User Group Policy – System

Windows 2003 – Group Policy -> System

‘System’ is another Group Policy section where every administrator will benefit from restricting users, if only by stopping them hacking the registry.  Before you start, compare and contrast the settings here (User Configuration \ Administrative Templates \ System) with those in Computer Configuration \ Administrative Templates \ System.  The user-side settings follow the person whichever machine they log on to; the computer-side settings apply to the machine whoever logs on.  Bear in mind, too, that most of the user-side restrictions are enforced by Explorer and by the policy-aware programs themselves (Regedit, Cmd, Task Manager); they are desktop lock-down, not a security boundary, so back them with NTFS permissions or Software Restriction Policies where it matters.

Group Policy Topics for System Folder

User Configuration

     Administrative Templates

         System


* Guy’s Top Five System Group Policies (marked with an asterisk below)

System (Root)

These are settings that ‘Mr Nasty’ will love.  ‘Prevent access to the command prompt’.  Perhaps you have already removed the Run command; now you want to bolt the back door to the ‘DOS box’.  When you enable it, look at the second option, ‘Disable the command prompt script processing also?’.  Leave that at No and users can still run .bat and .cmd files, which rather defeats the object; set it to Yes, but first check that none of your logon scripts depend on it.

I cannot think of a good reason why ordinary users need Regedit, so I would Enable * ‘Prevent access to registry editing tools‘.  Be careful with your logic here; the risk is that you have a double negative.  For instance, setting ‘Prevent access to registry editing tools’ to Disabled explicitly allows Regedit to run, which may be the reverse of what you intended.  Note also what the policy does and does not cover: it stops Regedit and Regedt32, but Reg.exe and scripts that call the registry APIs still work, so treat it as a deterrent and protect keys that matter with registry permissions.

‘Don’t run specified Windows applications’ is another setting where you should double check your logic.  Here you are making a blacklist of the bad guys, programs that ordinary users have no business running.  Be aware that the check is made by Explorer on the file name alone: a user who copies an executable to a new name, or who starts it from a command prompt, Task Manager or a script, walks straight past it.

‘Run only allowed Windows applications’ takes locking down the desktop one stage further; in this case you specify only the programs that your people really need, for example Excel and Winword.  Remember that this is a list of a few essential programs and everything not on it is blocked, so pilot it on a test OU before you apply it to real users; an over-short list leaves them with a desktop they cannot use.  The same file-name caveat applies as for the blacklist.

* ‘Restrict these programs from being launched from Help‘.  This policy neatly closes a back door which savvy users exploit to sneakily run programs that they should not be using.  Be on your guard, and choose the executables wisely.

Take a view on what should be done about ‘Windows Automatic Updates’ (the user-side setting removes the user’s access to the Windows Update features).  Again, here is a policy to fit into your broader corporate patching strategy.

Two settings which could slightly improve users’ experience are ‘Configure driver search locations’ and ‘Century interpretation for Year 2000’.  The latter sets the window Windows uses to expand a two-digit year (the default runs from 1930 to 2029), so it may become more relevant as we approach 2029!

* ‘Code signing for device drivers‘: this is not a setting that you should leave to chance.  I would Enable it, then choose ‘Block’ for drivers without digital signatures; ‘Warn’ merely prompts, and an ordinary user will click through a prompt.  Ask yourself, ‘What are users doing installing device drivers anyway?’.


User Profiles

I am a great fan of roaming profiles, especially for us administrators.  With the settings here (‘Limit profile size’ and ‘Exclude directories in roaming profile’) you can alleviate worries that roaming profiles generate too much network traffic by imposing limits on the size of the profiles and on the directories included in the roaming profile; excluding Temporary Internet Files and Local Settings is the usual first step.

Scripts

Nothing much here; perhaps you would want to run scripts visibly (‘Run logon scripts visible’) if you are testing, or if they carry information for the users, but otherwise a section to ignore.  By all means run legacy scripts hidden, but why not upgrade those batch files to VBScript?

Ctrl Alt Del GPO Options

The most controversial decision here is ‘Remove Task Manager’ (not Taskbar).  My view is to leave Task Manager available, that is, leave the policy Not configured.  Would it not save work all round if users could zap their own programs which are not responding?

I can think of only a few specialist situations where you would want to deny users the Change Password and Lock Computer buttons (‘Remove Change Password’, ‘Remove Lock Computer’).  Kiosk computers or communal internet machines would benefit from this policy.  However, for the rest, leave the Ctrl Alt Del GPO at the default, Not configured.


* Logon

There are two ideas here that are worth a look.  Firstly, are there any programs that clients always need?  If so, configure ‘Run these programs at user logon’ (remember that this list is itself an autorun mechanism, so guard who can edit the GPO).  Secondly, have you been caught by viruses exploiting the ‘RunOnce’ registry key?  If so, ‘Do not process the run once list’ stops Explorer running the user’s RunOnce entries, and its sibling ‘Do not process the legacy run list’ does the same for the Run key.  Two caveats: the policy stops the entries running, it does not remove them, so you still need a scanner; and legitimate installers use RunOnce to finish their work after a reboot, so expect some setups to break.
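The settings in the System root, Ctrl Alt Del and Logon sections above all end up as registry values under HKCU, which is where you can check what a user has really received and untangle the Enabled/Disabled double negative.  The following PowerShell script is an added example, not code from the original article: it reads those values for the logged-on user and reports each policy as Enabled, Disabled or Not configured.  The key paths and value names are the ones the Windows 2003 ADM templates write; run it as the user in question after `gpupdate /force`.

```powershell
# Added example (not from the original article): audit the HKCU values written by the
# User Configuration \ Administrative Templates \ System policies discussed on this page.
# Key paths and value names are those used by the Windows 2003 ADM templates.

$Checks = @(
    @{ Name  = 'Prevent access to the command prompt'
       Key   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Value = 'DisableCMD' },
    @{ Name  = 'Prevent access to registry editing tools'
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableRegistryTools' },
    @{ Name  = "Don't run specified Windows applications"
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'DisallowRun' },
    @{ Name  = 'Run only allowed Windows applications'
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'RestrictRun' },
    @{ Name  = 'Remove Task Manager'
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableTaskMgr' },
    @{ Name  = 'Remove Change Password'
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableChangePassword' },
    @{ Name  = 'Remove Lock Computer'
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableLockWorkstation' },
    @{ Name  = 'Do not process the run once list'
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'DisableLocalUserRunOnce' },
    @{ Name  = 'Do not process the legacy run list'
       Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'DisableLocalUserRun' }
)

# Returns the DWORD the ADM wrote, or $null when the policy is Not configured
# (the ADM deletes the value in that case and writes 0 for Disabled).
function Get-PolicyValue([string]$Key, [string]$Value) {
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Value
}

# All of these policies are negatives ('Prevent ...', 'Remove ...', 'Do not ...'),
# so spell out the effect on the feature rather than echoing Enabled/Disabled.
function Resolve-State($Raw) {
    if ($null -eq $Raw) { return 'Not configured (feature available)' }
    if ($Raw -eq 0)     { return 'Disabled (feature explicitly allowed)' }
    if ($Raw -eq 1)     { return 'Enabled (feature blocked)' }
    if ($Raw -eq 2)     { return 'Enabled, strict (DisableCMD: scripts blocked too; DisableRegistryTools: regedit /s blocked too)' }
    return "Unexpected value $Raw"
}

foreach ($c in $Checks) {
    '{0,-42} {1}' -f $c.Name, (Resolve-State (Get-PolicyValue $c.Key $c.Value))
}

# The blacklist and whitelist live in sub-keys of the same name, one string value
# ("1", "2", ...) per program.  Explorer matches these on file name alone.
foreach ($list in 'DisallowRun', 'RestrictRun') {
    $sub = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\$list"
    if (Test-Path $sub) {
        $names = (Get-ItemProperty $sub).PSObject.Properties |
                 Where-Object { $_.Name -match '^\d+$' } |
                 ForEach-Object { $_.Value }
        "$list entries: $($names -join ', ')"
    }
}

# 'Run these programs at user logon' (Logon folder) uses the same numbered-value layout.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $runKey) {
    $programs = (Get-ItemProperty $runKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value }
    "Policy logon programs: $($programs -join ', ')"
}
```

Reading the values directly is also the quickest way to confirm a suspected double negative: if a ‘Prevent’ policy shows 0 rather than being absent, somebody set it to Disabled rather than Not configured, and that explicit 0 will override any Enabled setting from a GPO applied earlier in the processing order.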

Group Policy

* ‘Group Policy slow link detection’: people often ask me what is a slow link?  56K, 256K?  Well, here you can decide, based on your experience of how long Group Policy settings take to apply when a client logs on remotely; the default threshold is 500 Kbps, and over a link judged slow only the security settings and Administrative Templates are applied, so scripts, folder redirection and software installation are skipped.  The other settings here assist administrators who are configuring Group Policies.  See also Windows 8 Group Policy Settings.

Power Management

Just one policy here: ‘Prompt for password on resume from hibernate / suspend’.  This is the classic trade-off, security versus convenience, although for a laptop that leaves the building the choice is easy, since a machine that resumes without a password hands its desktop to whoever picks it up.  I do believe that hibernating rather than turning machines off will be the way of the future.  However, at present few people trust ‘Hibernate’, so this setting is not needed yet!

Windows Time Service

If you are fed up with those W32Time errors in the Event Log then why not use a Group Policy to configure the time servers.  Note that the Windows Time Service settings are on the computer side, in Computer Configuration \ Administrative Templates \ System \ Windows Time Service; there is no user-side equivalent.  In Windows Server 2003 domains Kerberos relies on time synchronization between machines: by default a ticket whose timestamp is more than five minutes out is rejected, because otherwise an attacker could capture a packet and replay it on the network later.  Let domain members sync from the domain hierarchy and point only the PDC emulator at an external source.
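To see whether a machine is inside that five-minute window before Kerberos starts complaining, you can measure its offset from the PDC emulator with the built-in w32tm tool.  The following PowerShell is an added example, not from the original article; it assumes a domain-joined machine and that `w32tm /stripchart` is available (it is on Windows XP/2003 and later), and takes the 300-second figure from the default Kerberos policy setting ‘Maximum tolerance for computer clock synchronization’.

```powershell
# Added example (not from the original article): measure this machine's clock offset from the
# domain's PDC emulator with w32tm and compare it with the Kerberos default of five minutes.
# Assumes a domain-joined machine; w32tm /stripchart exists on Windows XP/2003 and later.
$KerberosMaxSkewSeconds = 300   # Kerberos policy default 'Maximum tolerance for computer clock synchronization'

# The PDC emulator is the authoritative time source for the domain.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

# Take three samples; /dataonly prints one line per sample ending in an offset such as '+00.0123456s'.
$lines = & w32tm /stripchart /computer:$pdc /samples:3 /dataonly 2>&1

$offsets = @(foreach ($l in $lines) {
    if ("$l" -match '([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
})
if ($offsets.Count -eq 0) { throw "No samples from $pdc. Output was: $($lines -join ' | ')" }

$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
"Offset from $pdc (worst of $($offsets.Count) samples): $worst s"

if ($worst -ge $KerberosMaxSkewSeconds) {
    Write-Warning "Skew exceeds $KerberosMaxSkewSeconds s: Kerberos will reject tickets (KRB_AP_ERR_SKEW). Run 'w32tm /resync' and check the time source."
} else {
    "Within the Kerberos tolerance of $KerberosMaxSkewSeconds s."
}
# On Windows 2003, 'w32tm /monitor' lists every DC's offset; 'w32tm /query /source' exists from Vista/2008 onwards.
```

An offset of a second or two is normal; anything measured in minutes points at a machine that is not syncing from the domain hierarchy at all, typically because the CMOS clock drifted while the time service was stopped or because someone pointed it at an external server directly.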

The Dsacls.exe Tool

Dsacls.exe is a command-line tool that you can use to query the security attributes, and to change the permissions and security attributes, of Active Directory objects.  It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services, and it is the tool to use when you want delegation scripted and repeatable, for example granting a helpdesk group rights over an OU.  Note that it works only on directory objects; NTFS permissions on files and folders (for instance locking Terminal Services users out of parts of a Windows Server 2003 or Windows 2000 server) are the job of Cacls.exe.
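As an added example of dsacls doing the Security tab’s job from the command line (not code from the original article): it displays an OU’s ACL, delegates the ‘Reset Password’ control access right on user objects in that OU to a group, and then verifies the result.  The OU and group names are placeholders for illustration.

```powershell
# Added example (not from the original article).  The OU and group are placeholders.
$ou    = 'OU=Kiosks,DC=corp,DC=example'
$group = 'CORP\Helpdesk'

# 1. Show the current ACL of the OU, which is what the Security tab would display.
dsacls $ou

# 2. Delegate: allow the group to reset passwords on user objects below the OU.
#    /I:S = apply to sub-objects only; CA = control access right; 'Reset Password' is the
#    right's display name; the trailing 'user' restricts the ACE to user objects.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# 3. Verify by filtering the ACL for the group; the new ACE should be listed.
dsacls $ou | Select-String -SimpleMatch $group

# To take the delegation away again, remove every ACE for that trustee on the OU:
#    dsacls $ou /R $group
```

Because the ACE is written with /I:S it is inherit-only on the OU itself, so the helpdesk gains nothing on the OU object and only the password-reset right on the user objects beneath it; that is the least-privilege shape you want for a helpdesk delegation, and it is far easier to audit in dsacls output than by clicking through the Advanced Security dialog.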

Summary of System Group Policies

Start with the ‘Root’ section of User Configuration, Administrative Templates, System.  Then follow through and investigate the sub-folders, for example Logon, where you can block the RunOnce list.


See more security Group Policies

Group Policies • Troubleshooting Group Policies • Security Options

Group Policy Overview • Group Policy Tactics • Security Restricted Groups

Security System Services • Security Audit • Security Event Log
