First, what is the group strategy (1) What is the use of group policies?
Speaking of Group Policy, I have to mention the registry. The registry is the database of saved systems, application software configurations in the Windows system, and more and more configuration items in the registry are increasingly rich. Many configurations can be customized, but these configurations are posted in the various corners of the registry, if it is hand-configured, what difficulties and troubles can be thought of. The group policy collects the system important configuration functions into various configuration modules for direct use of the management, thereby achieving the purpose of facilitating managing the computer.
Simply said that the Group Policy is to modify the configuration in the registry. Of course, group strategies use their own more complete management organization methods to manage and configure settings in various objects, which is much more powerful than hand-modified registry, flexible, and functions.
(2) Version of Group Policy
Most of the Windows 9x / NT users may have heard the concept of "System Policy", and we are now very hearing this name. In fact, group strategy is the higher level of extension of system strategies. It is developed by Windows 9x / NT "System Policy", with more management templates and more flexible setting objects and more features, mainly to Windows 2000 / XP / 2003 system.
The operational mechanism of early system strategies is to define specific .pol (usually config.pol) files through the Policy Management Template. When the user logs in, it rewrites the set value in the registry. Of course, the system policy editor also supports modifications to the current registry, and also supports connecting to the network computer and sets their registry. The group strategy and its tools are directly modified to the current registry. Obviously, the network function of the Windows 2000 / XP / 2003 system is its largest feature, and its network function is naturally indistinguisha, so the group policy tool can also open a computer on the network to configure, and even open an Active Directory. Objects (ie, sets, domain or organization) and set it. This is the previous "System Policy Editor" tool could not be done.
Whether it is a system strategy or group strategy, their basic principles are the corresponding configuration items in the registry, thus achieving the purpose of configuring the computer, only some of their operating mechanisms have changed and extension.
Second, the management template in group strategy
Several .adm files are included in the Windows 2000 / XP / 2003 directory. These files are text files, called "Management Templates", which provides policy information for Group Policy Management Template items.
In the Windows 9x system, the default admin.adm management template is saved in the policy editor in the same folder. In the INF folder of the Windows 2000 / XP / 2003 system folder, the four template files under default installation are included in:
1) System.adm: It is installed in "Group Policy" by default for system settings. 2) inets.adm: By default, installation is installed in Group Policy; for Internet Explorer policy settings. 3) WMPLAYER. ADM: Used for Windows Media Player settings. 4) conf.adm: Used for NetMeeting settings.
In the Group Policy Console of Windows 2000 / XP / 2003, you can add "Policy Templates" multiple times, and under Windows 9x, you only allow the currently open a policy template. The following describes how to use the policy template. First, use the following: First Run the "Group Policy" program, then select "Computer Configuration" or "Manage Template" under "User Configuration", press the right mouse button, in the pop-up menu Select "Add / Remove Template". Then click the Add button to select the appropriate .adm file in the pop-up dialog box. Click the "Open", open the selected script file in the System Policy Editor and wait for the user to execute.
After returning to the "Group Policy" editor main interface, open the directory "Local Computer Policy → User Configuration → Management Template", and then click the appropriate directory tree, you will see the configuration items generated by our newly added management template. (In order to make it easy to do it together, it is recommended to add other template files that divide the default template file).
Let's see the group policy editor under Windows 9x. First select "Close" in the File menu in the Group Policy Editor, so that the current script is turned off, then select "Template" in the "Options" menu.
Then click the "Open Template" button to select the appropriate .adm file in the pop-up dialog box and click the "Open", open the selected script file in the editor and wait for the user to execute.
Third, run group strategy
(1) Windows 9X Policy Editor
According to the different operating system, the policy editing tool is divided into two kinds, one for the Windows 2000 / XP / 2003 Group Policy Management Console, which has been installed by default when the system is installed; the other is the system policy editing of Windows 9X It is not installed when the system is installed, and the program file is in the / Tools / Reskit / Netadmin / Poledit directory on the Windows installation disc, which includes files such as POLEDIT.EXE, POLEDIT.INF, Windows.adm.
If it is a Windows 9x system through the following method, a regular installation process can be performed.
1. In the Control Panel, double-click the Add / Remove Programs icon, click Install Windows tab, and then click the "From Disk Install" option. 2. In the Disk Installation dialog box, click the "Browse" button and specify the Tools / Reskit / NetAdmin / Poledit directory of the Windows 9x installation CD. 3. Click the "Confirm" button and click the Confirm button in the dialog again. 4. In the Disk Installation dialog box, select the System Policy Editor and Group Policy check box, and then click the Install button.
After the installation is complete, click the "Run" command, type the POLEDIT, and then click the "Confirm" button, the administrator can use the System Policy Editor in two different ways: registry mode and policy file.
1. Use the System Policy Editor in a registry. In the File menu in the System Policy Editor, click Open Registry Editor and double-click the appropriate local user or local computer icon. This depends on which portion of the registration table is to be edited. When using the registry, you can directly edit the registry of the local or remote computer. In this way, the change made will immediately reflect. After making modifications, you must shut down and restart your computer to make the modifications to take effect.
2. Use the System Policy Editor by policy file. In the File menu in the System Policy Editor, click New or Open to open a policy file. When using the policy file, you can create and modify the system policy file (POL) for other computers. In this manner, the registry is indirectly modified. This change will reflect after the policy file is downloaded when the user logs in. When editing the settings in a policy file, click a registry option, you can see one of the three possible states: select, clear, and gray. Whenever one option is selected, the next possible state is displayed, which is different from the selection of a standard check box. The standard checkbox only selects or clears two options. If a setting value requires additional information, an editing control will appear at the bottom of the default user property dialog. Typically, if a policy is selected, do not want to use it, you should clear the checkbox to cancel the policy.
(2) Windows 2000 / XP / 2003 Group Policy Console
If it is a Windows 2000 / XP / 2003 system, the system has been installed by default. In the Start menu, click the Run command entry, enter gpedit.msc and determine, you can run the program.
Using the above method, the open group policy object is the current computer, and if you need to configure other computer group policy objects, you need to open the Group Policy as a stand-alone console manager. The specific steps are as follows:
1) Open the Microsoft Management Console (you can enter the MMC directly in the "Run" dialog box of the Start menu and run the console program). 2) On the File menu, click Add / Delete Administration Unit. 3) On the Independence tab, click Add. 4) In the "Available Independent Management Unit" dialog box, click Group Policy, and then click Add. 5) In the Select Group Policy Object dialog box, click the Local Computer to edit the local computer object, or by clicking Find the Group Policy object you want. 6) Click Finish, click Close, and then click OK. The Group Policy Management unit opens the group policy object to be edited.
For computer systems that do not contain domains, in the 5th step of the above, there is only a "computer" tag without other tag items.
With the above method, we can use the Windows 2000 / XP / 2003 Group Policy System powerful network configuration, allowing administrators to work more easily and efficient.
On top of us, we introduced three states in Windows 9X, "Select, Clear, and Gray", and Windows 2000 / XP / 2003 Group Policy Management Console also has three states, but the name has changed. They are: enabled, not configured, disabled.
Fourth, "Desktop" setting
Windows's desktop is just like our work desk, you need to conduct regular finishing and cleaning, and Group strategies are like our close secretary, making desktop management work easily. Let's take a look at several practical configuration examples:
Location: "Group Policy Console → User Configuration → Management Template → Desktop"
1. Hide Desktop System Icon (Windows 2000 / XP / 2003)
Although the function of the system icon on the desktop can be achieved by modifying the registry, it is more troublesome, and there is a risk. The method of using the group policy configuration can be easily and easily and quickly.
For example, to hide the "Online Neighbor" and "Internet Explorer" icon on the desktop, as long as the "hidden desktop 'online neighbor' icon" and "hidden desktop Internet Explorer icon" are enabled in the "hidden desktop" on the right pane. That is; if all icons on the desktop are hidden, you can enable "Hide and disable all items on the desktop"; "Delete the 'My Document' icon on the desktop" I "I am delete the 'I After the computer 'icon "two options," My Computer "and" My Documents "icon will disappear from your computer desktop; if you want the" recycle bin "icon to disappear, you only need to delete recycling from desktop Station policy item is enabled. 2. Do not save desktop settings when exiting (Windows 2000 / XP / 2003)
This policy prevents users from saving some changes to the desktop. If you enable this policy, users can still make changes to the desktop, but some changes, such as the location of the icon, the location and size of the taskbar, can not be saved after the user is logged out, but the shortcut on the taskbar can always be saved.
This policy option is enabled in the "exit when exiting" in the right pane.
3. Shield "Cleanup Desktop Wizard" function (Windows XP / 2003)
"Cleanup Desktop Wizard" will automatically run on the user's computer every 60 days to clear the desktop icons that users do not often use or never use. If this policy setting is enabled, you can block the "Cleanup Desktop Wizard" if you disable or do not configure this setting, "Clean Desktop Wizard" will run once every 60 days according to the default settings.
Open the "Delete Cleanup Desktop Wide" in the right pane, set the policy option as needed.
4. Enable / disable "Active Desktop" (Windows 2000 / XP / 2003)
"Active Desktop" is Windows 98 (and later version) or the advanced feature that comes with IE 4.0 system. The biggest feature is that wallpapers that can be set in various picture formats, and even display web pages as wallpaper. But for the consideration of security and performance, sometimes we need to disable this feature (and prohibit users from enabling it), which can be easily achieved by policy settings. Specific operation method: Open the "Disable Active Desktop" in the right pane and enable this policy.
Tip: If the "Enable Active Desktop" settings and "Disable Active Desktop" are enabled, the "Disable Active Desktop" setting will be ignored. If the "Disable Active Desktop and Web View" settings (in "User Configuration → Management Templates → Windows Components → Windows Explorer") is enabled, Active Desktop is disabled, and both strategies are ignored.
The above introduces several group policy configuration items on the desktop, there are other group policy configuration items under the "Group Policy Console → User Configuration → Management Templates → Desktop", readers can be configured as needed, and details are not described here.
V. Personalized "taskbar" and "start" menu
The "Tasklet" and "Start" menu are displayed on group policy configuration items. Let's see the specific example: Location: "Group Policy Console → User Configuration → Management Template → Task Bar and Start Menu"
1. Give "Start" menu weight loss (Windows 2000 / XP / 2003)
If you think that Windows's "Start" menu is too bloated, you can delete unwanted menu items from the Start menu. In the Group Policy Right Side pane, provide "Delete User Folder", "Delete to 'Windows Update'", "Delete Using Utility Pro Group from Start Menu", "Remove from the Start menu" A variety of group policy configuration items such as 'My Document' Icon. You only need to enable the policies corresponding to the unwanted menu items.
2. Protect the "Task Bar" and "Start" menu (Windows 2000 / XP / 2003) If you don't want to let others change the "taskbar" and "Start" menu settings, you only need to put the group policy console on the right pane "Blocking Change the 'Task Bar and Start Menu' Settings" and "Blocking Access Task Bars" two policy items are enabled. This way, when you right-click the taskbar and click Properties, the system will appear, and when the mouse is right-click the project on the taskbar, such as the "Start" button, clock and The "Tasklet" button, the pop-up menu is hidden.
3. Prohibited "Logout" and "Shutdown" (Windows 2000 / XP / 2003)
When the computer starts, if you don't want this user to perform "shutdown" and "logout" operation, you can delete the 'Logout' "and" delete '"and" delete' "and" delete the start menu on the right pane of the Group Policy Console. Access the 'shutdown' command "two policies are enabled.
This setting will delete the "Shutdown" option from the Start menu and disable the Windows Task Manager dialog box. Press Ctrl Alt Del to appear "Shutdown" options in this dialog. It is also important to note that this setting can prevent the user from shutting down with a Windows interface, but cannot prevent the user from shutting down with other third-party tool programs.
Tip: If you enable the 'Logout' on the De Start menu, you will delete the Show Logout project from the Start Menu Option. Users cannot restore the "Logout
4. Protect personal document privacy (Windows 2000 / XP / 2003)
Windows has an advanced smart feature that you can record the files you have visited. Although this feature can make it easy for users to open this file again, it is sometimes possible to block this feature for security and performance considerations (for example, do not want to know which web pages and opens you have visible yourself). Using Group Policy, as long as "Do not keep the recently opened document" and "Remissance Recent Opened Document" in the right pane "and" Record of the recently opened document "are enabled.
It is also important to note that if this policy setting is enabled but does not enable the "Delete Document Menu" policy settings from the Start menu, the Document menu will appear on the Start menu, but the menu is an empty menu. If this policy setting is enabled, it is later disabled to "unconfigured", and the document shortcut saved before the policy setting will reappear in the File menu of the Document menu and the application.
Six, IE setup hand to come
Microsoft's Internet Explorer allows us to easily swim on the Internet, but if you want to use Internet Explorer, you must configure it. In the Internet Options window of the IE browser, there is a comprehensive setup option (for example: "Home", "Temporary Folder", Security Level, and "Hierarchical Review", but some advanced features are not These features can be easily implemented by group policies. Let's see the specific example:
Location: "Group Policy Console → User Configuration → Management Template → Windows Components → Internet Explorer (add inetres.adm template file)"
1. Disable "Open in a new window" menu item (Windows 2000 / XP / 2003)
For safety considerations, sometimes we need some of the function menus that block IE, group policies provide a rich setup item, such as disabling "Save As ...", "File", "New". The following is described as an example to describe the specific setting method as an example. Open the "Group Policy Console → User Configuration → Management Templates → Windows Components → Internet Explorer → Browser Menu", then open "Disabling" Opens the 'Menu item in the new window "and set to Enable. When this policy is enabled, the user is right-click on a link, and then click "Open in a new window", the command will not work. This policy can be used with the "'File' menu to disable the 'New' menu item", the latter prohibits users from opening the browser in the new window by clicking the File menu, pointing to "New", and then click "Window" to open the browser in a new window.
Tip: After enabling this policy, click the "Open in the new window" command will not open the link in a new window, the system will prompt the user to be invalid, the window automatically opened the window is also banned, in fact, this can also be reached Shield the effect of popping up the advertising window.
2. Restrict the save function of IE browser (Windows 2000 / XP / 2003)
During using the IE to browse the webpage, when you encounter a good picture, article, you can save it to your local hard disk when you share a computer, when you share a computer, you need to keep your hard disk. Limit the browser's save function. So how can I achieve it? Operation: Open the "Group Policy Console → User Configuration → Management Template → Windows Components → Internet Explorer → Browser Menu", and then "'file' menu in the right pane: Disable" Save as ... 'menu item ","' file 'menu: Disable Save As Web Menu Item "," View' Menu: Disable the 'Source File' Menu Item "and" Disable Context Menu "and other policy items all enabled can.
If you don't want others to change the settings of the IE browser, you can enable the "" Tool 'menu: Disable the' Internet Options ... 'policy. In addition, other items can also be disabled in this pane according to the needs of the individual.
3. Disable "Internet Options" Control Panel (Windows 2000 / XP / 2003)
The "Disabling Internet Options" is mentioned above, using this feature to prevent others from setting up the IE. And this method cannot specifically disabate the control template item in the Internet option, so there is a hassle to specific applications. This requirement can be implemented by the following group policy setting method:
Open the Group Policy Console → User Configuration → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel, we can see "Disable General Page", "Disable Security Page" and other Group Policy items in the right pane. The following is a "Disable General Page" as an example: Open "Disable General Page" in the right pane and set to "Enable". Then we open the Internet Option Control Panel, discover the "General" project has no, so that users will not see and change the settings of the home page, cache, history, webpage, and auxiliary functions, because the policy will delete the interface. The "General" tab, so if this policy is set, there is no need to set the strategy such as "Disabled Change Home Settings" in "User Configuration → Management Templates → Windows Components → Internet Explorer", "Disabled Change Color Settings". .
4. Prohibit the modification of the homepage of the IE browser (Windows 2000 / XP / 2003)
If you don't want others to make free changes to your own IE IE page, you can open the Group Policy Console → User Configuration → Administrative Templates → Windows Components → Internet Explorer → Toolbar, then select Disable Change Home Settings. Group Policy and Enable. In this pane, there is also a disabled feature of "Change History Settings", "Change Color Settings", and "Change Internet Temporary File Settings". After enabling this policy, in the Internet Options dialog box of the IE browser, the settings of the "Home" area of the General tab will be grayed.
Tip: If you set the "Disable General Page" policy located in the Group Policy Console → User Configuration → Management Template → Windows Components → Internet Explorer → Internet Explorer Control Panel, you do not need to set this policy, because "Disable General Page" Policy will delete the General tab on the interface.
5. Custom IE Toolbar (Windows 2000 / XP / 2003)
The background and buttons of the IE toolbar can be customized. In the past, we used to manually modify the registry method, but it is not intuitive. Now we can use "group strategy" to make it more convenient to achieve effect, create us themselves IE.
Open the "Group Policy Console → User Configuration → Windows Settings → Internet Explorer Maintenance → Browser User Interface" "Browser Toolbar Button Custom" policy configuration item, here, you can customize the background image of the browser toolbar Click "Browse" to select a BMP bitmap file (Note: The toolbar background should be the same as the toolbar size, and the brightness should be sufficient to display black text, otherwise the actual effect is not ideal).
Next, we have to add your own shortcut on the IE toolbar, such as adding "My QQ", which can also be done easily here.
Click "Add", lift "My QQ" in "Toolbar Title", select the path to the QQ program in "Toolbar Operation", and finally select the "Color Icon" and "Gray Icon" path ( If you don't know how to extract these two icons, you can ask the Exescope software to help, you can download it at major sites). After the setting is complete, click "OK". After opening the IE again, you can see the modified effect.
Seven, easy to implement Windows advanced features
1. Set and lock Windows Media Player appearance (Windows 2000 / XP / 2003)
Windows Media Player is currently one of the most popular multimedia players. If other users do not want other users to change their interface appearance, use the group policy to be easily implemented. Open "Group Policy Console → User Configuration → Management Templates → Windows Components → Settings and locks the appearance in the Windows Media Player → User Interface" Enables this policy.
Once this policy is enabled, Windows Media Play will be displayed only in the specified appearance mode, and the appearance can be used in the appearance of the "Appearance" box on the Policy tab. You have to use a complete file name, such as miniplayer.wmz. If the appearance file is not installed on the user's computer, the player will open in the look of Windows Media Player.
Tip: This policy setup software version is at least Windows Media Player V8.00, the ADM file is WmPlayer.adm.
2. Prohibit Windows Media Player to run screensaver (Windows 2000 / XP / 2003)
The screen saver can effectively protect our monitor, but when we use the player to watch the wonderful movie, the screen saver suddenly appears suddenly and interrupted the embarrassing situation. Now we can solve the troubleshooting problem of Windows Media Player to play the interrupt by group strategy. Open "Group Policy Console → User Configuration → Management Templates → Windows Components → WIDOWS Media Player → Allow Running screen saver in playback" and set it to "Disabled" status. 3. Optimize Windows Media Player Network Buffer (Windows 2000 / XP / 2003)
When we use Windows Media Player to play streaming media, the player buffers the streaming media before playing so that you can play smoothly. In practical applications, according to the network bandwidth and server connection speed, the cache is not the same, but Windows Media Player is using the same setting, which is undoubted to match the actual network situation, so we can use the specific network bandwidth The situation is optimized to configure the network buffer. Open "Group Policy Console → User Configuration → Management Templates → Configuring Network Buffers in Windows Components → Windows Media Player → Network" and set to enable status, in the buffer time (second number of seconds) configuration options, according to the network's bandwidth The situation is customized (up to 60 seconds).
Tip: If this policy is enabled, the cache option on the Windows Media Player "Performance" tab will not be configured.
4. Mask access to all Windows Update features (Windows 2000 / XP / 2003)
Windows Update can automatically connect to Microsoft websites and download updates, which is more practical for most users, but this feature is excessive for computer users who do not need to update or bandwidth, and often rumors Windows Update. The computer user information "Secret" will be sent to Microsoft, so this "intelligent" advanced feature can also be masked. Open "Delete Use All Windows Update Features" Group Policy in "Group Policy Console → User Configuration → Management Templates" Group Policy Group Policy to use all Windows Update features and enable this policy.
Tip: If you enable this setting, all Windows Update features (which include blocking the Windows Update website http // windowsupdate.microsoft.com, the Windows Update on the Windows Update on the Start menu, and the tool menu on the Internet Explorer) been deleted. Windows automatic updates are also disabled, you will not receive notifications for updates, nor will you receive an important update for Windows Update. This setting also blocks the device manager automatically downloads the update of the installation driver from the Windows Update website.
5. Remote shutdown in Windows XP / 2003 (Windows XP / 2003)
In Windows XP / 2003, a command line tool "ShutDown" has been added, which can be turned off or restarted locally or remote computers. With it, we can not only cancel the user, shut down or restart your computer, but also realize timing shutdown, remote shutdown. The syntax format of this command is as follows:
Shutdown [-i | -l | -s | -r | -a] [- f] [- m [// computename]] [- t xx] [- c "message"] [- d [u] [p ]: xx: yy]
This command is specifically using parameters and techniques, please refer to Windows Help Systems to help the system have a comprehensive information. We now simply look at some of the basic usage of this command:
1) Log out the current user shutdown - L
This command can only log out of this unit user, which is not applicable to the remote computer.
2) Turn off the local computer
Shutdown - s
3) Restart the local computer
Shutdown - R
4) Timed shutdown
Shutdown - S -T 30
Specifies to automatically shut down the computer after 30 seconds.
5) Turning off the computer. Sometimes we set up the computer timing shutdown, if you want to cancel this shutdown operation for some reason, you can abort it.
In the format of this command, there is a parameter [-m [// computername] that can specify the computer name that will be turned off or restarted, if the words are omitted, the default is to operate the unit. You can take the following command:
Shutdown -s -m // Anyes-Solon -t 30
Close the computer name-Solon (Anyes-Solon is a computer that is equally WINDOWS XP / 2003) in 30 seconds.
After the command is executed, the computer Anyes-Solon does not have a point, but it is prompted on the screen "Access is Denied".
This happens because of the default security policy of Windows XP, only the user of the administrator group has the right to close the computer from the distal end, and when we accesses the computer from other computers in the LAN, only guest users are only guest. So when we perform the above command, the "reject access" will appear.
And we use the Group Policy to give guest users to remote shutdown permissions. Open the "Group Policy Console → Computer Configuration → Windows Settings → Security Settings → Local Policy → User Right System Force" from the remote system forced shutdown ", displaying only members of the" Administrators "group in the pop-ups From remote shutdown; click the Add User or Group button under the dialog box, then enter Guest in the new pop-up dialog box, click the "OK" button.
After the above operation, we grant the permissions of remote shutdown to the computer Anyes-Solon Guest users. In the future, if you want to close the computer from INYES-SOLON, you can enter the following command shutdown -s -m // anyes-solon -t 60 in other computers in the network with Windows XP / 2003.
At this time, a "system shutdown" dialog will appear on the screen of the Anyes-Solon computer, and there is a timer under the dialog box, how much time is displayed from shutdown. In the time of waiting to shut down, users can also perform other tasks, such as closing the program, open files, etc., but cannot close the dialog, unless you use the shutdown -a command to abort the shutdown task.
Eight, group strategy to improve system performance
1. Let Windows's Internet speed increase 20% (Windows XP / 2003)
By default, the Windows network connection packet scheduler is limited to the 80% connection bandwidth, which is undoubtedly a non-small expenditure for a network of bandwidth. We can replace the default value through group policy settings, so that our Internet rate is increased by 20%!
Open the "QoS Packet Schema" in the Group Policy Console → Computer Configuration → Management Templates → Network, and enable this policy, then use the "Bandwidth Limit" box below to adjust the bandwidth ratio of the system to be reserved, set it to 0%, then press OK to exit, then we can use another 20% bandwidth.
2. Close the cache of thumbnails (Windows XP / 2003)
The Windows XP / 20003 system has a thumbnail view function, and in order to speed up the frequently browsed thumbnail display speed, the system can cache these displayed pictures to directly read the information in the cache when the next time. Receive the purpose of fast display. However, if we do not want the system to buffer (such as a picture that only views only one picture), you can use the Group Policy to turn off the thumbnail cache, so the first browsing speed is greatly accelerated (because the cache processing is not performed). Open the "Close Thumbnail Cache" in the Group Policy Console → User Configuration → Management Templates → Windows Components → Windows Explorer "and enable this policy.
3. CD burn function with shielding system (Windows XP / 2003)
Windows XP / 2003 system comes with a CD burn function. If you have a CD burner on your computer, the Windows Explorer allows you to make and modify the rewritable CD. However, this will undoubtedly affect the system performance and the execution speed of the resource manager, so we can use the Group Policy to block this feature (most users use dedicated CD burn software).
Open "Delete CD Burn Function" in "Group Policy Console → User Configuration → Management Templates → Network →" and enable this policy.
4. Turn off system restore function (Windows XP / 2003)
The system restore is a powerful feature integrated in Windows XP / 2003. It is on the system running, and the system restores the files and data, if there is a problem, the system restore enables the user to put the computer without losing personal data files. Restore to the previous state. By default, the system is restored to open.
But the cost of paying for this feature is also quite large, the system performance will be significantly reduced, and the disk space will also take a lot. For a computer that is not high, it is highly recommended to turn off this feature.
Open "Off System Restore" in "Group Policy Console → Computer Configuration → Management Templates → System → System Restore" and enable this policy. Enable this setting to close the system restore function and cannot access the System Restore Wizard and Configure Interface.
5. No Windows Messenger automatic operation (Windows XP / 2003)
There are more and more excellent applications integrated in the Windows system, but these system built-in software have no uninstall options, causing dissatisfaction with many computer users. For example, Windows Messenger, which comes with Windows XP, not only uninstalled, but also automatically runs with the system. For users who do not access the Internet or users do not need to block the automatic run function of this software.
Open the "Group Policy Console → Computer Configuration → Management Templates → Windows Components → Windows Messenger" and this policy is enabled.
Tip: This setting appears in the Computer Configuration and User Configuration folder. If both settings are configured, the settings in Computer Configuration are prioritized than the settings in the User Configuration.
Nine, group strategy to create system copper wall iron-level function
1. Hide the drive specified in "My Computer" (Windows XP / 2003)
This group policy can delete the icon that represents the selected hardware drive from "My Computer" and "Windows Explorer". And all drives represented by the drive can not appear on the standard open dialog.
Open "Hidden 'My Computer'" in "Hide 'My Computer'" in "Group Policy Console → User Configuration → Management Templates → Windows Components" and enable this policy and select one in the following list box. Drivers or several drives.
Tip: This policy only deletes the drive icon. Users can still continue access to the drive by using other ways. At the same time, this policy does not prevent the user from accessing these drives or its contents. And it will not prevent the user from using disk management plug and playing to view and change the drive feature.
2. Prevents access from "My Computer" (Windows 2000 / XP / 2003) This policy allows users to view the contents of the actors selected in "My Computer" or "Windows Explorer". At the same time, it also prohibits the use of run dialogs, mirror network drive dialogs, or Dir commands to view directorys on these drives.
Open "Group Policy Console → User Configuration → Management Templates → Windows Components → Windows Explorer" "to prevent this policy from" My Computer 'Access Drive "and enable this policy, and select a drive or several in the list box below Drive.
Tip: These representative the icon for the specified drive still appears in "My Computer", but if the user double-click the icon, a message interpretation will appear to prevent this. These settings do not prevent users from accessing local and network drives using other programs. And do not prevent them from using disk management plug-and-play to view and change drive features.
3. Prohibit Using Command Tips (Windows 2000 / XP / 2003)
In Windows 2000 / XP / 2003, we can run cmd.exe to enter the command prompt state and continue to run some DOS commands and other command line programs. For safety considerations, some systems should block this feature.
Open the "Block Access Command Prompt" in the Group Policy Console → User Configuration → Management Templates → System, and enable this policy, and select "or deactivate command prompt script processing in the list box", this setting It is also determined whether the batch file .cmd and .bat can run on your computer.
If this setting is enabled, a message is displayed when the user tries to open the command window, and the interpretation setting blocks this.
4. Forbidden to change display properties (Windows 2000 / XP / 2003)
Select "Show" in Control Panel or click Right click to select Properties. You can enter the "Display Settings" dialog box, you can have items such as desktop topics, desktop background, screen saver, display settings. Conduct settings, if you don't want others to change the settings at will, you can hide it through Group Policy.
Open the Group Policy Console → User Configuration → Management Templates → Control Panel → Display, you can see the Hidden Desktop tab, Hide Topic Tab, Hide Protection Tab, Hide Settings tab, etc. Configure these items. For example, after the "Hidden 'Desktop' Tab" policy is enabled, open the "Display Properties" dialog, you can't see the "Desktop" tag, so you can't change your desktop properties anymore.
5. Disable Registry Editor (Windows 2000 / XP / 2003)
In order to prevent others from entering the computer, you can make a disable access settings for the Registry Editor in the Group Policy. Specific method of operation: Open "Block Access Registry Editing Tool" in the Group Policy Console → User Configuration → System, and enable this policy.
After this policy is enabled, when the user attempts to start the Registry Editor (regedit.exe and regedt32.exe), the system will prohibit such operations and pop up a warning message.
6. Thoroughly ban access "Control Panel" (Windows 2000 / XP / 2003)
If you do not want other users to access the "Control Panel" of the computer, you can also use the group policy to implement. Open the Disable Access Control Panel in the Group Policy Console → User Configuration → Administration Templates → Extension Panel and enable this policy.
This policy is enabled after the "Control Machine" program file (Control.exe) starts. Others will not be able to launch "Control Panel" (or run any "Control Panel" item). In addition, this setting will delete "Control Panel" from the Start menu. At the same time, this setting also removes the Control Panel folder from the Windows Explorer.
7. It is forbidden to establish a new dial-up connection (Windows 2000 / XP / 2003) If you don't want others to set up a new connection in your computer, Group Policy can also do it. Open "Prohibition Access New Connection Wizard" in the Group Policy Console → User Configuration → Administration Templates → Network → Network Connections and enable this policy.
After this policy is enabled, "establish a new connection" will not appear in the Network Connection folder and the Start Menu.
Tip: This setting cannot prevent users from bypass this setting using other programs such as Internet Explorer. In addition, this setting must restart the computer to take effect.
8. Disable "Add / Remove Programs" (Windows 2000 / XP / 2003)
"Add or Remove Programs" items in Control Panel Allows you to install, uninstall, repair and add and delete Windows features and components, and a lot of Windows programs. If you want to prevent other users from installing or uninstaling, you can use the Group Policy.
Open "Delete 'Add / Remove Programs" in "Group Policy Console → User Configuration → Management Templates → Control Panel → Add → Delete Programs" and enable this policy, when we open "Control Panel" Add / Delete Programs When the module, the warning window will be automatically popped, and the "Add / Remove Programs" will not be able to run.
In addition, in the "Add / Remove Programs" branch, "Add a new program" in the Windows Add / Remove Programs, "Add Program from CD-ROM or Floppy Disk", "Add Program from Microsoft," from Network Add Program "and other items are hidden, and the settings of these policy items have played the role of system files and applications in the computer.
9. Restrictions use applications (Windows 2000 / XP / 2003)
If your computer sets multiple users, some programs we may not want other users to run freely, and they can set in Group Policy.
Open the "Group Policy Console → User Configuration → Management Templates → System" "only Operation License Windows Application" and enable this policy, then click the "Show" button below "Allowed Application List", pops up A "Display Content" dialog where you click the Add button to add the application that allows you to run. The general user can only run the program in the "Allowed Application List".
