Mandatory Profiles/Roaming Etc...

Right, I've got a company with 35-ish users and a Win2k3 server with an AD controller set up for permissions etc., but the computers are getting abused somewhat, i.e. installation of BitTorrent, Firefox etc.

I want to restrict this by setting up mandatory user profiles on the server, which I can do, and I can sort roaming out etc. BUT how do I bodge XP/Vista so that you can't create any local profiles? Just create an administrator account on that machine and don't disclose the password, so that they can only log on to the AD?

Any help appreciated, I'm a bit lacking on the locking down / security side of things.
 
How do they have access to install software on their computers anyway? Do they have local admin privileges? If so, just take that away from them.
 
This is true, I could do that. I must admit I was more lenient because I can't be bothered installing Adobe Reader, Flash Player etc. for every user as and when they need it.

Sooo, two birds with one stone is the roaming profiles? This way I can manage multiple accounts from one desk (i.e. the server's desk).
 
Got ya, so the restrictions need to all be set up in the OS as a user, and then the roaming profile will just make my life easier from an admin point of view, managing shortcuts, network drives, printers etc.

I'll set up a dummy client and server and get some stuff rolled out on to it.

What happens with a roaming profile's installed programs? Can they get installed to a folder on the server so that apps for a particular user are applied to any computer they sit at, or would I need to use TS for that?
 
Roaming profiles are good for making sure the user's local files (i.e. items in Documents and Settings\user) are sent back to the server when they log off, mainly for backup purposes.

It doesn't store installed applications.
 
If it doesn't store the applications on the server, then how can the roaming profile work? For instance, we have one user who needs access to a TNT shipper program; it will only be installed on this machine. If this user's machine fails and he wants to use another computer, I need him to be able to use the TNT software. I read that these things get installed to the server as long as you use Control Panel instead of the default install programs?
 
Roaming profiles work perfectly on the assumption that all the hardware and software matches...

As mentioned before, roaming profiles only store the user's documents and settings, i.e. the desktop, the My Documents folder, personalised desktop settings like background wallpaper, internet favourites etc.
 
Ah, maybe it's not possible then :( We have different departments with different software/different needs, i.e. Accounts needs Sage, development needs AutoCAD etc.

Is there no way at all to set up roaming in this nature?
 
It's possible, but you can't expect a CAD user to log on to a PC without AutoCAD installed and use AutoCAD. If you know what I mean.

Remove the local admin privileges and use something like Group Policy or Microsoft SMS to deploy applications.

If you wanted to centrally manage everything (although I wouldn't recommend this on AutoCAD machines) you would indeed be looking at something like TS or Citrix.
 
Is that going to allow me to use user-specific applications on any PC they log on to? Sorry for the AD n00b questions.

If you install software based on group membership then yes, any user-specific software would be installed when a user logged onto a machine; this software will then remain installed on that machine.
 
That sounds the most reasonable idea then. I assume the comment above about hardware/software being the same isn't totally strict in these terms then?

All my PCs are different, built at different times etc.

So I'll make a default Windows image, locked down, install it and then update drivers etc. (we all use common network cards). From there all the software a user needs can be assigned using a Group Policy and I'm cooking?

Cheers for the help so far guys.

P.S. Any tips on locking down an XP/Vista machine?

One thing I am worried about is that at the Ctrl + Alt + Del screen you get the option to log on to the domain or log on to the computer locally; I would like to remove the log on locally part of it if possible?
 
One thing I am worried about is that at the Ctrl + Alt + Del screen you get the option to log on to the domain or log on to the computer locally; I would like to remove the log on locally part of it if possible?

Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments > Deny Logon Locally
 
Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments > Deny Logon Locally

Ouch! Don't mess with the Default Domain Policy! You risk causing major problems.
Create a test OU, put a test user/computer object in that OU first and link it to a test GPO. Once you're happy with the settings in the test GPO, I would set up/link it to a new OU and move accounts over. The default Computers container doesn't allow GPO linking.
Use the Default Domain Policy for controlling account/password-related policy only, not for computer restrictions...
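A scripted version of the test-OU workflow described above, added here as an example and not taken from the thread. It assumes the ActiveDirectory and GroupPolicy PowerShell modules from RSAT (newer than the Win2k3 setup being discussed), and every OU, GPO, user and computer name below is a placeholder.

```powershell
# Added example: stage a test OU with its own GPO so the Default Domain Policy is never touched.
# Assumes RSAT's ActiveDirectory and GroupPolicy modules; all names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=local
$ouName   = "GPO-Test"                         # placeholder test OU
$testOU   = "OU=$ouName,$domainDN"
$gpoName  = "Test-Workstation-Lockdown"        # placeholder test GPO
$testUser = "testuser"                         # placeholder sAMAccountName
$testPC   = "TESTPC01"                         # placeholder computer name

# 1. Create the test OU (protected from accidental deletion) if it does not already exist.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move ONE test user and ONE test computer into it. The default Computers container
#    cannot have a GPO linked, which is why the objects have to live in a real OU.
Move-ADObject -Identity (Get-ADUser -Identity $testUser).DistinguishedName -TargetPath $testOU
Move-ADObject -Identity (Get-ADComputer -Identity $testPC).DistinguishedName -TargetPath $testOU

# 3. Create the test GPO and link it to the test OU only.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Workstation lockdown, under test in $ouName"
}
New-GPLink -Name $gpoName -Target $testOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Registry-backed settings can be set from here. Example: stop users running their own
#    MSI installs while still allowing Group Policy-deployed (managed) software through.
#    DisableMSI = 1 means "non-managed applications only"; 2 would also break GPO deployment.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\Installer" `
    -ValueName "DisableMSI" -Type DWord -Value 1 | Out-Null

# 5. "Deny log on locally" is a user-rights assignment, not a registry value, so it is set
#    in the GPO editor under the Local Policies path quoted in the thread. Export a report
#    afterwards to confirm exactly what the test GPO contains before moving real accounts.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

On the test PC, run `gpupdate /force` and then `gpresult /r` to confirm the test GPO is the one applying before moving any real users or computers over.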
 