Give us a call at 262.299.4606 to discuss how FastTrack can help your organization or email us here

FastTrack admin

Building a Thin PC

What if you could just drop a computer into an Organizational Unit (OU) and this computer then turns into a locked down Thin PC that only shows a simple menu or just starts one specific application or web page? This would be a very powerful feature for shared or public computers that should offer only limited availability to applications.

It is actually much simpler than it sounds. With the App Factory and Group Policies, you have all the building blocks you need. You just need to walk through a simple wizard and set a few group policy settings. There is no replacement of msgina.dll or similar system hacks. And when you take a computer out of the OU, it automatically gets restored to a normal Windows PC. Read on for a blueprint on how to do this.
Download FastTrack Automation Studio

Building a Thin PC

Department of Commerce Booking Kpmg Aspen Dental Hamilton Beach Toyota Disney Kawasaki Goodyear Maersk NOAA


Building the Thin PC installer

The first step we need is to build an MSI package that will convert a computer into a Kiosk computer (Thin PC) upon installation, which is a simple process. Click the "Thin PC" icon in the App Factory and walk through the wizard. If you are using Scripting Mode, the icon is placed at the top menu. If you have the Thin PC edition, you will be taken directly to the wizard.
App Factory Thin PC Generator
One of the first pages in the wizard is building the menu. You can basically choose from local programs, Citrix Applications, Remote Desktop sessions, web page views and a private browser session. The menu building page is shown below.

App Factory Thin PC Menu Generator

In some cases, what the menu builder can do for you is not enough. For example, if you would like to ask for a password before starting a local program, this requires an additional script line. The way this scenario is handled is that when you click next, the wizard shows you the script that it has build for you and will embed into the output MSI installation file, as shown below. You can click the button "Continue in Scripting Mode" and make all the modifications you need and then restart the wizard. On the page before the menu page in the wizard, you can select to use a custom script instead of building a menu interactively. You can then simply point to the script that you modified in Scripting Mode and use this as the menu script instead.

App Factory Thin PC Menu Script Generator

Although not recommended because of the higher complexity, it is possible to skip the App Factory method entirely and write your own custom menu and installation script. The only advantage of this method is that the menu will be isolated from the installation MSI file, which means that the MSI file will not be required to be updated, when the menu is changed. Refer to this page for more information.

Using an Organizational Unit and Group Polices to deploy

Once the wizard is completed, you have an installation MSI file. This file you can just execute on a computer to convert it into a Thin PC and uninstall the MSI file to restore it. However, doing just this, you will miss out on the best part. If you instead create a dedicated Organizational Unit (OU) and assign Group Policies to it, you will be able to convert computers into and away from being a Thin PC by simply dragging computers in and out of it. Here's how you do it.

Create a new OU named for example "Kiosk Computers". Next we need to apply Group Policies that only applies to this OU. Start "Group Policy Management" under "Administrative Tools" on a domain controller, identify the new OU and create and edit a new policy named for example "Kiosk Policy":

Creating a new group policy

Naming a new group policy

Editing a group policy

Next we need to install our MSI file on all computers that are dragged into the OU. Select a new Software installation and make sure that you set the installation under Computer Configuration and not User Configuration:

Install software through GPO

You must now place the installation MSI file in a location which can be reached from clients, for example your netlogon share, and point the package to this file. After creating the package, it is extremely important that you open properties on the package, select the "Deployment" tab and check "Uninstall this application when it falls out of the scope of management" (see below). If you don't set this checkmark, the Explorer will not be restored, when you drag a computer out of the OU.

Setting uninstall option for software through GPO

That's it! Now everything is set up and you can drag computers into the OU and next time they restart, the computers are Thin PCs like the one in the movie at the top. When a computer must be restored to a normal Windows PC, you can just drag it out of the OU, as shown below.

Dragging a computer into an OU


Further lock down (optional)

When you build your MSI file with the App Factory, expected lock downs such as blocking USB/DVD drives and removing ctrl+alt+del options are automatically set, but it is possible to make further locking down using Group Polices. In some cases this is necessary under all circumstances, as existing Group Policies may overrule (open) these lock downs. The solution in both cases is creating a dedicated user inside the OU, assign Group Policy settings to it and use this use for the automatic logon.

To assign specific lock down user settings, the user needs to exist inside the same OU as the computers. Inside this OU, create a user for example called "KioskUser", which must then be used as credentials in the App Factory wizard (or custom script). This user must NOT have password expiration, as automatic logon will then stop working eventually.

We will go through here how to set all lock down settings that should have automatically been set, if not overruled by other Group Policies and you can select to make further lock downs. If you go down the route of creating a specific user inside the OU, there is be no drawback of explicitly setting all lock downs for the OU. First we need to make sure that password prompt is disabled for screensavers and resume:

Disable password protect on screensaver

Disable password prompt on resume with GPO

The next thing to do is to remove all options, when ctrl+alt+del is pressed. Normally options are available to lock the computer, switch user, log off, change password and start the task manager. We need to disable all these settings, so when a user hits ctrl+alt+del, no options but shutdown are offered, as shown below.

Disable task manager with GPO

Disable fast task switching with GPO

Ctrl alt del without options with GPO

If the "KioskUser" must share a common logon script to map drives and printers, you can use "If UserIsInOU Kiosk Computers Then" condition to differentiate the logon script for this user.
Outlook Signature Generation

Outlook Signatures

Build mass-deployable Outlook signatures using a Word-like designer. More
Graphical Logon Scripts

Codeless Logon Scripts

Build graphical logon scripts with your own logo by pure point and click. More
IP Printing

Kill your print servers

Print to IP printers directly. More
Software Deploy

Software Deploy and Inventory

Push software without a management server and inventory to the cloud. More
Zero Touch Thin PC

Tired of Desktop Authority?

Same features - less complexity. More
FastTrack Automation Studio Video
Download FastTrack Automation Studio
Laptop Backups

Lockdown Local Admins

Revoke local admins rights and have users request ad-hoc access under full audit. More


Rating: 5 out of 5

"Use this as a replacement for VBScript and PowerShell"

"It's easy to include attractive GUI elements in FastTrack scripts, beyond the basic dialog boxes and text input that VBScript offers ... Another powerful feature is the ability to distribute scripts as Windows Installer (.msi) or standard .exe files. Although interesting in its own right, this ability results in a much more intriguing capability: to repackage -- or wrap -- software installers as .msi files without using snapshots. If you've ever created an .msi installer file from before-and-after system snapshots, for use with a software distribution system such as Group Policy or System Center Configuration Manager (SCCM), then you know how hit-and-miss the results can be."

Read full review


Rating: 8 out of 10

"Faster than the rest"

"We found the FastTrack syntax to be more transparent and easier to learn than Microsoft's PowerShell – the editor in particular provided good support in this regard. Scripting mode offers a large number of options from the command set through to simple output of graphical elements, which cannot be achieved at all with PowerShell or other solutions or only with a significantly greater level of effort."

"Anyone wanting to tackle the many hurdles in everyday admin and especially anyone for whom logon scripts and client automation is a priority will benefit from the variety of functions offered by FastTrack."

Review in English      Review in German
Department of Commerce Booking Kpmg Aspen Dental Hamilton Beach Toyota Disney Kawasaki Goodyear Maersk NOAA

Kill your local admin accounts! Let users request access by request under full audit. Check this page for more info.