Windows Group Policy details

Source: Internet
Author: User

1. What is group policy?
(1) What does Group Policy do?

Any discussion of Group Policy has to start with the registry. The registry is the database in which Windows stores system and application configuration. As Windows has gained features, the number of configuration items in the registry has kept growing. Many of them can be customized, but they are scattered throughout the registry, and configuring them by hand is difficult and tedious. Group Policy gathers the important system configuration settings into modules that administrators can use directly, which makes computers easier to manage.

Put simply, Group Policy modifies configuration in the registry. It does so through a more structured way of managing and organizing the settings of various objects, which is far more convenient and flexible than editing the registry by hand, and more powerful as well.

(2) Versions of Group Policy

Most Windows 9x/NT users will have heard of "System Policy", while the name heard most often today is "Group Policy". Group Policy is in fact a more advanced extension of System Policy. It was developed from the System Policy of Windows 9x/NT and has more administrative templates, more flexible target objects, and more functions. It is currently used mainly on Windows 2000/XP/2003.

Early System Policy worked by defining a .pol file (usually config.pol) through policy templates. When a user logged on, the file overwrote the corresponding values in the registry. The System Policy Editor could also modify the current registry, and could connect to a networked computer and edit its registry. Group Policy and its tools modify the current registry directly. Networking is the most prominent feature of Windows 2000/XP/2003, so the Group Policy tools naturally have network capabilities too: they can open and configure a computer on the network, or even an Active Directory object (that is, a site, domain, or organizational unit). This was not possible with the System Policy Editor.

System Policy and Group Policy rest on the same basic principle, modifying the corresponding registry entries to configure the computer, but parts of the mechanism have changed and expanded.

2. Administrative templates in Group Policy

The Windows 2000/XP/2003 system directory contains several .adm files. These are text files called "administrative templates", and they supply the policy information for the Administrative Templates items in Group Policy.

In Windows 9x, the default admin.adm template is stored in the same folder as the Policy Editor. In Windows 2000/XP/2003, the inf folder under the system folder contains four template files that are installed by default:

1) system.adm: installed in Group Policy by default; used for system settings.
2) inetres.adm: installed in Group Policy by default; used for Internet Explorer policy settings.
3) wmplayer.adm: used for Windows Media Player settings.
4) conf.adm: used for NetMeeting settings.

In the Windows 2000/XP/2003 Group Policy console you can add several policy templates, whereas in Windows 9x only one policy template can be open at a time. The following describes how to use a policy template, starting with the Windows 2000/XP/2003 Group Policy console.
First run Group Policy, select "Computer Configuration" or "User Configuration", right-click, and choose "Add/Remove Templates" from the pop-up menu.

Click the Add button and select the .adm file in the dialog box that appears. Click Open, and the selected file is opened in the System Policy Editor, ready for the user to work with.

Return to the main window of the Group Policy editor and open "Local Computer Policy > User Configuration > Administrative Templates". Clicking through the tree shows the configuration items generated by the newly added template. (To make the examples later in this article easier to follow, we recommend adding the other template files in addition to the default ones.)

Now for the policy editor in Windows 9x. In the editor, choose "Close" from the "File" menu to close the current file, and then choose "Template" from the "Options" menu.

Click the Open Template button, select the .adm file in the dialog box that appears, and click Open. The selected file is then opened in the editor, ready for the user to work with.

3. Running Group Policy

(1) Windows 9x Policy Editor

Policy editing tools come in two kinds, depending on the operating system. One is the Windows 2000/XP/2003 Group Policy Management Console, which is installed by default with the system; the other is the Windows 9x System Policy Editor, which is not installed with the system. Its program files are in the \tools\reskit\netadmin\poledit directory on the Windows installation disc and include poledit.exe, poledit.inf, and windows.adm.

On Windows 9x, the following procedure performs a proper installation.

1. In Control Panel, double-click the "Add/Remove Programs" icon, click the "Windows Setup" tab, and then click "Have Disk".
2. In the "Install From Disk" dialog box, click the "Browse" button and specify the tools\reskit\netadmin\poledit directory of the Windows 9x installation disc.
3. Click "OK", and then click "OK" in the dialog box.
4. In the "Install From Disk" dialog box, select the "System Policy Editor" and "Group Policy" check boxes, and then click the "Install" button.

After the installation is complete, click the "Run" command, type poledit, and click "OK". An administrator can use the System Policy Editor in two different modes: registry mode and policy file mode.

1. Registry mode. In the File menu of the System Policy Editor, click "Open Registry", and then double-click the Local User or Local Computer icon, depending on which part of the registry you want to edit. In registry mode you edit the registry of a local or remote computer directly, and the changes are reflected immediately. After making changes, you must shut down and restart the computer for them to take effect.

2. Policy file mode. In the File menu of the System Policy Editor, click New or Open to open a policy file. In policy file mode you can create and modify system policy files (.pol) for other computers, so the registry is modified indirectly: the change is applied after the policy file is downloaded when the user logs on. When editing settings in policy file mode, clicking a registry option cycles it through three possible states: selected, cleared, and grayed. Each click shows the next state in turn, unlike a standard check box, which has only two states, selected or cleared.

If a setting needs additional information, an edit control appears at the bottom of the Default User Properties dialog box. In general, if a policy is selected and you do not want to enforce it, clear the check box to cancel the policy.

(2) Windows 2000/XP/2003 Group Policy console

On Windows 2000/XP/2003 the Group Policy program is installed by default. Click "Run" in the "Start" menu, type gpedit.msc, and click OK to start it.

Opened this way, the Group Policy object is that of the current computer. To configure the Group Policy object of another computer, open Group Policy as a standalone snap-in in a console, as follows:

1) Open the Microsoft Management Console (type mmc in the "Run" dialog box of the "Start" menu and press Enter).
2) On the File menu, click "Add/Remove Snap-in".
3) On the "Standalone" tab, click "Add".
4) In the "Available Standalone Snap-ins" dialog box, click "Group Policy" and then click "Add".
5) In the "Select Group Policy Object" dialog box, click "Local Computer" to edit the local computer object, or click "Browse" to find the Group Policy object you want.
6) Click "Finish", click "Close", and then click "OK". The Group Policy snap-in opens the Group Policy object for editing.

On computers that are not part of a domain, the page in step 1 shows only the "Computers" tab and no other tabs.

In this way, the network configuration capabilities of Windows 2000/XP/2003 Group Policy make the administrator's work easier and more efficient.

Configuration items in the Windows 9x Policy Editor have three states: selected, cleared, and grayed. The Windows 2000/XP/2003 Group Policy Management Console also has three states, but the names have changed: Enabled, Not Configured, and Disabled.
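To make the link between .adm templates, the three states, and the registry concrete, the following added example (not part of the original article and not Microsoft code) parses a small constructed ADM excerpt and reports which registry value each simple policy controls and what each state does to it. The function names parse_adm and registry_effect and the sample template are assumptions made for illustration; only simple policies without PART blocks are handled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed ADM excerpt written for this example (not copied from system.adm).
SAMPLE_ADM = r"""
CLASS USER
CATEGORY !!Desktop
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    ; no VALUEON/VALUEOFF below, so the ADM defaults apply
    POLICY !!HideAll
        VALUENAME "NoDesktop"
    END POLICY
    POLICY !!NoSave
        VALUENAME "NoSaveSettings"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
Desktop="Desktop"
HideAll="Hide and disable all items on the desktop"
NoSave="Don't save settings at exit"
"""

TOKEN = re.compile(r'"[^"]*"|\S+')
HIVES = {"USER": "HKCU", "MACHINE": "HKLM"}


@dataclass
class Policy:
    hive: str
    category: str
    name: str
    key: str
    value: str = ""
    on: int = 1                 # ADM default: write DWORD 1 when enabled
    off: Optional[int] = None   # None: delete the value when disabled


def parse_adm(text):
    """Return the simple (non-PART) policies declared in an ADM template."""
    parts = re.split(r"(?im)^\s*\[strings\]\s*$", text, maxsplit=1)
    strings = {}
    for line in (parts[1] if len(parts) > 1 else "").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            strings[k.strip()] = v.strip().strip('"')

    def label(tok):
        # "!!Name" is a reference into the [strings] section
        tok = tok.strip('"')
        return strings.get(tok[2:], tok[2:]) if tok.startswith("!!") else tok

    hive, cats, cur, in_part, out = "", [], None, False, []
    for raw in parts[0].splitlines():
        toks = []
        for t in TOKEN.findall(raw):
            if t.startswith(";"):       # rest of the line is a comment
                break
            toks.append(t)
        if not toks:
            continue
        kw = toks[0].upper()
        arg = toks[1] if len(toks) > 1 else ""
        if kw == "CLASS":
            hive = HIVES[arg.upper()]
        elif kw == "CATEGORY":
            # a nested category inherits KEYNAME from its parent
            cats.append([label(arg), cats[-1][1] if cats else ""])
        elif kw == "POLICY":
            cur = Policy(hive, "/".join(c[0] for c in cats), label(arg),
                         cats[-1][1] if cats else "")
        elif kw == "PART":
            in_part = True
        elif kw == "END":
            what = arg.upper()
            if what == "PART":
                in_part = False
            elif what == "POLICY" and cur:
                out.append(cur)
                cur = None
            elif what == "CATEGORY" and cats:
                cats.pop()
        elif in_part:
            continue                    # PART contents are out of scope here
        elif kw == "KEYNAME":
            if cur:
                cur.key = arg.strip('"')
            elif cats:
                cats[-1][1] = arg.strip('"')
        elif kw == "VALUENAME" and cur:
            cur.value = arg.strip('"')
        elif (kw in ("VALUEON", "VALUEOFF") and cur and len(toks) > 2
              and toks[1].upper() == "NUMERIC"):
            setattr(cur, "on" if kw == "VALUEON" else "off", int(toks[2]))
    return out


def registry_effect(policy, state):
    """Map a console state to the registry action the policy performs."""
    path = f"{policy.hive}\\{policy.key}\\{policy.value}"
    if state == "enabled":
        return ("set", path, policy.on)
    if state == "disabled":
        if policy.off is None:
            return ("delete", path, None)
        return ("set", path, policy.off)
    if state == "not configured":
        return ("none", path, None)     # the policy object writes nothing
    raise ValueError(f"unknown state: {state}")
```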

4. Desktop settings

A Windows desktop, like a desk, needs regular tidying, and Group Policy acts like a secretary that makes desktop management easy. Here are several practical configuration examples:

Location: "Group Policy console > User Configuration > Administrative Templates > Desktop"

1. Hide the desktop system icons (Windows 2000/XP/2003)

The system icons on the desktop can be hidden by editing the registry, but that is troublesome and risky. Group Policy achieves the same thing quickly and conveniently.

For example, to hide the "My Network Places" and "Internet Explorer" icons on the desktop, enable the "Hide My Network Places icon on desktop" and "Hide Internet Explorer icon on desktop" options in the right pane. To hide all the icons on the desktop, enable "Hide and disable all items on the desktop". Once "Remove My Documents icon on the desktop" and "Remove My Computer icon on the desktop" are enabled, the "My Computer" and "My Documents" icons disappear from the desktop. Similarly, to remove the "Recycle Bin" icon, enable the "Remove Recycle Bin icon from desktop" policy.

2. Do not save desktop settings at exit (Windows 2000/XP/2003)

This policy prevents users from saving certain changes to the desktop. With the policy enabled, users can still change the desktop, but some changes, including the position of open windows and the position and size of the taskbar, are not saved when the user logs off. Shortcuts on the taskbar, however, are always saved.

In the right pane, enable the policy "Don't save settings at exit".

3. Disable the Desktop Cleanup Wizard (Windows XP/2003)

The Desktop Cleanup Wizard runs automatically every 60 days and clears desktop icons that are rarely or never used. Enabling this policy blocks the Desktop Cleanup Wizard. If you disable or do not configure the setting, the wizard runs every 60 days, as it does by default.

Open "Remove the Desktop Cleanup Wizard" in the right pane and set the policy as needed.

4. Enable/disable "Active Desktop" (Windows 2000/XP/2003)

"Active Desktop" is an advanced feature that comes with Windows 98 (or later) or IE 4.0. Its main feature is that wallpaper can be set in various image formats, and web pages can even be displayed as wallpaper. For security and performance reasons, it is sometimes necessary to disable this feature (and to prevent users from enabling it), which is easy to do through policy settings: open "Disable Active Desktop" in the right pane and enable it.

Tip: If both "Enable Active Desktop" and "Disable Active Desktop" are enabled, the "Disable Active Desktop" setting is ignored. If the "Disable Active Desktop and Web View" setting (under "User Configuration > Administrative Templates > Windows Components > Windows Explorer") is enabled, Active Desktop is disabled and both policies are ignored.

Those are a few of the Group Policy items for the desktop. "Group Policy console > User Configuration > Administrative Templates > Desktop" contains several others, which you can configure as needed.

5. Customize the taskbar and "Start" menu

Group Policy also provides configuration items for the taskbar and "Start" menu. Here are some specific examples:
Location: "Group Policy console > User Configuration > Administrative Templates > Taskbar and Start Menu"

1. Slim down the "Start" menu (Windows 2000/XP/2003)

If the Windows "Start" menu is too bloated, unnecessary items can be removed from it. The right pane of Group Policy provides several items for this, such as "Remove user's folders from the Start Menu", "Remove links and access to Windows Update", "Remove common program groups from Start Menu", and "Remove My Documents icon from Start Menu". Enable the policy that corresponds to each menu item you do not want.

2. Protect the taskbar and "Start" menu (Windows 2000/XP/2003)

If you do not want others to change the taskbar and "Start" menu settings, enable the policies "Prevent changes to Taskbar and Start Menu Settings" and "Remove access to the context menus for the taskbar" in the right pane of the Group Policy console. After that, right-clicking the taskbar and clicking "Properties" produces an error message, and the pop-up menus that normally appear on right-clicking the taskbar and the items on it, such as the Start button, the clock, and the taskbar buttons, are hidden.

3. Disable "Log Off" and "Shut Down" (Windows 2000/XP/2003)

If you do not want the user to shut down or log off once the computer has started, enable the two policies "Remove Logoff on the Start Menu" and "Remove and prevent access to the Shut Down command" in the right pane of the Group Policy console.

This setting removes the "Shut Down" option from the Start menu and also disables it in the "Windows Task Manager" dialog box that appears on pressing Ctrl+Alt+Del, where the "Shut Down" option also appears. Note that although this setting prevents users from shutting down Windows, it cannot prevent them from using third-party tools to shut Windows down.

Tip: If you enable "Remove Logoff on the Start Menu", the "Display Logoff" item is removed from the Start Menu options, and users cannot restore the "Log Off <username>" item to the Start menu (other than by editing the registry manually). This setting affects only the Start menu. It does not affect the "Log Off" item in the "Windows Task Manager" dialog box (for that, "Remove and prevent access to the Shut Down command" must be enabled as well), and it does not prevent users from logging off by other means.

4. Use Group Policy to protect the privacy of personal documents (Windows 2000/XP/2003)

Windows records the files you have opened. This makes it easy to open a file again, but for security and performance reasons (for example, you do not want others to know which web pages you have visited and which files you have opened) you may want to turn the feature off. With Group Policy, you only need to enable the policies "Do not keep history of recently opened documents" and "Clear history of recently opened documents on exit" in the right pane.

In addition, if you enable this policy setting but leave the "Remove Documents menu from Start Menu" policy setting disabled, the "Documents" menu still appears on the "Start" menu, but it is empty. If you enable this policy and later disable it or set it to "Not Configured", the saved document shortcuts are shown again in the Documents menu and in the File menus of applications.

6. IE settings in one place

Microsoft Internet Explorer makes it easy to browse the Internet, but to get the most from it, it has to be configured. The Internet Options window in IE offers a fairly complete set of options (for example "Home page", "Temporary folder", "Security level", "Content Advisor", and so on), but some advanced functions are not offered there, and these can easily be set through Group Policy. Specific examples follow:

Location: "Group Policy console → User Configuration → Administrative Templates → Windows Components → Internet Explorer" (you need to add the inetres.adm template file)

1. Disable the "Open in New Window" menu item (Windows 2000/XP/2003)

For security reasons, it is sometimes necessary to block some of IE's menu functions. Group Policy provides a wide range of settings for this, such as disabling "Save As...", "File", "New", and so on. The following describes how to disable the "Open in New Window" menu item.

Open "Group Policy console → User Configuration → Administrative Templates → Windows Components → Internet Explorer → Browser menus", open the "Disable Open in New Window menu option" policy, and set it to "Enabled". When this policy is enabled, users cannot open a link in a new window by right-clicking it and clicking "Open in New Window". The policy can be used together with "File menu: Disable New menu option", which prevents users from opening the browser in a new window by clicking the "File" menu, pointing to "New", and clicking "Window".

Tip: With this policy enabled, clicking the "Open in New Window" command does not open the link in a new window; the system reports that the command is not available. Windows opened automatically by web pages are blocked as well, so the policy also suppresses pop-up advertisement windows.

2. Restrict IE's save function (Windows 2000/XP/2003)

When browsing web pages with IE, the "Save As" function can save resources to the local hard disk. When several people share a computer, restricting the browser's save function helps keep the hard disk clean. To do this, open "Group Policy console → User Configuration → Administrative Templates → Windows Components → Internet Explorer → Browser menus" and, in the right pane, enable the policies "File menu: Disable Save As... menu option", "File menu: Disable Save As Web Page Complete", "View menu: Disable Source menu option", and "Disable Context menu".

If you do not want others to change IE's settings, enable the "Tools menu: Disable Internet Options... menu option" policy. Other items can be disabled in this pane as needed.

3. Disable the "Internet Options" control panel (Windows 2000/XP/2003)

As mentioned above, disabling the "Internet Options" menu item keeps others from changing Internet Explorer settings casually. That method, however, cannot disable individual pages of the Internet Options dialog, which makes it awkward in practice. The following Group Policy settings meet that need:

Open "Group Policy console → User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel". The right pane lists policies such as "Disable the General page" and "Disable the Security page". Taking "Disable the General page" as an example: open it in the right pane and set it to "Enabled". Then open the Internet Options control panel; the "General" tab is no longer available, so users cannot see or change the settings for the home page, cache, history, web page appearance, and accessibility. Because this policy removes the "General" tab from the interface, when it is set there is no need to set policies under "User Configuration > Administrative Templates > Windows Components > Internet Explorer" such as "Disable changing home page settings" or "Disable changing color settings".

4. Prevent changes to the IE home page (Windows 2000/XP/2003)

If you do not want others to change your IE home page, go to "Group Policy console > User Configuration > Administrative Templates > Windows Components > Internet Explorer > toolbar", select the "Disable changing home page settings" policy, and enable it. In addition, "changing history settings", "changing color settings", and "changing Temporary Internet files settings" can be disabled in this pane.

With this policy enabled, the settings in the "Home page" area on the "General" tab of IE's "Internet Options" dialog box are grayed out.

Tip: If the "Disable the General page" policy under "Group Policy console > User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel" is set, this policy does not need to be set, because "Disable the General page" removes the "General" tab from the interface.

5. Customize the IE toolbar (Windows 2000/XP/2003)

The background of the IE toolbar and the buttons on it can be customized. This used to be done by editing the registry by hand, which was not intuitive; Group Policy now does it better and lets us build an IE of our own.

Go to "Group Policy console > User Configuration > Windows Settings > Internet Explorer Maintenance > Browser User Interface" > "Browser Toolbar Customizations". Here you can customize the background image of the browser toolbar: click Browse and select a BMP bitmap file (note: the background bitmap should match the toolbar and be bright enough for black text to show clearly, otherwise the result is unsatisfactory).

Next, add a shortcut of your own to the IE toolbar, for example "My QQ", which is easy to do here.

Click "Add", enter "My QQ" in "Toolbar caption", select the path of the QQ program in "Toolbar action", and finally select the paths of the "Color icon" and "Grayscale icon". (If you do not know how to extract the two icons, an extraction tool can be downloaded from any of the major download sites.) After setting this up, click "OK" and reopen IE to see the result.

7. Easy access to advanced Windows features

1. Set and lock the Windows Media Player skin (Windows 2000/XP/2003)

Windows Media Player is currently one of the most popular multimedia players. If you do not want other users to change the appearance of its interface, Group Policy makes that easy. Open "Group Policy console → User Configuration → Administrative Templates → Windows Components → Windows Media Player → User Interface → Set and Lock Skin" and enable the policy.

With this policy enabled, Windows Media Player is displayed only in the specified skin. The skin is the one named in the Skin box on the policy tab, and the complete file name of the skin must be used, for example miniplayer.wmz. If the skin file is not installed on the computer, the player opens with the Windows Media Player appearance.

Tip: This policy requires at least Windows Media Player v8.00, and the ADM file is wmplayer.adm.

2. Disable the screen saver during Windows Media Player playback (Windows 2000/XP/2003)

A screen saver protects the monitor, but when watching a movie in a player it is annoying if the screen saver suddenly starts and interrupts viewing. Group Policy solves the problem of the screen saver interrupting Windows Media Player playback. Open "Group Policy console → User Configuration → Administrative Templates → Windows Components → Windows Media Player → Playback → Allow Screen Saver" and set it to "Disabled".

3. Optimize the Windows Media Player network buffer (Windows 2000/XP/2003)

When Windows Media Player plays streaming media, it buffers the stream before playing so that playback is smooth. In practice, the appropriate buffering time varies with network bandwidth and server connection speed, but Windows Media Player uses the same setting throughout, which does not match actual network conditions. Network buffering can therefore be tuned to the bandwidth actually available. Open "Group Policy console → User Configuration → Administrative Templates → Windows Components → Windows Media Player → Networking → Configure Network Buffering" and set it to "Enabled". In the buffering time (in seconds) option that appears, set a value suited to the network bandwidth (up to 60 seconds).

Tip: With this policy enabled, the buffering options on the Performance tab of Windows Media Player cannot be configured.

4. Block access to all Windows Update features (Windows 2000/XP/2003)

Windows Update can connect to the Microsoft website automatically and download updates, which suits most users. For users who do not need updates or have little bandwidth the function is superfluous, and it is often rumored that Windows Update "secretly" sends user information to Microsoft, so this "smart" feature can also be blocked. Go to "Group Policy console > User Configuration > Administrative Templates > Windows Components > Windows Update", open the "Remove access to use all Windows Update features" policy, and enable it.

Tip: If you enable this setting, all Windows Update features are removed, including access to the Windows Update website http://windowsupdate.microsoft.com, the Windows Update hyperlink on the Start menu, and the Windows Update entry on the Tools menu of Internet Explorer. Windows automatic updating is also disabled: you receive neither notifications of updates nor critical updates from Windows Update. This setting also prevents Device Manager from automatically downloading driver updates from the Windows Update website.

5. Remote shutdown in Windows XP/2003 (Windows XP/2003)

Windows XP/2003 adds a command-line tool, "shutdown", which can shut down or restart the local or a remote computer. With it we can log off the user, shut down or restart the computer, and also perform timed and remote shutdowns. The syntax of the command is as follows:

shutdown [-i | -l | -s | -r | -a] [-f] [-m \\computername] [-t xx] [-c "message"] [-d [u][p]:xx:yy]

For the full parameters and usage of this command, see the Windows Help system, which has comprehensive information. Here is a brief look at some basic uses:

1) Log off the current user

shutdown -l

This command can only log off a local user; it does not apply to remote computers.

2) Shut down the local computer

shutdown -s

3) Restart the local computer

shutdown -r

4) Timed shutdown

shutdown -s -t 30

This shuts the computer down automatically after 30 seconds.

5) Abort a shutdown. If, after scheduling a shutdown, you want to cancel it for some reason, use shutdown -a to abort it.

The command syntax includes the parameter [-m \\computername], which names the computer to shut down or restart. If the parameter is omitted, the operation is performed locally. Try it with the following command:

shutdown -s -m \\anyes-Solon -t 30

This shuts down the computer named anyes-Solon in 30 seconds (anyes-Solon is a computer on the LAN with Windows XP/2003 installed).

After the command is run, the computer anyes-Solon does not respond at all, and the screen shows "Access is denied".

This is because, under the default Windows XP security policy, only users in the Administrators group have the right to shut the computer down remotely. When we access the computer from another computer on the LAN, we are generally authenticated only as the Guest user, so the command above is refused.

However, Group Policy can be used to grant the Guest user the right to shut the computer down remotely. Open "Group Policy console → Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Force shutdown from a remote system". The dialog box that appears shows that only members of the "Administrators" group have the right to shut the computer down remotely. Click the "Add User or Group" button at the bottom of the dialog box, enter "guest" in the dialog box that appears, and click "OK".

After these steps, the Guest user on the computer anyes-Solon holds the remote shutdown right. From then on, to shut down anyes-Solon remotely, enter the command shutdown -s -m \\anyes-Solon -t 60 on a computer on the network with Windows XP/2003 installed.

A "System Shutdown" dialog box then appears on the screen of anyes-Solon, with a timer at the bottom showing the time remaining before shutdown. During the wait, other tasks can be carried out, such as closing programs or opening files. The dialog box cannot be closed, however, except by using the shutdown -a command to abort the shutdown.
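Adding Guest to "Force shutdown from a remote system" widens who can shut the machine down over the network, so it is worth being able to check which accounts hold the right. The following added example (not part of the original article) reads the [Privilege Rights] section of a security template in the layout produced by secedit /export /cfg and lists every holder of SeRemoteShutdownPrivilege other than Administrators. The sample exports, the SIDs ending in 1104, and the function names are constructed for illustration.

```python
import re

# Constructed excerpts in the layout written by `secedit /export /cfg <file>`.
# Real exports are usually UTF-16; open them with encoding="utf-16".
DEFAULT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""
# The state after the change described above, plus one unknown account.
MODIFIED_EXPORT = DEFAULT_EXPORT.replace(
    "SeRemoteShutdownPrivilege = *S-1-5-32-544",
    "SeRemoteShutdownPrivilege = *S-1-5-32-544,Guest,"
    "*S-1-5-21-1111-2222-3333-1104")

ADMINISTRATORS = "S-1-5-32-544"
# Well-known principals that cover anonymous or very large sets of users.
BROAD = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
}
# The built-in Guest account always has relative ID 501.
GUEST_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-501$")


def privilege_holders(inf_text, privilege):
    """Return the accounts/SIDs assigned a user right in a secedit export."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, rhs = line.partition("=")
            if name.strip().lower() == privilege.lower():
                # SIDs are written with a leading "*", account names without
                return [p.strip().lstrip("*") for p in rhs.split(",")
                        if p.strip()]
    return []


def audit_remote_shutdown(inf_text, allowed=(ADMINISTRATORS,)):
    """List holders of SeRemoteShutdownPrivilege outside the allow-list."""
    findings = []
    for who in privilege_holders(inf_text, "SeRemoteShutdownPrivilege"):
        if who in allowed:
            continue
        if who in BROAD:
            findings.append(("high", who, BROAD[who]))
        elif who.lower() == "guest" or GUEST_SID.match(who):
            findings.append(("high", who, "built-in Guest account"))
        else:
            findings.append(("review", who, "not on the allow-list"))
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_EXPORT),
                        ("modified", MODIFIED_EXPORT)):
        print(label, audit_remote_shutdown(text))
```

The allow-list defaults to Administrators only, matching the default the article describes; pass a different tuple of SIDs if other groups are meant to hold the right.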

8. Using Group Policy to improve system performance

1. Increase Windows Internet access speed by 20% (Windows XP/2003)

By default, the Windows QoS packet scheduler limits the system to 80% of the connection bandwidth, which is no small cost on a low-bandwidth network. A Group Policy setting can override the default and raise the Internet access rate by 20%!

Open "QoS Packet Scheduler" under "Group Policy console > Computer Configuration > Administrative Templates > Network" and enable this policy. Then use the "Bandwidth limit" box below to adjust the proportion of bandwidth available to the system, set it to 0%, and click OK to exit. The other 20% of the bandwidth can then be used.

2. Disable the thumbnail cache (Windows XP/2003)

Windows XP/2003 has a thumbnail view. To speed up the display of frequently viewed thumbnails, the system caches the images so that they can be read straight from the cache the next time the folder is opened. If you do not want the system to cache the images (for example, because they are viewed only once), Group Policy can disable the thumbnail cache, which greatly speeds up first-time browsing (because no caching is performed).

Open "Turn off caching of thumbnail pictures" under "Group Policy console > User Configuration > Administrative Templates > Windows Components > Windows Explorer" and enable this policy.

3. Block the built-in CD burning function (Windows XP/2003)

Windows XP/2003 has built-in CD burning. If a CD recorder is attached to the computer, Windows Explorer lets you create and modify rewritable CDs. This undoubtedly affects system performance and the speed of Windows Explorer, so Group Policy can be used to block the function (most users use dedicated CD recording software).

Open "Remove CD Burning features" under "Group Policy console > User Configuration > Administrative Templates > network>" and enable this policy.

4. Disable system restoration (Windows XP/2003)

System Restore is a powerful feature integrated in Windows XP/2003. It backs up changed files and data while the system is running, and allows you to restore your computer to a previous state without losing your personal data files. By default, System Restore is on.

However, the cost for this function is also quite large, and the system performance will be significantly reduced, and the disk space will also be occupied. We strongly recommend that you disable this function for computers with low configurations.

Open "Disable System Restore" in "Group Policy console> Computer Configuration> management template> system> System Restore" and enable this policy. After this setting is enabled, System Restore is turned off, and the "System Restore wizard" and its "configuration interface" can no longer be accessed.

5. Prevent Windows Messenger from running automatically (Windows XP/2003)

More and more good application software is integrated into Windows systems, but none of this built-in software can be uninstalled, which has caused dissatisfaction among many computer users. For example, in Windows XP, Windows Messenger not only cannot be uninstalled, but also runs automatically along with the system. For users who do not access the Internet or who do not need Windows Messenger at all, the automatic running of the software should of course be blocked.

Open "Windows Messenger not allowed" in "Group Policy console> Computer Configuration> management template> Windows Components> Windows Messenger" and enable this policy.

Tip: This setting appears in the "Computer Configuration" and "user configuration" folders. If both settings are configured, the settings in Computer Configuration take precedence over those in user configuration.

9. Using group policies to build an impregnable wall around the system

1. Hide specified drives in My Computer (Windows XP/2003)

This policy removes the icons representing the selected hard drives from My Computer and Windows Resource Manager. The drive letters of the selected drives also do not appear in the standard Open dialog box.

Go to "Group Policy console> User Configuration> management template> Windows Components> Windows Resource Manager"> "hide the specified drives in my PC", enable this policy, and select one or more drives from the list box below.

Tip: this policy only removes the drive icons. Users can still reach the drive content in other ways. The policy does not prevent users from using programs to access these drives or their content, nor does it prevent users from using the Disk Management snap-in to view and change drive properties.

2. Prevent access to drives from My Computer (Windows 2000/XP/2003)

This policy prevents users from viewing the content of the selected drives in My Computer or Windows Resource Manager. It also prevents them from using the Run dialog box, the Map Network Drive dialog box, or the dir command to view the directories on these drives.

Go to "Group Policy console> User Configuration> management template> Windows Components> Windows Resource Manager"> "prevent access to the drive from my computer", enable this policy, and select one or more drives from the list box below.

Tip: The icons for the specified drives still appear in "My Computer", but if a user double-clicks an icon, a message appears explaining that a setting prevents this operation. These settings do not prevent users from using other programs to access local and network drives, nor do they prevent them from using the Disk Management snap-in to view and change drive properties.

3. Disable the command prompt (Windows 2000/XP/2003)

In Windows 2000/XP/2003, we can run cmd.exe to open the command prompt and then run DOS commands and other command-line programs. For security reasons, some systems should block this function.

Open "block access command prompt" in "Group Policy console> User Configuration> management template> System", enable this policy, and select "Also disable command prompt script processing" in the list box below. This option determines whether batch files (.cmd and .bat) can run on the computer.

If this setting is enabled, a message is displayed when the user tries to open the command window, explaining that a setting blocks this operation.

4. Prevent changes to the Display Properties (Windows 2000/XP/2003)

Select "Display" in "Control Panel", or right-click a blank area of the Windows desktop and select "Properties", to open the "Display Properties" dialog box, where you can set the desktop theme, desktop background, screen saver, and display settings. If you don't want others to modify these settings at will, you can hide them through the Group Policy.

Open "Group Policy console → User Configuration → management template → Control Panel → Display". You can then see policy items such as hiding the Desktop tab, hiding the Themes tab, hiding the Screen Saver tab, and hiding the Settings tab, and configure them as needed. For example, if the "Hide Desktop tab" policy is enabled and the "Display Properties" dialog box is then opened, the "Desktop" tab is not visible, so the desktop properties can no longer be changed.

5. Disable Registry Editor (Windows 2000/XP/2003)

To prevent others from modifying the registry after they gain access to the computer, you can block access to the Registry Editor in the Group Policy. Go to "Group Policy console> User Configuration> System"> "Disable registry editing tools" and enable this policy.

After this policy is enabled, the system blocks the operation and displays a warning message when a user tries to start the Registry Editor (regedit.exe and regedt32.exe).

6. Completely prohibit access to the control panel (Windows 2000/XP/2003)

If you do not want other users to access the computer's "Control Panel", you can also use group policies. Open "forbidden access control panel" in "Group Policy console> User Configuration> management template> Control Panel" and enable this policy.

After this policy is enabled, the Control Panel program (control.exe) cannot be launched, so others cannot start the Control Panel or run any Control Panel item. This setting also removes "Control Panel" from the "Start" menu and removes the Control Panel folder from "Windows Resource Manager".

7. Prevent creation of new dial-up connections (Windows 2000/XP/2003)

If you do not want others to establish a new connection on the computer to dial up the Internet, you can also set up a group policy. Open the "prohibit access to new connection wizard" in "Group Policy console> User Configuration> management template> network connection" and enable this policy.

After this policy is enabled, "New Connection" does not appear in the "Network Connection" folder or the "Start" menu.

Tip: This setting cannot prevent users from using other programs such as Internet Explorer to bypass this setting. In addition, this setting takes effect only after the computer is restarted.

8. Disable "Add/delete programs" (Windows 2000/XP/2003)

The "add or delete programs" item in "Control Panel" allows you to install, uninstall, repair, and add and delete Windows functions and components, as well as a wide range of Windows programs. If you want to prevent other users from installing or uninstalling programs, you can use group policies.

Open "Remove Add/delete programs" in "Group Policy console> User Configuration> management template> Control Panel> Add/delete programs" and enable this policy. When we then open the "Add/delete programs" module in the "Control Panel", a warning window is displayed and "Add/delete programs" cannot be run.

In addition, the Add/delete programs branch contains policy items for adding new programs, adding programs from CD-ROM or floppy disk, adding programs from Microsoft, adding programs from the network, and so on. By setting these policy items, the system files and applications on the computer are protected.

9. Restrict the use of applications (Windows 2000/XP/2003)

If multiple users are set up on your computer, there may be programs that you do not want other users to run at will. This can also be set in group policies.

Open "Run only allowed Windows applications" in "Group Policy console> User Configuration> management template> System" and enable this policy. Click the "Show" button next to "List of allowed applications" to bring up a "Show Contents" dialog box, then click the "Add" button there to add the applications that are allowed to run. Generally, users can then run only the programs in the "List of allowed applications".
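Because these policies end up as registry values, the restrictions from items 1, 2, 3, 5 and 6 above can be checked offline from a `reg export` of a user's policy keys. The following is an added example, not part of the original article: the value names (NoDrives, NoViewOnDrive, DisableCMD, DisableRegistryTools, NoControlPanel) are the standard Windows policy values and do not appear on this page, the sample export is constructed, and the parser assumes value names are unique across the exported keys. It decodes the drive bitmask and flags drives that are only hidden, which the tip under item 1 notes remain accessible.

```python
import re
import string

# Constructed sample: text of a `reg export` of one user's policy keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:0000000c
"NoViewOnDrive"=dword:00000004
"NoControlPanel"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
'''

DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_dwords(reg_text):
    """Return {value_name: int} for every DWORD value in a .reg export."""
    values = {}
    for line in reg_text.splitlines():
        m = DWORD_LINE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def drives_in_mask(mask):
    """Decode the drive bitmask: bit 0 is A:, bit 1 is B:, ... bit 25 is Z:."""
    return [c for i, c in enumerate(string.ascii_uppercase) if mask >> i & 1]

def audit(reg_text):
    """Summarise which of the restrictions above are set in the export."""
    v = parse_dwords(reg_text)
    hidden = drives_in_mask(v.get("NoDrives", 0))
    blocked = drives_in_mask(v.get("NoViewOnDrive", 0))
    return {
        "hidden_drives": hidden,
        "blocked_drives": blocked,
        # Hidden but not blocked: the icon is gone, the contents are still reachable.
        "hidden_only": [d for d in hidden if d not in blocked],
        # DisableCMD: 1 blocks cmd.exe and batch files, 2 blocks cmd.exe only.
        "cmd_blocked": v.get("DisableCMD", 0) in (1, 2),
        "batch_files_blocked": v.get("DisableCMD", 0) == 1,
        "regedit_blocked": v.get("DisableRegistryTools", 0) != 0,
        "control_panel_blocked": v.get("NoControlPanel", 0) == 1,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

In the constructed sample, drive D is hidden but not access-restricted and batch files still run, which are the two gaps the tips above describe.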
