russdev (8th October 2012)
I'm not sure what's going on but we have group policies that don't seem to be running or we have people getting around them.
In the college we have restricted what students can do and have blocked access to things liek the control panel, display settings, wallpapers etc. yet we seem to have some students who have their own background and today I saw someone with the control panel open and freely chaging settings.
We had a problem with Halo and Minecraft being played across the networl so I created a hash rule for the game and disabled the running of exe files from USB sticks to put an end to it. Neither worked and we ended up using Impero which stopped it dead!
We are running server 2008R2 and Windows 7 Pro desktops. Is there a way to block these students or are GPO's just a waste of time?
russdev (8th October 2012)
Policy restrictions work just fine for us. Is a matter of fact, a lot of the workarounds the kids managed to figure out under Windows XP stopped working in 7. Can you post a screen shot of the of the settings tab of your GPO with all the options expanded? RSOP is also a good utility for seeing if the policies are being applied properly on student machines. GPresult as the command line will let you know if they're being filtered as well.
I've attached the screen shots of the GPO's for students. This was created by a 3rd party (Northgate) and I have just made a few small additions or changes as needed but they don't seem to be doing what they are supposed to.
Any advice would be great!
Two more things to check on the GPO itself under the scope tab:
- Security Filtering
- WMI Filtering
Make sure both of these are as listed.
One more thing to do is run RSOP to see if the policies are actually applying. You're going to have to find a system that is logged in and having the issues and run RSOP against it. From your own workstation open RSOP.MSC, at the top of the tree in the left side right-click and select change query. From there you can type in the machine name and it'll give you the option to run the query as the user who is logged in. Once it completes you'll be able to drill through all the applied user settings.
You can get impero to lock a workstation if the network cable is unplugged (if that's what they're doing) you could allways use Mandatory profiles that should stop this dead.
russdev (11th October 2012)
We've had this a little recently - locked down with GPO, then Super Mandatory profiles. Sometimes the kids will log on with Power User (not full admin) rights and no network drives other than their home. Thankfully they've let us know! I suspected it's an issue with the pensionable ages of our two DCs on this domain (7 and 10 years old!) so I have the replacement kit already in, and I've been working on speeding up the existing kit for now. There's nothing in the event logs at all though, so just going on hunches as yet.
I just blocked most things from students home folders and just made safe folders within a shared drive if anything needs to be saved which might get flagged by the filters. No need for complex hash rules, just set path rules.
There are currently 1 users browsing this thread. (0 members and 1 guests)