A business has a kiosk computer located in the lobby for customers to use. The kiosk computer has recently been updated to Windows 7 from Windows XP and is not part of a domain. The local computer policy created for Windows XP has been applied to Windows 7. This policy severely restricts the use of the computer, so that customers can only use the Web browser.

Occasionally, an administrator needs to log on to the kiosk computer to perform maintenance and update software. However, this is awkward because the administrator needs to disable settings in the local policy before performing any task. Then, when the tasks are complete, the administrator needs to re-enable the settings in the local policy. Explain how this system can be improved upon when using Windows 7.


To improve the system when using Windows 7, you can make use of Group Policy Preferences (GPP) along with security filtering. Here's a step-by-step guide on how to do it:

1. Open the Local Group Policy Editor by pressing the Windows key + R, typing "gpedit.msc" in the Run dialog box, and hitting Enter.

2. Navigate to "Computer Configuration" > "Preferences" > "Control Panel Settings" > "Local Users and Groups".

3. Right-click in the empty space and choose "New" > "Local Group".

4. In the "Group Name" field, enter a name for the group (e.g., "Kiosk Administrators"), and click "Add".

5. Add the administrator account(s) that will require access to the kiosk computer for maintenance, updates, etc. Click "OK" when done.

6. Under the "Members" tab, add the desired user(s) to this group by clicking "Add" and selecting the user(s). Click "OK" when done.

7. Now, still in the Local Group Policy Editor, navigate to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "User Rights Assignment".

8. Double-click on "Deny log on locally" to open its properties.

9. Click the "Add User or Group" button and enter the group name you created in step 4 ("Kiosk Administrators").

10. Click "OK" to add the group to the deny list, which will prevent those users from logging on to the kiosk computer.

11. Close the Local Group Policy Editor.

Now, whenever an administrator needs to perform maintenance or update tasks on the kiosk computer:

1. Open the Local Group Policy Editor using steps 1 and 2 mentioned above.

2. Navigate to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "User Rights Assignment".

3. Double-click "Deny log on locally" to open its properties.

4. Remove the group you created in step 4 ("Kiosk Administrators") from the deny list by clicking "Remove".

5. Close the Local Group Policy Editor.

After completing the necessary tasks:

1. Follow steps 1-5 above to add the group back to the deny list.

2. Close the Local Group Policy Editor.

By following this approach, you can avoid the need to manually disable and re-enable settings in the local policy every time an administrator needs to access the kiosk computer.
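The "Deny log on locally" entry that the answer above adds and removes by hand can be checked after each maintenance session from a user-rights export; this is an added example, not part of the original answer. It assumes the text comes from `secedit /export /cfg <file> /areas USER_RIGHTS`; the sample export and the function names are constructed, and the group name is the one used in the answer.

```python
import re

# Constructed sample of a secedit USER_RIGHTS export (not taken from a real kiosk).
# Real exports often list accounts as *SID instead of by name.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest,Kiosk Administrators
[Version]
signature="$CHICAGO$"
Revision=1
"""

DENY_LOCAL_LOGON = "SeDenyInteractiveLogonRight"  # constant behind "Deny log on locally"


def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def is_denied_local_logon(inf_text, principal):
    """True if principal (account name or SID) is listed under Deny log on locally."""
    denied = parse_privilege_rights(inf_text).get(DENY_LOCAL_LOGON, [])
    wanted = principal.lstrip("*").casefold()
    return any(p.lstrip("*").casefold() == wanted for p in denied)


def lockdown_restored(inf_text, group="Kiosk Administrators"):
    """After maintenance the group must be back on the deny list.
    A missing SeDenyInteractiveLogonRight line means nobody is denied."""
    return is_denied_local_logon(inf_text, group)


if __name__ == "__main__":
    print("deny entry present:", lockdown_restored(SAMPLE_EXPORT))
```

If the export lists the group as a SID, pass that SID as `group`, since the function compares strings and does not resolve names.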

To improve the system when using Windows 7 on the kiosk computer, there are a few steps you can take:

1. Create a separate user account for the administrator: Instead of using the administrator account directly on the kiosk computer, create a separate user account specifically for the administrator's tasks. This will help to maintain security and prevent unauthorized access.

2. Assign appropriate permissions to the administrator account: Ensure that the administrator account has the necessary permissions to perform maintenance and update software. This can be done by adding the administrator account to the appropriate user groups, such as the Local Administrators group.

3. Use Group Policy to manage restrictions: Instead of relying solely on the local computer policy, which can be cumbersome to enable and disable, leverage Group Policy to manage restrictions on the kiosk computer. Group Policy allows you to centrally manage and apply settings to multiple computers in a domain.

4. Create an Organizational Unit (OU) for the kiosk computer: If the kiosk computer is not part of a domain, you can create an OU specifically for the kiosk computer in the Local Security Policy. This will allow you to apply specific policies and restrictions to the computer without affecting other devices.

5. Configure Group Policy for the OU: Within the OU, configure Group Policy objects to enforce the desired restrictions for the kiosk computer. You can use Group Policy settings to limit access to specific applications, control user rights, and restrict access to system settings.

6. Enable Group Policy loopback processing: By enabling loopback processing, you can ensure that the applied Group Policy settings take effect regardless of the user account logged into the kiosk computer. This eliminates the need to disable and re-enable local policies when the administrator needs to perform tasks.

By following these steps, you can create a more efficient and manageable system for the administrator to perform maintenance tasks on the kiosk computer while maintaining the necessary restrictions for customer use.