Manage Windows 10 with Group Policy

Lance Whitney

You can use Group Policy to administer your Windows 10 computers, even in a small office. Here’s how.

Managing your Windows devices through Group Policy is a task usually reserved for large organizations with domains and Active Directory. But you can also use Group Policy to control one or more computers for a small office if you want to apply the same settings throughout. Group Policy isn’t the most user-friendly tool, but it is effective in that it can display all the key settings and features in Windows, giving you the ability to enable or disable them individually. Certain settings apply only to enterprise-scale organizations, so you wouldn’t touch them. But there are more than a few settings you can tweak for Windows 10 devices used in a small office.

Group Policy can be a helpful way to lock down or disable certain settings if you don’t want people in your office to change them. Through Group Policy, you can alter the settings on one computer and have them apply to anyone who uses that computer. You can also export the settings from one computer to another as a way of handling them all. You can use Group Policy no matter which version of Windows you run. But we’ll look at how to use Group Policy to manage your Windows 10 devices.

If you’re still using the original version of Windows 10, the necessary policy templates are part of the operating system. If you’re running the Windows 10 Anniversary Edition or have since installed the recent Windows 10 Creators Update, you’ll need to download a new set of templates to cover the new features. To do this for the Anniversary Edition, surf to the Download Center page for Administrative Templates (.admx) for Windows 10 and Windows Server 2016. For the Windows 10 Creators Update, surf to the Download Center page for Administrative Templates (.admx) for Windows 10 Creators Update.

Download and install the appropriate MSI file for your version of Windows. After the new templates have been installed, open your local Group Policy Editor as follows: Press Win+R. In the Open field of the Run window, type gpedit.msc. The Group Policy Editor appears with two different configurations: Computer Configuration and User Configuration. In an enterprise environment, Computer Configuration applies the policies to anyone who logs into the current computer, while User Configuration applies the policies to specific users no matter which computer they use. For a small office environment, you can use both configurations to set your policies.

You can control your Windows security settings by using a Group Policy snap-in called secpol.msc. Through this snap-in, you can manage settings for password length and complexity, the account lockout policy, the Windows firewall, and the audit policies. To learn how to use secpol.msc, refer to my article on “How to Control Windows 10 Security via Group Policy.”

For this article, I’ll instead focus on controlling some of the general features in Windows 10. Double-click on the Administrative Templates folder under Computer Configuration. Double-click on Control Panel and then click on Personalization.

To modify a certain setting, such as the ability to change the Lock screen and logon image, click on it once. Make sure the Extended tab is selected, and you’ll see a description of the setting and what happens if you enable it.

Double-click on the setting, and up pops a window where you can enable it. In this case, Group Policy gives you three choices. You can leave the setting as “Not configured,” meaning it stays as is and is left unmanaged. You can disable the setting, meaning it’s turned off and left managed. Or you can enable the setting, which means you modify it and put the policy into effect. In the case of the ability to change the Lock screen and logon image, enabling this setting means you’re preventing anyone who signs into the current computer from changing the Lock screen and image. Assuming you wish to enable the setting, click on the button for Enabled and then click OK.

Next, move to the User Configuration section. Double-click on Administrative Templates. Double-click on Control Panel, and then click on Personalization. Open the settings here that apply to themes, desktop background, and colors, and enable them to prevent people from changing them.

Now, restart your computer and sign back in. Right-click on the desktop and then click on Personalize from the popup menu. If your policy changes have gone into effect, you should see certain options grayed out with a message that reads: “Some settings are hidden or managed by your organization.”

Reopen the Group Policy Editor. Go through the various subfolders under Administrative Templates in both the Computer Configuration and User Configuration sections and enable any other settings you choose. Certain subfolders, such as Network and Servers, may not play a role in your environment, so you can leave their settings alone. You’re more likely to find relevant items in the Desktop, Start Menu and Taskbar, and Windows Components folders.

After you’ve finished enabling the appropriate settings, you can restart your computer and check Windows to make sure the policies have gone into effect.

Now, let’s say you have other Windows 10 computers or devices for which you want to apply the same settings. In an enterprise environment, you would use Active Directory and the Group Policy Management Console to propagate those settings. But assuming you don’t have such tools, you’ll have to resort to an export and import, and for that you’ll want to use a special command-line tool from Microsoft known as LGPO, or Local Group Policy Object Utility.

On the computer on which you’ve created your policies, download and extract the LGPO.zip file from its Microsoft Security Guidance page. You can open the downloaded LGPO.PDF file to learn how the tool works and see all its command-line switches. But here’s how to export or back up your Group Policy settings. First, copy the LGPO.exe file to the Windows\System32 folder. Open a command prompt as an Administrator. At the command prompt, type the command LGPO.exe /b location, replacing the word location with the actual folder in which you want to store the settings, for example, LGPO.exe /b C:\.

A folder named with a GUID (a long alphanumeric name) is created in the location you specified. Copy that folder to the target computer on which you want to apply the settings. Also, copy the LGPO.exe file to the Windows\System32 folder on the target PC. Open a command prompt as an Administrator. At the command prompt, type the command LGPO.exe /g location, replacing the word location with the actual folder in which the copied folder is stored, for example, LGPO.exe /g c:\. Be prepared to wait a while. You should then see a message that the settings have been applied to your target computer. Reboot the PC and check Windows to confirm that the new settings are now in effect.
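The export and import steps above can be scripted so that the backup folder is checked for changes before it is applied on the target PC. This PowerShell sketch is an added example, not part of the original article or of Microsoft's tooling. The function names, the C:\GPOBackup folder and the manifest file are assumptions, and it expects LGPO.exe to be on the path as described above.

```powershell
#Requires -RunAsAdministrator
# Added example: function names, C:\GPOBackup and the CSV manifest are assumptions.

function Export-LocalPolicy {
    param([string]$BackupRoot = 'C:\GPOBackup')
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $before = @(Get-ChildItem -LiteralPath $BackupRoot -Directory | ForEach-Object Name)

    & LGPO.exe /b $BackupRoot
    # Assumption: LGPO.exe reports failure through a nonzero exit code.
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /b exited with code $LASTEXITCODE" }

    # The backup is the GUID-named folder that did not exist before the run.
    $backup = Get-ChildItem -LiteralPath $BackupRoot -Directory |
        Where-Object { $before -notcontains $_.Name } | Select-Object -First 1
    if (-not $backup) { throw "No new backup folder found under $BackupRoot" }

    # Record a SHA-256 hash for every file, keyed by its path inside the backup.
    $prefix = $backup.FullName.Length + 1
    $manifest = Join-Path $BackupRoot "$($backup.Name).sha256.csv"
    Get-ChildItem -LiteralPath $backup.FullName -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($prefix)
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $manifest -NoTypeInformation
    [pscustomobject]@{ BackupFolder = $backup.FullName; Manifest = $manifest }
}

function Import-LocalPolicy {
    param(
        [Parameter(Mandatory)][string]$BackupFolder,  # GUID folder copied from the source PC
        [Parameter(Mandatory)][string]$Manifest       # CSV written by Export-LocalPolicy
    )
    # Refuse to import if any file is missing or differs from the exported copy.
    foreach ($entry in Import-Csv -LiteralPath $Manifest) {
        $file = Join-Path $BackupFolder $entry.Path
        if (-not (Test-Path -LiteralPath $file)) { throw "Missing file: $($entry.Path)" }
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($hash -ne $entry.Hash) { throw "Hash mismatch: $($entry.Path)" }
    }
    & LGPO.exe /g $BackupFolder
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe /g exited with code $LASTEXITCODE" }
}
```

Run Export-LocalPolicy on the source computer, copy both the GUID folder and the manifest to the target, and then run Import-LocalPolicy there. The manifest only detects changes if it travels by a channel you trust at least as much as the backup itself.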




All Windows Secrets articles posted on 2017-04-27: