How to use Local Group Policy Editor to tweak your computer
This article will show you how to use Local Group Policy Editor to make computer changes.
Note: Group Policy Editor is only available on the Pro version of Windows 10. Home or Home Premium users do not have access to it.
- How to install Group Policy Editor (GPEdit.Msc) on Windows 10 Home Edition
Group Policy is a powerful tool used to set up corporate networks, lock computers so that users cannot make changes, prevent them from running unapproved software and many other uses.
For home computers, uses such as password length limit, computer lock to run only approved executable files are not available. However, this tool has many other things you can configure such as disabling Windows features that you don't like, blocking certain applications or scripting that run when logging out or logging in.
- 8 "tweak" Windows Group Policy any Admin should know
- 4 tips to open Local Group Policy Editor on Windows 8 / 8.1
- 10 important Windows Group Policy settings need to be done immediately
Interface Local Group Policy Editor
The interface of Local Group Policy Editor is similar to other administration tools. Treeview on the left allows users to search for a hierarchical directory structure. It has an installation list, a preview pane to provide more information about specific settings.
You need to consider two top-level directories:
- Computer Configuration : Contains computer settings for all logged-in users.
- User Configuration : Contains settings that apply to user accounts.
In each of these directories there are several other directories that provide some of the available settings:
- Software Settings : Contains software-related and default default configuration on Windows clients.
- Windows Settings: Contains security settings and scripts for login / logout, start / shutdown.
- Administrative Templates : This folder contains registry-based configurations to quickly tweak your computer or user account.
Customize security rules
If you double click on Prevent access to the command prompt , a window like the one below will appear. In fact, most installations in Administrative Templates look like that.
This specific installation will allow you to block users from accessing the Command Prompt. You can also configure the settings inside the dialog box to block batch files.
When you enable the Run only specified Windows applications option in the same directory as the above option, you can allow specific Windows applications to be run on the system.
In this case, if you run an application that is not on the list, you will receive an error message like the one below.
You should be careful to tweak the rules here, otherwise your computer will be locked to be unusable.
Refine UAC settings for security
In the Computer Configuration folder > Windows Settings> Security Settings> Local Policies> Security Options , you will find a variety of interesting settings to secure your computer.
We will look at the first option in this folder as User Account Control: Behavior of the elevation prompt for Administrators . In the dialog box that appears, if you select Prompt for credentials on the secure desktop , you or another user must enter the password whenever you run something in admin mode.
This option makes Windows work like Linux or Mac, asking for a password whenever you make changes.
Some other useful options:
- User Account Control: Only elevate the executables that are signed and validated: This option prevents applications that are not digitally signed to run as admin.
- Recovery console, allow automatic administrative logon : When you need to use the recovery panel to perform system tasks, you need to provide an administrator password. If you forget your password, this option allows you to access your password more easily. However, because you can easily delete Windows passwords, this option is really less secure.
See also: Instructions on how to login to your computer when you forget your password
It is worth noting that many policies in the list do not really apply to all versions of Windows. For example, installing Remove My Documents Icon is only available on Windows XP and 2000. Other policies like At least Windows XP or similar will not work on all versions.
There are many settings in Group Policy Editor, you can take the time to learn them. Most of the settings here allow you to disable Windows features that you don't like, very few settings that offer no functionality by default.
Set up scripts to run when logging in, logging out, starting or shutdown
If you want to set up the script for logout, log in to run each time you boot your computer, you can only do this on Group Policy Editor.
This is really useful when cleaning your system or making quick backups of certain files every time you turn off your computer. You can use batch files or even PowerShell scripts. One thing to note is that these scripts must be run 'quietly' otherwise it will block the logout process.
There are two types of scripts you can use:
- Startup / Shutdown Scripts : You can find these scripts inside Computer Configuration> Windows Settings> Scripts and run in Local System accounts, so they can manipulate system files but not run as user accounts .
- Logon / Logoff Scripts : This script is found in Configuration> Windows Settings> Scripts and is run in the user account.
Note, the logout and login scripts will not allow you to run utilities that require administrative access unless you disable UAC completely.
For example, we will create a logout script by accessing User Configuration> Windows Settings> Scripts and double-clicking Logoff .
The Logoff properties window allows you to add logout scripts to run.
In addition, you can also configure PowerShell scripts.
Note, you need to leave these scripts in a specific directory so they can work correctly.
Let the script log out and log in in the directory below:
- C: WindowsSystem32GroupPolicyUserScriptsLogoff
- C: WindowsSystem32GroupPolicyUserScriptsLogon
And let the script start and shut down the computer in the directory:
- C: WindowsSystem32GroupPolicyMachineScriptsShutdown
- C: WindowsSystem32GroupPolicyMachineScriptsStartup
After configuring the logout script, you can test it.
Note, if the script requires user data to be imported, Windows will be suspended during shutdown or logout for 10 minutes before turning off the script and Windows can restart. Therefore you need to note this point while creating the script.
In the enterprise, it is one of the most powerful and important tools. However, this article only aims to introduce Group Policy's basic usage to amateur users, so it won't go into details.
You should read it
- 4 tips to open Local Group Policy Editor on Windows 8 / 8.1
- How to reset Local Group Policy settings on Windows 10
- How to install the Microsoft Edge Group Policy template on Windows 10
- Fixed an issue that could not replace Windows 10 desktop wallpaper with Group Policy
- What is GPEdit.Msc (Group Policy Editor)? How to use GPEdit to configure a computer
- How to apply Local Group Policy to specific user accounts in Windows 10/11
- 8 'tweak' Windows Group Policy any Admin should know
- How to install Group Policy Editor (GPEdit.Msc) on Windows 10 Home Edition
- Configure App-V with Group Policy Objects
- How to view all applied Group Policies in Group Policy Editor
- Use Group Policy Filtering to create a NAP DHCP enforcement policy - Part 1
- Use Group Policy Filtering to create a DHCP enforcement policy for NAP - Part 2
Maybe you are interested
How to Enable and Disable Tabs in File Explorer on Windows 11
5 macOS Sequoia Features Not Available on Windows 11
Why does Windows operating system have such a bad reputation?
Quickly fix Unmountable Boot Volume error on Windows 10/11
15 safe software and application download websites for Windows
How to Fix Clipboard History Error in Windows 11 Latest Update