Tuesday, August 26, 2008

Group Policy Editor: How it works


Although the Group Policy Editor console (gpedit.msc) is mostly used by administrators of networks and domains, it also has uses for a stand-alone home computer. One application is to allow convenient and easy editing of the Registry so that a variety of tweaks or changes to the system can be made. These settings are known as policies and are stored in a special hidden folder

%SystemRoot%\System32\GroupPolicy\

(For most home systems the environment variable %SystemRoot% is C:\Windows.) Policies that apply to the machine are stored in a sub-folder "Machine" and policies that apply to a user are stored in a sub-folder "User". In each case the settings are in a file named "Registry.pol". Thus the settings for the machine are in

%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol

and in similar fashion user settings are in User\Registry.pol. Policies are used to write to a special key of the Registry and override any settings elsewhere in the Registry. Since only the administrator account can access the policy settings, limited account users can be prevented from making unwanted system changes.
Another useful application of the Group Policy Editor (GPE) is to provide for the automatic running of scripts or programs whenever the computer is started up or shut down or when a user logs on or off. This may be the application of most practical use to a typical home PC user.
(Note that the GPE is not present in the Home Edition of Windows XP. The usual warnings about being careful when editing the Registry apply.)
Using the Group Policy Editor
Like many other management consoles, the GPE is not listed in Start-All Programs. To open it, go to Start-Run and enter "gpedit.msc" (without quotes). Figure 1 shows one view of the console. Note that there are entries for the computer configuration and for the user configuration. Selecting either one then gives the entries shown in the right panel of the figure. Clicking plus signs in the left panel will expand the selections.
Figure 1. Group Policy Editor


Administrative templates: Example of removing the Desktop Cleanup Wizard
The editing possibilities are quite numerous and too many to cover in detail here but I will illustrate the procedure with an example that an average home PC user might be interested in. Custom configurations can be made but there are also a number of pre-existing templates that provide for a variety of standard choices. One of these is whether to turn the desktop cleanup wizard off. Personally, I am irritated by the Windows nanny that is always nagging me to remove unused icons from the desktop. This nuisance can be turned off in other ways but I will use the GPE to illustrate the general procedure for using a template. Figure 2 shows an expanded view of the GPE with Desktop templates shown.
Figure 2. Expanded view of Group Policy Editor

The right panel in Figure 2 shows the numerous tweaks that can be made to the Desktop. To illustrate the process for making changes, Figure 3 shows the dialog box obtained by double-clicking the right-panel entry "Remove the Desktop Cleanup Wizard". The radio buttons are used to enable or disable the wizard. "Not configured" will leave the setting up to the user's discretion.
Figure 3. Dialog for configuring Desktop Cleanup Wizard
Running scripts or programs at startup/shutdown or user logon/logoff
A very useful feature of GPE is the ability to set scripts or programs to run automatically when the computer is turned on or shut down or when a user logs on or off (Figure 4). Any executable file can be invoked. This would include files with the extensions BAT, CMD, EXE, JS, VBS and others. There are other ways to run scripts or programs at startup but not so many for shutdown, so I will illustrate the script capabilities of GPE with a discussion of shutdown or logoff scripts.
In Figure 4, the entry "Windows Settings" has been expanded and you can see entries that provide a way to add scripts for both startup and shutdown. Scripts can also be set to run when a user logs on or off by selecting "User Configuration-Windows Settings". More than one script can be run, and in a particular order. Also, command-line parameters can be specified.
Figure 4. Running scripts
To add a script, double-click the entry "shutdown" in the right pane shown in Figure 4 and the window shown in Figure 5 will open.
Figure 5. Adding a shutdown script
Click the "Add..." button to get the dialog box shown in Figure 6.
Figure 6. Choosing the file for a script
Browse to the file that you wish to add and indicate any parameters that are needed to go with the script or program. Scripts or programs may be located anywhere on the computer but a convenient location for scripts is provided by the folder

C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Shutdown


There are corresponding folders for Startup, User\Scripts\Logon and User\Scripts\Logoff.
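
Because anything placed in these folders runs automatically, it is worth knowing when their contents or the Registry.pol files change. The PowerShell below is an added example, not part of the original post: it hashes the files in the locations named above and reports differences against a saved baseline. The baseline file name and location are hypothetical, and PowerShell 4.0 or later is assumed.

```powershell
# Added example: hash the local Group Policy files named in the article and
# compare them with a saved baseline. Requires PowerShell 4.0+ (Get-FileHash).
param(
    [string]$GpRoot   = (Join-Path $env:SystemRoot 'System32\GroupPolicy'),
    # Hypothetical baseline location; keep it where limited accounts cannot write.
    [string]$Baseline = (Join-Path $env:ProgramData 'gp-baseline.csv')
)

function Get-GpInventory {
    param([string]$Root)
    # Script folders and policy files exactly as the article lists them.
    $scriptDirs = 'Machine\Scripts\Startup', 'Machine\Scripts\Shutdown',
                  'User\Scripts\Logon', 'User\Scripts\Logoff'
    $polFiles   = 'Machine\Registry.pol', 'User\Registry.pol'
    $files = @()
    foreach ($dir in $scriptDirs) {
        $path = Join-Path $Root $dir
        if (Test-Path -LiteralPath $path) {   # -Force also returns hidden files
            $files += @(Get-ChildItem -LiteralPath $path -File -Recurse -Force)
        }
    }
    foreach ($pol in $polFiles) {
        $path = Join-Path $Root $pol
        if (Test-Path -LiteralPath $path) { $files += @(Get-Item -LiteralPath $path -Force) }
    }
    foreach ($file in $files) {
        [pscustomobject]@{
            Path   = $file.FullName.Substring($Root.Length).TrimStart('\')
            SHA256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
}

$current = @(Get-GpInventory -Root $GpRoot)
if (-not (Test-Path -LiteralPath $Baseline)) {
    $current | Export-Csv -LiteralPath $Baseline -NoTypeInformation
    "Baseline written with $($current.Count) file(s): $Baseline"
    return
}
# Index the old hashes by relative path, then classify every difference.
$before = @{}
foreach ($row in @(Import-Csv -LiteralPath $Baseline)) { $before[$row.Path] = $row.SHA256 }
foreach ($row in $current) {
    if (-not $before.ContainsKey($row.Path)) { "ADDED    $($row.Path)" }
    elseif ($before[$row.Path] -ne $row.SHA256) { "CHANGED  $($row.Path)" }
    $before.Remove($row.Path)
}
foreach ($gone in $before.Keys) { "REMOVED  $gone" }
```

Run it once from an administrator account to record the baseline, then again later to list what was added, changed or removed. Scripts that a policy points to outside these folders are not covered.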
