setting permissions so restricted users can't change background/screen savers, or create passwords


niteowl

Hi all,

I'm the IT guy for a small charter school, and have been having
challenges with students creating wallpaper, screensavers, etc. that
are inappropriate.. is there a way to make it impossible for them to
access these services in restricted profiles??

I'm currently on my home computer, so may not be able to give specific
details, but all computers are running XP Pro with SP2, on a high
speed LAN.

Some students were also creating passwords and that shouldn't have
been possible either I would have thought... is there any way to make
it impossible for them to accomplish that also?

All computers have a "Teacher" profile which is an administrative
acct. and a "Student" profile which is a restricted acct.

Thanks for any info.

niteowl
 
niteowl said:
Hi all,

I'm the IT guy for a small charter school, and have been having
challenges with students creating wallpaper, screensavers, etc. that
are inappropriate.. is there a way to make it impossible for them to
access these services in restricted profiles??

I'm currently on my home computer, so may not be able to give specific
details, but all computers are running XP Pro with SP2, on a high
speed LAN.

Some students were also creating passwords and that shouldn't have
been possible either I would have thought... is there any way to make
it impossible for them to accomplish that also?

All computers have a "Teacher" profile which is an administrative
acct. and a "Student" profile which is a restricted acct.

Use the Group Policy.

Start>run and type

gpedit.msc

then navigate to here:
User Configuration>Administrative Templates>Desktop.

You will find the items you require here.
 
These suggestions apply to a computer in a workgroup. Let us know
if you have a server acting as a domain controller.

Log on to the computer with the Student account.
Set up the wallpaper and screensaver that you want displayed.
Go to Control Panel -> User accounts and change the Student
account password. You can reset it to a blank password if you
want.

Log off and log back on with the Teacher account.
Go to Start -> Run and enter gpedit.msc in the Open box.
Navigate to the following location:

User Configuration\Administrative Templates\Control Panel\Display

You will find two policies in the right hand pane that you might
find useful.
1. Prevent changing wallpaper
2. Screensaver executable name
Right click on each of these policies and select Enable.
Click on the Explanation tab to see what effect these settings
will have.

As for the password issue, right click My Computer and select
Manage from the drop down menu.
Expand Local Users and Groups.
In the Users folder, right click on the Student account and
select Properties.
On the General page, put a check mark in the box next to "User
cannot change password".


You might want to become familiar with Local Group Policy. You
can use it to limit the changes that the students can make to
these computers. The only downside is that the changes you make
are applied to all the users, including members of the
administrators group. You can get around this problem by
following either of the procedures outlined in these articles:

http://www.theeldergeek.com/gp07.htm

http://support.microsoft.com/default.aspx?scid=kb;en-us;293655
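
A way to confirm the settings from the post above actually took effect on each lab machine, as an added example that is not part of the original reply. It assumes the account name "Student" from the thread, that it is run while logged on as that account, and that the two Display policies are stored at the HKCU registry locations shown in the comments.

```batch
@echo off
rem Added example: audit one workstation for the three settings described above.
rem Run while logged on as the restricted account, so HKCU is that user's hive.
rem Assumption: the account is named "Student", as in the thread.
setlocal
set ACCT=Student
set FAIL=0

rem "User cannot change password" appears in net user output as
rem "User may change password     No".
net user %ACCT% | find /i "User may change password" | find /i "No" >nul
if errorlevel 1 (
    echo [FAIL] %ACCT% is still allowed to change its password
    set FAIL=1
) else (
    echo [ OK ] %ACCT% cannot change its password
)

rem "Prevent changing wallpaper" is stored as NoChangingWallPaper = 1.
set KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
reg query "%KEY%" /v NoChangingWallPaper 2>nul | find "0x1" >nul
if errorlevel 1 (
    echo [FAIL] Prevent changing wallpaper is not enabled for this user
    set FAIL=1
) else (
    echo [ OK ] Prevent changing wallpaper is enabled
)

rem "Screensaver executable name" is stored as a SCRNSAVE.EXE string value.
set KEY=HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
reg query "%KEY%" /v SCRNSAVE.EXE >nul 2>&1
if errorlevel 1 (
    echo [FAIL] Screensaver executable name is not enforced for this user
    set FAIL=1
) else (
    echo [ OK ] Screensaver executable name is enforced
)

rem Exit code 0 means all three checks passed, 1 means at least one failed.
exit /b %FAIL%
```

Policy changes are applied at logon, so log the Student account off and back on before running the check.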
 
niteowl said:
Hi all,

I'm the IT guy for a small charter school, and have been having
challenges with students creating wallpaper, screensavers, etc. that
are inappropriate.. is there a way to make it impossible for them to
access these services in restricted profiles??

I'm currently on my home computer, so may not be able to give specific
details, but all computers are running XP Pro with SP2, on a high
speed LAN.

Some students were also creating passwords and that shouldn't have
been possible either I would have thought... is there any way to make
it impossible for them to accomplish that also?

All computers have a "Teacher" profile which is an administrative
acct. and a "Student" profile which is a restricted acct.

You've gotten good answers, but I just wanted to add a few things. We
have our computers in the school lab on a domain with a server running
Win2003, which gives you far more control than a Workgroup. I highly
suggest you look into that if you aren't running a domain already. If
you can't use a server, you can still create a locked down workstation
using Group Policy Editor, test it, and then image that to the other
workstations. Your students should only be able to run the programs
they need to and to save their files to a specific folder on the
server. They should not be able to do anything else on a workstation.

You might also want to look into DeepFreeze, which is excellent software
to return workstations to a pristine state. Here's the url:

http://www.faronics.com/index.asp

Malke
 
Thank You for the detailed instructions.. I'm really a webmaster who
has kind of been expected to take over the entire school's system, so
I'm learning this as I go... this will be very helpful.

This is a workgroup situation, no server acting as a domain, and I
don't know how to set that up yet anyway, that's for another time.

All these computers are on a "workgroup" but none are shared so that
they can be accessed that I know of... that would be handy at times
to transfer files directly to the teachers' stations. (which are their
laptops)

I will do this tomorrow.... the computer lab has 50 stations, all
independently setup... and all slightly different as teachers add this
and that to some.. it's kind of a hodge podge, summer time will be
redoing everything and starting fresh for the fall, so I need to learn
how to do that "image" thing, what do I need for that?

again, thanks for the info,

niteowl
 
Thank you for the info, I will check this out and see if we can get a
server machine... I don't know how to set that up, as I said to
someone else, but it's on my list of things to learn..


thanks again,

niteowl
 
' that "image" thing, what do I need for that?'
You use imaging software, like Norton Ghost or Acronis TrueImage.
 
niteowl said:
Thank you for the info, I will check this out and see if we can get a
server machine... I don't know how to set that up, as I said to
someone else, but it's on my list of things to learn..
You're most welcome, Niteowl. Win2003 server is quite easy to set up,
especially since all you'd basically be using it for would be a file
server and not doing mail, web hosting, etc. Of course there is a
learning curve, but the initial setup "wizard" makes it relatively
easy. Post back if you need more help.

Best of luck,

Malke
 
ok, I have Acronis, and I have actually done that once on my home
computer, but had to open the case and mess with removing hard drives
then transferring the image, then rehooking up the hard drives... is
there an easier way? Would a USB portable hard drive work? I have a
USB portable case that I can put a hard drive in, or a CDRW or
whatever and I'm thinking that would be easier than having to open up
the cases and mess with cables.

Am I correct in this assumption?

thanks again.

btw, the info you gave me worked great, and I've fixed the offending
computers. ;) now I just need a way to maintain them easily. The
network setup that was done on them originally is very lacking in
controls I'm finding.

It's looking to be a learning summer.

thanks again for your help.

niteowl
 
thanks Malke,

As to your offer of help, if you could clarify a few things for me
that would be great.... the main question is one of physical
placement of the server machine...

the school has internet access, into a Cisco switch, that then goes
into a patch bay (I guess that's what you'd call it) which is the link
from the switch to each of the computer drops via the cat5 cables -
throughout the school.

Does it matter where the server machine is located?
How is it hooked up to the switch to let it work as the server?
Is that determined by simply where it's connected to the cisco box?
(I told you I was new to this) ;)

If it works the way I think it will, then I think it shouldn't be that
difficult to set this up. Will I need to setup a domain or leave it
as a workgroup? or is that not a consideration when using win2003?

Will I have to reconfigure all the computers as part of setting up
win2003? Will the win2003 machine work with the XP Pro machines, or
do I have to upgrade all the machines to win2003? That could get to
be more expensive than we have funds for... ??

I better quit, the questions are coming too fast....

thanks for the info.

niteowl
 
You have some serious reading up to do on network architecture,
setting up/installing Win2003 Server, AND setting up a Domain. You
need to have at least a rudimentary understanding of DNS and Active
Directory, and for the number of workstations you are looking at you'd
be foolish to not also consider using your server as a DHCP server.
More reading.

There are several good books out there, and many schools offer classes
that will help.

The other thing you need to consider is cost. A low grade server can
be bought for around $500, but that is rock-bottom cheap with hardly
any memory, an IDE drive instead of SCSI, and that drive will be on
the low side of GBs of storage. Add to that the cost of the software
(Win2003 Server isn't cheap) and all the licenses you'll need to
obtain...well, you are easily going to sink thousands of dollars into
this venture. It's not a bad venture, but make sure you go in knowing
the amount of capital you'll be needing.
 
niteowl said:
Thank You for the detailed instructions.. I'm really a webmaster who
has kind of been expected to take over the entire school's system, so
I'm learning this as I go... this will be very helpful.

This is a workgroup situation, no server acting as a domain, and I
don't know how to set that up yet anyway, that's for another time.

All these computers are on a "workgroup" but none are shared so that
they can be accessed that I know of... that would be handy at times
to transfer files directly to the teachers' stations. (which are their
laptops)

I will do this tomorrow.... the computer lab has 50 stations, all
independently setup... and all slightly different as teachers add this
and that to some.. it's kind of a hodge podge, summer time will be
redoing everything and starting fresh for the fall, so I need to learn
how to do that "image" thing, what do I need for that?

again, thanks for the info,

niteowl

both of these links make reference to having a windows 2000 server
machine... which I don't have... unless WindowsXP is considered a
windows2k machine.. ?????

Will these changes work on an XP machine?

thanks,
niteowl
 
niteowl said:
both of these links make reference to having a windows 2000
server machine... which I don't have... unless WindowsXP is
considered a windows2k machine.. ?????

Will these changes work on an XP machine?

thanks,
niteowl

Yes, they will. Sorry for not pointing that out.

This one is the easiest to implement:

Group policy in a workgroup
http://www.theeldergeek.com/gp07.htm

If the policies you want to change are all in the User
configuration branch of the local group policy then you can avoid
having them apply to the administrator's group by changing the
NTFS permissions on the Windows\System32\Group Policy folder to
explicitly deny Read permissions, and only Read permissions, for
the Administrators group. Don't be tempted to deny Full Control
or you won't be able to reset the group policy. The downside
of this approach is that every time you want to run gpedit.msc
you're going to have to remove the deny Read permission on the Group
Policy folder for the Administrators group. Keep in mind that in
order to change the permissions, you have to disable Simple File
Sharing on each machine.

Even though the Microsoft article is written for Windows 2000 it
will work with XP. This approach is slightly more involved. The
advantage is that you would not have to disable Simple File
Sharing.

http://support.microsoft.com/default.aspx?scid=kb;en-us;293655

If you use this approach make sure that in step 10 you change
the settings to Disabled and not to the default "Not Configured".
That's a mistake I kept making when I first used this procedure.

While Group Policy is an excellent tool it is not without risks.
Make sure you understand the impact changing a policy will have
before you enable it. Click on the Explanation tab if you're not
sure. Until you get familiar with the procedure, I'd suggest only
enabling policies that affect the Windows environment. Once you
feel confident in your knowledge level you can start working with
the policies which deal with security and logon issues.

Post back if you have any questions.

Nepatsfan
 
