How to open secpol.msc in Windows 10. Restricting computer users with local group policy

The Local Group Policy Editor allows you to change Group Policy settings on Windows operating systems. This snap-in allows you to edit local group policy objects that are stored on your computer. The Group Policy Editor is available by default only in Professional and Enterprise versions of Microsoft operating systems.

This article will tell you how to open the Local Group Policy Editor in Windows 10. We will look at all the current ways to access the Local Group Policy Editor. We will also show you how to find the editor in the system using Explorer.

Thanks to the updated search compared to the previous version of the Windows operating system, it is now possible to quickly launch any application.

You can also type gpedit.msc into the search box and select the Microsoft Common Console Document entry from the results. This likewise opens the Group Policy Editor.

How to access the Local Group Policy Editor (Explorer)

All system applications are located on the system local disk. If you know what and where to look, then you can launch any standard program through Explorer.


How to start the Local Group Policy Editor (Run)

Probably the best way to launch the Group Policy Editor. In just a few clicks, you can open the Group Policy Editor without having to search for it. An interesting feature of the Run window is that it keeps previously used commands in a list, so it is enough to open the Run window and select the desired command.

  1. Open the Run window by pressing Win+X and selecting Run (you can also use the keyboard shortcut Win+R).
  2. In the Open: field, enter gpedit.msc and click OK.

More useful commands can be found in the article.

How to open the Local Group Policy Editor (Management Console)


Conclusions

The Local Group Policy Editor is often used by users to configure the operating system. By changing Group Policy, you can configure your computer. That is why even on our website you can find many articles where the Group Policy Editor is used.

In this article, we looked at the best ways to open the Local Group Policy Editor in Windows 10 Professional. We ourselves prefer the method of opening the editor using the Run window.

Are you trying to launch the Local Group Policy Editor using the gpedit.msc command in Windows 10 Home, and getting the error "Cannot find gpedit.msc. Check if the name is correct and try again"? The fact is that the Home edition simply doesn't have it. The lack of a Group Policy Editor in Windows 10 Home is a headache for home users, who are limited in how they can configure the operating system. All the simple changes that can be made quickly and easily using Group Policy have to be made through the registry editor, which is confusing and difficult for ordinary users.

Group Policy is a tool that allows network administrators to enable or disable many important settings. It contains all the settings that can be changed from the desktop in a couple of clicks, but unfortunately Microsoft does not include gpedit in the Windows 10 Home edition. Accordingly, home users have to change these settings through the registry.

Activate Local Group Policy Editor Gpedit.msc in Windows 10 Home

Windows 10 doesn't have a built-in tool that can enable the Local Group Policy Editor. Thus, the only way is to use the third-party Policy Plus utility, which has a Russian interface.

Policy Plus

Policy Plus is a free program that perfectly activates the local group policy editor "Gpedit.msc" in Windows 10 Home. This tool is licensed to run on Windows 10, so you can run it without any violation issues. Policy Plus resembles the real Windows 10 Group policy editor.

Step 1. Download Policy Plus from the GitHub repository. Once the download is finished, open the file and you will immediately get a simple, clean interface that has all the policy options in categories and subcategories.

Step 2. Click "Help", and then "Acquire ADMX Files". In the window that appears, click "Begin". This will download the full set of policies from Microsoft.

Step 3. You can start adjusting the settings of your Windows 10 Home system.


The Windows operating system has always been distinguished by a wide selection of possible settings, the number of tasks performed and supported applications. But managing such a volume of resources would be difficult if not for a special program that allows you to change all the necessary parameters in one place. It is for these purposes that in almost all versions of Windows, including Windows 10, there is a special “Local Security Policy” application.

Why do you need the Local Security Policy app?

This application contains a variety of settings both for the entire system and for individual users. Using this program, you can set various parameters and restrictions for the system, change registry settings, remove or configure applications installed on your computer.

On the left side of the program window, you can use the folder tree, which is divided into two largest sections: computer and user configuration. Which one to use depends on whether you want to make changes for all users on your computer or just one. If you are interested in the first option, you may need administrator rights.

Each of the main sections has three sub-items, which contain all the settings and functions for a specific file type:

How to open the program - instructions

Why is the application missing from my computer?

Local Security Policy is not available in Home or Home Premium editions of Windows. You can launch and use it only in the “Professional” or “Ultimate” edition.

What to do if the Group Policy Editor does not open

First, make sure that your edition of the operating system includes the program. If this is not the cause of the problem, and an error saying the operation is impossible appears when you try to open the program, use the instructions below.

  1. The way out of this situation is to manually install local group policy. First, go to the official Microsoft website (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=25250) and download the program installation file.
  2. Start the installation process and, if you are using a 64-bit operating system, then when you complete it, do not close the window or click the Finish button. First, follow these steps:
  3. Using the Windows search bar, open Run.
  4. Type and run the command %WinDir%\Temp to navigate to the desired folder. Copy the dll, fde.dll, gptext.dll, appmgr.dll, fdeploy.dll files from it and move them to the System32 folder located on drive C. Also transfer the GroupPolicy, GroupPolicyUsers, GPBAK, gpedit.msc elements located in the C:\Windows\SysWOW64 folder to the same System32 folder.

  5. Restart your computer.
  6. Done; the program should now open.
  7. If the program does not open by executing the command, you can try going to the C:\Windows\Temp\gpedi folder and running the .bat file named after the bitness of your system manually.

Cancel changes made (disable) via local security policy

If you are faced with the fact that after changing the parameters in the application, you have errors in the system, or it begins to work incorrectly, then you need to roll back all the settings made to the default value:

You should not change local security policy settings if you do not understand them or do not have reliable instructions, as this may cause various errors or break the system. If you decide to make any changes, check the result after editing each parameter separately, so that you notice in time if one of your actions caused an undesirable result.

One of the main tools for fine-tuning user and Windows system settings is group policies - GPO (Group Policy Object). The computer itself and its users can be affected by domain group policies (if the computer is in an Active Directory domain) and local ones (these policies are configured locally and are applied only on this computer). Group policies are an excellent system configuration tool that can improve its functionality, security, and safety. However, for novice system administrators who decide to experiment with the security of their computer, incorrect configuration of some local (or domain) group policy parameters can lead to various problems: from minor ones, such as the inability to connect a printer or USB flash drive, to a complete ban on installing or launching any applications (through SRP or AppLocker policies), or even a ban on local or remote login.

In such cases, when the administrator cannot log into the system locally, or does not know exactly which of the policy settings he applied is causing the problem, he has to resort to the emergency scenario of resetting group policy settings to standard (default) settings. In the “clean” state of the computer, none of the group policy settings are configured.

In this article, we will show several methods for resetting local and domain group policy settings to default values. This instruction is universal and can be used to reset GPO settings on all supported versions of Windows: from Windows 7 to Windows 10, as well as for all versions of Windows Server 2008/R2, 2012/R2 and 2016.

Resetting local policies using the gpedit.msc console

This method involves using the graphical console of the Local Group Policy Editor gpedit.msc to disable all configured policies. The graphical local GPO editor is only available in Pro, Enterprise and Education editions.

Advice. In Home editions of Windows, the Local Group Policy Editor console is missing, but you can still launch it. Using the links below you can download and install the gpedit.msc console for Windows 7 and Windows 10:

Launch the gpedit.msc snap-in and go to the All Settings section of the local computer policies (Local Computer Policy -> Computer Configuration -> Administrative Templates). This section contains a list of all policies available for configuration in administrative templates. Sort the policies by the State column and find all active policies (in the Disabled or Enabled state). Disable all or only certain policies by setting them to Not configured.

The same actions must be carried out in the user policies section (User Configuration). This way you can disable all GPO Administrative Template settings.

Advice. A list of all applied local and domain policy settings in a convenient html report can be obtained using the built-in utility with the command:
gpresult /h c:\distr\gpreport2.html

The above method of resetting group policies in Windows is suitable for the “simplest” cases. Incorrect group policy settings can lead to more serious problems, for example: the inability to launch the gpedit.msc snap-in or all programs in general, the user losing system administrator rights, or being prohibited from logging in locally. Let's consider these cases in more detail.

Force a local GPO reset from the command line

This section describes how to force a reset of all current Group Policy settings in Windows. However, first we will describe some principles of operation of administrative group policy templates in Windows.

The architecture of group policies is based on special Registry.pol files. These files store the registry settings that correspond to the configured group policy settings. User and computer policies are stored in separate Registry.pol files.

  • Computer configuration settings (section Computer Configuration) are stored in %SystemRoot%\System32\GroupPolicy\Machine\registry.pol
  • User policies (section User Configuration) - %SystemRoot%\System32\GroupPolicy\User\registry.pol

When the computer boots, the system imports the contents of the \Machine\Registry.pol file into the HKEY_LOCAL_MACHINE (HKLM) system registry hive. The contents of the \User\Registry.pol file are imported into the HKEY_CURRENT_USER (HKCU) branch when the user logs in.

When opened, the Local Group Policy Editor console loads the contents of these files and provides them in a user-friendly graphical form. When you close the GPO Editor, the changes you make are written to the Registry.pol files. After updating group policies (using the gpupdate /force command or on a schedule), the new settings are added to the registry.

Advice. To make changes to files, you should only use the GPO Group Policy Editor. It is not recommended to edit Registry.pol files manually or using older versions of the Group Policy Editor!
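To see which settings a Registry.pol file carries before it is deleted, the file can be read without modifying it. The following is an added example, not code from the original article: it parses the PReg layout (an 8-byte header followed by UTF-16LE `[key;value;type;size;data]` records). The sample bytes and the `Software\Policies\Example` key are constructed for illustration.

```python
import struct

U16 = "utf-16-le"  # Registry.pol strings and delimiters are UTF-16LE

def _cstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, next_pos)."""
    for end in range(pos, len(buf) - 1, 2):
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode(U16), end + 2
    raise ValueError("unterminated string")

def _skip(buf, pos, ch):
    """Require the 2-byte delimiter ch at pos and step over it."""
    if buf[pos:pos + 2] != ch.encode(U16):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_registry_pol(buf):
    """Return (key, value_name, reg_type, data) for each record in a PReg buffer."""
    if len(buf) < 8 or struct.unpack_from("<4sI", buf) != (b"PReg", 1):
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _cstr(buf, _skip(buf, pos, "["))
        name, pos = _cstr(buf, _skip(buf, pos, ";"))
        pos = _skip(buf, pos, ";")
        # Fixed part of a record: type ; size ;  (padding makes a short read fail the check)
        rtype, s1, size, s2 = struct.unpack("<I2sI2s", buf[pos:pos + 12].ljust(12, b"\0"))
        data = buf[pos + 12:pos + 12 + size]
        if s1 != b";\x00" or s2 != b";\x00" or len(data) != size:
            raise ValueError("malformed or truncated record")
        pos = _skip(buf, pos + 12 + size, "]")
        if rtype == 4 and size == 4:        # REG_DWORD
            data = struct.unpack("<I", data)[0]
        elif rtype in (1, 2):               # REG_SZ, REG_EXPAND_SZ
            data = data.decode(U16).rstrip("\0")
        entries.append((key, name, rtype, data))
    return entries

def directives(entries):
    """Value names starting with '**' (e.g. **del.Name) are instructions, not stored values."""
    return [e for e in entries if e[1].startswith("**")]

def _record(key, name, rtype, data):  # builds one record for the constructed sample only
    head = ("[" + key + "\0;" + name + "\0;").encode(U16) + struct.pack("<I", rtype)
    return head + b";\x00" + struct.pack("<I", len(data)) + b";\x00" + data + b"]\x00"

# Constructed sample, not taken from a real machine.
SAMPLE = (struct.pack("<4sI", b"PReg", 1)
          + _record(r"Software\Policies\Microsoft\Windows\System", "DisableCMD", 4, struct.pack("<I", 1))
          + _record(r"Software\Policies\Example", "**del.ExampleValue", 1, " \0".encode(U16)))
```

On a real system, pass `parse_registry_pol` the bytes of one of the Registry.pol files listed above, opened in binary mode.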

To remove all current local group policy settings, you must delete the Registry.pol files in the GroupPolicy directory. You can do this with the following commands, running in a command prompt with administrator rights:

RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"

After this, you need to update the policy settings in the registry:

Gpupdate /force

These commands will reset all local group policy settings in the Computer Configuration and User Configuration sections.

Open the gpedit.msc editor console and make sure that all policies are in the Not configured state. After the gpedit.msc console is launched, the deleted folders will be re-created automatically with default settings.

Resetting local Windows security policies

Local security policies are configured using a separate management console, secpol.msc. If problems with your computer are caused by “tightening the screws” in local security policies, and if the user still has access to the system and administrative rights, you should first try resetting the local Windows security policy settings to their default values. To do this, in a command prompt with administrator rights, run:

  • For Windows 10, Windows 8.1/8 and Windows 7: secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
  • For Windows XP: secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

After which the computer needs to be restarted.

If problems with security policies persist, try manually renaming the local security policy database checkpoint file %windir%\security\database\edb.chk

ren %windir%\security\database\edb.chk edb_old.chk

Run the command:
gpupdate /force
Restart Windows using:
Shutdown -f -r -t 0

Resetting local policies when you can't log into Windows

If local login is not possible or the command line cannot be launched (for example, when blocking it and other programs using ), you can delete the Registry.pol files by booting from the Windows installation disk or any LiveCD.


Resetting applied domain GPO settings

A few words about domain group policies. If the computer is included in an Active Directory domain, some of its settings can be managed by the domain administrator through domain GPOs.

The registry.pol files of all applied domain group policies are stored in the directory %windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies. Each policy is stored in a separate directory with the domain policy GUID.

These registry.pol files correspond to the following registry branches:

  • HKLM\Software\Policies\Microsoft
  • HKCU\Software\Policies\Microsoft
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

The history of applied versions of domain policies that are saved on the client is located in the following branches:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\

When a computer is excluded from a domain, the registry.pol files of domain policies on the computer are deleted and, accordingly, are not loaded into the registry.

If you need to forcefully delete domain GPO settings, you need to clear the %windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies directory and delete the specified registry keys (it is strongly recommended to create a backup copy of the deleted files and registry keys!!!). Then run the command:

gpupdate /force /boot

Advice. This technique allows you to reset all local group policy settings in all versions of Windows. All settings made using the Group Policy Editor are reset; however, changes made to the registry directly through the registry editor, REG files or any other way are not reset.