Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: GPEDIT Lock down help

28 Jun 2012   #1
xndrxw

Windows 7 Ultimate x64
 
 
GPEDIT Lock down help

I am currently supporting 12 remote locations who just log into citrix via internet explorer. Our users can not seem to understand that they do not log into the domain with there main account but our account called citrix. I am looking to completely disable their ability to log off, switch user, restart, shut down, lock, sleep and hibernate. I enabled some features in gpedit and currently I am left with lock and log off. Is there anyway to get rid of those two also. I tried to edit the registry to get rid of them and had no luck also. If I could disable the entire start menu it would be even better. I just need the desktop to have a single internet explorer icon on it. Any help would be great. All machines are windows 7 professional x64. Thank you


My System SpecsSystem Spec
29 Jun 2012   #2
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote   Quote: Originally Posted by xndrxw View Post
........If I could disable the entire start menu it would be even better. I just need the desktop to have a single internet explorer icon on it. Any help would be great. All machines are windows 7 professional x64. Thank you
I'm not sure that I totally understand your situation, but you can replace the explorer shell with internet explorer and have IE go to the page of interest. See the video for info on how to do that. Doing that gets rid of the desktop, taskbar, start button.....

Be sure that you can use remote registry to put the explorer shell back.

Be sure that you can restart these remote computers via a tool like psexec.


You could have these computers set to automatically log on the user named citrix

Use group policies at the user lever to prevent IE from being shutdown
(alt-f4 will not close that window either)
User Configuration >
Administrative Templates >
Windows Components >
Internet Explorer >
Browser menus
File menu: disable closing the browser and Explorer windows

And it sounds like you have already enabled all 4 options under:
User Configuration >
Administrative Templates >
System >
Ctrl+Alt+Del Options

You might have done this too:
(I did not enable this so I could restart in the video):
User Configuration >
Administrative Templates >
Start Menu and Taskbar
Remove and prevent access to the Shut Down, Restart.....

And at the computer level:
Computer Configuration >
Administrative Templates >
System >
Logon
Hide entry points for Fast User Switching

A system setup like that will look like this when it starts:

My System SpecsSystem Spec
29 Jun 2012   #3
UsernameIssues

W7 Pro SP1 64bit
 
 

BTW, I think that I figured out how to get rid of the last two one items (lock and log off) that you mentioned, but you did not specify where you were seeing them.

User Configuration >
Administrative Templates >
Start Menu and Taskbar
Change Start Menu power button
Set the power button to "Lock".

User Configuration >
Administrative Templates >
System >
Ctrl+Alt+Del Options
Remove Lock Computer
Will disable (but not always hide) "Lock".
When a user clicks on Lock - nothing happens.
Lock will still show on the power button and on it's menu...
...but nothing happens when you click on it.

Edit: spoke too soon - doing the steps above moves log off to the power button's menu :-(
My System SpecsSystem Spec
29 Jun 2012   #4
xndrxw

Windows 7 Ultimate x64
 
 

The kiosk mode looks like it could be the way to go for these setups. The only problem would be if another user, not someone using citrix as their login would try to get into the machine. Would it still launch into the kiosk mode or would it actually launch a normal desktop? Also I am going to be trying to deploy this starting next Tuesday across about 100 machines so I need something somewhat fast to do. So could I write up a .reg file to make the kiosk change in the registry to simplify things?
My System SpecsSystem Spec
29 Jun 2012   #5
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote   Quote: Originally Posted by xndrxw View Post
...The only problem would be if another user, not someone using citrix as their login would try to get into the machine. Would it still launch into the kiosk mode or would it actually launch a normal desktop?...
I cannot tell from your original post or from that sentence & question above - if you want other users to be able to use the computer normally or not.

In the setup that I showed, it will always be a kiosk. Once you replace the shell, there is never an opportunity for another user to log on. The computer must be set to automatically log on one user. It becomes a computer dedicated to one simple task. It won't be good as a normal computer until you put the normal shell back.


Quote   Quote: Originally Posted by xndrxw View Post
...Also I am going to be trying to deploy this starting next Tuesday across about 100 machines so I need something somewhat fast to do. So could I write up a .reg file to make the kiosk change in the registry to simply things?
You could, but I would not fan it out without testing it in one or two locations for months - with a variety of users.


I've not had any personal experience administrating computers in this kiosk mode. I've only seen it done at a college (using XP). And of course, the challenge then became attempting to crash IE - which makes the kiosk useless until it automatically rebooted each night via the bios.
My System SpecsSystem Spec
29 Jun 2012   #6
xndrxw

Windows 7 Ultimate x64
 
 

Hmm. Maybe I can have IE launch automatically in full screen and not allow it to be shut down. The biggest problem is that users are logging out of one account and into their own and trying to pull their profile remotely will sometimes take up to 2 hours. The account I created "citrix" has nothing in the profile and logs in right away. It seems like any precaution I put into place a user finds away around it. The kiosk mode will defiantly work for our systems setup for video conferencing and I will be testing that out as soon as I return from the remote offices.
My System SpecsSystem Spec
29 Jun 2012   #7
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote   Quote: Originally Posted by xndrxw View Post
Hmm. Maybe I can have IE launch automatically in full screen and not allow it to be shut down. The biggest problem is that users are logging out of one account and into their own...........
You do not want to let the Explorer shell launch and then launch IE. Once Explorer launches, then all sorts of things have to be locked down (like you tried). If you let the Explorer shell start and then start IE full screened, I think that users can still "Alt-Tab" to get to the desktop. Then they can log off & thus try to log themselves on.

If you replace the Explorer shell with IE - then there is no desktop (Start Menu) to "Alt-Tab" to - so most of those lock down issues go away. :-)

-have fun
-let us know how this turns out
My System SpecsSystem Spec
Reply

 GPEDIT Lock down help




Thread Tools





Similar help and support threads
Thread Forum
Num Lock, Caps Lock and Scroll Lock all lights up (not blinking)
For some time now, i have been experiencing that my Num Lock, Caps Lock and Scroll Lock all lights up (not blinking) all at the same time, I tried to google it but i can not find any solutions or explanations for it. Does anyone know if it is bad? and what is causing this? I am having a wired...
Hardware & Devices
Caps Lock/Num Lock, on screen pop up gone Gateway NV77
Good afternoon, I just did a clean install of 7 to fix errors with my laptop, and it fixed one, but not the other main issues, My caps lock, and number lock button on the keyboard don't have a light on it and the pop up that is supposed to pop up doesn't show up on screen. I figured by doing...
General Discussion
gpedit.msc
Hi there! I was following tips from Restrict or prevent users from running programs in Windows and everything works well apart that gpedit.msc itself getting blocked even that I am logged as an administrator. When I have chosen just couple of programs to be allowed I cannot start gpedit.msc as...
General Discussion
Caps lock, num lock, scroll lock screen messages
Hi, how to disable Caps lock, num lock, scroll lock screen messages? I have desktop pc with two keyboards usb and bluetooth. Also TOSHIBA Bluetooth Stack software, but in device manager: keyboard > hid keyboard device both using microsoft drivers. And I dont have any software installed...
General Discussion
Gpedit
I ran a search in the Start Menu's Search window, but it found nothing. I checked in the Services.msc and it shows the Group Policy Client set to automatic and is started, so how do I access gpedit?
Customization
TrayStatus Displays Indicator of Num Lock, Caps Lock, S
Read The Rest At: TrayStatus Displays Indicator of Num Lock, Caps Lock, Scroll Lock Status and Hard Drive Read/Write Activity My Digital Life
News

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 15:51.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App