Sooner or later the question arises of replacing one or more PCs because they have become slow.
The easiest way is to invent nothing and simply replace the PC.
The easiest way to do this is to start implementing “remote desktops” in the terminal server version or virtual desktops.
The cost of a thin client from HP, DELL or other brands can be compared with the cost of a full-fledged PC, and using an old PC as a thin client will extend the life of the product for a long enough period.
How to deal with obsolete PCs:
- leave Windows on the PC; the user will connect to the remote desktop.
- boot the PC over the network with one of the Linux options, thinstation.
- install a local version of Linux on the PC; there are plenty of options.
Next, I will describe the version with Windows; such a thin client has some advantages when compared with the Linux options.
Why did I do all this:
- I have remote offices with users who needed to be transferred to work on terminal servers; using group policies in the domain allows you to get the desired result without being in the office and without replacing the PC.
- The user interfaces of both the Windows and Linux versions of HP and Wyse / DELL thin clients do not suit me for various reasons.
Benefits of the Windows option:
- Full support for RDP / RemoteFX.
- Full support for removable media.
- Ability to use a local printer.
- Ability to use smart cards for bank customers.
- Redirection of video / audio playback to the thin client using Windows Media Player, without lag and without server load; you can watch 1080p video, but this is a separate story =).
Starting with the result:
This is what the user's desktop will look like if Windows XP is installed on the PC:

This is what the user's desktop will look like if Windows 7 is installed on the PC:

To get the result that you can see on the slides, you need an AD domain and several group policies for PCs and users.
On a PC with XP SP3, you need to install the updates for the RDP client, KB969084 and Fixit50588; for extended group policies, you need to install update KB943729.
Key policies:
No. 1 - Users need to be allowed Single sign-on; I extend this policy to the entire domain.
No. 2 - For the PCs, we make a separate OU and enable group policy loopback processing in this OU.
No. 3 - In the new OU, we create a policy where we change the user's shell to “wscript c:\thinPC\thinPC.vbs /nologo /b”.

Three files need to be copied to the target PC; I use extended group policies for this.
I recommend placing the files in the central storage of group policies, \\domain name\SYSVOL\domain name\Policies\, which provides fault tolerance if one of the domain controllers is unavailable.
On domain controllers, this network resource corresponds to the folder C:\Windows\SYSVOL\sysvol\domain name\Policies
Contents of the thinPC.cmd file:
C:\BGInfo\Bginfo.exe "C:\BGInfo\config.bgi" /NOLICPROMPT /timer:0
mstsc "c:\thinPC\thinPC.rdp"
shutdown -l
BGInfo adds an inscription with the necessary data to the user's desktop; the results of BGInfo are visible on the slides.
mstsc starts the RDP client; after the remote session ends, the shutdown -l command is executed to end the user session on the thin client.
While the script runs, the user would see the commands executing in a window; to hide the window, the script is launched using VBS.
Contents of the thinPC.vbs file:
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
oShell.Run "C:\thinPC\thinPC.cmd", 0
Set oShell = Nothing
Contents of the thinPC.rdp file:
This is an rdp file with the connection settings that are needed.
- It is necessary to disable the display of the connection panel when working in full screen.
- I disable forwarding of local disks, but I allow forwarding of disks connected later; this allows users to work with removable media connected after the start of a remote session.
- In the case of Windows 7, to use the RemoteFX protocol, you need to set a color depth of 32 bits and specify a connection speed of 10 megabits / LAN.
- In cases where the server certificate is self-signed, you must disable the warning in the "Server Authentication" section.
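The settings listed above correspond to named lines in the .rdp file, so the deployed copy can be checked from an administrator's workstation. The PowerShell below is an added example, not part of the original post: it parses the file's name:type:value lines and compares them with the values the bullets call for. The setting names are standard mstsc .rdp settings (authentication level 0 is the value that suppresses the server authentication warning); the sample content, the host name ts01.example.local and the function names are constructed for illustration.

```powershell
# Added example, not from the original post. Sample text and host name are constructed.
$sampleRdp = @'
full address:s:ts01.example.local
screen mode id:i:2
displayconnectionbar:i:1
drivestoredirect:s:DynamicDrives
session bpp:i:32
connection type:i:6
authentication level:i:0
'@

# Expected values, following the bullets in the post.
$expected = [ordered]@{
    'screen mode id'       = '2'              # full screen, which the post assumes
    'displayconnectionbar' = '0'              # connection bar hidden
    'drivestoredirect'     = 'DynamicDrives'  # only drives plugged in later
    'session bpp'          = '32'             # 32-bit colour for RemoteFX
    'connection type'      = '6'              # LAN (10 Mbit/s or higher)
    'authentication level' = '0'              # connect without a certificate warning
}

function ConvertFrom-RdpText {
    param([string]$Text)
    $settings = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Each line is name:type:value; the value itself may contain colons.
        if ($line -match '^\s*([^:]+):([a-z]):(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[3].Trim()
        }
    }
    return $settings
}

function Test-ThinClientRdp {
    param([string]$Text)
    $actual = ConvertFrom-RdpText -Text $Text
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual[$name]
            Ok       = ($actual[$name] -eq $expected[$name])
        }
    }
}

Test-ThinClientRdp -Text $sampleRdp | Format-Table -AutoSize
# Deployed file: Test-ThinClientRdp -Text (Get-Content C:\thinPC\thinPC.rdp -Raw)
```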
That's all; replacing the user's shell makes the boot process of the thin client as close as possible to the boot process of a regular PC.
The main disadvantage of the proposed script is that the user cannot choose the screen resolution, but I honestly do not understand people who ask for a 22-24 inch monitor and then ask to make the letters on it bigger.
In such cases, I install a VNC server on the target PC and change the resolution using it.
Secondary policies:
No. 4 - To disable this message, it is enough for the user to tick the checkbox so as not to be notified again.

To automate the process with administrative tools, you need to add a key to the registry.
[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices]
"Server address"=dword:0000000d
No. 5 - It is necessary to increase the cache for the RDP connection; on Windows XP this is vital, while on Windows 7 you can do without increasing the cache.
[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client]
"BitmapCacheSize"=dword:0000ffff
A little more detail about graphics optimization: Terminal Services and Graphically Intensive Applications.
No. 6 - Interactive logon: Do not require CTRL+ALT+DEL: set the parameter to Disabled.
No. 7 - Interactive logon: Do not display last user name: set the parameter to Enabled.
No. 8 - Attempting to log on and Interactive logon: fill in the title and text intended for users; in the simplest cases, you need to specify the contacts of the support center.
No. 9 - To disable visual effects on a thin client, you must add a key to the registry.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
"VisualFXSetting"=dword:00000002
No. 10 - Power options: using advanced group policies, you need to create a power plan in which pressing the power button turns the thin client off.
No. 11 - Software Restriction Policies: I recommend setting up software launch control; this mechanism works on Windows XP and Windows 7 PRO.
AppLocker is more flexible but only works on Windows 7 Enterprise and higher.
I believe that in the case of a thin client flexibility is not needed; the goal is to eliminate the possibility of running malware.
No. 12 - Turn off Autoplay: to disable the automatic launch of removable media, you must set the parameter to Enabled for All drives.
No. 13 - Allow RDP RemoteFX supported devices: if you plan to forward USB devices, allow the policy for Administrators and Users.
No. 14 - System Restart: I set the parameter to 180 days; the policy only works on Windows 7.
No. 15 - User Account Control: UAC bothers me, so I disable it.
No. 16 - Replacing the desktop background; beauty requires sacrifice.
For Windows XP, this registry key is responsible for the wallpaper on the login and password entry screen.
The background file can be anywhere, but it must be a bmp file.
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="C:\\thinPC\\rd.bmp"
"WallpaperStyle"="2"
To change the background on Windows 7, you need to set the key and place the background file at %WindowsDir%\System32\oobe\info\backgrounds\backgrounddefault.jpg.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background]
"OEMBackground"=dword:00000001
You also need to set the background for the user session on the thin client.
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\thinPC\\rd.bmp"
"WallpaperStyle"="2"
About the practice:
- Similar thin clients have been working for over a year.
- On several old PCs the disks have already failed; HP thin clients were sent as replacements, but all user data was on the servers ;)
- Several accountants successfully work with BIFIT USB tokens.