Locking down computers for classroom - Steady State vs group policy

  • General discussion

  • First off, great forum.  Thanks for this very valuable resource.  I apologize for the length of this question and hope it's clear enough to make sense.

    I'm trying to wrap my head around the use of Steady State disk protection versus (or, in addition to) Group policy restrictions to "protect" our computers in a classroom environment.

    The requirements:

    I work in a university setting.  We have approximately 6 classrooms (or, labs depending on how you define them).  Each classroom has approximately 50 computers in them.  The students all have domain accounts which they are expected to use to log on to the computers.  Some labs require that the computers retain the user's domain profiles (and info in mydocs, etc.).  Other labs we just need to retain who was on the machine at what time (so, the Security Event viewer is adequate for that).  The computers all have a common set of apps.  Users are not given admin privs, but do need to be able to get to the Internet, etc.  Version of the OS is XP Pro service pack 3 and all computers are in the domain.

    Our experience so far:

    We used Steady State disk protection (version 2 I think; anyway, from summer of 2008) for the past year in several of our labs.  We attempted to protect the C partition with the Steady State disk protection, and place profiles, event logs, and any additional "data" folders on the D partition.  For some classrooms, this worked "OK".  For other classrooms, we had to disable Steady State due to the following issue reported in another thread on this forum:

    "..........I installed windows and configured it to add all profiles from our domain or even local to D:\ drive instead of C:\ drive so I can lock the C drive and don't allow anyone to change anything on it

    I used SteadyState to protect the partition but each time I log on with the same domain username it does not load my profile from D:\ but it creates a new one called like this

    example:

    domainuser
    domainuser.000

    so is there a way to prevent this from happening ? I want to protect the C drive from any change while all users data and profile will be located on D drive
    ............"

    So far we did NOT use any group policy settings.  Such as from "Group Policy template called SCTSettings.adm".  Maybe it was not available in the older version of Steady State (or, more than likely I just missed it).

    Anyway, based on our requirements of users logging on using their domain account each time (roaming profiles are NOT an option), and wanting to retain their profile info (I assume on a D partition if necessary), and wanting to protect the C partition (with the apps and OS) as much as possible, what is the best route to go?

    Use Steady State only?
    Use group policy only?
    Use both together?

    Finally, some upcoming changes for this year will be to roll out System Configuration Manager and Vista (at least to one classroom).  That said, I'm not too concerned about those details.


    Other concerns:

    Note, we would like to keep our setups as easy to maintain as possible (well, ok, that's fairly obvious : ).  So, it seems to us (so far) that Steady State Disk Protection makes things quite a bit trickier to manage and (particularly) update.  So, if we could maintain "moderately good" protection with just group policy, then that would be nice.  My normal mode of support would be "....hey, if the computer OS/application gets messed up somehow, just dump a new image on it in 20 minutes..."

    Comments or ideas?  Particularly the rather vexing issue of "domainuser then domainuser.000, etc. every time the same user logs on".  We could not use Steady State disk protection in several labs due to that issue.

    Thanks again for any insights.

    Geoff Weatherford

    Computing Resource Group

    College of Veterinary Medicine & Biomedical Sciences,

    Colorado State University

    (970) 491-2627

    geoff.weatherford@colostate.edu

     


    • Changed type Sean Zhu - Monday, March 23, 2009 9:54 AM
    Friday, March 20, 2009 10:30 PM

All replies

  • Hi Geoff, thank you for the post. Based on the current situation, it seems to me the only way to accomplish this is to use a mandatory profile (roaming profile).


    Sean Zhu - MSFT
    Tuesday, March 24, 2009 8:03 AM
  • OK.  Don't really want to do a roaming profile.  So, I'll probably try using a group policy on our classroom domain OU that is based on the Group Policy template called SCTSettings.adm and see where it gets us.

    I really do appreciate the answer and apologize for taking so long to get back to you.

    Thanks,

    Geoff Weatherford

    Computing Resource Group

    College of Veterinary Medicine & Biomedical Sciences,

    Colorado State University

    (970) 491-2627

    geoff.weatherford@colostate.edu


    Wednesday, March 25, 2009 9:52 PM
  • I'm curious as to how things worked out for you so far using just the Group Policy?

    Thanks

    Norris Arab
    Friday, June 5, 2009 9:25 PM