8 Windows Group Policy Tweaks Every Admin Should Know
Windows Group Policy is a powerful tool to configure many aspects of Windows. Most of the tweaks it has to offer are targeted towards PC administrators to monitor and control standard accounts. If you are administrating PCs in a company environment or administrate multiple accounts at home, then you should definitely take advantage of Windows Group Policy to control PC usage of employees and family.
Below we have listed 8 Windows Group Policy tweaks that will surely make administrative tasks easier.
Windows 10 offers many customization options, but they are either difficult to access or require tinkering with Windows…Read more
Note: Group Policy editor is not available in the standard and home edition of Windows. You must have professional or enterprise version of Windows to use Group Policy.
How to access Windows Group Policy Editor
You must access Group Policy Editor before following any of the tweaks below. Although there are many ways to access Windows Group Policy editor, but using "Run" dialog is the fastest and works in all versions of Windows.
Press Windows +R keys to open "Run" dialog. Here type "gpedit.msc" and hit Enter to open Group Policy Editor.
Furthermore, make sure you are logged in to the administrator account before accessing the Group Policy.
Standard accounts are not allowed to access the Group Policy.
1. Track account logins
From Group Policy you can force Windows to record all successful and failed logins to the PC from any user account. You can use such information to track who is logging in to the PC and whether an unauthorized person tried to login or not.
In Group Policy editor, move to the below mentioned location and double-click on "Audit logon events".
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Here check the checkbox next to "Success" and "Failure" options. When you will click on "OK", Windows will start keeping a record of logins made to the PC.
To view these logs, you will have to access another useful Windows tool – Windows Event Viewer. Open "Run" dialog again and enter "eventvwr" in it to open Windows Event Viewer.
Here expand "Windows Logs" and then select "Security" option from it. In the middle panel, you should see all the recent events. Don’t get confused by all these events, you just need to find successful and failed login events from this list.
Successful login events have "Event ID: 4624", and failed ones have "Event ID: 4625". Just look for these event IDs to find the logins and see exact date and time of logins.
Double-clicking on these events will show more details along with the exact name of the user account that logged in.
2. Prohibit access to Control Panel
Control Panel is the hub of all the Windows settings, both security and usability. However, these settings can be really bad in the wrong hands. If a novice user will be using the PC or you doubt that someone may mess around with these sensitive settings, then you should definitely prohibit access to Control Panel.
To do so, move to the below mentioned location in Group Policy editor and double-click on "Prohibit access to the Control Panel".
User Configuration > Administrative Templates > Control Panel
Here select the "Enable" option to prohibit access to Control Panel. Now Control Panel option will be removed from the start menu and no one will be able to access it from anywhere, including "Run" dialog.
All the options in the Control Panel are also prohibited and accessing them using any other method will show an error.
3. Stop users from installing new software
It can take quite some time to clean a PC infected with malware. To ensure users don’t install any infected software from any mean, you should disable Windows installer in the Group Policy.
Navigate to the below mentioned location and double-click on "Disable Windows Installer".
Computer Configuration > Administrative Templates > Windows Components > Windows Installer
Select "Enable" option here and select "Always" from the drop down menu in the "Options" panel below. Now users will not be able to install new programs in the PC. Although they will still be able to download or move them in PC storage.
4. Disable removable storage devices
USBs and other forms of removable storage devices can be very dangerous for the PC. If someone accidentally (or on purpose) connects a virus infected storage device with the PC, it could infect your whole PC and may even make it inoperable.
To stop users from using removable storage devices, go to the below mentioned location and double-click on "Removable Disks: Deny read access".
User Configuration > Administrative Templates > System > Removable Storage Access > Removable Disks: Deny read access
Enable this option and the PC will not read any type of data inside an external storage device. Additionally, there is an option below it saying "Removable Disks: Deny write access". You can enable it if you don’t want anyone to write (paste) data to a removable storage device.
5. Prevent specific apps from running
Group Policy also allows you to create a list of apps to prevent them from running. It is perfect to ensure users don’t waste time on known time wasting apps. Move to the below mentioned location and open the "Don’t run specified Windows applications" option.
User Configuration > Administrative Templates > System > Don’t run specified Windows applications
Enable this option and click on the "Show" button below to start creating the list of apps you would like to block.
To create the list, you must enter the executable name of the app to be able to block it; the one with .exe at the end, I.e., CCleaner.exe, CleanMem.exe or lol.launcher.exe. The best way to find exact executable name of an app is to look for the app’s folder in the Windows File Explorer and copy the exact executable name (along with its extension ".exe").
Enter this executable name in the list and click on "OK" to start blocking it.
There is also an option of "Run only specified Windows applications" below it. If you want to disable all types of applications except for few important ones, then use this option and create a list of apps that you would like to allow.
This is a great option if you want to create a really strict working environment.
6. Disable Command Prompt and Windows Registry Editor
Control Panel is bad in wrong hands, but the Command Prompt and Registry Editor are the worse. Both of these tools can easily make Windows inoperable, especially the Registry Editor that could damage Windows beyond repair.
You should disable both Command Prompt and Windows Registry Editor if you are concerned about the PC’s security (and health).
Move to the location given below:
User Configuration > Administrative Templates > System
Here disable both "Prevent access to the command prompt" and "Prevent access to registry editing tools" options to stop users from accessing Command Prompt and Registry Editor.
7. Hide Partition Drives from My Computer
If there is a specific drive with sensitive data inside, then you can hide it from My Computer so users are unable to find it. It’s a good measure to keep users fooled, but it should not be used as a method to protect data against prying eyes.
Go to the below mentioned location and enable the option "Hide these specified drives in My Computer".
User Configuration > Administrative Templates > Windows Components > Windows Explorer > Hide these specified drives in My Computer
Once enabled, click on the drop down menu in the "Options" panel and select which drives you would like to hide. The drives will be hidden when you will click on "OK".
8. Tweaks for Start Menu and Taskbar
Group Policy offers dozens of tweaks for Start Menu and the Taskbar to customize them as you like. The tweaks are perfect for both administrators and regular users looking to customize Windows Start Menu and Taskbar. Go to the below mentioned location in Group Policy Editor and you will find all the tweaks with an explanation of what they do.
User Configuration > Administrative Templates > Start Menu and Taskbar
The tweaks are really easy to understand, so I don’t think I’ll have to explain each one of them. Besides, Windows already offers a detailed description for each tweak. Some of the things you can do include, change start menu power button function, prevent users from pinning programs to taskbar, restrict search option’s reach, hide notifications area, hide battery icon, prevent changes in taskbar and start menu settings, prevent users from using any power options (shutdown, hibernate, etc.), remove "Run" option from start menu and a whole lot of other tweaks.
Time to show who’s the boss
The above Group Policy tweaks should help you take control over a PC and ensure nothing goes wrong when other users use it. Group Policy has hundreds of options to control different Windows functions, above are just few of the most handy ones. So you should explore Group Policy editor and see if you find any hidden gems. Although make sure you create a system restore point before making any changes.
Which one of these Windows Group Policy tweaks you like? Do share with us in the comments.