How to use Local Group Policy Editor to tweak your computer

This article will show you how to use Local Group Policy Editor to make computer changes.

Note: Group Policy Editor is only available on the Pro version of Windows 10. Home or Home Premium users do not have access to it.

1. How to install Group Policy Editor (GPEdit.Msc) on Windows 10 Home Edition

Group Policy is a powerful tool used to set up corporate networks, lock computers so that users cannot make changes, prevent them from running unapproved software and many other uses.

For home computers, uses such as password length limit, computer lock to run only approved executable files are not available. However, this tool has many other things you can configure such as disabling Windows features that you don't like, blocking certain applications or scripting that run when logging out or logging in.

1. 8 "tweak" Windows Group Policy any Admin should know
2. 4 tips to open Local Group Policy Editor on Windows 8 / 8.1
3. 10 important Windows Group Policy settings need to be done immediately

Interface Local Group Policy Editor

The interface of Local Group Policy Editor is similar to other administration tools. Treeview on the left allows users to search for a hierarchical directory structure. It has an installation list, a preview pane to provide more information about specific settings.

You need to consider two top-level directories:

1. Computer Configuration : Contains computer settings for all logged-in users.
2. User Configuration : Contains settings that apply to user accounts.

In each of these directories there are several other directories that provide some of the available settings:

1. Software Settings : Contains software-related and default default configuration on Windows clients.
2. Windows Settings: Contains security settings and scripts for login / logout, start / shutdown.
3. Administrative Templates : This folder contains registry-based configurations to quickly tweak your computer or user account.

Customize security rules

If you double click on Prevent access to the command prompt , a window like the one below will appear. In fact, most installations in Administrative Templates look like that.

This specific installation will allow you to block users from accessing the Command Prompt. You can also configure the settings inside the dialog box to block batch files.

When you enable the Run only specified Windows applications option in the same directory as the above option, you can allow specific Windows applications to be run on the system.

In this case, if you run an application that is not on the list, you will receive an error message like the one below.

You should be careful to tweak the rules here, otherwise your computer will be locked to be unusable.

Refine UAC settings for security

In the Computer Configuration folder > Windows Settings> Security Settings> Local Policies> Security Options , you will find a variety of interesting settings to secure your computer.

We will look at the first option in this folder as User Account Control: Behavior of the elevation prompt for Administrators . In the dialog box that appears, if you select Prompt for credentials on the secure desktop , you or another user must enter the password whenever you run something in admin mode.

This option makes Windows work like Linux or Mac, asking for a password whenever you make changes.

Some other useful options:

1. User Account Control: Only elevate the executables that are signed and validated: This option prevents applications that are not digitally signed to run as admin.
2. Recovery console, allow automatic administrative logon : When you need to use the recovery panel to perform system tasks, you need to provide an administrator password. If you forget your password, this option allows you to access your password more easily. However, because you can easily delete Windows passwords, this option is really less secure.

See also: Instructions on how to login to your computer when you forget your password

It is worth noting that many policies in the list do not really apply to all versions of Windows. For example, installing Remove My Documents Icon is only available on Windows XP and 2000. Other policies like At least Windows XP or similar will not work on all versions.

There are many settings in Group Policy Editor, you can take the time to learn them. Most of the settings here allow you to disable Windows features that you don't like, very few settings that offer no functionality by default.

Set up scripts to run when logging in, logging out, starting or shutdown

If you want to set up the script for logout, log in to run each time you boot your computer, you can only do this on Group Policy Editor.

This is really useful when cleaning your system or making quick backups of certain files every time you turn off your computer. You can use batch files or even PowerShell scripts. One thing to note is that these scripts must be run 'quietly' otherwise it will block the logout process.

There are two types of scripts you can use:

1. Startup / Shutdown Scripts : You can find these scripts inside Computer Configuration> Windows Settings> Scripts and run in Local System accounts, so they can manipulate system files but not run as user accounts .
2. Logon / Logoff Scripts : This script is found in Configuration> Windows Settings> Scripts and is run in the user account.

Note, the logout and login scripts will not allow you to run utilities that require administrative access unless you disable UAC completely.

For example, we will create a logout script by accessing User Configuration> Windows Settings> Scripts and double-clicking Logoff .

The Logoff properties window allows you to add logout scripts to run.

In addition, you can also configure PowerShell scripts.

Note, you need to leave these scripts in a specific directory so they can work correctly.

Let the script log out and log in in the directory below:

1. C: WindowsSystem32GroupPolicyUserScriptsLogoff
2. C: WindowsSystem32GroupPolicyUserScriptsLogon

And let the script start and shut down the computer in the directory:

1. C: WindowsSystem32GroupPolicyMachineScriptsShutdown
2. C: WindowsSystem32GroupPolicyMachineScriptsStartup

After configuring the logout script, you can test it.

Note, if the script requires user data to be imported, Windows will be suspended during shutdown or logout for 10 minutes before turning off the script and Windows can restart. Therefore you need to note this point while creating the script.

In the enterprise, it is one of the most powerful and important tools. However, this article only aims to introduce Group Policy's basic usage to amateur users, so it won't go into details.