I use Microsoft Office for all of the computers in the computer labs at the high school I'm working for. All the computers are frozen with Deep Freeze and students log in using their username and password for the Windows network.
If they want to use Office, they launch Office and it goes through the "Preparing to Install..." window that comes up for a few seconds before Office launches.
Unfortunately, the previous techs that were here set all the students as local administrators on each machine. So that didn't really help me much when I found that out. They had higher privileges than the teachers and administrative staff did. So I quickly went around to as many machines as I could and removed them from the Administrators group.
But now students are getting an error that says an Administrator needs to install Office because it isn't ready for all the users. Is there an easy way around this? It works on some machines, and doesn't work on others. Thanks!
There is no harm in setting them as local administrators, or at the very least power users. Many applications require write access to the local disk drive, which is why it makes good sense to make AD security groups or add "domain users" as local administrators.
What you shouldn't do is make them domain administrators which is as powerful as it gets (for obvious reasons), otherwise you could potentially jeopardise your entire network!
The reason you're receiving that Office message "Preparing to install..." is because there's a high probability the students are using a mandatory profile: NTUSER.MAN instead of NTUSER.DAT. This of course means that any changes are forgotten, which is why they always get that message. To get round this problem, you'd have to temporarily set up a temp user, rename NTUSER.MAN to .DAT, log on as this test user, run Office, log off and then rename NTUSER back to NTUSER.MAN.
Students should then be able to launch Office straight away, which is also a lot quicker. It would annoy me if I had that message coming up every time I ran Office for the first time!
I completely understand the need for setting users as local Administrators. Makes sense. The reason I had them turned off so fast is because kids here frequently install a lot of software to play games etc., and I wanted to lock them down as much as possible. But of course even with security settings in Active Directory and setting them as just local users, users are still able to install software to a place other than Program Files. They can install software directly to the desktop with no problem, or their network storage drive. Is there any easy way to prevent this?
It is difficult to clamp down on, I agree; however, if you have XP clients and 2003 server, Software Restriction Policies are what you need to look at.
You could also block access to websites where they are potentially downloading MSN Messenger (for example) or games.
How are you controlling user desktops? I use Folder Redirection in Active Directory, so I specify what shortcuts are available to users. Even if users do try to install an application, no shortcut appears on the desktop or start menu. Users quickly give up.
I think the key to making users give up is to prevent them running a game or MSN, for example, even if they manage to install it. If there's no shortcut, they cannot run the application. Simple, but it works well in my experience.
Ya, I'm working on creating software restriction policies. But I've never got them to work in the past. I'll keep working on it.
Ya, we have some clever kids around. Finding interesting ways to do things. Even after I blocked out the registry and restricted users' access via group policy and locked down the user interface a ton, even if you couldn't go Start>Run>Regedit, I had one or two users write a VB script to inject data into the registry.
We're using ISA 2000 as our proxy server and website blocker, and it hardly works at all :P Users simply change the proxy setting to something other than the ISA server, and they're done. They can access whatever they want. It's ISA 2000 as well so the security technologies are quite old in it. But I've just ordered a new unit from Barracuda. The web filter 320.
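Added example, not part of the original thread: since the students were only removed from the Administrators group on some machines, this PowerShell sketch parses the output of `net localgroup Administrators` and lists every member that is not on an allowlist. The domain name `SCHOOL`, the account `jsmith`, the allowlist and the sample output are constructed for illustration, and the parser assumes English-language `net` output and that PowerShell is installed on the client.

```powershell
# Added example (not from the thread). SCHOOL, jsmith and the allowlist
# are constructed values; adjust them to the real domain.
function Get-UnexpectedLocalAdmin {
    param(
        [string[]]$NetOutput,   # lines from: net localgroup Administrators
        [string[]]$Allowed      # accounts that may stay in the group
    )
    $inMembers = $false
    foreach ($line in $NetOutput) {
        $entry = $line.Trim()
        # The member list starts after the row of dashes.
        if ($entry -match '^-{5,}$') { $inMembers = $true; continue }
        if (-not $inMembers -or $entry -eq '') { continue }
        # English-locale trailer line marks the end of the list.
        if ($entry -like 'The command completed*') { break }
        # -notcontains compares case-insensitively by default.
        if ($Allowed -notcontains $entry) { $entry }
    }
}

# Constructed sample of what an un-cleaned lab machine might return.
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
SCHOOL\Domain Admins
SCHOOL\Domain Users
SCHOOL\jsmith
The command completed successfully.
'@ -split "`r?`n"

$allowed = 'Administrator', 'SCHOOL\Domain Admins'

# Lists the members that should be reviewed and removed.
Get-UnexpectedLocalAdmin -NetOutput $sample -Allowed $allowed

# On a real machine, feed it the live output instead of the sample:
# Get-UnexpectedLocalAdmin -NetOutput (net localgroup Administrators) -Allowed $allowed
```

Running it on each lab machine before it is frozen again shows which ones were missed in the first pass.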