1. Basic Knowledge of Group Policy
Group Policy is the main tool administrators use to define and control programs, network resources, and operating system behavior for users and computers. A wide range of software, computer, and user policies can be set with it. For example, you can use Group Policy to remove icons from the desktop, customize the Start menu, and simplify the Control Panel. You can also add scripts that run on the computer (at startup or shutdown, and at user logon or logoff), and even configure Internet Explorer.
This article focuses on using local Group Policy in Windows XP Professional. Local Group Policy covers two areas: local computer configuration and local user configuration. All policy settings are saved under the corresponding keys of the registry: computer policy settings are saved under HKEY_LOCAL_MACHINE, and user policy settings are saved under HKEY_CURRENT_USER.
There are two ways to open local Group Policy: the first is from the command line; the second is by adding the Group Policy Editor (GPE) snap-in in the MMC console.
(1) Starting the Group Policy Editor from the command line
Click "Start" → "Run", enter "gpedit.msc" in the "Open" box of the "Run" dialog box, and then click the "OK" button to start the Windows XP Group Policy Editor. (Note: the "Group Policy" program is located in "C:\WinNT\System32", and its file name is "gpedit.msc".)
In the Group Policy window that opens (as shown in Figure 1), the left pane shows the objects that can be controlled as a tree, and the right pane shows the specific policies that can be set for the item selected on the left. You may also have noticed that "Local Computer Policy" in the left pane consists of two main branches, "Computer Configuration" and "User Configuration", and that some items are repeated in both, such as "Software Settings" and "Windows Settings". So what is the difference between the same item under the two branches? "Computer Configuration" holds settings for the computer as a whole, and these apply to the operating environment of every user on the computer; "User Configuration" holds settings for the current user, and these apply to the current user only. For example, both provide a setting for the "Turn off Autoplay" feature. If it is enabled under "Computer Configuration", disc autorun stops working for all users; if it is enabled under "User Configuration", disc autorun stops working only for that user, and other users are not affected. Keep this in mind when configuring policies.
Figure 1
(2) Opening Group Policy as a standalone MMC snap-in
To open the Group Policy Editor by adding the GPE snap-in in the MMC console, proceed as follows:
1. Click "Start" → "Run", type "MMC" in the dialog box that appears, and then click the "OK" button to open the Microsoft Management Console window, as shown in Figure 2.
Figure 2
2. Select the "Add/Remove Snap-in" command on the "File" menu.
3. On the "Standalone" tab of the "Add/Remove Snap-in" window, click "Add".
4. In the "Add Standalone Snap-in" dialog box that appears, select "Group Policy" in the "Available Standalone Snap-ins" list and click the "Add" button, as shown in Figure 3.
Figure 3
5. Because Group Policy is being applied to the local computer, in the "Select Group Policy Object" dialog box either click "Local Computer" to edit the local computer object, or click "Browse" to find the Group Policy object you want.
6. Click "Finish" → "Close" → "OK"; the Group Policy snap-in then opens the Group Policy object to be edited.
If you want to save the Group Policy console and be able to choose which Group Policy object it opens from the command line, select the "Allow the focus of the Group Policy Snap-in to be changed when launching from the command line" check box in the "Select Group Policy Object" dialog box.
2. Removing and Disabling Taskbar and Start Menu Options
Under "Local Computer Policy", expand "User Configuration" → "Administrative Templates" → "Start Menu and Taskbar" step by step. The right pane lists the policies for the taskbar and the Start menu, as shown in Figure 4.
Figure 4
(1) Slimming down the "Start" menu
If you feel the Windows XP "Start" menu is too bloated, you can remove unwanted items from it. The right pane provides policies for removing the common program groups, the "My Documents" icon, the "Documents" menu, "Network Connections", the "Favorites" menu, the "Search" menu, the "Help" command, the "Run" menu, the "My Pictures" icon, the "My Music" icon, the "My Network Places" icon, and others from the "Start" menu. You only need to enable the policies that correspond to the unwanted menu items. Taking removal of the "My Documents" icon as an example, the steps are:
1. In the policy list pane, double-click the "Remove My Documents icon from Start Menu" policy.
2. On the "Setting" tab of the window that appears, select the "Enabled" option button (as shown in Figure 5), and then click the "OK" button.
Figure 5
(2) Protecting your personal privacy
For security reasons, if you don't want others to know which pages you have visited and which documents you have opened, just enable the "Do not keep history of recently opened documents" and "Clear history of recently opened documents on exit" policies in the right pane.
(3) Protecting the "Taskbar" and "Start" menu settings
If you don't want others to change the "Taskbar" and "Start" menu settings, just enable the "Prevent changes to Taskbar and Start Menu Settings" and "Remove access to the context menus for the taskbar" policies in the right pane. Then, when a user right-clicks the taskbar and clicks "Properties", the system displays an error message stating that a setting prohibits this operation.
(4) Disabling "Log Off" and "Shut Down"
If you don't want a user to be able to shut down or log off once the computer has started, enable the two policies "Remove Logoff on the Start Menu" and "Remove and prevent access to the Shut Down command".
If you delete "Logout" on the Start menu, "Logout
Prevents users from shutting down or restarting Windows. This setting removes the "Shut Down" option from the Start menu and disables the "Shut Down" option in the Windows Security dialog box (which appears when you press Ctrl+Alt+Del); it also prevents users from shutting down through the Windows user interface, but it cannot prevent users from shutting down Windows by other means.
3. Removing Desktop-Related Options
The Windows XP desktop is like your desk at work: it sometimes needs to be organized and cleaned. With the Group Policy Editor this becomes easy. Under "Local Computer Policy", expand "User Configuration" → "Administrative Templates" → "Desktop" step by step, and the corresponding policies appear in the right pane, as shown in Figure 6.
Figure 6
(1) Hiding the desktop system icons
The traditional way to hide the system icons on the desktop is to modify the registry, which carries some risk; with the Group Policy Editor the same result is easy to achieve. To hide the "My Network Places" and "Internet Explorer" icons on the desktop, just enable the "Hide My Network Places icon on desktop" and "Hide Internet Explorer icon on desktop" policies in the right pane; to hide all icons on the desktop, enable "Hide and disable all items on the desktop". When the "Remove My Documents icon on the desktop" and "Remove My Computer icon on the desktop" policies are enabled, the "My Computer" and "My Documents" icons disappear from the desktop; and if you no longer want the "Recycle Bin" icon on the desktop, you can remove it too by enabling the "Remove Recycle Bin icon from desktop" policy.
(2) Preventing certain changes to the desktop
If you don't want others to change your desktop settings, enable the "Don't save settings at exit" policy in the right pane. With this setting enabled, other users can still make changes to the desktop, but some changes, such as the positions of icons and open windows and the position and size of the taskbar, are not saved after the user logs off.
4. Prohibiting Access to the Control Panel
If you do not want other users to access the computer's "Control Panel", run the Group Policy Editor (gpedit.msc), expand "Local Computer Policy" → "User Configuration" → "Administrative Templates" → "Control Panel" in the left pane, and then enable the "Prohibit access to the Control Panel" policy in the right pane, as shown in Figure 7.
Figure 7
This setting prevents the "Control Panel" program file (Control.exe) from starting. As a result, others cannot start "Control Panel" (or run any "Control Panel" item). The setting also removes "Control Panel" from the Start menu and removes the Control Panel folder from Windows Explorer.
If a user tries to select a "Control Panel" item from the "Properties" item of a context menu, a message appears explaining that a setting prevents this operation.
5. Preventing Users from Using Add or Remove Programs
The "Add or Remove Programs" item in Control Panel lets you install, uninstall, repair, add, and remove Windows XP features and components as well as a wide range of Windows programs. Programs published or assigned to the user appear in "Add or Remove Programs". To keep users from using it, enable the "Remove Add/Remove Programs" policy in the right pane under "Local Computer Policy" → "User Configuration" → "Administrative Templates" → "Control Panel".
Enabling this setting removes "Add or Remove Programs" from the Control Panel and from the menus; it does not prevent users from installing or uninstalling programs with other tools and methods.
6. Setting User Rights in Windows XP
When several people share a computer, follow the steps below to set user rights in Windows XP:
1. Run the Group Policy Editor program (gpedit.msc).
2. In the left pane of the editor window, expand "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "User Rights Assignment".
3. Double-click the user right you want to change. Click "Add", and then double-click the user account to which you want to assign the right, as shown in Figure 8. Click "OK" twice.
Figure 8
7. Remote Shutdown in Windows XP
Windows XP adds a command-line tool, "shutdown", which shuts down or restarts local or remote computers. With it we can not only log off the user and shut down or restart the computer, but also perform timed and remote shutdowns. The syntax of the command is as follows:
shutdown [-i | -l | -s | -r | -a] [-f] [-m [\\computername]] [-t xx] [-c "message"] [-d [u][p]:xx:yy]
The parameters have the following meanings:
-i Displays the graphical interface dialog box.
-l Logs off the current user; this is the default setting.
-s Shuts down the computer.
-r Shuts down and restarts the computer.
-a Aborts a shutdown. The system ignores all other parameters except -l and computername. You can use -a only during the time-out period.
-f Forces running applications to close.
-m [\\computername] Specifies the computer to shut down.
-t xx Sets the timer for system shutdown to xx seconds. The default is 20 seconds.
-c "message" Specifies a message to be displayed in the "Message" area of the System Shutdown window. You can use up to 127 characters. The message must be enclosed in quotation marks.
-d [u][p]:xx:yy Lists the reason code for the system shutdown.
First, let's look at some basic uses of this command:
1. Log off the current user
shutdown -l
This command can only log off a user on the local computer; it does not apply to remote computers.
2. Shut down the local computer
shutdown -s
3. Restart the local computer
shutdown -r
4. Timed shutdown
shutdown -s -t 30
This shuts down the computer automatically after 30 seconds.
5. Abort a shutdown
Sometimes, after setting a timed shutdown, you may want to cancel it for some reason; in that case you can abort it. For example:
shutdown -s -t 300 sets the computer to shut down after 5 minutes.
shutdown -a cancels the shutdown set above.
Those are some basic uses of the shutdown command on the local computer. As already mentioned, besides shutting down the local computer, and more importantly, this command can operate on remote computers. But how is that done?
The command's syntax includes the parameter [-m [\\computername]], which specifies the name of the computer to shut down or restart; if it is omitted, the command acts on the local computer. You can try it with the following command:
shutdown -s -m \\Sunbird -t 30
This shuts down the computer named Sunbird in 30 seconds. Note: Sunbird is a computer on the LAN running Windows XP.
However, after the command is executed, the computer Sunbird does not react at all; instead the screen shows the message "Access is denied".
Why does this happen? In the default Windows XP security policy, only members of the Administrators group have the right to shut down the computer remotely, and when we access that computer from another computer on the LAN we have only Guest user rights, so the command above fails with "Access is denied".
Once the root of the problem is known, the solution is simple: on the client computer (the computer to be shut down, Sunbird in the example above), grant the Guest user the right to shut down remotely. This can be done with "Group Policy" or with "Local Security Policy" under "Administrative Tools" in Windows XP. Using "Group Policy" as the example:
1. Click the "Start" button, select "Run", enter "gpedit.msc" in the dialog box, and then click "OK" to open the Group Policy Editor.
2. In the left pane of the Group Policy window, expand "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "User Rights Assignment".
3. In the right pane of the Group Policy window, double-click "Force shutdown from a remote system" to open it.
4. The dialog box that appears shows that only members of the "Administrators" group have the right to shut down the system remotely. Click the "Add User or Group" button at the bottom of the dialog box, enter "Guest" in the new dialog box that appears, and click the "OK" button, as shown in Figure 9.
Figure 9
5. The "Guest" user now appears in the list of users for "Force shutdown from a remote system"; click "OK".
6. Close the Group Policy window.
After these steps, the Guest user on the computer Sunbird has the right to shut it down remotely. From now on, to shut down the computer Sunbird, enter the following command on any other computer on the network running Windows XP:
shutdown -s -m \\sunbird -t 30 (other parameters are used in the same way)
A "System Shutdown" dialog box then appears on the screen of the Sunbird computer with the message: "The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by Sunbird\Guest." The dialog box also shows a timer counting down to the shutdown. While waiting for the shutdown, users can still do other things, such as closing programs and opening files, but they cannot close the dialog box unless they abort the shutdown with the shutdown -a command.
8. Windows 98 Is Denied Access to a Windows XP Shared Directory
On a LAN one often finds that a shared directory on a Windows 2000 computer cannot be accessed from Windows 98. The answer can be found on Microsoft's official website, which advises enabling the Guest user on Windows 2000. After Windows XP came out, the same problem arose, and some people found that with this method a Windows XP shared directory still could not necessarily be accessed from the network. What is the reason? This problem also troubled me for several days before I found the answer; maybe this is a bug in Windows XP?
With the system's Guest user enabled, run the Group Policy Editor; under "Local Computer Policy" → "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "User Rights Assignment" → "Deny access to this computer from the network" you will see the Guest user listed! If you remove the Guest user here, other computers can see this computer's shared directories through My Network Places.
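A check for the two user rights changed in sections 7 and 8, added here as an example and not part of the original article: it parses the [Privilege Rights] section of a security template exported with "secedit /export /cfg" and reports who besides Administrators holds "Force shutdown from a remote system" (SeRemoteShutdownPrivilege) and whether Guest is still listed under "Deny access to this computer from the network" (SeDenyNetworkLogonRight). The sample template text is constructed, and the function names are this example's own.

```python
import re

# Constructed sample of a template exported with: secedit /export /cfg rights.inf
# (values invented for illustration; principals appear as names or as *SID).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544,Guest
SeDenyNetworkLogonRight = SUPPORT_388945a0
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINISTRATORS_SID = "S-1-5-32-544"                  # built-in Administrators group
GUEST_SID = re.compile(r"^S-1-5-21(-\d+){3}-501$")   # RID 501 = Guest account


def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()      # entering a new section
            continue
        if section == "privilege rights" and "=" in line:
            right, _, value = line.partition("=")
            rights[right.strip()] = [
                p.strip().lstrip("*") for p in value.split(",") if p.strip()
            ]
    return rights


def is_guest(principal):
    # Match by name or by SID, since the account name is localized.
    return principal.lower() == "guest" or bool(GUEST_SID.match(principal))


def is_administrators(principal):
    return principal == ADMINISTRATORS_SID or principal.lower() == "administrators"


def review_rights(inf_text):
    """Return a list of (right, finding) pairs for the two rights discussed."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    extra = [p for p in rights.get("SeRemoteShutdownPrivilege", [])
             if not is_administrators(p)]
    if extra:
        findings.append(("SeRemoteShutdownPrivilege",
                         "also granted to: " + ", ".join(extra)))
    if not any(is_guest(p) for p in rights.get("SeDenyNetworkLogonRight", [])):
        findings.append(("SeDenyNetworkLogonRight",
                         "Guest is not denied network logon"))
    return findings


if __name__ == "__main__":
    for right, finding in review_rights(SAMPLE_INF):
        print(f"{right}: {finding}")
```

On a real system, read the exported file with encoding="utf-16", since secedit writes the template as Unicode text.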
9. Increasing Windows XP Professional's Internet Speed by 20%
1. First, log on to the system as a system administrator.
2. Run the Group Policy Editor (gpedit.msc). Under "Local Computer Policy", expand "Computer Configuration" → "Administrative Templates" → "Network" → "QoS Packet Scheduler" step by step. The "QoS Packet Scheduler" policies appear on the right side of the window. Click the "Limit reservable bandwidth" item on the right; a detailed description of "Limit reservable bandwidth" is then displayed to its left, from which we can learn the basics of this policy. Having read it, we can configure the policy. Click "Properties" after "Display" (or select "Limit reservable bandwidth", right-click, and choose "Properties"), and the "Limit reservable bandwidth" dialog box appears. First click "Explain" to learn more: "Limit reservable bandwidth" determines the percentage of connection bandwidth that the system can reserve.
Then we can reclaim the extra 20% of bandwidth. Click "Setting". The "Setting" tab offers three options ("Not Configured", "Enabled", "Disabled"); select "Enabled", set the bandwidth limit (%) to 0%, and then exit.
3. Click "Start" → "Connect To" → "Show all connections".
Select the connection you have set up, right-click it and choose "Properties", click the "Networking" tab in the connection properties that appear, and check whether "QoS Packet Scheduler" is ticked in the list of items used by this connection. If it is ticked, there is no problem and you can exit.
4. Finally, restart the system to gain the extra 20% of bandwidth.
10. Preventing MSN Messenger from Running Automatically
Windows XP Professional has a lot of built-in software that comes with no uninstaller, which has annoyed many computer users. To stop Windows Messenger (4.0 or higher) from running automatically, in the Group Policy window expand "Computer Configuration" → "Administrative Templates" → "Windows Components" → "Windows Messenger", double-click "Do not allow Windows Messenger to be run" in the right pane, click "Enabled" in the properties dialog box that appears, and then click "OK".
11. Disabling IE6 Settings, Menu Items, and Toolbars
The Internet Options window of the IE browser provides a rich set of options (for example, home page, temporary folders, security level, and content rating), which makes surfing much more convenient. To keep others from changing your browser settings, and to restrict the use of certain IE functions, it is necessary to hide or disable those setting options. In the past, on Windows 9x systems, this was generally done by modifying the registry, which brought some risk to the security of the system. With Windows XP this risk is reduced almost to zero. The following describes how to use the Group Policy provided by Windows XP to configure IE6.
In the left pane of the Group Policy window, expand "User Configuration" → "Administrative Templates" → "Windows Components" → "Internet Explorer" step by step. You will find policy groups such as "Internet Control Panel", "Offline Pages", "Browser menus", "Toolbars", "Persistence Behavior", and "Administrator Approved Controls".
(1) Restricting the IE browser's save functions
When several people use one computer, you may need to restrict the browser's save functions to keep the hard disk clean. How is this done? Select "User Configuration" → "Administrative Templates" → "Windows Components" → "Internet Explorer" → "Browser menus", and then enable policies in the right pane such as "File menu: Disable Save As... menu option", "File menu: Disable Save As Web Page Complete", "View menu: Disable Source menu option", and "Disable Context menu". In addition, if you don't want others to change the IE settings freely, you can enable the "Tools menu: Disable Internet Options... menu option" policy. Other items in this pane can also be disabled according to your needs.
(2) Slimming down the toolbar
To hide buttons on the toolbar, select "User Configuration" → "Administrative Templates" → "Windows Components" → "Internet Explorer" → "Toolbars", and then double-click the "Configure Toolbar Buttons" policy in the right pane. In the "Configure Toolbar Buttons Properties" window that appears, select the "Enabled" option button on the "Setting" tab; for each button in the list that should be shown, select the check box in front of it, and to hide a button, leave its check box cleared. Then click the "OK" button, as shown in Figure 10.
Figure 10
(3) Preventing changes to the IE browser's home page
If you don't want others to change the IE home page you have set, select "User Configuration" → "Administrative Templates" → "Windows Components" → "Internet Explorer", and then enable the "Disable changing home page settings" policy in the right pane. This pane also offers policies for disabling changes to history settings, color settings, and temporary Internet files settings.
When this policy is enabled, the settings in the "Home page" area of the "General" tab in IE's Internet Options dialog box are grayed out.
Special tip: if you have enabled the "Disable the General page" policy under "User Configuration" → "Administrative Templates" → "Windows Components" → "Internet Explorer" → "Internet Control Panel", there is no need to set this policy, because "Disable the General page" removes the "General" tab from the interface.
12. Setting Up Auditing for Files and Folders
Windows XP Professional can use auditing to track the user accounts used to access files or other objects, logon attempts, system shutdowns or restarts, and similar events. Auditing files and folders (available only on NTFS file systems) helps ensure their security. Before auditing, you must use Group Policy to specify the types of events to be audited. The steps for setting up auditing for files and folders are as follows.
1. Click "Start" → "Run", type "gpedit.msc" in the "Run" dialog box that appears, and then click the "OK" button; you can of course also create a shortcut for it on the desktop.
2. In the "Group Policy" window that appears, expand "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" step by step, and then select "Audit Policy" under this branch, as shown in Figure 11.
Figure 11
3. Double-click the "Audit object access" option in the right pane. In the "Local Security Policy Setting" window that appears, select the "Success" and "Failure" check boxes in the local policy setting box, as shown in Figure 12, and then click the "OK" button.
4. Right-click the file (or folder) you want to audit, select "Properties" on the shortcut menu, and select the "Security" tab in the window that appears.
Figure 12
5. Click the "Advanced" button and select the "Auditing" tab.
6. Depending on the situation, do one of the following:
(1) To set up auditing for a new group (or user), click the "Add" button, type the new user name in the "Name" box, and then click the "OK" button; the "Auditing Entry" dialog box opens.
(2) To view (or change) auditing for an existing group (or user), select the user name and then click the "View/Edit" button.
(3) To remove auditing for an existing group (or user), select the user name and then click the "Remove" button.
7. If necessary, select where the auditing should apply in the "Apply onto" list of the "Auditing Entry" dialog box (the "Apply onto" list is available for folders only).
8. To prevent files and subfolders in the directory tree from inheriting these audit entries, select the "Apply these auditing entries to objects and/or containers within this container only" check box.
If the check boxes under "Access" in the "Auditing Entry" dialog box are shaded, or the "Remove" button in the "Access Control Settings" dialog box is unavailable, the auditing has been inherited from the parent folder. Note that to audit files or folders, a user must be a member of the Administrators group or have been granted the "Manage auditing and security log" right in Group Policy. Before auditing files and folders on Windows XP, you must enable "Audit Policy" in Group Policy; otherwise an error message is returned when you set up auditing for a file or folder, and the file or folder is not audited. You can use Event Viewer to see whether audited access to the files and folders succeeded or failed.
Windows XP Professional provides many other security controls for effectively protecting computer resources. We have introduced some of them here, and hope you will discover more and better methods through your own practice.
(Text / Ma Xianting)