No announcement yet.

Kiosks - policies applying to local admin

  • Filter
  • Time
  • Show
Clear All
new posts

  • Kiosks - policies applying to local admin

    hi all,

    I am trying to make a kiosk using directions found throughout the web. The issue I am running into is that the further I lock down the kiosk - using local policies (gpedit) - the closer I get to locking out the local admin account.

    Is there a way - using local policies - to deny the effect of the policy on the local admin?


  • #2
    Re: Kiosks - policies applying to local admin

    Which OS? - if it is Win7 there is a separate local policy for administrators
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Kiosks - policies applying to local admin

      Having lockdowns in place thru a local policy affects everyone the same that logs on. Since these settings are in the local policy for users, that means the admins are included since they are, by definition, users. We have portable PCs that have the users heavily locked down (no Run, no cmd prompt, can't browse to C, lots of others), but there's a simple way to deal with this.

      To allow admins to make needed changes, they log into the local admin account (renamed, of course), and that account's desktop has a shortcut to the GPEdit.msc console. The admin opens that, removes lockdowns to allow whatever the work is, then re-applies the lockdowns before re-booting. Granted that makes it a bit tedious, but since these devices are only changed occasionally, it protects the devices well.

      Even a kiosk, if not networked and therefore accessible thru RDP, must have a local admin account to log into. As long as the device boots to the user desktop by default but allows for the need to log the user off and let an admin log in, that should give you what you need.
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **


      • #4
        Re: Kiosks - policies applying to local admin

        In the past we used Kiosk software instead of GPO's. I'd believe it was called site kiosk but it's a long long time ago...
        Technical Consultant

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"


        • #5
          Re: Kiosks - policies applying to local admin

          What OS is installed on the Kiosks? If it's Windows Vista or newer you can use MLGPO to lock down the Kiosk for all non-administrator users, leaving the Administrator unaffected.