SolutionBase: Lock down user desktops with Group Policy

Group policy is one of the most powerful tools in a Windows environment. Here's a quick look at how the Group Policy Editor works in Windows XP to control user settings.

One way to reduce help desk calls is to limit the damage curious users can cause by meddling with their desktops' OS settings. A great tool for preventing potentially harmful tinkering is the Windows Group Policy Editor.

The Group Policy Editor is a tool used to assign policies to a system. Group policies are designed to apply policy settings to a wide variety of tasks. For example, you could create a policy that disables the Run prompt or Control Panel.

How group policies work

Group policies are hierarchical; they can be applied to domains, workstations, user groups, and/or individual users. All of the various policy elements are then combined into what's known as the effective policy. The effective policy is derived by starting at the domain level and then applying policies on a more individualized basis, working toward the individual workstation's group policy, known as the local security policy. Let's look at how the Group Policy Editor works and an example of how it can be used to lock down a desktop. For the examples in this article, I will use the Group Policy Editor in Windows XP.

Opening the Group Policy Editor

If you click the Administrative Tools icon found in Control Panel, you'll notice that the Administrative Tools menu contains an option for the Local Security Policy. However, this tool only loads a subset of the total local security policy; it won't allow you to lock down the desktop. For that, you need to use the full-blown Group Policy Editor.

To open the Group Policy Editor, log on to a workstation as a user with local administrative privileges. If you then look for the Group Policy Editor in the Start menu, however, you won't find any icons or menu options for it, because the Group Policy Editor is a Microsoft Management Console snap-in.

There are two ways to access the Group Policy Editor. First, you can click Start | Run, enter gpedit.msc in the Open box, and click OK. Second, you can open an empty Microsoft Management Console session by clicking Start | Run, entering MMC in the Open box, and clicking OK. When the console opens, click Console | Add/Remove Snap-in to display the Add/Remove Snap-in properties sheet. Next, click the Add button on the properties sheet's Standalone tab to display a list of the available snap-ins. Select the Group Policy snap-in from the list and click the Add button. When you do, Windows will ask you which Group Policy object you want to work with. Select the Local Computer object and click the Finish button, followed by the Close and OK buttons. This will load the Local Computer Policy snap-in into the console.

Regardless of the method you use to open the Group Policy Editor, you will be presented with a window that resembles the one in Figure A.

Figure A

Here's the Group Policy Editor.

Using the Group Policy Editor

Notice that the local security policy is divided into Computer Configuration and User Configuration. The Desktop configuration portion of the local security policy can be found by navigating through the console to User Configuration | Administrative Templates | Desktop.

Once you've selected the Desktop container, you'll see several settings appear in the column on the right. You'll notice that each of the various settings says Not Configured. Windows does this to reduce load time: during the logon process, Windows must process the group policy, and if it sees that a particular policy setting isn't configured, it can skip that setting, thus saving time.

If you want to configure a policy setting, right-click on the policy and select the Properties command from the shortcut menu. You'll then see a properties sheet for the policy setting (Figure B). Although there are variations, most properties sheets have a Policy tab and an Explain tab. The Policy tab allows you to set the policy, while the Explain tab explains the implications of setting a policy.

Figure B

For example, if you wanted to prevent the user from being able to save desktop settings on exit, you could right-click on the Don't Save On Exit policy setting and select the Properties command from the context menu. To set such a policy, simply select the Enabled radio button and click OK.

You might notice that three different options are available. You can enable a policy, disable a policy, or select the Not Configured option. I've discussed the Enabled and the Not Configured options, but you may be wondering about the Disabled option.

As you may recall, I mentioned that all of the group policies work together in a hierarchical manner to form the effective group policy. You would use the Disabled option to turn off a policy that was applied at a higher level. For example, suppose that the domain group policy prevented anyone from saving desktop settings on exit, but since you're an IT person, you wanted to be able to save changes to your desktop. You could use the Disabled option to cancel out the domain security setting for your individual machine.
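Administrative Templates settings such as the ones under User Configuration | Administrative Templates | Desktop are ultimately written to the Policies branch of the user's registry hive, where Enabled, Disabled and Not Configured correspond to a value of 1, a value of 0, and no value at all. The following PowerShell script is an added example, not code from the original article; it reads those values back so you can verify what policy the logged-on user actually received. The mapping of policy names to the NoSaveSettings, NoRun and NoControlPanel values under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer is the well-known Explorer policy mapping; that these three correspond to the policies the article mentions, and the assumption that the template writes 1 for Enabled and 0 for Disabled (the default ADM behaviour), are the example's own assumptions.

```powershell
# Added example (not from the original article): report whether several
# User Configuration | Administrative Templates policies are Enabled,
# Disabled or Not Configured by reading the registry values that Group
# Policy writes for them under the user's Policies key.
# Assumption: the template writes REG_DWORD 1 for Enabled and 0 for Disabled.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Policy display names (as shown in gpedit.msc) mapped to their registry values.
$policies = @(
    @{ Name = "Don't save settings at exit";          Key = $explorerKey; Value = 'NoSaveSettings' },
    @{ Name = 'Remove Run menu from Start Menu';      Key = $explorerKey; Value = 'NoRun' },
    @{ Name = 'Prohibit access to the Control Panel'; Key = $explorerKey; Value = 'NoControlPanel' }
)

function Get-PolicyState {
    param([string]$Key, [string]$Value)

    # No Policies key at all means nothing has been applied for this branch.
    if (-not (Test-Path -Path $Key)) { return 'Not Configured' }

    # A missing value is exactly what Not Configured looks like in the registry.
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Configured' }

    switch ($item.$Value) {
        1       { return 'Enabled' }
        0       { return 'Disabled' }
        default { return "Unexpected value: $($item.$Value)" }
    }
}

# Print one line per policy, e.g.  Don't save settings at exit   Enabled
foreach ($p in $policies) {
    $state = Get-PolicyState -Key $p.Key -Value $p.Value
    '{0,-40} {1}' -f $p.Name, $state
}
```

Run the script in the context of the user whose desktop you locked down, since the Policies key lives in that user's HKCU hive. Because every Group Policy object that applies to the user, domain and local alike, writes into the same key, what the script reports is the effective setting rather than just the local policy; to see which policy object supplied it, compare the output with the resultant set of policy shown by gpresult /scope user /v at a command prompt.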
