Wednesday, June 27, 2012

Local Group Policy




Group Policies are a convenient way for an administrator to prescribe the behaviour of computers, and the rights and permissions of users, from a single console. Group Policies can be applied to a single computer and its users, or to wider groups such as domains. A local computer can have only one group policy (a Group Policy Object) in operation. A group policy MMC is not installed by default on a local machine, but part of its content appears as the Local Security Policy MMC, which is installed by default.

The MMC Console is called from START > RUN.

Add the group policy console from the Add/Remove Snap-ins Wizard.

Options here fall into two broad groups, namely settings for the machine as a whole, and settings for the users of the machine.

Software Settings is really only of use within a domain where programs are published or assigned.

Windows Settings is more relevant until the computer is joined to a domain.

This is a way to specify programs to run before the user begins to interact with Windows.

Double-click on the item to view its properties.

No script files have been selected, but one can be added now:

Browse to find a file in the Start-up folder.

One way to specify that all the scripts execute at the same time, as far as possible, is to use the Administrative Templates facility.

Expand System…

Then Scripts.

There is a bewildering array of options here. Fortunately, there are explanations for each policy setting.

Double-click on Run startup scripts asynchronously.

Select the appropriate radio button.

The Explain tab gives a detailed explanation of the object’s function.

The previous and next policy buttons allow the administrator to scroll through all the available policies until he finds one that fulfils his requirements.

The quick scan facility is very useful in view of the enormous number of options available:

The best way to get familiar with all of these settings is to play around with them. Be careful not to lock yourself out of the machine.

There are as many options again for configuring user rights, as can be seen from the panel on the left.

The foregoing configuration opportunities give an administrator a wide range of options for setting security. However, a basic list of essential security features might include disabling the following:

Command Prompt,
Control Panel,
MMC,
Installing programs from floppy, CD or DVD,
Shutdown,
Previous Login name,
Registry editing tools
(You might also consider configuring a Web Home Page.)

Group Policy is applied to the machine and all users of it – including the Administrator. He can therefore permanently remove his own control.
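
Once the policy has been applied, the restrictions in the list above can be checked without opening the console. The PowerShell below is an added example, not part of the original post: it only reads the registry, and the key and value names are the ones commonly documented as backing these policies, which the post itself does not name.

```powershell
# Added example: read-only audit of the restrictions in the checklist above.
# Assumption: these are the registry values commonly documented as backing
# each policy; the original post does not name them. HKCU values describe
# the user who runs the script, so run it as the restricted account.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$hkcuSys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hklmSys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$polRoot  = 'HKCU:\Software\Policies\Microsoft'

$checks = @(
    @{ Item = 'Command Prompt';               Path = "$polRoot\Windows\System";    Name = 'DisableCMD' }
    @{ Item = 'Control Panel';                Path = $explorer;                    Name = 'NoControlPanel' }
    @{ Item = 'MMC (permitted snap-ins only)'; Path = "$polRoot\MMC";              Name = 'RestrictToPermittedSnapins' }
    @{ Item = 'Install from removable media'; Path = "$polRoot\Windows\Installer"; Name = 'DisableMedia' }
    @{ Item = 'Shutdown';                     Path = $explorer;                    Name = 'NoClose' }
    @{ Item = 'Previous login name';          Path = $hklmSys;                     Name = 'DontDisplayLastUserName' }
    @{ Item = 'Registry editing tools';       Path = $hkcuSys;                     Name = 'DisableRegistryTools' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy not configured).
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $prop = $props.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

$report = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    # Any non-zero data counts as restricted (DisableCMD and
    # DisableRegistryTools accept both 1 and 2).
    if ($null -eq $value)      { $state = 'Not configured' }
    elseif ([int]$value -ne 0) { $state = 'Restricted' }
    else                       { $state = 'Set to 0 (not restricted)' }
    [pscustomobject]@{
        Item  = $c.Item
        Value = $c.Name
        Data  = $value
        State = $state
    }
}

# One row per checklist item, so gaps in the baseline are visible at a glance.
$report | Format-Table -AutoSize
```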
