Group Policy is a helpful tool for administrators. It lets us set up specific rules for all the computers in a network, which gives us better control and makes things easier to manage. Sometimes, users might feel like they have limited control because these rules dictate how they use their computers.
But from an administrator’s perspective, it’s all about making things work better for users. We want to create a computer environment where users can operate smoothly, stay safe from problems, and be productive. We aim to keep everything running smoothly and securely for the organization and its users.
So, Group Policy helps us make things more organized and easier to manage and keeps users safe from potential issues. When we set up these rules carefully, we can strike a balance between a secure and efficient environment while still letting users do their jobs effectively.
Useful Group Policies for Windows Clients
There are thousands of different group policies. There is hardly a Windows setting that cannot be configured via a policy.
The question arises: Which group policies do I need in my network?
Unfortunately, the answer is disappointing: every single group policy has its right to exist. Depending on the roles, features, or applications used, however, the selection can be narrowed down.
In this article, I have therefore focused on 10 useful group policies. These policies restrict the rights of users without hindering them in their work.
1. Lock Windows applications
Windows users do not need to be able to open every application. Some functions can already be deactivated via their own group policies, but applications to block can also be named explicitly.
The associated policy is called “Do not run specified Windows applications”. Here the (common) administrator can let off steam to his heart’s content. Typical applications that can be blocked with this policy would be Windows PowerShell or Paint.
Third-party programs can also be blocked with it. Since this is a user policy, access to installed programs can be very well restricted.
The policy is located under User Configuration -> Policies -> Administrative Templates -> System.
2. Prevent access to the registry
The registry is the brain of Windows. All configurations and other settings come together here. A normal Windows user should, therefore, not have access to this powerful tool.
All access to the registry can be blocked via the group policy “Prevent access to programs that edit the registry.” Direct importing using .reg files is also no longer possible.
This policy should, therefore, always be activated. If you import registry keys via a login script, you can activate the option to run in the background. Then these imports will continue to work when you log in.
You can find the policy under User Configuration -> Policies -> Administrative Templates -> System.
3. Lock the control panel
In certain environments, the control panel must be completely locked. Every admin knows the "tinkerers" who always have to fiddle around everywhere. Their urge to tinker can be severely restricted with this user group policy.
The “Don’t allow access to Control Panel and PC Settings” policy does just that: opening the Control Panel and Settings in Windows 10 is completely prohibited.
The policy is found under User Configuration -> Policies -> Administrative Templates -> Control Panel.
However, the administrator can also create a lot of work for himself with this policy. The user can no longer open the display or printer settings. If you don't want to regulate quite so strictly here, you can use the following two policies to soften the restriction:
4. Remove access to all Windows Update features
Windows updates must be controlled centrally in the company. This is possible either via WSUS or via patch management software.
To prevent Windows users from playing around with the settings of the Windows update function, access to it should be completely blocked. This works wonderfully via group policies.
The associated policy is called “Remove access to all Windows Update features” and is located in the path User Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.
In addition to blocking the Windows Update function, you can hide the notifications about a required restart.
5. Connect printers and network drives
These two settings are a bit more extensive. But they are worth implementing. You will save yourself a lot of time in the future. Promised.
With these group policies, you can connect network printers and network drives at login, depending on the user. They replace the login scripts with the usual net use commands.
Since the configuration is difficult, I have written two articles for these guidelines. You can find them here:
- Install printers using group policies
- Map network drive via group policy
6. Automatically delete user profiles that are not required
When a domain user logs on to a computer, a user profile is created on the hard drive. Depending on the setting and usage, these user profiles can consume quite a lot of storage space.
A group policy can automatically delete user profiles that have not been used for a long time. This is particularly worthwhile for computers that different people use very frequently.
The group policy is “Delete user profiles older than a certain number of days at system startup”. It is located under Computer Configuration -> Policies -> Administrative Templates -> System -> User Profiles.
7. Enable User Account Control
User Account Control is one of the most critical security features of Windows. It prevents unauthorized changes to the operating system.
Unfortunately, you often see security levels that are too low or a completely deactivated user account control. User account control should always be controlled via group policies to ensure no one can change this setting.
8. Activate screen saver automatically
Again and again, one sees abandoned and unlocked computers. The employee leaves for several minutes and forgets to lock the workstation. Anyone could now access data at this workstation.
For this reason, it is advisable to activate the screensaver automatically after a certain period of time, including password protection.
These three policies must be enabled for this:
- Activate screen saver
- Use password protection for the screensaver
- Screen saver timeout
The timeout must be specified in seconds. The default is 900 seconds (15 minutes). I recommend a value of 300 seconds (5 minutes).
All three policies are under User Configuration -> Policies -> Administrative Templates -> Control Panel -> Customization.
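To verify on a client that the three policies actually arrived and that the timeout is no longer than the recommended 300 seconds, the registry values they write can be checked. The following PowerShell is an added example, not part of the original article; the function names are hypothetical, and the sample input is constructed.

```powershell
# Added example (function names are hypothetical, not from the article).
# The three screen saver policies are stored as string values under this user policy key.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ValueNames = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut'

function Get-ScreenSaverPolicyValues {
    # Collect only the values that are actually set by policy for the current user.
    $values = @{}
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $ValueNames) {
        if ($props -and $null -ne $props.$name) { $values[$name] = [string]$props.$name }
    }
    return $values
}

function Test-ScreenSaverLockPolicy {
    param(
        [hashtable] $Values = @{},       # value name -> data read from the policy key
        [int] $MaxTimeoutSeconds = 300   # the timeout recommended above
    )
    $findings = @()
    if ($Values['ScreenSaveActive'] -ne '1') {
        $findings += 'Screen saver is not enforced by policy'
    }
    if ($Values['ScreenSaverIsSecure'] -ne '1') {
        $findings += 'Password protection is not enforced by policy'
    }
    $timeout = 0
    if (-not [int]::TryParse([string]$Values['ScreenSaveTimeOut'], [ref]$timeout)) {
        $findings += 'Timeout is not set by policy; the user-chosen value applies'
    } elseif ($timeout -le 0) {
        $findings += 'Timeout is 0, so the screen saver never starts'
    } elseif ($timeout -gt $MaxTimeoutSeconds) {
        $findings += "Timeout is $timeout s, longer than $MaxTimeoutSeconds s"
    }
    return $findings   # empty result means all three policies are in effect
}

# Constructed sample: policies applied, but the timeout left at 900 seconds.
$sample = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '900' }
Test-ScreenSaverLockPolicy -Values $sample

# On a domain client, audit the logged-on user's effective policy values:
Test-ScreenSaverLockPolicy -Values (Get-ScreenSaverPolicyValues)
```

Because these are user policies, the check has to run in the session of the user being audited, for example after `gpupdate /force` and a fresh logon.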
9. Create desktop icons
Links to server applications or websites can also be distributed to client computers using group policies.
The necessary settings can be made in the path User Configuration -> Settings -> Windows Settings -> Shortcuts.
The benefit: Element-level targeting is available for this. This allows a very specific assignment at user or group level.
10. Disable the lock screen
The lock screen is not required in the corporate environment. It’s unpleasant – you must press a key before entering the password.
Fortunately, the lock screen can be disabled via group policy. I have already published detailed instructions in a separate article. You can find it here: Disable lock screen.
Other useful group policies
Of course, the ten group policies mentioned are only a few possibilities. There are also many other use cases: