locked
SteadyState

  • Question

  • Can a group of computers be unlocked from a central location, that are locked down with SteadyState?
    Tuesday, May 19, 2009 3:03 PM

Answers

  • Hi heardm, thanks for the post. Do you mean you want to disable the restrictions on the computers from one computer? If this is the case, I recommend using SCTSettings.adm to restrict those computers, so that you can disable the restrictions on one computer.

     

    Windows SteadyState includes a Group Policy template called SCTSettings.adm in the ADM folder commonly located in C:\Program Files\Windows SteadyState. This template reproduces most of the settings included in the Windows SteadyState Feature Restrictions tab of the User Settings dialog box, and can be used to deploy restrictions to users who are members of an Active Directory domain.

    Group Policy for a domain can be configured either with the Group Policy Management Console, an add-in tool available for download from Microsoft, or by using the Group Policy Editor built into Active Directory Users and Computers. By adding the SCTSettings.adm template into these tools, you gain access to account restrictions and settings that are appropriate for user accounts on shared computers.

    The SCTSettings.adm Group Policy template included with Windows SteadyState also includes the capability to set idle and mandatory logoff timers, if Windows SteadyState is installed on your computers.

    It is important that you apply these settings only to specific user accounts, so as not to restrict legitimate administrative user accounts on any computers.

       To use Active Directory Users and Computers to manage Windows SteadyState restrictions

    1.    Start Active Directory Users and Computers on a computer running Microsoft Windows Server™ 2003 by clicking Start, and then clicking All Programs.

    2.    Click Administrative Tools. In Active Directory Users and Computers, right-click the organizational unit (OU) for which you want to configure policy, and then click Properties.

    3.    On the Group Policy tab, select the policy you want to modify, and then click Edit.

    4.    Expand User Configuration, right-click the Administrative Templates folder, and then click Add/Remove Templates.

    5.    In the Add/Remove Templates dialog box, click Add and then browse to the location of the SCTSettings.adm template, commonly located in C:\Program Files\Windows SteadyState\ADM.

    6.    Browse the settings in the All Windows SteadyState Restrictions folder and note their similarity to the program and user restrictions settings in Windows SteadyState. Descriptions are given for each setting.

    7.    Make any restrictions changes that you want and then exit Group Policy Editor.

     

    Note: We recommend that you create an OU that stores the shared user accounts in your environment, and that you apply the SCTSettings.adm template to the User Configuration portion of a Group Policy Object linked to this dedicated OU.

     

    If you are referring to disabling WDP from one computer, you can try the following commands:

    To enable WDP, run the following command from an administrator account:

    "C:\Program files\Windows SteadyState\sctui.exe" /EnableWDPAndReboot

     

    To disable WDP:

    "C:\Program files\Windows SteadyState\sctui.exe" /DisableWDPAndReboot

     

    Hope this helps!


    Sean Zhu - MSFT
    • Proposed as answer by Sean Zhu - Thursday, May 21, 2009 5:02 AM
    • Marked as answer by Sean Zhu - Tuesday, May 26, 2009 3:27 AM
    Thursday, May 21, 2009 5:02 AM

All replies

  • Will these directions work on Server 2008? I have a group of computers that I am looking to put this on for our upcoming school year. There are only 22 of them, but if all I have to do is install the software on the computer and control it from AD then that would be great.
    Thanks
    Thursday, August 6, 2009 8:02 PM