<div dir="ltr">Oh boy. It sounds like you're in for a "treat". I don't envy your situation.<div><br></div><div>I've started using Windows 8 on my patron/staff computers myself. The patron computers all authenticate to Active Directory and get their group policies for the computers and the users from there. That's a lot easier to manage than individual computers with local policies configured. In this configuration, you can have a Patron user defined in AD, with a set of policies that configure the patron user profile just the way you want it, but you can also log in as an admin level user that doesn't have the same restrictions that the patron user has. No need to temporarily enable/disable various policy settings to do your workstation management, plus you can tweak the patron policies centrally and have them apply all at once to all patron profiles/computers.</div>
<div><br></div><div>The way I typically configure the patron computers is all via group policies. From the patron's viewpoint, they walk up to a computer and see a blank screen with a single message saying something like, "I agree to the library's AUP and not do anything stupid or illegal, yada, yada." and an OK button. At this point, the computer is NOT logged in locally to Windows OR the domain. The patron can only click on the OK button, which then automatically logs the computer into the domain as Patron user, but using a temporary local non-roaming user profile with user policies defined and pulled from AD.</div>
<div><br></div><div>The patron is free to do whatever he/she can do on the computer and generally just walks away from the computer when done. The computer is configured to <u>reboot</u> after 15 minutes of idle when logged in. Rebooting between patrons is default and encouraged because it causes Deep Freeze to reset the computer back to a known safe state.</div>
<div><br></div><div>That's all done via Computer and User group policies tailored for the patron computers. Further, with Windows 8 computers, I try to minimize use of the Metro/Modern/Ugly user interface. When clicking on the "Start Menu", it displays the full list of programs installed, rather than showing the Tiles first. I configure Internet Explorer to use the normal desktop version rather than the touch-screen version. Same for pdf viewer. As much as I can, I use GP to try to limit being unexpectedly jarred back and forth between the desktop and Modern/Metro UI. It seems to help quite a bit for the patrons if they are kept in the desktop interface.</div>
<div><br></div><div>When it comes to administering the workstation, I leverage GP to do it centrally. For local workstation needs, it's slightly inconvenient, but not too bad: Click on OK to accept the AUP and log in as Patron user. Then disable Deep Freeze and reboot. Then click OK again to log in as Patron user, then log out. On a log out, the option to log in as a different user is available (as opposed to auto logging in as patron user). I usually then log in as a local administrative user, but could also log in as an AD user if I needed access to network files. When done admining the workstation, re-enable Deep Freeze and reboot.</div>
<div><br></div><div>It's a pretty nice/tidy setup using pretty much nothing but GP. No scripts or third party software required. The staff particularly like the library's AUP (or references it rather) being right there every time a new patron wants to use the computer. It's unavoidable.</div>
<div><br></div><div>When it comes to working with GP on a new OS (Windows 8 for instance), I generally start by working with a very, very virgin Windows computer. I then do NOTHING (as absolutely little as possible) but attach it to the domain. I then will log it in as my Patron AD user and see what happens. For every window that pops up, every feature that I see that I want to make a change for, I find the GP that will do it for me. If I can't find a GP for the feature I want to adjust or the window that pops up, I'll Google for a registry key or some other solution that I can apply via GP. Usually there is something that you can plug into GP to get the job done. I'll test and incrementally build up a GP that can take a virgin computer/account and have it completely configured the way I want it with almost NO adjustments at all that have to be made manually.</div>
<div><br></div><div>A lot of how I develop the GP is basically, "It would be nice if I didn't have to do X every time." or "It would be nice if it would do X for the patron every time they use the computer." or "I don't want the patron to be able to do X..." etc. ...and then just find the policy or reg entry that will make it so.</div>
<div><br></div><div>It's also very beneficial to have a virgin Windows test computer that's either frozen with Deep Freeze or is virtualized (and frozen with DF or whatever method provided with the hypervisor). This way you can use your same virgin install over and over again to test each feature change you make with GP. That's hugely beneficial.</div>
<div><br></div><div>HTH,</div><div>Chad</div><div><br></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div>______________________________<br><b>Chad Neeper</b><br><font size="1">Senior Systems Engineer</font><br>
<br><b>Level 9 Networks</b><br><font size="1">740-548-8070 (voice)<br>866-214-6607 (fax)</font><br><br><font size="1"><i>Full LAN/WAN consulting services -- Specialized in libraries and schools</i></font><br></div>
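As an added example (not Chad's own configuration or any script from the list), the PowerShell audit below reads the registry settings behind the "AUP notice, click OK, logged on as Patron" screen he describes and reports the two things a defender wants confirmed before deploying it: that the autologon password is not sitting in the world-readable Winlogon key in plaintext, and that the autologon account is not a local administrator. It assumes PowerShell 5.1 or later for Get-LocalGroupMember; on Windows 8 itself, substitute the output of `net localgroup Administrators` for that call.

```powershell
# Audit the Winlogon and legal-notice settings behind a "click OK on the
# AUP, get logged on as Patron" kiosk. Added example, not from the post.
# Assumes PowerShell 5.1+ (Get-LocalGroupMember); the account name is read
# from the registry rather than assumed.
function Test-PatronAutologon {
    $winlogon = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policy   = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $findings = New-Object System.Collections.Generic.List[string]

    # The AUP screen is the "Interactive logon: Message text for users
    # attempting to log on" policy, stored as legalnoticecaption/-text.
    if ([string]::IsNullOrWhiteSpace($policy.legalnoticetext)) {
        $findings.Add('No legal notice text: patrons never see the AUP.')
    }

    $autologon = ($winlogon.AutoAdminLogon -eq '1')
    $account   = $null
    if ($autologon) {
        $account = '{0}\{1}' -f $winlogon.DefaultDomainName, $winlogon.DefaultUserName

        # DefaultPassword under Winlogon is a plaintext REG_SZ readable by
        # every local user. Tools that store it as an LSA secret instead
        # leave this value absent, so its presence is a finding.
        if ($null -ne $winlogon.DefaultPassword) {
            $findings.Add("Plaintext DefaultPassword present for $account.")
        }

        # The walk-up account must not be a local administrator, or the
        # OK button hands every patron an admin desktop.
        $admins = Get-LocalGroupMember -Group 'Administrators' |
                  Select-Object -ExpandProperty Name
        if ($admins -contains $account) {
            $findings.Add("$account is in the local Administrators group.")
        }
    }

    [pscustomobject]@{
        AutologonEnabled   = $autologon
        AutologonAccount   = $account
        LegalNoticeCaption = $policy.legalnoticecaption
        Findings           = $findings.ToArray()
    }
}

Test-PatronAutologon | Format-List
```

Run it from an elevated prompt on a frozen test machine after each GP change; an empty Findings array is the state to aim for before thawing Deep Freeze and rolling the policy out.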
<br><br><div class="gmail_quote">On Mon, Jul 7, 2014 at 12:14 PM, Tyson Horton <span dir="ltr">&lt;<a href="mailto:tyson@mywcpl.org" target="_blank">tyson@mywcpl.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal">This goes out to anyone using Group Policies to lock down their computers. Our old IT guy has all of the public computers here locked down using Group Policy. Our new computers are all Windows 8. Looking for your input, if you are using group policy, as to how you have yours set up. I’ve not done much with group policies, so any help would be appreciated. From what I can see, it’s a pain to go in and disable all of them to be able to make changes to the computer if necessary, unless I am missing something that makes it quicker to undo them? Steve left abruptly, so I was never shown what he did exactly. I’ve just been figuring it out on my own. If someone has a good list of things to Enable/Disable, that would be greatly appreciated! Or other means to keep users from making changes and/or getting into things they shouldn’t…</p>
<p class="MsoNormal"><span style="font-size:18.0pt;font-family:'Brush Script MT';color:blue">Tyson Horton</span></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:Arial,sans-serif;color:blue">Systems Administrator</span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:Arial,sans-serif;color:blue">Williams County Public Library</span></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:Arial,sans-serif;color:blue">107 East High Street</span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:Arial,sans-serif;color:blue">Bryan, OH 43506</span></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:Arial,sans-serif;color:blue"><a href="tel:419-636-6734" value="+14196366734" target="_blank">419-636-6734</a> (voice)</span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:Arial,sans-serif;color:blue"><a href="tel:419-630-0408" value="+14196300408" target="_blank">419-630-0408</a> (fax)</span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:Arial,sans-serif;color:blue"><a href="http://www.mywcpl.org/" target="_blank"><span style="color:purple">www.mywcpl.org</span></a></span></p>
</div></div><br>_______________________________________________<br>
OPLINTECH mailing list<br>
<a href="mailto:OPLINTECH@lists.oplin.org">OPLINTECH@lists.oplin.org</a><br>
<a href="http://lists.oplin.org/mailman/listinfo/oplintech" target="_blank">http://lists.oplin.org/mailman/listinfo/oplintech</a><br>
<br>
<br></blockquote></div><br></div>