+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 24
Windows Server 2000/2003 Thread, What are the general group policies a primary school would apply? in Technical; We're about to set up a new server in our primary school, but before we do that we'd like to ...
  1. #1

    Join Date
    May 2007
    Posts
    43
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    What are the general group policies a primary school would apply?

    We're about to set up a new server in our primary school, but before we do that we'd like to know what group policies other primary schools tend to implement. Thinking about the restrictions we should put on the pupil's accounts.

    Any examples of the group policies other primary schools have used would be much appreciated. Is there any standard set of group policies other schools use?

    Thank you very much.

    Steve

  2. #2

    SimpleSi's Avatar
    Join Date
    Jun 2005
    Location
    Lancashire
    Posts
    5,829
    Thank Post
    1,476
    Thanked 595 Times in 446 Posts
    Rep Power
    170
    I'll give you one side of the fence

    I don't have any group policies in any of myschools and all users have full admin rights

    The only times this has negative repercussions is with Reception classes who can trash a desktop in about 15 seconds and with 1 of my schools where year 6 recently discovered screen rotation via hotkeys

    Thats the disadvantages I can remember.

    Advantages are that any adult can install software/sort out printer problems etc without a computer (or a techncian/ICT co-ordinator) saying no

    This is with surburban schools near Preston in Lancs.

    regards

    Simon

    PS I use another method called WPKG to deploy software to workstations so I don't miss that facility.

  3. #3

    Join Date
    Jun 2009
    Location
    Birmingham
    Posts
    616
    Thank Post
    93
    Thanked 75 Times in 67 Posts
    Rep Power
    26
    Ours a locked down heavily.
    Remove all desktop and start menu items and redirect both to where we want. No System tray for pupils, remove windows commands such as run and System properties.
    IE is where we do a lot of restrictions such as proxies, control panel, security.
    Rich

  4. #4
    krisd32's Avatar
    Join Date
    Feb 2006
    Location
    Longridge, Preston
    Posts
    545
    Thank Post
    85
    Thanked 68 Times in 47 Posts
    Rep Power
    43
    Quote Originally Posted by Tricky_Dicky View Post
    Ours a locked down heavily.
    Remove all desktop and start menu items and redirect both to where we want. No System tray for pupils, remove windows commands such as run and System properties.
    IE is where we do a lot of restrictions such as proxies, control panel, security.
    Rich
    All the primaries i go to have been locked down similar to this.

  5. #5


    Join Date
    Sep 2008
    Posts
    1,854
    Thank Post
    352
    Thanked 264 Times in 216 Posts
    Rep Power
    121
    Quote Originally Posted by SimpleSi View Post
    <Snip>
    Advantages are that any adult can install software/sort out printer problems etc without a computer (or a techncian/ICT co-ordinator) saying no

    This is with surburban schools near Preston in Lancs.

    regards

    Simon

    PS I use another method called WPKG to deploy software to workstations so I don't miss that facility.
    Not sure if your joking or not there...but there is normally a reason for saying no, such as copyright/licencing issues. Who ends up responsible for them if your running a load of illegal software on machines?

    Sorry, if I missed the point of your post, think I need to go for lunch

  6. #6
    BrianG's Avatar
    Join Date
    May 2009
    Location
    Yorkshire
    Posts
    163
    Thank Post
    64
    Thanked 25 Times in 18 Posts
    Blog Entries
    4
    Rep Power
    21
    My schools are locked down heavily. They have no rights over the machines at all other than to open applications, print, view the internet and access shared drives. Their documents are redirected to the server. The students can't do anything. The can't even right click on the desktop.

    The staff are the same. They are locked down too. I find it's often staff who are better at breaking computers than the kids.

    We have one GRO sitting at the top which covers all the security settings, proxy settings, wallpaper etc.. We then have a GPO for the staff OU and the student OU which deals with mapping drives in. ( The staff have student and staff shared drives mapped in. The students just have the students drive mapped in)

    I give each department an OU which i then link GPOs for mapping printers

  7. #7
    TechSupp's Avatar
    Join Date
    Mar 2007
    Location
    South Yorkshire
    Posts
    1,995
    Thank Post
    326
    Thanked 127 Times in 107 Posts
    Rep Power
    42
    Yes, we are similar in that most things are locked down, redirected desktops, locked profiles, no control panel etc etc, but I can see where Si is comming from. We dont generally get children messing (unless its as the case with Si the very young ones) and so its only the adults that mess things up generally. Locking things really down does have its downside especially blocking acces to c: drive with some of the primary software. Got around some of the restrictions using RunAs. As with most things GPO's in primary have their pros and cons but in general I'm in favour the more I have used them.

  8. #8
    Craggus2000's Avatar
    Join Date
    May 2008
    Location
    Chelmsford
    Posts
    64
    Thank Post
    1
    Thanked 8 Times in 5 Posts
    Rep Power
    15
    Quote Originally Posted by SimpleSi View Post
    I'll give you one side of the fence

    I don't have any group policies in any of myschools and all users have full admin rights

    The only times this has negative repercussions is with Reception classes who can trash a desktop in about 15 seconds and with 1 of my schools where year 6 recently discovered screen rotation via hotkeys

    Thats the disadvantages I can remember.

    Advantages are that any adult can install software/sort out printer problems etc without a computer (or a techncian/ICT co-ordinator) saying no

    This is with surburban schools near Preston in Lancs.

    regards

    Simon

    PS I use another method called WPKG to deploy software to workstations so I don't miss that facility.
    I'm with you on this one. We apply very few policies and restrictions, all users have full admin rights to the machine. Except we go one step further...
    We use Reborn cards, kind of a hardware version of deepfreeze kind of thing. If a kid trashes a machine, just switch it off and on, and voila
    They also have the added benefit of being able to clone from a master PC to the rest. Better than imaging, as I have cloned nearly 90 PCs within an hour!
    Imaging is usually nearer 15...

    Let me know if you want to know about our reseller.

  9. Thanks to Craggus2000 from:

    SimpleSi (10th February 2010)

  10. #9

    SimpleSi's Avatar
    Join Date
    Jun 2005
    Location
    Lancashire
    Posts
    5,829
    Thank Post
    1,476
    Thanked 595 Times in 446 Posts
    Rep Power
    170
    Not sure if your joking or not there...but there is normally a reason for saying no, such as copyright/licencing issues. Who ends up responsible for them if your running a load of illegal software on machines?
    The head/govenors are responsible not me

    The way I work is that if I find that a piece of software has been installed without the number of licences - I point it out to the head/ICT Co-ord and point out that I cannot help with problems with such software as I would be aiding and abetting with illegal software - those words ususally have an effect

    I also generally don't install more copies if I think the licences don't permit it.

    regards

    Simon

  11. #10


    Join Date
    Sep 2008
    Posts
    1,854
    Thank Post
    352
    Thanked 264 Times in 216 Posts
    Rep Power
    121
    Quote Originally Posted by SimpleSi View Post
    The head/govenors are responsible not me

    The way I work is that if I find that a piece of software has been installed without the number of licences - I point it out to the head/ICT Co-ord and point out that I cannot help with problems with such software as I would be aiding and abetting with illegal software - those words ususally have an effect

    I also generally don't install more copies if I think the licences don't permit it.

    regards

    Simon
    Fair enough. It's just that I have always worked somewhere where it has been my responsibility to check licences which meant I didn't allow other people to install stuff. Of course this mentality came from starting my first job in a school which had about 30 licences for MS Office but installed allsorts of software on the entire network. They weren't happy when I told them either buy more licences or I remove them.

  12. #11

    Join Date
    May 2007
    Posts
    43
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Thanks for all your comments. I got a lot more than I bargained for here. I'm still quite keen to apply some group policies, but not lock down all the PCs fully.

    @ SimpleSi
    We're due to start fresh a suite of 30 PCs, so I'm quite keen not to allow unrestricted access. I do however like the advantages that you've stated:

    'Advantages are that any adult can install software/sort out printer problems etc without a computer (or a techncian/ICT co-ordinator) saying no'

    WPKG is one thing I shall explore further, nice one )

    @Tricky_Dicky
    I like what you've suggested:

    Remove all desktop and start menu items and redirect both to where we want. No System tray for pupils, remove windows commands such as run and System properties.

    @BrianG
    'The staff are the same. They are locked down too. I find it's often staff who are better at breaking computers than the kids.'

    I agree, although restricting our staff to such an extreme may hinder creativity within the team, so I'm quite keen to have good 'restore' procedures (not the Microsoft variety!) in place should the worst happen.

    @TechSupp
    Wowzers, I can see how restricting access to C: would be beneficial, but I envisage there being problems associated with this.

    @Craggus2000
    Nice one, I'll take a look into those cards. May be relevant for future projects. Just off the top of your head; how much a machine?

    Great, thanks for all your responses, you've given me something to chew on, looking forward to the implementation )

    Steve
    Last edited by mrstephenw; 10th February 2010 at 08:07 PM.

  13. #12
    Craggus2000's Avatar
    Join Date
    May 2008
    Location
    Chelmsford
    Posts
    64
    Thank Post
    1
    Thanked 8 Times in 5 Posts
    Rep Power
    15
    Quote Originally Posted by mrstephenw View Post
    Nice one, I'll take a look into those cards. May be relevant for future projects. Just off the top of your head; how much a machine?
    The cards are about £30 off the top of my head, and come in 100mb or 1gb options, pci or pci-express.
    They also do a software version for laptops for about £20, also has the clone function.

    You can do other fancy stuff like auto ip allocations (if you don't use dhcp) and host names, but the best bit is the being able to set up 1 PC as you want it, and then clone to nearly 100 in less time than it takes to sneeze.

  14. #13
    t_h
    t_h is offline
    t_h's Avatar
    Join Date
    Aug 2009
    Location
    Manchester
    Posts
    131
    Thank Post
    7
    Thanked 20 Times in 18 Posts
    Rep Power
    15
    Wow, full admin rights on client machines for staff and pupils? *shudder*

    I work in a Primary/Nursery and ALL of our user accounts, including my own day-to-day account, are standard user accounts. My philosophy is to keep things as simple as possible. With Group Policy I redirect the Desktop and My Documents to the NAS, run a couple of login scripts to map network drives and printers and configure little things like the IE homepage and favourites.

    This works well for us - it keeps computers across the network consistent, doesn't allow individuals to trash the configuration and keeps malware to a minimum.

  15. #14

    EduTech's Avatar
    Join Date
    Aug 2007
    Location
    Reading
    Posts
    5,078
    Thank Post
    160
    Thanked 940 Times in 732 Posts
    Blog Entries
    3
    Rep Power
    275
    Y'see, Simon likes fixing problems so that is probably why he does that also, he probably has quite understanding staff that may/maynot abuse it and if you have seen Simon you would know not to mess with him

    But Seriously, I do understand why.. and espeically as they do not have someone there full time it does save them making Simon's ears hurt and if it is working and not causing any problems then i suppose it is fine...

    Would never see that happen round the schools i live by, but i suppose the area is worse here than there

  16. Thanks to EduTech from:

    SimpleSi (11th February 2010)

  17. #15
    p858snake's Avatar
    Join Date
    Dec 2008
    Location
    Queensland
    Posts
    1,491
    Thank Post
    37
    Thanked 175 Times in 151 Posts
    Blog Entries
    2
    Rep Power
    52
    Quote Originally Posted by Craggus2000 View Post
    I'm with you on this one. We apply very few policies and restrictions, all users have full admin rights to the machine. Except we go one step further...
    We use Reborn cards, kind of a hardware version of deepfreeze kind of thing. If a kid trashes a machine, just switch it off and on, and voila
    They also have the added benefit of being able to clone from a master PC to the rest. Better than imaging, as I have cloned nearly 90 PCs within an hour!
    Imaging is usually nearer 15...

    Let me know if you want to know about our reseller.
    We can image a classroom of 25/30 in like an 30 mins or less. I do know some switch settings and stuff can make images take longer to deploy though and/or the actual images themselves and the compression they are done at depending on the imaging solution.

    Quote Originally Posted by SimpleSi View Post
    The head/govenors are responsible not me
    You are employed to manage the IT systems so it falls under your duties... so unless you have it clearly documented otherwise in your contract.....
    Last edited by p858snake; 11th February 2010 at 02:23 AM.



SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 16
    Last Post: 30th April 2013, 11:00 AM
  2. Group Policy Will Only Apply With gpupdate /force
    By FN-GM in forum Windows Server 2008
    Replies: 21
    Last Post: 2nd October 2009, 10:30 AM
  3. Group Policies
    By leco in forum Windows Server 2008
    Replies: 4
    Last Post: 29th March 2009, 10:15 PM
  4. Help with Group Policies etc.
    By chris7 in forum Windows Server 2008
    Replies: 4
    Last Post: 30th January 2009, 09:40 PM
  5. Cannot get group policy to apply
    By flexyjerkov in forum Windows
    Replies: 18
    Last Post: 8th March 2007, 04:42 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •