School ICT Policies Thread: Laptop loophole, in School Administration
  1. #1

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    19

    Laptop loophole

    In most organisations the general trend is to have locked down network clients.
    The problem comes with what to do with laptops given to teachers and students with special needs.

    They can reasonably argue that they need to install ISP software or drivers for home hardware e.g. printers. Teachers may say they also need to 'try out' new software.

    What to do? How to strike the balance between enabling students and teachers to get full benefit of 'their' machines and the need to protect the school network from sleep walking malware vectors.

  2. #2

    john's Avatar
    Join Date
    Sep 2005
    Location
    London
    Posts
    10,447
    Thank Post
    1,537
    Thanked 1,069 Times in 934 Posts
    Rep Power
    305

    Re: Laptop loophole

    We are needing to review this really, as we have had a couple come and say they want to install their home printer on them. Currently the local user account they use on the laptop is just a member of Users / Standard User on the laptop, and that's it, so I am interested in seeing what others do.

  3. #3

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,689
    Thank Post
    756
    Thanked 1,715 Times in 1,526 Posts
    Rep Power
    438

    Re: Laptop loophole

    Yes please can everyone add to this.

    At the moment our laptops are members of the domain so the teacher logs on as a domain user whether they are plugged in or not and their H: drive is available offline. But I presume that with the restrictions we have in GPO etc. that their domain user is a normal user as far as the laptop is concerned, therefore they can't install software/hardware etc.

    As far as I am concerned, as long as the apps installed on it that the school own work and they can access the school network and Internet via it, then that's good enough. But there is always someone that wants the other side of things too.

    There have been some other threads on this I know but it would be nice to have a long list for some ammo.

    Ben

  4. #4


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,715
    Thank Post
    288
    Thanked 789 Times in 616 Posts
    Rep Power
    226

    Re: Laptop loophole

    I've been thinking about this.

    My users have a domain account and a local account. Some users have access to a local admin account for installing software, but run under a normal user account for everything else. They're currently not allowed to connect their laptop to any network but ours.

    My general (and definitely unwritten) policy is as follows:

    1) Can I trust this user to do the sensible thing?
    2) Does the benefit outweigh the hassle?
    3) If user has admin access, we will only restore the ghost - no troubleshooting of additional software.
    4) Any software must have a valid licence (GPL, commercial, free for edu)
    5) How much have you annoyed me in the last month(s)?

  5. #5
    OverWorked's Avatar
    Join Date
    Jul 2005
    Location
    N. Yorks
    Posts
    1,031
    Thank Post
    202
    Thanked 42 Times in 34 Posts
    Rep Power
    31

    Re: Laptop loophole

    I have about 20 teachers with wireless laptops. The laptops and staff are subject to their normal group policies. However, I've applied a loopback GPO to the laptops which 'undoes' some of the security in their normal GPO to give them more freedom when using the laptops.

    I allow them to install their own software and set up home dial-up/broadband - as well as a lot of other things. I originally thought that this would cause me a lot of hassle, but it hasn't.

  6. #6
    Guest

    Re: Laptop loophole

    I set up the laptops as workgroup rather than domain clients. I then create a local laptop admin account that matches their domain account.

    Install any shared drives / printers etc. Then use local Group Policies to lock down any features, e.g. offline files.

    Seems to work a treat at the 4 schools I look after.

  7. #7

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Laptop loophole

    Quote Originally Posted by OverWorked
    I have about 20 teachers with wireless laptops. The laptops and staff are subject to their normal group policies. However, I've applied a loopback GPO to the laptops which 'undoes' some of the security in their normal GPO to give them more freedom when using the laptops.

    I allow them to install their own software and set up home dial-up/broadband - as well as a lot of other things. I originally thought that this would cause me a lot of hassle, but it hasn't.

    So you're not really over worked

  8. #8

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    10,074
    Thank Post
    1,384
    Thanked 1,888 Times in 1,169 Posts
    Blog Entries
    19
    Rep Power
    614

    Re: Laptop loophole

    We run a Laptops for Students scheme here and we give the students 2 accounts, a domain account (locked down via GPOs) and a local account (with local admin rights)

    We give local admin rights so that they can stick their own software on at home, their own printers, internet connection, etc.

    If they bugger it up we say "you have buggered it up and now it doesn't work on the school network. We will fix it this time but if we find software x or you have done y or z and stopped things from working, then we will remove it from our network!" and send a letter home saying the exact same.

    The students and parent learn very quickly that we mean it.

    We also give them local admin access because it means that they have a large responsibility ... and they learn the consequences of buggering about with things when they have been told not to ... see ... even support teams can tick boxes in the "Every Child Matters" stuff ... we are teaching the kids things that also come up in citizenship.

  9. #9
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,987
    Thank Post
    275
    Thanked 52 Times in 46 Posts
    Blog Entries
    2
    Rep Power
    48

    Re: Laptop loophole

    What's to stop them installing hacking software and connecting to the network as local admins and wreaking havoc?

    Sounds like deep freeze on the laptops would be a good idea too - tho' the lesson in responsibility is sorta lost :P

  10. #10

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    10,074
    Thank Post
    1,384
    Thanked 1,888 Times in 1,169 Posts
    Blog Entries
    19
    Rep Power
    614

    Re: Laptop loophole

    When they log in we now have a script that writes what software they have installed to a database (a bit clunky but Stephen has got it nearly sorted) and we can see what they are up to, to a certain degree.

    We also run a software restriction list (deny <nasty_stuff>.exe, etc) to cover other things ...

    It isn't perfect. We know some of them will try stupid things. However, they cannot connect to the network to talk to anything when logged on as the local account, only as a domain user ... and this is when the GPOs and scripts kick in.

    Ideally we would have all the APs in a separate VLAN with access controlled by a Blue Socket box (or Vernier) ... but we don't have the extra several thousand pounds a year for it yet ... and we won't for some time. That way users would have limited access to most things ... and they couldn't really do much damage.

    This is one of the few times when I would say the educational benefits far outweigh the risks of sheer stupidity on the part of users ... at the moment. YMMV!
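
Added example, not part of the thread and not GrumbleDook's own script: one way the logon-time software inventory described in post #10 could look in PowerShell, with a deny-list check on the results. The share path, the CSV file standing in for the database, and the deny pattern are assumptions.

```powershell
# Added example: logon-time software inventory checked against a deny list.
# Assumptions (not from the thread): the share path, CSV output instead of a
# database, and the deny pattern are placeholders.
$InventoryShare = '\\server\inventory$'        # hypothetical share, write access for domain users
$DenyPatterns   = @('*ExampleDeniedTool*')     # constructed placeholder pattern

function Get-InstalledSoftware {
    # Machine-wide (64- and 32-bit) and per-user uninstall entries.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher -Unique
}

function Test-Denied {
    param([string]$Name, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Name -like $p) { return $true } }
    return $false
}

# Build one record per installed product, stamped with machine, user and time.
$stamp = Get-Date -Format 'yyyy-MM-ddTHH:mm:ss'
$rows = Get-InstalledSoftware | ForEach-Object {
    [pscustomobject]@{
        Collected = $stamp
        Computer  = $env:COMPUTERNAME
        User      = "$env:USERDOMAIN\$env:USERNAME"
        Name      = $_.DisplayName
        Version   = $_.DisplayVersion
        Publisher = $_.Publisher
        Denied    = Test-Denied -Name $_.DisplayName -Patterns $DenyPatterns
    }
}

# One CSV per machine; appending keeps a history across logons.
$outFile = Join-Path $InventoryShare ("{0}.csv" -f $env:COMPUTERNAME)
$rows | Export-Csv -Path $outFile -NoTypeInformation -Append

# Surface deny-list hits so they can be reviewed by the support team.
$flagged = @($rows | Where-Object { $_.Denied })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} denied item(s): {1}" -f $flagged.Count, ($flagged.Name -join ', '))
}
```

Run at domain logon, this sees machine-wide installs made under the local admin account, but not per-user installs in that account's own registry hive. Software that never registers an uninstall entry does not appear at all, which is the gap the software restriction list in the post covers.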

  11. #11
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,987
    Thank Post
    275
    Thanked 52 Times in 46 Posts
    Blog Entries
    2
    Rep Power
    48

    Re: Laptop loophole

    Couldn't they connect to the shares they normally have access to from the local admin account? They just need to know the path \\server\share and/or \\server\home folder then log in with their network credentials.
    How do you lock out programs outside of GPO control BTW? [just interested]

  12. #12

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    Boston, MA
    Posts
    7,601
    Thank Post
    110
    Thanked 771 Times in 599 Posts
    Rep Power
    183

    Re: Laptop loophole

    All our laptops are due to be fully networked in the next couple of months so that the staff use them with the interactive whiteboards, etc.

    I will also be installing a very basic virtual machine using the VMWare player. This will have NO applications installed in it but the user will have full admin rights so can use it for testing programs and using their home hardware.

    There is a new policy that states what is permissible within the virtual machine and all staff have a clause in their contracts which states that this must be adhered to.

  13. #13


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,033 Times in 813 Posts
    Rep Power
    341

    Re: Laptop loophole

    @Ric_

    Interesting solution, but do you need separate licenses for each Windows installation... or could I install all our windows servers onto one uber powerful 16 processor box and never buy a windows license again hehe.

  14. #14


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,715
    Thank Post
    288
    Thanked 789 Times in 616 Posts
    Rep Power
    226

    Re: Laptop loophole

    Quote Originally Posted by Ric_
    I will also be installing a very basic virtual machine using the VMWare player. This will have NO applications installed in it but the user will have full admin rights so can use it for testing programs and using their home hardware.

    ISTR reading something similar about unis doing this for student apps (though it was a paid, tailored product from VMWare), possibly in El Reg. Students could only use university supplied apps running in the vm, which disabled usual means of copying software (removable disks etc) when the vm was running. IIRC they had an expiry date on the vm as well for licensing considerations.

  15. #15
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,987
    Thank Post
    275
    Thanked 52 Times in 46 Posts
    Blog Entries
    2
    Rep Power
    48

    Re: Laptop loophole

    Seems a long winded workaround Ric. Sorta like the sound of it tho'.

    If I were the teachers I wouldn't be happy with the reduced performance and certain types would be demanding something more powerful from the Head Teacher and stressing the investment in the horsepower wasted. These sorts of argument carry weight at my place.


