rpettit Posted May 15, 2011 Report Posted May 15, 2011 We have a laptop scheme where students have their own school laptops and have a local and domain login. We need to restrict the logon to the local account when the student are in school. We have looked at changing proxy setting etc within the school but it is not just the internet we wish to stop them from accessing. We need to restrict their access to local account. There is a group policy under computer policies to only allow certain accounts to login, this restricts the student from logging in locally (as we only allow administrators, domain admins and other group to login) but we need this policy to be removed on shutdown. This is because they take the laptop home from school and need to login locally. So the policy get applied within the school's domain but not when they turn their machine on at home (as there is no way for the machine to access the domain) so does not apply the restriction. We have looked at a script to allow account access during certain times but we need to allow access during the holidays and this may not be manageable. This has become an urgent issue that needs to be solved. Many thanks for any help or advice.
TheMan100 Posted May 15, 2011 Report Posted May 15, 2011 So you want to disallow local access when connected to the domain, but allow local access when at home?
bart21 Posted May 15, 2011 Report Posted May 15, 2011 How about setting the caches logins gpo then they can use domain account when at school or home. Nick
Steve21 Posted May 15, 2011 Report Posted May 15, 2011 We have looked at changing proxy setting etc within the school but it is not just the internet we wish to stop them from accessing. We need to restrict their access to local account. Why do you need them to have access to anything locally? I mean, assuming you just want them to access files/internet at home, they shouldn't be able to install stuff at home right? or edit any major settings? Steve
rpettit Posted May 15, 2011 Author Report Posted May 15, 2011 So you want to disallow local access when connected to the domain, but allow local access when at home? Yes this is what we need to do.
rpettit Posted May 15, 2011 Author Report Posted May 15, 2011 Why do you need them to have access to anything locally? I mean, assuming you just want them to access files/internet at home, they shouldn't be able to install stuff at home right? or edit any major settings? Steve They do need to install printers and add the laptops to their home network.
clareq Posted May 15, 2011 Report Posted May 15, 2011 Why don't you give them local admin access for the first week they have the laptop - enough time to load printers, local network settings etc, and then remove it? They can then used cached network settings at home.
rpettit Posted May 15, 2011 Author Report Posted May 15, 2011 Why don't you give them local admin access for the first week they have the laptop - enough time to load printers, local network settings etc, and then remove it? They can then used cached network settings at home. Thanks for the advice. I will look at this as a last resort. I was hoping to come an alternative.
TheMan100 Posted May 15, 2011 Report Posted May 15, 2011 (edited) How about a login script which will run on the local user's account, which will check if it's connected to the school network, and if they are connected, the script will log off the local account. I'm guessing this could be done by pinging a server in your network, then if the ping request receives a reply, log the local account off. EDIT: But then again, if they disable wireless on the laptops, they could skip this. Edited May 15, 2011 by TheMan100
featured_spectre Posted May 15, 2011 Report Posted May 15, 2011 Personally I can't see why you want them to have 2 accounts. A cached login would be much more efficient, and you could have the my docs sync when they log in and out in school...
TheMan100 Posted May 15, 2011 Report Posted May 15, 2011 Personally I can't see why you want them to have 2 accounts. A cached login would be much more efficient, and you could have the my docs sync when they log in and out in school... "They do need to install printers and add the laptops to their home network."
featured_spectre Posted May 15, 2011 Report Posted May 15, 2011 And get viruses and Trojan by disabling the firewall and av....which is exactly how I read it...
rpettit Posted May 15, 2011 Author Report Posted May 15, 2011 Personally I can't see why you want them to have 2 accounts. A cached login would be much more efficient, and you could have the my docs sync when they log in and out in school... Are you using cached login? I haven't looked at setting this up before so any additional information would be great.
sister_annex Posted May 15, 2011 Report Posted May 15, 2011 We don't give students laptops but our teachers do have them... We dual boot all our laptop installs and leave over a third partition for data storage that can be accessed from both the 'home' and 'school' sides. Granted this does take a little longer to set up but it does mean that although the 'home' side could be (and sometimes is) used on the school network access to resources like the internet etc. is very difficult as the information for proxies etc. is not readily available. The school side acts as a normal 'school' computer that is joined to the domain and gets all the policies etc whereas the 'home' side is much like a standard shop bought install where they can do as they please install their home broadband software printers and so forth. In short the management of the way do it is very simple in terms of domain non domain uses and there is no additional steps that teachers need to think off (just an extra click at boot )
morganw Posted May 15, 2011 Report Posted May 15, 2011 I think a dual-boot system would require two Windows licences. I'm not sure how this would work if you have a Microsoft agreement, but if you are using OEM licences then I don't think that this is legal approach.
TheMan100 Posted May 15, 2011 Report Posted May 15, 2011 In the Microsoft Agreement (for Windows 7, but I'm guessing this can be applied to the rest of the operating systems), it states: "The software is licensed on a per copy per computer basis. A computer is a physical hardware system with an internal storage device capable of running the software. A hardware partition or blade is considered to be a separate computer." and... "One Copy per Computer. You may install one copy of the software on one computer. That computer is the “licensed computer.” b. Licensed Computer. You may use the software on up to two processors on the licensed computer at one time. Unless otherwise provided in these license terms, you may not use the software on any other computer. c. Number of Users. Unless otherwise provided in these license terms, only one user may use the software at a time."
glennda Posted May 15, 2011 Report Posted May 15, 2011 Surely with regards to licensing - if you are under the new schools agreements it doesn't matter? as its all down to number of full time staff rather then pc quantities? so you could have hundreds and hundreds of installs? EDIT: sorry to remove off topic - also i'm not 100% sure of new licensing model as purchased out of it
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now