panel, the Add or Remove Programs item allows you to install, uninstall, repair, add, and remove Windows XP features and components, as well as a wide range of Windows programs. Programs that are published or assigned to a user appear in Add or Remove Programs. To prevent other users from installing and uninstalling programs, enable the "Remove Add or Remove Programs" policy in the right pane of the Local Computer Policy → User Configuration → Administrative Templates → Control Panel branch.

Enabling this setting removes Add or Remove Programs from the Control Panel and removes the Add or Remove Programs item from the menu. This setting does not prevent users from installing or uninstalling programs with other tools and methods.

VI. Setting user rights in Windows XP

When multiple people share a single computer, follow these steps to set user rights in Windows XP:

1. Run the Group Policy Editor (Gpedit.msc).

2. In the left pane of the editor window, expand Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment.

3. Double-click the user right that you want to change. Click Add, and then double-click the user account that you want to assign the right to. Click OK twice.
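To review the result of these steps without opening each right in the editor, the user rights assignments can be exported with secedit and read as text. The following PowerShell is an added example, not part of the original article; the function name ConvertFrom-PrivilegeRights and the sample export are constructed for illustration, and the commented secedit command must be run as an administrator.

```powershell
# Added example: list which accounts hold each user right in a secedit export.
# Live data (run as administrator):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   ConvertFrom-PrivilegeRights (Get-Content "$env:TEMP\rights.inf")

function ConvertFrom-PrivilegeRights {
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Only the [Privilege Rights] section carries user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $holders = $Matches[2]
            foreach ($entry in $holders.Split(',')) {
                $id = $entry.Trim()
                if (-not $id) { continue }          # right assigned to nobody
                $name = $id
                if ($id.StartsWith('*')) {          # "*S-1-..." is a SID
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = $id }         # unresolvable SID: keep raw form
                }
                New-Object PSObject -Property @{ Right = $right; Holder = $name }
            }
        }
    }
}

# Constructed sample in the format secedit writes (not taken from a real machine).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-547
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

ConvertFrom-PrivilegeRights $sample | Sort-Object Right | Format-Table Right, Holder -AutoSize
```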
