Steady State and Domain Workstation Accounts

  • Question

  • Hi All,

    Here's my situation. I work in a school district and currently we have 500+ laptops in the high school. They're on a domain and group policy handles most of the security issues. Unfortunately, normal users are allowed to delete the wireless SSIDs from wireless network properties. This is a tremendous hole. Entire labs of laptops are routinely disabled by student vandals for fun. I've hidden the wireless icon and entire notification area in an attempt to fight them. This is not ideal, since wireless signal is then no longer visible in the tray. Even then, they still found a way to disable the wireless.

    I would like to enable WDP to effectively freeze the machines in a known good state. However, I need a way to make sure they do not fall off the domain when the time comes for workstation domain passwords to be changed. We have no time for regular Windows updates, and the machines are powered off and locked up at night. We rarely have time to update Windows except in the summer.

    Is there a way for me to use WDP and somehow keep the workstation passwords up to date, without worrying about Windows updates? If not, I would like to make a feature request for Steady State to be able to make WDP work without hosing domain membership.

    Thanks
    Friday, January 18, 2008 7:30 PM

Answers

  • Hi Bikester,

    Thank you for posting here!

    Based on my experience, if you have WDP enabled and configured to "Remove all changes at restart", no changes will be saved except Schedule Software Updates. In this situation, we can only update the computer password through Schedule Software Updates. Another method is to manually configure WDP to save changes. WDP then automatically initiates a password change every time disk changes are saved.

    Please understand that SteadyState was not designed for domain environments, which have been provided with many powerful tools such as Group Policy to manage the clients. This is an expected behavior which has been described in the Handbook.

    Based on the current situation, I would like to provide the following suggestions:

    Suggestion 1. If you would like to enable WDP, we can run a scheduled update every week in spare time.

    Suggestion 2. As most configuration changes are saved to the registry, how about making a script/batch file to restore this configuration at system or user logon?

    Hope this information helps.

    Best Regards,

    Monday, January 21, 2008 6:24 AM

All replies

  • Hi,

    Every 30 days a computer tries to change its domain password. This behaviour conflicts with SteadyState. There is a very simple solution for this: change the value on all clients with SteadyState installed to 9999 (which is about 27 years instead of 30 days). I have tested this and this is also the way DeepFreeze (=similar to SteadyState) works. When you install DeepFreeze, this value is automatically changed to 9999. Maybe this is also an option for the next version of SteadyState?

    You can use this .reg file ( 9999 decimal = 0000270f hex ):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
    "DisablePasswordChange"=dword:00000001
    "maximumpasswordage"=dword:0000270f

    I'm not sure what the DisablePasswordChange setting is for.

    There is one more thing you should do. You should check if some domain policy overrides this setting (which is probably not the case, but just to be sure).

    SteadyState has an option for Windows Updates! You can schedule SteadyState for updates on the weekend.

    Bye

    Tuesday, January 29, 2008 3:05 PM
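
An added example, not part of any post in this thread: a PowerShell check of the two Netlogon values from the .reg file above, which also helps with the advice to see whether a domain policy overrides them. It assumes PowerShell 2.0 or later in an elevated session and a Windows version whose `gpresult` supports `/h`; the function name `Get-NetlogonPasswordSetting` and the `$ExpectedMaxAge` variable are hypothetical names chosen for this sketch.

```powershell
# Added example (not from the thread): audit machine-account password settings.
$NetlogonKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ExpectedMaxAge = 9999   # assumption: the value used in the .reg file above

function Get-NetlogonPasswordSetting {
    param([string]$Path = $NetlogonKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    # A missing value means the Windows default applies:
    # password changes enabled (0) and a 30-day maximum age.
    $disable = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
    $maxAge  = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }
    New-Object PSObject -Property @{
        Computer              = $env:COMPUTERNAME
        DisablePasswordChange = $disable
        MaximumPasswordAgeDays = $maxAge
        # When DisablePasswordChange is 1 the client never starts a change itself.
        ClientInitiatesChange = ($disable -eq 0)
    }
}

$setting = Get-NetlogonPasswordSetting
$setting | Format-List

# Drift from the intended value suggests something is rewriting the key.
# The Group Policy security options "Domain member: Maximum machine account
# password age" and "Domain member: Disable machine account password changes"
# are stored in these same two registry values.
if ($setting.MaximumPasswordAgeDays -ne $ExpectedMaxAge) {
    Write-Warning ("MaximumPasswordAge is {0}, expected {1}; check the resultant policy report." -f `
        $setting.MaximumPasswordAgeDays, $ExpectedMaxAge)
}

# Write a resultant-set-of-policy report for the computer scope so the
# winning GPO for those security options can be identified.
$report = Join-Path $env:TEMP 'rsop-computer.html'
gpresult /scope computer /h $report /f | Out-Null
Write-Output "Policy report written to $report"

# Confirm the machine account password still matches the domain's copy.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel to the domain is broken; the computer account needs to be reset or rejoined.'
}
```

Run it before enabling disk protection and again after a policy refresh; a changed `MaximumPasswordAgeDays` between the two runs points to a GPO applying its own value.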
  • Hi Shawn Shao,

    You state: "Please understand that SteadyState was not designed for domain environments, which have been provided with many powerful tools such as Group Policy to manage the clients. This is an expected behavior which has been described in the Handbook."

    Could you tell me where in the handbook it says not to use in a domain environment? I can see several references to domain environment in the handbook but none saying that it is not designed to be used in one.

    I work in a very large environment with no control over Group Policy. Is it possible to configure Steady State to retain PC domain passwords, so that they do not drop off the domain every 30 days? Changing the registry does not work as GP changes it back.

    Regards


    Thursday, April 2, 2009 2:06 PM
  • Hi Huib123

    Do you know how Deep Freeze will react if a Group Policy changed the reg setting back to 29? Would it change it back to 9999? I ask because we do have a GP running that resets it to 29 and are currently using Steady State on our training PCs, which drop off the network every 30 days.

    Regards

    Lawrence

    Thursday, April 2, 2009 2:10 PM
  • "Could you tell me where in the handbook it says not to use in a domain environment? I can see several references to domain environment in the handbook but none saying that it is not designed to be used in one."

    The statement about SteadyState not working well in domain environments was included in earlier versions of the product. However, in the current handbook, it says otherwise.

    Page 57 of the new manual states, "...Windows SteadyState has been designed to work as favorably in domain environments as it does for workgroup computers."

    I will be testing public computers in a domain environment soon. I have been very successful running them in a workgroup, but I would like to take advantage of Group Policies. Since you do not have access to Group Policies, is having these computers on a domain the best way to control them? Or do you have a choice in that matter?

    Sean Hanson
    Thursday, April 2, 2009 8:02 PM