也许您听过 IT 人员在工作中谈论GPO(GPOs)或用户策略。或者,也许您想知道如何更好地控制您的计算机。在任何情况下,Windows 10组策略编辑器(Group Policy Editor)都是要使用的工具。有了它,您可以使用组策略对象(Group Policy Objects)( GPO ) 来自定义计算机的功能和用户体验。
在网络环境中,组策略编辑器(Group Policy Editor)用于配置从允许运行的程序到桌面自定义的所有内容。它与Active Directory合作执行此操作。对于没有Active Directory的普通 Windows 10 用户,我们仍然可以使用本地组策略对象(Local Group Policy Objects)( LGPO(LGPOs) ) 来配置我们的计算机。
在哪里可以找到 Windows 10 组策略编辑器?(Where Do I Find the Windows 10 Group Policy Editor?)
如果您有Windows 10 家庭(Windows 10 Home)版,则没有组策略编辑器(Group Policy Editor)。它仅包含在Windows 10 专业版(Pro)和Windows 10 企业版(Windows 10 Enterprise)中。
实际的程序名称是 gpedit.msc,它通常位于C:\Windows\System32\gpedit.msc或%windir%\System32\gpedit.msc.
但是您不必每次想要使用它时都打开文件资源管理器来查找它。(File Explorer to find)有几种方法可以访问组策略编辑器(Group Policy Editor)。
- 打开开始(Start )菜单并搜索gpedit.msc。
- 按Windows Key + R。在“运行”(Run )窗口中键入gpedit.msc并选择“(gpedit.msc)确定(OK)” 。
- 创建 gpedit.msc 的快捷方式并将其放在桌面上。
- 在文件资源管理器中,导航到C:\Windows\System32\gpedit.msc.
- 右键单击gpedit.msc并选择创建快捷方式(Create a shortcut)。
- 将弹出一个窗口,显示“ Windows无法在此处创建快捷方式。你想把快捷方式放在桌面上吗?” 选择是(Yes)。创建快捷方式后,您可以将快捷方式移动到任何您想要的位置。
Windows 10 组策略编辑器导览(A Guided Tour Of The Windows 10 Group Policy Editor)
打开组策略编辑器(Group Policy Editor)后,您会注意到窗口左侧有两个主要类别。有计算机配置(Computer Configuration)和用户配置(User Configuration)。
计算机配置(Computer Configuration)中的策略将适用于整台计算机并影响计算机和操作系统的一般功能。这些设置不会因登录计算机的用户而异。
用户配置(User Configuration)中的策略适用于用户。用户配置(User Configuration)策略非常适合自定义用户的桌面体验。如果您只更改本地组策略对象 ( LGPO ),它将应用于该计算机上的所有用户。
如果您正在处理服务器并在 Active Directory 中应用组策略,则这些设置可能适用于所有或部分用户。这完全取决于政策适用的级别。
当您深入到不同的部分时,您会看到不同应用程序或服务的不同区域。 请(Make)特别注意计算机(Computer)和用户配置中(User Configuration)管理模板(Administrative Templates)部分下的内容。
可以为您可能安装的许多不同应用程序添加管理模板。例如,可以将大量Microsoft Office管理模板添加到组策略编辑器(Group Policy Editor)中。即使是非 Microsoft 公司,如Google、FoxIt PDF 阅读器(FoxIt PDF reader)和LogMeIn 远程桌面访问,也提供管理模板供您使用。下载和安装它们是一个过程,但并不难。
有太多的政策让我们无法一一浏览并描述它们能做什么。
如果您想查看计算机(Computer)或用户配置下可用的所有管理(User Configurations)模板(Template)策略,请导航到Administrative Templates > All Settings并选择它。在右侧窗格中,您会看到一长串可能的设置。在下图中,有 2500 个设置。您的计算机或服务器上可能还有更多。
撰写本文时,Windows有 4200 多个本机策略。这不包括可以添加 的不同管理(Administrative) 模板。(Templates)
如果您有兴趣深入了解所有Microsoft策略,可以下载Microsoft 的 Windows 和 Windows Server 组策略设置参考(Microsoft’s Group Policy Settings Reference for Windows and Windows Server)。
我可以使用 Windows 10 组策略编辑器做什么?(What Can I Do With the Windows 10 Group Policy Editor?)
将组策略编辑器(Group Policy Editor)视为您在 Windows 注册表中工作的安全方式(safe way to work in Windows Registry)。组策略编辑器(Group Policy Editor)不允许您更改Windows 注册表(Windows Registry)中的所有内容,但它允许您更改几乎(almost)所有您想在Windows 注册表(Windows Registry)中更改的内容。
安全策略是一个很好的起点。让我们通过设置策略来禁用Windows 命令提示符(Windows Command Prompt)。
打开组策略编辑器:
- 导航到User Configuration > System。
- 在右窗格中,选择阻止访问命令提示符(Prevent access to the command prompt)。双击打开。
- 要简单地启用它,请单击已启用(Enabled)单选按钮。
- 这是可选的。您还可以通过更改禁用命令提示符脚本处理来阻止运行批处理脚本?(Disable the command prompt script processing also? )从否(No)到是(Yes)。
花点时间阅读帮助:(Help:)部分以充分了解此设置的作用。如果您需要运行批处理文件进行系统维护,请不要打开它。
当您处于此区域时,请检查其他设置,例如阻止访问注册表编辑工具(Prevent access to registry editing tools)和仅运行指定的 Windows 应用程序(Run only specified Windows applications)。这些也是很好的安全设置(good security settings)。
您可以做的事情有很多,我们为您提供了很多关于其中的文章。我们可以向您展示禁用 Cortana 的最佳方法(the best way to disable Cortana)、如何启用生物识别功能以使 Hello Fingerprint 正常工作(enable biometrics so Hello Fingerprint works),以及如何为用户设置精细的密码策略(set granular password policies for users)。进入那里,环顾四周,您会惊喜地发现使用Windows 10组策略编辑器可以控制和自定义计算机的程度
What Is the Windows 10 Group Policy Editor?
Perhaps you’ve heаrd the IT person at work talk about GPOs or user policіes. Or, maybe, you would like to know how to have better control ovеr your computer. In any case, the Windows 10 Group Policy Editor is the tool to use. With it, you can work with Group Policy Objects (GPO) to customize your computer’s functions and the user experience.
In a network environment, the Group Policy Editor is used to configure everything from what programs are allowed to run to desktop customization. It does this in partnership with the Active Directory. For the average Windows 10 user who doesn’t have Active Directory, we can still use Local Group Policy Objects (LGPOs) to configure our computers.
Where Do I Find the Windows 10 Group Policy Editor?
If you have Windows 10 Home edition, you don’t have the Group Policy Editor. It’s only included with Windows 10 Pro and Windows 10 Enterprise.
The actual program name is gpedit.msc and it’s generally located at C:\Windows\System32\gpedit.msc or %windir%\System32\gpedit.msc.
But you don’t have to open File Explorer to find it every time you want to use it. There are several ways to access the Group Policy Editor.
- Open the Start menu and search on gpedit.msc.
- Press Windows Key + R. Type gpedit.msc in the Run window and select OK.
- Create a shortcut to the gpedit.msc and place it on the desktop.
- In File Explorer, navigate to C:\Windows\System32\gpedit.msc.
- Right-click on gpedit.msc and select Create a shortcut.
- A window will pop up that reads, “Windows can’t create a shortcut here. Do you want the shortcut to be placed on the desktop instead?” Select Yes. You can move the shortcut wherever you want after it’s created.
A Guided Tour Of The Windows 10 Group Policy Editor
Once you have the Group Policy Editor opened, you’ll notice two main categories on the left side of the window. There are Computer Configuration and User Configuration.
The policies in Computer Configuration will apply to the entire computer and affect the functioning of the computer and the operating system in general. These settings do not change depending on who is logged in to the computer.
The policies in User Configuration apply to the users. The User Configuration policies are ideal for customizing the user’s desktop experience. If you are only changing the local group policy objects (LGPO), it will apply to all users on that computer.
If you are taking care of servers and applying the group policy in your Active Directory, the settings may apply to all or some users. It all depends on what level the policies are applied.
As you drill down into the different sections, you’ll see different areas for different applications or services. Make special note of what’s under the Administrative Templates sections in both Computer and User Configuration.
Administrative Templates can be added for many different apps you may install. For example, there is a large set of Administrative Templates for Microsoft Office that can be added to the Group Policy Editor. Even non-Microsoft companies, like Google, FoxIt PDF reader, and LogMeIn remote desktop access provide Administrative Templates for you to use. It’s a bit of a process to download and install them, but it’s not that hard.
There are far too many policies for us to go through them all and describe what they can do.
If you’d like to see all the Administrative Template policies available under either Computer or User Configurations, navigate to Administrative Templates > All Settings and select it. In the right-hand pane, you’ll see a long list of possible settings. In the image below, there are 2500 settings. There may be more on your computer or server.
When this was written, there were over 4200 policies native to Windows. That’s not including the different Administrative Templates one can add.
If you’re interested in going further into all the Microsoft policies, you can download Microsoft’s Group Policy Settings Reference for Windows and Windows Server.
What Can I Do With the Windows 10 Group Policy Editor?
Think of the Group Policy Editor as your safe way to work in Windows Registry. Group Policy Editor won’t allow you to change everything you could in the Windows Registry, but it does allow you to change almost everything you’d want to change in Windows Registry.
Security policies are a great place to start. Let’s go through setting a policy to disable the Windows Command Prompt.
With the Group Policy Editor open:
- Navigate to User Configuration > System.
- In the right pane, select Prevent access to the command prompt. Open by double-clicking on it.
- To simply enable it, click on the Enabled radio button.
- This is optional. You can also prevent running batch scripts by changing the Disable the command prompt script processing also? from No to Yes.
Take a moment to read through the Help: section to fully understand what this setting can do. If you need to run batch files for system maintenance, do not turn this on.
While you’re in this area, check out other settings like Prevent access to registry editing tools and Run only specified Windows applications. These are good security settings to work with as well.
There are so many things you could do, and we have articles for you about many of them. We can show you the best way to disable Cortana, how to enable biometrics so Hello Fingerprint works, and how to set granular password policies for users. Get in there, take a look around and you’ll be pleasantly surprised how much you can control and customize your computer using the Windows 10 group policy editor