*** , Captive of Delicious Food - Yu Lan Slice
Group Policy is the main tool for administrators to define and control programs, network resources, and operating system behavior for users and computers. By using Group Policy, various software, computer, and user policies can be set.
Contents
Basic Overview Important Versions Operation Methods Individual Operations Using Group Policy as an Independent MMC Management Unit Software Restriction Policies Complete Guide to Securely Using Windows 7 Group Policy I System Settings Security Section 1. Prevent Running Specific Programs 2. Lock Registry Editor 3. Prohibit Accessing Command Prompt 4. Prevent Modifying System Restore Configuration 5. Protect Secrets in Virtual Memory Page Files 6. Avoid Menus Leaking Privacy 7. Don't Let Searches Leak Privacy 8. Refuse to Use Unsigned Desktop Gadgets 9. Completely Prohibit USB Drive Usage 10. Prevent Data Writing to USB Drives 11. Allow Identifying Specific USB Drives 12. Prevent CDs from Auto-Playing 13. Prevent Installing Mobile Devices 14. Prevent Users from Accessing Selected Drives 15. Don't Let Them Change My Desktop Basic Overview So-called Group Policy refers to policy based on groups. It exists in the form of a Windows MMC management unit and helps system administrators set multiple configurations for entire computers or specific groups/users, including desktop and security configurations. For example, you can customize available programs, desktop contents, and "Start" menu options for specific users or user groups, or create special desktop configurations across the entire computer range. In short, Group Policy is a collection of system modification and configuration management tools in Windows. The registry is a database in the Windows system that stores system software and application software configurations. As Windows functionality becomes richer, the number of registry configurations increases, and many configurations can be customized. However, these configurations are scattered throughout the registry, making manual configuration difficult and complex. Group Policy integrates important system configuration functions into various configuration modules for direct user use, thereby facilitating computer management. Simply put, Group Policy settings involve modifying registry configurations. Of course, Group Policy uses more comprehensive management methods, allowing for the management and configuration of various objects, far more convenient and flexible than manually modifying the registry, with even more powerful functions. Main Versions For Windows 9X/NT users, they are familiar with the concept of "System Policy." In fact, Group Policy is an advanced extension of System Policy, evolving from the "System Policy" of Windows 9X/NT, with more management templates, flexible setting objects, and more features, mainly applied in Windows 2000/XP/2003/7/2008 operating systems. Early system policies operated through policy management templates, defining specific POL files (usually Config.pol). When a user logs in, it rewrites the settings in the registry. Of course, the system policy editor also supports modifying the current registry and connecting to network computers to configure their registries. Group Policy and its tools directly modify the current registry. Clearly, the network functionality of Windows 2000/XP/2003 systems is one of their biggest characteristics, so network functionality is naturally indispensable. Therefore, Group Policy tools can also open network computers for configuration or even open Active Directory (AD) objects (i.e., sites, domains, or organizational units) for settings. This was something the previous "System Policy Editor" tool could not achieve. Of course, whether it's "System Policy" or "Group Policy," their basic principle is to modify corresponding registry items to configure computers, just with some changes and expansions in their operational mechanisms. Operational Methods General Operation In Windows 2000/XP/2003 systems, the Group Policy program is installed by default. To run it, click "Run" in the "Start" menu, input "gpedit.msc," and confirm to start Group Policy. Using the above method opens the Group Policy object for the current computer. If you need to configure another computer's Group Policy object, you need to open Group Policy as an independent MMC management unit: (1) Open Microsoft Management Console (input "MMC" in the "Run" dialog box of the "Start" menu and confirm). (2) Click "File → Add/Remove Management Unit" in the menu, then click "Add" in the opened dialog box. (3) In the "Available Standalone Management Units" dialog box, select "Group Policy" and click "Add." (4) In the "Select Group Policy Object" dialog box, click "Local Computer" to edit the local computer object or browse for the required Group Policy object by clicking "Browse." (5) Click "Finish," and the Group Policy management unit will open the Group Policy object to be edited. (6) Locate the option to change in the left pane, right-click the specific option to change in the right pane, and click "Properties" to open its properties dialog box. Select "Enabled," "Not Configured," or "Disabled" to manage the computer policy. Opening Group Policy as an Independent MMC Management Unit If you want to open the Group Policy Editor via the GPE plugin in the MMC console, follow these steps: [1] (1) Click "Start" → "Run," enter "mmc" in the dialog box, and click the "OK" button to open the Microsoft Management Console window. (2) Select "Add/Remove Management Unit" under the "File" menu. (3) In the "Add/Remove Management Unit" window, click "Add" in the "Standalone" tab. (4) In the "Add Standalone Management Unit" dialog box, select "Group Policy" in the "Available Standalone Management Units" list and click "Add." (5) Since the Group Policy is applied to the local computer, click "Local Computer" in the "Select Group Policy Object" dialog box to edit the local computer object, or click "Browse" to find the required Group Policy object. (6) Click "Finish" → "Close" → "OK," and the Group Policy management unit will open the Group Policy object to be edited. Software Restriction Policies Software restriction policies are a new feature in Microsoft Windows XP and Microsoft Windows Server 2003. They provide a set of policy-driven mechanisms to specify which programs are allowed to execute and which are not. Software restriction policies help organizations protect against malicious code attacks. That is, software restriction policies provide another layer of protection against viruses, Trojan horses, and other types of malicious code. Full Guide to Securely Using Windows 7 Group Policy Group Policy is the main tool for administrators to define and control programs, network resources, and operating system behavior for users and computers. By using Group Policy, various software, computer, and user policies can be set. Considering security reasons, Windows 7 has developed many new and enhanced Group Policy features and services to help you better protect data, functions, and services residing on your computer. These feature configurations depend on your specific needs and usage environment. This article primarily introduces techniques for securely using Windows 7 Group Policy, explaining how to configure Group Policy features and services to better meet your system security, network security, data protection, and personalization needs.