Specific access logins


Joined
Apr 26, 2018
Messages
17
Reaction score
1
Haven't posted in a while, since my last Win10 emergency as a matter of fact. :) I am totally disgusted with the way Windows 10 handles what used to be called user profiles. So now you set up a "family or other user" in Settings, and then you tell that account which application it can have access to (using the Kiosk function -- I have read there is another alternate function to use but I have not been able to find it). First, it appears from everything I have read and tried that the app must be a Microsoft app. Three tries and still only MS apps populate the list. What idiocy! Then, I highly suspect that only one app can be assigned as the app the account has access to, though I haven't been able to get far enough to determine that for sure. What am I missing here, you Win10 gurus?
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,414
Reaction score
1,052
I'm not sure whether I'm following you completely because of your use of deprecated terms and current terminology.

In previous editions of Windows 10 Professional, Educational or Enterprise, you had an option to Set up assigned access but this term is now deprecated and renamed Set up a kiosk.

The idea with Set up a kiosk is to set up a device as a Kiosk for a local standard user account using either a single UWP or Windows Desktop application, or multiple UWPs or Windows Desktop applications.

The UWP (Universal Windows Platform) is an API created by Microsoft to allow the development of applications to run in the Windows environment, and while there had been historic issues between Microsoft and some of the larger alternate developer companies, overall, most popular apps will now run in the Windows environment as a result.

In the case where this is not possible, Microsoft built in a ShellLauncher node which allows you to start other apps in the Kiosk, which is available when using Microsoft Intune, or MDM services. You can find out more on that here:

https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app ( scroll to bottom of article )

I'm not sure what you meant when you said you could not find another way other than Kiosk function, but perhaps you were referring to these other services Microsoft provides, so you can use the CSP (AssignedAccess Configuration Service Provider) which contains the aforementioned ShellLauncher node.

These other options can be obtained by downloading the Configuration Designer tool built into the Windows Development Kit. You can read more about that here, and follow the instructions provided here to download this tool, if that is how you wish to go about setting up a Kiosk device:

https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd

Regards,

Regedit32
 
Joined
Apr 26, 2018
Messages
17
Reaction score
1
Well, it sounds like you're confirming my two explicit questions. One, that the Kiosk is indeed the only way, and two, that it indeed allows only Microsoft apps. My implied question was, why? Whatever happened to the ability to have more than one user use the same machine but not all have access to the same apps? Thank you by the way.
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,414
Reaction score
1,052
Quote:
    One, that the Kiosk is indeed the only way, and two, that it indeed allows only Microsoft apps.

Clearly, you have not bothered to read either article.
  1. Kiosk is not the only way, and
  2. Using the CSP allows you to run the ShellLauncher node to execute a non Windows app.
 
Joined
Apr 26, 2018
Messages
17
Reaction score
1
I didn't say non-Windows. I said non-Microsoft. As to articles, could you explain what you mean? And I would be beholden to you if you would show me a way to ascribe only certain apps to certain logins. Thank you.
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,414
Reaction score
1,052
There are a couple of ways of running a non-Microsoft app:
  1. The first option as I've already alluded to is to make use of the ShellLauncher node.

    1. I'm not sure what app it is you are wanting, but possibly your best choice is to use ShellLauncher v2, rather than v1 as the v2 allows you to specify a UWP as the replacement for the Shell.

      The following URLs provide more detail on how to do this, and the advantages of v2 over the original v1 release.

      https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/shell-launcher

      https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher

  2. Another more crude way to achieve this is to modify the Registry itself, by replacing the Explorer Shell located here:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Shell

    You can replace this Shell with the path to your executable instead. It is a crude method though and likely will lead to a loss of functionality as a result.

    Note: If you go down this route, make sure you are not replacing the Shell for you, the Admin, but rather setting up a Standard User account, with automatic logon, and replace the Standard User's Shell. In that scenario you might then use the following Registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

    You'd replace this Shell with the Script or application you want to use.

    It'd be wise too, to lock the Operating System using GPOs, as you don't want the User to be able to use keyboard shortcuts to override the Kiosk for example.

Regards,

Regedit32
 

Joined
Apr 26, 2018
Messages
17
Reaction score
1
Well. Even if I understood any of that, it doesn't sound like what I need. I'm not trying to run a kiosk, or have the computer boot up into an app, though that might do what I want. Frankly, I don't even understand the terminology you're using. But, remember in the old days you could set up what were called "profiles" which were simply logins that gave access to different numbers of files? Or am I thinking of some kind of OS shell? I thought it was login-based. I know for certain that there used to be (and in my field still are) apps whose features could be tailored to the person logging onto the computer.
 
Joined
Apr 26, 2018
Messages
17
Reaction score
1
Thank you for continuing to dialogue with me. Here is specifically what I want to do. A church computer being used to run worship software on Sundays is occasionally also used to play exercise DVDs during the week. I am looking for a way to keep the exercise group user from accessing the many files and settings the Sunday user uses. All the exercise group user needs access to is the DVD drive and the media player installed on the computer, which is VLC. Is this possible?
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,414
Reaction score
1,052
Yes that is possible.

I need to know what edition of Windows your church computer is using. Home, Professional, Educational, Enterprise?

You can quickly do this for all editions of Windows 10 by modifying the Registry manually, but if you have Professional, Educational or Enterprise then this can also be done using the Group Policy Editor built in to those editions of Windows 10.

I'll post an article on this once we get through your specific issue, for the benefit of all our members.

If you are using Windows 10 Home on the church computer, are you comfortable navigating the Registry? If not, I'll just post a command line method to make the necessary changes, so you don't have to physically go into the Registry Editor app.
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,414
Reaction score
1,052
Given you only want them using a single application, but want them to be able to use the DVD player, then rather than go into the depths of the Group Policy Editor and the Microsoft Management Console to create a specific snap-in Group Policy for the Exercise group, I propose you do a simple modification of the Registry, which will only take a few minutes tops.

To start with let's create a User account for the group:
  • Press Windows key + I to open the Windows Settings dialog
  • Select Accounts
  • On the left pane, select Family & other users
  • Now on the right pane, below Other Users click Add someone else to this PC
  • In the dialog that opens, click I don't have this person's sign-in information
  • On the next screen click Add a user without a Microsoft account
  • On the next screen enter a username, for example Exercise, then click Next

    Note:
    This will create a User account that does not need to provide a password to sign-in with.

    If you'd prefer they use a password, then enter the password, and retype the password in the two fields below where you entered the Username. After doing this, some additional fields will automatically appear below the password fields, where you'll need to select three separate clues, and provide an answer, to help recall the password, should it be forgotten at some point. When you've done all that you can then click the Next button to continue.

  • Now you'll be back at the Family & other users screen, and you'll see your new Username (Account). Left-click on this new Username (Account), then click Change account type. Now click the drop arrow and select Administrator.

    Assuming all has gone well so far you'll see this:

    Exercise.png

With the new User account created, we now want to sign in to the new account to make the necessary Registry modifications.
  • Left-click on Start, then left-click your Account icon and select Exercise

    Sample image


    Exercise2.png


    After clicking Exercise as above, you'll need to click the Sign-in button, then wait as the Windows Hello message does its thing in preparation of taking you to the Exercise Desktop

  • Now you are signed-in as Exercise, and on the Desktop, press your Windows key once to give focus to the Cortana search field, then type CMD, then press Ctrl + Shift + Enter keys together.

    The User Account Control will prompt you. Click yes to allow an Elevated Command Prompt to open.

    All going well you should see this:

    cmd.png


  • Next you need to type the following commands into the command prompt:

    Code:
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Press Enter key

    Code:
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
    Press Enter key

    Code:
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d 1
    Press Enter key

    Code:
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REG_SZ /d vlc.exe
    Press Enter key

    Type exit and press Enter key to close the elevated command prompt.

  • Now click Start then left-click on Exercise account icon, and select Sign out
  • This takes you back to the Logon page. Select your usual Administrator account and sign-in.
  • Press the Windows key + I, then click Accounts, then on the left pane select Family & other users
  • Left-click on Exercise and then click the Change account type button and select Standard user, then click OK

    You should now see this:

    this.png
All done!

Next time someone signs in to the Exercise User account, the only app they can open is VLC. Other apps you have installed like Google Chrome, Acrobat Reader, for example will not be able to be run in this account.

If they attempt to, they'll be greeted by this message:

warn.png


They will still be able to navigate using File Explorer, but if they attempt to open your User account, a warning will appear requiring them to enter your password to access the directory. Thus they cannot access your Church files etcetera without the password.

The one exception is Microsoft Edge. This can be run in the Exercise account, and whilst in theory using the Group Policy Editor, you can restrict Microsoft Edge using the Packages rule, and applying it specifically to the Exercise user account, my experience with this is that the GPO does not always stick.

Thus when you are on the Exercise Desktop, and have finished with the registry modifications, you might want to delete the Microsoft Edge shortcut on the Desktop, and unpin it from the Taskbar too, just to take their minds off thinking about using that browser.

Regards,

Regedit32

ps: When time avails I may post a more thorough article on this topic, including using the Microsoft Management Console, Group Policy Editor, and also cover the Microsoft Packages rules. It is relatively easy to use these tools once you are familiar with them, but if you've not used them before, then it's a lot slower than doing the Registry modification yourself.
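
A read-only check for the end state of the procedure above, added here as an example and not part of Regedit32's post: it confirms the RestrictRun switch and allowlist in the signed-in account's HKCU hive, and that the account is no longer an administrator. The account name Exercise and vlc.exe come from the post; the variable names are illustrative.

```powershell
# Added example. Run in a normal (non-elevated) PowerShell window while signed in
# as the restricted account. 'Exercise' and 'vlc.exe' are the names used in the post.
$ExpectedUser    = 'Exercise'
$ExpectedAllowed = @('vlc.exe')

$policyKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'RestrictRun'
$findings  = @()

# 0. HKCU is per-user, so the result only means something for the account under test.
if ($env:USERNAME -ne $ExpectedUser) {
    $findings += "Signed in as '$env:USERNAME', not '$ExpectedUser'"
}

# 1. The switch: REG_DWORD 'RestrictRun' = 1 directly under ...\Policies\Explorer.
$switch = (Get-ItemProperty -Path $policyKey -Name RestrictRun -ErrorAction SilentlyContinue).RestrictRun
if ($switch -ne 1) { $findings += "RestrictRun switch is not 1 (found: '$switch')" }

# 2. The allowlist: string values under ...\Policies\Explorer\RestrictRun.
$allowed = @()
if (Test-Path $listKey) {
    $key     = Get-Item -Path $listKey
    $allowed = @($key.GetValueNames() | Where-Object { $_ } | ForEach-Object { $key.GetValue($_) })
}
foreach ($exe in $ExpectedAllowed) {
    if ($allowed -notcontains $exe) { $findings += "Missing allowlist entry: $exe" }
}
foreach ($exe in $allowed) {
    if ($ExpectedAllowed -notcontains $exe) { $findings += "Unexpected allowlist entry: $exe" }
}

# 3. The account must be back to Standard user (last step of the post);
#    S-1-5-32-544 is the well-known SID of the local Administrators group.
$me     = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)
if ($admins | Where-Object { $_.SID.Value -eq $me }) {
    $findings += "'$env:USERNAME' is still a member of Administrators"
}

if ($findings.Count -eq 0) {
    "OK: '$env:USERNAME' is limited to: $($allowed -join ', ')"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```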
 

Joined
Apr 26, 2018
Messages
17
Reaction score
1
Whew! Now I know what many of my customers feel like who email me needing advice (I restore vintage motorcycles). I am not going to be able to absorb this at one sitting, and I'll want to do it on a spare PC before doing it on the church unit. Thank you very kindly!
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,414
Reaction score
1,052
Quote:
    I am not going to be able to absorb this at one sitting, and I'll want to do it on a spare PC before doing it on the church unit.

This is doing the leg work yourself, but given you only have the one User per se (Exercise Group) and the single application you want them to use, it's actually easier to achieve that goal manually, than using the MMC tool to create a special Policy for the Exercise group, then integrate that 'Special policy' into the Group Policy object.

One piece of advice when you try this on the Church computer. Create a restore point first! Always a good idea to have a simple way out of a major change.
 

Joined
Apr 26, 2018
Messages
17
Reaction score
1
Yeah, Restore point for sure. Used to rely on that when I taught mechanics how to use their laptops! Thanks!
 
