Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Group Policy, Login Scripts, eh?

  • 31-03-2005 8:20pm
    #1
    Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,661 CMod ✭✭✭✭


    Not sure if this is in the right place, apologise if not.

    I help out with computers at a local primary school. Most of the machines in the main computer room are Win 98 and login scripts work fine one those. Currently the system is setup up so that when pupils logon to the network they can't access the Control Panel, Display Properties, Run and a few other bits n' pieces.

    Thanks to Tesco tokens there's now a few XP machines waiting to be used.
    For the handful of XP machines I've set the pupil accounts to limited so they can't install anything but they can still get into the Control Panel and muck about with the desktop, screensaver etc. Is there anything I can do so the students can't access these things? These machines have been networked but haven't been dished out yet as there's one or two kids who like to tinker with things a bit too much if they get the chance, especially on the "best" machines.

    I'm also wondering if the same is possible for Windows 2000 Pro, most of the machines dotted around the classrooms are Win 2000. The machines in the classrooms get maintained less often and the majority of the teachers know very little about mucking about with settings, in some cases the pupils probably know more. So it would be handy if these machines could remain somewhat similar rather than going into each room and finding that some muppet has changed the desktop background to something dodgy. Pupil accounts under 2000 are set to "restricted user".

    Would I have to create a new login script specific for the XP machines, can I edit the current ones but without mucking up the settings that kick in when someone logs onto a Win 98 machine. Do I need to bother tweaking login scripts for XP, is there something I can mess with in User Accounts?

    Let's say I'm not bothered about editing login scripts, I've heard Group Policy is better for applying restrictions. So maybe I could go with that? There's probably some existing Group Policy in place I just haven't looked around the server properly.

    The main server is 2000 Server and the older one is NT.

    Just looking around my own machine at home (XP Pro, not networked), if I (I'm admin) go to gpedit.msc and mess about there I can mess with things in there. Is there some way of setting a policy so that it can differentiate between an admin (full access) and a more limited account (no Control Panel, Display, Run etc.)

    This is the main thing I want to figure out for the school before dishing out the XP machines. Is there something specific I need to do for XP and 2000 re: not giving access to the Control Panel, etc. Pupil's already have limited accounts and that kicks in fine on the 98 machines but I want to take a few more things out of action, yet if I need to check them out (i.e. login under admin) I'll have access to everything.

    If it's an individual tweaking I could set all XP machines up as heavily restricted one by one. However if it's a group thing, I'll need most XP machines heavily restricted yet I'll need the Principal and Secretary's machines to remain full access, they're both XP and login to the network using the admin account.

    Suggestions on the back of a leabhair notai obair bhaile...

    EDIT: I was in the local library the other day and they had XP machines setup with many restrictions: you couldn't right click anything, and you only had access to Start> some basic Programs. So perhaps something like that.


Comments

  • Registered Users, Registered Users 2 Posts: 816 ✭✭✭Cryos


    Why are you setting up pupil accounts on the local machines ??

    Your running windows server 2000 and NT (btw NT server isnt compatable with Windows XP), in windows server just create a User "pupil" with a password. Automatically they will not be able to install any software on the computers (if its an xp or 2000 system, however if your using windows 98 your buggered), why not upgrade the 98 machines to 2000 (remembering 2000 needs 750mb, p1 166 and 64 meg ram or better).

    98 is not a N.O.S its a bog standard O.S, so your not going to have the same restrictions as you will have on nt, 2000 or xp.

    You dont need to do anything on you local machines, just do it all on the server theres loads of articles on this stuff on http://technet.microsoft.com


  • Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,661 CMod ✭✭✭✭The Black Oil


    Blitz wrote:
    Why are you setting up pupil accounts on the local machines ??

    Sorry, do you mean upon setting up why do we go, add a user to the domain and set it up as a restricted account on each individual machine? Rather than just logging in with pupil, password and the domain, letting the server pick it up straight away? Just the way it has always been done, or how I was shown how to do it.
    Your running windows server 2000 and NT (btw NT server isnt compatable with Windows XP), in windows server just create a User "pupil" with a password. Automatically they will not be able to install any software on the computers (if its an xp or 2000 system, however if your using windows 98 your buggered), why not upgrade the 98 machines to 2000 (remembering 2000 needs 750mb, p1 166 and 64 meg ram or better).

    Easier said than done, some of the machines aren't worth/don't have the spec to bother upgrading. Also there might be a licensing issue re: educational software (we're grand re: Win 2000 licenses thanks to the Microsoft Fresh Start programme for schools). On some machines there's many bits and pieces such as: Maths Circus, Maths Blaster (various age groups), Type To Learn...the list goes on, so upon wiping the computers and reinstalling we wouldn't really have the licenses for them. Being a school we have do things as officially as possible. ;)

    I would like to wipe those 98 machines however, it's a case of time. The principal is probably other most knowledgeable IT person but he obviously doesn't have time to go in to starting wiping, and reinstalling 20+ machines. The IT teacher/co-ordinator is mainly there to teach pupils how to use the educational software, and supervise them. She knows a bit of techy stuff but not enough to go from scratch. Myself, I don't really have the time to start, supervise, and fully reinstall an OS, plus the education software as I have lectures to go! However, I have setup most of the machines around the classrooms, (probably 2 dozen) though given time constraints it took about a week to bring a machine fully up to scratch.

    It would be no harm to get rid of 98, as it's/is becoming obsolete.

    The Win 2000 server is probably the main workhorse now, I think the NT one is mainly for storage and perhaps some games/apps.
    You dont need to do anything on you local machines, just do it all on the server theres loads of articles on this stuff on http://technet.microsoft.com

    Thanks, I'll check that out, and see if I can do much when the school reopens.


  • Registered Users, Registered Users 2 Posts: 328 ✭✭Bebop


    Presumably your Win 2000 server is the domain controller, the NT4 box is just a member server, this is the only way they could work on the same domain
    your windows 2000 server looks after logons and user authentication etc, so this is where you can apply group policies, I look after Server 2003 domains and the group policies are applied to each OU [Organisation Unit]

    In Active directory users and computers, create a new OU and put a few of the XP machines in it,
    Then select the properties of the OU, there should be a Group Policy tab..if you select edit or new..the Gpedit opens and you can tweak any of the settings that will be applied to this OU,
    This is how I do it in S2003, Server 2000 is roughly the same, you can play around with the GPO settings and see the results when any of the group of XP machines log on, you can also apply logon and logoff scripts in the GPO, remember that GPO's only apply to computers, not users

    Group Policy can only be applied to XP and 2000 workstations, it will not work with Win98, you might also consider moving up to Server 2003, it handles GPO's better and the volume shadow copy acts like a recycle bin for the network, Microsoft licence deals like Education Select or Campus Agreement mean that Education bodies only pay a fraction of the normal price


Advertisement