Chapter 1: Installation

  • Article
On This Page

Software Requirements
Software Recommendations
Install the Toolkit from the Download Center
Install the Toolkit from CD
Work with Script Blocking Software
Getting Started
Uninstall the Toolkit

Software Requirements

The Microsoft® Shared Computer Toolkit for Windows® XP requires the following:

  • Windows XP Professional, Windows XP Home Edition, or Windows XP Tablet PC Edition.

  • Windows XP Service Pack 2 (SP2) installed.

  • Internet access to perform Windows Genuine Advantage validation.

  • The User Profile Hive Cleanup Service is installed and running. This service ensures that profiles are fully unloaded upon logoff, which is required for the proper operation of the Toolkit.

  • NTFS file system in place. FAT32 and other file systems do not meet the security requirements of shared computers. If your computer is not using NTFS, see Knowledge Base article 307881 to learn how to convert it to NTFS before you install the Toolkit.

    The Toolkit requires the Windows partition, the Program Files directory, and the default location for Documents and Settings to be on NTFS volumes. Typically these are all located on the C: drive, in which case the C: drive needs to use NTFS. For more information about NTFS, see the Advantages of Using NTFS section in the Windows XP Resource Kit.

Additionally, Windows Scripting and Windows Management Instrumentation (WMI) must be working correctly. The installer will ensure that all of these requirements are met and provide guidance if they are not. 

Important Important
Only the account that installs the Toolkit will have Start menu icons for the tools.

Whether you download the Toolkit from Microsoft or install it from CD, Internet access is required to perform Windows Genuine Advantage validation. Validation is required for the tools to work.

Software Recommendations

The Shared Computer Toolkit will not remove or stop malicious software that is already on the computer. The computer must be trustworthy before you install the Toolkit.

Important Important  
Some security software may report a suspicious or malicious script error during installation and when you use the Toolkit. If this happens, you need to authorize Toolkit scripts to execute. For more information, see Chapter 8, "Troubleshooting."

Microsoft recommends you have the following software installed:

  • All of the latest critical updates from the Microsoft Update Web site.

  • Ensure the computer is free of malicious software by having up-to-date antivirus and antispyware software installed and running.

  • Adobe Acrobat Reader to view the PDF version of this Handbook.

  • Trusted programs and Microsoft ActiveX® controls your patrons may require.

Some software is generally inappropriate for shared computers, depending on your specific usage scenarios. You should consider not installing or removing the following types of programs from shared computers:

  • Desktop search utilities, because they may reveal information on the computer you don’t want users to see.

  • E-mail clients that require configuration, such as Microsoft Outlook® or Outlook Express, because they may take too long for users to use.

  • Windows components, such as Fax Services and Internet Information Services (IIS).

Install the Toolkit from the Download Center

You can download the Toolkit from the Microsoft Download Center.

To download and install the Toolkit

  1. Log on as the Toolkit administrator; a local administrative account that will use the tools in the Toolkit.

  2. Download the installation file named Shared_Computer_Toolkit_ENU.msi from the Shared Computer Toolkit download page.

  3. If prompted, first validate your copy of Windows XP through Windows Genuine Advantage.

  4. Double-click the downloaded installation file to start the installation.

  5. Review the License Agreement page, and, if the terms are agreeable to you, click I Accept the terms in the License Agreement, and then click Next.

  6. On the Customer Information page, you can click Register Now to complete the optional registration process.

  7. On the Installation Folder page, click Next.

  8. On the Ready to Install page, click Install.

  9. On the Installation Complete page, click Finish to exit. If you leave the View Getting Started check box selected, the Getting Started tool should open.

Install the Toolkit from CD

If you received the Toolkit on CD with a physical copy of the Handbook, you can install the Toolkit from this CD.

To install the Toolkit from CD

  1. Log on as the Toolkit administrator; a local administrative account that will use the tools in the Toolkit.

  2. Insert the CD into the CD-ROM drive on your computer. If the CD does not start automatically, browse to the CD, and then double-click AutoRun.hta.

  3. If required, click the Windows Genuine Advantage validation link to perform the validation process.

  4. Click Install the Toolkit.

  5. Review the License Agreement page, and, if the terms are agreeable to you, click I Accept the terms in the License Agreement, and then click Next.

  6. On the Customer Information page, you can click Register Now to complete the optional registration process

  7. On the Installation Folder page, click Next.

  8. On the Ready to Install page, click Install.

  9. On the Installation Complete page, click Finish to exit. If you leave the View Getting Started check box selected, the Getting Started tool should open.

Work with Script Blocking Software

Many security, antispyware, and system protection tools block access to scripts to help safeguard your computer. If you recognize a script as belonging to the Shared Computer Toolkit, you must authorize it to run or unexpected behavior will result.

Note Note  
Some script-blocking software does not allow you to permanently approve scripts. Script blocking must be turned off if you cannot permanently approve Toolkit scripts.

To ensure the proper operation of the Toolkit and critical updates with script blocking software in place—allow all scripts by running RunAllScripts.bat from the Scripts folder of the installation and approve each script as the Toolkit administrator.

To enable the execution of Toolkit-required scripts for users, review the "Set Up Local User Profiles" section in Chapter 3, "Profile Management."  

Getting Started

After the installation process finishes, the Getting Started tool will open (unless you cleared the Show Getting Started check box during installation). Getting Started also opens by default each time you log on to the shared computer with the Toolkit administrator account, which is the account you used to install the Toolkit. Getting Started provides an overview of and shortcuts to the tools and resources available in the Toolkit. Getting Started presents the following steps and advice to help you start using the Toolkit quickly:

  • Step 1. Prepare the Disk for Windows Disk Protection. In this section, the Getting Started tool indicates whether the shared computer’s disk is properly configured for Windows Disk Protection. If it is not, the tool provides advice for configuring the disk. The tool also shows whether Windows Disk Protection is currently on or off. You can learn more about preparing a disk for Windows Disk Protection in Chapter 2, “Prepare the Disk for Windows Disk Protection.”

  • Step 2. Select Computer Security Settings. This section provides valuable options for improving the security of the shared computer. Unlike the restrictions available in the User Restrictions tool, which are applied on a per-user basis, the options in this section apply to anyone who uses the shared computer. Options you can select in this section include:

    • Prevent account names from being saved in the CTRL+ALT+DEL logon dialog. By default, Windows displays the user name that was last used to log on to Windows in the traditional logon dialog box shown when you press CTRL+ALT+DEL at the Windows Welcome screen.

    • Force Windows to store passwords in a secure format (not using LMHash). This setting promotes secure password storage by disabling the LanMan hash form of each password. LanMan hash (or LMHash) is an easily defeated encryption mechanism used for backward compatibility with older operating systems.

    • Prevent Windows from caching Passport or domain credentials within user profiles. When this check box is selected, users must enter their Passport and domain credentials each time they are required. Windows does not save them between user sessions.

    • Prevent users from creating files and folders in C:\. This setting changes the access control list (ACL) in the root of C: to prevent users from creating files and folders within it. The setting does not affect the ACLs for other folders.

    • Prevent logon to locked (or roaming) user profiles that cannot be found. Usually, Windows creates a new (and potentially unrestricted) user profile when a person tries to log on with a profile that Windows cannot locate. This option prevents that from happening.

    • Remove cached copies of locked (or roaming) user profiles to improve privacy and save disk space. When this option is selected, Windows does not save the profiles for locked (or roaming) user profiles. This prevents other people from being able to browse through the profiles of people who have previously logged on.

    • Remove the Shut Down and Turn Off Computer logon options. This option removes the ability to turn off the computer from the Start menu and the Windows Welcome screen.

    • Prevent Microsoft Office documents from opening with Internet Explorer. This option ensures that Office applications host their own documents so the optional Microsoft Office software restriction works correctly.

      Important Important
      Press CTRL+ALT+DEL twice to access the traditional logon dialog box. This allows you to log on to accounts not listed on the Welcome screen.

    • Use the Welcome screen to simplify the log on process for users. This option turns on the Windows Welcome screen, which displays a list of available user accounts on the computer when Windows starts up.

    • Remove < Toolkit administrator > from the Welcome screen. This option prevents the Toolkit administrator account (the account used to install and administer the Toolkit) from being displayed on the Welcome screen. You can press CTRL+ALT+DEL twice to access the traditional logon dialog box, in which you can type the user name and password directly to log on with any user account not shown on the Welcome screen.

  • Step 3. Create a Public Account for Shared Access. This section provides guidance for creating a local limited user account to be used for shared access to the computer. On many shared computers, there is just one user account that is shared by everyone who uses the computer. This section provides a shortcut to the User Accounts tool with which you create the account.

  • Step 4. Configure the Public User Profile. This section provides guidance for logging on with the new Public account to configure Windows settings, printers, and programs for the account. After you configure the Public user profile, you will need to log off and then log back on as the Toolkit administrator to continue with the Getting Started tool.

  • Step 5. Restrict and Lock the Public User Profile. This section provides a shortcut to the User Restrictions tool and guidance for using the tool to lock and restrict the Public user profile.

  • Step 6. Test the Public User Profile. This section provides guidance for logging on to the Public user profile so that you can test the effectiveness of your configuration and restrictions for the account. After testing the Public user profile, you will need to log off and then log back on as the Toolkit administrator to continue with the Getting Started tool.

  • Step 7. Turn on Windows Disk Protection. This section provides a shortcut to the Windows Disk Protection tool, along with guidance for turning on the tool and configuring it to download and install critical updates.

  • Step 8. You’re Done! Learn More About the Toolkit. This section provides links to the Shared Computer Toolkit Handbook and Shared Computer Toolkit Help.

Uninstall the Toolkit

You can uninstall the Toolkit at any time by using the Add or Remove Programs item in Control Panel. However, certain features of the Toolkit will no longer be available after the Toolkit is uninstalled, such as all aspects of Windows Disk Protection.

If Windows Disk Protection is on, the uninstall process will save changes to disk and restart the computer. This is expected behavior.

Before you uninstall the Toolkit, turn off the following specific features within all user profiles that use them:

  • Session Timers. You must turn off timers for mandatory logoff and idle logoff (make sure that each entry is blank) in the General Settings section of the User Restrictions tool.

  • Restart at Logoff. Clear the check box for this setting in the General Settings section of the User Restrictions tool.

  • AutoRestart. Set this command-line tool to disabled, if you used it to automatically restart a specific program.

The following features will still be available after you uninstall the Toolkit:

  • Recommended Restrictions for Shared Accounts. Any restrictions selected in the Recommended Restrictions for Shared Accounts section of the User Restrictions tool remain in effect.

  • Optional Restrictions. Any restrictions selected in the Optional Restrictions section of the User Restrictions tool remain in effect.

  • Locked Profiles. Profiles that have been locked with the User Restrictions tool will remain locked.

  • AutoLogon Settings. Any account configured to log on automatically with the AutoLogon command-line tool will remain in effect.

  • Getting Started. Computer security options selected in the Getting Started tool will remain in effect.

  • Welcome. Settings specified with the Welcome command-line tool will remain in effect.

To uninstall the Toolkit, returning most settings to their original configuration

  1. Use Step 2 of the Getting Started tool to remove any security settings that were applied after installation.

  2. Use the User Restrictions tool to unlock and remove restrictions from all user profiles.

  3. Use the Profile Manager tool to delete any user profiles you do not plan to retain. This will remove all documents and folders stored for the affected user profile.

  4. Delete any user accounts you do not plan to use.

  5. If you have used Shared Computer Toolkit command-line tools to make any configuration changes to your system, use those tools to undo any changes you want to remove.

  6. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and then click Uninstall the Shared Computer Toolkit.

Uninstall will remove Windows Disk Protection and the Shared Computer Toolkit. You can continue to use your system with any remaining Windows user accounts and profiles.

Preserve User Documents

If you want to preserve user documents when you delete a user profile or delete profile folders (as described in the previous section), you can either copy the documents to a safe location or use the Files and Settings Transfer Wizard to store the documents until the new profile folder is established.

To open the Files and Settings Transfer Wizard, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Files and Settings Transfer Wizard.