In today’s Geek School tutorial, we’re going to explain how to use the Local Group Policy Editor to make changes to your computer that aren’t available any other way.


It should be noted right away that the Group Policy Editor is available only in professional versions of Windows — Home or Home Premium users will not have access to it. It’s still worth learning though.

Group policies are a really powerful way to set up a corporate network with every computer locked down, so users can’t mess it up with unwanted changes or run unapproved software, among many other uses.

However, at home, you probably don’t want to set limits on password length or force yourself to change your password. And you probably won’t need to lock your machines to run only certain approved executables.

However, there are many other things you can configure, such as disabling unwanted Windows features, blocking certain applications from running, or creating scripts that run during login or logout.

Understanding the Interface

The interface is very similar to any other administration tool — the tree view on the left allows you to search for settings in a hierarchical folder structure, there is a list of settings, and a preview pane that gives you more information about a particular setting.

There are two top-level folders to keep in mind:

  • Computer configuration — contains settings that apply to computers regardless of which user logs on.
  • User configuration — contains settings that apply to user accounts.

Under each of these folders, there are several folders that allow you to drill down into the available settings:

  • Software Options — This folder is for software-related configurations and is empty by default on client Windows.
  • Windows Settings — This folder contains security settings and scripts for login/logout and startup/shutdown.
  • Administrative Templates — This folder contains registry-based configurations, which are essentially a quick way to tweak settings for your computer or user account. There are many settings available.

Security Settings

If you were to double-click Deny Command Line Access in the screenshot above, you would see a window similar to this — in fact, most of the settings in the Administrative Templates will look similar.

This particular setting will allow you to block access to the command line for users on the PC. You can also set the option in the dialog box to block batch files.

Another option in the same folder is the “Run only specified Windows applications” setting — you must set it to “Enabled” and then provide a list of allowed applications. Everything else will be blocked from running.

In this case, if you run an application that is not listed, you will get an error message like this.

It’s worth noting that not following such rules can get you banned if you do something wrong, so be careful.

Security UAC Settings

In the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Settings folder, you will find many interesting settings that will make your computer more secure.

The first option can be found in this folder as “User Account Control: Prompt for Administrators Elevation Behavior”, and if you select “Require Credentials on Secure Desktop”, it will force you (or another user) to enter your password every time you try to run something in admin mode.

This option makes Windows more like Linux or Mac, where you are asked to provide a password any time you need to make changes, and because Secure Desktop doesn’t allow other applications to mess with the dialog, it’s a lot more secure.

Other useful options:

  • UAC: Only elevate executables that are signed and verified. This setting prevents applications that are not digitally signed from running with administrative privileges.
  • Recovery Console, allow automatic administrative logon — When you need to use the Recovery Console to perform system tasks, you usually have to provide an administrator password. If you have forgotten this password, this will make it easier for you to reset it. (And since you can easily wipe your Windows password, it’s not all that secure.)
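
The settings discussed so far (blocking the command line, the allowed-applications list, the UAC prompt behavior, signed-only elevation and the Recovery Console logon) all end up as registry values, so they can be reviewed without clicking through the editor. The following read-only report is an added example, not part of the original tutorial; the registry locations and value meanings are the standard Windows ones and are not quoted from this page.

```powershell
# Added example: read-only report of the registry values behind the policies above.
# Registry locations are the standard Windows ones; they are not quoted from the article.
$uac  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$rc   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
$sys  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$expl = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$checks = @(
    @{ Path = $uac; Name = 'ConsentPromptBehaviorAdmin'; Meaning = @{
        0 = 'elevate without prompting';  1 = 'credentials on secure desktop'
        2 = 'consent on secure desktop';  3 = 'credentials, normal desktop'
        4 = 'consent, normal desktop';    5 = 'consent for non-Windows binaries' } }
    @{ Path = $uac; Name = 'PromptOnSecureDesktop'; Meaning = @{
        0 = 'prompt shown on the normal desktop'; 1 = 'prompt shown on the secure desktop' } }
    @{ Path = $uac; Name = 'ValidateAdminCodeSignatures'; Meaning = @{
        0 = 'unsigned executables may elevate'; 1 = 'only signed, validated executables elevate' } }
    @{ Path = $rc; Name = 'SecurityLevel'; Meaning = @{
        0 = 'Recovery Console asks for the password'; 1 = 'automatic administrative logon' } }
    @{ Path = $sys; Name = 'DisableCMD'; Meaning = @{
        1 = 'cmd.exe and batch files blocked'; 2 = 'cmd.exe blocked, batch files allowed' } }
    @{ Path = $expl; Name = 'RestrictRun'; Meaning = @{
        0 = 'no allow-list enforced'; 1 = 'only allow-listed applications may run' } }
)

$report = foreach ($c in $checks) {
    $name = $c.Name
    # Get-ItemProperty returns nothing when the key or value is absent (policy not configured).
    $raw = (Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue).$name
    $meaning = if ($null -eq $raw) { 'not configured (Windows default applies)' }
    elseif ($c.Meaning.ContainsKey([int]$raw)) { $c.Meaning[[int]$raw] }
    else { 'unrecognised value' }
    [pscustomobject]@{
        Hive    = $c.Path.Substring(0, 4)   # HKLM = whole machine, HKCU = current user only
        Setting = $name
        Value   = $raw
        Meaning = $meaning
    }
}
$report | Format-Table -AutoSize -Wrap

# The allow-list itself is a subkey whose values are the permitted executable names.
$allow = Get-Item -Path "$expl\RestrictRun" -ErrorAction SilentlyContinue
if ($allow) {
    'Allow-listed applications:'
    $allow.GetValueNames() | ForEach-Object { "  $($allow.GetValue($_))" }
}
```

The HKCU rows describe only the account that runs the script, so run it as each user whose restrictions you want to review.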

It’s worth noting that many of the policies in the list don’t actually apply to every version of Windows. For example, in the screenshot below, the “Delete My Documents icon” option is only available for Windows XP and 2000. Some other policies will say “At least Windows XP” or something similar, which would mean that they will continue to work in all versions.

There are a huge number of settings in the Group Policy Editor, so it’s definitely worth spending some time looking through them if you’re interested. Most settings allow you to turn off Windows features that you don’t particularly like — very few give you features that you didn’t have by default.

Configuring scripts to run at login, logout, startup, or shutdown

Another example of what you can only do with the Group Policy Editor is to set a logoff or shutdown script to run every time you restart your computer.

This can be very useful for cleaning up your system or quickly backing up certain files every time you shut down, and you can use batch files or even PowerShell scripts for any of these. The only caveat is that these scripts must run silently or they will block the logout process.

There are two different types of scripts that you can run.

It’s worth noting that the login and logout scripts will prevent you from running utilities that require administrator access if you have UAC completely disabled.

For today’s example, we’ll create a logout script by going to User Configuration -> Windows Settings -> Scripts and double-clicking Logout.

The logout properties window allows you to add multiple logout scripts to run.

Alternatively, you can configure PowerShell scripts instead.

The important thing to note here is that your scripts must be in a specific folder for them to work properly.

The login and logout scripts should be in the following folders:

The startup and shutdown scripts, however, should be in the following folders:

After setting up the logout script, you can test it out — we installed a simple script that created a text file on the desktop and then logged out and back in again. But you can make it do whatever you want.

And of course, if you run a login script instead, it can launch applications.

It’s important to note that if your script asks for user input, Windows will hang during shutdown or logout for 10 minutes before the script completes and Windows can restart. This is something you should keep in mind when developing your script.
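
A logout script that respects both caveats above (it runs silently and never waits for input) could look like the following. This is an added example, not the script used in the original tutorial; the source and destination folders, the log file name and the 60-second time budget are hypothetical values chosen for illustration.

```powershell
# Added example: a logoff backup script that cannot block the logout.
# $Source, $Dest, $Log and $Budget are hypothetical values; adjust them to your machine.
$ErrorActionPreference = 'Stop'              # errors become exceptions handled below
$ConfirmPreference     = 'None'              # never raise a confirmation prompt
$ProgressPreference    = 'SilentlyContinue'  # no progress UI

$Source = Join-Path $env:USERPROFILE 'Documents\Notes'
$Dest   = Join-Path $env:USERPROFILE 'Backups\Notes'
$Log    = Join-Path $env:LOCALAPPDATA 'logoff-backup.log'
$Budget = [TimeSpan]::FromSeconds(60)        # stop early rather than delay the logout
$Clock  = [Diagnostics.Stopwatch]::StartNew()

function Write-Log([string]$Message) {
    # Results go to a file because nobody is watching the screen during logout.
    "{0:s} {1}" -f (Get-Date), $Message | Add-Content -Path $Log
}

try {
    if (-not (Test-Path -LiteralPath $Source)) {
        Write-Log "skip: $Source not found"
        exit 0
    }
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    $copied = 0
    foreach ($file in Get-ChildItem -LiteralPath $Source -File -Recurse) {
        if ($Clock.Elapsed -gt $Budget) {
            Write-Log "time budget reached after $copied file(s)"
            break
        }
        # Rebuild the file's relative path under the destination folder.
        $relative = $file.FullName.Substring($Source.Length).TrimStart('\')
        $target   = Join-Path $Dest $relative
        $existing = Get-Item -LiteralPath $target -ErrorAction SilentlyContinue
        # Skip files whose backup copy is already as new as the original.
        if ($existing -and $existing.LastWriteTimeUtc -ge $file.LastWriteTimeUtc) { continue }
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force
        $copied++
    }
    Write-Log "ok: $copied file(s) copied in $([int]$Clock.Elapsed.TotalSeconds)s"
}
catch {
    # Log the failure and fall through; an unhandled error must not stall the logout.
    Write-Log "error: $($_.Exception.Message)"
}
exit 0
```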

Group Policy doesn’t end there.

We’ve just covered Group Policy, and in a corporate domain environment, it’s one of the most powerful and important tools at your disposal. Since this series is not about IT users, we won’t go into the rest, but it’s worth doing a little research on your own.
