Microsoft Shared Computer Toolkit for Windows XP Handbook
Published: September 16, 2005
Shared computers are commonly found in schools, libraries, Internet and gaming cafés, community centers, and other locations. Often, staff members who lack technical training are asked to manage shared computers in addition to their primary responsibilities.
Managing shared computers can be difficult, time-consuming, and expensive. Unrestricted, users can change the desktop appearance, reconfigure system settings, and introduce spyware, viruses, and other harmful programs. Fixing damaged shared computers costs significant time and effort.
Also known as public access computers, Internet kiosks, lab computers, and instructional computers, depending on their purpose.
User privacy is also an issue. Shared computers often use shared accounts where Internet history, online documents, and cached Web pages are available from one person to the next.
The Microsoft® Shared Computer Toolkit for Windows® XP provides a simple and effective way to defend shared computers from untrusted users and malicious software, restrict untrusted users from system resources, and enhance and simplify the user experience. The Toolkit runs on genuine copies of Windows XP Professional, Windows XP Home Edition, and Windows XP Tablet PC Edition.
On This Page
The Microsoft Shared Computer Toolkit for Windows XP is designed for people who install, configure, and manage shared computers in either public or private settings.
Throughout this Handbook, people who manage shared computers are referred to as operators . Shared computer operators include teachers, technology coordinators, librarians, and café staff who have technology skills that span from beginner to expert.
People who are responsible for managing shared computers.
The Toolkit includes the following graphical tools:
Windows Disk Protection. Protects the Windows partition (typically the C: drive) that contains the Windows operating system and other programs from being permanently modified during a user session. Disk changes made are cleared with each restart unless an administrator chooses to save them.
Windows Disk Protection has special disk partitioning prerequisites. For more information, see Chapter 2, "Prepare the Disk for Windows Disk Protection."
- User Restrictions. Restricts user access to programs, settings, Start menu items, and locks shared local user profiles against permanent changes. This tool is specifically for use in environments that do not use the Active Directory® directory service and Group Policy.
- Getting Started. Provides access to computer settings and utilities and helps first-time operators learn the Toolkit basics quickly.
- Profile Manager. Creates and deletes user profiles. Using the tool, you can create user profiles on alternative drives to allow the profiles to persist data even though Windows Disk Protection is on. You can also use the tool to comprehensively delete profiles that have been locked by the User Restrictions tool.
- Accessibility. Makes Windows accessibility options and utilities such as StickyKeys, FilterKeys, and Magnifier available to users who have been restricted from accessing Control Panel and other system settings.
The Toolkit also provides several command-line tools. In addition to a scriptable command-line version of each of the graphical tools, the Toolkit has the following:
- Accounts. Allows you to enable, disable, and list local user accounts.
- AutoDemo. Configures a computer with accounts and profiles so that you can demonstrate the Toolkit. This command should be run only on a demonstration computer, because it configures accounts and performs other Toolkit functions.
- AutoLogon. Configures an account to log on to the computer automatically. This tool is useful if you use third-party authentication software in place of Windows authentication (which is typical in some libraries and Internet cafés).
- AutoRestart. Configures an account so that a program runs automatically each time a user logs on with that account.
- AutoRunOnce. Configures an account so that a program runs automatically the next time a user logs on with that account. Subsequent logons are unaffected.
- CriticalUpdates. Forces the computer to download and install critical updates without waiting for the next critical updates cycle in Windows Disk Protection.
- ForceLogoff. Allows you to log off users or restart the computer.
- SCTReport. Creates a Shared Computer Toolkit report that can be used by Microsoft Support when troubleshooting issues with the Toolkit.
- SleepWakePC. Puts a shared computer into a sleep state at a specific time (to conserve energy) and then wakes it to perform scheduled critical updates.
- Welcome. Removes accounts listed on the Welcome screen, to ensure that users are not confused or tempted by administrative accounts in the Welcome logon list.
The Toolkit can be used in either workgroup or domain environments.
All of the tools in the Toolkit have been designed to help manage individual computers or computers that are members of Windows workgroups. The Toolkit does not need a server infrastructure— you can use it on one computer or hundreds of computers without requiring any server-based management tools.
To use the Toolkit on multiple computers, each computer must have the Toolkit installed. This will allow you to set up each computer as you like using User Restrictions, Windows Disk Protection, and the other tools. Chapters 1 through 7 describe the end-to-end process for using the Toolkit on workgroup computers.
The Toolkit was designed to help protect computers that are part of an Active Directory domain.
Networked computers that share a central directory that contains user accounts and security information.
The Windows directory service for managing users and computers. For more information, see the official Windows Server 2003 Active Directory Web site.
The Windows Disk Protection tool can be used in domain environments to protect computers from unwanted changes. Windows Disk Protection works well on domain-joined computers running Windows XP.
The User Restrictions tool was not designed for domain environments. If you provide, or want to provide, unique accounts and passwords to your patrons, or your computers are already part of a Windows domain, using Active Directory with Group Policy is a better solution for restricting user activities. Group Policy has the added benefits of greater flexibility and central management, whereas the User Restrictions tool is only intended for managing local shared accounts.
Domain account restrictions can be managed centrally using the Group Policy template included with the Toolkit, which offers most of the settings and restrictions available through the User Restrictions tool.
Operators of domain-joined computers should also read Chapter 10, “The Shared Computer Toolkit in Domain Environments.”
The first seven chapters in the Handbook follow the basic process that you will use to install and use the Toolkit and improve the security of your shared computer environment. The remaining chapters and appendix provide additional information that will help you to troubleshoot, perform advanced scenarios, and learn about topics related to the Toolkit.
The first seven chapters represent the steps you should follow to install and use the Toolkit and improve the security of your shared computer environment.
This chapter covers the prerequisites that a computer must meet before you install the Toolkit. It also covers how to validate Windows XP through the Windows Genuine Advantage program, install the Toolkit, and use the Getting Started tool.
This chapter helps you understand the requirements for using Windows Disk Protection. It covers the two best methods for ensuring sufficient unallocated disk space exists for Windows Disk Protection:
- Using a third-party partitioning utility such as PartitionMagic 8.0 to resize an existing partition that contains the Windows operating system and program files.
- Using Windows XP Setup to configure a primary partition and leave unallocated space on the disk.
This chapter covers the creation of local shared accounts, creating profiles for each user account, and configuring each profile by customizing Windows settings, Start menus, and programs. The Profile Manager tool is used to create and copy user profiles on a shared computer.
This chapter describes how to use the User Restrictions tool to restrict and lock user profiles on the computer; to protect against unknown, untrusted users.
This chapter illustrates the experience that typical users will have using a shared account that has been restricted with the User Restrictions tool. It provides an example of a typical restricted desktop, an introduction to the Accessibility tool, and describes available user resources. It covers how to test user accounts by logging on as each user to make sure that restrictions work as you intend.
This chapter describes how to turn on Windows Disk Protection to clear changes to the disk with every restart and schedule critical software update installations. It also describes how to save disk changes or retain disk changes when Windows Disk Protection is on.
This chapter provides important information to improve the security of shared computers and the surrounding environment beyond what the tools in the Toolkit can automate.
This chapter provides troubleshooting advice for each of the tools in the Toolkit.
This chapter focuses on the most common advanced scenarios that operators may need when using the Toolkit to help manage a shared computer environment.
This chapter describes using the Toolkit in environments that have one or more of the following:
- Active Directory and Group Policy
- Central software distribution services
- A need to provide multiple languages on each computer
This appendix covers several technologies and features that are important to understand when you work with the Toolkit.
This section lists the people involved in developing the Shared Computer Toolkit.
The following table lists the style conventions that are used in the Handbook.
|Bold||Bold is applied to file names and user interface elements.|
- or -
< Italic >
Italic is applied to characters that the user types, but which they can choose to change. Italic characters that appear within angled brackets are placeholders which need specific values. Example:
< Filename . ext > indicates that you should replace the italicized filename.ext with another file name that is appropriate for your configuration.
Italic is also used to represent new terms. Example:
A disk partition is a logical compartment on a physical disk drive.
Screen Text font
This font defines output text that displays on the screen.
Left margin text
The left margin is used for terms and definitions.
A Note alerts you to information that can help you to complete a task or understand a concept.
An Important notice alerts you to information that is essential to completing a task. This notice might also be used to warn you to take or avoid a specific action.
Resources and Community
The Toolkit includes a number of resources with useful information about the Toolkit. The following resources are available in the Microsoft Shared Computer Toolkit program folder on the Start menu after you install the Toolkit:
- Shared Computer Toolkit Handbook. This Handbook provides detailed instructions for installing and using the Toolkit. The Handbook also covers advanced topics, best practices, and technical information.
- Shared Computer Toolkit Help. The help files included with the Toolkit detail the features and functionality of each tool.
- Toolkit FAQ. This Web page provides answers to frequently asked questions about the Toolkit.
- Resources for Managing Shared Computers. A Web site and newsgroup dedicated to helping organizations that have shared computers help and learn from each other—while meeting others in the shared access community.
To participate in discussions with other operators, see the Windows Shared Access Newsgroup. It is intended as a place for you post questions, help others, and provide feedback on the Toolkit and this Handbook, including your ideas for future releases.
For users, the Toolkit installation adds two new resources to the All Users Start menu:
- Online Resources for Using Public Computers. An online Web site that contains links to resources for children, teenagers, and adults about how to use computers, learn more about Windows XP, and use the Internet safely.
- Accessibility. A shortcut to the Accessibility tool so that all users can access the accessibility features of Windows, even if they have been restricted.
Download the Toolkit
To download the Toolkit, visit the Microsoft Shared Computer Toolkit for Windows XP page of the Microsoft Download Center.
Downloading the Toolkit requires Windows Genuine Advantage validation.
Support information for the Microsoft Shared Computer Toolkit for Windows XP is available through the following resources:
- Shared Computer Toolkit Web site
- Frequently Asked Questions for the Shared Computer Toolkit
- Known issues list on the Shared Computer Toolkit Download Page
- Shared Computer Toolkit Handbook, particularly Chapter 9, "Troubleshooting"
- Windows Shared Access Newsgroup, for posting free support queries and product questions
- Product Support Services (PSS) can be contacted for paid support, or if you already have a support agreement. Use the Shared Computer Toolkit Product ID when contacting PSS: 77695-100-0001260-04309.
Other Support Resources
Other support resources related to shared computers, security, and Windows XP:
- Resources For Managing Shared Computers
- Security Help and Support for IT Professionals
- Support Options for Windows XP Users
In This Article
- Chapter 1: Installation
- Chapter 2: Prepare the Disk for Windows Disk Protection
- Chapter 3: Profile Management
- Chapter 4: User Restrictions
- Chapter 5: A Restricted User Experience
- Chapter 6: Windows Disk Protection
- Chapter 7: Security Checklist
- Chapter 8: Troubleshooting
- Chapter 9: Advanced Scenarios
- Chapter 10: The Shared Computer Toolkit in Domain Environments
- Appendix A: Technical Primer