本地组策略编辑器(Local Group Policy Editor)是 IT 管理员最常使用的 Windows 工具,用于快速更改网络中计算机的设置。但是,本地组策略编辑器(Local Group Policy Editor)还允许您控制与您的计算机和本地用户帐户相关的许多设置。本文探讨了它的功能、布局和用例。继续阅读以了解本地组策略编辑器(Local Group Policy Editor)是什么以及如何在 Windows 中使用本地组策略:
注意:(NOTE: )虽然您也可以使用此工具更改网络中其他计算机的设置,但本文重点介绍本地计算机及其用户的编辑设置。
什么是本地组策略编辑器(Group Policy Editor)?
首先,什么是本地组策略编辑器(Local Group Policy Editor)?为了回答这个问题,让我们首先定义组策略。(Group Policies.)根据定义,组策略(Group Policy)是一种 Windows 功能,它为连接到同一域的所有计算机提供集中管理(mass managing)和配置操作系统(operating system)、程序和用户设置的方法。如果您是网络管理员(network administrator)并且需要在您管理的网络中的计算机或用户上强制执行规则或设置,组策略最有用。(Group Policies)
本地组策略(Local Group Policy)是组策略的变体,(Group Policy)适用于单个计算机,而不是在域中注册的所有计算机。一个很好的例子是您的家庭计算机(home computer)安装了Windows 11、Windows 10、Windows 8.1 或 Windows 7。简而言之,您应该将本地组策略(Local Group Policy)视为一组规则,用于管理Windows如何在您的计算机或设备(computer or device)上运行.
您猜对了,允许您修改这些规则的内置工具是本地组策略编辑器(Local Group Policy Editor)。
本地组策略编辑器
从技术上讲,编辑器只是可以托管在Microsoft 管理控制台(Microsoft Management Console)( MMC ) 中的插件之一,但为了简单起见,我们不会在此详细介绍。本地组策略编辑器(Local Group Policy Editor )是管理本地设置的强大工具。您可能会问自己,“但我实际上(actually )可以使用本地组策略编辑器(Local Group Policy Editor)做什么?” 例如,您可以:
- 只允许(Allow)用户访问您计算机上的部分应用程序。
- 阻止(Block)用户在计算机上使用可移动设备(例如USB 记忆(USB memory)棒)。
- 阻止用户访问控制面板(Control Panel )和设置(Settings )应用程序。
- (Hide)在Windows 用户(Windows user)界面或控制面板中(Control Panel)隐藏特定元素。
- 指定桌面上使用的壁纸并(Desktop )阻止用户更改它。
- 阻止(Block)用户启用/禁用LAN连接或阻止他们更改计算机LAN(局域网(Local Area Network))连接的属性。
- 拒绝(Deny)用户从 CD、DVD、可移动驱动器等读取和/或写入数据。
这些只是您可以使用此工具配置的数百个设置的一小部分。但是这个工具对你有用吗?在下一节中,我们将解释谁可以使用本地组策略编辑器(Local Group Policy Editor)以及该程序的要求是什么。
我可以使用本地组策略编辑器(Local Group Policy Editor)吗?
只有具有管理权限的用户才能运行本地组策略编辑器(Local Group Policy Editor)。如果普通用户尝试运行它,系统将显示错误。
只有具有管理权限的用户才能使用本地组策略编辑器(Local Group Policy Editor)
此外,由于本地组策略编辑器是一种高级工具,您应该知道默认情况下它在(Local Group Policy Editor)Windows的(Windows)Home或Starter版本中不可用。无需额外调整,您只能在专业(Professional)(或更高)版本的Windows中访问和使用它:
- Windows 11专业版和 Windows(Pro and Windows) 11 企业版
- Windows 10专业版和 Windows(Pro and Windows) 10 企业版
- Windows 7 专业版(Professional)、Windows 7 旗舰版(Ultimate)和Windows 7企业版
- Windows 8.1专业版和 Windows(Professional and Windows) 8.1 企业版
该编辑器也用于旧版本的Windows。尽管本文没有介绍它们,但也有一些方法可以在 Windows Home版本上安装本地组策略编辑器。(Local Group Policy Editor)如果您不知道您拥有的Windows 版本(Windows version),这里有一篇文章解释了如何找到该信息:如何分辨我拥有的Windows(11 种方式)。
如何打开本地组策略编辑器(Local Group Policy Editor)
在使用它之前,您应该知道如何访问本地组策略编辑器(Local Group Policy Editor)。首先问自己要为谁更改设置。它适用于所有用户吗?还是针对特定用户或一组用户?由于过程非常不同,我们将两者分开介绍。
使用本地组策略编辑器(Local Group Policy Editor)更改本地计算机上所有用户的设置
如果您想为所有用户应用设置,有很多方法可以启动本地组策略编辑器(Local Group Policy Editor)。查看我们关于如何在Windows中打开(Windows)本地组策略编辑器(Local Group Policy Editor)的文章以了解更多详细信息。最快的方法(也是我们更喜欢的方法)是简单地按下键盘上的Windows键(或单击/点击桌面上的“开始”按钮),然后输入(Start)gpedit和Enter。这会立即打开本地组策略编辑器(Local Group Policy Editor)。
从开始菜单(Start Menu)打开本地组策略编辑器(Local Group Policy Editor)
使用本地组策略编辑器(Local Group Policy Editor)更改计算机上特定用户或组的设置
如果您只想调整特定用户帐户或用户组(user account or user group)的设置,则启动本地组策略编辑器(Local Group Policy Editor )会更加复杂。首先(First),启动Microsoft 管理控制台(Microsoft Management Console)。最快的方法是按Windows + R打开“运行”窗口(Run window),然后键入mmc ,然后按Enter。接下来,在MMC窗口中,单击或点击File,然后单击Add/Remove Snap-in。
在Microsoft 管理控制台中添加管理单元(Microsoft Management Console)
在Add or Remove Snap-ins窗口中,单击或点击Group Policy Object Editor,然后按Add。或者,您可以双击组策略对象编辑器(Group Policy Object Editor)。
选择(Select)Group Policy Object Editor,然后按Add
这将打开选择组策略对象(Select Group Policy Object)向导。单击或点击浏览(Browse)。
在向导中点击浏览
在下一个窗口中,转到“用户(Users)”选项卡,然后选择要对其进行更改的用户或用户组。在本例中,我们选择了非管理员(Non-Administrators)组。之后点击或点击OK,然后点击Finish。
选择要更改设置的用户或组
最后一步是按OK。这将打开适用于所选用户/组的设置树。
按确定,编辑器将出现
为了在下次您要修改该特定用户或组(user or group)的设置时绕过这个冗长的过程,您可以保存控制台设置并为其创建快捷方式。打开文件(File)菜单,然后单击或点击另存为(Save as)。
保存本地组策略编辑器(Local Group Policy Editor)的控制台配置(console configuration)
接下来,导航到要创建控制台快捷方式的位置,重命名快捷方式,然后单击或点击(click or tap)Save。
重命名快捷方式并将(shortcut and place)其放在您选择的文件夹中
下次您要修改同一用户或组(user or group)的设置时,只需双击或双击新创建的图标。
如何使用本地组策略编辑器(Local Group Policy Editor)
使用上述方法之一启动本地组策略编辑器后,就该学习如何使用它了。(Local Group Policy Editor)我们先来看看编辑器的布局。
本地组策略编辑器布局(Local Group Policy Editor layout)
无论您是在Windows 11还是任何其他版本的Windows上使用它,界面的设计看起来都是一样的。从顶部开始,您有一系列菜单,然后是一个工具栏,您可以在其中浏览策略。随意(Feel)单击菜单项和工具栏按钮以熟悉界面,您不会破坏任何东西:)。
将鼠标悬停在工具栏按钮上会显示工具提示
界面的主要元素位于工具栏下方。在默认视图(default view)中,本地组策略编辑器(Local Group Policy Editor )左侧有一个名为控制台树的导航窗格,您可以在其中选择(Console Tree)策略类别或节点(policy category or node)。在中心,主要部分列出了所选类别中的所有策略,以及对您选择的任何策略的非常有用的描述。策略列表(policy list)包含策略的名称、状态(可以是Not Configured、Enabled或Disabled)以及您或其他管理员添加的注释。在控制台树(Console Tree)中选择所有设置时(All Settings),将显示一个附加列,显示该特定设置在树中的路径。
在主要部分中选择策略会显示设置说明
最后,通过按下工具栏中的相应按钮,您可以显示或隐藏左侧的控制台树(Console Tree)和主窗口右侧的操作窗格。(Action pane)
使用工具栏中的按钮显示或隐藏左右窗格
根据您使用左窗格(left pane)导航到的位置,主要部分中的列表可能会变得非常广泛。说到这里,我们现在继续……
导航控制台树
在本地组策略编辑器(Local Group Policy Editor)的默认视图中,控制台树(Console Tree)显示两个大部分:
- 计算机配置(Computer Configuration)- 包含控制在计算机范围内应用的策略的本地组策略(Local Group Policy )设置,无论用户(user or users)是否登录。
- 用户配置(User configuration)- 保存控制用户策略的本地组策略(Local Group Policy )设置。这些策略适用于用户,而不是整个计算机。
计算机配置(Computer Configuration)和用户配置(User Configuration)类别都分为三个部分或节点:
- 软件设置(Software Settings)- 包含适用于已安装程序的策略,默认情况下应为空。
- Windows 设置(Windows Settings)- 保存Windows 安全(Windows security)设置。它也是您可以找到或添加应在Windows启动或关闭或登录和注销时运行的脚本的地方。
- 管理模板(Administrative Templates)- 如果您在这里调整系统,这是最有趣的部分。这是您可以查看、更改甚至强制执行各种设置和规则的地方。举几个例子,您可以管理控制面板(Control Panel)、网络(Network)、开始菜单(Start Menu)和任务栏(Taskbar)的工作方式以及用户在使用它们时可以更改的内容。
单击每个节点旁边的箭头或双击文件夹将展开它。如果一个节点没有(node doesn)额外的子文件夹,您将不会看到它旁边的箭头。
导航控制台树
如果您在控制台树(Console Tree )中选择一个文件夹(通过单击或点击它),其内容将显示在本地组策略编辑器(Local Group Policy Editor)的主要部分。
最后,如果您要在管理模板(Administrative Templates)中查找设置,但不知道具体在哪里搜索,您可以通过选择管理模板(Administrative Templates )节点过滤节点,然后转到上方的操作(Action )菜单窗口并选择“过滤器选项...(Filter Options…) ”
访问本地组策略编辑器的过滤器设置(Local Group Policy Editor)
要使用关键字进行过滤,请单击Enable Keyword Filters,然后输入关键字,定义查找它们的位置,最后单击OK。过滤器将立即应用,并有望缩小您的搜索范围。
使用关键字过滤设置列表
要切换过滤器,请单击或点击(click or tap)工具栏上的过滤器(Filter)按钮(看起来像漏斗的那个)。
修改本地组策略
为了解释如何修改策略,让我们举一个例子。假设您想为计算机上的所有用户设置并强制使用相同的桌面墙纸(desktop wallpaper)。首先(First),导航到设置。由于该设置适用于用户,因此该策略将位于User Configuration/Administrative Templates/Desktop/Desktop下。接下来,双击或双击桌面壁纸(Desktop Wallpaper)进行编辑。
双击(Double-click)要配置的设置
在下一个窗口中,您可以将其设置为Enabled、Disabled或Not Configured。根据您正在编辑的设置,这三种状态将允许或限制各种操作。在这种情况下,我们希望将其设置为启用(Enabled)以强制所有用户使用相同的壁纸。接下来,在“选项(Options)”部分中,键入壁纸图像的路径和名称(path and name)。然后,选择壁纸样式(wallpaper style)(Center、Fill、Fit等)并单击或点击(click or tap)OK. 下次您或其他用户登录时,将显示所选壁纸。此外,除非用户有权访问本地组策略编辑器(Local Group Policy Editor),否则他们将无法更改壁纸。
启用或禁用它,然后配置其选项
您也可以在评论(Comment)部分留言。一旦你点击OK(OK)它将被保存。
根据您希望更改的设置,选项可能会有所不同或完全缺失。例如,假设您要锁定所有用户的任务栏(User Configuration/Administrative Templates/Start Menu and Taskbar)。在这种情况下,您只需要启用该设置,因此没有其他选项可用。
某些设置没有更多选项
启用或禁用策略后,其状态将显示在列表中。请记住(Remember),大多数设置将在用户下次登录其帐户时应用。
您可以在列表中清楚地看到修改后的设置
提示:(TIP: )要熟悉这些设置,请在本地组策略编辑器(Local Group Policy Editor)中单击它们以显示它们的描述。或者,双击它们以查看该设置的可能选项。只要您不单击“(t click) 确定(OK)”,就不会发生任何变化,因此请随意浏览。
本地组策略编辑器(Group Policy Editor)对您有用吗?
本地组策略编辑器(Local Group Policy Editor)是一个复杂的工具,可让您轻松为您的计算机及其用户设置各种策略和规则。我们希望我们已经让您体验了使用此工具可以完成的工作,并且由于您现在了解了基础知识以及如何导航它,因此您可以自己尝试一下。您想在本地组策略编辑器(Local Group Policy Editor)中进行哪些更改?在下面的评论中与我们分享您的经验。
What is the Local Group Policy Editor, and how do I use it?
The Local Group Policy Editor is a Windows tool most often used by IT administrators to quickly change settings for computers in a network. However, the Local Group Policy Editor also lets you control many settings related to your computer and the local user accounts. This article explores its functions, layout, and use cases. Read on to find out what the Local Group Policy Editor is and how you can work with local group policies in Windows:
NOTE: Although you can also use this tool to change settings on other computers in the network, this article focuses on editing settings for the local machine and its users.
What is the Local Group Policy Editor?
First of all, what is the Local Group Policy Editor? To answer that, let’s first define the Group Policies. By definition, a Group Policy is a Windows feature that offers a centralized way of mass managing and configuring the operating system, the programs, and user settings for all the computers connected to the same domain. Group Policies are most useful if you are a network administrator and you need to enforce rules or settings on the computers or users within the network you manage.
A Local Group Policy is a variant of Group Policy that applies to individual computers, as opposed to all the computers that are registered on a domain. A good example is your home computer with Windows 11, Windows 10, Windows 8.1, or Windows 7. To put it into simple terms, you should think about Local Group Policy as a set of rules that govern how Windows works on your computer or device.
The built-in tool that allows you to modify these rules is, you guessed it, the Local Group Policy Editor.
The Local Group Policy Editor
Technically speaking, the editor is just one of the snap-ins that can be hosted in the Microsoft Management Console (MMC), but for the sake of simplicity, we won’t go into more detail here. The Local Group Policy Editor is a powerful tool in managing local settings. You may be asking yourself, “but what can I actually do with the Local Group Policy Editor?” You can, for example:
- Allow users to access only some of the applications found on your computer.
- Block users from using removable devices (ex. USB memory sticks) on the computer.
- Block users' access to the Control Panel and to the Settings app.
- Hide specific elements from the Windows user interface or the Control Panel.
- Specify the wallpaper used on the Desktop and block users from changing it.
- Block users from enabling/disabling LAN connections or block them from changing the properties of the computer's LAN (Local Area Network) connections.
- Deny users to read and/or write data from CDs, DVD, removable drives, etc.
These are just a tiny part of the hundreds of settings you can configure using this tool. But is this tool even available to you? In the next section, we explain who can use the Local Group Policy Editor and what the program’s requirements are.
Can I use the Local Group Policy Editor?
Only users with administrative rights can run the Local Group Policy Editor. If a regular user tries to run it, the system will display an error.
Only users with administrative rights can use the Local Group Policy Editor
Also, since the Local Group Policy Editor is an advanced tool, you should know that it's not available by default in the Home or Starter editions of Windows. Without additional tweaking, you can access and use it only in Professional (or above) versions of Windows:
- Windows 11 Pro and Windows 11 Enterprise
- Windows 10 Pro and Windows 10 Enterprise
- Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise
- Windows 8.1 Professional and Windows 8.1 Enterprise
The editor is used in older versions of Windows too. Although they aren’t covered in this article, there are ways to install the Local Group Policy Editor on Windows Home editions as well. If you don’t know what Windows version you have, here’s an article that explains how to find that information: How to tell what Windows I have (11 ways).
How to open Local Group Policy Editor
Before using it, you should know how to access the Local Group Policy Editor. Start by asking yourself for whom you want to change the settings. Is it for all users? Or is it for a particular user or a group of users? Because the process is very different, we cover the two separately.
Using the Local Group Policy Editor to change settings for all users on the local computer
If you want to apply the settings for all users, there are many ways to launch the Local Group Policy Editor. Check out our article on how you can open the Local Group Policy Editor in Windows for more details. The quickest method (and the one we prefer) is simply pressing the Windows key on the keyboard (or clicking/tapping on the Start button on the desktop), then typing gpedit followed by Enter. This opens the Local Group Policy Editor immediately.
Open the Local Group Policy Editor from the Start Menu
Using the Local Group Policy Editor to change settings for particular users or groups on your computer
If you want to adjust settings only for a specific user account or user group, launching the Local Group Policy Editor is more complicated. First, start the Microsoft Management Console. The quickest way to do it is by pressing Windows + R to open the Run window, and then typing mmc followed by Enter. Next, in the MMC window, click or tap on File, then on Add/Remove Snap-in.
Add a snap-in in the Microsoft Management Console
In the Add or Remove Snap-ins window, click or tap on Group Policy Object Editor, then press Add. Alternatively, you can double-click the Group Policy Object Editor.
Select the Group Policy Object Editor, then press Add
This opens the Select Group Policy Object wizard. Click or tap on Browse.
Hit Browse in the wizard
In the next window, go to the Users tab, then select the user or the group of users for which you want to make changes. In this case, we selected the Non-Administrators group. Click or tap on OK afterward, then on Finish.
Selecting the user or the group for which you want to change settings
The final step is to press OK. This opens the settings tree applicable to the selected user/group.
Press OK and the Editor will appear
In order to bypass this lengthy process the next time you want to modify the settings to that particular user or group, you can save the console settings and create a shortcut for it. Open the File menu, then click or tap on Save as.
Save the console configuration for the Local Group Policy Editor
Next, navigate to the location where you want a shortcut to the console to be created, rename the shortcut, and click or tap on Save.
Rename the shortcut and place it in a folder of your choosing
The next time you want to modify the settings for the same user or group, simply double-click or double-tap the newly-created icon.
How to use the Local Group Policy Editor
After you’ve started the Local Group Policy Editor using one of the methods described earlier, it is time to learn how to use it. Let’s first look at the layout of the editor.
The Local Group Policy Editor layout
Whether you use it on Windows 11 or any other version of Windows, the design of the interface looks identical. Starting from the top, you have a series of menus, then a toolbar that lets you, among other things, navigate through the policies. Feel free to click on the menu items and the toolbar buttons to familiarize yourself with the interface, you are not going to break anything :).
Hovering over the toolbar buttons displays a tooltip
The main elements of the interface are below the toolbar. In the default view, the Local Group Policy Editor has a navigation pane called Console Tree on the left, where you can select the policy category or node. In the center, the main section lists all the policies in the selected category, as well as a very useful description of any policy you select. The policy list contains the name of the policy, the state (which can be Not Configured, Enabled, or Disabled), and the comments added by you or other administrators. When selecting All Settings in the Console Tree, an additional column is displayed, showing the path of that particular setting in the tree.
Selecting a policy in the main section displays a description of the setting
Finally, by pressing the corresponding buttons in the toolbar, you can show or hide the Console Tree on the left and an Action pane on the right of the main window.
Use the buttons in the toolbar to show or hide the left and right panes
Depending on where you navigate to using the left pane, the list in the main section can get pretty extensive. Speaking of which, let’s now move on to…
Navigating the Console Tree
In the default view of the Local Group Policy Editor, the Console Tree displays two large sections:
- Computer Configuration - holds Local Group Policy settings that control policies applied computer-wide, regardless of the user or users logged in.
- User configuration - holds Local Group Policy settings that control user policies. These policies are applied to users, rather than the whole computer.
Both the Computer Configuration and the User Configuration categories are split into three sections or nodes:
- Software Settings - contains policies that apply to installed programs and, by default, it should be empty.
- Windows Settings - holds Windows security settings. It's also the place where you can find or add scripts that should run when Windows starts or shuts down, or when logging in and out.
- Administrative Templates - this is the most interesting part if you’re here to tweak your system. This is the place where you can see, change and even enforce all kinds of settings and rules. To give you a few examples, you can manage how the Control Panel, Network, Start Menu, and Taskbar work and what users can change when using them.
Clicking on the arrow next to each node or double-clicking the folder will expand it. If a node doesn’t have additional subfolders, you won’t see an arrow next to it.
Navigating the Console Tree
If you select a folder in the Console Tree (by clicking or tapping on it), its contents will be displayed in the main section of the Local Group Policy Editor.
Finally, if you are looking for a setting in the Administrative Templates, but you don’t know exactly where to search for it, you can filter the nodes by selecting the Administrative Templates node, then going to the Action menu in the upper part of the window and selecting “Filter Options…”
Accessing the filter settings for the Local Group Policy Editor
To filter using a keyword, click on Enable Keyword Filters, then input the keyword(s), define where to look for them, and finally click on OK. The filter will be applied immediately and will hopefully narrow your search.
Filtering the settings list using keywords
To toggle the filter, click or tap on the Filter button on the toolbar (the one that looks like a funnel).
Modifying Local Group Policies
In order to explain how to modify a policy, let’s pick an example. Let’s say you want to set and enforce the same desktop wallpaper for all users on your computer. First, navigate to the setting. Since the setting applies to users, the policy will be located under User Configuration/Administrative Templates/Desktop/Desktop. Next, double-click or double-tap on Desktop Wallpaper to edit it.
Double-click the setting you want to configure
In the next window, you can set it to Enabled, Disabled, or Not Configured. Depending on which setting you are editing, these three states will allow or restrict various actions. In this case, we want to set it to Enabled to enforce the same wallpaper for all users. Next, in the Options section, type the path and name of the wallpaper image. Then, select the wallpaper style (Center, Fill, Fit, etc.) and click or tap on OK. The next time you or another user logs in, the selected wallpaper will be displayed. Moreover, the users won’t be able to change the wallpaper unless they have access to the Local Group Policy Editor.
Enable or disable it, then configure its options
You can also leave a note in the Comment section. It will be saved once you hit OK.
Depending on the setting you wish to change, the options might be different or missing altogether. For example, suppose you want to lock the taskbar for all users (User Configuration/Administrative Templates/Start Menu and Taskbar). In this case, you just need to enable the setting, so no other options are available.
Some settings don't have more options
Once you enable or disable a policy, its status will show up in the list. Remember that most of the settings are applied the next time users log into their account.
You can clearly see in the list the modified settings
TIP: To familiarize yourself with the settings, click on them in the Local Group Policy Editor to display their description. Alternatively, double-click on them to see the possible options for that setting. Nothing changes as long as you don’t click OK, so feel free to browse.
Is the Local Group Policy Editor useful to you?
The Local Group Policy Editor is a complex tool that makes it easy for you to set all kinds of policies and rules for your computers and their users. We hope that we have given you a taste of what you can accomplish with this tool, and since you now know the basics and how to navigate it, you can try it on your own. What kind of changes do you want to make in Local Group Policy Editor? Share with us your experience in a comment below.