IT Infrastructure Documentation

Esports Lab: Technical Configuration & Deployment Guide

FACILITY: ESPORTS LAB // UPDATED: January 16, 2026

1. Executive Summary

This document details the technical configuration for the Esports Lab. The environment is designed as a high-security "Kiosk" system that prioritizes gaming performance while utilizing a Zero-Trust security model. Defense is achieved through four layers: Shell Replacement, NTFS File Locking, Group Policy Hardening, and BeyondTrust Privilege Management.

2. System Architecture & Roles

The workstations utilize a "Tri-Persona" architecture. Access to non-kiosk roles is strictly controlled via the ggLeap Web Admin console.

User Account	Role	Interface & Environment	Purpose & Access
Esports	Public Kiosk	ggLeap Shell Only NO Start Menu, NO Taskbar, NO Desktop.	Primary User. Auto-logons to Windows. Requires Entra ID for game access.
General	Event Overflow	Standard Windows Desktop Full Taskbar & Desktop Experience.	Student Life Support. "General Use". Password protected. Requires Staff activation.
Adm	IT Maintenance	Standard Windows Desktop	Full Admin. Used for OIT maintenance, game updates, and image management.

3. Access & Deployment Overview

3.1 Access Workflows

Student Access: The system auto-logons to the Esports Windows profile. Students authenticate via the ggLeap Shell using Entra ID credentials.

Staff Access: Adm and General are hidden. Staff must use the ggLeap Web Admin Console to "Launch Remote App > Switch to General" (shutdown.exe /l) to reach the standard Windows Login Screen.

3.2 Deployment Strategy

The Master Image (CloneZilla) is a "Clean State" containing only the OS, Game Library, and ggLeap Client. All security configurations are applied Post-Imaging (See Section 6).

4. Group Policy Configuration

4.1 Machine Policy (All Users)

Applies to the hardware level, affecting Esports, General, and Adm.

Lock Screen: Branded Wallpaper enforced (C:\Windows\Web\Wallpaper\Windows\Logo.jpg).
OneDrive: Completely disabled to prevent data syncing.

4.2 "General Use" Policy (Event Support)

Designed to function like a standard lab machine for supervised events.

Browser Privacy: Chrome/Edge forced to Incognito (History/Cookies clear on exit) for ALL standard users.
Desktop Interface: STANDARD. Full access to Start Menu, Taskbar, and Desktop icons.
Downloads: ALLOWED. (Files can be downloaded for events).
USB Storage: ALLOWED. (Read/Write access granted).
Windows Settings: STANDARD. (Standard access to Display, Personalization, etc.).

4.3 "Esports" Policy (Kiosk)

Strictly locked down for public gaming use.

Desktop Interface: DISABLED. Start Menu, Taskbar, and Desktop are completely removed via Shell Replacement.
Downloads: BLOCKED.
USB Storage: BLOCKED. (Read/Write denied).
Windows Settings: RESTRICTED. (Audio/Mouse controls only).
Custom User Interface: Replaces explorer.exe with C:\ggLeap\ClientInterface.exe.
File System: C: Drive hidden in file browse dialogs.

5. Nuclear Lockdown & Maintenance

AUTOMATIC UPDATES: Because BeyondTrust is configured to Elevate approved games (Fortnite, Valorant, etc.), the game clients will automatically download and install updates as students play them. Manual intervention is rarely needed for game patches.

To prevent "breakout" attempts where users utilize Game Launchers to browse the file system, critical Windows tools are blocked via NTFS Permissions. This is done using a custom script that modifies Ownership and ACLs.

BLOCKED TARGETS (Esports User Only): - CMD.exe (Command Prompt) - Explorer.exe (Desktop) - Regedit.exe (Registry Editor) - MMC.exe (Microsoft Management Console) - Notepad.exe (Prevents "File > Open" exploits) - PowerShell.exe / WScript.exe (Scripting Engines) - TaskMgr.exe (Blocked via GPO + File Level)

Manual Maintenance: If an OS update or a failed game patch requires intervention, log in as Adm. You do NOT need to unlock the machine. The locks only apply to the Esports user.

EMERGENCY UNLOCK: In rare cases where troubleshooting inside the Esports profile is required (e.g. Audio/Driver issues), run Unlockdown.bat (See Appendix A).

CRITICAL WARNING: You MUST run Lockdown.bat immediately after troubleshooting is complete to re-secure the station.

6. Post-Imaging Workflow

Perform these steps immediately after the CloneZilla restoration is complete. Use the files from the OIT Shared Drive (T:) or Flash Drive.

Phase 1: Network & Hostname Configuration

Log into Adm.
Set Static IP Address for the Station you are configuring (Cloning defaults to Esports-01's IP). (See Appendix B for IP Map).
Rename Computer to match location (ESPORTS-XX).
RESTART.

Phase 2: Create "General" User

Log into Adm.
Go to Computer Management > Users > New User.
Name: General | Desc: RCBC General Use
Password: [REDACTED]
Check: Password never expires and User cannot change password.

Phase 3: Install Security & Policy Files

Connect USB Drive containing the EsportsPolicy folder.
Run Install_PAM.bat (Installs BeyondTrust & Links to Cloud Tenant).
Drag .jpg wallpaper to the "Drag Wallpaper Here" shortcut.
Drag GroupPolicy folders to the "Drag Group Policy Here" shortcut (Select "Overwrite All").

Phase 4: Apply Lockdown & Auto-Logon

Run Lockdown.bat to apply NTFS security blocks to the Esports user.
Move AutoLogon.reg to the Desktop and Run it.
RESTART.

Phase 5: Link ggLeap & Verify

System will auto-login to Esports.
At the ggLeap Employee Login screen, enter your credentials to link the node.
ggLeap will configure itself and auto-load the Student Login Screen.
From the ggLeap Web Console (on another PC), push the "Switch To General" command.
Log into the General user on the machine to populate the profile.
Verify standard desktop loads. RESTART one final time.

Appendix A: Master Scripts

All scripts and registry files are stored on the OIT Shared Drive (T:).

1. Install_PAM.bat (BeyondTrust Installer)

msiexec.exe /i "PrivilegeManagementConsolePackageManagerForWindows_x64.msi" ^ TENANTID="[REDACTED_TENANT_ID]" ^ INSTALLATIONID="[REDACTED_INSTALL_ID]" ^ INSTALLATIONKEY="[REDACTED_KEY]" ^ SERVICEURI="https://[REDACTED]-services.pm.beyondtrustcloud.com" ^ GROUPID="[REDACTED_GROUP_ID]"

2. AutoLogon.reg

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "AutoAdminLogon"="1" "DefaultUserName"="Esports" "DefaultPassword"="" "DefaultDomainName"="" "ForceAutoLogon"="1"

3. Lockdown.bat (The "Nuclear" Option)

@echo off :: 1. BLOCK EXPLORER takeown /f C:\Windows\explorer.exe icacls C:\Windows\explorer.exe /grant Administrators:F icacls C:\Windows\explorer.exe /deny Esports:(RX) icacls C:\Windows\explorer.exe /setowner "NT SERVICE\TrustedInstaller" :: 2. BLOCK REGEDIT takeown /f C:\Windows\regedit.exe icacls C:\Windows\regedit.exe /grant Administrators:F icacls C:\Windows\regedit.exe /deny Esports:(RX) icacls C:\Windows\regedit.exe /setowner "NT SERVICE\TrustedInstaller" :: 3. BLOCK MMC takeown /f C:\Windows\System32\mmc.exe icacls C:\Windows\System32\mmc.exe /grant Administrators:F icacls C:\Windows\System32\mmc.exe /deny Esports:(RX) icacls C:\Windows\System32\mmc.exe /setowner "NT SERVICE\TrustedInstaller" :: 4. BLOCK NOTEPAD takeown /f C:\Windows\notepad.exe icacls C:\Windows\notepad.exe /grant Administrators:F icacls C:\Windows\notepad.exe /deny Esports:(RX) icacls C:\Windows\notepad.exe /setowner "NT SERVICE\TrustedInstaller" :: 5. BLOCK POWERSHELL takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /grant Administrators:F icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /deny Esports:(RX) icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /setowner "NT SERVICE\TrustedInstaller" echo SYSTEM LOCKED.

4. Unlockdown.bat (Emergency Restore)

@echo off :: 1. UNBLOCK EXPLORER takeown /f C:\Windows\explorer.exe icacls C:\Windows\explorer.exe /remove:d Esports icacls C:\Windows\explorer.exe /setowner "NT SERVICE\TrustedInstaller" :: 2. UNBLOCK REGEDIT takeown /f C:\Windows\regedit.exe icacls C:\Windows\regedit.exe /remove:d Esports icacls C:\Windows\regedit.exe /setowner "NT SERVICE\TrustedInstaller" :: 3. UNBLOCK MMC takeown /f C:\Windows\System32\mmc.exe icacls C:\Windows\System32\mmc.exe /remove:d Esports icacls C:\Windows\System32\mmc.exe /setowner "NT SERVICE\TrustedInstaller" :: 4. UNBLOCK NOTEPAD takeown /f C:\Windows\notepad.exe icacls C:\Windows\notepad.exe /remove:d Esports icacls C:\Windows\notepad.exe /setowner "NT SERVICE\TrustedInstaller" :: 5. UNBLOCK POWERSHELL takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /remove:d Esports icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /setowner "NT SERVICE\TrustedInstaller" echo SYSTEM UNLOCKED.

Appendix B: Station IP Map

Reference table for static IP assignment in Phase 1.

Hostname	Assigned Static IP
ESPORTS-01	172.22.xxx.xx
ESPORTS-02	172.22.xxx.xx
ESPORTS-03	172.22.xxx.xx
ESPORTS-04	172.22.xxx.xx
ESPORTS-05	172.22.xxx.xx
ESPORTS-06	172.22.xxx.xx
ESPORTS-07	172.22.xxx.xx
ESPORTS-08	172.22.xxx.xx
ESPORTS-09	172.22.xxx.xx
ESPORTS-10	172.22.xxx.xx
ESPORTS-11	172.22.xxx.xx
ESPORTS-12	172.22.xxx.xx
ESPORTS-13	172.22.xxx.xx
ESPORTS-14	172.22.xxx.xx
ESPORTS-15	172.22.xxx.xx
ESPORTS-16	172.22.xxx.xx