SteadyState in a domain to lock down computers no matter who logs in... RRS feed

  • Question

  • This question is regarding setting up something like DeepFreeze or SteadyState in a domain environment.  We have a lab with about 30 computers and we want to keep the computers running smoothly (i.e. not letting people install programs, download junk, mess with system settings, etc&.).  I know Microsoft has a product called SteadyState but I believe this is meant to run in a non-domain environment; in other words it needs to be installed on each computer you want to lock down.  

    I would think a group policy would be the way to go if you are running in a domain.  You would just create an OU, apply a GP to that OU and drop any computer you want to lock down into this OU.  I would also think you would not need to run a program (like SteadyState) locally because the GP should handle everything.  

    I know SteadyState has a GP template but the settings seem to only apply to users and not computers.  I am wondering if there is a way to lock down the computer through a GP. In other words, I wonder if there is a GP that mimics SteadyState but works on computers (not users).  This way no matter who logs into the computer (student, faculty, etc...), the SteadyState policies should apply.

    Wednesday, July 15, 2009 1:22 PM


  • Hi Dan, thanks for the post. I’d like to inform you that the GP template in Windows SteadyState applies to users. You can check the following paragraph in the handbook:


    Windows SteadyState includes a Group Policy template called SCTSettings.adm in the ADM folder commonly located in C:\Program Files\Windows SteadyState. This template reproduces most of the settings included in Windows SteadyState Feature Restrictions tab of the User Settings dialog box, and can be used to deploy restrictions to users who are members of an Active Directory domain.

    Group Policy for a domain can be configured either with the Group Policy Management Console, an add-in tool available for download from Microsoft, or by using the Group Policy Editor built into Active Directory Users and Computers. By adding the SCTSettings.adm template into these tools, you gain access to account restrictions and settings that are appropriate for user accounts on shared computers.

    The SCTSettings.adm Group Policy template included with Windows SteadyState also includes the capability to set idle and mandatory logoff timers, if Windows SteadyState is installed on your computers.

    It is important that you apply these settings only to specific user accounts, so as not to restrict legitimate administrative user accounts on any computers.

    Sean Zhu - MSFT
    • Marked as answer by Sean Zhu - Thursday, July 23, 2009 2:53 AM
    Friday, July 17, 2009 4:15 AM