SEARCH

How-To Geek

HTG Explains: What Group Policy Is and How You Can Use It

image

Group Policy is a Windows feature that contains a variety of advanced settings, particularly for network administrators. However, local Group Policy can also be used to adjust settings on a single computer.

Group Policy isn’t designed for home users, so it’s only available on Professional, Ultimate, and Enterprise versions of Windows.

Centralized Group Policy

If you’re using a Windows computer in an Active Directory environment, Group Policy settings can be defined on the domain controller. Network administrators have one place where they can configure a variety of Windows settings for every computer on the network. These settings can also be enforced, so users can’t change them. For example, using group policy, a network administrator can block access to certain sections of the Windows control panel, or set a specific website as the home page for every computer on the network.

This can be useful for locking down computers, restricting access to specific folders, control panel applets, and applications. It can also be used to change a variety of Windows settings, including ones that can’t be changed from the control panel or require registry tweaks to change.

image

Many Group Policy settings actually change registry values in the background – in fact, you can see which registry value a group policy setting changes. However, Group Policy provides a more user-friendly interface and the ability to enforce these settings.

Local Group Policy

Group Policy isn’t only useful for networks of computers in businesses or schools, however. If you’re using a Professional version of Windows, you can use the local Group Policy Editor to change Group Policy settings on your computer.

Using Group Policy, you can tweak some Windows settings that aren’t normally available from the graphical interface. For example, if you want to set a custom login screen in Windows 7, you can either use the Registry Editor or the Group Policy Editor – it’s easier to change this setting in the Group Policy Editor. You can also tweak other areas of Windows 7 with the Group Policy Editor — for example, you can hide the notification area (also known as the system tray) entirely.

The local Group Policy Editor can also be used to lock down a computer, just as you’d lock down a computer on an enterprise network. This can be useful if you have children using your computer. For example, you can allow users to run only specific programs, restrict access to specific drives, or enforce user account password requirements, including setting a minimum length for passwords on the computer.

image

Using Local Group Policy

To access the local Group Policy Editor on your Windows computer (assuming you’re using a Professional edition of Windows or better, not a Home version), open the Start menu, type gpedit.msc, and press Enter.

If you don’t see the gpedit.msc application, you’re using a Home edition of Windows.

image

You probably shouldn’t dig through the Group Policy Editor and look for settings to change, but if you see an article on the web recommending you change a Group Policy setting to achieve a specific goal, this is where you can do it.

Group Policy settings are broken up into two sections – the Computer Configuration section controls computer-specific settings, while the User Configuration section controls user-specific settings.

image

For example, Internet Explorer settings are located under Administrative Templates\Windows Components\Internet Explorer

image

You can change a setting by double-clicking it, selecting a new option, and clicking OK.

image


This is just scratching the surface of what you can do with Group Policy – we’ve also covered enabling auditing from the Group Policy editor to see who logged into your computer and when.

You should now have a better understanding of Group Policy, what you can do with it, and how it differs from the registry editor, which isn’t designed for easy editing of settings by hand.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 09/25/12

Comments (7)

  1. r

    I just do all this from Active Dir. on Win2008r2. It’s the most efficient way to create, edit & assign policies & permissions, and configure & maintain all things for domain controllers, servers & workstations.
    –like this I have easy access to everything all at the same time.

  2. Jakeu1701

    @r – not everyone has a server they admin with srv2008. most of us get by with a desktop enviorn being used as a server.

  3. r

    @ Jakeu1701 : that’s fine, my comment wasn’t intended for everyone

  4. gc

    I have win xp pro on a machine, (an old IBM) given to me by a former employer..
    What I need to do is take ownership, as the log-on screen opens with his name and a blank password. I’ve tried to replace his name with mine, but when I boot up and log back on, there his name is again! My questions..(4)

    1. How do I take complete ownership of this pc? (simple instructions step by step please)

    2. Will I be able to download/install any updates/upgrades for the existing software on this machine if it’s still registered to him(former boss) and not me? How to change this?

    3. I screwed around with some permissions on a different pc and then altered/deleted something by accident and have never been able to get it back. Do i need to do a reinstall full recovery, or selective install to get that specific sofware back? (PC Tools application built in with HP Pavilion 753n Desktop PC-it’s not available on line) I have a set of recovery disks, but i don’t know how to find the one that might have that software on it. Any help here appreciated)

    4. Can group policy functions be set up to monitor or track web activity, or log network events?

    thanks all!

  5. r

    @gc

    1. you need to create a new local administrator account if you can’t use any other available. You’ll need any admin password already on the computer to login & do this…(check internet on how to do this)
    2. this depends on the software, some are global. However, once you create & use a new account this may impact your access to certain programs, which may demand a key again.
    3.If you changed any “permissions” then this didn’t delete any programs. You’ve just denied yourself access to them. they should be still there. If you deleted PC Tools, search the recovery disks, or you can download a copy at their site (either way, you’ll need the key to register it eventually)
    4.web activity access to questionable and undesirable sites. or logging network events can

  6. r

    @ gc

    …sorry,….slippery fingers :)

    4.web activity access to questionable and undesirable sites can be managed in group policy. Logging network events can be monitored in Computer mgt. > Event Viewer.

    There are many other ways to approach the problems here depending on more info.

  7. thesilentman

    Strange. I swear I saw this once in my Vista Home Premium. Anyway, good succinct article on the group policy editor.

Enter Your Email Here to Get Access for Free:

Go check your email!