operationsIT
asked on
Secure Windows 7 with 2 logins Kiosk and Administrator
Is it possible to have a automatic login with a Kiosk user or maybe it doesn't have to be Kiosk that limits many areas of interaction with the Operating System? However when required can switch to administrator who can support the system local/remote via admin credentials? What is the best setup?
ASKER
If this is a stand alone machine we can use the local GPO to lock it down (no desktop right click) yet somebody can login and override this with admin rights?
operationsIT,
If someone else has admin rights, then yes, they will typicaly be able to change things.
There are two places you can remove the desktop context menu (right click):
One is the registry, at key HKEY_CURRENT_USER\Software \Microsoft \Windows\C urrentVers ion\Polici es\Explore r, key NoViewContextMenu. Giving this a value of 1 will disable the context menu.
The other is in Group Policy, at User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer > Remove Windows Explorer's Default Context Menu. Changing that to Enabled will disable the context menu.
*Ideally* the machine would be connected to some sort of domain that could apply the policy to different groups (I.E. the GPO that locked the system down would apply only to domain users the regular account, and the domain admins would be exempt from it).
I hope this helps!
Sean
If someone else has admin rights, then yes, they will typicaly be able to change things.
There are two places you can remove the desktop context menu (right click):
One is the registry, at key HKEY_CURRENT_USER\Software
The other is in Group Policy, at User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer > Remove Windows Explorer's Default Context Menu. Changing that to Enabled will disable the context menu.
*Ideally* the machine would be connected to some sort of domain that could apply the policy to different groups (I.E. the GPO that locked the system down would apply only to domain users the regular account, and the domain admins would be exempt from it).
I hope this helps!
Sean
ASKER
This is a machine we will put at a customer site to manage equipment so it will not be on their domain and the management team there wants it locked down so we can change to administer it, but their team cannot
• Remove all icons from desktop
• Remove or disable taskbar
• Remove right click on desktop
• Disable most system keyboard functions
Anything with these that won't work? What will context menu removal do specifically?
We will still be able to switch to or restart to get admin in?
• Remove all icons from desktop
• Remove or disable taskbar
• Remove right click on desktop
• Disable most system keyboard functions
Anything with these that won't work? What will context menu removal do specifically?
We will still be able to switch to or restart to get admin in?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
There should be one locked down and one engineer who has administrative rights
Disabling:
File system navigation (except through package analytics)
All shortcut and fast keys (IE: <control>+<alt>+<delete>)
Right click menus
Command Window
Start menu (all of the menu, however can leave one option: user login change)
Effectively, the locked down user should only be able to:
Have the option to change users (change to engineering)
View the package analytics user interface (dashboard)
Remote desktop accessibility
Mount/unmount an external drive (USB)
Disabling:
File system navigation (except through package analytics)
All shortcut and fast keys (IE: <control>+<alt>+<delete>)
Right click menus
Command Window
Start menu (all of the menu, however can leave one option: user login change)
Effectively, the locked down user should only be able to:
Have the option to change users (change to engineering)
View the package analytics user interface (dashboard)
Remote desktop accessibility
Mount/unmount an external drive (USB)
ASKER
Great help thanks!
In my opinion:
Through Group Policy, most things are possible!
Most of the settings for this can be found under User Configuration > Policies > Administrative Templates.
Cheers!
Sean