  1. #1

    Join Date
    Jun 2006
    Location
    Kendal
    Posts
    85
    Thank Post
    2
    Thanked 15 Times in 11 Posts
    Rep Power
    19

    Controlled Assessment.

    Ok, I was asked to set up a controlled assessment environment meeting the following requirements...

    Coursework in exam conditions.

    * No Internet.
    * No Home Drive.
    * No network resources.
    * No pen drives


    Students will need:

    * A log on
    * An area to save work where after the assessment they can no longer access.
    * To be able to gain access again to the same area in a following session.
    * No access to say geography controlled assessment work when sitting a maths controlled assessment (for example).

    -----------------

    Here's what I did...

    Set up an AD group called "exam lock down" This group has denied share permission to all network shares.

    Set up an AD group called "Controlled Assessment" This group is used to allow access to areas.

    Set up an AD group for the subject in question (Business studies) called "controlled assessment business studies"

    Set up an AD group for classes (so students sitting the assessment)

    Created a new hidden share on our file server \\server\CA$ within that a business Studies folder. Share permissions on this only allow access to members of "Controlled assessment" AD group.

    Created a new GPO applied to all school XP workstations.
    This is a subject specific GPO "Controlled assessment business studies"
    This GPO runs a logon script which
    1) creates a new folder \\server\CA$\Business studies\%username%
    2) Maps T: to that folder
    3) deletes all other network drives (doesn't always work but share permission denies access if they still see them)
    4) removes context menus
    5) Merges a .reg file which disables USB drives (This requires editing registry of workstation to allow permission to a specific key for students, done manually but will be changed on our master images and rolled out with next deployment) Reg file hosted in a read only share accessible only to controlled assessment group.

    To reverse the effect of 5) there is a log on script to merge settings that enable it again for all users on all work stations.

    So now when a controlled assessment is on.
    Myself or a technician adds the correct class to the correct Controlled assessment group and the students log on as normal but in a controlled environment. At the end of the session they need to be removed from the controlled assessment group to receive regular access.

    By adding the students back to the same group they receive the same mapped drive and hence access to the same work.


    An additional useful tool to help supervise this is VNC installed on all desktops (free desktop viewer utility) and another free utility for shadowing the whole room at once. Meaning the teacher can sit at the console and watch what's happening on their desktops. The students don't know they are being watched, nor can they close the VNC service.
    ---------

    It's still early days and a few things I'd like to improve...

    * This will result in a lot of GPOs but at least no masses of accounts, one per subject

    * The redirection of My Documents to T: didn't work but I'm sure this can be solved. (Double clicking My Documents in the controlled assessment throws an error trying to connect to their normal home drive.)

    -------------------

    I guess if this helps leave some Thanks. I'm more interested in questions and potential exploits. The first session just ran without a hitch. Students aren't dismissed until an ICT support staff deactivates the controlled environment.
    Last edited by Finch7; 4th December 2009 at 12:54 PM.

  2. 4 Thanks to Finch7:

    cookie_monster (15th December 2009), Crispin (14th October 2010), gill (5th February 2010), sidewinder (15th December 2009)
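
The logon script steps 1), 2), 3) and 5) from post #1, written out as an added example; this is not Finch7's script. The server, share and folder names are the ones quoted in the post, the .reg file location is a hypothetical placeholder, and step 4) is left out because the post does not say how the context menus are removed. The script ends by checking that the USBSTOR setting actually took effect, since the merge depends on the student having write access to that key.

```bat
@echo off
rem Added example, not the original poster's script.
rem \\server\CA$ and "Business studies" come from the post.
rem USB_REG is a hypothetical path to the "disable" .reg file.
setlocal
set "CA_ROOT=\\server\CA$\Business studies"
set "CA_HOME=%CA_ROOT%\%USERNAME%"
set "USB_REG=\\server\CAconfig$\disable-usbstor.reg"

rem Step 3 is done first here: removing every mapping before T: is
rem created means T: is the only network drive left afterwards.
net use * /delete /yes >nul 2>&1

rem Step 1: create the per-student folder on the first session only.
if not exist "%CA_HOME%" md "%CA_HOME%"
if not exist "%CA_HOME%" goto :fail

rem Step 2: map T: to the student's own folder, non-persistent so the
rem mapping does not come back once the account has normal access again.
net use T: "%CA_HOME%" /persistent:no >nul
if errorlevel 1 goto :fail

rem Step 5: merge the USBSTOR "disable" setting silently.
regedit /s "%USB_REG%"

rem Check: Start must now read 0x4 (USB storage driver disabled).
rem A silent merge gives no error if the write was refused.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start | find "0x4" >nul
if errorlevel 1 goto :fail

exit /b 0

:fail
echo Controlled assessment setup failed. Tell the supervising member of staff.
exit /b 1
```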

  3. #2

    Join Date
    Jul 2006
    Location
    London
    Posts
    2,962
    Thank Post
    159
    Thanked 152 Times in 116 Posts
    Rep Power
    49
    Not even thinking about this seriously till the new year but this does look the best way so far, so much better than creating new accounts

    Could you share the .reg file?

  4. #3

    Join Date
    Jun 2006
    Location
    Kendal
    Posts
    85
    Thank Post
    2
    Thanked 15 Times in 11 Posts
    Rep Power
    19
    To disable (XP clients only, for other O/S you need to change first line)

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
    
    "Start"=dword:00000004

    To enable (XP clients only, for other O/S you need to change first line)

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
    
    "Start"=dword:00000003

    ------------

    Copy into Notepad and save as .reg

    For the file to merge successfully with the registry, students need write permission to that key, we assigned it manually but there could be an easier way.

    In theory it's possible to use this in a .adm file and control it through a GPO; however, I didn't get it working in time, might look into this at a later date.

  5. Thanks to Finch7 from:

    gill (5th February 2010)

  6. #4
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,201
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Is this for the new BECTA controlled assessments? I've only just started to hear about this. They sound like an unnecessary extra admin work nightmare.


    1. Can you explain why you needed a GPO applied to all school XP workstations? I'm not sure I follow, are you using group policy loopback for this?

    2. Rather than use a regedit to block USB can you not just ban access to all drives other than your mapped drive with group policy? (Ah I see you covered that above)

    3. Did you manage to limit the testing to one room or did you have to apply that regedit to all stations on your network?

    4. In point 3 you mention deleting network drives. If you used group policy loopback there wouldn't be any network drives other than what you specify in the logon script that is run by the looped back policy.

    Thanks.
    Last edited by cookie_monster; 15th December 2009 at 03:27 PM.

  7. #5

    Join Date
    Jun 2006
    Location
    Kendal
    Posts
    85
    Thank Post
    2
    Thanked 15 Times in 11 Posts
    Rep Power
    19
    Quote Originally Posted by cookie_monster View Post
    Is this for the new BECTA controlled assessments? I've only just started to hear about this. They sound like an unnecessary extra admin work nightmare.
    Yes it is and yes they are.

    Quote Originally Posted by cookie_monster View Post
    1. Can you explain why you needed a GPO applied to all school XP workstations? I'm not sure I follow, are you using group policy loopback for this?
    All our workstations are XP, I have a GPO that affects them all that applies workstation settings that are common to them all. In this instance I used this group policy to merge the .reg file through a log on script. I do use the loopback feature quite a lot.

    Quote Originally Posted by cookie_monster View Post
    2. Rather than use a regedit to block USB can you not just ban access to all drives other than your mapped drive with group policy? (Ah I see you covered that above)
    This way the drive doesn't even install when they plug it in so no sneaky workarounds I might have missed.

    Quote Originally Posted by cookie_monster View Post
    3. Did you manage to limit the testing to one room or did you have to apply that regedit to all stations on your network?
    You can limit it to Organisational Units so if you set up an OU with all the PCs for that room in it and create a group policy for it you can apply all the settings to that room only. I did indeed test it on one PC in its own OU initially with its own policy.

    Quote Originally Posted by cookie_monster View Post
    4. In point 3 you mention deleting network drives. If you used group policy loopback there wouldn't be any network drives other than what you specify in the logon script that is run by the looped back policy.

    Thanks.
    I blocked access to network shares via share permissions so I didn't need to remove anything really. It's just to tidy it up. It was simpler this way than trying to stop all the network drives mapping.

  8. #6
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,201
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Sounds like how I would probably set it up as well thanks.

    You said that you use your logon script to create a folder using the %username% variable, do you also set permissions on that folder? I'm just wondering if there would be any way for them to move up a folder level or access via UNC and view other users' folders.


    I take it you have to remove all students from the exam lockdown group after each test?

  9. #7

    Join Date
    Jun 2006
    Location
    Kendal
    Posts
    85
    Thank Post
    2
    Thanked 15 Times in 11 Posts
    Rep Power
    19
    Quote Originally Posted by cookie_monster View Post
    Sounds like how I would probably set it up as well thanks.

    You said that you use your logon script to create a folder using the %username% variable, do you also set permissions on that folder? I'm just wondering if there would be any way for them to move up a folder level or access via UNC and view other users' folders.

    \\server\CA$
    share permissions:
    Domain admins: Full Control
    SYSTEM: Full control
    Controlled Assessment (group): Full control
    --So no share permission access for anyone other than those in controlled assessment

    NTFS permission:

    Controlled Assessment (group): Read only this folder only
    (admins and system): full control

    CA$ is the top level which then splits into subject areas. I create the subject area folders.


    \\server\CA$\Business studies
    NTFS permissions:
    (admins + System): Full control
    Creator Owner: Full control on subfolders and files only
    Controlled assessment business studies (group): Create Folders/Append Data on this Folder only.


    So a business studies student in the controlled assessment can create a folder in "\\server\CA$\business studies" and as "creator owner" gains full control of that folder. They have no read permissions on the parent folder and although permissions are inherited there are no read permissions to pass down to other folders.

    --------

    Quote Originally Posted by cookie_monster View Post

    I take it you have to remove all students from the exam lockdown group after each test?
    Yes. We actually add the students to a group based on their class. So 10A BS and when that class is sitting the business studies controlled assessment we add 10A BS to the Controlled assessment business studies group.

    As the controlled assessment business studies group is also a member of the exam lock down and internet access removed groups they automatically get those restrictions. After the assessment the class is removed from the assessment group. However absent students or students not sitting the assessment then need to be taken out so they don't get locked down. (The class idea is optional you could just add and remove students individually)
    Last edited by Finch7; 16th December 2009 at 10:36 AM.
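
The NTFS permissions listed in post #7, expressed as icacls commands in an added example; these are not commands from the thread. The group names are from the posts. `D:\Shares\CA` (the local folder behind `\\server\CA$`) and the `SCHOOL` domain prefix are hypothetical, and the script assumes an icacls build that supports `/inheritance` (Windows Server 2008 or later). An entry with no `(OI)`/`(CI)` flags applies to "this folder only"; `(OI)(CI)(IO)` is "subfolders and files only".

```bat
@echo off
rem Added example. D:\Shares\CA and the SCHOOL domain are hypothetical;
rem the group names are the ones given in the thread.
setlocal
set "ROOT=D:\Shares\CA"
set "SUBJ=%ROOT%\Business studies"

rem Top level (\\server\CA$): remove inherited entries, then let the
rem Controlled Assessment group read this folder only.
icacls "%ROOT%" /inheritance:r ^
  /grant:r "SCHOOL\Domain Admins:(OI)(CI)F" "SYSTEM:(OI)(CI)F" ^
  "SCHOOL\Controlled Assessment:(R)"

rem Subject folder: the subject group may only create folders here
rem (AD = append data / add subdirectory), on this folder only, so it
rem has no right to list or read what the folder contains.
rem CREATOR OWNER gets full control on subfolders and files only, which
rem becomes an entry for whichever student created each folder.
rem S (synchronize) is granted alongside AD.
icacls "%SUBJ%" /inheritance:r ^
  /grant:r "SCHOOL\Domain Admins:(OI)(CI)F" "SYSTEM:(OI)(CI)F" ^
  "CREATOR OWNER:(OI)(CI)(IO)F" ^
  "SCHOOL\Controlled assessment business studies:(S,AD)"

rem Show the resulting ACLs for review.
icacls "%ROOT%"
icacls "%SUBJ%"

rem Checks to run while logged on as a test student in the subject group:
rem   dir "\\server\CA$\Business studies"                 expect: access denied
rem   dir "\\server\CA$\Business studies\<other student>" expect: access denied
rem   dir "\\server\CA$\Business studies\%USERNAME%"      expect: own files listed
```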

  10. #8
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,201
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Ok you're using the creator owner group so only the folder creator has access excellent. It all looks pretty good then.

  11. #9

    Join Date
    Jun 2006
    Location
    Kendal
    Posts
    85
    Thank Post
    2
    Thanked 15 Times in 11 Posts
    Rep Power
    19
    Just to add this all worked smoothly and will be expanding to other subjects later in the year.

  12. #10

    Join Date
    Dec 2007
    Posts
    867
    Thank Post
    90
    Thanked 165 Times in 140 Posts
    Rep Power
    49
    It's a bit of a nightmare isn't it!

    The dilemma of choosing between keeping 1 student account (and manually modifying the account as and when required) or create separate account(s)!

    The main issue seems to be the manual intervention to enable / disable settings at required times. I can see the benefit of keeping to one logon account etc, but could get messy.

    I'm currently brainstorming this issue as well; Finch7 has come up with a lot of good possible solutions etc, well done. I've been told that for some of our controlled assessments Internet access is allowed / disallowed at certain times as well just to add to the mix. Fortunately, all the Teacher's Computers in the ICT Suites have AB Tutor Control so Internet, USB Devices and Monitoring can be enabled or disabled by the Teacher etc real-time as and when required. We can train the Teachers how to do this which will lessen the burden on IT Support.

    At present, on the basis that eventually most subjects will come on board with controlled assessments, I am working on the basis on issuing students with 1 additional logon and password to use for controlled assessments for all subjects.

    A GPO would be setup that only mapped to the required network drive (as Finch7) suggested:

    Server\CA\{Student ID}

    Then subfolders for each subject:

    Server\CA\{Student ID}\Geography
    Server\CA\{Student ID}\History
    Server\CA\{Student ID}\Art etc

    Extending on from what Finch7 suggested with AD Groups relating to each subject (CA Geography, CA History etc) instead of changing the permissions of each subfolder to allow / block access simply extend the UNC Path of the mapped drive.

    For example, if Student is member of [CA Geography] Group then map drive to:

    \\Server\CA$\{Student ID}\Geography

    Or Student is member of [CA History] Group then map drive to:

    \\Server\CA$\{Student ID}\History

    And so on.

    Allowing the correct permissions / access at specific times, to me is the main problem. As Finch7 suggested the IT Techs could enable / disable / modify settings as and when required, or use with Logon Restriction hours (that only have 1 hour window).

    I am toying with the idea of using Group Policy Preferences (Client Side Extensions). I know that vbs scripts can do the same, but it's nice to work in a GUI environment.

    A GPO could be setup that maps the specific required UNC Path using the targeting feature. In here you could create numerous rules based on AD Group Membership (CA Geography, CA History etc) and specific times (1 min increments). Effectively, you could have 1 GPO to manage all exams!

    Simply edit the GPO and create a rule for each upcoming exam, all centrally managed and can be easily changed and updated.

    Only requirement, Windows 7 Workstation to create / manage the GPO and installation of KB943729 on all Windows XP workstations to support Group Policy Preferences.

  13. #11
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,201
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Can I just ask is all of this necessary?

    Our head of IT says that just either creating 30 separate general exam accounts without shared drive access or internet should be sufficient. They’re also considering just letting the students use their own accounts without internet access as there’s nothing in the shared area that can help them. Apparently the students are even allowed to use ‘Help’ in some of the tests.

    Is this right I’m a bit confused as to why these super locked down accounts are required?

    Thanks.

  14. #12

    Join Date
    Dec 2007
    Posts
    867
    Thank Post
    90
    Thanked 165 Times in 140 Posts
    Rep Power
    49
    I know what you're saying CookieMonster, personally I don't want to over complicate the issue either (or increase IT Techs workload).

    30 generic accounts would not work (not here anyway) as for example the Geography Controlled Assessment alone is for 109 students over an 8 hour period, some of that time with Internet and the remainder without! This Assessment would run over a 2 week period. History Department coming on board next year.

    There are strict requirements set out from the Exam Board, like can only logon during specific times, cannot access work outside these times, backed up daily etc etc.

    Long term, you can easily see how this could turn into an administration nightmare as more and more subjects have Controlled Assessment, each with different requirements and could even be running during the same lesson times!
    Last edited by MYK-IT; 23rd February 2010 at 11:41 AM.

  15. Thanks to MYK-IT from:

    cookie_monster (23rd February 2010)

  16. #13
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,488
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    75
    Quote Originally Posted by MYK-IT View Post
    There are strict requirements set out from the Exam Board, like can only logon during specific times, cannot access work outside these times
    Those are the sticky ones which typically necessitate IT Support involvement - how you stop the students logging in at lunchtime and re-tweaking, or going home and preparing something awesome which they save onto the network, USB, email, etc and then copy-paste into their assignment when next they have a session.

  17. #14
    bluesquarething's Avatar
    Join Date
    Jan 2009
    Location
    Beccles
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by enjay View Post
    Those are the sticky ones which typically necessitate IT Support involvement - how you stop the students logging in at lunchtime and re-tweaking, or going home and preparing something awesome which they save onto the network, USB, email, etc and then copy-paste into their assignment when next they have a session.
    You have to disable the account.

    This is necessary, unfortunately. By careful naming of the user areas it might be made a bit easier. Generic ones won't work if work's going to be stored on them - but once the CA for that subject is done with they could be backed up (please...) and then deleted.

    If it helps at all this was QCA's fault rather than the exam boards. You can blame Prince Hal and his art teacher...

  18. #15
    bluesquarething's Avatar
    Join Date
    Jan 2009
    Location
    Beccles
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by MYK-IT View Post
    Long term, you can easily see how this could turn into an administration nightmare as more and more subjects have Controlled Assessment, each with different requirements and could even be running during the same lesson times!
    Fwiw there's rarely anything that says that kids *have* to do their work using IT. I know quite a few people who are moving to all (or most) handwritten stuff.
