Thanks GShaw. Erm, I don't have Photoshop. Do you think you could colorize it for me?
The technique I use is to add "domain users" to the local administrators group via MMC. It solves a whole range of application related problems which can write locally if required. Using GPOs I hide and deny access to C:\ to users, but applications can still write locally - including BGInfo

But will the currently logged on user have write access to the SYSTEMROOT folder? Think that's why I ended up making it copy via startup script which has machine's rights, plus also changing the rights on the bgibmp folder I made, as bginfo puts the created bitmap in there when it's merged the original background with the text...
It would just have been easier to use the options in BGInfo to write to the USERS temporary folder instead of C. This is mentioned when using BGInfo to create the BGI file.
There is virtually no reason why any user needs local admin rights these days. As I said, it is potentially a DPA issue, and you should at minimum use a different group for admin and student machines when allowing local admin user rights.
I add a Local Admin - Students and Local Admin - Staff group to the admin group on the different sets of machines for the rare exceptions that are needed for a tiny number of staff.
For future searches.
PLEASE READ THIS PEOPLE!
There is an OPTION in BGInfo
Bitmap -> Location -> Users Temporary Directory
Adding "domain users" as local administrators allows applications to cache/write locally. The local C:\ drive is hidden and inaccessible from users, by enabling these two policies:

This is a bad idea. Profiles are a security issue as users can easily access them remotely and get at confidential data that is held temporarily/permanently there.
Hide these specified drives in My Computer - Enabled
Prevent access to drives from My Computer - Enabled
I must be unlucky then as schools always want to use old or technically challenged software. I've not had a single incident of a pupil breaking this setup. I can only recommend you try it

There is virtually no reason why any user needs local admin rights these days. As I said, it is potentially a DPA issue, and you should at minimum use a different group for admin and student machines when allowing local admin user rights.
Plug any machine into the network and browse to the admin machines; with domain users as members of local admins, anyone entering their password has full access to go snooping through people's profiles. Any file names in the recent docs people shouldn't see? Any cached pst files in there?
You only need give write permissions to the files/folders/regkeys the program/user actually needs to write to. Although educational software can want access to insane places, most of the time at worst you only have to give write access to its own program folder in program files.
Use Filemon and Regmon to see what is accessed. And use CACLS and SubACL to write the permissions as part of your deployment of the application.
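
As an added example (not code posted by anyone in this thread), the scoped-permission approach from the post above could look like the deployment script below. It uses PowerShell's ACL cmdlets in place of CACLS/SubACL. The group name `EXAMPLE\Domain Users` is a placeholder, and the Modify right on the bgibmp folder is an assumption about what BGInfo needs there.

```powershell
# Added example: run elevated, e.g. from a machine startup script.
param(
    [string]$Folder = 'C:\Windows\bgibmp',     # folder named in the thread
    [string]$Group  = 'EXAMPLE\Domain Users'   # placeholder; substitute your own group
)

# 1. Create the folder if it is missing.
if (-not (Test-Path -Path $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# 2. Grant Modify on this one folder (inherited by its files and subfolders)
#    instead of granting local admin rights. Modify is an assumed minimum.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Audit the local Administrators group (well-known SID S-1-5-32-544) for
#    broad principals: Everyone, Authenticated Users, or any Domain Users (RID 513).
$broad = Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object {
    $_.SID.Value -in 'S-1-1-0', 'S-1-5-11' -or
    $_.SID.Value -like 'S-1-5-21-*-513'
}

foreach ($member in $broad) {
    Write-Warning "Broad group in local Administrators: $($member.Name)"
}

# Non-zero exit lets the deployment tool flag machines that still need cleanup.
if ($broad) { exit 1 } else { exit 0 }
```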
Dammit! Came in this morning and it has stopped working!
I'm going to try gshaw's way
I now have it working for our teaching staff, but not for the student login, very weird.
gshaw, what permissions do the users need on the c:\windows\bgibmp folder?