16th May 2011, 12:27 PM #1
Laptops, how do you lock yours down?
As an old thing before my time here, people have always had completely unrestricted access to their staff laptops; they can plonk as many games and trojans on there as they wish, but I think it's time to change all that!
To be honest it should have changed long ago, but it's always been left for last as it's going to be, no doubt, a power struggle trying to pull those rights away from staff. But I have seen AOL, Limewire, Norton security **** and kids' games enough times now that I want to chuck the things out the window.
Now I don't even know where to begin here. We're using Windows 7 on all our new laptops and, due to the fact we've never used offline files, we've been giving people the local administrator account on them (stupid as that sounds, I know, I know) to save them having to type "PCNAME\ACCOUNTNAME", which is one of the very few things that annoys me with Windows 7.
90% of staff are on mandatory profiles with EVERYTHING redirected. So... how does one go about sorting this out? I will not switch the profiles from mandatory as they've been brilliant like they are, and I will not remove folder redirection, so I need a solution to this that involves a new way of doing it rather than bodging the current way of doing it.
Thanks for any help on this. PLEASE SAVE ME FROM NORTON INSTALLATIONS!
16th May 2011, 12:34 PM #2
Set up the Group Policy for them which sets the default logon domain. That auto-fills \PCNAME with the school domain name (don't log them on as local users). Now, set them up with Power User accounts on your domain. They'll have a separate 'admin' account which is only able to log on to their laptop (set that in ADUC). We have them set this way - they have local access to drives etc., but not admin - they can't make system-wide changes. Works fine off the network - just turn off mandatory profiles on these admin accounts, and set the GPs accordingly.
16th May 2011, 12:57 PM #3
16th May 2011, 01:28 PM #4
Domain accounts: set up offline files on the redirected deployment shares and also on the mandatory profile share, then give them membership in the network administrators group on the laptops so that they can set up their own wireless, and you're sorted. Teachers break stuff when they have the option. It does mean a bit more work up front installing some stuff, but saves endless hassle in the long run.
Luckily Windows 7 is good with drivers, so most USB printers will just install when they plug them in at home.
16th May 2011, 01:40 PM #5
That sounds good to me, question though: setting offline files for the mandatory profile, do I need to enter the .v2 in the folder name or leave it out as per the AD route? (I'm assuming with, as it no doubt won't know to put .v2 on like AD would? Thought it'd be best to check though just in case.)
16th May 2011, 01:42 PM #6
Sorry, I rushed the explanation a bit. Yes - add the domain user to the Power Users group on the laptop. That domain user for us is also much less restricted via Group Policy (obviously synced when logged onto the network). Yes - a secondary roaming profile that isn't their normal school login. I'm sure there are other solutions to this, but it works well for us here.
16th May 2011, 02:05 PM #7
Easiest to use the full path to the actual folder; it just pays attention to what you tell it and won't make assumptions like .v2.
You will need to define it in the machine policy as it will need to be machine-cached so that it can be accessed by whichever user. Documents, however, should be assigned under the user policy, otherwise you get sync errors. Syncing AppData can be a bit troublesome with certain files that refuse to unlock, so you may need to add some exceptions for those files or live with the reported sync errors.
Personally I would not even give them access to the Power Users group. We have a machine admins group, which is a domain group that is a member of the local admins group on the laptops. The team leaders have separate accounts with these rights, so if a teacher wants to install something UAC will prompt them and they need to talk to a team leader to install it. Having to justify why super-mega-ultra-shiny-neon-savings-bar is needed to a colleague slows down silly behaviour and still gives them some freedom (rope) if they want it.
Note: I only tried the full redirect and sync once on a Vista PC, so although it should still work I can't be 100% sure. We use a slightly different method on our systems now.
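An added example (not from any poster in this thread) of the kind of check the "machine admins domain group in local Administrators, nobody in Power Users" setup calls for: a PowerShell audit, usable on Windows 7's PowerShell 2.0 via ADSI, that lists who actually holds local admin or Power User rights on a laptop and flags anything outside an allow-list. The group name DOMAIN\LaptopAdmins is a placeholder.

```powershell
# Added audit script: report local Administrators / Power Users members that are
# not on the expected list. DOMAIN\LaptopAdmins is a placeholder for your own
# machine-admins domain group; adjust $expectedAdmins before running.
$expectedAdmins = @(
    'DOMAIN\LaptopAdmins',
    'DOMAIN\Domain Admins',
    "$env:COMPUTERNAME\Administrator"
)

function Get-LocalGroupMembers {
    param([string]$GroupName)
    # WinNT provider works on Windows 7 / PowerShell 2.0 (no Get-LocalGroupMember there)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # Members come back as COM objects; pull ADsPath (WinNT://DOMAIN/Name)
        # and normalise it to DOMAIN\Name for comparison.
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$admins     = @(Get-LocalGroupMembers -GroupName 'Administrators')
$powerUsers = @(Get-LocalGroupMembers -GroupName 'Power Users')

# Anything in Administrators that is not on the allow-list is a finding,
# as is any member of Power Users at all (the thread's advice is to keep it empty).
$unexpectedAdmins = @($admins | Where-Object { $expectedAdmins -notcontains $_ })

"Local Administrators on $env:COMPUTERNAME:"
$admins | ForEach-Object { "  $_" }

if ($unexpectedAdmins.Count -gt 0) {
    Write-Warning ("Unexpected local admins: " + ($unexpectedAdmins -join ', '))
}
if ($powerUsers.Count -gt 0) {
    Write-Warning ("Power Users is not empty: " + ($powerUsers -join ', '))
}
if ($unexpectedAdmins.Count -eq 0 -and $powerUsers.Count -eq 0) {
    "OK: only the expected accounts hold elevated local rights."
}
```

Run it from a startup script or remotely across the laptop fleet and collect the warnings; a laptop that was handed out with the local Administrator account shared around will show up under the first warning.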
16th May 2011, 03:06 PM #8
Agreed with above - should have explained that we use these accounts for senior staff only (duh) - we use a similar method for normal teaching staff just without adding them to Power Users. Very few of them take their laptops off site though.
18th May 2011, 04:50 PM #9
This has very nearly worked. I've got the start menu, desktop, home folder and desktop wallpaper all syncing using offline files. They can log in in school, which loads their profile and syncs the offline files; they can go home and log in again and use the laptop offline and do exactly what they can do in school; they could turn off the laptop and then turn it on again later at home to carry on working offline, BUT as soon as they come back into school and attempt to log in while connected to the network, problems occur!
I get the "user profile service could not be loaded" message when attempting to connect to the network again. If I unplug the laptop from the network, log them in offline, then connect the cable while they're logged in, it'll sync (albeit it takes 2 minutes to notice the connection to the home drive has returned in order for you to tell it to do a manual sync... assume it'd do that itself on a set time limit though) and people can carry on as normal.
Question is now how do I make it stop giving me the "user profile service could not be loaded" problem when they reconnect to the network? I'd have to get staff to turn off the wireless, log in, turn the wireless back on and wait 2 minutes this way, which isn't good enough (BUT at least I've got the sync working!)
19th May 2011, 02:03 AM #10
Any event log clues as to why the service is failing?
19th May 2011, 09:06 AM #11
The only one I can see of interest is:
"Windows cannot copy file \\domain.local$NOCSC$\dfs\studentprofile$\staff.v2 \NTUSER.man"
........While typing that out I may have just solved my own problem, I'm going to try something.
EDIT: 6 months ago I changed the staff mandatory profile to a different location to where it was before; I put it with the student one in a different DFS share...... I was pointing the offline file to the wrong location, but sadly it didn't solve it.
Last edited by mrbios; 19th May 2011 at 09:16 AM.
19th May 2011, 10:24 AM #12
It looks like there are two possible issues with it: one, it is looking to a $NOCSC$ location, forcing it not to be cached, and possibly, due to permissions, it could be having an issue trying to cache that particular file or at least resolve it properly. Can you check in the Sync Center errors and also in offline mode under the path to see if it is cached under offline files properly.
It may end up being necessary to copy the mandatory profiles from the server locally on all machines using a machine script and something like robocopy to keep it up to date and still available. This would get around the issue and probably speed up logon times, but you would want to have the script up and running for a little while to make sure it was pushed sitewide before switching over the path in AD for the users.
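An added example (not the poster's own script) of the robocopy-based machine startup script described above, written as PowerShell so the exit code can be checked. The share path \\SERVER\profiles$\staff.v2 and the local folder C:\Profiles\staff.v2 are placeholders.

```powershell
# Added example: mirror the mandatory profile from the server to a local folder
# at machine startup so it is available offline. Paths are placeholders.
$source = '\\SERVER\profiles$\staff.v2'
$dest   = 'C:\Profiles\staff.v2'
$log    = Join-Path $env:SystemRoot 'Temp\profilesync.log'

# If the share is unreachable (laptop booted at home), keep the existing local copy
# rather than letting robocopy fail or, worse, mirror an empty source.
if (-not (Test-Path -Path (Join-Path $source 'NTUSER.MAN'))) {
    Write-Warning 'Profile share not reachable; keeping the current local copy.'
    exit 0
}

# /MIR deletes local files that are gone from the source, so $dest must be a
# folder dedicated to this profile and nothing else.
# /XJ skips junction points, /R:1 /W:1 avoid long retries on locked files,
# /NP drops progress noise, /LOG writes a file you can collect for troubleshooting.
& robocopy.exe $source $dest /MIR /XJ /R:1 /W:1 /NP /LOG:"$log"

# Robocopy exit codes: 0-7 are success variants (files copied / extras removed);
# 8 and above mean at least one file failed to copy.
if ($LASTEXITCODE -ge 8) {
    Write-Warning "Profile mirror finished with errors (exit code $LASTEXITCODE); see $log."
    exit 1
}
exit 0
```

Deploy it as a computer startup script (so it runs as SYSTEM with access to the share) and leave it running for a while, as the post suggests, before repointing the users' profile path at the local copy.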
19th May 2011, 10:48 AM #13
I think I've completely messed something up. Even disabling the policies I was using, clearing the profiles and registry and going back to the standard setup, logging on then off again as a standard account, the next logon fails no matter what GP is applied >_<
God I hate computers at times. Just going to re-image this laptop and start again with the policy applied from the start. At the moment I'm using a loopback policy set to replace on the machine account, and that policy is effectively the normal large teacher policy but with a load of settings changed for offline files.
Last edited by mrbios; 19th May 2011 at 10:50 AM.
19th May 2011, 11:37 AM #14
Eep, don't bother with loopback policies for offline files; enable it in the teacher user one directly and then switch it off at machine level for any machines that you don't want using it (workstations). This will remove the need for loopback policies, which can be massive trouble, but will still allow the policies to be granular and only apply to the machines that you want them to.
19th May 2011, 04:18 PM #15
I solved this in the end. No idea if it's a different way to what you guys are doing it, but this is how I did it:
I set the policy "Set roaming profile path for all users logging onto this computer", and now every user who logs in gets a locally created profile. I set the user's home folder to synchronise using offline files and that works perfectly, and all the folders like Documents, Desktop etc. all synchronise with the user's home folder. They can log in with domain credentials on or offline, effectively using a very slightly more privileged setup than they do when in school (they can save to the desktop and see a local start menu instead of redirected), but can't install or uninstall programs and they can't make system changes, else the admin box pops up and so on, just like in school. Effectively I've achieved with this a better system than I ever intended to!
No more AOL, Norton, 1 million IE toolbars etc. etc. Chuffed to bits with this, thanks for all your help guys, especially SYNACK (though you'll be disappointed to hear that I am using a loopback processing policy; it works really well though and keeps all the settings specific to the laptops separate from the rest of the school, which I prefer).
Now to **** off each member of staff who brings us a laptop by destroying all their access rights.
Only thing I needed to ask you, SYNACK, was what permissions were required in order to freely change wireless settings?