Creating A Steady State by Using Microsoft Technologies
Microsoft Corporation
Published: September 2010
Abstract
This document provides information for IT professionals and partners who support Internet cafes,
libraries, and schools. It describes how to use Group Policy settings, native Windows 7 features,
and the Microsoft Deployment Toolkit to create a steady state on shared-access computers.
Copyright information
This document is provided as-is. Information and views expressed in this document, including
URL and other Internet website references, may change without notice. You bear the risk of using
it.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
Contents
Creating a Steady State by Using Microsoft Technologies
Native Windows Features
Scenarios and Limitations
    Introducing Ben Miller
Configuring Standard User Accounts
Configuring Shared User Accounts
Creating a Mandatory User Profile
Assigning a Mandatory User Profile
Configuring Accounts to Autologon
Configuring Group Policy Settings
Blocking Applications
Scheduling Updates
Using Group Policy Preferences
Restoring the Hard Disk Drive
    System Restore
Using the Microsoft Deployment Toolkit 2010
Exporting and Importing Profiles
Virtualizing Shared Computers
Additional Information
Creating a Steady State by Using Microsoft Technologies (this document) Describes the
native Windows 7 features and free tools from Microsoft that you can use to create a steady
state on computers running Windows 7.
For a web version of this document, see Creating a Steady State by Using Microsoft
Technologies in the Windows 7 Technical Library.
Group Policy Settings for Creating a Steady State Describes Group Policy settings that you
can use to configure computer and user settings and prevent users from changing those
settings.
For a web version, see Group Policy Settings for Creating a Steady State in the Microsoft
Download Center.
The SteadyState Reference worksheet (a downloadable .xlsx file) Lets you look up and filter the
settings that the two previous documents describe. For example, you can quickly find information
about settings that are related to Start menu restrictions.
changes to a location within a user's profile. The application believes it has full access to the
system, even though it does not. Users can continue using older applications that are not
compatible with standard user accounts without affecting other users on a shared computer.
[Table: Windows SteadyState features and their Windows 7 counterparts. Columns: Windows SteadyState, Windows 7, In this document. Only fragments survived extraction. Row labels: "Creating user accounts and configuring user settings", "Setting computer restrictions", "Scheduling software updates", "Windows Disk Protection helps ...", "... user session". Cross-references in the "In this document" column: Configuring Standard User Accounts, Scheduling Updates, Configuring Shared User Accounts, Restoring the Hard Disk Drive, Exporting and importing user profiles.]
With the exception of Windows Disk Protection, the features that Windows SteadyState provides
have counterparts in the native Windows 7 features and the free tools that this document
describes. Although Windows SteadyState does provide a single, easy-to-use interface for
configuring shared computers, any IT pro or partner can easily set up and manage shared
computers by following the guidance in this document. As for Windows Disk Protection, the
section titled Restoring the Hard Disk Drive recommends strategies that can help you simulate, if
not replicate, this feature.
This document supports a variety of scenarios. These include computers that are shared in
businesses (for example, kiosks and call centers), libraries, schools, and Internet cafes. To help
2. Click the Users folder, click Action, and then click New User.
3. In the New User dialog box (shown in Figure 1), type the appropriate information, and
then click Create.
Figure 2 Copying the default user profile by using the User Profiles dialog box
8. In the Copy To dialog box, do the following:
a. In the Copy profile to text box, type the path of the location where you want to save
the default user profile.
b. Under Permitted to use, click Change, type Everyone, and then click OK.
9. Click OK to copy the default user profile.
Note
Other methods of creating default user profiles exist. For example, you can click
the Copy To button on the User Profiles dialog box to copy a user profile folder to
the default user profile. However, the steps that this section describes are the
only steps that Microsoft supports for customizing a default user profile. These
steps clean the source user profile so that it supports multiple users. For more
information, see How to customize default user profiles in Windows 7 and in
Windows Server 2008 R2.
On the View tab, select the Show hidden files and folders check box, clear the
Hide protected operating system files check box, click Yes to confirm that you
want to show operating system files, and then click OK to save your changes.
d. Rename Ntuser.dat to Ntuser.man. Figure 3 shows what this should look like in
Windows Explorer with hidden files showing.
Value               Type      Setting
AutoAdminLogon      REG_SZ
DefaultDomainName   REG_SZ    LITWARE
DefaultUserName     REG_SZ    ByaGuest
DefaultPassword     REG_SZ    Password
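The following PowerShell is an added example and is not part of the Microsoft document. It writes the four Winlogon values from the table and then audits the result from a defender's point of view. It assumes an elevated PowerShell 2.0+ session on Windows 7, the standard Winlogon key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (not named on this page), the constructed account LITWARE\ByaGuest from the table, and that AutoAdminLogon is set to 1 to turn autologon on (the extracted table does not show that value).

```powershell
# Added example, not from the Microsoft document. $Winlogon is the standard Winlogon key.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-SharedAutologon {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,    # e.g. LITWARE (from the table)
        [Parameter(Mandatory=$true)][string]$UserName,  # e.g. ByaGuest (from the table)
        [Parameter(Mandatory=$true)][string]$Password
    )
    # Every value is REG_SZ, as the table specifies. '1' is the documented "on" value.
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'       -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $Domain   -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $UserName -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultPassword   -Value $Password -Type String
}

function Test-SharedAutologon {
    # Returns a list of findings; an empty list means the configuration looks sane.
    $p = Get-ItemProperty -Path $Winlogon
    $findings = @()
    if ($p.AutoAdminLogon -ne '1') { $findings += 'AutoAdminLogon is not 1; nobody is logged on automatically.' }
    if (-not $p.DefaultUserName)   { $findings += 'DefaultUserName is missing.' }
    if ($p.DefaultPassword) {
        # The Winlogon key is readable by every local user, so this password is effectively
        # public on the shared computer. Treat the account accordingly: standard user,
        # mandatory profile, no rights beyond the kiosk itself. The Sysinternals Autologon
        # tool stores the password as an LSA secret instead of a readable REG_SZ.
        $findings += 'DefaultPassword is stored as cleartext REG_SZ; assume every user can read it.'
    }
    # The account that logs on automatically must never be a local administrator.
    $admins = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    if ($admins -contains $p.DefaultUserName) {
        $findings += "$($p.DefaultUserName) is a member of the local Administrators group."
    }
    return $findings
}

# Usage with the constructed values from the table (the password is a placeholder):
# Set-SharedAutologon -Domain 'LITWARE' -UserName 'ByaGuest' -Password 'Password'
# Test-SharedAutologon | ForEach-Object { Write-Warning $_ }
```

The same four values can be pushed by the Group Policy preferences registry items that a later section describes; the audit function is useful either way.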
Administrators Local Group Policy. This LGPO applies user policy settings to members of
the Administrators group.
Non-Administrators Local Group Policy. This LGPO applies user policy settings to users
who are not included in the Administrators group.
User-Specific Local Group Policy. This LGPO applies user policy settings to a specific local
user.
Using multiple LGPOs has an advantage over configuring a single LGPO. The single
LGPO applies settings to the computer and to all users who use the computer. So the
restrictions in the LGPO apply to local administrators, and these restrictions can prevent
administrators from maintaining the computer without first resetting the LGPO. Instead,
you can configure restrictions by using the non-administrators LGPO. This leaves
administrators free to maintain the computer while applying restrictions to standard users.
1. Click Start, type mmc, and press ENTER to open the Microsoft Management Console.
2. Click File, and then click Add/Remove Snap-in.
3. In the Available Snap-ins list, click Group Policy Object Editor, and then click Add.
4. In the Select Group Policy Object dialog box, click the Browse button.
5. In the Browse for the Group Policy Object dialog box, click the Users tab, and then
click the user or group for which you want to create or edit the local Group Policy
settings.
6. Click OK, click Finish, and then click OK.
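As an added example (not from the Microsoft document), this PowerShell inventories which of the multiple LGPOs exist on a Windows 7 computer, so you can confirm that restrictions landed in the Non-Administrators LGPO rather than in the Local Computer Policy that also binds administrators. It assumes an elevated PowerShell 2.0+ session and the storage layout Windows 7 uses: the computer LGPO under %SystemRoot%\System32\GroupPolicy and each user or group LGPO under %SystemRoot%\System32\GroupPolicyUsers\<SID>, with Administrators = S-1-5-32-544 and Non-Administrators = S-1-5-32-545.

```powershell
# Added example, not from the Microsoft document. The LGPO folders are hidden, hence -Force.
function Get-LocalGpoInventory {
    $known = @{ 'S-1-5-32-544' = 'Administrators LGPO'; 'S-1-5-32-545' = 'Non-Administrators LGPO' }
    $rows = @()
    $computerGpo = Join-Path $env:SystemRoot 'System32\GroupPolicy'
    $rows += New-Object PSObject -Property @{
        Scope              = 'Local Computer Policy (binds every user, administrators included)'
        HasMachineSettings = (Test-Path (Join-Path $computerGpo 'Machine\registry.pol'))
        HasUserSettings    = (Test-Path (Join-Path $computerGpo 'User\registry.pol'))
    }
    $base = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'
    if (Test-Path $base) {
        foreach ($dir in Get-ChildItem -Path $base -Force | Where-Object { $_.PSIsContainer }) {
            $sid = $dir.Name
            if ($known.ContainsKey($sid)) {
                $scope = $known[$sid]
            } else {
                # Any other folder name is the SID of a user-specific LGPO; resolve it to a name.
                try {
                    $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount])
                    $scope = "User-specific LGPO for $($acct.Value)"
                } catch { $scope = "User-specific LGPO for unresolved SID $sid" }
            }
            $rows += New-Object PSObject -Property @{
                Scope              = $scope
                HasMachineSettings = $false   # user/group LGPOs carry user settings only
                HasUserSettings    = (Test-Path (Join-Path $dir.FullName 'User\registry.pol'))
            }
        }
    }
    return $rows
}

# Get-LocalGpoInventory | Format-Table Scope, HasUserSettings, HasMachineSettings -AutoSize
```

A Local Computer Policy row with HasUserSettings = True on a shared computer is worth a second look, since those user settings also restrict the administrators who maintain it.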
Blocking Applications
Windows SteadyState allows you to create a list of programs to block for each user. Windows 7
includes a more robust feature for controlling the applications that users can run: AppLocker (see
Figure 6). AppLocker works with the LGPOs and GPOs that are deployed in Active Directory, and
it provides a significant advantage for shared computer environments. AppLocker is supported by
the Windows 7 Enterprise or Windows 7 Ultimate operating systems.
AppLocker is more flexible than earlier tools for managing the applications that users can run,
including software restriction policies and Windows SteadyState. Instead of providing a list of
programs to block, AppLocker allows you to specify which applications users are allowed to run.
Doing so can make controlling applications easier because it allows you to prevent even unknown
applications from running on the computer.
Figure 6 Defining an AppLocker rule by using the Create Executable Rules Wizard
With AppLocker, you can:
Define rules based on file attributes, such as the file's digital signature, including the
publisher, product name, file name, or file version. For example, you can create a rule that
specifically allows any version of Adobe Acrobat Reader to run.
Create exceptions to rules. For example, you can create a rule that allows all built-in
Windows programs to run except the Registry Editor (Regedit.exe), preventing users from
trying to make changes to the registry.
Creating AppLocker rules by using the Create Executable Rules Wizard is easy. You can learn
more about AppLocker on TechNet.
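The following PowerShell is an added example, not from the Microsoft document or the wizard it shows. It builds the allow-list policy described above (Windows and Program Files allowed for everyone, Regedit.exe excepted, administrators unrestricted) as AppLocker policy XML, dry-runs it with Test-AppLockerPolicy, applies it locally and shows where to watch the audit events. It assumes Windows 7 Enterprise or Ultimate with the AppLocker PowerShell module, an elevated session, constructed rule Ids and file names, and the well-known SIDs S-1-1-0 (Everyone) and S-1-5-32-544 (Administrators).

```powershell
# Added example, not from the Microsoft document. Rule Ids and file names are constructed.
Import-Module AppLocker

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0001-4000-8000-000000000001" Name="Windows folder, except Regedit"
                  Description="Constructed example" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
        <FilePathCondition Path="%WINDIR%\SysWOW64\regedit.exe" />
        <!-- user-writable folders inside Windows must not inherit the allow rule -->
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0002-4000-8000-000000000002" Name="Program Files"
                  Description="Constructed example" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0003-4000-8000-000000000003" Name="Administrators: everything"
                  Description="Constructed example" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'shared-pc-applocker.xml'   # constructed file name
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against two real binaries plus a copy of one placed outside the allowed folders:
# anything no allow rule matches is DeniedByDefault, the behaviour the text describes.
$unknown = Join-Path $env:PUBLIC 'unknown-app.exe'
Copy-Item -Path (Join-Path $env:windir 'notepad.exe') -Destination $unknown -Force
$samples = @((Join-Path $env:windir 'notepad.exe'), (Join-Path $env:windir 'regedit.exe'), $unknown)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $unknown

# Apply as local policy (for a GPO in Active Directory, pass -Ldap with the GPO's LDAP path).
# AppLocker only enforces while the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Stay in AuditOnly until this log shows no unexpected 8003 events (would have been blocked);
# switch EnforcementMode to "Enabled" afterwards, at which point real blocks log as 8004.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Where-Object { $_.Id -eq 8003 -or $_.Id -eq 8004 } | Format-Table TimeCreated, Id, Message -Wrap
```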
Scheduling Updates
Ben's requirements include keeping computers healthy and protecting users from security risks. A
key way Ben can do that is by applying security updates regularly. One option is to manually
configure Automatic Updates. To do that, he simply clicks Start, types windows update, and clicks
Windows Update. Then, he clicks Change settings and chooses which type of updates to install
and when to install them.
To configure Automatic Updates for shared computers, Ben can use Group Policy settings.
Because Blue Yonder Airlines uses Windows Server Update Services (WSUS) to install Windows
updates, Ben will create a GPO in Active Directory that configures his shared computers to
automatically download and install approved updates from WSUS.
You can also configure an LGPO or a GPO in Active Directory to automatically download and
install updates from Windows Update. As shown in Figure 7, Windows Update settings are
located at:
Computer Configuration\Administrative Templates\Windows Components\Windows Update
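As an added example (not from the Microsoft document), this PowerShell checks what the Windows Update policy above actually configured on a shared computer, with the checks a defender would want for an autologon kiosk. It assumes an elevated PowerShell 2.0+ session and the standard policy keys that the Group Policy path maps to, HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey (neither named on this page).

```powershell
# Added example, not from the Microsoft document. These are the standard policy keys that
# "Computer Configuration\Administrative Templates\Windows Components\Windows Update" writes.
$WUKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUKey = Join-Path $WUKey 'AU'

function Test-SharedPcUpdatePolicy {
    # Returns findings; an empty list means updates install unattended from the WSUS server.
    $findings = @()
    if (-not (Test-Path $AUKey)) { return @('No Windows Update policy applies to this computer.') }
    $au = Get-ItemProperty -Path $AUKey
    $wu = Get-ItemProperty -Path $WUKey
    if ($au.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate=1: Automatic Updates is disabled by policy.' }
    # AUOptions 4 = auto download and schedule the install. 2, 3 and 5 leave a step to the
    # user, and on a kiosk whose only user is an autologon standard user that step never happens.
    if ($au.AUOptions -ne 4) { $findings += "AUOptions=$($au.AUOptions): installs are not fully unattended." }
    if ($au.UseWUServer -eq 1) {
        if (-not $wu.WUServer) {
            $findings += 'UseWUServer=1 but WUServer is empty: clients will never receive updates.'
        } elseif ($wu.WUServer -notmatch '^https://') {
            # Update metadata fetched over plain HTTP can be altered on the path to the client;
            # publish WSUS over HTTPS and point WUServer and WUStatusServer at that URL.
            $findings += "WUServer=$($wu.WUServer) uses HTTP rather than HTTPS."
        }
    }
    if ($au.NoAutoRebootWithLoggedOnUsers -eq 1) {
        # With autologon someone is always logged on, so this setting defers reboots indefinitely.
        $findings += 'NoAutoRebootWithLoggedOnUsers=1: pending updates would never finish installing.'
    }
    return $findings
}

# Test-SharedPcUpdatePolicy | ForEach-Object { Write-Warning $_ }
```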
To do that, Ben can use Group Policy preferences in the Group Policy Management Console. In
Figure 8, you see how Ben uses registry items in Group Policy preferences to configure
Autologon in Windows 7. (LGPOs do not support Group Policy preferences.) By using Group
Policy preferences, Ben can configure settings for applications that do not support Group Policy.
Also, he can configure these settings and allow users to change them, or he can enforce them
each time Group Policy refreshes. To learn more about Group Policy preferences, see Group
Policy Preferences Overview.
changing them. Group Policy refreshes policy settings every 90 minutes, by default, but this time
can be configured by a Group Policy administrator.
In contrast to Group Policy settings, Group Policy preferences are not strictly enforced. Group
Policy does not store preferences in the Policy branches of the registry. Instead, it writes
preferences to the same locations in the registry that the application or operating system feature
uses to store the settings. The implications of this include:
Group Policy preferences support applications and operating system features that are not
compatible with Group Policy.
Group Policy preferences do not cause the application or operating system feature to disable
the user interface for the settings they configure.
The result is that when you deploy Group Policy preferences, users can change the settings. By
default, Group Policy refreshes preferences at the same interval as Group Policy settings.
However, you can prevent Group Policy from refreshing individual preferences by choosing to
apply them only once. Doing so configures the preference one time and allows the user to
change it.
Group Policy filtering is substantially different from Group Policy preference item-level targeting.
You filter GPOs using WMI filters, and those filters determine whether Group Policy applies the
entire GPO. You cannot filter individual policy settings within a GPO. Of course, you can create
GPOs based upon your filtering requirements to work around this limitation, but that might lead to
a large set of GPOs to manage. On the other hand, Group Policy preferences support item-level
targeting: you can target individual preference items within a GPO. For example, a single GPO
can contain two preference items, both of which configure power policies. You can target the first
preference item at desktop PCs and the second at mobile PCs. Additionally, whereas Group
Policy filtering requires you to write sometimes complex WMI queries, item-level targeting
provides a friendly user interface.
System Restore
System Restore is a Windows 7 feature that helps users quickly recover from problems. System
Restore saves snapshots of the system at key points, such as before installing an application or
device driver. Users can recover from a problem by restoring the operating system to one of
these snapshots.
Although scripting is beyond the scope of this document, it is possible to use System Restore to
simulate the functionality of Windows Disk Protection. The TechNet Script Center Repository
contains a number of scripts for automating System Restore. You can use these scripts to
assemble a solution that creates a snapshot during installation, and then restores the computer to
that snapshot when the user logs off of the computer.
System Restore does not restore users' files; however, combining System Restore with
mandatory user profiles can almost completely reset a computer between each user session.
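The following PowerShell is an added example, not from the Microsoft document and not one of the TechNet Script Center scripts it refers to. It shows the two halves of the approach just described: a baseline restore point taken once after installation, and a revert to that baseline at logoff. It assumes an elevated PowerShell 2.0+ session on Windows 7, System Restore available on C:, and a constructed file path for recording the baseline. Restore-Computer restarts the computer.

```powershell
# Added example, not from the Microsoft document. $BaselineFile is a constructed path.
$BaselineFile = Join-Path $env:ProgramData 'SharedPcBaseline.txt'

function New-SharedPcBaseline {
    # Run once, after the shared computer is fully configured (accounts, profiles, policies).
    Enable-ComputerRestore -Drive 'C:\'
    Checkpoint-Computer -Description 'Shared PC baseline' -RestorePointType MODIFY_SETTINGS
    # Record the newest restore point's sequence number so the logoff step can find it later.
    $rp = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
    $rp.SequenceNumber | Set-Content -Path $BaselineFile
    return $rp.SequenceNumber
}

function Restore-SharedPcBaseline {
    # Run at logoff. A user logoff script executes with that user's (standard) rights, which
    # is not enough for Restore-Computer, so trigger this from a scheduled task that runs
    # as SYSTEM on the logoff event instead of from a user-side Group Policy script.
    if (-not (Test-Path $BaselineFile)) { throw "No baseline recorded in $BaselineFile" }
    $seq = [int](Get-Content -Path $BaselineFile)
    # System Restore prunes old restore points when its disk quota fills, so verify first;
    # reverting to the wrong point would be worse than not reverting at all.
    $exists = Get-ComputerRestorePoint | Where-Object { $_.SequenceNumber -eq $seq }
    if (-not $exists) { throw "Baseline restore point $seq no longer exists; take a new baseline" }
    # Reverts system files, the registry and installed programs, then restarts. User files
    # are not touched, which is why the text pairs this with mandatory user profiles.
    Restore-Computer -RestorePoint $seq -Confirm:$false
}

# New-SharedPcBaseline          # once, after setup
# Restore-SharedPcBaseline      # at each logoff, from the SYSTEM scheduled task
```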
Connect two computers by using an Easy Transfer Cable and then run Windows Easy
Transfer on both computers to transfer everything.
Export a shared computer's accounts to a removable storage device, then transfer them to
other computers.
Ben wants to copy accounts from one shared computer to another without connecting them, so
he will export a shared computer's accounts to a removable storage device. Then, he can transfer
the accounts to other shared computers from the removable storage device.
Use the following procedure on the computer whose accounts you want to save and copy.
1. On the Start menu, type easy transfer, and then click Windows Easy Transfer.
2. Click Next.
3. Click An external hard disk or USB flash drive, and click Next.
4. Click This is my old computer.
5. Select the check box next to each account that you want to export to the removable
storage device, as shown in Figure 9, and then click Next.
7. Click Close.
Windows Virtual PC. Windows Virtual PC is a free download for Windows 7 that provides
desktop virtualization on the client. Although Windows Virtual PC does not provide the
deployment and management features of other Microsoft virtualization products, it is a simple
solution to shared-access computing. For example, you can use the Undo Disks tool to
restore virtual machines to their original state. The Virtual PC Guy's Blog contains numerous
scripts that you can use to automate various tasks. The drawback to using Windows Virtual
PC in Ben's scenario is that preventing users from accessing the host computer is difficult.
For more information, see Windows Virtual PC.
Virtual Desktop Infrastructure (VDI). With VDI, businesses host users' desktops in the
datacenter. Users access those desktops by using Remote Desktop Connection. VDI has the
potential to be viable in shared-computer scenarios. You can put thin clients in public areas
instead of rich clients. Then, employees can access their own virtual desktops from the
datacenter. In this case, the thin client is shared, but the desktop experience is not. You can
also provide access to shared virtual desktops. In this case, the thin client and the desktop
experience are shared. The benefit is that you can heavily manage the virtual desktop from a
central location. Additionally, you can write scripts to add capabilities such as reverting to a
snapshot when a user logs off of the desktop. See Operating system virtualization for more
information.
Application Virtualization (App-V). App-V is part of MDOP. By itself, App-V does not
provide the capability to virtualize shared computers. However, App-V can add value to
shared computers by giving users access to their applications from any shared computer they
use. For more information, see Application Virtualization.
Additional Information
AppLocker on TechNet
Group Policy
How to customize default user profiles in Windows 7 and in Windows Server 2008 R2
Microsoft Virtualization
Windows SteadyState