System Administration with Group Policy in Windows XP - Part I
In Windows XP there is a nice tool, Group Policy (GP). Many Windows users have been around for a long time but have never known this tool because they cannot be found in Control Panel, Administrative Tools or System Tools. GP is one of the components of Microsoft Management Console and you must be a member of the Adminstrators group to be able to use this program. If not, you will receive the following error message:
Start the program: There are 2 ways to start the program.
Method 1: Go to Start menu> Run, then enter mmc command to start Microsoft Management Console. Then go to the File menu, select Open. In the Open window, click the Browse button and navigate to the System32 folder. You will see many files appear with the extension * .msc. Files of this type are components created by Microsoft Management Console. If you notice, you will see some familiar tools like: Event Viewer (eventvwr.msc), Services (services.msc) (these two tools are in Admin Tools) . and more. In the scope of this article, you need to select gpedit.msc to open Group Policy.
Method 2: If you work regularly with GP, this way will be faster. Go to Start menu> select Run and enter gpedit.msc and click OK to start the program. When the program has started, you will see the interface window as shown below:
The program is classified into a tree and is easy to use. If you use software like Security Administrator, TuneUp Utilities, . you will find that most system configuration options are in GP. And you absolutely can use the GP that Windows provides available for system administration, no need to install the above software.
* General usage: find branches, Not Not configured if not configured for that feature, Enable to kick active feature, Disable to disable the feature.
* Computer Configuration: Changes in this section will apply to all users on the computer. This branch contains many sub-branches such as:
+ Windows Settings: you will configure account usage, account password, start-up and system login management .
+ Administrative Templates:
- Windows Components: you will configure the components installed in Windows such as Internet Explorer, NetMeeting .
- System: configuration of the system. It should be noted that before configuring any component, you need to know it carefully. You can select the component and right-click to select Help.
Alternatively, do not select Help but choose Properties. When the Properties window appears, switch to the Explain tab to get a detailed explanation of this component.
By default, the initial status of these components is 'Not configured'. To change the status of certain components, select the Setting tab in the Properties window, there are 3 options for you to choose from: Enable (effective), Disable (disable) and Not configure (not configured). form).
* User Configuration: helps you configure the account you are using. The components are a bit different, but the use and configuration are similar.
Part I: Computer Configuration:
Windows Setting:
Here you can fine-tune, apply policies on account usage, account passwords, start-up and system login management .
+ Scripts (Startup / Shutdown):
You can specify whether windows will run a certain piece of code when Windows Startup or Shutdown.
+ Security settings: Security settings for the system, these settings are applied to the entire system, not just users.
Name Feature Summary Account Policies Policies apply to user accounts. Local Policies Verify policies, benefit options, and security policies for on-site users. Public Key Policies Shared key policies
Here we will in turn go into the details of each small part of it.
1. Account Policies: Set policies for accounts
a> Password Policies : Includes policies related to account passwords of account users on the computer.
Enforce password history: For users who do not have the habit of remembering multiple passwords, when forced to change passwords, they still use the same old password to replace the new password, this is a big gap. Direct attention to revealing passwords. This setting forces a new password to not resemble any of the passwords we decide. Valid from 0 to 24 passwords.
Maximum password age: The maximum time the password is valid, after this time the system will ask us to change the password. Changing passwords periodically to improve account security, because a bad guy can track your habits, can easily find the password. Values range from 1 to 999 days. The default value is 42.
Minimum password age: Specify the minimum time before the password can be changed. At the end of this time, you can change the password of the account, or you can change it immediately by setting the value to 0. Value from 0 to 999 days. Do you need to set a larger 'Minimum password age' if you want the 'Enforce password history' policy to be effective, because users can reset the password multiple times so that they can re-use the password. old password.
Minimum password length: Minimum minimum length of account password. (Calculated by number of characters entered). The length of the password is valid from 1 to 14 characters. Set the value to zero if you do not use a password. The default value is 0.
Password must meet complexity requirements: Determine the complexity of the password. If this feature is valid. The password of the account must at least meet the following requirements:
- Does not contain all or part of the user account name
- The minimum length is 6 characters
- Contains 3 or 4 characters of the following characters: Lowercase letters (a -> Z), uppercase letters (A -> Z), Digits (0 -> 9) and special characters.
Password complexity is considered mandatory when creating or changing a password. Nails: Disable.
Store password using reversible encryption for all users in the domain: Store passwords using reverse encryption for all domain users. The feature provides support for applications that use the protocol, it requires an understanding of the user's password. Password archiving using native encryption is essentially the same as storing encrypted text of password protection information. Default: Disable.
b> Acount lockout Policy:
* Account lockout duration: Specify the number of minutes remaining after the account is locked before the unlocking is done. Valid from 0 to 99,999 minutes. It is possible to set a value of 0 if you do not want Auto Unlock. The default is not valid because this policy is only available when the 'Account lockout threshold' policy is set.
* Account lockout threshold: Determines the number of attempts to log in but failed. In this case Acount will be locked. Unlocking can only be done by the administrator or wait until the lock expires. It is possible to set the value for the wrong login number from 1 to 999. In case of setting a value of 0, the account will not be locked.
* Reset account lockout counter after: Reset the number of attempts to log on to 0 after a specified time. This setting is valid only when the 'Account lockout threshold' is set.
2. Local Policies: Local policies :
User rights Assignment: Assign user rights.
User rights here include access rights, data backup rights, and system time changes .
In this section, to configure a section you can double-click on the item and click Add user or group to authorize any user or Group you want.
* Access this computer from the network: For the curious, prying, why should we allow them to access our computer. With this setting you can add more, reduce access to the machine for any account or group.
* Act as part of the operating system: This policy specifies which account will be allowed to operate as part of the system. By default, the Aministrator account has the highest permissions, can change any system settings, be verified as any user, so you can use system resources like any user. Come on. Only low level authentication services require this privilege.
* Add workstations to domain: Insert an account or group into the domain. This policy only works on systems that use Domain Controllers. When added to the domain, this account will have additional rights to operate on the Active Directory directory, which can access network resources as a member on the Domain.
* Adjust memory quotas for a process: Specify who is allowed to adjust the memory target for a process. This policy has increased the efficiency of the system but it can be abused to serve bad purposes such as attacking the DoS (Dinal of Sevices) service.
* Allow logon through Terminal Services: Terminal Services is a service that allows us to remotely login to the computer. This policy will decide to help us who are allowed to use Terminal services to log in to the system.
* Back up files and directories: Similar to the above policies, here will grant permissions to those who will have the right to backup data.
* Change the system time: Allows users to change the system time.
* Create global objects: Grant permissions for those who can create shared objects
* Force shutdown from a remote system: Allows those who have the right to shut down the computer via the remote control system.
* Shut down the system: Allows anyone to have the right to shut down the computer.
And there are many other policies waiting for you to discover.
Nguyen Quang Duy - IITM
Email: quangduy2500@gmail.com
- Use Group Policy to manage the network in Windows Vista
- Use Group Policy functionality in Windows Vista
- Computerize public administration: Where to start?
- Upgrade Windows
- 10 things you should know about Windows 10
- Things on Windows 10 make users disappointed
- Microsoft released Windows Server 2003 Service Pack 2 RC
- The market share for EeePC is higher than the Windows operating system
- Fix the situation of Windows 10 computer slowly
- Windows XP SP3 is automatically updated from July 10
- Windows 10 supports logging with fingerprints, eyes, faces
- Microsoft will fix the Windows vulnerability next week