Windows 7 Thread, Simple solution for public/lab/library PCs needs testing, deepfreeze, steadystate in Technical; We have used deepfreeze, steady state, and cleanslate in the past. deepfreeze is expensive, steady state doesn't work with 7, ...
Simple solution for public/lab/library PCs needs testing, deepfreeze, steadystate
We have used deepfreeze, steady state, and cleanslate in the past. deepfreeze is expensive, steady state doesn't work with 7, and cleanslate simply breaks on a lot of computers.
I have been looking at a solution for our Lab Computers I was looking at steadierstate (Steadier State), but setup looked complicated, I have images built with pro, and it requires enterprise edition(which at least the version in my volume licensing doesnt have dvdmaker media player). I also looked at putting windows write filter for embedded windows in windows 7 pro (EWF on Windows 7 32-bit or 64-bit (Enhanced Write Filter)) but it is apparently buggy. I also looked at deploying windows thin pc for labs because it has the writefilter build in. but we found it lacked features we needed although you can install pretty much anything on it (like office) it had some .net issues.
The latest thing I have been looking at is mandatory profiles. which are more meant to be hosted on a server pulled down. you are supposed to have all the microsofty goodness to use something like this (windows server/AD) and we run Samba, plus I just want each computer to function independently wihtout outside reliance. you can use these locally (Creating a Mandatory User Profile). This would sort of combine with microsoft's promise that now you don't need to run a admin user to use windows (we will see). Mandatory profiles use a base profile to set up users where all changes to the profile are reverted. which when combined with the fact that the user is a guest should make for a pretty secure machine that a non computer science major can't trash before another re-imaging cycle comes around. the problem with mandatory profiles is that the base profile must be copied with full permissions for Everyone which means that once the intended locked down user logsin they can happily go to the mandatory base profile and start deleting things and adding things that will screw up the whole sync association. what I have found out after two days of looking at permissions is that the files do not need write access to work as a base profile they just need read access it is only the registry entries inside the ntuser.dat (changed to ntuser.man with mandatory profiles) that need full everyone permissions. so that when the user logs in and windows propagates the ntuser.man from the mandatory profile base to the user profiles ntuser.man the user can then make changes to settings. What I also discovered is that if you set read only permissions on the ntuser.man then a guest user that is logged in cannot go and load the hive and make any changes. I have been developing a single click script that will implement after I have sysprepped my maching with copyprofile=true (so that i carries over a lot of the setting that are set up with administrator) after my image is deployed and sysprep and driverpacks finish my setup automatically logs me in as administrator once to finish any addional setup. this is when I would run the script which sets up the mandatory profile, renames ntuser.dat to ntuser.man. changes the permissions to be more secure (need elaboration), creates a guest user that is mapped to the mandatory profile. and sets up that user to autologin on the next reboot. here is the script so far. I hope to get some feed back and document this a little as I test it out myself. If anyone sees any glaring holes in my Idea let me know.
the script is made with autoitv3 it needs to be compiled to run as an exe on a system that doesn't have autoit installed. my to do it to get it to a point where i might be able to distribute the compiled.exe any maybe add some user input to ask for user account name. the code executes one line at a time there is no logic. the first portion just automates a windows gui with keypresses.
getting the permissions right has been the hardest part. I tried to setup an indepedent directory that didn;t inherit permissions from users/ but that didn't work anyway I rolled it. There seem to be some inconsistencies with what i cacls does and what windows does with permission. or I am just missing something. for example these permissions work and are what is created by the first step
c:\users\mandatory.v2 NT AUTHORITY\SYSTEMF)
c:\users\mandatory.v2\AppData NT AUTHORITY\SYSTEMI)(F)
but when trying to copy them with icacls this is the closest I could get which should work as it grants all the same permissions but it doesn't
this is after running
icacls C:\Users\mandatory.v2 /inheritance:r
icacls C:\Users\mandatory.v2 /remove everyone
icacls C:\Users\mandatory.v2 /grant everyoneRX)
icacls C:\Users\mandatory.v2 /grant everyoneOI)(CI)(IO)(RX)
what i ended up doing was noticing the fact that the users directory has rx permissions just for the directory that don't propagate to the individual user profiles. so i just removed the permissions on the mandatory.v2 profile
icacls C:\Users\mandatory.v2 /remove everyone system administrators /c /q
and it works. this might not be the case for different setups i might have borked the permissions on users/ by playing so much with icacls.
I come across a few mentions of drive vaccine. what seems to be getting good reviews now is Reboot Restore RX Saves Your PC's State After Every Reboot. I just wanted something very simple and very integrated and none of the commercial product support junk/price tiers/licensing. I just don't see spending money on licensing and maintenace/updates. for something that can be simplified down and deployed easily. even when we had deep freeze we would get a couple machines where the driver and the redirect store would get out of sync this happens very frequently with cleanstate and there support is IMO bad. I was also trying to update our thought process to run everyone as admin with a driver based restore solution. it simplifies doing alot of system update task like virus updates which can happen using there own user credentials or system. We also looked as using A light weight linux client running kvm that booted a windows vm. there were some disk locking capabilities built in and we could push an image update remotely rather than more of a thing client type environment the usb support wasnt quite there yet. . administration is also easier as their is no "thawing" involved just log in as admin and everything is at your finger tips. and even if some products say that they supports temporary suspension without reboot my experience has been that you still have to put the product in "image mode" /not load the driver at boot in order to do a good number of updates.
Last edited by Ambrous; 30th July 2013 at 08:06 AM.
We've been using Deep Freeze for almost 2 years now and it's worked very well within our environment. We'd tried other products before purchasing Deep Freeze and every product had some or the other issue. Specially the Clean Slate and Drive Vaccine products - it's not recommended at all. We'd valuated it and found it to be completely unstable and buggy.
Deep Freeze works fine with the mandatory profiles that we have setup for the teachers and we don't have to worry about the profile data being lost or slow login issues. Plus Faronics gave us a very good pricing for Deep Freeze which included for Servers and Macs as well.
Contact their tech support team if you are having issues - they are always ready to help you out.
Last edited by smjack813; 25th September 2013 at 05:29 PM.