GAF IT Personnel HELP! Group Policy question

Status
Not open for further replies.

pollo

Banned
GAF, I work at a local college and I want to set some policies that restrict users from saving shit onto desktops. Ideally I want to be able to keep My Network Folder, My Documents, Word, Excel, and a few other items on the desktop -- and that's it. I want it so that when they log out their settings aren't saved (save for the stuff in My Documents) and so whenever a user logs on he gets the default settings on the desktop with all the preset icons and nothing more.

Anyone know how I'll be able to do this through Group Policy?
 
Is the Active Directory domain native 2000 or 2003? We aren't really restrictive at all where I work, and I typically avoid GPOs unless they are the only option..

I think the easier way to go about this would be to possibly create your default template roaming profile for different groups and then rename the ntuser.dat file to ntuser.man. This should restrict them from making permanent changes to their roaming profile. It will make the changes during the current session, but won't be able to update the network profile upon logging out. So, when they log back in the next time they will have the generic profile again.
 
We don't have individual logins for where I work - just a basic student account.
Maybe that'd be an easier approach - I'm not really an IT person so I know next to nothing about configuring a generic user account. Would you be able to expand? :)
 
1 generic account that logs into how many PCs?

Here is an article about creating a mandatory profile on a local machine.
http://www.tweakxp.com/article37356.aspx

If you have a lot of computers you could do this same type of thing but have the profile shared out from a server and just map a drive to that share in the profile.

Are these computers just part of a workgroup?

edit: if you just have a handful of computers.. just log into them with your generic account. Set everything up how you want it. Then browse to the account's profile folders..

This is normally C:\documents and settings\%username%\

within that folder rename ntuser.dat to ntuser.man. You will probably have to allow viewing of hidden files. From Windows explorer.. Tools---> Folder Options ---> View Tab ----> select view hidden files.
 
If I studied this week, I'd know exactly how to answer that question...

lemme see...

you'll want to create a mandatory user profile.

If you need it to be roaming, you'll need to do a few things...

create a roaming profile as you normally would...

rename the profile file from ntuser.dat to ntuser.man ... which will change the profile to read only and thus mandatory.

with a mandatory profile, users can still change their desktop settings, but when they log off, it won't be saved.
 
My boss has never bothered setting a drive to map out user profiles; he claims that it would be too much upkeep and maintenance for a 3 person staff. I do manual installs on each machine adding the user profiles.

There are about 60 lab machines in this college..and they're organized so inefficiently that it's sad.
 
So... you guys do what? create an account for every student on every machine? assign students to individual machines?

Your boss should probably be fired... or something. I don't know.

Well, in any case, you'll probably have to cut and paste user files into a new mandatory local user account if you want to modify them.

Not sure. heh.
 
We have a generic local account by the name of student on each machine. It's a basic User profile, so the user can't install crap onto the machines.

The problem we have is that students change the backgrounds and stuff...we've managed to lock that out now with GPO, but I wanted to take an extra step further by instilling restrictions on their ability to affect desktop settings (such as saving files on there and what not)
 
pollo said:
We have a generic local account by the name of student on each machine. It's a basic User profile, so the user can't install crap onto the machines.

The problem we have is that students change the backgrounds and stuff...we've managed to lock that out now with GPO, but I wanted to take an extra step further by instilling restrictions on their ability to affect desktop settings (such as saving files on there and what not)


The folder named "Desktop" in each user's profile folder under the C:\Documents and Settings folder is the folder you want to restrict. I'm not sure if there is an easier way to do this or not, but what I would do to restrict this folder for specific users on specific computers is:

1. Create a group for your computers and users you want to restrict.
2. Create a new GPO, set the read and apply group policy permissions for the group you just created. Remove the Authenticated Users group. Make sure Domain Admins has at least read permissions. Open the GPO and select Computer Configuration - Windows Settings - Security Settings - File System
3. Right click and Add File
4. At the bottom of the folder selection popup type in C:\Documents and Settings\%username%\Desktop
5. Set the permissions on this folder where Domain Admins has full control and add your group in there with only read and list folders permissions.
6. Link this GPO to the domain or OU your computers in question are at and then reboot the suckers
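
Added example, not part of any post in this thread: a per-machine PowerShell script for the local-account case the original poster describes. It combines the two suggestions above, renaming the hive to NTUSER.MAN (covers registry-backed settings) and giving the account read/list-only rights on its Desktop folder (covers saved files). It assumes Windows PowerShell is installed, the XP profile path quoted in the thread, and a local account named student; the parameter names are hypothetical.

```powershell
# Added example (not from the thread). Run as a local administrator while the
# target account is logged off. Path and account name are taken from the thread;
# parameter names are hypothetical.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',
    [string]$Account     = 'student'
)

$profileDir = Join-Path $ProfileRoot $Account
$hive       = Join-Path $profileDir 'NTUSER.DAT'
$mandatory  = Join-Path $profileDir 'NTUSER.MAN'
$desktop    = Join-Path $profileDir 'Desktop'

# 1. Make the profile mandatory: NTUSER.DAT -> NTUSER.MAN.
if (Test-Path $mandatory) {
    Write-Output "Already mandatory: $mandatory"
} elseif (-not (Test-Path $hive)) {
    throw "No hive at $hive. Log on once as $Account to create the profile."
} else {
    # The hive stays locked while the account is logged on; an exclusive open proves it is free.
    try {
        $fs = [System.IO.File]::Open($hive, 'Open', 'ReadWrite', 'None')
        $fs.Close()
    } catch {
        throw "$hive is in use. Log $Account off before converting the profile."
    }
    # -Force is needed because the hive carries the Hidden attribute.
    Rename-Item -Path $hive -NewName 'NTUSER.MAN' -Force
    Write-Output "Renamed hive to $mandatory"
}

# 2. Desktop folder: stop inheriting from the profile root, then grant read/list only.
$acl = Get-Acl -Path $desktop
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL and drop inherited entries
$grants = @(
    @{ Id = 'BUILTIN\Administrators';            Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';               Rights = 'FullControl' },
    @{ Id = "${env:COMPUTERNAME}\$Account";      Rights = 'ReadAndExecute' }
)
foreach ($g in $grants) {
    # SetAccessRule replaces any existing Allow entries for the same identity.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
}
Set-Acl -Path $desktop -AclObject $acl
Write-Output "Desktop ACL set: $Account has read/list only on $desktop"
```

Set up the desktop icons before running it, since the account can no longer add or change files in that folder afterwards.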
 
The computers are running Windows XP professional...

Should that matter? I can't seem to find where I can create a new GPO
 