GPOs setup on new domain
Just playing with new domain,which I plan to put live next summer.
It is windows 2008R2 and I have few issues with setting up right gpos for students.
I have restricted quite a lot, but kind find few things, so maybe you can help.
How to hide few icons from accessories:
RDP, Run, and Powershell folder
There is quite a lot Administrative templates, so maybe I have missed something.
Thanks in advance
Good to see i'm not the only one starting now with the new domain for summer :) Your most likely doing exactly what i'll be doing over the next few months... Testing testing testing... But anyway, Simple way we got around that was not to show the all users programs(we use redirected instead) and mandatory profiles,
Not sure if there is any other way.. Hopefully someone else can shed some light!
Yeah, preparation begins early, as we are atm RM CC3 school I want to move away. We pay them around £5k for support and we don't really use it often.
Found a kind of solution to my problem, run is not a problem as there is GPO to remove it. With other software there is a gpo which prevent users to open specified programs, you need to provide exe files. Almost everything covered, apart from task scheduler as this is msc file. So users can see those programs, but when they try to launch it, they get info that they can't as administrator restricted it. Not a solution I would like to see, but at least it works. I will look as well at your way with redirection - can you provide bit more details - do you redirect start menu components?
Now I'm looking at mandatory profiles, I know I suppose to copy one profile and than it become one, but I'm not sure where I suppose to copy it from. Only ntuser.dat I can find on my test windows 7 machine is in c:\user\default. Would love to see some kind of detailed guide. Only what I could find is copy profile to shared folder and change ntuser.dat to ntuser.man.
I think the most effective way of sorting out menus is to redirect them so that they only get shortcuts you put there. Some folk redirect to server shares, but for various reasons I sync them to the local machine during computer startup ("them" = several different menus for different user groups).
Note that only sorts out the Programs bit, you still need to fiddle with GPOs to control everything else.
Here we don't focus on removing everything in the start menu, sort of giving them a taste of what is potentially accessible without allowing locked down users to access them (apart from control panel that is). Which is all possible via GP. I can understand if you don't want users to see icons or start menu items that they won't have access to, but giving them a standard start menu is more like what they are used to at home and more intuitive. I have seen some desktop experiences in some schools I have visited and it looks nothing like a standard desktop. I would class this as counter intuitive.
I don't want really to totally change start menu, just limit it, so pupils will not fiddle with it instead of listen to the teacher/do work. We have here few bit more able kids, they did write scripts to try hack security and other sorts of things. I don't want them really to access powershell, or task scheduler. Sometimes they pretend that computer done something weird and they have to get IT help so they come to our office for help, in slowest way they can - they have this special walking technique, where they are slower than turtle - everything to get out of the lesson. I know that most of them will not touch those programs, but small numbers will, and I know I will have teachers complaining about it.
Ye we had the same issue with kids writing vbs scripts etc, hence now nothing can be run without us putting it in required places!
But basically we have the gpo for startmenu redirect to \\servername\menu$\students\etc then have folders in there for each subject and then general for those other things like volume control that is needed by all the students. This way the start menu is always the same for them, and we have full controll of what is on it as only administrators have write access to the folder!
Gotta say not made a mandatory profile yet in windows 7 but they seem to have a little guide going on here Managing Roaming User Data Deployment Guide