Creating a Steady State by Using Microsoft Technologies
Microsoft Corporation
Published: September 2010
Abstract
This document provides information for IT professionals and partners who support Internet cafes,
libraries, and schools. It describes how to use Group Policy settings, native Windows 7 features,
and the Microsoft Deployment Toolkit to create a steady state on shared-access computers.
Copyright information
This document is provided “as-is.” Information and views expressed in this document, including
URL and other Internet website references, may change without notice. You bear the risk of using
it.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
Contents
• Creating a Steady State by Using Microsoft Technologies
• Abstract
• Copyright information
• Contents
• Blocking Applications
• Scheduling Updates
• The SteadyState Reference worksheet (a downloadable .xlsx file). Look up and filter the
settings that the two previous documents describe. For example, you can quickly find
information about settings that are related to Start menu restrictions.
In this document:
• Native Windows Features
• Scenarios and Limitations
• Configuring Standard User Accounts
• Configuring Shared User Accounts
• Configuring Group Policy Settings
• Restoring the Hard Disk Drive
• Exporting and Importing Profiles
• Virtualizing Shared Computers
Note
To provide feedback or ask questions about the information that these documents
contain, please contact: Windows IT Pro Community.
Creating user accounts and configuring user settings
Windows SteadyState: You can apply system and feature restrictions to each user account on the computer so that users have limited access to Windows system tools, other services, applications, files, and data.
Windows 7: You can create standard user accounts to isolate users from system tools, services, applications, and files; then, use Group Policy settings to configure and restrict access to user settings.
In this document: Configuring Standard User Accounts; Configuring Shared User Accounts

Setting computer restrictions
Windows SteadyState: You can apply privacy and security restrictions to the whole computer and design a uniform user experience.
Windows 7: You can create standard user accounts to restrict users from changing computer settings and help protect their privacy. You can configure the computer by using Group Policy settings.
In this document: Configuring Group Policy Settings

Scheduling software updates
Windows SteadyState: You can download and install updates. This works with Windows Disk Protection to help ensure that important updates are applied to the computer and not removed.
Windows 7: You can schedule Automatic Updates by using Group Policy settings. Standard user accounts cannot remove these important updates.
In this document: Scheduling Updates

Restoring the hard disk drive after each
Windows SteadyState: Windows Disk Protection helps
Windows 7: Users with standard user accounts cannot
In this document: Restoring the Hard Disk Drive

Exporting and importing user profiles
Windows SteadyState: You can export shared user profiles created on one computer and import them to any computer on which Windows SteadyState is installed.
Windows 7: You can export users’ files and settings by using Windows Easy Transfer, and then import them on any other computer. Windows Easy Transfer is a tool that is built in to Windows 7 that users can use to migrate their files and settings from one Windows installation to another.
In this document: Exporting and Importing Profiles
With the exception of Windows Disk Protection, the features that Windows SteadyState provides
have counterparts in the native Windows 7 features and the free tools that this document
describes. Although Windows SteadyState does provide a single, easy-to-use interface for
configuring shared computers, any IT pro or partner can easily set up and manage shared
computers by following the guidance in this document. As for Windows Disk Protection, the
section titled Restoring the Hard Disk Drive recommends strategies that can help you simulate, if
not replicate, this feature.
This document supports a variety of scenarios. These include computers that are shared in
businesses (for example, kiosks and call centers), libraries, schools, and Internet cafes. To help
you better understand this document’s recommendations, it follows a fictional user named Ben
Miller, who is an IT pro with Blue Yonder Airlines.
Note
When you create user accounts for individual users, do not select the User cannot
change password check box. However, when you create shared, role-based user
accounts, select this check box to prevent users from changing the password and to
prevent other users from accessing the shared computer. Additionally, select the
Password never expires check box to ensure continuous access to the shared account.
In addition to creating standard user accounts, you can configure them when users first log on to
the computer. Windows 7 stores users’ files and settings in user profiles, which are separated
from system settings. By default, Windows 7 stores these user profiles in C:\Users, creating one
subfolder for each user who logs on to the computer. The first time a user logs on to the
computer, Windows 7 creates the user’s profile folder by copying the default user profile from
C:\Users\Default to the user’s profile folder.
Configuring default user profiles is an easy way to configure new user accounts. However, default
user profiles are not appropriate for all settings. They are a simple way to configure preferences
that you want to allow users to change. They are not appropriate for settings that you want to
control; for those, use Group Policy settings. For more information about configuring policies, see
the section titled Configuring Group Policy Settings in this document.
Note
Use a lab or extra computer running a clean installation of Windows 7 to create a
default user profile. Do not use a computer that is required for business (that is, a
production computer). The process these steps describe removes all domain
accounts from the computer, including user profile folders. After creating the
default user profile, you can copy it from C:\Users\Default to a network location or
to a removable storage device.
2. Configure the settings that you want to include in the user profile. For example, you
can configure settings for the Start Menu, Windows Explorer, and so on.
3. Create an Unattend.xml file that sets the CopyProfile parameter to True. The
CopyProfile parameter causes Sysprep to copy the currently logged-on user’s profile
folder to the default user profile. You can use Windows System Image Manager, which is
part of the Windows Automated Installation Kit (Windows AIK) to create the Unattend.xml
file. For more information, see Windows Automated Installation Kit for Windows 7.
4. At a command prompt, type the following command and press ENTER:
sysprep /oobe /reboot /generalize /unattend:unattend.xml
(Sysprep.exe is located at C:\Windows\System32\sysprep)
5. Complete the out-of-box experience, and then log on to the computer by using an
account that has local administrator privileges.
6. Click Start, type user profile, and then click Configure advanced user profile
properties.
7. In the User Profiles dialog box (shown in Figure 2), click Default Profile, and then
click Copy To.
Figure 2 Copying the default user profile by using the User Profiles dialog box
8. In the Copy To dialog box, do the following:
a. In the Copy profile to text box, type the path of the location where you want to
save the default user profile.
b. Under Permitted to use, click Change, type Everyone, and then click OK.
9. Click OK to copy the default user profile.
Note
Other methods of creating default user profiles exist. For example, you can click
the Copy To button on the User Profiles dialog box to copy a user profile folder to
the default user profile. However, the steps that this section describes are the
only steps that Microsoft supports for customizing a default user profile. These
steps clean the source user profile so that it supports multiple users. For more
information, see How to customize default user profiles in Windows 7 and in
Windows Server 2008 R2.
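The following script is an added example and is not part of the Microsoft document. It writes the Unattend.xml from step 3 by hand instead of with Windows System Image Manager (the file contains only the specialize pass with CopyProfile set to true), verifies the file before anything irreversible happens, and then runs the Sysprep command from step 4. It assumes an elevated PowerShell prompt on the lab computer, logged on as the account whose profile you customized; the file location under the sysprep folder is an assumption for this example.

```powershell
# Added example, not part of the Microsoft document: create the Unattend.xml that
# the procedure calls for and run Sysprep with it. Run from an elevated PowerShell
# prompt on the lab computer while logged on as the account whose profile you
# customized. The file location is an assumption for this example.

$sysprepDir   = Join-Path $env:SystemRoot 'System32\sysprep'
$unattendPath = Join-Path $sysprepDir 'unattend.xml'

# Sysprep validates processorArchitecture against the installed OS, so pick it
# from the running process (native 64-bit PowerShell on a 64-bit installation).
$arch = if ([IntPtr]::Size -eq 8) { 'amd64' } else { 'x86' }

# Minimal answer file: only the specialize pass with CopyProfile=true. During the
# specialize pass Sysprep copies the logged-on user's profile over C:\Users\Default.
$unattendXml = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="$arch"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>
"@

Set-Content -Path $unattendPath -Value $unattendXml -Encoding UTF8

# Check before generalizing: a malformed file, or a CopyProfile that is not
# exactly "true", leaves you with an untouched default profile after the reboot.
function Test-CopyProfileAnswerFile([string]$Path) {
    try { $xml = [xml](Get-Content -Path $Path) } catch { return $false }
    foreach ($settings in @($xml.unattend.settings)) {
        if ($settings.GetAttribute('pass') -ne 'specialize') { continue }
        foreach ($component in @($settings.component)) {
            if ($component.GetAttribute('name') -eq 'Microsoft-Windows-Shell-Setup' -and
                $component.CopyProfile -eq 'true') { return $true }
        }
    }
    return $false
}

if (-not (Test-CopyProfileAnswerFile $unattendPath)) {
    throw "Answer file at $unattendPath does not set CopyProfile; Sysprep was not run."
}

# Same command as in step 4 of the procedure; the computer restarts into the
# out-of-box experience, after which steps 5 through 9 continue as described.
& (Join-Path $sysprepDir 'sysprep.exe') /oobe /reboot /generalize "/unattend:$unattendPath"
```

The check matters because Sysprep does not complain about an answer file that is well-formed but missing the element; you only discover the omission after the reboot, when the default profile is still the stock one.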
Configuring Shared User Accounts
In addition to configuring shared computers for employees, Ben is creating shared computers for
corporate guests. For these computers, users will share a single account named ByaGuest.
Maintaining the computers’ health and creating a consistent user experience are requirements.
Additionally, because users might leave personal information on shared computers (for example,
through cookies in Internet Explorer® 8), he needs to protect their privacy.
Ben needs Windows 7 to forget users’ changes after every user session. This includes any files
they saved in the Documents folder, any cookies that Internet Explorer 8 saved, and so on. The
simplest way to do that is to use a mandatory profile.
Ben can create a default user profile, as the previous section described, and then use that profile
as the basis for a mandatory profile. This will create one central user profile for all users. When
users log off of the computer, Windows 7 deletes their changes. Each time users log on to the
computer by using the shared account, they start with a new copy of the mandatory user profile.
Figure 3 Preparing a mandatory user profile
Figure 4 Assigning a mandatory user profile to a user account
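As an added example that is not part of the Microsoft document, the script below performs the two steps that Figures 3 and 4 illustrate from the command line: it turns a copy of the cleaned default profile into a mandatory profile and assigns that profile to the shared ByaGuest account. It assumes an elevated prompt on the shared computer and uses C:\Profiles as the profile location; that path is an assumption.

```powershell
# Added example, not part of the Microsoft document: turn the cleaned default
# profile into a mandatory profile and assign it to the shared ByaGuest account.
# Run elevated on the shared computer. C:\Profiles is an assumed location.

$source      = 'C:\Users\Default'                        # default profile produced by the Sysprep step
$profileRoot = 'C:\Profiles'
$folderName  = 'ByaGuest'
$mandatory   = Join-Path $profileRoot "$folderName.v2"   # Windows 7 profile folders need the .v2 suffix
$account     = 'ByaGuest'

New-Item -ItemType Directory -Path $mandatory -Force | Out-Null

# robocopy keeps the hidden and system attributes that the profile relies on.
robocopy $source $mandatory /E /COPYALL /XJ /R:1 /W:1 | Out-Null

# The .man extension is what makes the profile mandatory: Windows loads it at
# logon but discards every change at logoff, which is the behaviour Ben wants.
Rename-Item -Path (Join-Path $mandatory 'NTUSER.DAT') -NewName 'NTUSER.MAN' -Force

# Users only need to read the master copy. No write access, so no guest session
# can alter the profile that the next guest session starts from.
icacls $mandatory /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null

# Assign the profile. The path is given WITHOUT the .v2 suffix; Windows 7 adds it.
net user $account "/profilepath:$profileRoot\$folderName"

# Quick verification of the folder: hive renamed, no stray writable hive, .v2 name.
function Test-MandatoryProfile([string]$Folder) {
    (Test-Path (Join-Path $Folder 'NTUSER.MAN')) -and
    -not (Test-Path (Join-Path $Folder 'NTUSER.DAT')) -and
    ($Folder -like '*.v2')
}
Test-MandatoryProfile $mandatory
```

The permissions step is the one most often skipped: if Users can write to the folder, a guest can still tamper with the master copy even though Windows discards the per-session copy.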
Value Type Setting
AutoAdminLogon REG_SZ 1
Note
The Windows Sysinternals Suite includes a tool named Autologon that you can use to
configure computers to automatically log on to a specific account. The benefit of using
this tool is that it encrypts the password, whereas the values shown in Table 1 store the
password in plain text.
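The script below is an added example, not part of the Microsoft document, that audits a shared computer for the weakness the note describes: an Autologon password held in plain text in the Winlogon key, which any local user can read. The value names are the standard Winlogon values (AutoAdminLogon from Table 1, plus DefaultUserName, DefaultDomainName and DefaultPassword); when the Sysinternals Autologon tool was used, DefaultPassword is absent from the registry and the script reports that.

```powershell
# Added example, not part of the Microsoft document: audit a shared computer for
# an Autologon password stored in plain text. The Winlogon key is readable by
# standard users, so a DefaultPassword value there gives the shared account's
# password to anyone at the keyboard. The Sysinternals Autologon tool keeps the
# password outside the registry instead, so DefaultPassword is absent in that case.

function Get-AutologonExposure {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key

    $enabled   = ($p.AutoAdminLogon -eq '1')
    $plaintext = -not [string]::IsNullOrEmpty($p.DefaultPassword)

    $finding = if ($enabled -and $plaintext) {
        'Autologon password is readable from the registry; re-enter it with the Autologon tool'
    } elseif ($enabled) {
        'Autologon on; password is not stored in the registry'
    } else {
        'Autologon off'
    }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        AutoAdminLogon    = $enabled
        DefaultUserName   = $p.DefaultUserName
        DefaultDomainName = $p.DefaultDomainName
        PlaintextPassword = $plaintext
        Finding           = $finding
    }
}

# Cleanup for computers that were configured by hand: once the password has been
# re-entered through the Autologon tool, drop the plain-text value.
function Remove-PlaintextAutologonPassword {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ((Get-ItemProperty -Path $key).DefaultPassword -ne $null) {
        Remove-ItemProperty -Path $key -Name DefaultPassword
    }
}

Get-AutologonExposure | Format-List ComputerName, AutoAdminLogon, DefaultUserName, PlaintextPassword, Finding
```

Run Get-AutologonExposure across the shared computers before and after switching to the Autologon tool; the Finding field is the line to alert on. The password in a mandatory-profile guest account is low value on its own, but the same account usually has read access to the deployment share and other resources, so it should not be lying in a world-readable key.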
Note
Group Policy is enforceable only with standard user accounts. If you allow users to log on
to their computers as administrators, they can change or remove Group Policy settings
with minimal effort. However, Group Policy will reapply any settings that users change or
remove at the next refresh interval.
The second document in this set, Steady State Reference Document, describes a large number
of Group Policy settings that you can use to configure and restrict settings. It also maps
Windows SteadyState settings to the Group Policy settings that match them, to help you transition
from Windows SteadyState to native Windows 7 features.
Because Ben’s shared computers are domain-joined, he can configure GPOs in Active Directory,
and then apply those GPOs to multiple computers. The remainder of this section focuses on how
to configure local Group Policy objects (LGPOs) on shared computers that are running
Windows 7, replicating the way Windows SteadyState works. Local Group Policy objects are
stored on individual computers whether or not they are part of an Active Directory environment.
• User-Specific Local Group Policy. This LGPO applies user policy settings to a specific
local user.
Note
Using multiple LGPOs has an advantage over configuring a single LGPO. The single
LGPO applies settings to the computer and to all users who use the computer. So the
restrictions in the LGPO apply to local administrators, and these restrictions can prevent
administrators from maintaining the computer without first resetting the LGPO. Instead,
you can configure restrictions by using the non-administrators LGPO. This leaves
administrators free to maintain the computer while applying restrictions to standard users.
Blocking Applications
Windows SteadyState allows you to create a list of programs to block for each user. Windows 7
includes a more robust feature for controlling the applications that users can run: AppLocker (see
Figure 6). AppLocker works with the LGPOs and GPOs that are deployed in Active Directory, and
it provides a significant advantage for shared computer environments. AppLocker is supported by
the Windows 7 Enterprise and Windows 7 Ultimate operating systems.
AppLocker is more flexible than earlier tools for managing the applications that users can run,
including software restriction policies and Windows SteadyState. Instead of providing a list of
programs to block, AppLocker allows you to specify which applications users are allowed to run.
Doing so can make controlling applications easier because it allows you to prevent even unknown
applications from running on the computer.
Figure 6 Defining an AppLocker rule by using the Create Executable Rules Wizard
With AppLocker, you can:
• Define rules based on file attributes, such as the file’s digital signature, including the
publisher, product name, file name, or file version. For example, you can create a rule that
specifically allows any version of Adobe Acrobat Reader to run.
• Create exceptions to rules. For example, you can create a rule that allows all built-in
Windows programs to run except the Registry Editor (Regedit.exe), preventing users from
trying to make changes to the registry.
Creating AppLocker rules by using the Create Executable Rules Wizard is easy. You can learn
more about AppLocker on TechNet.
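As an added example that is not part of the Microsoft document, the script below builds the same kind of policy the Create Executable Rules Wizard produces, but directly in AppLocker's policy XML: built-in Windows programs are allowed except Regedit.exe (the exception described above), installed applications under Program Files are allowed, and administrators stay unrestricted so they can maintain the computer. The policy is test-run against sample files with Test-AppLockerPolicy before it is enforced. It assumes Windows 7 Enterprise or Ultimate and an elevated prompt; the temporary file path is an assumption, and the rule Ids are GUIDs generated when the script runs.

```powershell
# Added example, not part of the Microsoft document: an AppLocker executable-rule
# policy written as policy XML rather than through the wizard, test-run as a
# standard user, then loaded into the local GPO. Windows 7 Enterprise/Ultimate.

Import-Module AppLocker

$policyPath = Join-Path $env:TEMP 'SharedPC-AppLocker.xml'    # assumed location

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow built-in Windows programs"
                  Description="Shared PC" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow installed applications"
                  Description="Shared PC" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators unrestricted"
                  Description="Shared PC" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run as a standard user. A copy of Notepad in a user-writable folder stands
# in for an "unknown" program: no rule allows it, so AppLocker denies it by default.
$unknown = Join-Path $env:TEMP 'unknown.exe'
Copy-Item -Path (Join-Path $env:SystemRoot 'notepad.exe') -Destination $unknown -Force

$checks = @(
    (Join-Path $env:SystemRoot 'regedit.exe'),   # denied by the exception
    (Join-Path $env:SystemRoot 'notepad.exe'),   # allowed by the Windows folder rule
    $unknown                                     # denied: no matching rule
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $checks -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforce. AppLocker evaluates rules only while the Application Identity service
# runs; then load the policy into the local GPO (use -Ldap for a domain GPO).
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
```

The administrators rule deserves attention for the same reason the note on LGPOs gave earlier: AppLocker rules live under Computer Configuration and apply to every account, so a policy without it locks administrators out of maintaining the computer. Keep the policy in audit mode (EnforcementMode="AuditOnly") on a pilot computer first and review the AppLocker event log before switching to Enabled.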
Scheduling Updates
Ben’s requirements include keeping computers healthy and protecting users from security risks. A
key way Ben can do that is by applying security updates regularly. One option is to manually
configure Automatic Updates. To do that, he simply clicks Start, types windows update, and clicks
Windows Update. Then, he clicks Change settings and chooses which type of updates to install
and when to install them.
To configure Automatic Updates for shared computers, Ben can use Group Policy settings.
Because Blue Yonder Airlines uses Windows Server Update Services (WSUS) to install Windows
updates, Ben will create a GPO in Active Directory that configures his shared computers to
automatically download and install approved updates from WSUS.
You can also configure an LGPO or a GPO in Active Directory to automatically download and
install updates from Windows Update. As shown in Figure 7, Windows Update settings are
located at:
Computer Configuration\Administrative Templates\Windows Components\Windows Update
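The script below is an added example and is not part of the Microsoft document. It shows the registry values that a GPO or LGPO writes under HKLM\SOFTWARE\Policies when the Windows Update policies at the path above are configured to download and schedule installation of approved updates from WSUS, and a check you can run on a shared computer to confirm the policy actually applied. The WSUS URL and the function names are placeholders and assumptions for this example.

```powershell
# Added example, not part of the Microsoft document: the registry-backed form of
# the Windows Update policies (Specify intranet Microsoft update service location,
# Configure Automatic Updates) and a check that a shared computer received them.
# The WSUS URL is a placeholder. In production, set the values through the GPO;
# writing them directly is for a lab or an LGPO-only computer.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Set-PolicyValue($Path, $Name, $Value, $Type) {
    # New-ItemProperty -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-SharedPcUpdatePolicy {
    param(
        [string]$WsusUrl = 'http://wsus.example.invalid:8530',   # placeholder server
        [int]$InstallHour = 3                                    # install at 03:00 local time
    )
    New-Item -Path $auKey -Force | Out-Null

    # Specify intranet Microsoft update service location
    Set-PolicyValue $wuKey 'WUServer'       $WsusUrl 'String'
    Set-PolicyValue $wuKey 'WUStatusServer' $WsusUrl 'String'
    Set-PolicyValue $auKey 'UseWUServer'    1        'DWord'

    # Configure Automatic Updates: option 4 = auto download and schedule the install
    Set-PolicyValue $auKey 'NoAutoUpdate'         0            'DWord'
    Set-PolicyValue $auKey 'AUOptions'            4            'DWord'
    Set-PolicyValue $auKey 'ScheduledInstallDay'  0            'DWord'   # 0 = every day
    Set-PolicyValue $auKey 'ScheduledInstallTime' $InstallHour 'DWord'
}

# $true when updates install without user involvement. Standard users cannot undo
# this: the Policies branch is writable only by administrators and Group Policy,
# which is why these updates survive in a way a user-changed setting would not.
function Test-SharedPcUpdatePolicy {
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if ($au -eq $null) { return $false }
    $autoInstall = ($au.NoAutoUpdate -ne 1) -and ($au.AUOptions -eq 4)
    $wsusOk = ($au.UseWUServer -ne 1) -or
              (($wu -ne $null) -and -not [string]::IsNullOrEmpty($wu.WUServer))
    $autoInstall -and $wsusOk
}

Set-SharedPcUpdatePolicy -WsusUrl 'http://wsus.example.invalid:8530' -InstallHour 3
Test-SharedPcUpdatePolicy
```

On a domain-joined computer, values written directly to the Policies branch are replaced at the next Group Policy refresh by whatever the GPO says, so Test-SharedPcUpdatePolicy is the useful half there: run it after gpupdate to confirm Ben's GPO landed on the shared computers.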
To do that, Ben can use Group Policy preferences in the Group Policy Management Console. In
Figure 8, you see how Ben uses registry items in Group Policy preferences to configure
Autologon in Windows 7. (LGPOs do not support Group Policy preferences.) By using Group
Policy preferences, Ben can configure settings for applications that do not support Group Policy.
Also, he can configure these settings and allow users to change them, or he can enforce them
each time Group Policy refreshes. To learn more about Group Policy preferences, see Group
Policy Preferences Overview.
changing them. Group Policy refreshes policy settings every 90 minutes, by default, but this time
can be configured by a Group Policy administrator.
In contrast to Group Policy settings, Group Policy preferences are not strictly enforced. Group
Policy does not store preferences in the Policy branches of the registry. Instead, it writes
preferences to the same locations in the registry that the application or operating system feature
uses to store the settings. The implications of this include:
• Group Policy preferences support applications and operating system features that are not
compatible with Group Policy.
• Group Policy preferences do not cause the application or operating system feature to
disable the user interface for the settings they configure.
The result is that when you deploy Group Policy preferences, users can change the settings. By
default, Group Policy refreshes preferences at the same interval as Group Policy settings.
However, you can prevent Group Policy from refreshing individual preferences by choosing to
apply them only once. Doing so configures the preference one time and allows the user to
change it.
Group Policy filtering is substantially different from Group Policy preference item-level targeting.
You filter GPOs using WMI filters, and those filters determine whether Group Policy applies to the
entire GPO. You cannot filter individual policy settings within a GPO. Of course, you can create
GPOs based upon your filtering requirements to work around this limitation, but that might lead to
a large set of GPOs to manage. On the other hand, Group Policy preferences support item-level
targeting—you can target individual preference items within a GPO. For example, a single GPO
can contain two preference items, both of which configure power policies. You can target the first
preference item at desktop PCs and the second at mobile PCs. Additionally, whereas Group
Policy filtering requires you to write sometimes complex WMI queries, item-level targeting
provides a friendly user interface.
System Restore
System Restore is a Windows 7 feature that helps users quickly recover from problems. System
Restore saves snapshots of the system at key points, such as before installing an application or
device driver. Users can recover from a problem by restoring the operating system to one of
these snapshots.
Although scripting is beyond the scope of this document, it is possible to use System Restore to
simulate the functionality of Windows Disk Protection. The TechNet Script Center Repository
contains a number of scripts for automating System Restore. You can use these scripts to
assemble a solution that creates a snapshot during installation, and then restores the computer to
that snapshot when the user logs off of the computer.
System Restore does not restore users’ files; however, combining System Restore with
mandatory user profiles can almost completely reset a computer between each user session.
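As an added example that is not part of the Microsoft document (the text leaves scripting out of scope), the script below uses the System Restore cmdlets that ship with Windows 7 and PowerShell 2.0 to approximate Windows Disk Protection: one function records a baseline restore point after the computer is configured, the other rolls the computer back to it. It assumes the rollback function is run by a scheduled task under the SYSTEM account when the guest session ends (how that task is triggered is outside this example), and the file that stores the baseline sequence number is an assumed location.

```powershell
# Added example, not part of the Microsoft document: approximate Windows Disk
# Protection with the System Restore cmdlets in Windows 7 (PowerShell 2.0).
# New-SharedPcBaseline runs once, elevated, after setup; Restore-SharedPcBaseline
# runs from a SYSTEM task at the end of each guest session (trigger assumed).

$baselineFile = 'C:\ProgramData\SharedPC\baseline.txt'   # assumed location
$description  = 'SharedPC baseline'

function New-SharedPcBaseline {
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS
    # Keep the newest point with our description; its sequence number is what
    # Restore-Computer needs later.
    $point = Get-ComputerRestorePoint |
             Where-Object { $_.Description -eq $description } |
             Sort-Object SequenceNumber | Select-Object -Last 1
    New-Item -ItemType Directory -Path (Split-Path $baselineFile) -Force | Out-Null
    Set-Content -Path $baselineFile -Value $point.SequenceNumber
    $point.SequenceNumber
}

# System Restore purges old points to free disk space, so the recorded baseline
# is checked before use. A missing baseline is something to alert on and fix,
# not a reason to restore to whatever point happens to be newest.
function Restore-SharedPcBaseline {
    if (-not (Test-Path $baselineFile)) { throw "No baseline recorded at $baselineFile" }
    $seq   = [int](Get-Content -Path $baselineFile)
    $point = Get-ComputerRestorePoint | Where-Object { $_.SequenceNumber -eq $seq }
    if (-not $point) { throw "Baseline restore point $seq no longer exists; run New-SharedPcBaseline" }
    Restore-Computer -RestorePoint $seq -Confirm:$false   # restarts the computer
}

New-SharedPcBaseline
```

Two consequences follow from what System Restore covers. It rolls back system files and the registry but not users' files, which is why the text pairs it with mandatory profiles. It also rolls back updates installed after the baseline, so the baseline must be recreated after each scheduled update window or the computer will keep undoing its own patches; Windows Disk Protection handled that interaction for you, and here it is your job.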
5. Schedule a task on the shared computers to automatically start installation each night,
making sure to include the credentials of a local administrator account that has access to the
deployment shared resource. Because each new installation will not have the scheduled task,
Ben will use Group Policy preferences to automatically schedule the installation task.
Alternatively, you can write a script to schedule the installation task.
Figure 9 Exporting an account by using Windows Easy Transfer
6. In the Password box, type a password with which to protect the exported account,
files, and settings. In the Confirm Password box, retype the password, and then click
Save.
7. In the Save Your Easy Transfer File dialog box, type the path and name of the Easy
Transfer File that you want to use for exporting the account. Then, click Save.
8. Click Next, click Next, and then click Close.
Use the following procedure on the computer to which you want to apply the account.
7. Click Close.
Additional Information
• AppLocker on TechNet
• Group Policy
• Group Policy Preferences Overview
• How to customize default user profiles in Windows 7 and in Windows Server 2008 R2
• Microsoft Deployment Toolkit (MDT) 2010
• Microsoft Download Center
• Microsoft Virtualization
• Windows Automated Installation Kit for Windows 7
• Windows SteadyState