Monday, March 30, 2009

Public PC Restrictions Without SteadyState

I have come to dislike Windows SteadyState.  The version I was running on some XP boxes was not compatible with Windows Service Pack 3 for Windows XP and the only way to remove SteadyState was to format the hard drive and reinstall.  But I still need to apply restrictions on public stations that are part of a Workgroup instead of a Domain.  A Domain enables you to use the powerful Group Policy environment.  I love it.  But there are places I cannot put a server, so what to do?  Do this.  It’s a somewhat complicated process, so you should be pretty familiar with Windows XP to set this up.

This is on a new install of a fully updated post-SP3 Windows XP Professional box.  I have a public user named “pub”.  I have a workstation management user called “exec”.  And I also use the built-in Administrator account.  Both “exec” and “administrator” are members of the Administrator’s Local Group.  The user “pub” is a member of the Users Group.  As you’ll see, we need all three accounts.

There are a number of Group Policy settings included with the XP Pro install.  To these we need to add the restrictions found in Windows SteadyState.  All SteadyState restrictions are on the User side, not the Computer side.  You’ll soon see what that means.  Keep in mind that what we are doing with this step is making these restrictions available for configuration.  We are not here turning them on or off.

First, we need to get the Administrative Template included with Windows SteadyState.  The most obvious technique is to install SteadyState on a box and grab the file.  The file you are looking for is c:\Program Files\Windows SteadyState\ADM\SCTsettings.adm.  A much cleaner solution is to extract the file “SCTsettings.adm” right from the SteadyState MSI installation file.  Search on “msiexec” to find out how to extract the file without having to install SteadyState.

Next we want to put this file where it belongs.  On the PC we are going to lock down, put SCTsettings.adm in the c:\windows\system32\grouppolicy\adm folder.  Open the admfiles.ini file in that folder for editing.  Add a line for the SCTsettings.adm file ending in 1 like the other lines.

Reboot.  Log on as Administrator.  Run gpedit.msc at the Run line.  In the left pane, note that there is a folder at the path “User Configuration – Administrative templates – All Windows SteadyState Restrictions”.  In this folder are all the same restrictions you find in Windows SteadyState and you don’t have to worry about pulling all your hair out dealing with a SteadyState problem sometime down the road.
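The copy and the admfiles.ini edit that come before the reboot can be scripted so they are repeatable across stations. The batch file below is an added example, not part of the original post; it assumes admfiles.ini holds a single [FileList] section of name=1 lines, and the backup location is a choice made for the example.

```batch
@echo off
rem Added example: register SCTsettings.adm for the local Group Policy editor.
rem Usage (as an administrator):  thisscript.cmd "D:\extracted\SCTsettings.adm"
rem Assumption: admfiles.ini has one [FileList] section, so an appended line lands in it.
setlocal
set "SRC=%~1"
set "ADMDIR=%SystemRoot%\system32\GroupPolicy\Adm"
set "INI=%ADMDIR%\admfiles.ini"
set "BAK=%TEMP%\admfiles.ini.bak"

if "%SRC%"=="" goto usage
if not exist "%SRC%" goto nosrc
if not exist "%INI%" goto noini

rem Put the template next to the built-in .adm files.
copy /y "%SRC%" "%ADMDIR%\SCTsettings.adm" >nul
if errorlevel 1 goto copyfail

rem Idempotent: leave the ini alone when an entry is already present.
findstr /i /l /b /c:"SCTsettings.adm=" "%INI%" >nul
if not errorlevel 1 goto present

rem Back up, then append. The blank line guards against a last line with no newline.
copy /y "%INI%" "%BAK%" >nul
>>"%INI%" echo.
>>"%INI%" echo SCTsettings.adm=1

rem Confirm the entry was written before rebooting.
findstr /i /l /b /c:"SCTsettings.adm=1" "%INI%" >nul
if errorlevel 1 goto writefail
echo Added SCTsettings.adm=1 to "%INI%". Backup saved as "%BAK%".
exit /b 0

:present
echo "%INI%" already lists SCTsettings.adm. Nothing to add.
exit /b 0
:usage
echo Usage: %~nx0 path\to\SCTsettings.adm
exit /b 1
:nosrc
echo Source file not found: "%SRC%"
exit /b 1
:noini
echo "%INI%" not found. Nothing changed.
exit /b 1
:copyfail
echo Could not copy the template into "%ADMDIR%".
exit /b 1
:writefail
echo Could not update "%INI%". Check its attributes and permissions.
exit /b 1
```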

But we’re not finished yet.  How are we going to apply these restrictions to only one specific user on this PC?  Not being the brightest crayon in the box, I didn’t know.  So I googled it.  To solve that problem, I will simply point you to www.theeldergeek.com/gp07.htm.  He solves it using permissions.  I have made one change from his description.  I modify permissions on the “User” folder in the “GroupPolicy” folder rather than the “GroupPolicy” folder itself.  All SteadyState restrictions are User restrictions, so as long as you are making only SteadyState restrictions, you only need to deny access to the “User” folder.

There is one last clue.  If you don’t find the Security tab where you expect it, as per the elder geek’s instructions, turn off “Simple File Sharing”.  Open Windows Explorer, go to Tools – Folder Options – View, scroll to the bottom of the list and you’ll see the checkbox.

Now here is how my procedure works.  I set “pub” to log on automatically.  The restrictions are applied and the user is restricted.  When I want to change a restriction, I log on as “Administrator” and make changes using gpedit.msc.  If the administrator is blocked from accessing that tool, then the only option is to use the technique described at the end of the elder geek’s description.  For all administration that doesn’t involve changing these restrictions, I use the “exec” logon.

OK, so that is how you would apply and manage restrictions on a public workgroup XP station.  What restrictions should you apply?  I’ll talk about that in the next blog.