Standard desktop image during reboot
All right guys, here's what I need:
I want to have standard desktop image that comes up during a reboot. For instance, say I have a user who loads WinZip or some other app on the desktop. When that user logs off, I want that app to not appear the next time the same user logs on. No matter what that use loads on the PC, I want everything to revert back to a standard image (think a school system network).
Thanks in Advance for any help
I want to have standard desktop image that comes up during a reboot. For instance, say I have a user who loads WinZip or some other app on the desktop. When that user logs off, I want that app to not appear the next time the same user logs on. No matter what that use loads on the PC, I want everything to revert back to a standard image (think a school system network).
Thanks in Advance for any help
He means installing it. It sounds like what you need is terminal services.
ASKER
Sorry about not being clear. What I should have said, is that if someloads an application (say, Winzip for instance), that when they log off, the application is uninstalled and the PC is like it was during the first login.
For practical purposes, suppose a student logs into one of the PCs at school and installs a program she/he shouldn't. I don't want that program to be there on reboot. I could lock down the PCs with a Group Policy, but in some instances I do need them to install programs so I have to give them rights to do so. But is there a way when they log off for everything to be "undone".
Thanks for your help guys.
For practical purposes, suppose a student logs into one of the PCs at school and installs a program she/he shouldn't. I don't want that program to be there on reboot. I could lock down the PCs with a Group Policy, but in some instances I do need them to install programs so I have to give them rights to do so. But is there a way when they log off for everything to be "undone".
Thanks for your help guys.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Continued.....
I would definitely create two user templates and make a custom profile for each of them. One that CAN install and one that cannot. When you are doing a lesson that involves installation rights, either ave them logged on automatically, (you can script in AutoAdminLogon reg hacks, and script them out). Disable changing of PWs they won't ever know the passwords, providing you disable access to the registry. This can all be done through GP at the server. With the mandatory read-only profiles when the user logs out changes are lost and you can script in the reg patch to disable the autoadmin logon or to referacne the "neutered" account, for the next class which won't be installing anything. In cases like this, definetly keep the profiles on a share, they will be small and even 10base shouldn't have any problems serving 30-40 stations with slimlined profiles.
-Eric
I would definitely create two user templates and make a custom profile for each of them. One that CAN install and one that cannot. When you are doing a lesson that involves installation rights, either ave them logged on automatically, (you can script in AutoAdminLogon reg hacks, and script them out). Disable changing of PWs they won't ever know the passwords, providing you disable access to the registry. This can all be done through GP at the server. With the mandatory read-only profiles when the user logs out changes are lost and you can script in the reg patch to disable the autoadmin logon or to referacne the "neutered" account, for the next class which won't be installing anything. In cases like this, definetly keep the profiles on a share, they will be small and even 10base shouldn't have any problems serving 30-40 stations with slimlined profiles.
-Eric
I still think terminal servieces is the way to go, if a user needs a program you can install it and make it acailable to him/her
Sorry....I keep on noticeing small points.
As far as uninstalling....mmmm, since user.man will be read only, HKU will not be modified. But FYI anything that installs via .msi you can script uninstallations.
to uninstall use:
msiexec.exe <%whatever%>:\whatever\wha
get to know your "IF" syntax.
As for others like install sheild, etc., I am sure they have a command for quiet unattended uninstall.
If you are doing heavy scripting consider some scripting mods. www.kixtart.org is a good free one.
-Eric
As far as uninstalling....mmmm, since user.man will be read only, HKU will not be modified. But FYI anything that installs via .msi you can script uninstallations.
to uninstall use:
msiexec.exe <%whatever%>:\whatever\wha
get to know your "IF" syntax.
As for others like install sheild, etc., I am sure they have a command for quiet unattended uninstall.
If you are doing heavy scripting consider some scripting mods. www.kixtart.org is a good free one.
-Eric
I disagree, adds more network and system overhead and CALs CALs CALs CALs
Through intelligent profiling and policing you can make it pretty damn rock hard. Cheaper too.
-Eric
Through intelligent profiling and policing you can make it pretty damn rock hard. Cheaper too.
-Eric
All except the install and use programs I agree.... the admin overhead alone for that would be worth the CALS to me
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Screw linux....admin overhead.....hello. I mean use whatever you want, but I think a little extra work on the frontend will do the job and do it right and minimize administration. Let scripts do all the work such as uninstalls on log out, the instructer and inforce a new policy auto logging in the workstations win new rights and permissions as needed. That could be a simplet batch on his workstation and I know to solve the program installation changes to the registry, with KiXtart you can load and unload registry hives. The "loadhive" script subset and the delete routine to remove the installed files is all that would need to be scripted. Basically System,dat (the equiv) is reloaded, user.dat cannot be modified and a delete or format subset to the enforced installation point is all run on logon. If he wants to create two users with installl and one without install rights, it is quite easy and infact the script would not need to be changed, just the policy allowing installation.
Free, ability to intergrate without adding or changing the enviroment and actually reduced administration, as opposed to managing a TermSvcs solution and dealing with CALs and TSL and LLS. See what I'm sayin?
-Eric
Free, ability to intergrate without adding or changing the enviroment and actually reduced administration, as opposed to managing a TermSvcs solution and dealing with CALs and TSL and LLS. See what I'm sayin?
-Eric
lol one sentence you say something about admin overhead then you say a little frontend extra work... seem to contradict yourself. I am sorry you do not know unix. Nothing easier than terminal services, and it allows a standard desktop, it actually solves his problem nicely.
No I guess I don't see what you are saying
No I guess I don't see what you are saying
ASKER
NetwerkMerc and ewtaylor,
I think the mandatory profiles are what I am looking at ... I'm going to simulate it today in-house to see how it goes. Thanks a million for your help, you've both given me enough to go in the right direction.
I think the mandatory profiles are what I am looking at ... I'm going to simulate it today in-house to see how it goes. Thanks a million for your help, you've both given me enough to go in the right direction.
Good luck, keep us posted on how it goes.
Neo:
Please so keep us in the loop. Hope it works, I am more than happy to assist should you have any questions or come across any difficulties.
-Eric
EW:
I most definitely did not mean to offend to condescend. I am big on "choose whatever the hell you want" with the underlying theory; re-architecting an existing solution, is wasteful, especially based off of favoritism. Assimilate....rounding off the edges so things are snug. Sometimes, though you have to. I didn't mean to belittle any suggestion, infact it is through these dialogues that solutions become well-defined.
Front-end effort is closer to preparation and implementation as opposed to maintenance or back-end, to which there is no end; it defines itself linearly (i.e. there is always tomorrow, yet tomorrow never comes"). Maintenance or back-end effort is what I consider overhead, overhead is typically a liquid variable. It is the unknown in TCO, however obtaining and maintaining CALs (in this instance) could be both front-end and back-end/overhead or just back-end overhead. Since this is an existing environment this is what I look at and how I classify phases and requirements.
1. Existing MS (assumed 2k or 2k3) infrastructure, with at least domain organization
2. Since the build out has already been done and without knowledge of systems specs, major infrastructure changes are avoided (I consider switching an unknown number of clients to a TS solution, a major change)
3. Conceptualization to implementation/integration
3. Costs; software, hardware, licensing, staff
4. Expected maintenance, estimated reliability,
5. Scalability
Based on the environment, a few hours making: a clean up logon and logoff script, a mandatory profile and policies will meet the requirements. No additional up-front costs, it is simple, reliable, scaleable (to a point, governed by environment), uninvasive and once implemented requires minimal upkeep, actually shouldn't need any. Unless requirements change, of course.
Semantics, semantics, semantics : )
-Eric
Can we split points?
Please so keep us in the loop. Hope it works, I am more than happy to assist should you have any questions or come across any difficulties.
-Eric
EW:
I most definitely did not mean to offend to condescend. I am big on "choose whatever the hell you want" with the underlying theory; re-architecting an existing solution, is wasteful, especially based off of favoritism. Assimilate....rounding off the edges so things are snug. Sometimes, though you have to. I didn't mean to belittle any suggestion, infact it is through these dialogues that solutions become well-defined.
Front-end effort is closer to preparation and implementation as opposed to maintenance or back-end, to which there is no end; it defines itself linearly (i.e. there is always tomorrow, yet tomorrow never comes"). Maintenance or back-end effort is what I consider overhead, overhead is typically a liquid variable. It is the unknown in TCO, however obtaining and maintaining CALs (in this instance) could be both front-end and back-end/overhead or just back-end overhead. Since this is an existing environment this is what I look at and how I classify phases and requirements.
1. Existing MS (assumed 2k or 2k3) infrastructure, with at least domain organization
2. Since the build out has already been done and without knowledge of systems specs, major infrastructure changes are avoided (I consider switching an unknown number of clients to a TS solution, a major change)
3. Conceptualization to implementation/integration
3. Costs; software, hardware, licensing, staff
4. Expected maintenance, estimated reliability,
5. Scalability
Based on the environment, a few hours making: a clean up logon and logoff script, a mandatory profile and policies will meet the requirements. No additional up-front costs, it is simple, reliable, scaleable (to a point, governed by environment), uninvasive and once implemented requires minimal upkeep, actually shouldn't need any. Unless requirements change, of course.
Semantics, semantics, semantics : )
-Eric
Can we split points?
Agreed, I just like to think outside the box. I used to be down on TS until I really implemented it and started using it now I think it is great. One job I went in was a factory of the future, they had around purchasing 3000 workstations and a big Windows server with an oracle database and custom java front end. They where congratulating themselves on negotiating a deal with Microsoft to the toon of around 3 million dollars (there where some other server etc also). I looked at what they where doing on the workstations it was all web based. Moved the server over to Linux ran thin clients on the manufacturing floor. Saved them big bucks and helped increase employee productivity...got a nice bonus. I agree it will not work everywhere, and believe it or not I am a big diehard windows person. I love kixtart and the things it can do, and with the new win2k3 server it looks even nicer.
ASKER
http://www.centuriontech.com/driveshield.htm
This is actually what I think my boss was looking for, but it is nice to be able to do it administrativly without spending any money on an app. Just thought you guys would like to know about it for future reference.
This is actually what I think my boss was looking for, but it is nice to be able to do it administrativly without spending any money on an app. Just thought you guys would like to know about it for future reference.
Ahh in that case take a look at the deep freeze software http://www.ezhdd.com/main.htm
ASKER
ewtaylor or anyone else,
Please know that I realize I'm swinging for the fences here, but do you know of any shareware that will (at the least) delete user loaded apps off their hard drive. Setting up mandatory profiles will work, but I need a way to get rid of the installed applications.
I will reward points for this information.
PS I wish we would just lock down the systems, but understand that isn't an option.
Please know that I realize I'm swinging for the fences here, but do you know of any shareware that will (at the least) delete user loaded apps off their hard drive. Setting up mandatory profiles will work, but I need a way to get rid of the installed applications.
I will reward points for this information.
PS I wish we would just lock down the systems, but understand that isn't an option.
The program I pointed out will do that it installs everything to a seperate protected partition that it basically reformats at each reboot. Are you looking for something in a shareware product to do this?
The easiest way (especially if all machines are the same) is to force a common install location on the user. Since it is a mandatory profile the HKCU will not make persistant changes to the HKU. A logoff script delete routine for that location (directory, volume, etc.) and on logoff load the, will take care of the files, since it is mandatory profile, all user enviroments will be reset and just call registry hive loads to clear up system referances, preventing orphaned registry referances. YOu will want to make sure that the default user profile and the all user profiles are read only as well.
Another way, is making use of RIS. But I do not know how flexible it is with 3rd party software. But if you went that route all installs would be done administratively initiated by the server. Then all users will be on the mandatory profile and you can lock everything down, via policy. Since installs and uninstalls are handled by you server side, the user install requirement is moot.
-Eric
Another way, is making use of RIS. But I do not know how flexible it is with 3rd party software. But if you went that route all installs would be done administratively initiated by the server. Then all users will be on the mandatory profile and you can lock everything down, via policy. Since installs and uninstalls are handled by you server side, the user install requirement is moot.
-Eric
EW:
What about the registry changes to HKLM, those are global changes (global for the system) and that is persistant. Deleting the files is not enough....
-Eric
What about the registry changes to HKLM, those are global changes (global for the system) and that is persistant. Deleting the files is not enough....
-Eric
Q. What is EZHDD?
A. EZHDD is a security/recovery system that drastically reduces PC maintenance by preventing users from saving permanent changes to the hard drive. Each time the PC is rebooted, all changes made by the user are reversed. EZHDD will not prevent the user from changing the registry, deleting programs, or installing software or viruses. It will, however, return the PC to its original condition when it is rebooted.
A. EZHDD is a security/recovery system that drastically reduces PC maintenance by preventing users from saving permanent changes to the hard drive. Each time the PC is rebooted, all changes made by the user are reversed. EZHDD will not prevent the user from changing the registry, deleting programs, or installing software or viruses. It will, however, return the PC to its original condition when it is rebooted.
deep freeze will reset the registry back to clean condition on reboot
ASKER
ewtaylor,
EZHDD is exactly what we need, but boss man is wanting to see if there is any shareware that will do basically the same thing (don't try explaining that the price is well worth it if you throw in administrative costs of maintaining 200-500 mandatory profiles ... got love politics). I am going to continue to try and convince him this is good, and to give the trial version a shot, but in the mean time if you know of any shareware that we could use as a comparison, that would be excellent.
Thanks.
EZHDD is exactly what we need, but boss man is wanting to see if there is any shareware that will do basically the same thing (don't try explaining that the price is well worth it if you throw in administrative costs of maintaining 200-500 mandatory profiles ... got love politics). I am going to continue to try and convince him this is good, and to give the trial version a shot, but in the mean time if you know of any shareware that we could use as a comparison, that would be excellent.
Thanks.
Ahhh....hmm....I might have to check that out.
Danke!
EW...you and me are on a few threads together...interesting.
Good luck Neo.
-Eric
Danke!
EW...you and me are on a few threads together...interesting.
Good luck Neo.
-Eric
Yes, and I am learning a lot from ya.... Keep up the good work!
What id Deep Freeze?
I am not quite clear here .
How can opening winzip or any application for that matter change the desktop image.
opening that is nothing to do with desktop image
Sunray