I had originally done a quick write up on ThinKiosk by Andrew Morgan when it first came out. I have been using ThinKiosk personally since then and have come up with a ThinKiosk Active Directory design reference. Please note, these guides are in no way affiliated with ThinKiosk or Andrew Morgan, they are just the method I came up with that seems to work best for me. You can read more about ThinKiosk from Andrew Morgan at his site:
First: Identify Endpoint Devices
Before we can get started, we need to identify the endpoint devices where ThinKiosk will be deployed. Once you have the devices, you need to create an Active Directory (AD) organizational unit (OU) to hold those endpoint devices. For demonstration purposes, I named the OU "ThinKiosk". Once you have created the OU, then you need to move all your AD computer objects which you identified earlier into this OU. Before moving on to the next phase you need to have the following in place:
Identified all endpoint devices that will be using ThinKiosk.
The identified endpoint devices must be part of the AD domain.
An OU structure created - A root endpoint device OU (For example, I named this OU "ThinKiosk").
Place all endpoint AD computer objects in their respective OU created before.
Second: Identify User Roles
We now need to identify what users will receive what functionality. There are 3 major categories for users in regards to ThinKiosk:
Endpoint Users
Help desk users
Administrators
With endpoint users, there should be minimal user functionality, in other words, they need to be locked down. Help desk users need a bit more flexibility because they might need access to tools that would be normally locked out to endpoint users. Administrators need full access and typically would need to log straight into the Explorer shell instead of ThinKiosk. Based on the descriptions below is a sampling of features per user group:
Endpoint users features
Log off the auto logged-in session.
Restart the local endpoint device.
Shutdown the local endpoint device.
Change display settings.
Change keyboard settings.
Change mouse settings.
Change volume settings
Help desk users features
Have the same ability as task workers.
Enter custom Citrix Web Interface URLs.
Access the command prompt.
Access Windows Explorer.
Lock ThinKiosk.
Exit ThinKiosk.
Administrators Features
Have the same ability as help desk users.
Log in straight to the Windows Explorer shell.
For each of the above groups of users, we need to create an AD security group. Before moving to the next phase, the following needs to be completed:
Users identified in their proper feature group.
Create 3 AD security group, 1 for each feature group (For example, the following AD security groups named: ThinKiosk-Users, ThinKiosk-HelpDesk, ThinKiosk-Administrators).
Add users to their respective groups based on features.
Third: Create Group Policy Objects
Group policy is going to deploy the settings and permissions for the respective user groups. The following group policy objects (GPO) need to be created:
ThinKiosk GPO. This GPO is applied to all endpoint devices no matter what OS version. So any computer settings that are global and non-OS-dependent will be applied at this GPO.
Endpoint users GPO. This GPO is linked to the same endpoint device root OU. This GPO applies settings and permissions to endpoint users only.
Help desk users GPO. This GPO is linked to the same endpoint device root OU. This GPO applies settings and permissions to help desk users only.
Administrators GPO. This GPO is linked to the same endpoint device root OU. This GPO applies settings and permissions to administrator users only.
The following is a list of base GPO settings per GPO:
ThinKiosk GPO
To automatically install ThinKiosk
Navigate to: Computer Configuration\Policies\Software Settings\Software Installation.
Create a new package and select the ThinKiosk.msi file from an accessible network location.
Set the URL to the Citrix Web Interface
Navigate to: Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings.
Web Interface URL - Enabled and enter the URL for the Citrix Web Interface.
OPTIONAL. To configure auto login for the ThinKiosk endpoint devices. Please note, the password entered is stored in clear text in the GPO and on the endpoint device. So, if you want to use this option, make sure the account used is extremely locked down. To use a group policy auto-login account, you need to download the ADM file provided by Andrew Morgan which can be downloaded here. An alternative approach is to configure each endpoint manually with the "Control UserPasswords2" command and configure it appropriately.
Import the ADM file into the GPO.
Navigate to: Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings\Autologon Settings.
AutoLogon to Workstation - Enabled and set to Yes.
Default DomainName - Enabled and type in the FQDN of the AD domain.
Default Password - Enabled and type in the password for the locked-down AD account used for autologin.
Default User Name - Enabled and type in the username for the locked-down AD account used for autologin.
Endpoint Users GPO
Allow user policy settings to apply only when logging into a ThinKiosk endpoint device.
Navigate to: Computer Configuration\Policies\Administrative Templates\System\Group Policy
User Group Policy loopback processing mode - Enabled and set to Merge
Change the shell from Windows Explorer to ThinKiosk.
Navigate to: User Configuration\Policies\Administrative Templates\System
Custom User Interface - Enabled and type C:\Program Files\ThinKiosk\ThinKiosk.exe
Lockdown control-alt-delete options.
Navigate to: User Configuration\Policies\ Administrative Templates\System\Ctrl-Alt-Del Options
Remove Change Password - Enabled
Remove Lock Computer - Enabled
Remove Task Manager - Enabled
Configure ThinKiosk settings.
Navigate to: User Configuration\Policies\ Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings
Disable unlocking of ThinKiosk - Enabled
Show Log Off Option - Enabled
Disable screen saver password protection.
Navigate to: User Configuration\Policies\ Administrative Templates\Control Panel\Personalization
Password protect the screen saver - Disabled
Helpdesk users GPO
Allow user policy settings to apply only when logging into a ThinKiosk endpoint device.
Navigate to: Computer Configuration\Policies\Administrative Templates\System\Group Policy
User Group Policy loopback processing mode - Enabled and set to Merge
Change the shell from Windows Explorer to ThinKiosk.
Navigate to: User Configuration\Policies\Administrative Templates\System
Custom User Interface - Enabled and type C:\Program Files\ThinKiosk\ThinKiosk.exe
Configure ThinKiosk settings.
Navigate to: User Configuration\Policies\ Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings
Show Admin Menu - Enabled
Show Log Off Option - Enabled
Administrators GPO
Allow user policy settings to apply only when logging into a ThinKiosk endpoint device.
Navigate to: Computer Configuration\Policies\Administrative Templates\System\Group Policy
User Group Policy loopback processing mode - Enabled and set to Merge
Change the shell from Explorer (This policy is in place to make sure users can be moved from one group to another and make sure they receive the correct shell).
Navigate to: User Configuration\Policies\Administrative Templates\System
Custom User Interface - Enabled and type C:\Windows\Explorer.exe
Configure ThinKiosk settings.
Navigate to: User Configuration\Policies\ Administrative Templates\Classic Administrative Templates (ADM)\ThinKiosk Settings
Show Admin Menu - Enabled
Show Log Off Option - Enabled
Conclusion
In conclusion, this is just a base reference. There are obviously more settings and permissions that can be configured.