Windows 8.1: Local Security Policy Editor

Windows 8.1: Local Security Policy Editor
By

In Windows 8.1, Gpedit has a little sister called Secpol, which controls the security subset of local group policies. Here's how -- and when -- to use Secpol.

Windows 8.1 Group Policy Strategy

If you have Active Directory then you don't need Secpol because you can use the GPMC (Group Policy Management Console) on the domain controller. However, if you are checking or configuring security settings on a Windows 8.1 computer in a Workgroup or HomeGroup then you need the Local Security Editor -- secpol.msc.

Launch Windows 8.1 Secpol.msc

When you want change a security setting this is how you launch the Local Security Policy Editor.

1. Click in the search dialog box (from either the Apps panel or the "Everywhere" sidebar) and type: secpol.msc  
Note:
Remember to type the .msc file extension, otherwise Windows 8.1 won't find the snap-in.
2. When secpol.msc appears in the search results, consider creating a shortcut by right-clicking and choosing either "Pin to Taskbar" or "Pin to Start Menu."

3. Navigating through the security settings is as easy as finding files and folders with Windows Explorer.

Types of Group Policy Settings

To get a feel of this snap-in, the most interesting policies are under the Security Options folder.

However there are also policies for other aspects of security, for example: passwords, networks, auditing, and settings for the Windows Firewall.

Problem: Cannot Find the Windows 8.1 Secpol.msc

A common problem is that even though you type precisely secpol.msc, Windows 8.1 cannot find secpol.msc. The most likely cause is that you aren’t running Windows 8.1 Pro or Enterprise. Unfortunately you don’t get secpol.msc in the basic editions.

Another common problem is that you forget to type the .msc file extension. Windows 8.1 cannot find secpol unless you append the .msc file extension.

Additionally, your problem launching the group policy editor could be a plain typo and you type seckpl.mcs or some other anagram of secpol.msc.  A good troubleshooting technique is to try typing gpedit.msc and use the "big brother."

Windows 8.1 Secpol Case Study

How To Stop Users Remotely Shutting Down Computers

Scenario: You have a user on your network who keeps shutting down other people's machines by abusing "Shutdown -s."

Solution: Configure a security policy to prevent "Force Shutdown From a Remote Machine."

  1. Launch GPMC or secpol.msc
  2. Navigate to Local Policies, User Rights Assignment.
  3. Seek "Force shutdown from remote system."

Experiment by assigning just your account, rather than all administrators.

How To Change User Account Control (UAC) Behavior

Scenario: You are performing a large number of software updates and new application installs, but want to save time by restricting the prompt for permissions for every application activity.

Solution: Edit the policy associated with the UAC popups to eliminate them temporarily during your updates.

  1. Launch GPMC or secpol.msc
  2. Navigate to Local Policies and select Security Options
  3. Seek "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode."
  4. Select "Elevate without prompting" in the list and close.

Storing Microsoft's Windows 8.1 Group Policies

Windows 8.1 Group Policies, created by secpol.msc are stored in a special hidden folder:

%SystemRoot%\System32\GroupPolicy\

Actually there are two sub-folders where you will find the registry.pol files:

..\GroupPolicy\Machine and ..\GroupPolicy\User

The names of these files remind us that virtually all group policy settings affect settings in the registry.  Incidentally, the environment variable %SystemRoot% usually translates to C:\Windows.

Summary

Microsoft supplies a Local Policy Editor so that you can change security settings without resorting to regedit. If you are already familiar with gpedit.msc or GPMC, then secpol.msc is a subset.

If you are troubleshooting why secpol.msc does not seem to exist in your copy of Windows 8.1, then the reason is probably that you have the Basic version of Windows 8.1; unfortunately, you need to upgrade to Pro or Enterprise, or else try another machine that runs either of those Windows versions and remotely edit the security policy of your target machine.

RELATED:

Author’s Note:  This article updated to Windows 8.1 from Guy Thomas’s “Windows 8's Local Security Policy Editor”.

Comments