I would love some more detailed directions if you could help out or point me in the right direction.

Thanks

This is designed for Microsoft Windows ThinPC, which is basically a stripped down copy of Windows 7.

Create an OU in Group Policy for your ViewThinPC computers.  Create a new group policy and attach it to the new OU.  Below you'll see a screenshot of the group policy I use on my OU.  Note that some of the settings are from the View Client group policy template (a copy of them is on your View Connection Server).

-

The important ones are:

Use Enhanced Keyboard on Windows Client if available

This can prevent the ThinPC from intercepting a normal CTRL-ALT-DEL and instead sends it to the VM.  For this to work, you have to do the following steps:

• Make sure you are using the VMware View client with local mode. You don't need to use a local mode VM, you just need this install for this feature to work.
• Set the ThinPC's UAC to the lowest setting
• Right-click on "C:\Program Files\VMware\VMware View\Client\bin\wswc.exe" and go to Properties...Compatibility tab.  Click on the "Change Settings for all users" button and set the program to always run as administrator.
• Add the user account (Domain Users or another group) as an administrator of the ThinPC.

Note that in the time before the View session is established, the user can still send a CTRL-ALT-DEL to the ThinPC.  From there, they can launch Task Manager and then Explorer.exe to get a taskbar.  You may wish to set the group policy setting to "Remove Task Manager" in System\CTRL-ALT-DEL Options.  If you do this, be sure to set a different group policy (with permissions) to allow your helpdesk to login and configure the ThinPC.

User Group Policy loopback processing mode

Only allow local user profiles

Prevent Roaming Profile changes from propagating to the server

This will cause the User Configuration in this group policy to override the user's roaming profile settings.  Although not illustrated here, you can use group policy to further lock down the ThinPC.

Delete user profiles older than a specified number of days on system restart

Remove any unused local profiles after 30 days.

Custom User Interface

This will replace the taskbar (explorer.exe) with a vbscript that launches the View client. We use a script instead of launching the view client directly, because if we don't tell the shell what to do when the view client exits, the computer will just display a blank screen with no UI.  For the shell setting, we used wscript c:\view\view.vbs.  This is the vbscript that we use:

set shell = CreateObject("WScript.Shell")

'Launch the View client and wait for it to close

shell.run """c:\program files\vmware\vmware view\client\bin\wswc.exe""",,1

'Logout of the ThinPC

shell.run "shutdown /l"

set shell = Nothing

Some people configure the script to loop and relaunch View, but I think this way provides a more consistent user experience:  they've logged out of their VM, so they are pushed back to a regular login screen.

Default value of the 'Log in as current user' checkbox

This wil cause the View client to automatically login as the current user.

You might also consider using EWF (Enhanced Write Filter) to lock down the ThinPC.  Basically when you enable EWF, the ThinPC becomes read-only in the sense that when the computer is rebooted, any changes are discarded.

Thanks for the quick reply. I will give this a go and let you know how I make out.

Thanks again.

Bill

If you look at the Documents tab, there is a PDF document that talks about how to lock down Windows ThinPC and always log directly into the View client.

I have this up and running thanks to your help. There are a few small issues, and was hoping you could help me out. I have this set up on a Windows ThinPC laptop and one of the issues I have is after your initial log on the View Log On box appears. Is there a way to keep that from happening? I know it is just a simple little click, but the less my users have to do the better. Also, is there anyway to by pass the View Certificate warning that pops up? I also set the policy to "Remove Task Manager" which works great. You mentioned setting a different Group Policy with permissions to allow helpdesk to login and configure the ThinPC, could you tell me where to do that.

Thanks again, even the way it is now it still works better than what we had.

after your initial log on the View Log On box appears. Is there a way to keep that from happening?

The VMware View client should not ask for credentials.  It should automatically login as the current user.  This assumes that: you installed the Single Sign-On option (when installing VMware View Client on the ThinPC) and the Login as current user group policy option is enabled (as specified above).

Also, is there anyway to by pass the View Certificate warning that pops up?

This warning only appears when you have a certificate issue.  If you are using an Active Directory CA cert, be sure that the CA's root certificate is installed on the ThinPC.  You can do this via group policy.  The best option is to just buy a certificate from godaddy.com for $70.  This way if you have users that will connect from home or via an iPad, they won't see the certificate warning.

I also set the policy to "Remove Task Manager" which works great. You mentioned setting a different Group Policy with permissions to allow helpdesk to login and configure the ThinPC, could you tell me where to do that.

So basically what you want to do is add a new group policy that reverses the "Remove Task Manager" setting for your admins.  To do this:

1. Launch Group Policy Management and find the OU you setup for your ThinPCs. 
   
2. Create a new Group Policy object and link it to that OU. 
   
3. Edit the group policy, find that Remove Task Manager setting and set it to disabled.
   
4. Back in Group Policy Management, click on the new GPO.  On the right side, in the Security Filtering section, remove "Authenticated Users" and insert the group for your admins/helpdesk.  This way, only people in this group will apply this group policy.
   
5. Back in Group Policy Management, click on the OU name and on the right side you will see a list of "Linked Group Policy Objects."  Use the arrow buttons to set the priority so that this new GPO is #1.  Since your admins will apply both policies, you need to be sure that the new GPO is applied last.
   

Does anyone have any answers to mcrampton's last post about the power button?

I too would like to be able to have the power button log off, or even better restart, the system as opposed to powering it off.  From what I have read Windows7 may not support this though....... are there any other solutions to get the end user to hav ea restart/logoff option when there is no Windows UI running?

Thank you,