  1. #1

    Locking down desktops and mandatory profiles

    Hi there

    Just joined this after seeing the letter in PC Pro a month back. Well done.

    I'm trying to set up a new network at a Primary School which consists of the following so far:

    Windows 2000 Server SP4.
    Clients running XP Pro SP2.
    Domain + Active Directory + GPOs to configure PCs.
    (The GPMC for XP and WS 2003 makes GPO management a lot easier!)
    Redirected My Documents via GPO.

    I'm now trying to arrive at the best way to stop those meddling fingers by locking things down tightly. What I want to do is use mandatory profiles on the server, i.e. by changing NTUser.DAT to NTUser.MAN. My questions are:

    - Is this a typical scenario that people are using in schools?
    - What are the implications for installation of new software (i.e. additions to start menus, new icons, etc) if the desktops use mandatory profiles?
    - Is there another way?

    All help gratefully received.

    Thanks

    Andy

  2. #2
    ninjabeaver

    Re: Locking down desktops and mandatory profiles

    Hmmm, I'd probably look at introducing Group Policies to lock down desktops for students and staff who can be a bigger pain.

    I'm now looking into Group Policies for the school I'm working at, but I've got a lot of other mini projects going on as well. Staff don't want a massive change to the system yet as we are being Ofsteded very soon.

    I might be wrong but I believe that GPOs are the best route of locking down the system without spending money.

  3. #3
    ICTNUT

    Re: Locking down desktops and mandatory profiles

    Hi Andrew,

    There have been a few threads on Profiles and all pretty much say the same, NO PROFILES

    It is a matter of taste and of how many users you have, but in our case we have 1600+ users, and if you use mandatory profiles, the info being carried across the network at logon will slow that network down to a crawl. Yes, this was happening when I took over.

    I have basically setup the following:

    1 - Using an unattended XP install which has been slimmed down (from 568Mb to 234Mb) and slipstreamed with SP2 + Hotfixes. Slimming down the source of XP is good on two counts: it makes the install faster as there are very few files to copy, and it also removes the programs that cause the problems in the first place, for example MSN, Messenger, Games, etc.
    2 - Logon script removes all unwanted shortcuts from the menus for both all users and the logged on user.
    3 - Using GPO to restrict everything else.

    Result: A completely locked down desktop that, when a student logs in, all they have is Start > LogOff & Start > Programs with only the software that they can use visible.

    Software is deployed via GPO at machine startup so no user actually needs to be logged in for the install to take place.

    Right click context menus have been removed from everywhere; no access to local drives at all, just the network share for their personal folder and the assignments folder; students cannot install software nor can they run certain files from pen drives/memory sticks.

    All this and not a profile in sight.....

  4. #4
    marco84

    Re: Locking down desktops and mandatory profiles

    I have a mandatory profile set up for pupils, and locked down with Group Policy.
    Staff have roaming profiles and logon is still down to only a few seconds, for pupils and staff.
    I found a combination of a mandatory profile and use of group policy works best for us.

  5. #5
    ChrisH

    Re: Locking down desktops and mandatory profiles

    How are you controlling file types on pen drives ICTNUT?

  6. #6

    Re: Locking down desktops and mandatory profiles

    Thanks everyone for the quick feedback.

    Quote Originally Posted by ICTNUT
    There have been a few threads on Profiles and all pretty much say the same, NO PROFILES
    I did look through the threads but the ones I saw seemed to be anti-roaming profiles rather than mandatory ones.

    Quote Originally Posted by ICTNUT
    It is a matter of taste and of how many users you have, but in our case we have 1600+ users, and if you use mandatory profiles, the info being carried across the network at logon will slow that network down to a crawl. Yes, this was happening when I took over.
    I will only have around 30-40 PCs max. I assumed that by redirecting My Documents via GPO the bulk of the data would not get transferred at logon.

    Quote Originally Posted by ICTNUT
    2 - Logon script removes all unwanted shortcuts from the menus for both all users and the logged on user.
    Any chance of seeing an example of what this script looks like?

    Quote Originally Posted by ICTNUT
    3 - Using GPO to restrict everything else.

    Result: A completely locked down desktop that, when a student logs in, all they have is Start > LogOff & Start > Programs with only the software that they can use visible.
    I must be missing something here. I can find a GPO for most things but I can't find anything to stop files and icons being saved on to or moved on the desktop. How do you achieve that via GPO? That was one of the main reasons I was looking at a mandatory profile.

    Quote Originally Posted by ICTNUT
    Right click context menus have been removed from everywhere; no access to local drives at all, just the network share for their personal folder and the assignments folder; students cannot install software nor can they run certain files from pen drives/memory sticks.
    All this via GPO?

    Thanks for the help, much appreciated.

    Andy

  7. #7
    ICTNUT

    Re: Locking down desktops and mandatory profiles

    @Andrew:

    Attached is an Excel spreadsheet of all GPOs available under Windows 2003, broken down into easy-to-search sections; this should help you find what you need.

    I would concentrate on the following areas:

    User Configuration -> Administrative Templates -> Start Menu & Task Bar
    User Configuration -> Administrative Templates -> Desktop

    This will control all aspects of the desktop itself and the task bar / start menu.

    You will need to go a stage further and hit the following:

    User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer

    This will allow you to control local drive access, and remove all non-essential options from the menus, i.e. map network drive, remove Windows hot keys etc...

    Hope it helps

    File Can Be Found Here
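
One way to check that the Windows Explorer, Desktop and Start Menu policies listed in the post above actually reached a pupil account, as an added example that is not from the thread or the attached spreadsheet; run it as the locked-down user. It assumes PowerShell 3.0 or later (newer than the XP clients discussed); `$ProfilePath` is a hypothetical parameter, and the registry value names are the standard ones these policies write.

```powershell
# Added example: audit the per-user Explorer lockdown for the logged-on account.
param(
    # Hypothetical UNC path of the pupil profile folder; leave empty to skip that check.
    [string]$ProfilePath = ''
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Registry values written by the Explorer policies named in the thread (1 = enforced).
$expected = [ordered]@{
    NoViewContextMenu      = "Remove Explorer's default context menu"
    NoNetConnectDisconnect = 'Remove Map/Disconnect Network Drive'
    NoWinKeys              = 'Turn off Windows+X hotkeys'
    NoSaveSettings         = "Don't save settings at exit"
}

# NoDrives and NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
function ConvertTo-DriveLetters([int]$Mask) {
    $letters = foreach ($i in 0..25) {
        if ($Mask -band (1 -shl $i)) { [char](65 + $i) }
    }
    return ($letters -join '')
}

# A missing key means no Explorer policy reached this user at all.
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

$report = foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Policy   = $expected[$name]
        Enforced = ($null -ne $props -and $props.$name -eq 1)
    }
}
$report | Format-Table -AutoSize

"Drives hidden in My Computer : " + (ConvertTo-DriveLetters ([int]$props.NoDrives))
"Drives blocked from browsing : " + (ConvertTo-DriveLetters ([int]$props.NoViewOnDrive))

# A mandatory profile should hold NTUSER.MAN and no leftover NTUSER.DAT.
if ($ProfilePath) {
    $man = Test-Path -LiteralPath (Join-Path $ProfilePath 'NTUSER.MAN')
    $dat = Test-Path -LiteralPath (Join-Path $ProfilePath 'NTUSER.DAT')
    "NTUSER.MAN present: $man; NTUSER.DAT still present: $dat"
}
```

Any row showing `Enforced = False` points at a policy that is not linked to, or is filtered away from, the OU holding that user.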

  8. #8
    tosca925

    Re: Locking down desktops and mandatory profiles

    I have a mandatory profile set up for pupils, and locked down with Group Policy.
    Staff have roaming profiles and logon is still down to only a few seconds, for pupils and staff.
    I found a combination of a mandatory profile and use of group policy works best for us.
    We use exactly the same for our users as above. 1600 + kids and 140 staff.


    Works well for us with no problems......The thought of kids having roaming profiles................no thanks.

  9. #9
    mark

    Re: Locking down desktops and mandatory profiles

    @Andrew - I notice ICTNUT refers to server 2003 when you state you have server 2000.

    You can access 2003 policies using the correct updates to 2000 server [links please ppl! ], and using the GPMC from an XP SP2 workstation. This is necessary to completely lock down an XP SP2 client, and the newest ADMs for 2003 server/XP SP2 will work for all previous OS versions.

  10. #10

    Re: Locking down desktops and mandatory profiles

    Quote Originally Posted by ICTNUT
    Attached is an Excel spreadsheet of all GPOs available under Windows 2003, broken down into easy-to-search sections; this should help you find what you need.
    Thanks for the spreadsheet, really useful to see it all in one place.

    Quote Originally Posted by ICTNUT
    User Configuration -> Administrative Templates -> Start Menu & Task Bar
    User Configuration -> Administrative Templates -> Desktop

    This will control all aspects of the desktop itself and the task bar / start menu.
    I've already made use of many of these and they seem to do the job but the one thing I can't stop is the ability to save shortcuts & icons or move things on the desktop itself. "Don't save settings on exit" doesn't prevent it. Any idea which one I should use for that, as it's not obvious to me after reading through everything?

    Quote Originally Posted by mark
    @Andrew - I notice ICTNUT refers to server 2003 when you state you have server 2000.

    You can access 2003 policies using the correct updates to 2000 server [links please ppl! ], and using the GPMC from an XP SP2 workstation. This is necessary to completely lock down an XP SP2 client, and the newest ADMs for 2003 server/XP SP2 will work for all previous OS versions.
    You're right, I am using 2000 but I do use the GPMC on one of the XP SP2 machines to manage everything. I'd be interested to know what the extra updates to 2000 are and what extra lock-down they provide.

    Thanks again.

    Andy

  11. #11

    Re: Locking down desktops and mandatory profiles

    Quote Originally Posted by marco84
    I have a mandatory profile set up for pupils, and locked down with Group Policy.
    Staff have roaming profiles and logon is still down to only a few seconds, for pupils and staff.
    I found a combination of a mandatory profile and use of group policy works best for us.
    Thanks for this info. Going back to one of my earlier questions, if you do use mandatory profiles, how does the installation of new software, new icons, start menu items, etc get affected? Surely the use of NTUser.MAN prevents any updates or other changes to these things?

    Andy

  12. #12

    GrumbleDook

    Re: Locking down desktops and mandatory profiles

    Any new software installed (which can also be done by Group Policies ... search in the forums for Group Policy or GPOs for other threads) usually sticks the start menu items in the All Users profile which applies to everyone when they logon as an extra to whatever profile you have (mandatory, roaming or local).

    Sometimes it doesn't, but you can move the icons afterwards so they are in the right place (c:\documents and settings\all users\start menu, etc).

  13. #13
    marco84

    Re: Locking down desktops and mandatory profiles

    Andrew Wrote:

    Thanks for this info. Going back to one of my earlier questions, if you do use mandatory profiles, how does the installation of new software, new icons, start menu items, etc get affected? Surely the use of NTUser.MAN prevents any updates or other changes to these things?

    If I want to amend the desktop, icons, start menu etc., I log on with the user used to create the mandatory profile, edit the profile and upload it back to the server with the changes.

  14. #14

    GrumbleDook

    Re: Locking down desktops and mandatory profiles

    When a user logs into an XP or W2K Pro box it has the following settings from the AD take effect.

    Firstly those specified by any computer policies from the GPOs (these actually happen when the machine starts up)
    Then you have the user policies (as the user logs in)
    You can actually have more computer policies here by using a feature/bug called loopback (DON'T!!! when it goes wrong it goes majorly wrong ... IME)
    Then you have any local settings from the computer itself.
    Finally you have profiles.
    Whatever profile you have, roaming, mandatory or local, it first takes any settings it needs from the "all users" profile (stored on the local machine) and the "default users" profile (also on the local machine in a hidden folder). It then applies the user's own profile.

    So, it makes no difference that NTUser.MAN prevents updates ... the updates are applied to the "all users" or "default user" settings.

    HTH

  15. #15

    Dos_Box

    Re: Locking down desktops and mandatory profiles

    and the "default users" profile (also on the local machine in a hidden folder).
    Or from the netlogon share where it is the first location to be checked before the local folder. Not advisable though as it will work on ALL your desktop PCs.
