8 Windows Group Policy Tweaks Every Admin Should Know

By . in Desktop. Updated on .

Windows Group Policy is a powerful tool to configure many aspects of Windows. Most of the tweaks it has to offer are targeted towards PC administrators to monitor and control standard accounts. If you are administrating PCs in a company environment or administrate multiple accounts at home, then you should definitely take advantage of Windows Group Policy to control PC usage of employees and family.

Below we have listed 8 Windows Group Policy tweaks that will surely make administrative tasks easier.

Note: Group Policy editor is not available in the standard and home edition of Windows. You must have professional or enterprise version of Windows to use Group Policy.

Read Also:  8 Tools to Customize Your Windows 10

How to access Windows Group Policy Editor

You must access Group Policy Editor before following any of the tweaks below. Although there are many ways to access Windows Group Policy editor, but using "Run" dialog is the fastest and works in all versions of Windows.

Press Windows +R keys to open "Run" dialog. Here type "gpedit.msc" and hit Enter to open Group Policy Editor.

gpedit

Furthermore, make sure you are logged in to the administrator account before accessing the Group Policy.

Standard accounts are not allowed to access the Group Policy.

1. Track account logins

From Group Policy you can force Windows to record all successful and failed logins to the PC from any user account. You can use such information to track who is logging in to the PC and whether an unauthorized person tried to login or not.

In Group Policy editor, move to the below mentioned location and double-click on "Audit logon events".

Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Here check the checkbox next to "Success" and "Failure" options. When you will click on "OK", Windows will start keeping a record of logins made to the PC.

track logins

To view these logs, you will have to access another useful Windows toolWindows Event Viewer. Open "Run" dialog again and enter "eventvwr" in it to open Windows Event Viewer.

Here expand "Windows Logs" and then select "Security" option from it. In the middle panel, you should see all the recent events. Don’t get confused by all these events, you just need to find successful and failed login events from this list.

Successful login events have "Event ID: 4624", and failed ones have "Event ID: 4625". Just look for these event IDs to find the logins and see exact date and time of logins.

view logins

Double-clicking on these events will show more details along with the exact name of the user account that logged in.

login detqails

2. Prohibit access to Control Panel

Control Panel is the hub of all the Windows settings, both security and usability. However, these settings can be really bad in the wrong hands. If a novice user will be using the PC or you doubt that someone may mess around with these sensitive settings, then you should definitely prohibit access to Control Panel.

To do so, move to the below mentioned location in Group Policy editor and double-click on "Prohibit access to the Control Panel".

User Configuration > Administrative Templates > Control Panel

prevent access to control panels

Here select the "Enable" option to prohibit access to Control Panel. Now Control Panel option will be removed from the start menu and no one will be able to access it from anywhere, including "Run" dialog.

All the options in the Control Panel are also prohibited and accessing them using any other method will show an error.

enable prohibit control panel

3. Stop users from installing new software

It can take quite some time to clean a PC infected with malware. To ensure users don’t install any infected software from any mean, you should disable Windows installer in the Group Policy.

Navigate to the below mentioned location and double-click on "Disable Windows Installer".

Computer Configuration > Administrative Templates > Windows Components > Windows Installer

disable windows installer

Select "Enable" option here and select "Always" from the drop down menu in the "Options" panel below. Now users will not be able to install new programs in the PC. Although they will still be able to download or move them in PC storage.

prevent software installatio

4. Disable removable storage devices

USBs and other forms of removable storage devices can be very dangerous for the PC. If someone accidentally (or on purpose) connects a virus infected storage device with the PC, it could infect your whole PC and may even make it inoperable.

To stop users from using removable storage devices, go to the below mentioned location and double-click on "Removable Disks: Deny read access".

User Configuration > Administrative Templates > System > Removable Storage Access > Removable Disks: Deny read access

disable removable disk

Enable this option and the PC will not read any type of data inside an external storage device. Additionally, there is an option below it saying "Removable Disks: Deny write access". You can enable it if you don’t want anyone to write (paste) data to a removable storage device.

disable read access for storage devices

5. Prevent specific apps from running

Group Policy also allows you to create a list of apps to prevent them from running. It is perfect to ensure users don’t waste time on known time-wasting apps. Move to the below mentioned location and open the "Don’t run specified Windows applications" option.

User Configuration > Administrative Templates > System > Don’t run specified Windows applications

disable specific apps

Enable this option and click on the "Show" button below to start creating the list of apps you would like to block.

prevent apps from running

To create the list, you must enter the executable name of the app to be able to block it; the one with .exe at the end, I.e., CCleaner.exe, CleanMem.exe or lol.launcher.exe. The best way to find exact executable name of an app is to look for the app’s folder in the Windows File Explorer and copy the exact executable name (along with its extension ".exe").

Enter this executable name in the list and click on "OK" to start blocking it.

create app list

There is also an option of "Run only specified Windows applications" below it. If you want to disable all types of applications except for few important ones, then use this option and create a list of apps that you would like to allow.

This is a great option if you want to create a really strict working environment.

6. Disable Command Prompt and Windows Registry Editor

Control Panel is bad in wrong hands, but the Command Prompt and Registry Editor are the worse. Both of these tools can easily make Windows inoperable, especially the Registry Editor that could damage Windows beyond repair.

You should disable both Command Prompt and Windows Registry Editor if you are concerned about the PC’s security (and health).

Move to the location given below:

User Configuration > Administrative Templates > System

Here disable both "Prevent access to the command prompt" and "Prevent access to registry editing tools" options to stop users from accessing Command Prompt and Registry Editor.

disable command prompt registry

7. Hide Partition Drives from My Computer

If there is a specific drive with sensitive data inside, then you can hide it from My Computer so users are unable to find it. It’s a good measure to keep users fooled, but it should not be used as a method to protect data against prying eyes.

Go to the below mentioned location and enable the option "Hide these specified drives in My Computer".

User Configuration > Administrative Templates > Windows Components > Windows Explorer > Hide these specified drives in My Computer

hide drives

Once enabled, click on the drop down menu in the "Options" panel and select which drives you would like to hide. The drives will be hidden when you will click on "OK".

tweak specify drive

8. Tweaks for Start Menu and Taskbar

Group Policy offers dozens of tweaks for Start Menu and the Taskbar to customize them as you like. The tweaks are perfect for both administrators and regular users looking to customize Windows Start Menu and Taskbar. Go to the below mentioned location in Group Policy Editor and you will find all the tweaks with an explanation of what they do.

User Configuration > Administrative Templates > Start Menu and Taskbar

The tweaks are really easy to understand, so I don’t think I’ll have to explain each one of them. Besides, Windows already offers a detailed description for each tweak. Some of the things you can do include, change start menu power button function, prevent users from pinning programs to taskbar, restrict search option’s reach, hide notifications area, hide battery icon, prevent changes in taskbar and start menu settings, prevent users from using any power options (shutdown, hibernate, etc.), remove "Run" option from start menu and a whole lot of other tweaks.

start menu tweaks
How to Enable and Disable Windows Action Center Messages

How to Enable and Disable Windows Action Center Messages

How often do you see this image when you are on Windows? It's annoying, isn't it? Every time... Read more

Time to show who’s the boss

The above Group Policy tweaks should help you take control over a PC and ensure nothing goes wrong when other users use it. Group Policy has hundreds of options to control different Windows functions, above are just few of the most handy ones. So you should explore Group Policy editor and see if you find any hidden gems. Although make sure you create a system restore point before making any changes.

Which one of these Windows Group Policy tweaks you like? Do share with us in the comments.

Read Also:  8 Handy Windows Built-in Tools You Might Not Know About

WebsiteFacebookTwitterInstagramPinterestLinkedInGoogle+YoutubeRedditDribbbleBehanceGithubCodePenWhatsappEmail