29th October 2008, 05:09 PM #1
Computer /User Restrictions?
OK, I have previously looked at applying restrictions based on computers which I had separated based on room/department. However, after briefly playing around with the settings, I couldn't actually find a good enough reason to start applying restrictions in this way. Currently restrictions are separated into teachers and pupils, allowing slightly different restrictions to allow staff a little bit more control. These policies are then applied to any computers when the user logs on. Having separated each year group, it is possible for me to change the access each year group has individually.
Now I have been speaking to another techie at a different school where they apply restrictions based on computers. Obviously any user who logs on can't do anything that IT support don't want them to. But then this results in having to do some software installs whilst logged on as the local admin rather than a network user.
So how do you do it? And what are the advantages of restricting computer groups over users?
29th October 2008, 06:46 PM #2
What sort of "restrictions" ?
We have Windows AD \ GPO Policies, we stop:
1) Access to Control Panel (and its CPL files) - for students, but staff can access on the staff network;
2) CMD / RUN
3) Software Restriction Policy, to block all apps apart from specified (read-only) shares, (we have a less restrictive one for Programmers);
4) Other stuff - desktop / startmenu / &c;
But this is all done via user policies.
The only place I have a loopback policy is the staff room, where the Control panel is hidden, so that no-one can mess with the screensaver, as it's an auto-exit one.
30th October 2008, 09:43 AM #3
We have got similar policies in place to restrict all the usual types of things you have mentioned. But this has been done through the user policies so you can be a bit more flexible when it comes to the restrictions applied to each year group and staff.
Sorry if it's not clear, as I am uncertain as to the reasons behind their setup. Here restrictions (what staff & students can access and the layout of their desktop) are applied when a user logs on so that each user may get a slightly different desktop depending on their group. However, am I right in thinking that if restrictions are set at computer level that the desktop will be the same for everyone using that computer, including Network Admins?
What I was after is if someone could give me some advice if they have a similar system setup. What advantages are there of applying settings per computer rather than user and what effects does this have on the administration?
As far as I am aware there has never been an issue here with pupils doing things they shouldn't be doing that couldn't be fixed by changing the user policies. I can't see a reason to apply settings at computer level over user, but should I be looking at applying settings at computer level, or is user level good enough?
30th October 2008, 12:15 PM #4
You can have more than one group policy applying at a time, so you need to distinguish between user and computer settings and keep the policies separate.
Typically, we have a machine level policy in which only machine type settings are set... this enables us to do different things with different machines (e.g. admin machines, ict suite machines, laptops and classroom desktops are all treated slightly differently)
We also have group pols for different groups of users, so admin users, teachers and pupils are treated differently with user type settings
We don't try to do everything in one group policy. Computer settings in the policy for the PC, user settings in the one for user.
That way a teacher and a pupil can have different user settings at the same machine, but anyone logged on that classroom PC will have the same computer settings.
30th October 2008, 01:19 PM #5
I have split computers into separate OUs so I can easily distinguish between departments and I also have separate Policies for Users.
Sorry, but I meant applying user settings in computer policies. Doesn't this then limit what the user settings are able to do? Or can these be overridden by the user settings?
I just thought that it would cause extra work in administration to do it that way?
elsiegee40 : That is how I have it at the moment. Departments only get settings based on their rooms from the computer policies, users get their own settings which are applied all over the school from their user policies.
I was just curious as to how other people do it as I wanted to make sure I was covering all the bases. It sounds to me like there is not much difference in how the settings are set, just in how they are administered?
30th October 2008, 02:20 PM #6
I keep computer and user settings in separate policies because it's easier to get my head round and I don't get confused that way.
You can mix them, but it doesn't mean it's the best way to do it. (At least for me anyway)
The only exception I have is 'Logoff when logon hours expire' which is done on the Computer pols - forcing logoffs, no matter who, in the ICT Suite and Classroom PCs.
Office users are only exempt if they're logged on to Office PCs this way! Users logged onto laptops that are allowed to leave the premises are also exempt from this forced logoff for obvious reasons.
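The question running through the thread is what happens to user settings placed in a policy linked to computers. The following is an added example, not part of any post above: a simplified Python model of how the user half of Group Policy resolves with and without loopback processing. The GPO names and setting names are constructed for illustration, and security filtering, inheritance blocking and enforcement are left out.

```python
# Added example: simplified model of how Group Policy user settings resolve.
# All GPO names and setting names are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    user: dict = field(default_factory=dict)      # User Configuration half
    computer: dict = field(default_factory=dict)  # Computer Configuration half


def apply_in_order(gpos, half):
    """Merge one half of each GPO; later GPOs in the list win conflicts."""
    result = {}
    for gpo in gpos:
        result.update(getattr(gpo, half))
    return result


def effective(user_gpos, computer_gpos, loopback=None):
    """user_gpos / computer_gpos: GPOs in scope for the user's / computer's OU.
    loopback: None, "merge" or "replace", enabled on the computer side."""
    if loopback is None:
        user_sources = list(user_gpos)            # computer-OU user half ignored
    elif loopback == "merge":
        user_sources = list(user_gpos) + list(computer_gpos)  # computer OU wins
    elif loopback == "replace":
        user_sources = list(computer_gpos)        # user's own GPOs dropped
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    return {"computer": apply_in_order(computer_gpos, "computer"),
            "user": apply_in_order(user_sources, "user")}


# Constructed sample policies, loosely following the thread's setup.
STAFF = GPO("Staff users", user={"HideControlPanel": False, "DisableCmd": False})
PUPILS = GPO("Pupil users", user={"HideControlPanel": True, "DisableCmd": True})
STAFF_ROOM = GPO("Staff room PCs",
                 user={"HideControlPanel": True},
                 computer={"ForceLogoffAtHoursExpiry": False})
ICT_SUITE = GPO("ICT suite PCs", computer={"ForceLogoffAtHoursExpiry": True})

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, effective([STAFF], [STAFF_ROOM], loopback=mode)["user"])
```

Without loopback, the user half of the staff room policy has no effect on a staff member; merge mode overrides only the conflicting setting, and replace mode discards the user's own policies entirely.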