Creating a Steady State by Using Microsoft

Technologies
Microsoft Corporation
Published: September 2010

Abstract
This document provides information for IT professionals and partners who support Internet cafes,
libraries, and schools. It describes how to use Group Policy settings, native Windows 7 features,
and the Microsoft Deployment Toolkit to create a steady state on shared-access computers.

Copyright information
This document is provided as-is. Information and views expressed in this document, including
URL and other Internet website references, may change without notice. You bear the risk of using
it.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.

Contents
Creating a Steady State by Using Microsoft Technologies..............................................................4
Native Windows Features............................................................................................................... 5
Scenarios and Limitations............................................................................................................... 6
Introducing Ben Miller.............................................................................................................. 8
Configuring Standard User Accounts.............................................................................................. 8
Configuring Shared User Accounts............................................................................................... 12
Creating a Mandatory User Profile................................................................................................12
Assigning a Mandatory User Profile.............................................................................................. 13
Configuring Accounts to Autologon...............................................................................................14
Configuring Group Policy Settings................................................................................................15
Blocking Applications.................................................................................................................... 17
Scheduling Updates...................................................................................................................... 18
Using Group Policy Preferences................................................................................................... 20
Restoring the Hard Disk Drive...................................................................................................... 21
System Restore......................................................................................................................... 22
Using the Microsoft Deployment Toolkit 2010...............................................................................22
Exporting and Importing Profiles................................................................................................... 23
Virtualizing Shared Computers..................................................................................................... 25
Additional Information................................................................................................................ 26

Creating a Steady State by Using Microsoft

Technologies
Shared computers present unique challenges. Microsoft publishes software that gives users a
great degree of flexibility, allowing them to customize their experiences by configuring their
computers settings. In shared-computer scenarios, however, administrators want to limit users
ability to change settings, particularly settings that would affect the health of the computer or the
experience of other users. Privacy and consistency are very important in shared-computer
scenarios.
Windows SteadyState is a free tool from Microsoft that helps make shared computers easier
to set up and manage. In scenarios where users share computers (for example, in kiosks,
schools, libraries, or Internet cafes). Windows SteadyState helps make those computers more
reliable, providing a more consistent experience for users. Additionally, it helps defend shared
computers from unauthorized changes and restricts users from changing system settings or files.
Windows SteadyState is a useful tool for shared-computer access; however, it supports 32-bit
versions of Windows XP and Windows Vista only. It does not support Windows 7. You can learn
more about Windows SteadyState, including the Windows operating systems it supports, at
Windows SteadyState.
Even though Windows SteadyState does not support Windows 7, many of its features can be
replicated by using native Windows 7 features and free tools from Microsoft. For example, you
can configure many Group Policy settings, and prevent users from changing them. You can use
the Microsoft Deployment Toolkit (MDT) 2010 to quickly reimage shared computers and restore
their original states. In addition to simulating many of the significant Windows SteadyState
features, using these features and free tools has the added benefit of supporting 64-bit
computers.
This document is part of a set of documents that is intended primarily for IT pros who configure
shared-computer access in business environments. But partners who support shared-computer
access in schools, libraries, and Internet cafes will also find the information useful. The document
set includes:

Creating a Steady State by Using Microsoft Technologies (this document) Describes the
native Windows 7 features and free tools from Microsoft that you can use to create a steady
state on computers running Windows 7.
For a web version of this document, see Creating a Steady State by Using Microsoft
Technologies in the Windows 7 Technical Library.

Group Policy Settings for Creating a Steady State Describes Group Policy settings that you
can use to configure computer and user settings and prevent users from changing those
settings.
For a web version, see Group Policy Settings for Creating a Steady State in the Microsoft
Download Center.

Note

The SteadyState Reference worksheet (a downloadable .xlsx file) Look up and filter settings
that the two previous documents describe. For example, you can quickly find information
about settings that are related to Start menu restrictions.

In this document:

Native Windows Features

Scenarios and Limitations

Configuring Standard User Accounts

Configuring Shared User Accounts

Configuring Group Policy Settings

Restoring the Hard Disk Drive

Exporting and Importing Profiles

Virtualizing Shared Computers

To provide feedback or ask questions about the information that these documents
contain, please contact: Windows IT Pro Community.

Native Windows Features

Microsoft developed Windows SteadyState when the Windows management features were less
robust and mature than they are today. As an example, many businesses allowed users to log on
to their computers with full administrative access, simply because most applications required full
access to the computer, and restricting users accounts significantly limited their flexibility.
On the other hand, Windows 7 is a modern operating system that supports modern management
features. Businesses can more easily deploy standard user accounts (accounts with limited
access to the systems files and settings) without limiting users productivity. This contributes
significantly to your ability to simulate many Windows SteadyState features by using native
Windows 7 features. Additionally, many Group Policy settings are available for restricting
computer and user settings, and features like AppLocker allow businesses to control which
applications users can run.
When users log on to computers as a member of the Administrators group, they can change any
file or setting and access other users files on shared computers. Obviously, allowing users to log
on to shared computers as a member of the Administrators group is not a best practice. When
users log on to computers with standard user accounts, they cannot change system files or
settings; therefore, standard user accounts protect the computers configuration from malicious or
accidental changes. Additionally, users with standard user accounts cannot access other users
files on a shared computerprotecting other users privacy.
Users with standard user accounts cannot change system settings or files, but this does not
prevent them from using their older applications. Applications that are designed for Windows 7
should already work with standard user accounts. For older applications that are not compatible
with standard user accounts, Windows 7 provides the ability to redirect an applications system
5

changes to a location within a users profile. The application believes it has full access to the
system, even though it does not. Users can continue using older applications that are not
compatible with standard user accounts without affecting other users on a shared computer.

Scenarios and Limitations

Windows SteadyState provides key features for setting up and managing shared computers
running Windows XP or Windows Vista. At a high level, the Windows SteadyState features and
the Windows 7 features that this document describes include the following:
Windows SteadyState

Windows 7

In this document

Creating user
accounts and
configuring user
settings

You can apply system

and feature restrictions
to each user account
on the computer so
that users have limited
access to Windows
system tools, other
services, applications,
files, and data.

You can create

standard user
accounts to isolate
users from system
tools, services,
applications, and files;
then, use Group Policy
settings to configure
and restrict access to
user settings.

Configuring Standard
User Accounts

Setting computer
restrictions

You can apply privacy

and security
restrictions to the
whole computer and
design a uniform user
experience.

You can create

Configuring Group
standard user
Policy Settings
accounts to restrict
users from changing
computer settings and
help protect their
privacy. You can
configure the computer
by using Group Policy
settings.

Scheduling software
updates

You can download and

install updates. This
works with Windows
Disk Protection to help
ensure that important
updates are applied to
the computer and not
removed.

You can schedule

Automatic Updates by
using Group Policy
settings. Standard
user accounts cannot
remove these
important updates.

Scheduling Updates

Restoring the hard

disk drive after each

Windows Disk
Protection helps

Users with standard

user accounts cannot

Restoring the Hard

Configuring Shared
User Accounts

Windows SteadyState

Windows 7

In this document

user session

protect the Windows

operating system and
program files from
permanent changes.
When people are
using the computer,
they can cause
changes to the hard
disk drive. However,
Windows Disk
Protection discards
those changes after
restarting the
computer.

change system files or

settings. Therefore,
discarding changes to
the hard disk drive
after each user
session is less critical.
This also eliminates
the complexity of
updating computers
that are using
Windows Disk
Protection. However,
you can restore the
hard disk drive on
shared computers
each night by using
MDT 2010.

Disk Drive

Exporting and
importing user
profiles

You can export shared

user profiles created
on one computer and
import them to any
computer on which
Windows SteadyState
is installed.

You can export users

Exporting and
files and settings by
Importing Profiles
using Windows Easy
Transfer, and then
import them on any
other computer.
Windows Easy
Transfer is a tool that
is built in to Windows 7
that users can use to
migrate their files and
settings from one
Windows installation to
another.

With the exception of Windows Disk Protection, the features that Windows SteadyState provides
have counterparts in the native Windows 7 features and the free tools that this document
describes. Although Windows SteadyState does provide a single, easy-to-use interface for
configuring shared computers, any IT pro or partner can easily set up and manage shared
computers by following the guidance in this document. As for Windows Disk Protection, the
section titled Restoring the Hard Disk Drive, recommends strategies that can help you simulate, if
not replicate, this feature.
This document supports a variety of scenarios. These include computers that are shared in
businesses (for example, kiosks and call centers), libraries, schools, and Internet cafes. To help
7

To create a local user account

1.
you better understand this documents recommendations, it follows a fictional user named Ben
Miller, who is an IT pro with Blue Yonder Airlines.

Introducing Ben Miller

Ben Miller is an IT pro for Blue Yonder Airlines. His manager tasked Ben with an exciting new
project: setting up shared-access computers.
He is configuring two types of shared computers. The first type are computers that employees
can use to check email, search the Web, and so on. These computers will be in meeting rooms
and cafeterias. Employees will use their own accounts to log on to these computers.
The second type are shared computers in public areas that guests can access. Because guests
will not have an account on the Blue Yonder Airlines domain, guests will log on to shared
computers by role. That is, they will log on to shared computers using a preconfigured account
named ByaGuest. Ben prefers to not enable the built-in Guest account.
In both cases, Ben has specific requirements. The health of the computers and users privacy are
paramount. Additionally, he wants to assure users a consistent experience every time they log on
to one of the shared computers. He is installing Windows 7; therefore, he cannot use Windows
SteadyState to configure the shared computers.

Configuring Standard User Accounts

The first step to configure the shared computers for Blue Yonder Airlines is to configure user
accounts on each computer. Because the company has a network of computers running Windows
Server 2008 R2, and the employee user accounts are listed in Active Directory, Ben does not
need to configure user accounts on the computers that employees will share. He simply needs to
avoid adding user accounts to the local Administrators group. Domain users are members of the
Standard Users group by default. This will isolate users so that they cannot change system files
or settings, and they cannot access other users files or settings.
Ben needs to create user accounts for computers that guests will share. The best way to define
these accounts is based on roles. For example, a school might define three rolesstudents,
teachers, and staffand then configure each shared account as appropriate. A library might
configure patron and staff roles. Ben needs only one named ByaGuest. Rather than creating this
account in Active Directory, he will create an account on each computer and then configure the
computers to automatically log on by using the ByaGuest account.
1. On the shared computer, click Start, type local users, and then click Edit local users
and groups. If Windows 7 prompts you for an administrator password or confirmation,
type the password or confirm that you want to continue.
8

Note
2. Click the Users folder, click Action, and then click New User.
3. In the New User dialog box (shown in Figure 1), type the appropriate information, and
then click Create.

Figure 1 Creating a new user account in Windows 7

4. If you want to create more than one user account, repeat the preceding steps for each
user account, and then click Close.
When you create user accounts for individual users, do not select the User cannot
change password check box. However, when you create shared, role-based user
accounts, select this check box to prevent users from changing the password and to
prevent other users from accessing the shared computer. Additionally, select the
Password never expires check box to ensure continuous access to the shared account.
In addition to creating standard user accounts, you can configure them when users first log on to
the computer. Windows 7 stores users files and settings in user profiles, which are separated
from system settings. By default, Windows 7 stores these user profiles in C:\Users, creating one
subfolder for each user who logs on to the computer. The first time a user logs on to the
computer, Windows 7 creates the users profile folder by copying the default user profile from
C:\Users\Default to the users profile folder.
Configuring default user profiles is an easy way to configure new user accounts. However, they
arent appropriate for all settings. Default user profiles are a great and simple way and to
9

To create a default user profile

2.
configure preferences that you want to allow users to change. They are not appropriate for
settings that you want to control. For these, use Group Policy settings. For more information
about configuring policies, see the section titled Configuring Group Policy Settings in this
document.
1. Log on to a computer running Windows 7 as a member of the local Administrator group.
Do not use a domain account.
Note
Use a lab or extra computer running a clean installation of Windows 7 to create a
default user profile. Do not use a computer that is required for business (that is, a
production computer). The process these steps describe removes all domain
accounts from the computer, including user profile folders. After creating the
default user profile, you can copy it from C:\Users\Default to a network location or
to a removable storage device.
2. Configure the settings that you want to include in the user profile. For example, you can
configure settings for the Start Menu, Windows Explorer, and so on.
3. Create an Unattend.xml file that sets the CopyProfile parameter to True. The CopyProfile
parameter causes Sysprep to copy the currently logged-on users profile folder to the
default user profile. You can use Windows System Image Manager, which is part of the
Windows Automated Installation Kit (Windows AIK) to create the Unattend.xml file. For
more information, see Windows Automated Installation Kit for Windows 7.
4. At a command prompt, type the following command and press ENTER:
sysprep /oobe /reboot /generalize /unattend: unattend.xml
(Sysprep.exe is located at: C:\Windows\System32\sysprep)
5. Complete the out-of-box experience, and then log on to the computer by using an
account that has local administrator privileges.
6. Click Start, type user profile, and then click Configure advanced user profile
properties.
7. In the User Profiles dialog box (shown in Figure 2), click Default Profile, and then click
Copy To.

10

Figure 2 Copying the default user profile by using the User Profiles dialog box
8. In the Copy To dialog box, do the following:
a. In the Copy profile to text box, type the path of the location where you want to save
the default user profile.
b. Under Permitted to use, click Change, type Everyone, and then click OK.
9. Click OK to copy the default user profile.
Note
Other methods of creating default user profiles exist. For example, you can click
the Copy To button on the User Profiles dialog box to copy a user profile folder to
the default user profile. However, the steps that this section describes are the
only steps that Microsoft supports for customizing a default user profile. These
steps clean the source user profile so that it supports multiple users. For more
information, see How to customize default user profiles in Windows 7 and in
Windows Server 2008 R2.

11

To create a mandatory user profile

3.

Configuring Shared User Accounts

In addition to configuring shared computers for employees, Ben is creating shared computers for
corporate guests. For these computers, users will share a single account named ByaGuest.
Maintaining the computers health and creating a consistent user experience are requirements.
Additionally, because users might leave personal information on shared computers (for example,
through cookies in Internet Explorer 8), he needs to protect their privacy.
Ben needs Windows 7 to forget users changes after every user session. This includes any files
they saved in the Documents folder, any cookies that Internet Explorer 8 saved, and so on. The
simplest way to do that is to use a mandatory profile.
Ben can create a default user profile, as the previous section described, and then use that profile
as the basis for a mandatory profile. This will create one central user profile for all users. When
users log off of the computer, Windows 7 deletes their changes. Each time users log on to the
computer by using the shared account, they start with a new copy of the mandatory user profile.

Creating a Mandatory User Profile

The first step to creating a mandatory user profile is to create a default user profile. The section
titled Configuring Standard User Accounts, describes how to create a default user profile. You
must create a folder for the mandatory user profile and configure its permissions so that everyone
can access it. Then you copy the default user profile to the mandatory user profile folder.
Windows 7 recognizes a mandatory user profile that is based on the name of the registry hive file.
Each user profile contains a registry hive file named Ntuser.dat, which contains the users registry
settings. Renaming it to Ntuser.man causes Windows 7 to make the user profile mandatory.
1. Copy the default user profile that you created in Configuring Standard User Accounts to
C:\Users on the shared computer.
2. Rename the folder Mandatory.v2. (The root part of the file name can be anything you like,
but the folder name must end with .v2 to identify it as a Windows 7 user profile folder.)
3. Use the following procedure to rename Ntuser.dat to Ntuser.man:
a. Open C:\Users\Mandatory.v2 in Windows Explorer.
b. In Windows Explorer, click Organize, and then click Folder and search options.
c.

On the View tab, select the Show hidden files and folders check box, clear the
Hide protected operating system files check box, click Yes to confirm that you
want to show operating system files, and then click OK to save your changes.

d. Rename Ntuser.dat to Ntuser.man. Figure 3 shows what this should look like in
Windows Explorer with hidden files showing.

12

To assign a mandatory user profile to a shared account

4.

Figure 3 Preparing a mandatory user profile

Assigning a Mandatory User Profile

Previously, Ben created the account named ByaGuest for shared access to the computers. Now,
he simply needs to assign the mandatory user profile he created to the local user accounts.
1. On the shared computer, click Start, type local users, and click Edit local users and
groups. If Windows 7 prompts you for an administrator password or confirmation, type
the password or confirm that you want to continue.
2. Click the Users folder.
3. In the right pane, click the user account to which you want to assign the mandatory user
profile. In Bens case, he clicks the account named ByaGuest.
4. Click Action, and then click Properties.
5. On the Profile tab, in the Profile path box, type the path of mandatory user profile that
you want to assign to this account, omitting the .v2 from the end of the folder name. In
Bens example, the path is C:\Users\Mandatory.
13

Figure 4 Assigning a mandatory user profile to a user account

Configuring Accounts to Autologon

Ben wants to configure the public shared-access computers to automatically log on as ByaGuest
each time they start. That way, corporate guests do not need an account or password to use the
computer. To do this, he can configure the registry values shown in Table1. These values are
located in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Ben could use a manual process to configure these registry values on each shared computer. For
example, Ben could export these values to a .reg file, and then import that .reg file in to the
registry on each computer. However, because Bens shared computers are all joined to a domain,
he will use Group Policy preferences to automatically configure these values on each shared
computer. For more information about Group Policy preferences, see the section titled Using
Group Policy Preferences.

14

Note

Note

Value

Type

Setting

AutoAdminLogon

REG_SZ

DefaultDomainName

REG_SZ

LITWARE

DefaultUserName

REG_SZ

ByaGuest

DefaultPassword

REG_SZ

Password

Table 1 AutoLogon registry values

The Windows Sysinternals Suite includes a tool named Autologon that you can use to
configure computers to automatically log on to a specific account. The benefit of using
this tool is that it encrypts the password, whereas the values shown in Table 1 in store the
password in plain text.

Configuring Group Policy Settings

Group Policy provides an infrastructure for managing computer and user settings in businesses.
Administrators define Group Policy objects (GPOs) in Active Directory. Windows 7 applies the
settings to computers each time they start or to users each time they log on. Group Policy
refreshes GPOs at a regular interval.
Standard user accounts cannot change settings that administrators define in a GPO. For
example, if Ben defines a setting that configures the Windows 7 desktop theme, users cannot
change the theme. Windows 7 also supports a variety of settings that restrict users from certain
parts of the user interface. Ben can prevent users from opening Control Panel, for example.
Windows SteadyState implements many of its features as Group Policy settings, and Windows 7
provides many more Group Policy settings than earlier versions of the Windows operating
system. This makes it easy to replace Windows SteadyState with native Windows 7 features and
free tools from Microsoft.
Group Policy is enforceable only with standard user accounts. If you allow users to log on
to their computers as administrators, they can change or remove Group Policy settings
with minimal effort. However, Group Policy will reapply any settings that users change or
remove at the next refresh interval.
The second document in this set, Steady State Reference Document, describes a large number
of Group Policy settings that you can use to configure and restrict settings. It also identifies
Windows SteadyState settings that match Group Policy settings to help you transition from
Windows SteadyState to using native Windows 7 features by identifying which Group Policy
settings match which Windows SteadyState settings.
15

To configure the LGPO

5.
Because Bens shared computers are domain-joined, he can configure GPOs in Active Directory,
and then apply those GPOs to multiple computers. The remainder of this section focuses on how
to configure local Group Policy objects (LGPOs) on shared computers that are running
Windows 7, replicating the way Windows SteadyState works. Local Group Policy objects are
stored on individual computers whether or not they are part of an Active Directory Environment.
1. On the shared computer, click Start, type group policy, and then click Edit group
policy to open the Local Group Policy Editor.
2. In the console tree (left pane), click the folder that contains the setting you want to
configure, as shown in Figure 5.
3. In the details pane (right pane), click the setting that you want to configure, and then click
Action, Edit on the menu.

Figure 5 Configuring the LGPO

The local policy settings apply to the computer and to all users who use the computer. You can
optionally configure multiple LGPOs to help better manage settings on shared computers.
Multiple LGPOs is a collection of LGPOs that include:

Administrators Local Group Policy. This LGPO applies user policy settings to members of
the Administrators group.

Non-Administrators Local Group Policy. This LGPO applies user policy settings to users
who are not included in the Administrators group.

16

Note

To configure multiple LGPOs

6.
User-Specific Local Group Policy. This LGPO applies user policy settings to a specific local
user.
Using multiple LGPOs has an advantage over configuring a single LGPO. The single
LGPO applies settings to the computer and to all users who use the computer. So the
restrictions in the LGPO apply to local administrators, and these restrictions can prevent
administrators from maintaining the computer without first resetting the LGPO. Instead,
you can configure restrictions by using the non-administrators LGPO. This leaves
administrators free to maintain the computer while applying restrictions to standard users.
1. Click Start, type mmc, and press ENTER to open the Microsoft Management Console.
2. Click File, and then click Add/Remove Snap-in.
3. In the Available Snap-ins list, click Group Policy Object Editor, and then click Add.
4. In the Select Group Policy Object dialog box, click the Browse button.
5. In the Browse for the Group Policy Object dialog box, click the Users tab, and then
click the user or group for which you want to create or edit the local Group Policy
settings.
6. Click OK, click Finish, and then click OK.

Blocking Applications
Windows SteadyState allows you to create a list of programs to block for each user. Windows 7
includes a more robust feature for controlling the applications that users can run: AppLocker (see
Figure 6). AppLocker works with the LGPOs and GPOs that are deployed in Active Directory, and
it provides a significant advantage for shared computer environments. Applocker is supported by
the Windows 7 Enterprise or Windows 7 Ultimate operating systems.
AppLocker is more flexible than earlier tools for managing the applications that users can run,
including software restriction policies and Windows SteadyState. Instead of providing a list of
programs to block, AppLocker allows you to specify which applications users are allowed to run.
Doing so can make controlling applications easier because it allows you to prevent even unknown
applications from running on the computer.

17

Figure 6 Defining an AppLocker rule by using the Create Executable Rules Wizard
With AppLocker, you can:

Define rules based on file attributes, such as the files digital signature, including the
publisher, product name, file name, or file version. For example, you can create a rule that
specifically allows any version of Adobe Acrobat Reader to run.

Create exceptions to rules. For example, you can create a rule that allows all built-in
Windows programs to run except the Registry Editor (Regedit.exe), preventing users from
trying to make changes to the registry.

Creating AppLocker rules by using the Create Executable Rules Wizard is easy. You can learn
more about AppLocker on TechNet.

Scheduling Updates
Bens requirements include keeping computers healthy and protecting users from security risks. A
key way Ben can do that is by applying security updates regularly. One option is to manually
configure Automatic Updates. To do that, he simply clicks Start, types windows update, and clicks
Windows Update. Then, he clicks Change settings and chooses which type of updates to install
and when to install them.
To configure Automatic Updates for shared computers, Ben can use Group Policy settings.
Because Blue Yonder Airlines uses Windows Server Update Services (WSUS) to install Windows
updates, Ben will create a GPO in Active Directory that configures his shared computers to
automatically download and install approved updates from WSUS.
18

You can also configure an LGPO or a GPO in Active Directory to automatically download and
install updates from Windows Update. As shown in Figure 7, Windows Update settings are
located at:
Computer Configuration\Administrative Templates\Windows Components\Windows Update

Figure 7 Group Policy settings for Automatic Updates

Group Policy settings provide a great deal of flexibility for scheduling updates. Not only can you
configure which types of updates to install and when to install them, but you can choose whether
Automatic Updates prompts users to restart their computers, whether Automatic Updates installs
recommended updates in addition to important updates, and so on. Automatic Updates in
Windows 7 allows you to schedule updates on shared computers similarly to Windows
SteadyState.
The second document in this set, Steady State Reference Document, describes the Group Policy
settings that you can use to schedule and configure Automatic Updates in Windows 7. That
document also lists recommended values for these settings. You can apply these settings by
using an LGPO or a GPO in Active Directory.

Using Group Policy Preferences

Ben has identified a number of settings that he wants to configure with Group Policy for
applications that do not support Group Policy settings. He also wants to configure a number of
Windows features that do not provide Group Policy settings. For example, he wants to configure
shared computers so that they automatically log on by using the ByaGuest account.
19

To do that, Ben can use Group Policy preferences in the Group Policy Management Console. In
Figure 8, you see how Ben uses registry items in Group Policy preferences to configure
Autologon in Windows 7. (LGPOs do not support Group Policy preferences.) By using Group
Policy preferences, Ben can configure settings for applications that do not support Group Policy.
Also, he can configure these settings and allowing users to change them, or he can enforce them
each time Group Policy refreshes. To learn more about Group Policy preferences, see Group
Policy Preferences Overview.

Figure 8 Using Group Policy preferences to configure shared computers

The key difference between Group Policy settings and Group Policy preferences is enforcement.
Group Policy strictly enforces policy settings. Group Policy writes settings to the Policy branches
of the registry, and the access control lists (ACLs) on those branches prevent standard users
from changing them. When an application or operating system feature that is compatible with
Group Policy looks for a potentially managed setting, it first looks for the policy setting. If the
policy setting does not exist, it looks for the setting elsewhere in the registry.
Applications and operating system features that are compatible with Group Policy typically
disable the user interface for settings that Group Policy is managing, which prevents users from

20

changing them. Group Policy refreshes policy settings every 90 minutes, by default, but this time
can be configured by a Group Policy administrator.
In contrast to Group Policy settings, Group Policy preferences are not strictly enforced. Group
Policy does not store preferences in the Policy branches of the registry. Instead, it writes
preferences to the same locations in the registry that the application or operating system feature
uses to store the settings. The implications of this include:

Group Policy preferences support applications and operating system features that are not
compatible with Group Policy.

Group Policy preferences do not cause the application or operating system feature to disable
the user interface for the settings they configure.

The result is that when you deploy Group Policy preferences, users can change the settings. By
default, Group Policy refreshes preferences at the same interval as Group Policy settings.
However, you can prevent Group Policy from refreshing individual preferences by choosing to
apply them only once. Doing so configures the preference one time and allows the user to
change it.
Group Policy filtering is substantially different from Group Policy preference item-level targeting.
You filter GPOs using WMI filters, and those filters determine whether Group Policy applies to the
entire GPO. You cannot filter individual policy settings within a GPO. Of course, you can create
GPOs based upon your filtering requirements to work around this limitation, but that might lead to
a large set of GPOs to manage. On the other hand, Group Policy preferences support item-level
targetingyou can target individual preference items within a GPO. For example, a single GPO
can contain two preference items, both of which configure power policies. You can target the first
preference item at desktop PCs and the second at mobile PCs. Additionally, whereas Group
Policy filtering requires you to write sometimes complex WMI queries, item-level targeting
provides a friendly user interface.

Restoring the Hard Disk Drive

A typical user session causes many changes to the Windows partition. It creates, changes, and
modifies program files. The operating system updates settings as part of its normal activity. Given
that one of Bens requirements is to provide a consistent experience from one user session to the
next, he needs a way to discard these changes each time a user session ends.
In Windows SteadyState, Windows Disk Protection helps protect system settings and data from
permanent changes on the partition on which the Windows operating system is installed.
Windows 7 does not provide a similar capability. However, free tools from Microsoft can help Ben
automatically reimage shared computers every night.

System Restore
System Restore is a Windows 7 feature that helps users quickly recover from problems. System
Restore saves snapshots of the system at key points, such as before installing an application or

21

device driver. Users can recover from a problem by restoring the operating system to one of
these snapshots.
Although scripting is beyond the scope of this document, it is possible to use System Restore to
simulate the functionality of Windows Disk Protection. The TechNet Script Center Repository
contains a number of scripts for automating System Restore. You can use these scripts to
assemble a solution that creates a snapshot during installation, and then restores the computer to
that snapshot when the user logs off of the computer.
System Restore does not restore users files; however, combining System Restore with
mandatory user profiles can almost completely reset a computer between each user session.

Using the Microsoft Deployment Toolkit 2010

Not only does Ben want to reset users profile folders when they finish their session, he also
wants to reset shared computers so that they discard any system changes that Windows made
as part of normal activity. Microsoft does not offer a tool similar to Windows Disk Protection that
supports Windows 7. However, Ben can reinstall Windows 7 on shared computers each night
resetting them daily.
Windows 7 and the Windows AIK provide flexible and robust tools for automating the Windows 7
installation. On their own, however, these tools can be difficult to automate and use for sharedcomputer scenarios.
Ben needs a simple solution that fully automates the Windows 7 deployment tools so that he can
schedule it to reset. The Microsoft Deployment Toolkit (MDT) 2010 provides such a solution, and
it is a free download at the Microsoft Download Center. MDT 2010 provides a framework for using
the Windows 7 deployment tools, and Ben can customize MDT 2010 for the shared-computer
scenario. To learn more about MDT 2010, see Microsoft Deployment Toolkit.
To use MDT 2010 to automatically rebuild shared computers each night, Ben must do the
following:
1. Create a deployment shared resource and stock it with Windows 7 source files, applications,
device drivers, and package files.
2. Create a task sequence based on the Standard Client Task Sequence that MDT 2010
provides to install Windows 7 on shared computers.
3. Configure properties in CustomSettings.ini or the MDT 2010 database to fully automate
installation of the task sequence. The Microsoft Deployment Toolkit Sample Guide, part of the
MDT 2010 documentation set, contains numerous examples that show how to fully automate
installation.
4. Make the deployment shared resource accessible to the shared computers. Because Bens
shared computers are domain-joined and have network access, Ben is hosting the
deployment shared resource on a file server. This simplifies maintenance for Ben when he
must update the applications, device drivers, and packages on the deployment shared
resource. However, you can also copy the deployment shared resource to a local hard disk
drive and install Windows 7 from there.

22

To export an account and its files and settings

7.
5. Schedule a task on the shared computers to automatically start installation each night,
making sure to include the credentials of a local administrator account that has access to the
deployment shared resource. Because each new installation will not have the scheduled task,
Ben will use Group Policy preferences to automatically schedule the installation task.
Alternatively, you can write a script to schedule the installation task.

Exporting and Importing Profiles

Windows SteadyState provides the ability to export users accounts, files, and settings and then
import them on another computer running Windows SteadyState. Windows 7 has a similar
capability: the Windows Easy Transfer tool. Ben can use this tool to copy the ByaGuest account
and its files and settings from one shared computer to another shared computer, rather than recreating them on each.
Windows Easy Transfer is a Windows 7 installation tool that helps users move their accounts,
files, and settings when they migrate from earlier Windows versions to Windows 7. The tool
supports three methods for moving accounts:

Connect two computers by using an Easy Transfer Cable and then run Windows Easy
Transfer on both computers to transfer everything.

Transfer accounts from one computer to another by using a network connection.

Export a shared computers accounts to a removable storage device, then transfer them to
other computers.

Ben wants to copy accounts from one shared computer to another without connecting them, so
he will export a shared computers accounts to a removable storage device. Then, he can transfer
the accounts to other shared computers from the removable storage device.
Use the following procedure on the computer that you want to save and copy the account.
1. On the Start menu, type easy transfer, and then click Windows Easy Transfer.
2. Click Next.
3. Click An external hard disk or USB flash drive, and click Next.
4. Click This is my old computer.
5. Select the check box next to each account that you want to export to the removable
storage device, as shown in Figure 9, and then click Next.

23

To import an account and its files and settings

8.

Figure 9 Exporting an account by using Windows Easy Transfer

6. In the Password box, type a password with which to protect the exported account, files,
and settings. In the Confirm Password box, retype the password, and then click Save.
7. In the Save Your Easy Transfer File dialog box, type the path and name of the Easy
Transfer File that you want use for exporting the account. Then, click Save.
8. Click Next, click Next, and then click Close.
Use the following procedure on the computer that you want to apply the account.
1. On the Start menu, type easy transfer, and then click Windows Easy Transfer.
2. Click Next.
3. Click An external hard disk or USB flash drive, and click Next.
4. Click This is my new computer, and then click Yes.
5. In the Open an Easy Transfer File dialog box, locate the Easy Transfer File that
contains the accounts, and then click Open.
6. Select the check box next to each account that you want to import, and then click
Transfer.
24

7. Click Close.

Virtualizing Shared Computers

A physical computer with Windows 7 installed on it is the best way to provide a rich experience for
users sharing a computer. However, it is not the only way. Virtualization can also enable sharedcomputer scenarios. The Microsoft Virtualization website describes the types of virtualization that
Microsoft offers. The following Microsoft technologies can help businesses virtualize sharedaccess computers:

Windows Virtual PC Windows Virtual PC is a free download for Windows 7 that provides
desktop virtualization on the client. Although Windows Virtual PC does not provide the
deployment and management features of other Microsoft virtualization products, it is a simple
solution to shared-access computing. For example, you can use the Undo Disks tool to
restore virtual machines to their original state. The Virtual PC Guy's Blog contains numerous
scripts that you can use to automate various tasks. The drawback to using Windows Virtual
PC in Bens scenario is that preventing users from accessing the host computer is difficult.
For more information, see Windows Virtual PC.

Microsoft Enterprise Desktop Virtualization (MED-V) MED-V is part of the Microsoft

Desktop Optimization Pack (MDOP), and it adds the missing deployment and management
features to Windows Virtual PC. You can more easily provision virtual machines to users and
control them. However, because MED-V relies on Windows Virtual PC to run virtual
machines, it has the same limitations in shared-computer scenarios: Preventing users from
accessing the physical computer is difficult. For more information, see Microsoft Enterprise
Desktop Virtualization (MED-V).

Virtual Desktop Infrastructure (VDI) With VDI, businesses host users desktops in the
datacenter. Users access those desktops by using Remote Desktop Connection. VDI has the
potential to be viable in shared-computer scenarios. You can put thin clients in public areas
instead of rich clients. Then, employees can access their own virtual desktops from the
datacenter. In this case, the thin client is shared, but the desktop experience is not. You can
also provide access to shared virtual desktops. In this case, the thin client and the desktop
experience are shared. The benefit is that you can heavily manage the virtual desktop from a
central location. Additionally, you can write scripts to add capabilities such as reverting to a
snapshot when a user logs off of the desktop. See Operating system virtualization for more
information.

Application Virtualization (App-V) App-V is part of MDOP. By itself, App-V does not
provide the capability to virtualize shared computers. However, App-V can add value to
shared computers by giving users access to their applications from any shared computer they
use. For more information, see Application Virtualization.

Additional Information

AppLocker on TechNet
25

Group Policy

Group Policy Preferences Overview

How to customize default user profiles in Windows 7 and in Windows Server 2008 R2

Microsoft Deployment Toolkit (MDT) 2010

Microsoft Download Center

Microsoft Virtualization

Windows Automated Installation Kit for Windows 7

Windows SteadyState

26