School setup - very limited user accounts.

Simon

Hi,

I am the "network admin" for a school of about 700 kids.
I have some good knowledge, (as a developer), of computers but I wouldn't
say I am a real network administrator.

Everything has been physically set up, (all the computers are linked and so
on).
Currently we have a username and password for each computer and depending
on where the kids are sitting they must use that account.

What we would like to do is set up a very limited user account for each kid.
So that when the kids move on thru the years we can delete their account as
needed and the computer will remain free of the usual junk associated with
kids :).

What we would like is an account where they cannot save anything to the
local drive.
They would only have one folder, (with their username), on the file server.

This is important so that if a computer goes down or if a teacher moves a
kid to another desk, (for whatever reason), then all their profile, files
will be the same.

As we are a government school our budget is limited so I would like to try
and set this up without having to call in an administrator.
And more importantly I would like to know how it is done so I can fix any
problems in future.

I hope this makes sense.

Is there any tutorial to help me set up such user group/accounts?

Simon
 
Newbie Coder

Simon,

I look after 800 schools in the county I live in so understand what you mean.

Why can't you set them to roaming & use the service Microsoft supplies to keep the
redundant profiles clean?

The one folder with their username is their home drive which can be set up on the profile
tab of their AD account then in the login script you can use

net use o: /home

Then if a hard drive goes down the child hasn't lost their settings. You will need to do a
profile quota so they cannot pull too much when logging on/off
 
Simon

Many thanks for your reply,
> Why can't you set them to roaming & use the service Microsoft supplies to
> keep the redundant profiles clean?

That's what I would need.
Do I need to create a special usergroup?

> The one folder with their username is their home drive which can be set up
> on the profile tab of their AD account then in the login script you can use
>
> net use o: /home

Can I not create a usergroup and making them a member of that group would
set up a roaming profile and add the "net use o: /home" to their login
script?

> Then if a hard drive goes down the child hasn't lost their settings. You
> will need to do a profile quota so they cannot pull too much when logging on/off

As I would need to create 700 user accounts I would rather create one
account, (surname.firstname), and everything else would be created
automatically, (login script, user profile drive and so on).

Would I be able to prevent them from saving anything onto the local hard
drive?

Simon
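
Added example, not part of the original thread and not any poster's own script: one way to bulk-create the per-student accounts discussed above with the ActiveDirectory PowerShell module, setting the home drive and roaming profile path, adding each account to a group, and restricting each home folder to its owner. The domain `school.example` / `SCHOOL`, server `FS01`, the share names, the OU, the group name and the CSV layout are all assumptions.

```powershell
# Added example. Assumed names: school.example / SCHOOL, \\FS01\Home$, \\FS01\Profiles$,
# OU=Students, group "Students", students.csv with header FirstName,Surname.
Import-Module ActiveDirectory

$homeRoot    = '\\FS01\Home$'      # hidden share holding one folder per student
$profileRoot = '\\FS01\Profiles$'  # roaming profiles; the subfolder is created at first logon
$ou          = 'OU=Students,DC=school,DC=example'
$rng         = [System.Security.Cryptography.RandomNumberGenerator]::Create()

Import-Csv .\students.csv | ForEach-Object {
    $sam = ('{0}.{1}' -f $_.Surname, $_.FirstName).ToLower() -replace '[^a-z0-9.]', ''
    if ($sam.Length -gt 20) { Write-Warning "$sam exceeds 20 characters, skipped"; return }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { Write-Warning "$sam exists, skipped"; return }

    # Unique random initial password per student; the suffix only guarantees the
    # lower/digit/symbol classes that the default complexity policy asks for.
    $bytes = New-Object byte[] 9
    $rng.GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes) + 'x7!'

    $homeDir = Join-Path $homeRoot $sam
    New-ADUser -Name $sam -SamAccountName $sam -GivenName $_.FirstName -Surname $_.Surname `
        -UserPrincipalName "$sam@school.example" -Path $ou `
        -HomeDrive 'O:' -HomeDirectory $homeDir -ProfilePath (Join-Path $profileRoot $sam) `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true

    # Rights are granted to the group, not to each account individually.
    Add-ADGroupMember -Identity 'Students' -Members $sam

    # New-ADUser only records the path, so create the folder and lock it down:
    # drop inherited entries, then allow only the student, Administrators and SYSTEM.
    New-Item -ItemType Directory -Path $homeDir -Force | Out-Null
    $acl = Get-Acl $homeDir
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($e in @(@("SCHOOL\$sam", 'Modify'), @('BUILTIN\Administrators', 'FullControl'), @('NT AUTHORITY\SYSTEM', 'FullControl'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e[0], $e[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $homeDir -AclObject $acl

    # Sensitive output: use it to print login slips, then delete the file.
    [pscustomobject]@{ User = $sam; InitialPassword = $plain }
} | Export-Csv .\initial-passwords.csv -NoTypeInformation
```

With the home drive and home directory set on the account, Windows maps `O:` at logon, so the `net use o: /home` line in a login script becomes optional.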
 
Malke

Simon said:
> Hi,
>
> I am the "network admin" for a school of about 700 kids.
> I have some good knowledge, (as a developer), of computers but I
> wouldn't say I am a real network administrator.
>
> Everything has been physically set up, (all the computers are linked and
> so on).
> Currently we have a username and password for each computer and
> depending on where the kids are sitting they must use that account.
>
> What we would like to do is set up a very limited user account for each kid.
> So that when the kids move on thru the years we can delete their account
> as needed and the computer will remain free of the usual junk associated
> with kids :).
>
> What we would like is an account where they cannot save anything to the
> local drive.
> They would only have one folder, (with their username), on the file server.
>
> This is important so that if a computer goes down or if a teacher moves
> a kid to another desk, (for whatever reason), then all their profile,
> files will be the same.
>
> As we are a government school our budget is limited so I would like to
> try and set this up without having to call in an administrator.
> And more importantly I would like to know how it is done so I can fix
> any problems in future.
>
> I hope this makes sense.
>
> Is there any tutorial to help me set up such user group/accounts?
>
> Simon

You've gotten really good advice from other posters. I'm going to give
you some harder but more practical advice: get an outside computer tech
in to set you up properly and show you what s/he's done. You've said it
yourself - you're a developer, not a network administrator. There's a
lot more to administering a school network than just setting up user
accounts. If you want to do this right and not half-baked, then don't be
afraid to get outside help.

I do not say this to hurt your feelings in any way; I'm just being
pragmatic about it. If you decide you can't get outside help, look at
Deep Freeze by Faronics as a good solution. Also make sure you image all
the machines regularly because you're going to need to do a lot of
wiping/restoring.


Malke
 
Simon

> You've gotten really good advice from other posters. I'm going to give you
> some harder but more practical advice: get an outside computer tech in to
> set you up properly and show you what s/he's done. You've said it
> yourself - you're a developer, not a network administrator. There's a lot
> more to administering a school network than just setting up user accounts.
> If you want to do this right and not half-baked, then don't be afraid to
> get outside help.
>
> I do not say this to hurt your feelings in any way; I'm just being
> pragmatic about it. If you decide you can't get outside help, look at Deep
> Freeze by Faronics as a good solution. Also make sure you image all the
> machines regularly because you're going to need to do a lot of
> wiping/restoring.

No offence at all, I am realistic, I understand that it is not as
straightforward as I try to paint it.
But before/if I go down the route of getting outside help I must make sure I
know what I am talking about.

So reading as much as possible and knowing what can and cannot be done will
help me greatly.
If I could do it myself it would be great, but I will know when I am beat
and require outside help.

And if I have to go to the head teacher I need to be fairly confident of
what I require and what the costs might be.

Simon
 
(PeteCresswell)

I'm not a LAN guy either - but I have a 15-year-old pounding on
my two PCs at home several hours a day.

I'd venture that:
-----------------------------------------------------------------
1) You're on the right path with a user account for each student.

2) An important thing will be determining what rights to
grant the user groups that most students are put into and
*not* defining the rights of each and every account.

That way if some students need different rights, you have a
set of canned solutions and granting/removing them is as
simple as adding/removing a student's ID to/from a
pre-configured group.

3) You need to master the technology of re-imaging a PC from
afar. I haven't got a clue - but I know it exists.

With "push" re-imaging, you can easily deal with a PC whose system
a student has managed to mess up without having to
troubleshoot the PC.

4) When you set up the user accounts, give the students a "Home"
(usually H:) drive where that student can store their stuff in
a personal directory on a LAN file server - that nobody else
can get to.

5) You might want to look into some way of batch re-imaging all
the PCs - let's say every Friday night.

That would have the effect of getting the message out that
data is not tb stored on C: and also clean out whatever junk
might be accumulating there.

6) If the PCs are tb accessing the internet, you have a whole
other set of considerations that I can't even begin to
go on about - I just know they're there.
 
Mike Hall - MVP

Simon said:
> No offence at all, I am realistic, I understand that it is not as
> straightforward as I try to paint it.
> But before/if I go down the route of getting outside help I must make sure
> I know what I am talking about.
>
> So reading as much as possible and knowing what can and cannot be done
> will help me greatly.
> If I could do it myself it would be great, but I will know when I am beat
> and require outside help.
>
> And if I have to go to the head teacher I need to be fairly confident of
> what I require and what the costs might be.
>
> Simon


Simon

You should look at 'Deep Freeze' as Malke suggested.

http://www.faronics.com/html/deepfreeze.asp

You can download and evaluate the product and you can also attend
'webinars'. The website pretty much covers all exits.
 
VanguardLH

Simon said:
> Hi,
>
> I am the "network admin" for a school of about 700 kids.
> I have some good knowledge, (as a developer), of computers but I
> wouldn't say I am a real network administrator.
>
> Everything has been physically set up, (all the computers are linked
> and so on).
> Currently we have a username and password for each computer and
> depending on where the kids are sitting they must use that account.
>
> What we would like to do is set up a very limited user account for
> each kid.
> So that when the kids move on thru the years we can delete their
> account as needed and the computer will remain free of the usual
> junk associated with kids :).
>
> What we would like is an account where they cannot save anything to
> the local drive.
> They would only have one folder, (with their username), on the file
> server.
>
> This is important so that if a computer goes down or if a teacher
> moves a kid to another desk, (for whatever reason), then all their
> profile, files will be the same.
>
> As we are a government school our budget is limited so I would like
> to try and set this up without having to call in an administrator.
> And more importantly I would like to know how it is done so I can
> fix any problems in future.
>
> I hope this makes sense.
>
> Is there any tutorial to help me set up such user group/accounts?


If the kids have physical access to the computer, they will find a way
around your protections. You could configure the BIOS to not allow
booting from CD, floppy, USB, or other non-hard drive devices but some
kids can Google, too, and find out how to reset the BIOS if you
haven't locked the cases. You might want to look into save-state
programs so you can restore the system back to how YOU or the teachers
want it configured, like using Microsoft's SteadyState or similar.
 
Simon

> If the kids have physical access to the computer, they will find a way
> around your protections. You could configure the BIOS to not allow
> booting from CD, floppy, USB, or other non-hard drive devices but some
> kids can Google, too, and find out how to reset the BIOS if you haven't
> locked the cases. You might want to look into save-state programs so you
> can restore the system back to how YOU or the teachers want it configured,
> like using Microsoft's SteadyState or similar.

Thanks, I did not think of that.

The kids have full access to the computers, (USB, CD, etc).

So I guess SteadyState or the other software mentioned would be a very good
option.
I kind of like the idea of running a batch update on Fridays so that the
computers are 'cleaned' once a week and all I would have to worry about is
the state of the servers.

Simon
 
(PeteCresswell)

Per Simon:
> I kind of like the idea of running a batch update on Fridays so that the
> computers are 'cleaned' once a week and all I would have to worry about is
> the state of the servers.

Maybe I'm unduly paranoid..... maybe not.... but my thinking
around periodic cleansing partially involved some kid leaving
porn on a PC - tb discovered by somebody with a significant
capacity for righteous indignation.... and maybe having the
resulting little storm find its way back to the system admin.

What did they say in the army? "CYA All The Way"?
 
VanguardLH

Simon said:
> Thanks, I did not think of that.
>
> The kids have full access to the computers, (USB, CD, etc).
>
> So I guess SteadyState or the other software mentioned would be a
> very good option.
> I kind of like the idea of running a batch update on Fridays so that
> the computers are 'cleaned' once a week and all I would have to
> worry about is the state of the servers.
>
> Simon


For kids, I was thinking more along the lines that you would add a
scheduled event to run 'shutdown' sometime during the wee hours of the
morning. If the teacher forgot to power down the hosts (so they have
to reboot) then the shutdown takes care of that. Then after the
reboot, the host is returned to the base or clean state. The idea is
that the host would get reset everyday so in the morning the host was
back in the known state. I wouldn't let the kids have their way for a
week.
 
(PeteCresswell)

Per VanguardLH:
> The idea is
> that the host would get reset everyday so in the morning the host was
> back in the known state. I wouldn't let the kids have their way for a
> week.

Now that you've said it and I've thought about what I said - it's
pretty obvious that I was wrong about the week interval....
especially since the process costs essentially nothing....
 
VanguardLH

> Per VanguardLH:
>
> Now that you've said it and I've thought about what I said - it's
> pretty obvious that I was wrong about the week interval....
> especially since the process costs essentially nothing....


Although the admin looks like he wants to leave the CD/DVD, USB drive,
and other devices enabled, he should reconsider whether he lets the
host boot from those devices. Even SteadyState can be circumvented if
a bootable device (other than where SteadyState is run) is used to
bring up a different instance of an OS. The boot drive order in the
BIOS should be configured to ONLY boot from the hard drive - AND - the
case must be locked to prevent the kids from clearing the CMOS copy of
the BIOS settings.

Kids always push boundaries. After all, they won't know where they
are until they hit them, and they won't hit them unless you set AND
enforce them.
 
