Windows operating system Group Policy application all the strategy

Anonymous Source: It expert network Forum 2007-07-23 13:31

　　First, what IS Group Policy

　　(a) What is the use of Group Policy?

When it comes to Group Policy, you have to mention the registry. The registry is a database of storage systems, application software configurations in Windows systems, and as Windows features become richer, more and more configuration items are in the registry. Many configurations can be customized, but these configurations are published in various corners of the registry, and if they are manually configured, it can be difficult and chores to imagine. The Group Policy integrates the important configuration functions of the system into various configuration modules, which can be used directly by the management personnel, so as to facilitate the management of the computer.

To put it simply, Group Policy is to modify the configuration in the registry. Of course, Group Policy uses its own more sophisticated management organization approach, which can manage and configure settings in a variety of objects, far more convenient, flexible, and powerful than manually modifying the registry.

　　(ii) version of Group Policy

Most Windows 9X/NT users may have heard the concept of "system Policy", and most of what we hear now is the name "Group Policy". In fact, Group Policy is a more advanced extension of system Policy, which is developed by the "System Policy" of Windows 9x/nt, with more administrative templates and more flexible settings objects and more features, which are currently used primarily in Windows 2000/xp/2003 systems.

Early system policy runs through policy Management templates that define specific. POL (usually a Config.pol) file. When the user logs on, it overrides the setting values in the registry. Of course, the System Policy Editor also supports modifications to the current registry, and it also supports connecting to network computers and setting up their registry. Group Policy and its tools, however, are direct modifications to the current registry. Obviously, the network function of Windows 2000/xp/2003 system is its biggest feature, its network function is natural, so the Group Policy tool can also open a computer on the network to configure, even can open an active Directory object (that is, site, Domain or organizational unit) and set it. This is not possible with the System Policy Editor tool previously.

The rationale for both system and Group Policy is to modify the corresponding configuration items in the registry to achieve the purpose of configuring computers, but some of their operating mechanisms have changed and expanded.

　　Ii. Administrative Templates in Group Policy

Several. adm files are included in the Windows 2000/xp/2003 directory. These files are text files, called Administrative Templates, that provide policy information for the Group Policy Management template project.

In a Windows 9X system, the default Admin.adm administrative template is saved in the same folder as the Policy Editor. In the INF folder of the Windows 2000/xp/2003 System folder, there are 4 template files under the default installation, respectively:

1) System.adm: Installed by default in Group Policy, for System setup.

2) Inetres.adm: Installed in Group Policy by default, for Internet Explorer policy settings.

3) Wmplayer.adm: For Windows Media Player settings.

4) Conf.adm: for NetMeeting settings.

In the Group Policy console of Windows 2000/xp/2003, you can add policy templates multiple times, and under Windows 9X, only one policy template is currently open. The methods for using policy templates are described below. First, use the following in the Windows 2000/XP/2003 Group Policy console:

First run the "Group Policy" program, and then select "Computer Configuration" or "User Configuration" under "Administrative Templates", press the right mouse button, in the pop-up menu select "Add/Remove Template", then pop up the dialog box shown in 1.

　　

Figure 1

Then click the Add button to select the appropriate. adm file in the dialog box that pops up. Click the Open button to open the selected script file in the System Policy Editor and wait for the user to execute it.

After you return to the Group Policy Editor main interface, open the directory "local Computer policy → user Configuration → Administrative Templates", then click on the appropriate directory tree, you will see our newly added administrative template generated by the configuration items (for the sake of the example later in this article we can work together, It is recommended to add additional template files in addition to the default template files.

Then look at the Group Policy Editor under Windows 9X. The dialog box shown in 2 pops up first by selecting Close on the File menu in the Group Policy Editor to close the current script and then selecting Template from the Options menu.

　　

Figure 2

Then click the Open Template button, select the appropriate. adm file in the dialog box that pops up and click the Open button, and then open the selected script file in the editor and wait for the user to execute it.

Third, run Group Policy

　　A Windows 2000/xp/2003 Group Policy console

In the case of a Windows 2000/xp/2003 system, the system has already installed the Group Policy program by default, and on the Start menu, click the Run command entry, enter gpedit.msc and OK to run the program (shown in interface 4).

　　

Figure 4

Using the method above, the Group Policy object that is opened is the current computer, and if you need to configure additional computer Group Policy objects, you need to open the Group Policy as a stand-alone console manager, in the following steps:

1) Open the Microsoft Management Console (you can enter MMC directly in the Run dialog box in the Start menu and return to run the console program).

2) On the File menu, click Add/Remove Snap-in.

3) On the Standalone tab, click Add.

4) in the Available Standalone Snap-in dialog box, click Group Policy, and then click Add.

5) in the Select Group Policy Object dialog box, click Local Computer to edit the local computer object, or locate the desired Group Policy object by clicking Browse.

6) Click Finish, click Close, and then click OK. The Group Policy snap-in opens the Group Policy object that you want to edit.

For a computer system that does not contain a domain, in the 5th step above, there is only the "Computer" tab and no other label items.

With this approach, we can use the powerful network configuration features of the Windows 2000/XP/2003 Group Policy system to make the administrator's work easier and more efficient.

The Windows 2000/xp/2003 Group Policy Management Console has three states of "checked, cleared, dimmed" three states, respectively: enabled, not Configured, disabled.

　　Four, "desktop" settings

Windows ' desktops are like our desks, which need to be regularly collated and cleaned, and Group Policy is like our personal secretaries, making desktop management a breeze. Let's take a look at a few useful configuration examples:

Location: "Group Policy console → User Configuration → administrative Templates → desktop"

　　1. Hide the desktop's system icon (Windows 2000/xp/2003)

Although the ability to hide the system icons on the desktop can be achieved by modifying the registry, it is cumbersome and risky. The method of Group Policy configuration can be used to achieve this goal conveniently and quickly.

For example, to hide the "Network Places" and "Internet Explorer" icons on the desktop, you can turn on the "Hide My Network Places on the desktop" and "Hide Internet Explorer icons on the desktop" Two policy options in the right pane (5); If you hide all the icons on your desktop, just turn on "Hide and disable all items on the desktop" and then "My Computer" and "My Documents" icons will disappear from your desktop when "delete My Documents on desktop" and "delete My Computer icons on desktop" two options are enabled; Also, if you want the Recycle Bin icon to disappear, you only need to enable the Remove Recycle Bin from desktop policy item.

　　

Figure 5

2. Do not save desktop settings when exiting (Windows 2000/xp/2003)

This policy prevents users from saving certain changes to the desktop. If you enable this policy, users can still make changes to the desktop, but some changes, the location of the target, the location and size of the taskbar, cannot be saved after the user logs off, but the shortcut on the taskbar can always be saved.

The "Do not save settings on exit" policy option is enabled in the right-hand pane.

　　3. Masking the "Desktop Cleanup Wizard" feature (Windows xp/2003)

The Desktop Cleanup Wizard will automatically run on the user's computer every 60 days to clear the desktops icons that users don't use frequently or never use. If you enable this policy setting, you can mask the Clean Desktop Wizard, and if you disable or do not configure this setting, the Desktop Cleanup Wizard runs every 60 days, according to the default settings.

Open the Delete Desktop Wizard in the right pane and set the policy options as needed.

　　4. Enable/disable "Active Desktop" (Windows 2000/xp/2003)

The Active Desktop is the advanced feature that comes with Windows 98 (and later) or a system with IE 4.0 installed, and the biggest feature is the ability to set up wallpaper in a variety of image formats, or even to display a Web page as a wallpaper. But because of security and performance considerations, sometimes we need to disable this feature (and prohibit users from enabling it), which can be easily achieved through policy settings. How to do this: open "Disable Active Desktop" in the right pane and enable this policy.

Tip: If both the Enable Active Desktop setting and the Disable Active Desktop setting are enabled, the Disable Active Desktop setting is ignored. If the Disable Active Desktop and Web views setting (in User Configuration → Administrative Templates →windows component →windows Explorer) is enabled, Active Desktop is disabled and both policies are ignored.

The above describes a few Group Policy configuration items on the desktop, in the "Group Policy console → User Configuration → administrative Templates → desktop" There are several other Group Policy configuration items, the reader can be configured as needed, here no longer repeat.

　　V. Personalization "taskbar" and "Start" menu

On the right side of the window shown in Figure 6, the relevant Group Policy configuration items for the taskbar and Start menu are displayed. Let's look at a concrete example:

　　

Figure 6

Location: Group Policy console → User Configuration → administrative templates → taskbar and Start menu

　　1. Give Start menu weight loss (Windows 2000/xp/2003)

If you feel that the Windows Start menu is too bloated, you can remove the unwanted menu items from the Start menu. In the right-hand pane of Group Policy, you have a variety of Group Policy configuration items, such as remove user folders from the Start menu, remove access and links to Windows Update, remove common program groups from Start menu, remove My Documents from the Start menu. You just need to enable the policy for the unwanted menu items.

　　2. Protect the Taskbar and Start menu (Windows 2000/xp/2003)

If you don't want to let others change the settings of the taskbar and Start menu, you can enable the two policy items in the right pane of the Group Policy console, prevent changes and Start menu settings, and prevent access to the taskbar's context menu. This way, when you right-click the taskbar and click Properties, an error message appears (Figure 7), and the popup menu is hidden when you right-click an item on the taskbar and on the taskbar, such as the Start button, clock, and taskbar button.

　　

Figure 7

　　3. Disable "logout" and "Shut Down" (Windows 2000/xp/2003)

When the computer starts, if you do not want this user to be "shut down" and "logoff" again, you can enable the "Remove and block access to shutdown" command in the right pane of the Group Policy console for the two policies.

This setting removes the "Shutdown" option from the Start menu and disables the Windows Task Manager dialog box

Windows operating system Group Policy application all the strategy