I've been busy visiting my friends down east in Halifax for the eastern stop of the IO tour (more on that visit later). I always mention to the audience whenever I speak that I am looking for stories to share with the greater Canadian IT Professional community. I encourage you to email me your post suggestions / complete posts and I will put them up.
One came in a while ago from Todd Lamothe, a member of the Ottawa Windows Server UserGroup study group who just recently passed his first exam as a result of participating in the group. Congrats Todd!
I met Todd at an Ottawa event and also through the Ottawa UG. He wrote to me in order to share his experiences with implementing the Shared Computer Toolkit in his workplace. This is rather timely, since last week (or was it the week before) the Shared Computer Toolkit turned 1. The Beta of V2 is getting ready to go. Vista support? Stay tuned!
have a read!
I just wanted to share my experience using the Microsoft Shared Computer Toolkit with you.
I just started a new position the first week of August with the County of Lennox and Addington in the Information Services Department and my first project was to roll out 30 new computers for our branch libraries which are used mainly for library patron’s to look up library books and use the Internet. I remembered reading on your blog back in April or May about the Microsoft Shared Computer Toolkit and I thought I would give it a try. The libraries had been using Deep Freeze and Disk Sherriff to protect against disk changes, but there was no operating system lockdown as the computers are stand-alone computers.
I built my computer up with the operating system and installed any desired software then downloaded the toolkit. The toolkit walked me through step by step what I needed to do lock down the computer and enable disk protection.
Basically you install the toolkit on the computer you want to lock down. If you wish to use the Disk Protection which prevents unauthorized changes to files on the hard disk, you must have free space at the end of the partition totaling 1GB or 10% of the windows partition, whichever is greater and the disk type must be basic. (There are some other rules as well, the manual spells them all out)
Then log in a with the user account you plan to use as your shared computer user. Open up all the programs you plan on making available to this user, accept all EULA and configure the programs how you want them to run. Add any printers or other devices you need the user to access. Log out and back in with the account you used to install the toolkit. You can then if you want configure the Users Start Menu and the All Users Start Menu.
Next lock down the profile of the user that will be using the shared computer. It has some recommended restrictions. I used most if not all of the recommendations. Then log back in as the restricted account and see if everything still works the way you expect. At this point in the process, I sys-prepped. Once I was done I logged back in as the toolkit admin and locked down the hard drive. This needed a couple of reboots and there I was all done and going.
It was really straightforward and easy to setup and implement. I also followed the advice of the guide and moved the swap file and log files to a non-protected storage. This way I could see the history of the logs without them being overwritten by disk protection on reboot. A nice feature for when you enable Disk Protection, you can set it up to reboot at a specified time with protection off so that antivirus updates and windows updates can download and install automatically. This really helps me out as I don't need to visit all the computers (which are in 10 locations) on regular basis to provide updates.
Once you do get this up and going, it is important to remember to lock out the ability to boot off any removable media (cdrom, USB key, floppy, etc.) as that is a way users can get around this security. But definitely a great tool for schools, libraries, information kiosks, I could even see it use on production line computers; basically anywhere you have computers that you don’t want getting messed up.
Rick, I am glad you blogged about it otherwise I might not have even been aware of its existence.
Todd Lamothe, MCP
Information Services, County of Lennox & Addington