Thursday, May 13, 2010

Turn an existing Windows XP system into a VMware View Terminal, part 2: Push the View Client MSI

Today I'm beginning to set up the Group Policy side of things. Your OU structure may differ, but in mine, I have an OU that will contain only workstations that will get "Thin Client"-ized. There are a couple of settings that will help us push this out to any workstations in the OU.

If you haven't already, go ahead and create the user that will ultimately be your "limited access" user that automatically logs in to these workstations. We'll do some configuration in the next step, but the user needs to exist for the group policy settings below.

If you're using a new OU (I'd recommend it), you'll need to create a new GP Object and link it to your OU. This is easiest in Group Policy Management (available for download from Microsoft). Right-click the OU and click "Create and Link new GPO Here". Give it a good name--remember that GP objects are linked at the OU level, but they all exist in a flat structure in the Directory.

Right-click your new GPO and click Edit. Then go into Computer Configuration/Software Settings and add a new package. Browse for the MSI you created in step 1. Select "Advanced" as the deployment method and click OK. In the package properties window, go to Deployment and check "Install this application at Logon" (if this is greyed out, click on "Assigned" even though it's already selected--it'll ungrey the option). Then click OK.

Here are the other settings that we need to change:

Computer Configuration\Security Settings\Local Policies\User Rights Assignment
Add your limited access user to these rights: Load and Unload Device Drivers, Shut down the system. You'll probably want to add your Domain Admins group as well, otherwise your limited access user may be the only one who can shut these computers down. (Note: The Device Drivers item isn't related to Shutdown, and might not be necessary at all--I am using it just in case it's needed later for the USB passthrough.)

Administrative Templates\Network\Network Connections
Enable the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy.
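
Because the User Rights Assignment policy replaces the local list of holders, and Load and Unload Device Drivers lets its holder load kernel-mode code, it is worth checking on a workstation who actually ends up with the two rights. The following is an added example, not part of the original post; the SIDs, the `$LimitedUserSid` and `$DomainAdmins` variables and both function names are constructed for illustration.

```powershell
# Added example. All SIDs below are constructed; replace with your own.
$LimitedUserSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # hypothetical limited user
$DomainAdmins   = 'S-1-5-21-1111111111-2222222222-3333333333-512'   # Domain Admins (RID 512)

# Parse the [Privilege Rights] section of a secedit export into right -> holders.
function Get-PrivilegeRights {
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Holders are comma-separated; SIDs carry a leading '*'.
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

# Report, per right, whether the limited user holds it and who else does unexpectedly.
function Test-ThinClientRights {
    param([hashtable]$Rights, [string]$LimitedUser, [string[]]$Expected)
    foreach ($priv in 'SeLoadDriverPrivilege', 'SeShutdownPrivilege') {
        $holders = @(if ($Rights.ContainsKey($priv)) { $Rights[$priv] })
        New-Object PSObject -Property @{
            Privilege   = $priv
            LimitedUser = ($holders -contains $LimitedUser)
            Unexpected  = @($holders | Where-Object { $Expected -notcontains $_ })
        }
    }
}

# Constructed sample of an export after the GPO applies, with
# BUILTIN\Users (S-1-5-32-545) left on the driver right by mistake.
$sample = @(
    '[Unicode]', 'Unicode=yes', '[Privilege Rights]',
    "SeLoadDriverPrivilege = *$LimitedUserSid,*$DomainAdmins,*S-1-5-32-545",
    "SeShutdownPrivilege = *$LimitedUserSid,*$DomainAdmins",
    '[Version]', 'signature="$CHICAGO$"'
)
# On a workstation, replace $sample with the live export:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $sample = Get-Content "$env:TEMP\rights.inf"
Test-ThinClientRights (Get-PrivilegeRights $sample) $LimitedUserSid @($LimitedUserSid, $DomainAdmins)
```

Holders are compared by SID, so any account the export lists by name instead of SID shows up under Unexpected and needs a manual look.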

We'll be back in this policy in the next step to set up the Automatic Logon for computers in this OU.
