How to use the Windows Local Group Policy Editor (gpedit.msc)

In today's lesson we look at how to use the Local Group Policy Editor, a little-known but extensive part of Windows from which you can make many changes to the PC that would otherwise be possible only by editing registry keys directly, which is more complicated.
The Group Policy editor is only available in the Pro versions of Windows and is absent in the Home and Premium versions.
However, you can download and install gpedit.msc on Windows 10, 7 and 8 Home.
In general there is no reason to touch these group policies on a home PC, but it is still worth knowing how to access them and what they can do, so that you are prepared if a change is ever required.
For example, Group Policy is useful for configuring security on a corporate network to block certain changes on all computers or to prevent users from running unapproved software.
To open the Group Policy Editor on Windows, open a Run window by pressing Windows+R, then type gpedit.msc and press Enter.
The window that opens is similar to any other administration tool, with a hierarchical tree of folders that each contain many settings.
There are a great many settings, but each one is described in detail.
There are two main folders: Computer Configuration, with settings that affect system behavior for all users, and User Configuration, which changes the behavior of Windows based on the user who is logged in.
Under each of the two main folders there are three sections:
- Software Settings, where new customized configurations can be created.
- Windows Settings, a folder that contains the security settings and the startup/shutdown scripts.
- Administrative Templates, with registry-based configurations; this is the part that is easiest to work with, and it has many options available.
Security settings (some examples)
To give an example of how to tighten security at the user level, go to User Configuration -> Administrative Templates -> System and double-click the "Prevent access to the command prompt" setting.
In the window that opens, select Enabled and then press Apply to block access to the command prompt for all users of the PC.
Another option in the same folder lets you choose which programs can be opened on your computer.
Double-click "Run only specified Windows applications", enable it and then list the programs to allow.
Everything else is now blocked.
Under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options you will find many useful settings to make your computer a little more secure if you want.
For example, you can rename the Administrator account and the Guest account, and you can set "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to prompt for credentials, so that you are asked to enter the password every time you try to do something in administrator mode.
With this option, Windows becomes more secure and similar to Linux and Mac, where you are asked to provide your password every time you need to make a change.
With "User Account Control: Only elevate executables that are signed and validated" enabled, applications that are not digitally signed cannot be run as administrator.
"Recovery console: Allow automatic administrative logon" removes the password request when the Recovery Console is used to perform system operations.
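Because these policies are registry-based, their current state can be checked without opening the editor. The following read-only audit is an added example, not part of the original article: the helper name Get-PolicyValue is hypothetical, and the registry paths and value names (which the article does not list) are the standard Windows locations for the settings named above. The HKCU entries reflect the user running the script.

```powershell
# Added example: read-only audit, changes nothing on the system.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$uac      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Policy = 'Prevent access to the command prompt'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'
       Meaning = @{ 1 = 'cmd.exe and batch files blocked'; 2 = 'cmd.exe blocked, batch files allowed' } }
    @{ Policy = 'Run only specified Windows applications'
       Path = $explorer; Name = 'RestrictRun'
       Meaning = @{ 1 = 'allow-list enforced' } }
    @{ Policy = 'UAC: Behavior of the elevation prompt for administrators'
       Path = $uac; Name = 'ConsentPromptBehaviorAdmin'
       Meaning = @{ 0 = 'elevate without prompting'; 1 = 'prompt for credentials (secure desktop)'
                    2 = 'prompt for consent (secure desktop)'; 3 = 'prompt for credentials'
                    4 = 'prompt for consent'; 5 = 'prompt for consent for non-Windows binaries' } }
    @{ Policy = 'UAC: Only elevate executables that are signed and validated'
       Path = $uac; Name = 'ValidateAdminCodeSignatures'
       Meaning = @{ 0 = 'disabled'; 1 = 'enabled' } }
    @{ Policy = 'Recovery console: Allow automatic administrative logon'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
       Name = 'SecurityLevel'
       Meaning = @{ 0 = 'password required'; 1 = 'no password required' } }
)

$report = foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Name
    $state = if ($null -eq $v) { 'value not set' } elseif ($c.Meaning.ContainsKey([int]$v)) {
        $c.Meaning[[int]$v]
    } else { "unrecognized value $v" }
    [pscustomobject]@{ Policy = $c.Policy; Value = $v; State = $state }
}
$report | Format-Table -AutoSize -Wrap

# Programs on the allow-list, if the policy has created one.
$listKey = "$explorer\RestrictRun"
if (Test-Path $listKey) {
    $key = Get-Item $listKey
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}
```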
As you will notice, there is a huge number of settings in the Group Policy editor, so out of curiosity, it is definitely worth spending some time looking at them.
Most settings allow you to disable Windows features that you don't want to use.
It is worth noting that many of the policies on the list do not apply to all versions of Windows.
Yet another example of what can only be done using the Group Policy Editor is setting up a script that runs at logoff or at shutdown, for example every time you restart your PC.
This can be useful for cleaning up your system or making a quick backup of some files every time you turn off your computer, and you can use batch files or even PowerShell scripts for both.
The only caveat is that these scripts must run in the background, otherwise the logoff process would be blocked.
There are two different types of scripts that can be run.
Startup/shutdown scripts are found under Computer Configuration -> Windows Settings -> Scripts and run under the Local System account, so they can manipulate system files but do not run as a user account.
Logon/logoff scripts are found under User Configuration -> Windows Settings -> Scripts.
Logon and logoff scripts cannot run commands that require administrator access unless UAC is completely disabled.
It is worth noting that the same operations can be scheduled in the Task Scheduler, one of the administration tools in the Control Panel, which is much easier to use.
The Group Policy Editor is so rich that it is impossible to find a complete and comprehensive guide on what is best to edit.
In other articles I have covered Group Policy settings for the following:
- How to disable SkyDrive in Windows 8.1 (or hide it)
- Activate Bitlocker on Windows 7
- Activate Enterprise mode in Internet Explorer 11
- Disable UAC Control in Windows 7 and 8
