Search
  • Chris Keim

ThinKiosk - Active Directory Design Reference

I had originally done a quick write up on ThinKiosk by Andrew Morgan when it first came out.  I have been using ThinKiosk personally since then and have come up with a ThinKiosk Active Directory design reference.  Please note, these guides are in no way affiliated with ThinKiosk or Andrew Morgan, they are just the method I came up with that seems to work best for me.  You can read more about ThinKiosk from Andrew Morgan at his site:


http://andrewmorgan.ie/


First: Identify Endpoint Devices


Before we can get started, we need to identify the endpoint devices where ThinKiosk will be deployed.  Once you have the devices, you need to create an Active Directory (AD) organizational unit (OU) to hold those endpoint devices.  For demonstration purposes, I named the OU "ThinKiosk".  Once you have created the OU, then you need to move all your AD computer objects which you identified earlier into this OU.  Before moving on to the next phase you need to have the following in place:


  • Identified all endpoint devices that will be using ThinKiosk.

  • The identified endpoint devices must be part of the AD domain.

  • An OU structure created - A root endpoint device OU (For example, I named this OU "ThinKiosk").

  • Place all endpoint AD computer objects in their respective OU created before.


Second: Identify User Roles


We now need to identify what users will receive what functionality.  There are 3 major categories for users in regards to ThinKiosk:


  • Endpoint Users

  • Help desk users

  • Administrators


With endpoint users, there should be minimal user functionality, in other words, they need to be locked down.  Help desk users need a bit more flexibility because they might need access to tools that would be normally locked out to endpoint users.  Administrators need full access and typically would need to log straight into the Explorer shell instead of ThinKiosk.  Based on the descriptions below is a sampling of features per user group:


Endpoint users features

  • Log off the auto logged-in session.

  • Restart the local endpoint device.

  • Shutdown the local endpoint device.

  • Change display settings.

  • Change keyboard settings.

  • Change mouse settings.

  • Change volume settings


Help desk users features

  • Have the same ability as task workers.

  • Enter custom Citrix Web Interface URLs.

  • Access the command prompt.

  • Access Windows Explorer.

  • Lock ThinKiosk.

  • Exit ThinKiosk.


Administrators Features

  • Have the same ability as help desk users.

  • Log in straight to the Windows Explorer shell.


For each of the above groups of users, we need to create an AD security group.  Before moving to the next phase, the following needs to be completed:


  • Users identified in their proper feature group.

  • Create 3 AD security group, 1 for each feature group (For example, the following AD security groups named: ThinKiosk-Users, ThinKiosk-HelpDesk, ThinKiosk-Administrators).

  • Add users to their respective groups based on features.


Third: Create Group Policy Objects


Group policy is going to deploy the settings and permissions for the respective user groups.  The following group policy objects (GPO) need to be created:


  1. ThinKiosk GPO.  This GPO is applied to all endpoint devices no matter what OS version.  So any computer settings that are global and non-OS-dependent will be applied at this GPO.

  2. Endpoint users GPO.  This GPO is linked to the same endpoint device root OU.  This GPO applies settings and permissions to endpoint users only.

  3. Help desk users GPO.  This GPO is linked to the same endpoint device root OU.  This GPO applies settings and permissions to help desk users only.

  4. Administrators GPO.  This GPO is linked to the same endpoint device root OU.  This GPO applies settings and permissions to administrator users only.


The following is a list of base GPO settings per GPO:


ThinKiosk GPO


To automatically install ThinKiosk

  1. Navigate to: Computer Configuration\Policies\Software Settings\Software Installation.

  2. Create a new package and select the ThinKiosk.msi file from an accessible network location.


Set the URL to the Citrix Web Interface

  1. Navigate to: Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings.

  2. Web Interface URL - Enabled and enter the URL for the Citrix Web Interface.


OPTIONAL.  To configure auto login for the ThinKiosk endpoint devices.  Please note, the password entered is stored in clear text in the GPO and on the endpoint device.  So, if you want to use this option, make sure the account used is extremely locked down.  To use a group policy auto-login account, you need to download the ADM file provided by Andrew Morgan which can be downloaded here.  An alternative approach is to configure each endpoint manually with the "Control UserPasswords2" command and configure it appropriately.

  1. Import the ADM file into the GPO.

  2. Navigate to: Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings\Autologon Settings.

  3. AutoLogon to Workstation - Enabled and set to Yes.

  4. Default DomainName - Enabled and type in the FQDN of the AD domain.

  5. Default Password - Enabled and type in the password for the locked-down AD account used for autologin.

  6. Default User Name - Enabled and type in the username for the locked-down AD account used for autologin.


Endpoint Users GPO


Allow user policy settings to apply only when logging into a ThinKiosk endpoint device.

  1. Navigate to: Computer Configuration\Policies\Administrative Templates\System\Group Policy

  2. User Group Policy loopback processing mode - Enabled and set to Merge


Change the shell from Windows Explorer to ThinKiosk.

  1. Navigate to: User Configuration\Policies\Administrative Templates\System

  2. Custom User Interface - Enabled and type C:\Program Files\ThinKiosk\ThinKiosk.exe


Lockdown control-alt-delete options.

  1. Navigate to: User Configuration\Policies\ Administrative Templates\System\Ctrl-Alt-Del Options

  2. Remove Change Password - Enabled

  3. Remove Lock Computer - Enabled

  4. Remove Task Manager - Enabled


Configure ThinKiosk settings.

  1. Navigate to: User Configuration\Policies\ Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings

  2. Disable unlocking of ThinKiosk - Enabled

  3. Show Log Off Option - Enabled


Disable screen saver password protection.

  1. Navigate to: User Configuration\Policies\ Administrative Templates\Control Panel\Personalization

  2. Password protect the screen saver - Disabled


Helpdesk users GPO


Allow user policy settings to apply only when logging into a ThinKiosk endpoint device.

  1. Navigate to: Computer Configuration\Policies\Administrative Templates\System\Group Policy

  2. User Group Policy loopback processing mode - Enabled and set to Merge


Change the shell from Windows Explorer to ThinKiosk.

  1. Navigate to: User Configuration\Policies\Administrative Templates\System

  2. Custom User Interface - Enabled and type C:\Program Files\ThinKiosk\ThinKiosk.exe


Configure ThinKiosk settings.

  1. Navigate to: User Configuration\Policies\ Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings

  2. Show Admin Menu - Enabled

  3. Show Log Off Option - Enabled


Administrators GPO


Allow user policy settings to apply only when logging into a ThinKiosk endpoint device.

  1. Navigate to: Computer Configuration\Policies\Administrative Templates\System\Group Policy

  2. User Group Policy loopback processing mode - Enabled and set to Merge


Change the shell from Explorer (This policy is in place to make sure users can be moved from one group to another and make sure they receive the correct shell).

  1. Navigate to: User Configuration\Policies\Administrative Templates\System

  2. Custom User Interface - Enabled and type C:\Windows\Explorer.exe


Configure ThinKiosk settings.

  1. Navigate to: User Configuration\Policies\ Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings

  2. Show Admin Menu - Enabled

  3. Show Log Off Option - Enabled


Conclusion


In conclusion, this is just a base reference.  There are obviously more settings and permissions that can be configured.




2 views

©2018 by ChristopherKeim. Proudly created with Wix.com