Explore Windows XP Magic Group Policy

  
Group Policy is one of the essential tools network administrators use to manage a network, and its everyday uses are familiar to most people. Even so, the author has always believed that, with enough care, there are always new tricks to dig out of it. If you don't believe it, take a look at the following; it should take your use of Group Policy to a new level.

Restrict programs, but beware of "self-locking"

Windows Server has a Group Policy item named "Run only allowed Windows applications". Once you enable this item and restrict every program other than the ones you specify, Group Policy "locks itself": as soon as the policy takes effect, and regardless of whether you added gpedit.msc to the list of allowed programs, the "gpedit.msc" command no longer opens the Group Policy editing window, even under the super administrator account. So is there a way to restrict which applications can run and still prevent Group Policy from "self-locking"? The answer is yes. Follow the steps below:

1. Click "Start" / "Run", enter "gpedit.msc" in the Run box and click "OK" to open the Group Policy editing window.
2. Expand User Configuration / Administrative Templates / System. In the pane to the right of the System item, double-click "Run only allowed Windows applications" and, in the dialog that pops up, select "Enabled".
3. The "Show" button in that dialog is now active. Click "Show", then click "Add", enter the name of the application you need to run in the box that appears, and click "OK".
4. Do not close the Group Policy editing window yet. Open the Run dialog again and execute "gpedit.msc"; you will find that the Group Policy Editor no longer starts.
5. Fortunately, the Group Policy editing window opened earlier is still there. In it, double-click the "Run only allowed Windows applications" item you just set, select "Not Configured" in the policy settings dialog, and click "OK".

This achieves the goal of restricting which applications can run and also prevents Group Policy from "self-locking".

Tip: If you added the application names to the "Run only allowed Windows applications" list and then closed the Group Policy editing window directly, you can recover as follows:

1. Restart the server. During startup, press F8 repeatedly until the boot menu appears, then choose "Safe Mode with Command Prompt" to bring the server up at a command line.
2. At the command prompt, run mmc.exe. In the console window that opens, click the File menu and choose "Add/Remove Snap-in".
3. Click the "Standalone" tab and, on the tab page shown in Figure 1, click "Add". Then click "Group Policy", "Add", "Finish", "Close" and "OK" in turn to add a new Group Policy console.

From then on you can open the Group Policy editing window again and follow the settings above to restrict which applications can run while preventing Group Policy from "self-locking".

Unlocking "self-locking"

Besides restricting which applications can run, many other things can inadvertently cause Group Policy to "self-lock". If some other factor has caused it, how can the lock be released easily? All Group Policy settings are stored in the system registry, so a change to any branch of Group Policy is reflected in the corresponding registry branch. For this reason, the "self-locking" can be undone by modifying the registry:

1. Click "Start" / "Run", enter "regedit" in the Run box and click "OK" to open the Registry Editor.
2. Expand the registry branch HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}. In the right-hand area of the window shown in Figure 2, you will see a "Restrict_Run" value.
3. Double-click the value to open its edit dialog, enter the number "0", and click "OK".

After that, when you open the Run dialog and execute "gpedit.msc" again, the previously self-locked Group Policy editing window opens without trouble.

Policy changes that take effect immediately

In both Windows 2003 and Windows 2000 domains, a change to the domain's default security policy does not take effect immediately. Generally, Windows takes about 5 to 15 minutes to refresh the settings in Group Policy automatically. So is there a way to make a modified security policy take effect immediately for a user or client? The answer is yes. Follow the steps below.

For a Windows 2000 domain, to make a newly modified computer policy take effect immediately, click "Start" / "Run", enter "cmd" and click "OK" to open an MS-DOS command prompt. At the prompt, enter "secedit /refreshpolicy Machine_policy /enforce" and press Enter; the newly modified security policy takes effect immediately. To make a newly modified user policy take effect immediately, execute "secedit /refreshpolicy user_policy /enforce" at the command prompt instead.

For a Windows 2003 domain, to make a newly modified computer policy take effect immediately, click "Start" / "Run", enter "cmd" and click "OK" to open an MS-DOS command prompt. At the prompt, enter "gpupdate /target:computer" and press Enter; the newly modified security policy takes effect immediately. To make a newly modified user policy take effect immediately, execute "gpupdate /target:user" at the command prompt. To update both the computer policy and the user policy, execute "gpupdate" on its own.

Different users, different permissions

Your server may have many users. To protect the server, you may want these users to have different access rights to it, so that when something goes wrong on the server later, the differences in permissions let you quickly find the user who misbehaved. Assigning different access rights to different users only requires setting the server's Group Policy. The specific steps are:

1. Click "Start" / "Run", enter "gpedit.msc" in the Run box and click "OK" to open the Group Policy editing window.
2. Expand "Computer Configuration" / "Windows Settings" / "Security Settings" / "Local Policies" / "User Rights Assignment".
3. In the right-hand pane for "User Rights Assignment" you will see many rights that can be assigned, as shown in Figure 3.

For example, if you want the aaa user to be able to reach content on the server only remotely over a network connection, and not to log on to the server locally to write content or run applications, double-click the "Deny logon locally" right. In the settings dialog that opens, click "Add", select the account name of the aaa user and click "Add". From then on, the aaa user can only access content on the server remotely over the network. Similarly, you can assign the right to log on locally to the bbb user, assign the right to take ownership of files or other objects to the ccc user, and so on.

Once different rights are assigned to different users, you can manage and control users in a targeted way according to their permission level. For example, if you find that illegal information was uploaded to the server during a period when the server was not connected to the network, you can easily rule out the aaa user. After all, the aaa user has no such ability.

Protect settings to avoid conflicts

On a LAN, workstation IP addresses are often changed at will, which causes IP conflicts and hurts the operating efficiency of the LAN. There are many ways to avoid IP address conflicts, but on closer inspection some of them are a bit difficult for novice users. In fact, Group Policy makes it easy to stop the network configuration parameters of LAN workstations from being changed arbitrarily, and so to avoid IP address conflicts on the network:

1. Click "Start" / "Run", enter "gpedit.msc" in the Run box and click "OK" to open the Group Policy editing window.
2. Expand "User Configuration" / "Administrative Templates" / "Network" / "Network and Dial-up Connections".
3. In the right-hand pane for the "Network and Dial-up Connections" policy, double-click the "Allow TCP/IP advanced configuration" item. In the settings dialog shown in Figure 4, select "Disabled" and click "OK".

From then on, any workstation user who opens the TCP/IP properties window will find it impossible to enter the "Advanced" settings window to modify the workstation's IP address or other network parameters, so IP address conflicts on the LAN become much less likely.
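The registry fix from the 'Unlocking "self-locking"' section can be scripted. The PowerShell below is an added example, not part of the original article: it lists every snap-in subkey under the MMC policy key that carries a Restrict_Run value and, when the hypothetical -Fix switch is given, writes 0 for the Group Policy snap-in GUID the article quotes.

```powershell
# Added example: audit, and optionally clear, the MMC snap-in restriction
# that the article resets by hand in regedit. Run as the affected user (HKCU).
param([switch]$Fix)   # hypothetical switch: write 0 instead of only reporting

$mmcRoot  = 'HKCU:\Software\Policies\Microsoft\MMC'
$gpSnapin = '{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}'   # GUID quoted in the article

function Get-SnapinRestriction {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }               # no MMC policy key at all
    Get-ChildItem -Path $Root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Report only subkeys that actually carry a Restrict_Run value.
        if ($props -and $props.PSObject.Properties['Restrict_Run']) {
            New-Object PSObject -Property @{
                Snapin      = $_.PSChildName
                RestrictRun = [int]$props.Restrict_Run
                KeyPath     = $_.PSPath
            }
        }
    }
}

$found = @(Get-SnapinRestriction -Root $mmcRoot)
if ($found.Count -eq 0) {
    Write-Output 'No Restrict_Run values found under the MMC policy key.'
    return
}

foreach ($entry in $found) {
    # 0 is the value the article sets to make the snap-in open again.
    $state = if ($entry.RestrictRun -eq 0) { 'allowed' } else { 'blocked' }
    $note  = if ($entry.Snapin -eq $gpSnapin) { ' (Group Policy snap-in)' } else { '' }
    Write-Output ('{0}  Restrict_Run={1}  {2}{3}' -f $entry.Snapin, $entry.RestrictRun, $state, $note)

    if ($Fix -and $entry.Snapin -eq $gpSnapin -and $entry.RestrictRun -ne 0) {
        Set-ItemProperty -Path $entry.KeyPath -Name 'Restrict_Run' -Value 0
        Write-Output '  -> Restrict_Run set to 0 for the Group Policy snap-in.'
    }
}
```

If a policy object still configures the restriction, the value is written back at the next policy refresh, so the policy itself also has to be changed.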
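To check the result of the "Different users, different permissions" steps without clicking through the editor, the rights can be exported with "secedit /export /cfg rights.inf /areas USER_RIGHTS" and parsed. The PowerShell below is an added example, not from the original article; the template text is constructed, the accounts aaa, bbb and ccc follow the article, and the helper names are hypothetical.

```powershell
# Added example: parse the [Privilege Rights] section of a security template.
# The sample is constructed; a real export usually lists accounts as *SIDs.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = aaa,bbb,*S-1-5-32-544
SeInteractiveLogonRight = bbb,*S-1-5-32-544
SeDenyInteractiveLogonRight = aaa
SeTakeOwnershipPrivilege = ccc,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-UserRightsMap {            # hypothetical helper: right -> accounts
    param([string[]]$Lines)
    $map = @{}; $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {   # section header switches parsing on or off
            $inSection = ($Matches[1] -eq 'Privilege Rights'); continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $map[$right] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $map
}

function Test-RemoteOnly {              # hypothetical helper
    param($Map, [string]$Account)
    # Network logon granted and local logon denied, as for "aaa" in the article.
    # Matches accounts named directly; group membership is not resolved.
    return (($Map['SeNetworkLogonRight'] -contains $Account) -and
            ($Map['SeDenyInteractiveLogonRight'] -contains $Account))
}

$rights = Get-UserRightsMap -Lines ($sample -split "`r?`n")
foreach ($acct in 'aaa', 'bbb', 'ccc') {
    $held = @($rights.Keys | Where-Object { $rights[$_] -contains $acct } | Sort-Object)
    Write-Output ('{0}: {1}' -f $acct, ($held -join ', '))
}
Write-Output ('aaa is remote-only: {0}' -f (Test-RemoteOnly -Map $rights -Account 'aaa'))
```

To run it against a real export, replace the sample with the output of Get-Content on the exported file.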