+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 16
Windows 7 Thread, Students pulingl power at startup, then breaking Group Policy processing in Technical; Oh joy. This has caused some head scratching and stress. Seems like some of our students with far too much ...
  1. #1

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    2,712
    Thank Post
    144
    Thanked 548 Times in 492 Posts
    Rep Power
    149

    Angry Students pulingl power at startup, then breaking Group Policy processing

    Oh joy. This has caused some head scratching and stress.

    Seems like some of our students with far too much time and far too little sense have worked out a new trick. It involves pulling out the power cable (or resetting the PC, shutting it down however), possibly during logging on. They then restart the PC and log on again - and Group Policy processing (possibly just the user config) hasn't applied. That means no locking down, no redirected folders, etc. Thankfully, with UAC in place and with a robust super-mandatory profile in place (as well as AD users set as User only) they're still only logging on as themselves, but of course they can still get at many things that they shouldn't. Plus, as they're pulling the power it won't be long until I have a wave of corrupted installs. Cue a slew of 'lol i haz admin rightz'.

    I know this is a classroom control issue. I have tried asking staff to keep an eye on it. I have some names, but it's like anything that's gone into the wild - we've got loads of them doing it now. We can go the brute force approach and warn them all in assembly etc, but I'm wondering if there's anything I can do from a technical view.

    My policies are pretty robust, when things aren't messed with it all works well. The old 'wait for network at startup' GP setting is on (swear this doesn't work in 7). My only thought now is to bodge across the registry changes from the relevant .POL file in the sysvol into the students' .MAN profile hive, if I can - that way, the policies to lock the session down are at least applied. Makes applying changes a real headache though.

    This has been a problem for a while though it seems, so I'd like to squash it.

    Any ideas?

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,843
    Thank Post
    876
    Thanked 1,679 Times in 1,459 Posts
    Blog Entries
    12
    Rep Power
    444
    Have a look for a program on here called Edulock by @Steve21 . This combined with not allowed cached logins should help.

  3. Thanks to FN-GM from:

    3s-gtech (19th December 2012)

  4. #3

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    2,712
    Thank Post
    144
    Thanked 548 Times in 492 Posts
    Rep Power
    149
    Cheers. We already run a very similar locking application to Edulock, which locks the PC when the network cable is pulled. This is bypassing the restrictions which it gives, and just seems to break Group Policy processing. All I can think of right now is super-glueing the power cables in!

  5. #4
    adhutton's Avatar
    Join Date
    Dec 2008
    Location
    Northeast England
    Posts
    399
    Thank Post
    164
    Thanked 86 Times in 64 Posts
    Rep Power
    54
    Impero locks up the PC when they pull out the network cable.

    Works really well here

    Andrew

  6. Thanks to adhutton from:

    3s-gtech (19th December 2012)

  7. #5

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    2,712
    Thank Post
    144
    Thanked 548 Times in 492 Posts
    Rep Power
    149
    Yup, but that's not the issue we're having - we already have software that does that

    Plus, I'm not a fan of Impero - their phone-sales tactics have got my back up!

  8. #6

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    2,712
    Thank Post
    144
    Thanked 548 Times in 492 Posts
    Rep Power
    149
    We had a thought - merge the ntuser.pol from their profiles and registry.pol from the Students GPO into a new ntuser.pol that contains the necessary Group Policy restrictions. That way, even if Group Policy processing fails, the registry changes should still apply. Logons still seem to work okay (and quickly) with this change, so it may work. Don't know if it fixes the issue yet, will have to check on it. Hopefully, if the lockdowns still apply, they'll get bored of this 'hack' and stop doing it...

  9. #7

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    6,736
    Thank Post
    1,272
    Thanked 1,645 Times in 1,101 Posts
    Blog Entries
    22
    Rep Power
    505
    I am intrigued as to why this is happening.
    Surely if you have the wait for network setting enabled gpos should be processed no matter how the machine was shutdown?!

  10. #8

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    2,712
    Thank Post
    144
    Thanked 548 Times in 492 Posts
    Rep Power
    149
    You'd have thought! As yet, we haven't been able to emulate exactly how they're doing this, we've just seen the result and they've told us what they did. System Logs show 'Access is Denied' errors on the GPOs as they're applied by the machine on logon, which is truly bizarre. Thing is, I'd expect this problem to occur sporadically anywhere if it was an issue with GP processing system-wide, but the kids have worked out how to invoke it.

  11. #9

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224
    Sometimes poorly grounded power cables are a blessing.

  12. Thanks to Geoff from:

    3s-gtech (19th December 2012)

  13. #10
    Duke5A's Avatar
    Join Date
    Jul 2010
    Posts
    795
    Thank Post
    81
    Thanked 130 Times in 113 Posts
    Blog Entries
    8
    Rep Power
    31
    Computer Configuration > Policies > Administrative Templates > System > Group Policy : Startup policy processing wait time

    Set it to something high and the machine will wait for the network to become available (talk to a DC) before allowing a user to login. Be careful though, if you've got a machine with this policy set and it's disconnected from the domain it'll wait the entire timeout period before letting you proceed. I wouldn't use this on wireless either; I learned the hard way.

  14. Thanks to Duke5A from:

    3s-gtech (19th December 2012)

  15. #11

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    2,712
    Thank Post
    144
    Thanked 548 Times in 492 Posts
    Rep Power
    149
    Don't think I have that set - will have a play with it. Cheers.

  16. #12

    Join Date
    Jun 2012
    Location
    Darmstadt
    Posts
    9
    Thank Post
    0
    Thanked 5 Times in 5 Posts
    Rep Power
    0
    in your super-mandatory profile (ntuser.man) what are permissions on
    HKEY_USERS\manprofile\Software\Policies
    HKEY_USERS\manprofile\Software\Microsoft\Windows\C urrentVersion\Group Policy
    HKEY_USERS\manprofile\Software\Microsoft\Windows\C urrentVersion\Policies
    ?

    If its not 'full' for authenticated users or everyone GPOs cannot be applied.

    Besides that... with Windows 7 using standard user accounts i cannot see any security problem when machine specific restrictions are in place. (e.g. remove NTFS create rights for standard users)

    Since years i follow the strategy to use as few restrictions as possible - GPOs only where necessary. without a problem (ok its a university not a kindergarten).
    Restrictions via GPOs in many cases do not provide additional security but to help users not to mess up their own desktop.

    In my opinion when its perceived as 'i got admin rights' if restrictions fail its more a psycological problem.

  17. Thanks to wehr from:

    3s-gtech (20th December 2012)

  18. #13

    Join Date
    Nov 2012
    Location
    Lancashire
    Posts
    40
    Thank Post
    2
    Thanked 4 Times in 4 Posts
    Rep Power
    4
    I can't say I have tried this. But it sounds like it could help.
    The policy is called: Startup Policy Processing Wait Time
    Configuring Group Policy Processing - Windows 7 Tutorial
    Windows 7 machines fail to apply software installation group policy on startup
    Hope it helps.

  19. Thanks to techsup1983 from:

    3s-gtech (20th December 2012)

  20. #14

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    2,712
    Thank Post
    144
    Thanked 548 Times in 492 Posts
    Rep Power
    149
    Cheers. The permissions on the profile hive were set, but I've made some changes and they hadn't propogated to those keys, so I've reset them all so Authenticated Users have Full Control. That may help! There isn't a security problem really - NTFS permissions are tight, UAC is on and the machines generally look after themselves. The main issue is probably perception - the kids think they're bypassing security so they're continuing to do it - pulling the power is eventually going to kill some of the installs.

    I've enabled Startup Policy Processing Wait Time to see if that helps too - left it at the default 120 seconds which should frustrate anyone trying to mess!

    Thanks for all your help.

  21. #15

    Join Date
    Jun 2012
    Location
    Darmstadt
    Posts
    9
    Thank Post
    0
    Thanked 5 Times in 5 Posts
    Rep Power
    0
    lacking permissions on the keys will prevent GPOs from being applied for users.

    The GP Client will modify permissions on these keys when loading the profile. That means if you load the profile to make updates to the mandatory profile you must adjust the permissions every time.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. prevent startup items in group policy
    By browolf in forum Windows
    Replies: 13
    Last Post: 6th September 2013, 10:41 AM
  2. Cross domain group policy processing
    By adamf in forum Windows Server 2000/2003
    Replies: 13
    Last Post: 10th December 2009, 11:26 AM
  3. Power Management VIA Group Policy
    By OutLawTorn in forum Windows
    Replies: 4
    Last Post: 29th July 2009, 10:16 AM
  4. Group Policy guidelines needed for students in years 3 - 6
    By richard in forum Wireless Networks
    Replies: 6
    Last Post: 8th March 2007, 01:36 PM
  5. Same image, differnet themes at startup
    By KarlGoddard in forum Windows
    Replies: 1
    Last Post: 3rd May 2006, 08:40 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •