Locking down Windows

[Blind]

What a long strange trip since my first post on this board.

I've mostly survived the year so far with only minor tweaks to the existing mess that I inherited, but I've recently come to realize that I may need more for the home stretch.

My predecessors did not like group policy and almost seemed to design a system to prevent its proper use. I'm aware of the power of group policy, but not a gpo expert or confident enough to use it as a sole means to prevent student (and teacher) misdeeds. I've played with programs like netsupport protect, but it's buggy and does not allow for multiple levels of limitations (just on or off).

I'd really like some kind of kiosk style interface that only shows the programs that students are allowed to run in one severely restricted managed profile and a home folder.

What are you guys doing to keep students out of places they don't belong and only running the programs that they should?

[localzuk]

A mixture of mandatory profiles and group policies is what you want. The easiest thing to do is to grab a couple of books (although I can't recommend which as I have learnt coming from NT4 and haven't got any books on it) and have a read.

It isn't complex really, just long winded picking out all the bits you want and testing it. Just be aware that Microsoft love using double and triple negatives and having multiple, conflicting policy options.

[Gatt]

Blind, If you like i'll post the GOP I use for pupils here. It locks them down pretty tight, start menu redirected, no desktop icons, only their home drives in My computer, etc....

Not in work today though, as I'm at the dentist later but

[djm968]

Folder redirecton for the start menu and desktop is the first place I would start. Setup a test OU in AD create a couple of test users staff and students and have a play.

As long as you only link your test GPO's to the test OU you cannot do any real harm. Also GPO does a reasonable job of explaining most settings and any that you unsure about or need futher information on, just copy and paste into google or even better, post them here.

[eejit]

This any good? :?



(yes, I'm already in the cloakroom handing over ticket)

[farmerste]

try clean-slate from fortresgrand.com

seems to solve 99% of problems

[Gatt]

I've attached our Pupil Policy that we have in effect at MHS, feel free to amend it to suit your school

I also have additional GPO's for WSUS, Software, and a few other bits

Let me know if your interested and I'll get them to you

[Gimbow]

Gatt, Awesome GPO. I am defiantly going to implement a few of these.

[ajbritton]

Wow! That's a complex SRP setup!

[Gatt]

It Works tho

[tarquel]

Wow! That's a complex SRP setup!

hehe You should see mine then

Nath.

[nicholab]

Who needs to used GPO when you got a Fisher price network. I want GPO's I can touch not RM