We are migrating away from Novell to Server 2008 R2 AD this summer.
One of my personal goals is to remove the need for Deep Freeze! Can a computer be protected just as well via the group policies available within Server 2008 R2? (I'm not an expert on the subject by any means!)
We will be using mainly XP workstations until at least Summer 2012.
Have you thought of trying Clean Slate from Fortres Grand? It can be configured to work well with almost any anti-virus suite etc., might be worth a peek.
Much easier than group policy tweaking in my view.
Yes............but they also thought of the name 'Bing'.
Originally Posted by Arthur
Say no more.
We are not using Deep Freeze with our Windows 7 Pro client machines and have not encountered any notable problems for the six months that we have done so.
We use a GPO to erase the user profile after so many days. This has the same effect Deep Freeze does, at the user profile level, but would not protect the client in the same way anywhere else in the file structure (in C:\windows for example).
Besides making sure students and teachers are not admins, we configure the same GPO to automatically reject UAC elevation (so the prompt never even appears).
Only downside: the CONTENT of the user profiles is deleted but not the top level folder. So we have a multiplication of folders like this:
Logon time seems to take longer on Windows 7 than on XP when the user profile needs to be created afresh too.
EDIT - unfortunately, I do not believe the erase profile setting exists for XP (and obviously not the UAC one).
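An audit sketch for the two settings the post above describes (automatic denial of UAC elevation for standard users, and deletion of aged profiles), added here as an example and not part of the thread. It assumes the settings come from the standard Windows policies, which write the registry values named in the comments, and that the script is run locally on a Windows 7 client.

```powershell
# Added example: report whether a client has the lockdown settings applied.
# Policies assumed (standard Windows GPO settings):
#   "User Account Control: Behavior of the elevation prompt for standard users"
#     -> ConsentPromptBehaviorUser (0 = automatically deny elevation requests)
#   "Delete user profiles older than a specified number of days on system restart"
#     -> CleanupProfiles (number of days)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function New-Check {
    param([string]$Check, $Value, [bool]$Pass)
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = $Pass }
}

$uacKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$profileKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

$enableLua   = Get-PolicyValue $uacKey 'EnableLUA'
$consentUser = Get-PolicyValue $uacKey 'ConsentPromptBehaviorUser'
$cleanupDays = Get-PolicyValue $profileKey 'CleanupProfiles'

$results = @(
    # The deny setting only has an effect while UAC itself is switched on.
    (New-Check 'UAC enabled' $enableLua ($enableLua -eq 1)),
    (New-Check 'Standard-user elevation auto-denied' $consentUser `
        (($consentUser -ne $null) -and ($consentUser -eq 0))),
    (New-Check 'Aged profiles deleted on restart' $cleanupDays `
        (($cleanupDays -ne $null) -and ($cleanupDays -gt 0)))
)

$results | Select-Object Check, Value, Pass | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or inventory tool flag the client.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) { exit 1 }
```

As the post notes, these settings protect the profile and block elevation only; the script says nothing about changes elsewhere on the disk.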
Hey, we came from Novell + ZENworks, migrated to 2003 + ZENworks 6 years ago and then last year binned ZENworks and moved to 2008 R2, plus Hyper-V/SCVMM and App-V instead of ZENworks. We also had Deep Freeze before and, it sounds bad, but we didn't put AV on curric machines as it slowed them right down (old P4s, 256 MB RAM, XP). We now have new workstations and Win7 Enterprise across the board and have binned Deep Freeze as it was such a pain, also not patch management/SCCM friendly. We lock the machines right down via GPO and delete local profiles periodically and we have AV locally now.
Much better IMO. :)
We've never used Deep Freeze, and for the IT suite and classroom PCs the lockdowns with GPO work a treat. The students only see the icons they need, they don't have access to the C: drive and can't launch EXEs from Temp folders, USB or My Docs, meaning it would be very hard for them to affect the computer. Group policy to delete profiles on logoff seems to work on XP mostly, as long as the User Profile Hive Cleanup tool is installed. Staff are the problem, as we have historically given them way too much access (local admins on PCs), and closing that down is an issue.
I do not believe a computer can be protected just as well with locked-down group policies. I am not arguing that a computer can't be protected that way, because it can, just not as comprehensively as with DeepFreeze.
The opinion within this establishment is keep DeepFreeze - we reviewed it recently.
It does get in the way of any updates to the PC / patch management if you do not configure any maintenance time.
It guarantees a uniformity of operation across entire suites (with the obvious caveat that the maintenance happens across all PCs uniformly).
We have tested PCs without DeepFreeze and we do feel we would be fairly safe to remove DeepFreeze, but that is only fairly safe. We no longer have the time to go fixing operating systems that get broken; this time got eaten up with other tasks after we started relying on DeepFreeze to keep our suites in working order.
As with any security there is a trade-off against functionality / usability - for our establishment we considered keeping DeepFreeze to be a no-brainer.
For completeness it should be noted that staff here are given administrator level access to local machines - this could cause problems if we did not have DeepFreeze.
We are actually in the process of getting rid of Deep Freeze in our schools. We have worked for a few months on getting a GPO in place where the students couldn't do any damage to the workstations. We think we have a good one in place with tweaks and tricks all over the place. With the new group policy preferences in 2008 R2, it is possible to replace Deep Freeze. Good luck!
What happens when your domain controllers get compromised? :confused: