If you’ve been to a bar, you’re familiar with these two categories of people – the quiet loner sitting in a corner, drink in hand, and the boisterous group of individuals ready to unwind after a tiring day at work. Which one do you think is easier to handle?
The former, of course! The latter is a wild, unruly bunch that’ll get drunker with each passing hour and, more often than not, get into trouble if left unchecked. Just go watch the movie “Roadhouse.” Now let’s look at it in the context of an office setting.
A single user is easy to manage, but when there’s a group present, you need to come up with a few guidelines that they must adhere to. This is the exact role played by Group Policy in offices full of computers running Microsoft Windows – configuration and management.
Group Policy represents a series of settings in the computer registry that looks after security and other operational behaviors. It’s a lot like the Control Panel but more powerful.
Group Policy enables you to prevent users from accessing parts of the system, run specific scripts when the system starts up or shuts down, and force a particular home page to open for every user in the network. Keep in mind, however, that Group Policy is available only on those computers running Windows Professional, Education, or Enterprise Versions. Group Policy is also available for those people trying to book a vacation to the Bahamas, oh, oops, wrong topic!
You can either configure it locally or push the settings down from Active Directory. However, the latter option is problematic for a number of reasons, the most significant one being the loss of control. Thus, you need to increase your awareness about the different Group Policy settings and how to change them. To know how, read on below.
Group Policy Editor: How to access it
Changing the Group Policy settings is easiest with the Group Policy Editor. You can access it in different ways, but the simplest method is given below:
- Click the Start Menu.
- Search for the option marked Edit Group Policy.
- Open it.
Though Group Policy is not a part of Windows Home editions, there is still a way to access it. All you have to do is tweak the system a bit and install a third-party Group Policy Editor.
And here’s the big caveat: Once you open the Group Policy Settings editor, you will see scores of branches with thousands of entries. Microsoft doesn’t make it easy to find what you want because there is no “search” option. It’s going to be up to you to find what you need to change. (One hint: Many of the settings discussed below can be found in Computer Configuration/Administrative Templates/Windows Components.) And, perhaps most important, back up your registry before you make any changes so you can always restore your old settings in case something goes wrong.
Settings you should know and change
The first thing you should know about the Group Policy Editor is that it’s highly sensitive. One bad tweak may render the whole of your system inoperable. This is why experimentation is best avoided. This is not a college biology lab! Is your name Bruce Banner?! You’ll have thousands of different preferences, settings, and options at your disposal, and we’ve chosen the 10 best tweaks and corrections that your system shouldn’t be without.
1. Choose who can access your control panel
It’s important to set limits for your Control Panel in a business environment. This provides you the master control over all aspects of your system. You can block total access to the Control Panel or allow limited access.
2. Turn off the LM hash storage
It’s easy to convert LM password hashes to their plain-text password equivalents. Be very careful about this. Never allow Windows to store them on the disk. Storing them increases the chances of them being found by hash dump tools used by hackers.
3. Make sure access to command prompt is restricted
There’s no doubt about the usefulness and functionality of the command prompt. At the same time, it can turn into a nightmare if placed in the wrong hands as it gives users the opportunity to run commands that would otherwise be deemed undesirable and circumvent other restrictions in place. This is why it’s best to disable it altogether. However, bear in mind that when this happens, you cannot run cmd.exe files.
4. Turn off forced restarts
If your Windows Update is turned on, you probably know that Windows pesters you to reboot the system once it’s done updating. This is extremely annoying, and though you’re able to postpone the process to an extent, it eventually gets out of hand.
You can use the Group Policy settings to permanently disable these forced restarts. As soon as you’ve enabled the settings, you’ll have to reboot your system one last time. Or, if you want, you can simply launch an elevated Command Prompt and run the command “gpupdate /force”. This automatically causes any change you made to the Group Policy to take effect.
5. Do not allow removable media drives
Removable media drives are handy, aren’t they? But unfortunately, they can also be dangerous, especially if they contain viruses and malware. If you plug one of these infected drives into your system, it could affect the whole network. This is why it’s best if you disable the removable drives entirely, especially when you’re dealing with a business office environment. You’ll also find options for disabling DVDs, CDs, even floppy drives. You can disable these, too, if you want, but the primary concern is removable drives.
6. Disable any software installations
There are loads of ways you can block users from installing new software on their system. This helps decrease the amount of maintenance and cleaning required when something bad is installed. You can prevent such installation by changing the existing Group Policy settings.
7. OneDrive – how to deal with it
OneDrive. You either love it or hate it. But one thing’s for certain – you can’t ignore it. That’s because Microsoft doesn’t allow you to. Whether users make use of the program or not, OneDrive is a part of the system, and you won’t be able to disable it unless you use the Registry Editor or Group Policy Editor. When you choose the “Prevent the usage of OneDrive for file storage” option, it removes access to OneDrive from anywhere in the system. It will also no longer appear as a shortcut in the File Explorer sidebar.
8. Control Windows Update
Windows 10 has caused a lot of controversy because of its forced updates. However, Group Policy allows you to delay major upgrades and updates by almost a year or pause them entirely. Now if we could just put a pause on the IRS or any more “Jurassic Park” or “Jurassic World” movies, that would be outstanding!
9. Switching Windows Defender off
Windows Defender is the built-in security suite offered by Microsoft. However, you aren’t allowed to uninstall it. You can only disable it by installing a compatible security suite from a third-party provider. Changing Group Policy settings, however, allows you to disable it minus the need to install anything else. Your security will finally be in your hands, for better or worse.
10. Disabling automatic driver updates on your system
Driver updates are often a serious nuisance for Windows users, but they can’t switch them off since it’s an automated feature. Although it’s useful and it benefits you to keep your system updated, it’s still problematic when Windows doesn’t allow you to run custom drivers. The latest version of the driver they provide might contain a bug that causes your system to crash, but you still have to work with it since there’s no other option.
Until now. Windows Group Policy settings can be changed to disable automatic driver updates. However, for this to take effect, you must submit the hardware IDs of the devices you want to stop updates for. You’ll have to use the Device Manager to access these IDs.
There are times you feel beaten due to the loss of control in a Windows PC. However, don’t give up just yet. Group Policy Settings are the perfect workaround, and they provide you with the level of control you always wanted. Just make sure you know what you’re doing.
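An added example, not part of the original article: a read-only PowerShell check of the registry values that back settings 1, 2, 3, 4, 5, 7 and 9 above, useful for seeing what is actually configured before and after a change. The registry paths and value names do not appear in the article; they are supplied here as assumptions to verify against Microsoft's policy reference for your Windows build.

```powershell
# Added example: read-only audit. Nothing is written or changed.
# Paths and value names are assumptions (not from the article); verify per build.
$checks = @(
    @{ Item = '1 Control Panel blocked';    Name = 'NoControlPanel'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' },
    @{ Item = '2 LM hash storage off';      Name = 'NoLMHash'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' },
    @{ Item = '3 Command prompt blocked';   Name = 'DisableCMD'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System' },
    @{ Item = '4 No forced restart';        Name = 'NoAutoRebootWithLoggedOnUsers'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' },
    @{ Item = '5 Removable storage denied'; Name = 'Deny_All'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' },
    @{ Item = '7 OneDrive storage blocked'; Name = 'DisableFileSyncNGSC'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' },
    @{ Item = '9 Defender disabled';        Name = 'DisableAntiSpyware'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' }
)

function Get-PolicyState {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy was never set ("Not Configured").
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Not Configured' }
    # 0 is an explicit "Disabled"; any non-zero value counts as "Enabled".
    if ([int]$prop.$Name -eq 0) { return 'Disabled (0)' }
    return "Enabled ($($prop.$Name))"
}

# HKCU entries describe only the account running this script.
$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Item
        State    = Get-PolicyState -Path $c.Path -Name $c.Name
        Location = "$($c.Path)\$($c.Name)"
    }
}

$report | Format-Table -AutoSize -Wrap

# Item 9 weakens protection, so call it out if it is on.
$defender = $report | Where-Object { $_.Setting -like '9*' }
if ($defender.State -like 'Enabled*') {
    Write-Warning 'Defender is disabled by policy; confirm another product is active.'
}
```

Run it once before editing policy and again after “gpupdate /force” to confirm which values actually changed.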
14 thoughts on “10 Windows Group Policy settings you need to tweak”
Thank you for your effort. It could have been more useful if you added the path to each one of these policies as it could be very hard to search for it sometimes.
Yes, even I agree with this.
Thanks. I hope your week is going well.
Thanks for the feedback. OK. I may write an article on that in the future. Hope all is well.
Thank you Benjamin, I really enjoyed this and got a few new tips from you. Thanks again.
Comes in handy turning off Windows updates, our clients hate it. Worst is when you need to attend somewhere and as soon as you want to shut down “Update and Shut Down/Update and Restart”.
I kept reading expecting an explanation on how to perform each group policy fix.
Many of these changes are ill advised. Reboots need to happen to ensure security patches are applied, defender is actually a decent product for defense against malware, and attacks come in through driver/firmware vulnerabilities as well. Let’s not make suggestions like this to those who may not know better anyway.
First, thanks for your comment; it brought me to this page, and I think I need to do an update article very soon.
You make an interesting point about the necessity of auto-reboots. I am more of the opinion that forced restarts can be very discomforting; for instance, I was able to verify that several customers have the same view.
Of course, for someone not really in a position to take active decisions about necessary patches and upgrades, probably there’s a case for forced restarts, but that comes at a cost.
Similarly, switching to something more comprehensive than Windows Defender, in my opinion, is essential for an enterprise computer.
I appreciate your comments though. Disagreement brings improvements.
I think an article focused on Group Policy settings should really list a path to each of the policies discussed in the article.
Not sound advice to switch Windows Defender off.
I can guess where your concerns come from.
The reason why I mentioned it is – it’s good to know how to do it!
Especially because some antiviruses require you to switch off any other competing software.
I hope your weekend is going well.
Some of these comments are silly. Apparently you either work in a very small office or provide consumer PC support. Company IT Depts. typically do NOT want Windows 10 to update itself or reboot itself, ever. We control the update and reboots and set them during a scheduled time.
The Windows Defender comments are similar to the above. It might be an alright piece of software but when you are guarding millions/billions of dollars worth of data/equipment/time, you can’t tell your boss X was hacked because of this free software we use. You pay for better products and sometimes you don’t want to have to deal with multiple software interfering with each other or you don’t want the hassle of configuring and monitoring two kinds of software that do the same thing.
Anyways, good article.
I appreciate your detailed comment.
In response, I believe that a group admin must know more than just the best practices, even if it’s an anti-best practice in certain contexts. Know it > don’t use it > until there’s a situation where you need to defy conventional wisdom and do some crazy stuff to save the day.
I have worked in different teams, different contexts, different industries, and have seen leaders take decisions to ‘test in production’ on days there were no other options. Do I recommend that as a best practice – NO. Do I feel that’s good to know – yeah.
Respect for your opinion though. Cheers.