|
GPO or Group Policy Option is a software rule to control a function of the Operating System... |
They control Security, Operation, and Features for the Windows
Operating System environment.
But do you really know what they do and why it is important to have this knowledge if you go mucking about with the gpedit.msc?
Each one has three states:
- Not Configured
- Enabled
- Disabled
In addition if you Enable it you may have parameters to fill in such as in the case of this GP:
Restrict potentially unsafe HTML Help functions to specified folders.
If you enable this GPO you will have to list the folders you want to lock the HTML code out of such as the Cookie folder for either your user id or all user ID folders.
GPO or Group Policy Options are defined as:
And have the following configurations:
Any Local Machine GP will be over ridden by Domain GP's if the Domain GP's are set for anything besides the default: Not Configured, if Not Configured then Domain GP's default to the Local Machine GP for both Computer and User configurations.
As in the example above if the Local Machine GP is set for Enabled and the parameters are set for locking out the HTML Help function on the Cookies folder, but if not set in the Domain GP then only the Local Machine the GP is set for will be affected, that is one computer may have the GP set but others may not.
Troubleshoot, repair, maintain, upgrade & secure...
With this! |
To over come this setting a Local Machine GP on each computer you could use the Domain GP's to set all computers to the same standard set of GP's and over ride any other configurations, this means that all computers in a Domain will have the same GP's at all times.
Care must be used when setting GPO or Group Policy Options, enabling or disabling a GP may have grave consequences if configured wrong, the consequences range from a BSOD, to locking a user out of the computer, or loss of functionality of programs and services.
Local Machine only effects the computer that the GP is applied on, but a Domain GP effects all computers in the Domain (with exceptions of course!).
However a well written GP can enhance the security and operation of all the Domain or Local Machine computers.
Such as disabling the "AutoPlay" GPO or Group Policy Option
is in both the Computer and User configurations.
By disabling the AutoPlay a virus or hacker can not use the AutoPlay option when a floppy disk, CD/DVD or USB pen drive is used to automatically execute a program that could gain control of a computer.
A lot of install programs use the "AutoPlay" to set up the parameters and start to install a program so if you disable this GP you have to manually start the install program. A little extra work for a lot of security.
One last thing about setting a Group Policy for a service or function: Each GP has an Explanation tab, read it, if you don't understand what the explanation is telling you do not enable it!
When I was a young Airman an instructor told the class on Aircraft Instruments I was in: "If you DO NOT KNOW WHAT IT DOES
- DON'T TURN IT ON!" A wise man.
The MCSE has a four hundred page text on what the Group Policy is and what it does, so
if you don't know - don't turn it on!
|
Proudly Made in The U. S. A.
www.diy-computer-repair.net