  1. #1
    nereik23 (Brisbane; joined Jun 2012)

    Windows 7 Netbook Lock-Down Software/ Methods and ideas

    After reading through most of this site (might I add what a useful resource! Thanks for that). We are currently looking at upgrading our lock-down software on our system we use and wondering if anyone out there might have a good suggestion for us to try.

    Currently we have about 1000 netbooks and notebooks. We're using the Dell Latitude 2110 (years 7-8-9) and the Latitude 6220 (year 10) with Windows 7 Pro 32bit. For lockdown we used to use Faronics WinSelect. Do not recommend it!!! It is filled up with hours and hours of headaches. Basically lasted a few months and the students worked out a way of passing it. Also the support is hopeless as they are in Canada and we are in Brisbane and there is quite a significant time difference which usually made one of us pretty tired the next day.

    We have adopted the policy where the student cannot change anything on the system (hardware - wireless settings, graphical options etc) or customise desktop space, icons and install games all the time!!

    The other thing is we are opting for a dual boot setup, one with a (@ Home) partition and the other for (@ School). Both will be running Windows 7 Pro 32bit, and there will also be a link up between the 2 OS partitions for a data drive. So in total on the hdd there should be about 4 active partitions.

    So what I am wondering is are there options to perform these tasks;
    1) It can't interfere with the partitions
    2) Can be applied and not get affected during the image process using altiris. (Involves the no sys prep and sys prep stages)
    3) The school side can still access domain, not interfere with student shares, and I can add software and usual programs to start menu.
    4) Also is not relied on by network deployment. (Learnt the hard way with winselect)
    5) Block out the settings for the kids.

    With experimenting with local GPO I have found that, (for example if a student wanted to get into control panel with local GPO set) all they had to do was copy a shortcut from sys32 folder within windows, copy it to a usb drive, put it into the computer and run it from there and it opens up with no worries. Even though I have set it to deny access to control panel for all users. Funny thing is if you couldn't get a copy of it there's no way of gaining access to control panel. The other thing is we also need the usb ports so we can't disable it which would fix the problem quite quickly.

    Any help with this would be GREATLY appreciated!! Thanks heaps. Kieren

  2. #2

    Michael (Birmingham; joined Dec 2005)
    Originally Posted by nereik23:
    The other thing is we are opting for a dual boot setup, one with a (@ Home) partition and the other for (@ School). Both will be running Windows 7 Pro 32bit, and there will also be a link up between the 2 OS partitions for a data drive. So in total on the hdd there should be about 4 active partitions.
    Have you thought about having a domain logon, then using .\username (local logon) instead of two Windows 7 installs?

    Originally Posted by nereik23:
    So what I am wondering is are there options to perform these tasks;
    1) It can't interfere with the partitions
    Non admins logging onto a workstation cannot change partitions (even with access to Control Panel).

    Originally Posted by nereik23:
    2) Can be applied and not get affected during the image process using altiris. (Involves the no sys prep and sys prep stages)
    You'll still need to run Sysprep when imaging notebook/netbooks. You should be able to configure local policies without Sysprep changing anything.

    Originally Posted by nereik23:
    3) The school side can still access domain, not interfere with student shares, and I can add software and usual programs to start menu.
    I'd always recommend the notebook/netbook is joined to the domain for central management, AV updates and any MSIs you wish to deploy.

    Originally Posted by nereik23:
    4) Also is not relied on by network deployment. (Learnt the hard way with winselect)
    Not quite sure what you mean!

    Originally Posted by nereik23:
    5) Block out the settings for the kids.
    Using Group Policy Management (on the server) and local policies accordingly.

    Originally Posted by nereik23:
    With experimenting with local GPO I have found that, (for example if a student wanted to get into control panel with local GPO set) all they had to do was copy a shortcut from sys32 folder within windows, copy it to a usb drive, put it into the computer and run it from there and it opens up with no worries. Even though I have set it to deny access to control panel for all users. Funny thing is if you couldn't get a copy of it there's no way of gaining access to control panel. The other thing is we also need the usb ports so we can't disable it which would fix the problem quite quickly.
    I suspect the pupil is a local administrator. I've never heard of Faronics WinSelect, but you can achieve everything without it. Not quite sure what it thinks it can achieve that Microsoft Group Policy Management cannot.

  3. #3
    nereik23
    Hi Michael, thanks so much for the reply.

    We haven't actually tried that, we usually create a local admin account, but quite possibly that would be a much easier way to go. That can go down on the stuff to do today.

    With local policy, I have created a configuration setup, see attached PDF below, but there are 2 problems with that. When I log into the admin account, the local policy is still applied. Will also work with any other accounts that logon to the system (student accounts etc). I would like to be able to login to the admin account and modify the system if needed without too much alteration, getting into the system. I will be trying this out today --> Local Group Policies - Apply to All Users Except Administrators - Windows 7 Forums.

    PDF: http://non-stop-tech.com/ftp/Local%2...%20Systems.pdf

    The other thing is I would like to use local GPO to block other programs as well, but not sure if I'm going to have to use local policies as well as something else. I am looking at using AppLocker but I have never used it before and not sure how effective it is.

    Also I am trying to work out, can this be applied to blocking games from being run? Always copies of HALO, and counter strike (just to name a few) on these machines, usually always taking up space and instead of saving their school work, they can't because they don't have any more room left out of 160GB hdd! The other common one is the SWF flash files. We do need to run swf for some classes here so not sure if I can even tackle that one.

    Originally Posted by nereik23
    4) Also is not relied on by network deployment. (Learnt the hard way with winselect)
    If there was software which was going to take the place of local group policy (like winselect) I wouldn't want it to be network deployable. This was such a pain when we used faronics server management tool to deploy the software out over the machines. When I was creating the initial image at the end of last year, I wanted to have this installed during no sys prep, but for some reason as soon as it came time to capture, the image would corrupt itself each time, then I took out the software and it captured fine. Finally it came to being installed after the final sys prep image. So every time I have to do a re-format on a system, that software has to be installed and setup every time!! It's not too good when you do that nearly 20 times a week. The other thing is, even with a fresh install of the OS, the software doesn't always deploy even though it sees the machine in the server.

    I suspect the pupil is a local administrator. I've never heard of Faronics WinSelect, but you can achieve everything without it. Not quite sure what it thinks it can achieve Microsoft Group Policy Management cannot.
    So when I make an image, usually I create two accounts, one for the local admin, and the other is called user. User account is basically used to build up what I want the student to use program wise, start menu etc etc. Eventually we make two copies of the 'default' account in the users folder on C:, one called default_(with date create), and the user account gets renamed to the new default account. Then from there sys prep is captured and the setup I have made in the user account gets used as a standard setup for all student accounts. The admin account is mostly used just as a diag account, or if I need to install additional software I can go into this and install with full admin rights. Both these accounts are created as Administrator accounts when the system is first setup.

    Should I create the user account as a standard account to prevent tools from sys32 being used?

    Thanks again for your suggestions and help, will be trying them out today and seeing how it goes.

    Kind regards, Kieren
    Last edited by nereik23; 5th July 2012 at 01:16 AM.

  4. #4

    Michael
    Originally Posted by nereik23:
    That's a very clear user guide and will get round your problem!

    Originally Posted by nereik23:
    The other thing is I would like to use local GPO to block other programs as well, but not sure if I'm going to have to use local policies as well as something else. I am looking at using AppLocker but I have never used it before and not sure how effective it is.

    Also I am trying to work out, can this be applied to blocking games from being run? Always copies of HALO, and counter strike (just to name a few) on these machines, usually always taking up space and instead of saving their school work, they can't because they don't have any more room left out of 160GB hdd! The other common one is the SWF flash files. We do need to run swf for some classes here so not sure if I can even tackle that one.
    Unrestricted is the default, however you can easily set up path rules to block games from installing or being able to run at all. If you look in User Config > Admin Templates > System - Don't run specified Windows applications, you can specify the .exe's of files you'd like to block too.

    Originally Posted by nereik23:
    If there was software which was going to take the place of local group policy (like winselect) I wouldn't want it to be network deployable.
    Local Group Policy (included by default) can only be run as a local administrator, or a domain administrator. You don't need any other third party tools.

    Originally Posted by nereik23:
    Should I create the user account as a standard account to prevent tools from sys32 being used?
    You should create one standard account and one admin account. As above, you can always include path rules and manually add .exe's.
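
Added example, not posted by either participant: the thread's open question is whether the student-facing account ends up in the local Administrators group, so this PowerShell 2.0 script (the version shipped with Windows 7) lists that group's members on an imaged machine and flags anything unexpected. The function name `Get-LocalAdminMembers` and the `$expected` allow-list are assumptions for illustration; set the list to the accounts your image should contain.

```powershell
# Added example: audit the local Administrators group on an imaged netbook.
# ASSUMPTION: only these names should hold local admin rights; edit to suit.
$expected = @('Administrator', 'Domain Admins')

function Get-LocalAdminMembers {
    param([string]$Computer = $env:COMPUTERNAME)

    # Resolve the group by its well-known SID (S-1-5-32-544) so the lookup
    # also works when the group name is localised.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]

    $group = [ADSI]"WinNT://$Computer/$name,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read their properties by reflection.
        $t = $m.GetType()
        New-Object PSObject -Property @{
            Name  = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
            Class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
            Path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

$members    = @(Get-LocalAdminMembers)
$unexpected = @($members | Where-Object { $expected -notcontains $_.Name })

# Show every member, then call out the ones that are not on the allow-list.
$members | Format-Table Name, Class, Path -AutoSize

if ($unexpected.Count -gt 0) {
    $names = ($unexpected | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Unexpected local administrators: $names"
} else {
    Write-Output 'Local Administrators group matches the expected list.'
}
```

Running it on a freshly deployed machine, before and after a student's first logon, shows whether the template "user" account or the accounts built from it carry administrator rights.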


