Practical application of group policy:
1. Desktop project settings
In the left window of Group Policy, expand the User Configuration → Administrative Templates → Desktop nodes to see all settings about the desktop. This node mainly functions to manage users' rights to use desktops and to hide desktop icons.
1. Hide unnecessary desktop icons
Ordinary shortcuts on the desktop are easy to delete, but removing default icons such as "My Computer", "Recycle Bin" and "Online Neighbor" requires Group Policy. For example, to delete "My Documents", just set it in the "Delete the My Documents icon" item on the desktop. To hide the "Online Neighbors" and "Internet Explorer" icons on the desktop, enable "Hide the "Online Neighbors" icon on the desktop" and "Hide the Internet Explorer icon on the desktop" in the right pane. To hide all icons on the desktop, enable "Hide and Disable all items on the desktop". When "Delete the "My Documents" icon on the desktop" and "Delete the "My Computers" icon on the desktop" are enabled, the "My Computers" and "My Documents" icons disappear from the desktop. If you no longer want the "Recycle Bin" icon on the desktop, you can delete it as well by enabling the "Delete the Recycle Bin from the desktop" policy item.
2. Prohibit changes to the desktop
Group Policy can prohibit others from changing certain settings on the desktop. The "Prohibit users from changing the My Documents path" item prevents users from changing the path to the My Documents folder. The "Disable Add, Drag, Drop, and Close Toolbar Toolbars for Taskbars" item prevents users from adding or removing taskbars from the desktop. After you double-click to enable "Don't save settings when exit", the user will be unable to save changes to the desktop. Finally, double-click to enable the "Hide and Disable All Projects on the Desktop" setting, which removes icons, shortcuts, and all other default and user-defined items from the desktop, and also disables the right-click menu on the desktop.
3. Enable or disable active desktops
Using the "Active Desktop" item, you can set various properties of the active desktop according to your needs. The Enable Active Desktop item enables the active desktop and prevents the user from disabling it. The Active Desktop Wallpaper item specifies the desktop wallpaper that is displayed on all users' desktops. Enable the "Don't Allow Changes" item to prevent users from changing the active desktop configuration.
4. Slim down the "Start" menu
The "Start" menu of Windows XP contains many menu items, and unnecessary ones can be deleted through Group Policy. Group Policy provides policies to delete the utility group, My Documents icon, Documents menu, Network Connection, Favorites menu, Search menu, Help command, Run menu, Picture Collection icon, My Music icon, and Online Neighbors icon in the Start menu. Just enable the policy corresponding to each unwanted menu item. Taking the "My Document" icon in the Start menu as an example, the specific operation is: double-click "Delete "My Document" icon from the "Start" menu" in the right window, click "Enabled" in the "Settings" tab of the pop-up dialog box, and then click "OK". The "My Document" icon in the "Start" menu will then be hidden.
5. Protect the settings of the "Taskbar" and "Start" menus
If you don't want others to change the settings of the Taskbar and Start menus at will, just enable the two policy items "Block changes to the Taskbar and Start Menu settings" and "Block access to the Context Menu of the Taskbar" in the right pane. In this way, when you right-click the Taskbar and click "Properties", an error message will appear, prompting that a setting prohibits this operation.
2. Hide or disable control panel items
The control panel project settings mentioned here refer to the settings of configuring the control panel program, which are mainly used to hide or disable control panel projects. In the left window of Group Policy, expand the "User Configuration" → "Administrative Templates" → "Control Panel" items to see all the settings and children under the "Control Panel" node.
1. Disable access to the "Control Panel"
If you do not want other users to access the Control Panel of your computer, you just need to run Group Policy Editor (), expand the "Local Computer Policy" → "User Configuration" → "Administrative Templates" → "Control Panel" branch in the left pane, and enable the "No Access Control Panel" policy in the right pane. This setting prevents the "Control Panel" program file() from being started. As a result, others will not be able to start Control Panel (or run any Control Panel projects). Additionally, this setting will remove Control Panel from the Start menu. At the same time, this setting also deletes the "Control Panel" folder from Windows Explorer.
2. Hide or disable the "Add/Remove Program" item
Expand the "Add/Remove Program" item. After you double-click to enable the "Delete "Add/Remove Program" program" setting, the "Add/Remove Program" item in the control panel will be deleted. In addition, there are 3 pages in the "Add or Remove Programs" dialog box: "Change or Remove Programs", "Add a New Program" and "Add/Remove Windows Components". The "Add a New Program" page in turn has 3 options: "Add a Program from CD-ROM or floppy disk", "Add a Program from Microsoft" and "Add a Program from the Network". To hide any of these specific pages or options, enable the corresponding hiding policy in the "Add/Remove Programs" item of Group Policy.
3. Hide or disable the "Show" item
Expand the "Show" item. Like the previous item, it is used to hide tabs, here those in the Show Properties dialog box, so I won't go into details. For example, after double-clicking to enable the "Hide 'Desktop' tab", the "Desktop" item will no longer appear in the "Show Window". In addition, users can also enable "Delete 'Show' in the Control Panel". Then, when someone double-clicks the "Show" item in the control panel, a dialog box pops up with the reminder: System administrators prohibit the use of the "Show" control panel.
4. Others
Expand the "Show" → "Desktop Theme" item, and double-click to enable the "Delete Theme Options", "Block Select Window and Button Style", and "Prohibit Select Font Size" items to prevent others from changing the theme, window and button style, and fonts. Expand the Printer item and double-click to enable Block Add Printer or Block Delete Printer to prevent other users from adding or deleting printers. Finally, enable "Disable Access Control Panel" directly under the "Control Panel" item, and the control panel will not start.
3. System project settings
These items are set under "User Configuration" → "Administrative Templates" → "System" (Figure 15). The system settings in Group Policy cover many items such as login, power management, group policy, and scripting. The parts most relevant to us are listed below:
1. The welcome screen interface is not displayed when logging in
There is a welcome screen when logging in to Windows 2000 and Windows XP systems by default. Although it is beautiful, it is also troublesome and extends the login time. It can be removed through Group Policy. Double-click to enable "Don't show the welcome screen when logging in" under the "System" node, and the welcome screen will be hidden every time the user logs in.
2. Disable the Registry Editor
To prevent others from modifying the registry, access to the registry editor can be prohibited in Group Policy. After you double-click to enable the "Block access to Registry Editor" entry under the "System" node, the system tells any user who tries to start the Registry Editor that registry editing has been disabled by the administrator (Figure 16). In addition, if your registry editor is locked, you can double-click this setting and click the "Unconfigured" item in the "Settings" tab of the pop-up dialog box to unlock it. If you want to prevent users from opening the registry using other registry editing tools, double-click to enable Run Licensed Windows Applications only.
3. Turn off the system automatic playback function
Once you insert the CD into the CD drive, Windows XP will start reading the CD drive and launch the relevant applications. Although this brings convenience to our work, it also brings a lot of trouble at some point. Under the System node, there is an item for "Off AutoPlay". Double-click it and click "Enabled" in the "Settings" tab of the pop-up dialog box, and select "CD-ROM Initiator" or "All Drives" items in the "Off AutoPlay" box.
Note: This setting does not prevent the automatic playback of music CDs.
4. Turn off Windows automatic update
Whenever a user connects to the Internet, Windows XP will search for available updates on the user's computer, and will give the user a prompt when the downloaded component is ready to be installed or before downloading it, depending on the configuration. If you don't like Boss Bill's self-advocacy attitude, you can turn off this feature through Group Policy. Just double-click the "Windows Automatic Update" setting item under the "System" node, click "Disabled" in the pop-up dialog box and confirm.
5. Delete the Task Manager
If the Windows XP user has cancelled the "Use Welcome Screen" item, pressing "Ctrl+Alt+Del" brings up a "Windows Security" dialog box. There are 6 function buttons in this dialog box: "Lock Computer", "Lock Out", "Shutdown", "Change Password", "Task Manager", and "Cancel". Every button here plays a key role in the system. To prevent others from using them, these buttons can be blocked through Group Policy.
Find the "Ctrl+Alt+Del option" under "System", and double-click to enable the "Delete Task Manager", "Delete "Lock Computer"", "Delete Change Password", and "Delete Logout" items to block the "Task Manager", "Lock Computer", "Change Password", and "Cancel" function buttons in the "Windows Security" dialog box.
Note: The blocking of the two menu items "Log out" and "Shut down" is under the "User Configuration" → "Administrative Templates" → "Taskbar and "Start" Menu" nodes.
4. Hide or delete projects in Windows XP Explorer
Resource Manager has always been the most important tool in the Windows system, and managing resources efficiently and securely has always been the unremitting pursuit of computer users. Expand the "User Configuration" → "Administrative Templates" → "Windows Components" → "Windows Explorer" items in turn, and you can see all settings under the "Windows Explorer" node. Let's take a look at how to personalize the resource manager through group policy.
1. Delete "Folder Options"
"Folder Options" is an important menu item in Explorer. It can modify the way files are viewed and edit the way file types are opened. After we set it ourselves, in order to prevent others from changing it at will, we can delete this menu item. You only need to double-click to enable the "Delete the 'Folder Options' Menu from the 'Tools' Menu" to complete this setting.
2. Hide the "Manage" menu item
The shortcut menu that appears when you right-click "My Computer" in Explorer contains a "Management" menu item. This menu item opens a "Computer Management" window that includes many tools such as "Event Viewer", "Local Users and Groups", "Device Manager", and "Disk Management". To protect your computer from unintentional destruction, block this menu item by double-clicking the "Hide the 'Manage' item on the Windows Explorer context menu" item.
3. Hiding of other projects
In addition, you can hide the drives you specify by enabling "Hide these specified drives in 'My Computer'". You can also block the "Enterprise Network" item by enabling "'Online Neighbors' does not include 'Enterprise'". Double-click to enable the "Delete CD burn function" to remove the CD burn function that comes with Windows XP. Double-click to enable "Do not move deleted files to the 'Recycle Bin'"; from then on, deleted files will not enter the Recycle Bin and will be deleted directly. Of course, there are many items that have not been mentioned here. You can explore them yourself as needed and make appropriate configurations.
5. IE browser project settings
In the left window of Group Policy, expand the items "User Configuration" → "Administrative Templates" → "Windows Components" → "Internet Explorer" in turn. In the right window, you can see all settings and children under the "Internet Explorer" node. IE is a web browser that comes with Windows XP and is also a browser used by most users, but its security is also criticized. Let’s “transform” it through group policy.
1. Restrict the saving function of IE browser
When multiple people share a computer, in order to keep the hard disk clean, the browser's saving function needs to be restricted. So how can it be achieved? The specific method is: select "User Settings" → "Administrative Templates" → "Windows Components" → "Internet Explorer" → "Browser Menu" branch, and then enable policy items such as "'File' Menu: Disable Save As...' Menu", "'File' Menu: Disable Save As Web Menu", "'View' Menu: Disable the 'Source File' Menu" and "Disable Context Menu" in the right pane.
In addition, if you do not want others to change the settings of the IE browser at will, you just need to enable the "Tools menu: Disable the 'Internet Options...'" policy. In addition, other items can be disabled in this pane according to your personal needs.
2. Slim down the toolbar
To hide tool buttons in the toolbar, select the "User Settings" → "Administrative Templates" → "Windows Components" → "Internet Explorer" → "Toolbar" branch, and then double-click the "Configure Toolbar Press" policy in the right pane. The "Configure Toolbar Press Properties" window will pop up. Select the "Enabled" radio button in the "Settings" tab, and mark the check box before the name of each button to be displayed in the list. To hide a button, leave the check box in front of it unchecked. Then click the "OK" button.
3. Add shortcuts to the IE toolbar
You may have noticed that many programs add an icon to the IE toolbar after installation, and clicking it starts the corresponding program. Using Group Policy, you can add a shortcut to any program on the IE toolbar. Here is an example of how to add an ICQ startup icon. Expand the "Browser User Interface" under "Internet Explorer Maintenance", double-click the "Browser Toolbar Customization" setting item, click the "Add" button in the pop-up dialog box, enter ICQ in the "Toolbar Title" of the "Browser Toolbar Button Information" dialog box, enter D:\Fun\ICQLite\ in "Toolbar Operation", and then select a "Color Icon" and "Grayscale Icon". (Of course, you can also use ExeScope, etc. to extract ICQ icons.) After clicking "OK", there will be an ICQ icon in the IE toolbar!
4. Let the IE plug-in stop harassing you
When we browse web pages online, prompts such as "whether to install Flash plug-in" and "whether to install 3721 network real name" pop up, which is as annoying as an advertising window. We can suppress these prompts by enabling "Disable the automatic installation of Internet Explorer components" under the "Internet Explorer" node in Group Policy. However, this function is sometimes very useful, so consider carefully before disabling it.
5. Protect your personal privacy
Generally, by clicking the "History" button on the IE toolbar, you can learn about the web pages and files you have browsed before. For confidentiality, you can double-click the "Do not keep records of recently opened documents" and "Clear recent open documents when exiting" settings under the "Internet Explorer" node. In this way, click the "History" button on the IE toolbar, and all the historical web records you have visited will disappear.
6. Prohibit modifying the home page of IE browser
If you do not want others to modify your homepage, you can enable the "Disable Change Homepage Settings" setting item under the "Internet Explorer" node to prohibit others from changing your homepage. Under "Browser Menu", you can also enable setting items that block several menu items in the IE browser. Finally, under the Internet Control Panel node, you can also hide some tabs in the Internet Options dialog box.
If this policy is enabled, the settings in the Home page area of the General tab of the IE browser will be grayed out in the Internet Options dialog box.
Special tip: If you set the "Disable General Page" policy in "User Configuration" → "Administrative Templates" → "Windows Components" → "Internet Explorer" → "Internet Control Panel", you do not need to set this policy, because the "Disable General Page" policy deletes the "General" tab from the interface.
7. Disable import and export favorites
Users are prohibited from using the Import/Export Wizard menu item to import or export favorite links. Location: \User Configuration\Administrative Templates\Windows Components\Internet Explorer.
If this policy is enabled, the Import/Export Wizard menu item will not be able to import/export favorite links and cookies. If you disable the feature or do not configure it, users can import/export favorites in IE by clicking the Import and Export menu item on the File menu and then running the Import/Export Wizard.
Note: If you enable this policy, the user can still view the Import/Export Wizard, but when the user clicks the Complete button, a prompt message indicating that the feature has been disabled will appear.
6. System security/sharing/permission settings
Since the beginning of computers, security has been the focus of people's attention, and Windows XP is no exception. In Group Policy, system security configuration is generally carried out in "Computer Configuration" → "Windows Settings" → "Security Settings".
1. Password policy
This policy is configured in the Account Policy → Password Policy node. Passwords are a major hidden danger to system security. Group Policy lets you set the minimum length of the password: double-click to enable the "Password Must Meet Complexity Requirements" setting item, and after confirming, double-click the "Password Length Minimum Value" setting item. Set the minimum password length to 8 or greater in the pop-up dialog box. From then on, any account password you set must be at least as long as this minimum, which makes security much higher.
2. User rights assignment
Expand the "Local Policy" → "User Rights Assignment" node, and you can see all settings under the "User Rights Assignment" node in the right window. Properly assigning user rights can solve some strange problems. For example, users of Windows XP systems on a LAN will often notice a strange phenomenon: even if the guest user is enabled and given permissions, users of other Win9X operating systems on the LAN still cannot access shared resources on the Windows XP system. This problem can be solved by modifying the relevant settings in Group Policy: double-click the "Deny access to this computer from the network" setting item under the "User Rights Assignment" node, click "guest" in the pop-up dialog box, then click "Delete", and finally confirm. Under the "User Rights Assignment" node, you can also grant many other permissions to users, such as giving the guest remote shutdown permission or giving general users permission to change the system time.
3. Audit settings for files and folders
Windows XP Professional can use audits to track the user accounts used to access files or other objects, login attempts, system shutdowns or restarts, and similar events. Auditing files and folders (only applicable to NTFS file systems) helps ensure the security of files and folders. Before any audit takes place, you must use Group Policy to specify the event types to audit. The steps to set up audits for files and folders are as follows.
a. Click to select the "Start" → "Run" command, type the "" command in the pop-up "Run" dialog box, and then click the "OK" button; of course, you can also create a corresponding shortcut on the desktop.
b. In the "Group Policy" window that pops up, expand the "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policy" branch in the right pane step by step, and then select the "Audit Policy" option under this branch.
c. Double-click the "Audit Object Access" option in the right pane. In the pop-up "Local Security Policy Settings" window, mark the "Success" and "Failed" check boxes in the "Local Policy Settings" box, as shown in Figure 12. Then click the OK button.
d. Right-click the file (or folder) you want to review. Select the Properties command of the shortcut menu, and then select the Security tab in the pop-up window.
e. Click the Advanced button and select the Audit tab.
f. Select your operation according to the specific situation:
(1) If you set up audit for a new group (or user), please click the "Add" button, type the new user name in the "Name" box, and then click the "OK" button, and the "Audit Items" dialog box will open.
(2) To view (or change) the original group (or user) audit, select the user name, and then click the "View/Edit" button.
(3) To delete the original group (or user) audit, select the user name, and then click the "Delete" button.
g. If necessary, in the Apply to list (the Apply to list is valid for folders only).
h. If you want to prohibit files and subfolders in the directory tree from inheriting these audit items, select the "Apply these audit items only for objects and/or containers within this container" check box.
If the check box under Access in the Audit Project dialog box becomes dark, or the Delete button is unavailable in the Access Control Settings dialog box, the audit from the parent folder has been inherited.
Note that only a member of the Administrator group, or a user who has been granted the "Manage Audit and Security Log" permission in Group Policy, can audit files or folders. Before Windows XP can audit files and folders, you must enable "Audit Object Access" under "Audit Policy" in "Group Policy". Otherwise, an error message is returned when you set up file and folder auditing, and the files and folders will not be audited. The Event Viewer shows the successful and failed attempts to access audited files and folders.
4. Solution to the problem of Windows 98 accessing Windows XP shared directory being denied
On a local area network, you can often encounter the problem that computers with Windows 2000 have opened a shared directory, while computers with Windows 98 are inaccessible. This can be found on Microsoft's official website, and it is recommended to enable GUEST users of Windows 2000. However, after Windows XP came out, it also faced this problem. As a result, some people found that this method was not working. Accessing the shared directory of Windows XP from online neighbors may not be allowed. What is the reason? This question has troubled me for several days, and later I accidentally discovered the answer to the question. Maybe this is a bug in Windows XP?
When the system Guest user is enabled, run the Group Policy Editor program, and you can see that there are Guest users in "Local Computer Policy" → "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policy" → "User Rights Assignment" → "Reject to access this computer from the network"! If you delete the Guest user here, other computers can view the shared directory of this computer from the online neighbors.
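An added example, not part of the original article: the password policy, user rights and audit policy settings described above can be checked from the text file written by `secedit /export /cfg policy.inf`. The embedded export is a constructed sample, and the function names are this example's own.

```python
import configparser

# Constructed sample in the format written by `secedit /export /cfg policy.inf`
# (the values are invented for this example, not taken from a real machine).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
[Event Audit]
AuditObjectAccess = 1
[Privilege Rights]
SeDenyNetworkLogonRight = Guest
SeSecurityPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# AuditObjectAccess is a bit mask: 1 = "Success" box, 2 = "Failed" box.
AUDIT_MODES = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}


def parse_inf(text):
    """Parse the INF text; keys keep their case and only '=' separates values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def get_int(cp, section, key):
    """Return an integer setting, or None when it is absent or not numeric."""
    raw = cp.get(section, key, fallback=None)
    try:
        return int(raw.strip())
    except (AttributeError, ValueError):
        return None


def get_principals(cp, right):
    """Return the account names/SIDs that hold a user right, as a list."""
    raw = cp.get("Privilege Rights", right, fallback="") or ""
    return [p.strip() for p in raw.split(",") if p.strip()]


def is_guest(principal):
    """True for the built-in Guest account, by name or by its RID 501 SID."""
    p = principal.lstrip("*").split("\\")[-1].lower()
    return p == "guest" or (p.startswith("s-1-5-21-") and p.endswith("-501"))


def review(text):
    """Summarise the settings from the password, user rights and audit steps."""
    cp = parse_inf(text)
    min_len = get_int(cp, "System Access", "MinimumPasswordLength")
    return {
        "min_password_length": min_len,
        "min_length_ok": min_len is not None and min_len >= 8,
        "complexity_enabled": get_int(cp, "System Access", "PasswordComplexity") == 1,
        "object_access_audit": AUDIT_MODES.get(
            get_int(cp, "Event Audit", "AuditObjectAccess"), "not set"),
        "guest_denied_network_logon": any(
            is_guest(p) for p in get_principals(cp, "SeDenyNetworkLogonRight")),
        "audit_log_managers": get_principals(cp, "SeSecurityPrivilege"),
    }


if __name__ == "__main__":
    # A real export is UTF-16: open("policy.inf", encoding="utf-16").read()
    for name, value in review(SAMPLE_INF).items():
        print(f"{name}: {value}")
```
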
5. Block access to command prompt
Prevents users from running command prompt window(). This setting also determines whether the batch files (.cmd and .bat) can run on the computer. Location:\User Configuration\Administrative Templates\System\ If this setting is enabled, the user tries to open the command window, and the system will display a message explaining the settings to prevent this operation.
Note: If the computer uses logon, logoff, startup or shutdown batch file scripts, this setting does not prevent the computer from running those batch files; nor does it prevent users of Terminal Services from running batch files.
6. Block access to the registry editing tool
This policy disables the Windows Registry Editor. This can greatly prevent malicious code on web pages from tampering with IE. Location:\User Configuration\Administrative Templates\System\ If this setting is enabled and the user tries to start the registry editor, a message appears explaining that a setting prohibits this operation. To prevent users from using other system administration tools, use the Run Licensed Windows Applications policy setting.
8. Supplement
1. Group policy cannot be used after the program is disabled
You can restore settings by restarting the computer, pressing the F8 key when the startup menu appears, selecting the "Safe Mode with Command Line Prompt" option in the Windows Advanced Options menu, and then running at the command prompt. In the "Console" window that opens, click "File → Add/Delete snap-in → Add → Group Policy → Add → Finish → Close → OK". Now a Group Policy console has been added. Next, change the original settings and then re-enter Windows.
2. Delete shared documents from "My Computer"
When a Windows user is in a workgroup, a Shared Document icon appears under "Other Locations" and "Other Files Stored on this Computer" in the Windows Explorer web view. With this setting, you can choose not to display these items.
Local Computer Policy → User Configuration → Administrative Templates → Windows Components → Windows Explorer\
If you enable this setting, the Shared Documents folder will not appear in web view or appear in My Computer. If this setting is disabled or not configured, the Shared Documents folder will be displayed in Web view or appear in My Computer when the user is part of the Workgroup.