how can we "lock down" school computers to prevent customization?

Wish I only had 25 PCs to deal with! Try managing over 600 in a school environment!

All good advise above. If you can have all XP machines that would be ideal. Establishing group policies would be next. I don't have any links at the moment on where to get started. We use steady state (I don't know much about it) but our imaging guy later found he didn't like it. I've seen Deep Freeze used in other schools with great success. Lock down the local administrator account with a password, even the BIOS if you feel necessary. I would recommend re-imaging all the computers in conjunction with establishment of a group policy.

I find the scope of Group Policy is more often than not sufficient for locking down nearly every aspect of a PC. I generally use an imaging tool to store an image file of a freshly built system, so it can easily be restored when necessary.

With your new server and Active Directory domain you will create with it, you will instantly eradicate the user account issue - the administrator has to manage it through AD U&C tool instead.

When configuring permissions on your shared drives, make sure you use security groups for every department and access privilege/right a user may require, rather than hard code usernames into NTFS file/folder permissions. It is much easier when a user wants access to a set of folders to simply add their AD user object as a member of a group, rather than go round changing permissions in hundreds of different places on the system (no doubt you'll forget one!). With groups you only configure the permissions side of things once, then leave it.

AND - the most important thing when it comes to security. NEVER give anyone on the system more privileges than they NEED. (Note, for the purposes of this comment the term "WANT" isn't the same as "NEED") It's all very well if a user wants a particular set of permissions, but if they don't NEED them you will create a potential security threat to your network by granting them access - even just to read data (particularly sensitive data), since read privileges would mean they can take it off the system (i.e. by USB Memory Key) and distribute it.

Another security recommendation would be to lock down the domain Administrator account with a randomly generated password, but don't let anyone use it unless they have to. Instead it is much better to give your administrators their own Administrator_<USER SURNAME> accounts with domain admin privileges for managing the domain. These accounts are in addition to their usual, everyday accounts which should just be standard users like everyone else on the system.

-tigermatt

thank you  all for your ideas.  i have a lot to learn.  i'm doing this as a volunteer.  doing this one pc at a time has been difficult (i knew there was a better way but had no knowledge of it).  it'll be a week or so before the new server will arrive so it'll take a few days before i can communicate more intelligently.

will get back to you.
thank you!
mp

It will make life much easier if all the client machines use the same operting system, especially if you plan to use group policies.

>It will make life much easier if all the client machines use the same operting system, especially if you plan to use group policies.

it sure would.  regrettably the school has bought only a few at a time.  next time they buy pc's i want them to replace all of them & disseminate the viable ones from the lab to teachers for their classrooms.

>A skilled person will be able to break in to any computer.

yes; perhaps my choice of words was not optimal.  my intention is not so much for security as to prevent them from customizing the computer at all.

regrettably there's too much diversity in that computer lab so we'd probably need 8-10 different "restore" images.  additionally they don't have a good setup for storing (or making) "restore" images.

many problems...

thank you for your comments.  i'll let you know how it goes when the new gear arrives.

thank you all for your help.  the gear arrived but i haven't had time to deal with this.  i'll need to close the question and explore this more later once i know more about this and have more specific questions.

Now that you've posted a comment after you started the automated closure process, you've stopped it and there will have to be moderator intervention! I just thought I should post to let you know you'll need to start it again and then don't post any comments after you've started it. (Then the moderators won't need to do anything)

Alternatively I guess you could just use Accept Multiple Solutions and split the points as before between expert comments. This would close this immediately rather than wait the 7 days.

-tigermatt