Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: GPEDIT Lock down help

28 Jun 2012   #1

Windows 7 Ultimate x64
 
 
GPEDIT Lock down help

I am currently supporting 12 remote locations who just log into citrix via internet explorer. Our users can not seem to understand that they do not log into the domain with there main account but our account called citrix. I am looking to completely disable their ability to log off, switch user, restart, shut down, lock, sleep and hibernate. I enabled some features in gpedit and currently I am left with lock and log off. Is there anyway to get rid of those two also. I tried to edit the registry to get rid of them and had no luck also. If I could disable the entire start menu it would be even better. I just need the desktop to have a single internet explorer icon on it. Any help would be great. All machines are windows 7 professional x64. Thank you

My System SpecsSystem Spec
.

29 Jun 2012   #2

W7 Pro SP1 64bit
 
 

Quote   Quote: Originally Posted by xndrxw View Post
........If I could disable the entire start menu it would be even better. I just need the desktop to have a single internet explorer icon on it. Any help would be great. All machines are windows 7 professional x64. Thank you
I'm not sure that I totally understand your situation, but you can replace the explorer shell with internet explorer and have IE go to the page of interest. See the video for info on how to do that. Doing that gets rid of the desktop, taskbar, start button.....

Be sure that you can use remote registry to put the explorer shell back.

Be sure that you can restart these remote computers via a tool like psexec.


You could have these computers set to automatically log on the user named citrix

Use group policies at the user lever to prevent IE from being shutdown
(alt-f4 will not close that window either)
User Configuration >
Administrative Templates >
Windows Components >
Internet Explorer >
Browser menus
File menu: disable closing the browser and Explorer windows

And it sounds like you have already enabled all 4 options under:
User Configuration >
Administrative Templates >
System >
Ctrl+Alt+Del Options

You might have done this too:
(I did not enable this so I could restart in the video):
User Configuration >
Administrative Templates >
Start Menu and Taskbar
Remove and prevent access to the Shut Down, Restart.....

And at the computer level:
Computer Configuration >
Administrative Templates >
System >
Logon
Hide entry points for Fast User Switching

A system setup like that will look like this when it starts:

My System SpecsSystem Spec
29 Jun 2012   #3

W7 Pro SP1 64bit
 
 

BTW, I think that I figured out how to get rid of the last two one items (lock and log off) that you mentioned, but you did not specify where you were seeing them.

User Configuration >
Administrative Templates >
Start Menu and Taskbar
Change Start Menu power button
Set the power button to "Lock".

User Configuration >
Administrative Templates >
System >
Ctrl+Alt+Del Options
Remove Lock Computer
Will disable (but not always hide) "Lock".
When a user clicks on Lock - nothing happens.
Lock will still show on the power button and on it's menu...
...but nothing happens when you click on it.

Edit: spoke too soon - doing the steps above moves log off to the power button's menu :-(
My System SpecsSystem Spec
.


29 Jun 2012   #4

Windows 7 Ultimate x64
 
 

The kiosk mode looks like it could be the way to go for these setups. The only problem would be if another user, not someone using citrix as their login would try to get into the machine. Would it still launch into the kiosk mode or would it actually launch a normal desktop? Also I am going to be trying to deploy this starting next Tuesday across about 100 machines so I need something somewhat fast to do. So could I write up a .reg file to make the kiosk change in the registry to simplify things?
My System SpecsSystem Spec
29 Jun 2012   #5

W7 Pro SP1 64bit
 
 

Quote   Quote: Originally Posted by xndrxw View Post
...The only problem would be if another user, not someone using citrix as their login would try to get into the machine. Would it still launch into the kiosk mode or would it actually launch a normal desktop?...
I cannot tell from your original post or from that sentence & question above - if you want other users to be able to use the computer normally or not.

In the setup that I showed, it will always be a kiosk. Once you replace the shell, there is never an opportunity for another user to log on. The computer must be set to automatically log on one user. It becomes a computer dedicated to one simple task. It won't be good as a normal computer until you put the normal shell back.


Quote   Quote: Originally Posted by xndrxw View Post
...Also I am going to be trying to deploy this starting next Tuesday across about 100 machines so I need something somewhat fast to do. So could I write up a .reg file to make the kiosk change in the registry to simply things?
You could, but I would not fan it out without testing it in one or two locations for months - with a variety of users.


I've not had any personal experience administrating computers in this kiosk mode. I've only seen it done at a college (using XP). And of course, the challenge then became attempting to crash IE - which makes the kiosk useless until it automatically rebooted each night via the bios.
My System SpecsSystem Spec
29 Jun 2012   #6

Windows 7 Ultimate x64
 
 

Hmm. Maybe I can have IE launch automatically in full screen and not allow it to be shut down. The biggest problem is that users are logging out of one account and into their own and trying to pull their profile remotely will sometimes take up to 2 hours. The account I created "citrix" has nothing in the profile and logs in right away. It seems like any precaution I put into place a user finds away around it. The kiosk mode will defiantly work for our systems setup for video conferencing and I will be testing that out as soon as I return from the remote offices.
My System SpecsSystem Spec
29 Jun 2012   #7

W7 Pro SP1 64bit
 
 

Quote   Quote: Originally Posted by xndrxw View Post
Hmm. Maybe I can have IE launch automatically in full screen and not allow it to be shut down. The biggest problem is that users are logging out of one account and into their own...........
You do not want to let the Explorer shell launch and then launch IE. Once Explorer launches, then all sorts of things have to be locked down (like you tried). If you let the Explorer shell start and then start IE full screened, I think that users can still "Alt-Tab" to get to the desktop. Then they can log off & thus try to log themselves on.

If you replace the Explorer shell with IE - then there is no desktop (Start Menu) to "Alt-Tab" to - so most of those lock down issues go away. :-)

-have fun
-let us know how this turns out
My System SpecsSystem Spec
Reply

 GPEDIT Lock down help




Thread Tools



Similar help and support threads for2: GPEDIT Lock down help
Thread Forum
Solved gpedit.msc General Discussion
gpedit.msi for Win 7 Home Prem. x64? Software
Caps lock, num lock, scroll lock screen messages General Discussion
Solved gpedit.msc failing on me. System Security
HELP!!! Can't find gpedit.msc General Discussion
Solved Gpedit Customization
TrayStatus Displays Indicator of Num Lock, Caps Lock, S News

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 03:03 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33