+ Post New Thread
Results 1 to 6 of 6
Wireless Networks Thread, Computer /User Restrictions? in Technical; OK, I have previously looked at applying restrictions based on computers which I had seperated based on room/department. However after ...
  1. #1


    Join Date
    Sep 2008
    Posts
    1,858
    Thank Post
    354
    Thanked 264 Times in 216 Posts
    Rep Power
    121

    Computer /User Restrictions?

    OK, I have previously looked at applying restrictions based on computers which I had seperated based on room/department. However after briefly playing around with the settings, I couldn't actually find a good enough reason to start applying restrictions in this way. Currently resrictions are seperated into teachers and pupils allowing slightly different restrictions to allow staff a little bit more control. These policies are then applied to any computers when the user logs on. Having serperated each year group it is possible for me to change the access each year group has individually.

    Now I have been speaking to another techie at a different school where they apply restrictions based on computers. Obviously any user who logs on cant do anything that IT support dont want them to. But then this results in having to do some software installs whilst logged on as the local admin rather than a network user.

    So how do you do it? And what are the advantages of restricting computer groups over users?

  2. #2
    User3204's Avatar
    Join Date
    Aug 2006
    Location
    Wirral
    Posts
    769
    Thank Post
    55
    Thanked 66 Times in 62 Posts
    Rep Power
    35
    What sort of "restrictions" ?

    We have Windows AD \ GPO Policies, we stop:

    1) Access to Control Panel (and its CPL files) - for students, but staff can access on the staff network;
    2) CMD / RUN
    3) Software Restriction Policy, to block all apps apart from specified (read-only) shares, (we have a less restrictive one for Programmers);
    4) Other stuff - desktop / startmenu / &c;

    But this is all done via user policies.

    The only place I have a loopback policy is the staff room, where the Control panel is hidden, so that no-one can mess with the screensaver, as it's an auto-exit one.

  3. #3


    Join Date
    Sep 2008
    Posts
    1,858
    Thank Post
    354
    Thanked 264 Times in 216 Posts
    Rep Power
    121
    We have got similar policies in place to restrict all the usual types of things you have mentioned. But this has been done through the user policies so you can be a bit more flexible when it comes to the restrictions applied to each year group and staff.

    Sorry if it's not clear, as I am uncertain to the reasons behind their setup. Here restrictions (what staff & students can access and the layout of their desktop) are applied when a user logs on so that each user may get a slightly different desktop depending on their group. However am I right in thinking that if restrictions are set at computer level that the desktop will be the same for everyone using that computer including Network Admins?

    What I was after if someone could give me some advice if they have a similar system setup. What advantages are there of applying settings per computer rather than user and what effects does this have on the administration?

    As far as I am aware there has never been an issue here with pupils doing things they shouldn't be doing that couldn't be fixed by changing the user policies. I cant see a reason to apply settings at computer level over user, but should I be looking at applying settings at computer level, or is user level good enough?

  4. #4

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,225
    Thank Post
    1,926
    Thanked 2,425 Times in 1,775 Posts
    Rep Power
    842
    You can have more than one group policy applying at a time, so you need to distinguish between user and computer settings and keep the policies separate.

    Typically, we have a machine level policy in which only machine type settings are set... this enables us to do different things with different machines (e.g. admin machines, ict suite machines, laptops and classroom desktops are all treated slightly differently)

    We also have group pols for different groups of users, so admin users, teachers and pupils are treated differently with user type settings

    We don't try to do everything in one group policy. Computer settings in the policy for the PC, user settings in the one for user.

    That way a teacher and a pupil can different user settings at the same machine, but anyone logged on that classroom PC will have the same computer settings.

  5. #5


    Join Date
    Sep 2008
    Posts
    1,858
    Thank Post
    354
    Thanked 264 Times in 216 Posts
    Rep Power
    121
    I have split computers into sererate OU so I can easily distinguish between departments and I also have seperate Policies for Users.

    Sorry, but I meant applying user settings in computer policies. Doesn't this then limit what the user settings are able to do? Or can these be overridden by the user settings?

    I just thought that it would cause extra work in administration to do it that way?

    elsiegee40 : That is how I have it at the moment. Departments only get settings based on their rooms from the computer policies, users get their own settings which are applied all over the school from their user policies.

    I was just curious to how other people do it as I wanted to make sure I was covering all the bases. It sounds to me like there is not much difference in how the settings are set, just in how they are administered?

  6. #6

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,225
    Thank Post
    1,926
    Thanked 2,425 Times in 1,775 Posts
    Rep Power
    842
    I keep computer and user settings in separate policies because it's easier to get my head round and I don't get confused that way.

    You can mix them, but it doesn't mean it's the best way to do it. (At least for me anyway )

    The only exception I have is 'Logoff when logon hours expire' which is done on the Computer pols - forcing logoffs, no matter who, in the ICT Suite and Classroom PCs.

    Office users are only exempt if they're logged on to Office PCs this way! Users logged onto laptops that are allowed to leave the premises are also exempt from this forced loggoff for obvious reasons.



SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 20
    Last Post: 30th April 2012, 02:26 PM
  2. Setting a time limit a user can use a computer
    By FN-GM in forum Wiki Announcements
    Replies: 3
    Last Post: 20th August 2008, 04:23 PM
  3. Replies: 4
    Last Post: 12th July 2007, 09:11 PM
  4. Replies: 4
    Last Post: 27th September 2006, 03:31 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •