Standard desktop image during reboot

All right guys, here's what I need:

I want to have a standard desktop image that comes up during a reboot.  For instance, say I have a user who loads WinZip or some other app on the desktop.  When that user logs off, I want that app to not appear the next time the same user logs on.  No matter what that user loads on the PC, I want everything to revert back to a standard image (think a school system network).

Thanks in Advance for any help


I am not quite clear here.

How can opening WinZip, or any application for that matter, change the desktop image?

Opening that has nothing to do with the desktop image.

He means installing it. It sounds like what you need is terminal services.
neowolf219 (Author) commented:
Sorry about not being clear.  What I should have said is that if someone loads an application (say, WinZip for instance), then when they log off, the application is uninstalled and the PC is like it was during the first login.

For practical purposes, suppose a student logs into one of the PCs at school and installs a program she/he shouldn't.  I don't want that program to be there on reboot.  I could lock down the PCs with a Group Policy, but in some instances I do need them to install programs so I have to give them rights to do so.  But is there a way when they log off for everything to be "undone"?

Thanks for your help guys.

1st....decide whether you want your users to be able to install software.  You might find that most do not.  So...once you get that down...

you have 2 choices

1. Make two template users.  One for each user class (1 with install permissions and 1 without) and log in and change the profiles how you wish for each of them.  Log on as Admin and copy the profiles to a share (or local secured location).  Have the "neutered" users use a mandatory profile, for which you would use one of the previously created profiles as the template.  Do the same for the "enabled" user.  Then through policy, lock down the environment.

This way only specific users CAN install, however since mandatory profiles are Read-Only, their changes will be lost.  And the ones that can't...well...they can't leave a bunch of trash on the HD.  But you will need to periodically clean the orphaned apps.  Use quotas so it doesn't bite you.

2. Use scripts....not as pretty and neat as above.


I would definitely create two user templates and make a custom profile for each of them.  One that CAN install and one that cannot.  When you are doing a lesson that involves installation rights, either have them logged on automatically, (you can script in AutoAdminLogon reg hacks, and script them out).  Disable changing of PWs; they won't ever know the passwords, providing you disable access to the registry.  This can all be done through GP at the server.  With the mandatory read-only profiles, when the user logs out changes are lost and you can script in the reg patch to disable the autoadmin logon or to reference the "neutered" account, for the next class which won't be installing anything.  In cases like this, definitely keep the profiles on a share; they will be small and even 10base shouldn't have any problems serving 30-40 stations with slimlined profiles.

I still think terminal services is the way to go; if a user needs a program you can install it and make it available to him/her.
Sorry....I keep on noticing small points.
As far as uninstalling....mmmm, since it will be read only, HKU will not be modified.  But FYI, anything that installs via .msi you can script uninstallations for.

To uninstall use:
msiexec.exe /x <%whatever%>:\whatever\whatever.msi /q

get to know your "IF" syntax.

As for others like InstallShield, etc., I am sure they have a command for quiet unattended uninstall.

If you are doing heavy scripting consider some scripting mods.  is a good free one.
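
The scripted MSI uninstall described in the post above, generalised to every Windows Installer product that is not on an approved list. This is an added example, not part of the original thread: it assumes PowerShell is available and that the script runs with administrative rights (for instance as a computer startup script), and the baseline file path is hypothetical.

```powershell
# Added example (not from the thread): remove per-machine MSI products that are
# not on an approved baseline. Run elevated, e.g. as a computer startup script.
param(
    # Hypothetical path: one approved ProductCode GUID per line, braces included.
    [string]$BaselinePath = 'C:\Baseline\approved-products.txt',
    # Without -Remove the script only reports what it would uninstall.
    [switch]$Remove
)

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-InstalledMsiProduct {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            # MSI-installed products have a GUID key name and WindowsInstaller = 1.
            if ($key.PSChildName -match $GuidPattern -and $props.WindowsInstaller -eq 1) {
                [pscustomobject]@{
                    ProductCode = $key.PSChildName.ToUpper()
                    Name        = $props.DisplayName
                }
            }
        }
    }
}

# Fail closed: a missing or empty baseline must never mean "uninstall everything".
if (-not (Test-Path $BaselinePath)) { throw "Baseline not found: $BaselinePath" }
$approved = @(Get-Content $BaselinePath | ForEach-Object { $_.Trim().ToUpper() } |
    Where-Object { $_ -match $GuidPattern })
if ($approved.Count -eq 0) { throw "Baseline is empty: $BaselinePath" }

foreach ($product in Get-InstalledMsiProduct) {
    if ($approved -contains $product.ProductCode) { continue }
    if (-not $Remove) { "Would remove: $($product.Name) $($product.ProductCode)"; continue }
    # /x = uninstall by ProductCode, /qn = no UI, /norestart = suppress reboot.
    $proc = Start-Process msiexec.exe -Wait -PassThru `
        -ArgumentList "/x $($product.ProductCode) /qn /norestart"
    "Removed $($product.Name): msiexec exit code $($proc.ExitCode)"
}
```

It covers only products registered with Windows Installer; software from other installers has no ProductCode for msiexec to act on and needs that installer's own silent uninstall command.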


I disagree, adds more network and system overhead and CALs CALs CALs CALs

Through intelligent profiling and policing you can make it pretty damn rock hard.  Cheaper too.

All except the install and use programs I agree.... the admin overhead alone for that would be worth the CALS to me
Of course depending on what they need to do you could go thin client and linux.
Screw linux....admin overhead.....hello.  I mean use whatever you want, but I think a little extra work on the frontend will do the job and do it right and minimize administration.  Let scripts do all the work such as uninstalls on log out, the instructor can enforce a new policy auto logging in the workstations with new rights and permissions as needed.  That could be a simple batch on his workstation and I know to solve the program installation changes to the registry, with KiXtart you can load and unload registry hives.  The "loadhive" script subset and the delete routine to remove the installed files is all that would need to be scripted.  Basically System.dat (the equiv) is reloaded, user.dat cannot be modified and a delete or format subset to the enforced installation point is all run on logon.  If he wants to create two users, one with install and one without install rights, it is quite easy and in fact the script would not need to be changed, just the policy allowing installation.

Free, ability to integrate without adding or changing the environment and actually reduced administration, as opposed to managing a TermSvcs solution and dealing with CALs and TSL and LLS.  See what I'm sayin?

lol one sentence you say something about admin overhead then you say a little frontend extra work... seem to contradict yourself. I am sorry you do not know unix. Nothing easier than terminal services, and it allows a standard desktop, it actually solves his problem nicely.
No I guess I don't see what you are saying
neowolf219 (Author) commented:
NetwerkMerc and ewtaylor,

I think the mandatory profiles are what I am looking at ... I'm going to simulate it today in-house to see how it goes.  Thanks a million for your help, you've both given me enough to go in the right direction.  

Good luck, keep us posted on how it goes.
Please do keep us in the loop.  Hope it works, I am more than happy to assist should you have any questions or come across any difficulties.


I most definitely did not mean to offend or condescend.  I am big on "choose whatever the hell you want" with the underlying theory; re-architecting an existing solution is wasteful, especially based off of favoritism.  Assimilate....rounding off the edges so things are snug.  Sometimes, though, you have to.  I didn't mean to belittle any suggestion, in fact it is through these dialogues that solutions become well-defined.

Front-end effort is closer to preparation and implementation as opposed to maintenance or back-end, to which there is no end; it defines itself linearly (i.e. "there is always tomorrow, yet tomorrow never comes").  Maintenance or back-end effort is what I consider overhead; overhead is typically a liquid variable.  It is the unknown in TCO, however obtaining and maintaining CALs (in this instance) could be both front-end and back-end/overhead or just back-end overhead.  Since this is an existing environment this is what I look at and how I classify phases and requirements.
1. Existing MS (assumed 2k or 2k3) infrastructure, with at least domain organization
2. Since the build out has already been done and without knowledge of systems specs, major infrastructure changes are avoided (I consider switching an unknown number of clients to a TS solution, a major change)
3. Conceptualization to implementation/integration timeframe vs. drop-dead dates : acceptable attrition (lost person-hours, revenue generation, interruption of service, etc.)
3. Costs; software, hardware, licensing, staff
4. Expected maintenance, estimated reliability,
5. Scalability

Based on the environment, a few hours making a clean up logon and logoff script, a mandatory profile and policies will meet the requirements.  No additional up-front costs, it is simple, reliable, scalable (to a point, governed by environment), uninvasive and once implemented requires minimal upkeep, actually shouldn't need any.  Unless requirements change, of course.

Semantics, semantics, semantics    : )


Can we split points?    
Agreed, I just like to think outside the box. I used to be down on TS until I really implemented it and started using it; now I think it is great. One job I went in was a factory of the future, they had around purchasing 3000 workstations and a big Windows server with an Oracle database and custom Java front end. They were congratulating themselves on negotiating a deal with Microsoft to the tune of around 3 million dollars (there were some other servers etc. also). I looked at what they were doing on the workstations; it was all web based. Moved the server over to Linux, ran thin clients on the manufacturing floor. Saved them big bucks and helped increase employee a nice bonus. I agree it will not work everywhere, and believe it or not I am a big diehard Windows person. I love KiXtart and the things it can do, and with the new win2k3 server it looks even nicer.
neowolf219 (Author) commented:

This is actually what I think my boss was looking for, but it is nice to be able to do it administratively without spending any money on an app.  Just thought you guys would like to know about it for future reference.
Ahh, in that case take a look at the Deep Freeze software.
neowolf219 (Author) commented:
ewtaylor or anyone else,

Please know that I realize I'm swinging for the fences here, but do you know of any shareware that will (at the least) delete user loaded apps off their hard drive?  Setting up mandatory profiles will work, but I need a way to get rid of the installed applications.

I will reward points for this information.  

PS I wish we would just lock down the systems, but understand that isn't an option.  
The program I pointed out will do that. It installs everything to a separate protected partition that it basically reformats at each reboot. Are you looking for something in a shareware product to do this?
The easiest way (especially if all machines are the same) is to force a common install location on the user.  Since it is a mandatory profile the HKCU will not make persistent changes to the HKU.  A logoff script delete routine for that location (directory, volume, etc.) and on logoff load the, will take care of the files, since it is mandatory profile, all user environments will be reset and just call registry hive loads to clear up system references, preventing orphaned registry references.  You will want to make sure that the default user profile and the all user profiles are read only as well.

Another way, is making use of RIS.  But I do not know how flexible it is with 3rd party software.  But if you went that route all installs would be done administratively initiated by the server.  Then all users will be on the mandatory profile and you can lock everything down, via policy.  Since installs and uninstalls are handled by you server side, the user install requirement is moot.

What about the registry changes to HKLM? Those are global changes (global for the system) and they are persistent.  Deleting the files is not enough....

Q.         What is EZHDD?

A.         EZHDD is a security/recovery system that drastically reduces PC maintenance by preventing users from saving permanent changes to the hard drive.  Each time the PC is rebooted, all changes made by the user are reversed.  EZHDD will not prevent the user from changing the registry, deleting programs, or installing software or viruses.  It will, however, return the PC to its original condition when it is rebooted.
Deep Freeze will reset the registry back to clean condition on reboot.
neowolf219 (Author) commented:

EZHDD is exactly what we need, but boss man is wanting to see if there is any shareware that will do basically the same thing (don't try explaining that the price is well worth it if you throw in administrative costs of maintaining 200-500 mandatory profiles ... got love politics).  I am going to continue to try and convince him this is good, and to give the trial version a shot, but in the mean time if you know of any shareware that we could use as a comparison, that would be excellent.  

Ahhh....hmm....I might have to check that out.  

Danke! and me are on a few threads together...interesting.

Good luck Neo.

Yes, and I am learning a lot from ya.... Keep up the good work!
What is Deep Freeze?
Windows 2000
