  #1 mrbios

    Laptops, how do you lock yours down?

    As a holdover from before my time here, people have always had completely unrestricted access to their staff laptops; they can plonk as many games and trojans on there as they wish, but I think it's time to change all that!

    To be honest it should have changed long ago, but it's always been left for last as it's no doubt going to be a power struggle trying to pull those rights away from staff. I have seen AOL, LimeWire, Norton Security **** and kids' games enough times now that I want to chuck the things out of the window.

    Now, I don't even know where to begin here. We're using Windows 7 on all our new laptops, and because we've never used offline files we've been giving people the local administrator account on them (stupid as that sounds, I know, I know) to save them having to type "PCNAME\ACCOUNTNAME", which is one of the very few things that annoys me about Windows 7.

    90% of staff are on mandatory profiles with EVERYTHING redirected. So... how does one go about sorting this out? I will not switch the profiles from mandatory, as they've been brilliant like they are, and I will not remove folder redirection, so I need a solution to this that involves a new way of doing it rather than bodging the current way of doing it.

    Thanks for any help on this, PLEASE SAVE ME FROM NORTON INSTALLATIONS!

  #2 3s-gtech
    Set up the Group Policy for them which sets the default logon domain. That auto-fills in \PCNAME with the school domain name (don't log them on as local users). Now, set them up with Power User accounts on your domain. They'll have a separate 'admin' account which is only able to log on to their laptop (set that in ADUC). We have them set this way: they have local access to drives etc., but not admin, so they can't make system-wide changes. Works fine off the network; just turn off mandatory profiles on these admin accounts, and set the GPs accordingly.

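One way to build the laptop-only secondary admin account that 3s-gtech describes, as an added example rather than code posted in the thread: it creates the account in AD, restricts where it may log on (the "Log On To" list in ADUC, which is the userWorkstations attribute), adds it to a local group on that one laptop, and confirms that the default-logon-domain policy has arrived on the laptop. The domain name, OU, laptop name, account naming pattern and local group are assumptions; the script assumes the ActiveDirectory module (RSAT) on the admin workstation and WinRM enabled on the laptop. One caveat before copying the pattern: on Vista and later the local Power Users group carries no privileges beyond Users unless a legacy security template is applied, so membership of it on Windows 7 changes little by itself; what decides whether staff can install software is whether their account is in the local Administrators group.

```powershell
# Added example, not from the thread: a per-laptop secondary account as in post #2.
# All names below are assumptions for illustration.
Import-Module ActiveDirectory

$Domain     = 'SCHOOL'                               # NetBIOS domain name (assumed)
$Laptop     = 'LAPTOP-042'                           # the one machine this account may log on to (assumed)
$StaffSam   = 'jsmith'                               # the member of staff's normal school account (assumed)
$AdminSam   = "$StaffSam-laptop"                     # naming pattern for the secondary account (assumed)
$TargetOU   = 'OU=LaptopAdmins,DC=school,DC=local'   # OU that receives the laptop-specific GPOs (assumed)
$LocalGroup = 'Power Users'                          # local group named in the thread

# 1. Create the secondary account. No roaming or mandatory profile path is set on it,
#    so it gets an ordinary local profile that works off the network, as 3s-gtech describes.
$password = Read-Host -Prompt "Initial password for $AdminSam" -AsSecureString
New-ADUser -Name $AdminSam -SamAccountName $AdminSam -Path $TargetOU `
    -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true

# 2. Restrict it to the one laptop. This is the ADUC 'Log On To' list
#    (the userWorkstations attribute); a comma-separated list allows several machines.
Set-ADUser -Identity $AdminSam -LogonWorkstations $Laptop

# 3. Put the domain account into the local group on that laptop only.
#    'net localgroup' exists on every Windows 7 build, unlike Add-LocalGroupMember.
Invoke-Command -ComputerName $Laptop -ScriptBlock {
    param($Group, $Member)
    & net.exe localgroup $Group $Member /add
} -ArgumentList $LocalGroup, "$Domain\$AdminSam"

# 4. Confirm the 'Assign a default domain for logon' policy has landed, so staff type
#    just the username rather than PCNAME\ACCOUNTNAME or DOMAIN\ACCOUNTNAME.
$defaultDomain = Invoke-Command -ComputerName $Laptop -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DefaultLogonDomain
}
if ($defaultDomain -eq $Domain) {
    Write-Host "$Laptop : default logon domain is $defaultDomain"
} else {
    Write-Warning "$Laptop : default logon domain policy not applied (value: '$defaultDomain')"
}
```

Step 2 is the part that limits the blast radius: if the secondary account's password leaks, it is still only usable at the console of that one laptop, not across the domain.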

  #3 mrbios
    Quote Originally Posted by 3s-gtech:
    Now, set them up with Power User accounts on your domain. They'll have a separate 'admin' account which is only able to log on to their laptop (set that in ADUC). Works fine off the network; just turn off mandatory profiles on these admin accounts, and set the GPs accordingly.
    You've lost me. I can add a domain group or users to the Power Users group on the laptop itself; is that what you mean? (The way you've put it suggests there should be a Power Users group in AD, which there isn't, at least as far as I know.)

    As for the separate admin account, you lost me a bit there too. Are you suggesting we manually create a roaming profile that synchronises with the domain, secondary to the profile they would use when in school? Again, your post suggests this is automatically created through the Power Users route, which has confused me somewhat.

  #4 SYNACK
    Domain accounts: set up offline files on the redirected deployment shares and also on the mandatory profile share, then give them membership in the network administrators group on the laptops so that they can set up their own wireless and you're sorted. Teachers break stuff when they have the option. It does mean a bit more work up front installing some stuff, but saves endless hassle in the long run.

    Luckily Windows 7 is good with drivers, so most USB printers will just install when they plug them in at home.


  #5 mrbios
    Quote Originally Posted by SYNACK:
    Domain accounts: set up offline files on the redirected deployment shares and also on the mandatory profile share, then give them membership in the network administrators group on the laptops so that they can set up their own wireless and you're sorted. Teachers break stuff when they have the option. It does mean a bit more work up front installing some stuff, but saves endless hassle in the long run.

    Luckily Windows 7 is good with drivers, so most USB printers will just install when they plug them in at home.
    That sounds good to me. Question though: setting offline files for the mandatory profile, do I need to enter the .v2 in the folder name or leave it out as per the AD route? (I'm assuming with, as it no doubt won't know to put .v2 on like AD would. Thought it'd be best to check though, just in case.)

  #6 3s-gtech
    Quote Originally Posted by mrbios:
    You've lost me. I can add a domain group or users to the Power Users group on the laptop itself; is that what you mean? (The way you've put it suggests there should be a Power Users group in AD, which there isn't, at least as far as I know.)

    As for the separate admin account, you lost me a bit there too. Are you suggesting we manually create a roaming profile that synchronises with the domain, secondary to the profile they would use when in school? Again, your post suggests this is automatically created through the Power Users route, which has confused me somewhat.
    Sorry, I rushed the explanation a bit. Yes, add the domain user to the Power Users group on the laptop. That domain user for us is also much less restricted via Group Policy (obviously synced when logged onto the network). Yes, a secondary roaming profile that isn't their normal school login. I'm sure there are other solutions to this, but it works well for us here.


  #7 SYNACK
    Quote Originally Posted by mrbios:
    That sounds good to me. Question though: setting offline files for the mandatory profile, do I need to enter the .v2 in the folder name or leave it out as per the AD route? (I'm assuming with, as it no doubt won't know to put .v2 on like AD would. Thought it'd be best to check though, just in case.)
    Easiest to use the full path to the actual folder; it just pays attention to what you tell it and won't make assumptions like .v2.

    You will need to define it in the machine policy, as it will need to be machine-cached so that it can be accessed by whichever user. Documents, however, should be assigned under the user policy, otherwise you get sync errors. Syncing AppData can be a bit troublesome with certain files that refuse to unlock, so you may need to add some exceptions for those files or live with the reported sync errors.

    Personally I would not even give them access to the Power Users group. We have a machine admins group, which is a domain group that is a member of the local Admins group on the laptops. The team leaders have separate accounts with these rights, so if a teacher wants to install something UAC will prompt them and they need to talk to a team leader to install it. Having to justify why super-mega-ultra-shiny-neon-savings-bar is needed to a colleague slows down silly behaviour and still gives them some freedom (rope) if they want it.

    Note: I only tried the full redirect and sync once on a Vista PC, so although it should still work I can't be 100% sure. We use a slightly different method on our systems now.
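A check for the design SYNACK lays out in posts #4 and #7 (a domain "machine admins" group as the only non-built-in member of the laptop's local Administrators group, the mandatory profile share assigned offline under machine policy and Documents under user policy), added here as an example and not anything posted in the thread. It runs on the laptop itself and needs nothing beyond the PowerShell that ships with Windows 7. The allow-list of admin groups and the share paths are assumptions; the registry location is the one the "Administratively assigned offline files" policy writes to (each assigned UNC path is stored as a value name under ...\NetCache\AssignedOfflineFolders, in HKLM for the machine policy and HKCU for the user policy).

```powershell
# Added example, not from the thread: audit one laptop against the design in #4/#7.
# Group names and share paths below are assumptions.
$AllowedAdmins = @(
    'SCHOOL\MachineAdmins',                 # the domain group SYNACK describes (assumed name)
    'SCHOOL\Domain Admins',
    "$env:COMPUTERNAME\Administrator"       # built-in local admin, used by IT only
)
$ExpectedMachineOffline = @('\\server\profiles$\staff.v2')   # mandatory profile share (assumed)
$ExpectedUserOffline    = @('\\server\staffhome$')           # home/Documents share (assumed)

function Get-LocalGroupMemberName {
    # Lists members of a local group as DOMAIN\name (or COMPUTER\name for local accounts).
    # Uses the WinNT ADSI provider, which works on Windows 7 without extra modules.
    param([string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-AssignedOfflineFolder {
    # Returns the UNC paths assigned by the 'Administratively assigned offline files'
    # policy at machine (HKLM) or user (HKCU) level; each path is stored as a value name.
    param([ValidateSet('HKLM','HKCU')][string]$Hive)
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders"
    if (Test-Path $key) { (Get-Item $key).GetValueNames() } else { @() }
}

$findings = @()

# 1. Anyone in Administrators who is not on the allow-list can install whatever they like.
foreach ($member in Get-LocalGroupMemberName 'Administrators') {
    if ($AllowedAdmins -notcontains $member) { $findings += "Unexpected local admin: $member" }
}
# 2. Power Users should be empty under SYNACK's approach in #7.
foreach ($member in Get-LocalGroupMemberName 'Power Users') {
    $findings += "Unexpected Power Users member: $member"
}
# 3. Profile share cached by machine policy, Documents by user policy, not the other way round.
$machineAssigned = @(Get-AssignedOfflineFolder 'HKLM')
$userAssigned    = @(Get-AssignedOfflineFolder 'HKCU')
foreach ($p in $ExpectedMachineOffline) {
    if ($machineAssigned -notcontains $p) { $findings += "Machine policy does not assign $p offline" }
}
foreach ($p in $ExpectedUserOffline) {
    if ($userAssigned -notcontains $p) { $findings += "User policy does not assign $p offline" }
}
foreach ($p in $machineAssigned) {
    if ($ExpectedUserOffline -contains $p) { $findings += "$p is machine-assigned; it should be under user policy" }
}

if ($findings.Count -eq 0) {
    Write-Host "$env:COMPUTERNAME : local admin membership and offline-file assignment match the design"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Running this from a startup script and collecting the warnings centrally catches the failure mode the thread is really about: a laptop that was imaged or hand-fixed with an extra account in Administrators, which no amount of Group Policy on the user side will undo.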

  #8 3s-gtech
    Agreed with above - should have explained that we use these accounts for senior staff only (duh) - we use a similar method for normal teaching staff just without adding them to Power Users. Very few of them take their laptops off site though.

  #9 mrbios
    This has very nearly worked. I've got the start menu, desktop, home folder and desktop wallpaper all syncing using offline files. They can log in in school, which loads their profile and syncs the offline files; they can go home and log in again and use the laptop offline and do exactly what they can do in school; they could turn off the laptop and then turn it on again later at home to carry on working offline, BUT as soon as they come back into school and attempt to log in while connected to the network, problems occur!

    I get the 'user profile service could not be loaded' message when attempting to connect to the network again. If I unplug the laptop from the network, log them in offline, then plug the cable in while they're logged in, it'll sync (albeit it takes 2 minutes to notice the connection to the home drive has returned in order for you to tell it to do a manual sync; I assume it'd do that itself on a set time limit though) and people can carry on as normal.

    The question now is how do I make it stop giving me the 'user profile service could not be loaded' problem when they reconnect to the network? I'd have to get staff to turn off the wireless, log in, turn the wireless back on and wait 2 minutes this way, which isn't good enough (BUT at least I've got the sync working!)

  #10 SYNACK
    Any event log clues as to why the service is failing?

  #11 mrbios
    Quote Originally Posted by SYNACK:
    Any event log clues as to why the service is failing?
    The only one I can see of interest is:
    "Windows cannot copy file \\domain.local$NOCSC$\dfs\studentprofile$\staff.v2 \NTUSER.man"

    ...While typing that out I may have just solved my own problem; I'm going to try something.

    EDIT: 6 months ago I changed the staff mandatory profile to a different location from where it was before; I put it with the student one in a different DFS share... I was pointing the offline files at the wrong location, but sadly it didn't solve it.
    Last edited by mrbios; 19th May 2011 at 08:16 AM.

  #12 SYNACK
    It looks like there are two possible issues with it: one, it is looking to a $NOCSC$ location, forcing it not to be cached, and possibly due to permissions it could be having an issue trying to cache that particular file, or at least resolve it properly. Can you check in the Sync Center errors, and also in offline mode under the path, to see if it is cached under offline files properly?

    It may end up being necessary to copy the mandatory profiles from the server locally on all machines using a machine script and something like robocopy to keep it up to date and still available. This would get around the issue and probably speed up logon times, but you would want to have the script up and running for a little while to make sure it was pushed site-wide before switching over the path in AD for the users.
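The local-copy approach SYNACK suggests, written out as a computer startup script; this is an added example, not something from the thread. The $NOCSC$ in the logged path is worth reading literally: Windows inserts it into a UNC server name when it wants the share opened with client-side caching bypassed, and the event text in #11 shows the profile service copying NTUSER.man through exactly such a path, which is why pinning the mandatory profile in Offline Files does not make it available offline. Mirroring the profile to local disk sidesteps that. The share and local paths are assumptions; the script is meant to run under a computer startup GPO (so as SYSTEM, with the computer account needing read access to the share) for a while before the profile path in AD is switched to the local copy.

```powershell
# Added example, not from the thread: mirror the mandatory profile to local disk
# (SYNACK's suggestion in #12). Source share and local destination are assumptions.
$Source = '\\server\profiles$\staff.v2'       # mandatory profile share (assumed)
$Dest   = 'C:\MandatoryProfiles\staff.v2'     # local copy; keep the .v2 so Win7 treats it as a v2 profile
$Log    = Join-Path $env:SystemRoot 'Temp\mandatory-profile-sync.log'

function Sync-MandatoryProfile {
    param([string]$From, [string]$To, [string]$LogFile)

    if (-not (Test-Path $To)) { New-Item -ItemType Directory -Path $To | Out-Null }

    # /MIR       mirror, so files removed from the server disappear locally too
    # /COPY:DAT  data, attributes, timestamps; not the server ACLs, which are set below
    # /R:1 /W:2  a laptop started off-site must not sit waiting on an unreachable share
    # /XJ        skip junction points (Win7 profiles contain them)
    & robocopy.exe $From $To /MIR /COPY:DAT /R:1 /W:2 /XJ /NP /NFL /NDL /LOG+:$LogFile | Out-Null
    $rc = $LASTEXITCODE

    # Robocopy's exit code is a bitmask: 0..7 are success (1 = copied, 2 = extras removed,
    # 4 = mismatches); 8 and above means at least one file failed; 16 is a fatal error.
    if ($rc -ge 8) {
        Write-Warning "robocopy exit code $rc; local copy may be stale, see $LogFile"
        return $false
    }

    # A profile without NTUSER.MAN is not a mandatory profile at all; refuse to leave
    # a half-copied tree in place as the path AD will hand to every user.
    if (-not (Test-Path (Join-Path $To 'NTUSER.MAN'))) {
        Write-Warning "NTUSER.MAN missing from $To"
        return $false
    }

    # Every account that loads the profile needs read/execute on the tree; grant it to
    # the built-in Users group by SID (S-1-5-32-545) so it works on non-English installs.
    & icacls.exe $To /grant '*S-1-5-32-545:(OI)(CI)RX' /T /Q | Out-Null
    return $true
}

if (Sync-MandatoryProfile -From $Source -To $Dest -LogFile $Log) {
    Write-Host "Mandatory profile mirrored to $Dest"
} else {
    exit 1
}
```

Users get read-only access to the local copy on purpose: a mandatory profile that a standard user can write to is no longer mandatory, and the next robocopy run would silently undo any tampering only until the user repeats it. Once the log shows a clean run on every laptop, the profile path on the staff accounts can be switched to the local folder, following the same .v2 convention the thread discusses.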

  #13 mrbios
    I think I've completely messed something up. Even disabling the policies I was using, clearing the profiles and registry and going back to the standard setup, logging on then off again as a standard account, the next logon fails no matter what GP is applied >_<

    God, I hate computers at times. Just going to re-image this laptop and start again with the policy applied from the start. At the moment I'm using a loopback policy set to replace on the machine account, and that policy is effectively the normal large teacher policy but with a load of settings changed for offline files.
    Last edited by mrbios; 19th May 2011 at 09:50 AM.

  #14 SYNACK
    Eep, don't bother with loopback policies for offline files; enable it in the teacher user one directly and then switch it off at machine level for any machines that you don't want using it (workstations). This will remove the need for loopback policies, which can be massive trouble, but will still allow the policies to be granular and only apply to the machines that you want them to.

  #15 mrbios
    I solved this in the end. No idea if it's a different way to what you guys are doing it, but this is how I did it:

    I set the policy "Set roaming profile path for all users logging onto this computer", and now every user who logs in gets a locally created profile. I set the user's home folder to synchronise using offline files, and that works perfectly, and all the folders like Documents, Desktop etc. all synchronise with the user's home folder. They can log in with domain credentials on or offline, effectively using a very slightly more privileged setup than they do when in school (they can save to the desktop and see a local start menu instead of a redirected one), but they can't install or uninstall programs and they can't make system changes, else the admin box pops up and so on, just like in school. Effectively I've achieved with this a better system than I ever intended to!

    No more AOL, Norton, 1 million IE toolbars etc. etc. Chuffed to bits with this, thanks for all your help guys, especially SYNACK (though you'll be disappointed to hear that I am using a loopback processing policy; it works really well though, and keeps all the settings specific to the laptops separate from the rest of the school, which I prefer).

    Now to **** off each member of staff who brings us a laptop by destroying all their access rights.

    Only thing I needed to ask you, SYNACK, was what permissions were required in order to freely change wireless settings?

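A read-only check that a laptop has ended up in the state mrbios describes in #15, added as an example rather than the thread's own script: the "Set roaming profile path for all users logging onto this computer" policy present (it writes MachineProfilePath under the machine System policy key), Offline Files enabled and active as reported by the Win32_OfflineFilesCache WMI class, and the Offline Files service running, without which the home-folder sync cannot happen. It assumes nothing about what the profile path was set to; it only reports the value. Run it on the laptop as any user.

```powershell
# Added example, not from the thread: verify the end state described in #15.
function Test-LaptopProfileState {
    # Returns an object describing the policy and services the final setup depends on.
    $sysPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                                  -ErrorAction SilentlyContinue
    $profilePath = $sysPolicy.MachineProfilePath

    # Win32_OfflineFilesCache reports whether the Offline Files cache is enabled (setting/policy)
    # and active (in use this session); both are needed for the home folder to sync.
    $cache = Get-WmiObject -Class Win32_OfflineFilesCache -ErrorAction SilentlyContinue
    $svc   = Get-Service -Name CscService -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        MachineProfilePath  = $profilePath
        OfflineFilesEnabled = [bool]($cache -and $cache.Enabled)
        OfflineFilesActive  = [bool]($cache -and $cache.Active)
        CscServiceRunning   = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

$state = Test-LaptopProfileState
$state | Format-List MachineProfilePath, OfflineFilesEnabled, OfflineFilesActive, CscServiceRunning

$problems = @()
if (-not $state.MachineProfilePath) {
    $problems += "'Set roaming profile path for all users logging onto this computer' is not applied"
}
if (-not $state.OfflineFilesEnabled) { $problems += 'Offline Files is disabled; the home folder will not sync' }
if (-not $state.OfflineFilesActive)  { $problems += 'Offline Files is enabled but not active (reboot pending?)' }
if (-not $state.CscServiceRunning)   { $problems += 'Offline Files service (CscService) is not running' }

if ($problems.Count -eq 0) {
    Write-Host "$env:COMPUTERNAME : profile and Offline Files state matches the #15 setup"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Because the policy in #15 is a machine setting, this check is worth running on a workstation as well as a laptop: a workstation that unexpectedly reports a MachineProfilePath is one that the laptop-only loopback policy has reached by mistake.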
