Implementing Group policies with Windows XP

Group policies are settings that control how Windows XP works. You can use them to customize the Windows XP interface, restrict access to certain areas, specify security settings, and much more.

Group policies are used mostly by system administrators who want to make sure that novice users don’t have access to dangerous tools (such as the Registry Editor), or who want to ensure a consistent computing experience across multiple machines. Group policies also are ideally suited to situations in which multiple uses share a single computer. However, group policies are also useful on single-user standalone machines, as you’ll see throughout this book.

Working with Group policies

You implement group policies by using the Group Policy Editor. To start the Group Policy Editor, select Start, Run and then use either of the following methods:

• To implement group policies for the local computer, enter gpedit.msc and click OK.

• To implement group policies for a remote computer, enter gpedit.msc /gpcomputer:"name", where name is the name of the remote machine, and then click OK.

  The Group Policy window that appears is divided into two sections:

• The left pane contains a treelike hierarchy of policy categories, which is divided into two main categories: Computer Configuration and User Configuration. The Computer Configuration policies apply to all users and are implemented before the logon. The User Configuration policies apply only to the current user and, therefore, are not applied until that user logs on.

• The right pane contains the policies for whichever category is selected in the left pane.

The idea, then, is to open the tree’s branches to find the category you want. When you click the category, its policies appear in the right pane. For example, Figure 1-2 shows the Group Policy window with the Computer Configuration, Administrative Templates, System, Logon category selected.

Figure 1-2: : When you select a category in the left pane, the category’s policies appear in the right pane.

In the right pane, the Setting column tells you the name of the policy, and the State column tells you the current state of the policy. Click a policy to see its description on the left side of the pane. To configure a policy, double-click it. The type of window you see depends on the policy:

• For simple policies, you see a window similar to the one shown in Figure 1-3. These kinds of policies take one of three states: Enabled (the policy is in effect and its setting is enabled), Disabled (the policy is in effect but its setting is disabled), and Not Configured (the policy is not in effect).

  
  Figure 1-3: Simple policies are Enabled, Disabled, or Not Configured.

• Other kinds of policies also require extra information when the policy is enabled. For example, Figure 1-4 shows the window for the Run These Programs At User Logon policy. When Enabled is selected, the Show button appears, which you use to specify one or more programs that run when the computer starts.

  
  Figure 1-4: More complex policies also require extra information such as, in this case, a list of programs to run at logon.

Example: Controlling Access to Control Panel

You can use group policies to hide or display Control Panel icons and to configure other Control Panel access settings. To see how this works, follow these steps:

1. In the Group Policy Editor, select User Configuration, Administrative Template, Control Panel.

2. Configure one or more of the following policies:

   • Prohibit Access To The Control Panel If you enable this policy, users can’t access Control Panel using the Start menu, Windows Explorer, or the CONTROL command. This action will also disable the user’s ability to access some Control Panel functions through alternative means, such as double-clicking the clock in the notification area or right-clicking the desktop and selecting Properties. Several of these Control Panel functions will not be removed until the user logs off.

   • Hide Specified Control Panel Applets If you enable this policy, you can hide specific Control Panel icons. To do this, click Show, then click Add, enter the name of the icon you want to hide (such as Game Controllers) or the name of the CPL file (such as Joy.cpl), and then click OK.

   • Show Only Specified Control Panel Applets If you enable this policy, you hide all Control Panel icons except the ones that you specify. To do this, click Show, then click Add, enter the name of the icon you want to show (such as Game Controllers) or the name of the CPL file (such as Joy.cpl), and then click OK.

   • Force Classic Control Panel Style If you enable this policy, Control Panel is always displayed in the Classic View, and the user can’t change to the Category View. If you disable this policy, Control Panel is always displayed in the Category View, and the user can’t change to the Classic View. However, when the Not Configured option is selected, the user can change between Category View and Classic View at will.

3. When you’ve finished with a policy, click OK or Apply to put the policy into effect.

   Tip

   Another way to hide and display Control Panel icons is to use Tweak UI, which we describe in the next section. Tweak UI’s Control Panel tab offers check boxes for each CPL file (see Figure 1-5 on the following page). Select a check box to display the icon; clear a check box to hide the icon.

Note, too, that group policies also enable you to customize the behavior of some Control Panel icons. When you open the Control Panel branch, you’ll see four sub-branches that correspond to four Control Panel icons: Add Or Remove Programs, Display, Printers And Faxes, and Regional And Language Options. In each case, you use the policies in a particular sub-branch to hide dialog box tabs (or “pages,” as the Group Policy editor calls them), specify default settings, and more.