In today’s Geek School tutorial, we’re going to explain how to use the Local Group Policy Editor to make changes to your computer that aren’t available any other way.
It should be noted right away that the Group Policy Editor is available only in professional versions of Windows — Home or Home Premium users will not have access to it. It’s still worth learning though.
Group policies are a really powerful way to set up a corporate network with every computer locked down, so that users can’t mess it up with unwanted changes and unapproved software can’t run, among many other uses.
However, at home, you probably don’t want to set limits on password length or force yourself to change your password. And you probably won’t need to lock your machines to run only certain approved executables.
Still, there are many other things you can configure, such as disabling unwanted Windows features, blocking certain applications from running, or creating scripts that run during login or logout.
Understanding the Interface
The interface is very similar to any other administration tool — the tree view on the left allows you to search for settings in a hierarchical folder structure, there is a list of settings, and a preview pane that gives you more information about a particular setting.
There are two top-level folders to keep in mind:
- Computer configuration — contains settings that apply to computers regardless of which user logs on.
- User configuration — contains settings that apply to user accounts.
Under each of these folders, there are several folders that allow you to drill down into the available settings:
- Software Options — This folder is for software-related configurations and is empty by default on client Windows.
- Windows Settings — This folder contains security settings and scripts for login/logout and startup/shutdown.
- Administrative Templates — This folder contains registry-based configurations, which are essentially a quick way to tweak settings for your computer or user account. There are many settings available.
Security Settings
If you were to double-click Deny Command Line Access in the screenshot above, you would see a window similar to this — in fact, most of the settings in the Administrative Templates will look similar.
This particular setting will allow you to block access to the command line for users on the PC. You can also set the option in the dialog box to block batch files.
Another option in the same folder is the “Run only specified Windows applications” setting — you must set it to “Enabled” and then provide a list of allowed applications. Everything else will be blocked from running.
In this case, if you run an application that is not listed, you will get an error message like this.
It’s worth noting that misconfiguring rules like these can lock you out of your own PC, so be careful.
Security UAC Settings
In the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Settings folder, you will find many interesting settings that will make your computer more secure.
The first option can be found in this folder as “User Account Control: Prompt for Administrators Elevation Behavior”. If you select “Require Credentials on Secure Desktop”, it will force you (or another user) to enter your password every time you try to run something in admin mode.
This option makes Windows more like Linux or Mac, where you are asked to provide a password any time you need to make changes, and because Secure Desktop doesn’t allow other applications to mess with the dialog, it’s a lot more secure.
Other useful options:
- UAC: Only elevate executables that are signed and verified. This setting prevents applications that are not digitally signed from running with administrative privileges.
- Recovery Console, allow automatic administrative logon — When you need to use the Recovery Console to perform system tasks, you usually have to provide an administrator password. If you have forgotten this password, this will make it easier for you to reset it. (And since you can easily wipe your Windows password, it’s not all that secure.)
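The settings covered so far are stored as registry values, so their current state can be checked without opening the editor. The read-only PowerShell audit below is an added example, not part of the original tutorial; the registry paths and value names are the standard Windows locations for these policies, and Get-PolicyValue and $checks are names made up for this example.

```powershell
# Added example: read-only audit of the registry values behind the policies above.
# Get-PolicyValue and $checks are names made up for this example.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$uac      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Label = 'Command prompt access'; Name = 'DisableCMD'
       Path  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Map   = @{ 1 = 'cmd and batch files blocked'; 2 = 'cmd blocked, batch files allowed' } },
    @{ Label = 'Run only specified applications'; Name = 'RestrictRun'
       Path  = $explorer
       Map   = @{ 1 = 'allow-list enforced' } },
    @{ Label = 'UAC prompt for administrators'; Name = 'ConsentPromptBehaviorAdmin'
       Path  = $uac
       Map   = @{ 0 = 'elevates without prompting'; 1 = 'credentials on secure desktop'
                  2 = 'consent on secure desktop';  3 = 'prompt for credentials'
                  4 = 'prompt for consent';         5 = 'consent for non-Windows binaries' } },
    @{ Label = 'UAC signed-executables-only elevation'; Name = 'ValidateAdminCodeSignatures'
       Path  = $uac
       Map   = @{ 0 = 'disabled'; 1 = 'enabled' } },
    @{ Label = 'Recovery Console automatic admin logon'; Name = 'SecurityLevel'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
       Map   = @{ 0 = 'password required'; 1 = 'allowed without password' } }
)

foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Name
    if ($null -eq $v)                    { $state = 'not configured' }
    elseif ($c.Map.ContainsKey([int]$v)) { $state = $c.Map[[int]$v] }
    else                                 { $state = "unrecognized value $v" }
    '{0,-42} {1}' -f $c.Label, $state
}

# If the allow-list is enforced, print the executables it permits.
$allowKey = Join-Path $explorer 'RestrictRun'
if (Test-Path $allowKey) {
    $key = Get-Item $allowKey
    $key.GetValueNames() | ForEach-Object { "  allowed: $($key.GetValue($_))" }
}
```

The two per-user checks read the HKCU hive of whoever runs the script, so run it as the account whose restrictions you want to inspect.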
It’s worth noting that many of the policies in the list don’t actually apply to every version of Windows. For example, in the screenshot below, the “Delete My Documents icon” option is only available for Windows XP and 2000. Some other policies will say “At least Windows XP” or something similar, which would mean that they will continue to work in all versions.
There are a huge number of settings in the Group Policy Editor, so it’s definitely worth spending some time looking through them if you’re interested. Most settings allow you to turn off Windows features that you don’t particularly like — very few give you features that you didn’t have by default.
Configuring scripts to run at login, logout, startup, or shutdown