Link to home
Start Free TrialLog in
Avatar of operationsIT
operationsIT

asked on

Secure Windows 7 with 2 logins Kiosk and Administrator

Is it possible to have a automatic login with a Kiosk user or maybe it doesn't have to be Kiosk that limits many areas of interaction with the Operating System?  However when required can switch to administrator who can support the system local/remote via admin credentials?  What is the best setup?
Avatar of Sean Plemons Kelly, CISSP
Sean Plemons Kelly, CISSP
Flag of United States of America image

Hello operationsIT!

In my opinion:

Through Group Policy, most things are possible!

Most of the settings for this can be found under User Configuration > Policies > Administrative Templates.

Cheers!
Sean
Avatar of operationsIT
operationsIT

ASKER

If this is a stand alone machine we can use the local GPO to lock it down (no desktop right click) yet somebody can login and override this with admin rights?
operationsIT,

If someone else has admin rights, then yes, they will typicaly be able to change things.

There are two places you can remove the desktop context menu (right click):
One is the registry, at key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, key NoViewContextMenu. Giving this a value of 1 will disable the context menu.

The other is in Group Policy, at User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer > Remove Windows Explorer's Default Context Menu. Changing that to Enabled will disable the context menu.

*Ideally* the machine would be connected to some sort of domain that could apply the policy to different groups (I.E. the GPO that locked the system down would apply only to domain users the regular account, and the domain admins would be exempt from it).

I hope this helps!
Sean
This is a machine we will put at a customer site to manage equipment so it will not be on their domain and the management team there wants it locked down so we can change to administer it, but their team cannot

•      Remove all icons from desktop
•      Remove or disable taskbar
•      Remove right click on desktop
•      Disable most system keyboard functions

Anything with these that won't work?  What will context menu removal do specifically?
We will still be able to switch to or restart to get admin in?
ASKER CERTIFIED SOLUTION
Avatar of Sean Plemons Kelly, CISSP
Sean Plemons Kelly, CISSP
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
There should be one locked down and one engineer who has administrative rights

Disabling:
 File system navigation (except through package analytics)
All shortcut and fast keys (IE: <control>+<alt>+<delete>)
Right click menus
Command Window
Start menu (all of the menu, however can leave one option: user login change)

Effectively, the locked down user should only be able to:
Have the option to change users (change to engineering)
View the package analytics user interface (dashboard)
Remote desktop accessibility
Mount/unmount an external drive (USB)
Great help thanks!