Windows SteadyState replaces the Shared Computer Toolkit for Windows XP and offers several advantages, including an improved Windows Disk Protection (WDP) feature that doesn’t require a dedicated partition, an improved GUI, the ability to import and export users from the GUI, and templates for applying predefined user restrictions.
Windows SteadyState (formerly the Shared Computer Toolkit for Windows XP) is a freely available add-on from Microsoft that eases the administrative burden of managing shared computers (e.g., computers used in Internet cafes, technology labs, or kiosks). SteadyState 2.0 supports only Windows XP SP2; the latest version (SteadyState 2.5, released in June 2008) includes support for Windows Vista. Windows SteadyState includes three main functions: Windows Disk Protection (WDP); the ability to configure restrictions for computer and user accounts; and scheduling of software updates.
SteadyState offers several new features that the Shared Computer Toolkit didn’t provide. New SteadyState features include the following:
- WDP no longer requires a dedicated partition
- An improved GUI for ease of use
- The ability to import and export users from the GUI and from one computer to another
- Three templates (low, medium, and high) that let you quickly and easily apply predefined user restrictions en masse
- A greater selection of restrictions
Windows Disk Protection
Perhaps the most useful component of SteadyState, WDP, lets the administrator configure rollback of the system partition to a known state, either after every restart or at a specified date (after which rollback will occur after every restart, unless the option is reset). A benefit of this option is that any malware, viruses, or unwanted software installed by users can be disposed of at the next system boot, potentially saving the administrator hours of trying to fix or clean broken systems. The disadvantage is that this option is all or nothing—WDP guards the entire system partition, with no exclusions (other than those managed by the scheduled updates feature).
All of SteadyState’s features, including WDP, are compatible with domain-joined computers. The main problem with domain-joined computers is that the authentication method used by Active Directory (AD) requires verification of a locally stored computer account password, which is changed every 30 days by default. When SteadyState installs scheduled updates, WDP is temporarily suspended and a request is made to AD to reset the computer account password. The new password therefore becomes part of the base image, and the computer can continue to authenticate to AD successfully. Scheduled updates can also run custom scripts, which lets administrators complete tasks that SteadyState doesn’t directly support while WDP is suspended for the purpose of updating the base image. Custom scripts can be written in VBScript.
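An added example, not from the article or from Microsoft’s SteadyState documentation, of the kind of custom VBScript that SteadyState can run during its scheduled-update window: it runs a third-party updater silently, waits for it to finish so that the files it writes land in the base image while WDP is suspended, and records the result in a log. The updater path, its command-line switch, and the log folder are placeholder assumptions.

```vbscript
' Added example (not part of the article or of SteadyState itself): a custom
' update script to be launched by SteadyState's scheduled updates, when WDP
' is suspended so that changes persist in the base image.
' Placeholder assumptions: UPDATER, UPDATER_ARGS, and LOG_DIR.
Option Explicit

Const UPDATER      = "C:\Program Files\ExampleAV\Updater.exe"  ' placeholder
Const UPDATER_ARGS = "/silent"                                 ' placeholder
Const LOG_DIR      = "C:\SteadyStateUpdates"                   ' placeholder

Dim fso, shell, log, rc
Set fso   = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Keep the log on the system partition so it is committed with the image.
If Not fso.FolderExists(LOG_DIR) Then fso.CreateFolder LOG_DIR
' 8 = ForAppending; True = create the file if it does not exist.
Set log = fso.OpenTextFile(LOG_DIR & "\custom-update.log", 8, True)

Sub WriteLog(msg)
    log.WriteLine Now & "  " & msg
End Sub

If Not fso.FileExists(UPDATER) Then
    WriteLog "ERROR: updater not found: " & UPDATER
    log.Close
    WScript.Quit 1
End If

WriteLog "Starting updater (WDP suspended by SteadyState)"
' Window style 0 = hidden; True = wait for exit. Waiting matters: the
' updater must finish writing before SteadyState re-enables WDP.
rc = shell.Run("""" & UPDATER & """ " & UPDATER_ARGS, 0, True)

If rc = 0 Then
    WriteLog "Updater finished successfully"
Else
    WriteLog "Updater returned exit code " & rc
End If

log.Close
WScript.Quit rc
```

Testing the script by hand while WDP is active is low-risk, because anything the updater changes outside the scheduled-update window is discarded at the next restart.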
If WDP is enabled on the system partition, any local user profiles that need to be permanently saved must be located on a different partition. However, if you don’t want to create a second partition, you can redirect My Documents to a USB or network drive to work around this restriction.
Configuring Computer and User Restrictions
SteadyState provides a simplified interface that lets administrators enable the most commonly used restrictions, which might typically be set via Group Policy. In addition, administrators can select a restriction level (low, medium, or high), instead of having to manually configure individual settings. The High restriction level contains the most enabled restrictions. Examples of restrictions that can be configured include the ability to prevent write access to USB drives, deny access to Internet Explorer (IE) settings, and stop users from creating files and folders in the root of the C drive.
Because of its predefined restriction levels and well-designed user interface, SteadyState is particularly useful for inexperienced administrators who must manage shared computers. However, if shared computers are joined to an AD domain, Group Policy is still the most effective management tool for such a configuration.
An intriguing feature of SteadyState’s restrictions, which XP’s Group Policy doesn’t provide natively, is the ability to force a user logoff event. You can force a logoff after a certain number of minutes in use or minutes idle; SteadyState calls this feature a session timer. You can also enable a countdown dialog box that warns users of the imminent logoff event. This feature is useful in situations in which a user’s computer must be unlocked so that someone else can use it, and the user is currently out of the office. SteadyState can also replicate the basic functionality of software restriction policies by providing the ability to block a given executable by name, as Figure 1 shows.
SteadyState comes with a .adm template for configuring its three sets of predefined restrictions via AD Group Policy. If you enable a predefined restriction, such as General Windows XP Restrictions, many individual Group Policy settings are enabled by default. You can also enable or disable these settings individually, as Figure 2 shows. Note that the sctsettings.adm template supports only the session timer that logs a user off after a certain number of minutes in use, not minutes idle.
SteadyState must be installed on the computer affected by the policy. A few important privacy and security computer restrictions are included, as Figure 3 shows.
Scheduling Software Updates
SteadyState’s scheduled updates are primarily provided for downloading and permanently applying critical Windows updates, as well as updates to certain supported security products (e.g., McAfee VirusScan 2005, Windows Defender). You can also write custom scripts that SteadyState can run to update other products. Users are logged off as soon as the update process begins, and they can’t log on again until the process completes. Therefore, you should make sure that updates are scheduled during non-business hours.
One of SteadyState’s most visible improvements over the Shared Computer Toolkit is the ability to use WDP without creating a dedicated partition. However, you need 4GB of free disk space in order to use SteadyState’s WDP feature.
Before you install SteadyState, consider starting with a clean OS installation. Then, ensure that all the applications you want users to access are installed. Also, verify that all security updates are current.
To install SteadyState, run the installer package and follow the instructions. During installation, a validation check will confirm that you’re running a genuine version of Windows. After the installation is complete, you can access the program configuration through the All Programs option on the Start menu.
When you create a shared user account (i.e., an account that is used by more than one person), you have the option to change the default location of the shared user profile, as Figure 4 shows. For example, you might want to store the profile on a partition other than the system partition if WDP is enabled. Shared user profiles can be locked or unlocked. Locked profiles can’t be permanently modified by users: when the user logs off, any changes are discarded. This feature is different from WDP, which discards changes to the entire system partition (if configured to do so) on a scheduled date or system reboot. The user’s experience will vary depending on the location of the shared user profile, whether the shared user account is locked or unlocked, and how WDP is configured.
Weighing the Pros and Cons
Windows SteadyState is useful for shared computers that must be maintained in a secure and stable state but on which users need to be able to make changes such as installing software or changing other configurations. However, SteadyState loses some of its appeal on shared computers that must be centrally managed. Although it’s possible to integrate WDP’s scheduled updates with centrally managed software deployment systems, such systems’ flexibility is restricted by WDP’s limitations.
SteadyState 2.0 lacks support for Vista, but version 2.5 offers Vista support. One of SteadyState’s biggest disadvantages is that running WDP on a domain-joined computer requires you to use roaming profiles, redirect folders, or store profiles on a separate disk in order to retain changes made to the profile.
SteadyState lets you import and export user profiles to and from other computers to ease configuration. In addition, SteadyState supports XP’s System Preparation tool in case you want to use imaging.
On the whole, SteadyState is a considerable improvement over the Shared Computer Toolkit. SteadyState is much easier to use. In addition, SteadyState relieves you of the burden of having to consider all the configuration possibilities if you need to quickly lock down shared lab computers that don’t require centralized management. SteadyState provides both experienced and inexperienced administrators with a solid lockdown tool and rollback functionality in certain situations.
In many cases, an appropriately locked down and centrally managed computer that is part of an AD domain is a more flexible solution in an enterprise, because users are prevented from making unnecessary changes at the outset. But in situations in which this solution isn’t feasible, SteadyState is a useful alternative.