How to Set Group Policy using an MSI

[jdrogin]

Hello,
I am looking for guidance on how to build something like the following:

I have an application that will reside on Kiosk style PCs that are out there in public settings. While the application is running on the Kiosk I’ll need to restrict the access to certain PC features (reboot, command prompt, download files, etc.) so they don’t mess with the PC. I need to build a Windows Installer that deploys the application and does all the set up needed to lock down the PC. The installer needs to do all the work; there can’t be any manual steps besides running the installer.

Here is what I’m thinking but, I don’t have experience with this type of installation so please let me know if there is a better way to approach this problem.

The installer will install the application, this part is standard. In addition it will create a local user and use Local Group Policy Objects to restrict the user’s access to the machine. Then the machine administrator will log in as that local user and run the Kiosk application under this account. The hope is that the account is locked down and people playing with the application won’t be able to stop the application or do anything malicious to the PC.

I have been looking for a way to create GPOs in C# code. This way I can implement the GPOs as a CustomAction in my installer. So far I am not finding the right API for GPO management so I’m starting to wonder if I’m even on the right track.

If you know of a nice solution for how to accomplish the Kiosk lockdown via a Windows Installer or you know something about managing Group Policy in a C# application please share your ideas.

Thanks in advance, Jesse

[nathang]

Will this 'kiosk' machine be connected to a domain network (in which case you'd be better to just create an OU or security group for this type of machine, and apply policy from the network) or will it be 'offline' from your domain (in which case you'll need to apply local policy).