Looking for a little guidance ...

Started by mhall, September 11, 2014, 10:38:47 AM

Previous topic - Next topic

mhall

Hi All,

I am shortly going to being taking delivery of 40-50 new Windows 8.1 laptops for use as kiosk browsers in our photography business.

These are going to be used in public spaces with supervision, but I would like to "lock them down" to limit the chance of mischief while we aren't looking. This type of user management is an area I'm not extremely familiar with so I'm not really sure where to begin. I would like to create a winbatch script I can run on each laptop to configure user permissions, rather than having to manually configure each one. It's my intent to configure each laptop exactly the same - same user account, password, privileges, etc.

In the end, what I would really like is a user account which, on initial login, starts the web browser, loads the default page and doesn't allow the user to do much, if anything, else other than log out. No printing or accessing explorer, or the start screen. I'd even like to disable particular USB ports, and the track pad (we'll be supplying a mouse) if that is possible. I'm also looking at how to easily restart the browser automatically if it is closed or re-activate the window if it loses focus.

Any pointers or advice or examples would really be appreciated.

And now I'm off to start perusing the Tech Database to see if I can come up with anything ...

~Micheal

JTaylor

You may wish to consider setting up one of the stations as you want and then creating an image that you apply to the rest.   This assumes they are all the same brand/model.   While a script can be useful in this situation it doesn't alleviate all the initial work of the beginning setup, updates, etc.   The other upside of the image is if you have a problem with a station you can simply reapply the image and you are ready to go.

Some trackpads are automatically disabled if you plug in a mouse.   Depends on the brand/model.  You can normally turn them off either way.

Some web searches can provide numerous registry options for disabling certain Windows features.   

If you have a good library in your area talk to them about what they do for their workstations.   There is software you can buy which will do a lot of what you want and may be worth it in place of the time spent researching and writing scripts to do the same thing.  A search like "lockdown pc software" will provide a list of options.

Jim

morenos1

Windows 8.1 has someting called an "Assigned Access" feature to configure a local user account to essentially function in kiosk mode.

td

"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

mhall

Thanks guys,

I've spent the morning reading up on the Group Policy Editor and some pre-created group policies from Microsoft, then found and got excited about that Assigned Access feature ... only to find out it is not available in Windows 8.1 - only Windows 8.1 RT, Windows 8.1 Pro and Windows 8.1 Enterprise.  >:(

However, that point wasn't mentioned in the link you posted, Tony. Does anyone know if that requirement has changed? I'll be able to find out this weekend - the machine comes in tomorrow.

Also, this caught my eye:

QuotePlease note that traditional desktop apps donââ,¬â,,¢t provide the same level of security and therefore cannot be used in Assigned Access. You will need Windows Embedded to lock a machine in a desktop application.

This would be unfortunate, as I need to use Firefox as the browser and there is no Modern equivalent for that.

~Micheal

td

Quote from: mhall on September 11, 2014, 01:26:43 PM
Thanks guys,

I've spent the morning reading up on the Group Policy Editor and some pre-created group policies from Microsoft, then found and got excited about that Assigned Access feature ... only to find out it is not available in Windows 8.1 - only Windows 8.1 RT, Windows 8.1 Pro and Windows 8.1 Enterprise.  >:(

I am a bit surprised that a corporate user wouldn't be using Pro or Enterprise with quantity discounts even on a kiosk system given that is the targeted market for those versions. But then I don't have to deal with MSFT volume license purchases either.

Quote
However, that point wasn't mentioned in the link you posted, Tony. Does anyone know if that requirement has changed? I'll be able to find out this weekend - the machine comes in tomorrow.

"Just one example"

Quote
Also, this caught my eye:

QuotePlease note that traditional desktop apps donââ,¬â,,¢t provide the same level of security and therefore cannot be used in Assigned Access. You will need Windows Embedded to lock a machine in a desktop application.

This would be unfortunate, as I need to use Firefox as the browser and there is no Modern equivalent for that.

Is there a reason why you can't use the 'Modern' version of IE?

Obviously, using Windows 8.1's kiosk mode appears to make the task a lot simpler. 
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

td

You have probably already read this but in case you haven't

http://stackoverflow.com/questions/22750670/kiosks-in-windows-8-running-regular-software-non-windows-store-app

There are several desktop app suggestions toward the bottom but its seem to imply the need for Pro or Enterprise because you need Pro or Enterprise to support Group Policy according to MSFT.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

mhall

Quote
I am a bit surprised that a corporate user wouldn't be using Pro or Enterprise with quantity discounts even on a kiosk system given that is the targeted market for those versions.

That's fair. :) The gist of it is that I'm just one guy - my studio that is. Most of the year, it's just me as sole proprietor working alone in my studio office. My busy season sees me traveling around the country photographing youth athletic events (indoor volleyball). For that, I have a crew with several additional photographers and booth staff that comes out ... but aside from that time everything is left to me. So it's simply me not being informed on the subject. I am buying this hardware to replace our 10 year old current solution. They will be used onsite by customers for viewing and ordering photographs.  The current solution uses tower PCs running Windows XP and a multi-user solution from a company called nComputing so that I can log up to 10 users into a single computer at once. But, this requires cabinets for the PCs as well as custom boxes to mount/store the monitors, keyboards, mice, network switches, power supplies, etc. It works, but it's bulky and heavy. So while I say 'kiosk' - that's more in terms of functionality and limiting user interaction. It's not an unsupervised unit that will remain in one place for a long period of time. We always have staff to help and we need to be able setup/teardown quickly and (since I'm also one of two roadies and setup/teardown guys), it's nice to keep them small and light!

Here's our final booth of the travel season this past June.



What I am investigating at the moment are these ASUS laptops:

http://www.amazon.com/gp/product/B00L49X8E6/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1

At $220 each, the price is really reasonable and I can afford to purchase 50 of them to make a full replacement of our current hardware. At only 4.75lbs each and being a laptop they are lighter and collapse into a smaller package than anything we have now for transport and storage.

Quote
Is there a reason why you can't use the 'Modern' version of IE?

While IE has gotten much better these past few years, it's still not capable of what I need from a purely standards based JS/CSS3 standpoint. It's not that I'm against it just because it's IE. I do keep my eye on it (and I'm updating it now to see if anything has changed recently). Even Google Chrome, which is advanced in some areas, is lacking in its font handling making it unusable for my purposes.

What I have written is a web based solution for presenting, selecting, ordering and producing our photography products. Our most popular products are our sports posters/collages and - aside from just browsing photos - the main point of interaction that customers will have is the WYSIWYG designer that relies heavily on CSS3 features:



With Firefox I can reliably display and position all elements, including text like that in the lower right corner. When it comes time for production, I can translate the position, size, rotation, border and shadow values, etc. into absolute pixel values and built a Javascript script which I run in Photoshop and which builds the posters. This allows me to output the posters with no additional user intervention (other than cases where some sort of custom retouching is needed). With IE or Chrome, their font rendering and kerning are not as capable and I can't reliably position them which means I would need to manually position each text element in Photoshop after the fact ... That's how I do things now and it's time consuming!

Ultimately, it's not a deal breaker to not be able to fully lock down a system. The systems we use now aren't. And no one has really ever messed up a system. But there are plenty of times I've had to close print dialogs and empty emails, or clear the desktop wallpaper after athletes have been messing around. So, I thought I would take the time to investigate.

Thanks for the links and the time looking into it, I really appreciate it.

I'll keep investigating. It looks like my best bet is through the GroupPolicy Editor. I found some pre-created Group Policies which MS distributes and there is one for kiosk scenarios so I'll be looking into that. I'll post back my findings, if anyone is interested!

Regards,
Micheal

JTaylor

Maybe IE 11 will do more of what you need.   It supposedly reports as not being IE as someone at Microsoft apparently heard about something called "standards" and they thought they'd see if a browser would work using them  ;)

Jim

td

IE is kind of an outlier with the other major web browsing applications settling on either some flavor of WebKit or Gecko and I have never used IE for Web browser so I have no personal experience to reference.  As already mentioned IE 11 is supposedly more adherent to standards as MSFT can no longer dominate the market like it once did.

I am one of the "setup/teardown guys" for my wife's business so I can appreciate the need for speed and reduced mass.

In case I didn't make the point clear (an all to common occurrence), MSFT flatly states that regular Windows 8.1 does not support Group Policy.  That doesn't mean that there isn't a hack someplace to make GP work on regular Windows 8.1.  Here is a link to the various Windows 8.1 skew differences

http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-8-1/compare/default.aspx
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

mhall

Quote
It supposedly reports as not being IE as someone at Microsoft apparently heard about something called "standards" and they thought they'd see if a browser would work using them

Yes I had heard that as well! :)


Quote
MSFT flatly states that regular Windows 8.1 does not support Group Policy

Ah, damn. I'm going to sit in the corner and sulk. Oh, well. I suppose my best bet at this point is to setup an account with as little permissions as possible, clear the start screen of icons, etc. and keep an image on hand I can restore quickly if things go badly.

I can still run Firefox in its own kiosk mode (no window chrome or address bar) and have that set to start automatically. With boot to desktop enabled, that at least gets me right into the browser.

Thanks guys!

~Micheal




mhall

Thanks for that!

Unfortunately, the software price is more than 50% of the cost of the hardware/OS ($120/seat @ 50 seats), which is more than I'm willing to spend on it. But I do appreciate the info!

Regards,
Micheal

MW4

you should be able to set up local policy to do what you need

td

Quote from: MW4 on September 18, 2014, 11:28:28 AM
you should be able to set up local policy to do what you need

Maybe consider either reading or rereading a few the replies concerning group policy in this topic.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

MW4

That's why I said LOCAL POLICY.

Control Panel
Administrative tools
Local security policy

http://www.tomsitpro.com/articles/windows-8.1-local-security-policy-editor,2-728.html

see:
If you are troubleshooting why secpol.msc does not seem to exist in your copy of Windows 8.1, then the reason is probably that you have the Basic version of Windows 8.1; unfortunately, you need to upgrade to Pro or Enterprise, or else try another machine that runs either of those Windows versions and remotely edit the security policy of your target machine.

td

The 'Local Policy' (MSFT formally makes the distinction Local Group Policy vs. Domain Group Policy so both local and domain policy are called Group Policy.) you are referring may or may not work because there is no guarantee that a basic skew will recognize any of the registry keys/values set using a remote Secpol.msc.

As mentioned about seven replies above there may be a hack out there that will work and modifying the registry may be that hack but until I tried it, I would not make any claims about its usefulness.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

Kenny

When I run Treasure.wbt
I get a lot of errors:
Here are a few:
Error 3052
On line: ROC=DiceRoll(1,100,"N",0)
Error 3052
On line: If ROJ=20 Then MagicItemsFound [MIS]=Scarab of Protection (cursed)
Error 3052
On line: DieRoller (2,4,"N",0,"J")

Fell free to let me know if you would like anymore information,

Kenny

Kenny

When I open the WinBatch, File Browser It only sees WrightPriestSpellDescipt.wbt
In my list I also have, just above it, WrightMageSpellDescipt.wbt
File Browser does no see the Mage one.
WBTFileList.txt has a very large list of WBT files.

Please Help,

Kenny

td

Guessing that you are not the author of the scripts generating the error.  If that is the case then you probably need to contact the author of those scripts. 

FWIW, the error 3052 means you have an undefined function or variable on the line.


And in the future please start a new topic when the subject of your post are not logically related to an existing topic.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

Kenny

This forum is "Looking for a little guidance ..."
So please explain:
"And in the future please start a new topic when the subject of your post are not logically related to an existing topic."

Kenny

This is From My Psionics Handbook Page 28
When I use your XML Writer program I enter the following:
Power Aura Sight
Power Discipline Clairsentience 
Power Score: Wis -5
Initial Cost: 9
Maintenance Cost: 9/round
When I hit [OK]
It tells me, "Error: 1077 FileOpen: Open failed. On line XML File=FileOpen(StrCat(Pathname, Filename)" "Wright"

JTaylor

Kind of hard to argue this point as the topic title does seem to invite everyone to post their questions within this one topic but...

The original poster was asking for "a little guidance" for a specific issue and if you have a question unrelated to the topic it would be appropriate to start a new Topic.   Otherwise it gets confusing.


Jim

Quote from: Kenny on September 22, 2014, 07:50:25 AM
This forum is "Looking for a little guidance ..."
So please explain:
"And in the future please start a new topic when the subject of your post are not logically related to an existing topic."

td

Quote from: Kenny on September 22, 2014, 07:50:25 AM
This forum is "Looking for a little guidance ..."
So please explain:
"And in the future please start a new topic when the subject of your post are not logically related to an existing topic."

Fair enough.  Let me rephrase, "please start a new topic when the subject of your post is not logically related to a existing topic's subject."  The subject of this topic is running Windows 8.1 basic in some form of kiosk mode...
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

td

Quote from: Kenny on September 22, 2014, 08:14:00 AM
This is From My Psionics Handbook Page 28
When I use your XML Writer program I enter the following:
Power Aura Sight
Power Discipline Clairsentience 
Power Score: Wis -5
Initial Cost: 9
Maintenance Cost: 9/round
When I hit [OK]
It tells me, "Error: 1077 FileOpen: Open failed. On line XML File=FileOpen(StrCat(Pathname, Filename)" "Wright"

Perhaps you are referring to an XML related Tech. Support database script or a third party extender but Wilson WindowWare does not have an 'XML writer program'.   
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

MW4

Way too funny...WBT being used as a Dungeons and Dragons tool, who'd a thunk it?

td

"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

kdmoyers

Heck, I just wrote a program in winbatch to generate ziggurat pyramid structures in MineCraft.
-Kirby
The mind is everything; What you think, you become.

DAG_P6

Quote from: MW4 on September 18, 2014, 01:31:14 PM
That's why I said LOCAL POLICY.

Control Panel
Administrative tools
Local security policy

http://www.tomsitpro.com/articles/windows-8.1-local-security-policy-editor,2-728.html

see:
If you are troubleshooting why secpol.msc does not seem to exist in your copy of Windows 8.1, then the reason is probably that you have the Basic version of Windows 8.1; unfortunately, you need to upgrade to Pro or Enterprise, or else try another machine that runs either of those Windows versions and remotely edit the security policy of your target machine.

That isn't at all the same as Local Group Policy. That bit in the control panel is for changing your local security policy, which is a tiny subset of the things you can change in Group Policy.

I have a vague recollection of attempting to run the local Group Policy Editor, gpedit.msc, on a Windows XP Home machine about six years ago, without success.
David A. Gray
You are more important than any technology.

Kenny

[Run WBT file]
Dialog box, "WinBatch"
Look in: [Scripts]
select: WrightMageSpellDescript.wbt [Open]
It gives me a dialog box. "Priest Spell Description File"
Now when I select: WrightMageSpels.txt [Open]
I get a dialog box, "Please pick initial Spell Level"
It lists 1 to 7.
I select: 3 and [OK]
Error: 1713: ItemExtractCsv: Invalid delimiter On line: newfile=StrCat(priestdesc",ItemExtractCsv(1,Spell.txt

Kenny

DragonDatTblXML.wbt
Dialog box. ââ,¬Å"Die Sizeââ,¬Â
ââ,¬Å"Breath Weapon Die Sizeââ,¬Â
[24d10+12]
[Ok] [Cancel]
Dialog box. ââ,¬Å"Base Lengthââ,¬Â
ââ,¬Å"Low body length:ââ,¬Â
[174]
[Ok] [Cancel]
Dialog box. ââ,¬Å"Base Lengthââ,¬Â
ââ,¬Å"High body length:ââ,¬Â
[183]
[Ok] [Cancel]
Dialog box. ââ,¬Å"Tail Lengthââ,¬Â
ââ,¬Å"Low tail length:ââ,¬Â
[162]
[Ok] [Cancel]
Dialog box. ââ,¬Å"Tail Lengthââ,¬Â
ââ,¬Å"High tail length:ââ,¬Â
[171]
[Ok] [Cancel]
Dialog box. ââ,¬Å"Breath Weaponââ,¬Â
ââ,¬Å"Breath Weapon damage:ââ,¬Â
[24d10+12]
[Ok] [Cancel]
Dialog box. ââ,¬Å"Spellsââ,¬Â
ââ,¬Å"Wizard/Priest Spells:ââ,¬Â
[2222/21]
[Ok] [Cancel]
now it gets caught in a loop:
Dialog box. ââ,¬Å"Base Lengthââ,¬Â
ââ,¬Å"Low body length:ââ,¬Â
[174] It goes through all of those questions again.

Kenny

My WinBatch scipt, DragonTblXML.wbt work works perfectly fine for a Great Wyrm Red Dragon.
Now I have:
Gosub DragonCat
Askes, "What age category of Dragon:"
drca=AskLine("What age category of Dragon: ",bl2) 
Gosub DragonCol
Askes, "What color of Dragon:"
drco=AskLine("What color of Dragon: ",bl3)
I have:
While
Select
for both.
12 Case Age
10 Case Color
Now WinBatch Studio:
Step into,
When it does the Gosub DragonCat,
It Askes, "Dragon data found. Do you want to use the old data?"
[Yes] [No][Cancel]
I click on no.
Then it starts all over.

feel free to ask for the Selection codes I have

Kenny

I have these help Files:
CtrlMgr.hlp
WILX Extender.hlp
Network Extender.hlp
WinBatch.hlp
Windows Interface Language.hlp
WMI.hlp
Cpu.hlp
FileSrch.hlp
HugeMath.hlp
IpGrab.hlp
Reggie.hlp
WILX Extender.hlp
WMI.hlp
The error I get is. "Why can't I get Help from this program?
The Help for this program was created in Windows Help format, which depends on a feature that isn't included in this version of Windows. However, you can download a program that will allow you to view Help created in the Windows Help format.
For more information, go to the Microsoft Help and Support website."

td

You have very old help files.  MSFT operating systems have not supported the old 'hlp' format for 8 years.  Wilson WindowWare stop shipping files with the old format when MSFT quit supporting it. You will need to install a newer version of WinBatch and download newer extenders in order to have access to the newer integrated help file system. 

IIRC, MSFT does not support the old format viewer after Vista and I don't know if they even provide a link to it anywhere so the support program mentioned in the error may not be an option.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

td

You can download pdf versions of the WIL reference manual and the WinBatch user's guide from our download page.  Click the 'Downloads' menu item at the top of this forum to go directly to the site.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade