How to configure domain so that the limited domain users lose their data and settings when they log off?

Hi friends !

I am a System and Network Administrator in an educational institute. I am running Windows 2003 Server Enterprise Edition as Domain Controller and DNS Server. On all the desktop computers in the labs, Windows XP Professional Edition is installed and I have brought all the computers under the domain, so now they can be controlled by a centralized server.

I made two partitions C and D.

C is system and boot partition ( I will only allow local and domain administrator group on this partition and remove everyone and domain users group to access this partition by removing them from ACL.)

D will be used for Data and students will be able to save their work temporarily on this partition.
 
2. I have created normal domain users named: LAB1, LAB2, LAB3 and LAB4 for each lab. All the students in LAB1 will use LAB1 username and corresponding password. Likewise, students in LAB2/LAB3/LAB4 will use LAB2/LAB3/LAB4 usernames and corresponding passwords.

I know that because the LAB1, LAB2, LAB3 and LAB4 user accounts are limited user accounts, they can't install or uninstall anything, they can format the partition. BUT...

Now, I want to know how I can configure all these computers so that when students use them and save some documents on D, then when they log off or when the computer shuts down, their data will be automatically erased. If they have changed the desktop screen or screen saver or changed the home page of Internet Explorer, none of these settings should apply after they log off and log on again.

(I will notify all the students on the screen of the computer that they save their data in flash or floppy (Removable Media) before logging off.)

Thanks,

Hemant
JatinHemant Asked:
 
KCTS Commented:
You can use a roaming profile for "limited users" and make it mandatory, that will help. However, in your situation something like "deepfreeze" may be invaluable. It can be used to "freeze" a computer's settings, forgetting everything that has happened at log off - see http://www.faronics.com/html/deepfreeze.asp
0
 
David Johnson, CD, MVP (Owner) Commented:
Get SteadyState from Microsoft for Windows XP: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
0
 
Firmin Frederick (Senior IT Consultant) Commented:
I'm sure there's a group policy for domains settings under administrative templates that caters for that - as far as the workstations are concerned.  You should check that out...or not :)
0

 
JatinHemant (Author) Commented:
Thanks ve3ofa, KCTS and SHIELD1 !

Hi KCTS !

You see, I explored the site link that you gave for Deepfreeze. But I can't buy any product like this because right now my department has some financial bars.

Second thing, you told me about mandatory profile for the user. You know my case. I have four labs and suppose in lab no. 1 I have 30 PCs, so if I create one user account named lab1user and make it roaming, then how to make it mandatory ? (I know that we need to rename one file user.dat to user.man, please tell me if I am right or wrong)

I have made roaming profile but not mandatory profile. Once I changed the user.dat to user.man but it didn't work. I don't know why ?

And one thing more...if all the 30 students will use this single account on different PCs and log on simultaneously then there will be no problem and once again...How to make a mandatory profile ?

And as SHIELD1 suggested, there are some group policies, I will check them. If you have some advice here on Group Policy then please give it.

Regards,

Hemant
0
 
Firmin Frederick (Senior IT Consultant) Commented:
Well, here's a possible scenario - I haven't tested it so be wary of unpredictable results!

Open group policy for editing - if you have the group policy management update, use this to open group policy to ensure you have the right one.

go to computer configuration, administrative templates, system, user profiles.

In the right hand screen enable these items:

delete cached copies of roaming profiles
prevent roaming profile changes from propagating to the server

and/or

only allow local user profiles

have a play :)
0
 
KCTS Commented:
Group policies and mandatory profiles have their uses but if you want to completely "reset" a machine to a pre-defined state while not restricting what users can do then DeepFreeze or something similar will have to be used.
0
 
Firmin Frederick (Senior IT Consultant) Commented:
Acronis True Image, I believe, has an option to reset the PC image to a previously stored state upon reboot - I'm not sure how the automation of that works...in addition it's fairly cheap.
0
 
JatinHemant (Author) Commented:
Thanks for your suggestions !

Let me do this exercise...I will let you know what I did but here, tomorrow and day after tomorrow, we have non-working days (Saturday and Sunday). So please continue your support.

Regards,

Hemant
0
 
David Johnson, CD, MVP (Owner) Commented:
SteadyState is free from Microsoft. And it is designed for exactly what you want.
0
 
JatinHemant (Author) Commented:
Thanks again for your suggestions !

I am exploring the utilities like SteadyState and Deepfreeze. Meanwhile, I tried to create a mandatory profile but I completely failed. In my question, I had also asked how to create mandatory profiles ?

Please see, what I did...

1. On domain controller (192.168.5.1), I created a user named: acuser
2. Again on domain controller, I created a folder for storing roaming profiles named: roaming. I gave read and write permission on this folder to domain users.
3. Then in the Active Directory Users and Computers, I went in the properties of acuser and in profile path I gave //192.168.5.1/roaming/acuser
4. Then I made an organizational unit and put the acuser and a computer named AC-PC001 in that OU.
5. Then I went in the properties of that OU and created a new group policy named: Roaming Profile.
6. Then I edited this GPO. I went in User Configurations--->Windows Settings--->Folder Redirections and then in Desktop and My Documents, I redirected them to //192.168.5.1/roaming

Now when I use computer AC-PC001 and log on as acuser, then I can clearly notice that my My Documents and Desktop folders are roaming and no longer exists on the local PC. They are on the server. Means Folder Redirection is OK

Now when I again logged on from client PC AC-PC001, I found that there is the local profile for this user and in that profile there is the file ntuser.dat

On AC-PC001, the file path is C:\Documents and Settings\acuser\ntuser.dat
and
On RDC domain controller in Roaming Profile of acuser the file path is ( \\192.168.5.1\roaming\acuser\ntuser.dat ), so I changed this filename on RDC to ntuser.man

BUT...whenever I logoff or I will log off from the client PC then in the logoff synchronization, the local file ntuser.dat will again replace the file ntuser.man in roaming profile. And if I change some settings on desktop of client machine while logging from acuser, those changes are replicated to domain controller profile and again reflect to the client machine. I don't want that the desktop wallpaper or any changes that I make should reflect in the roaming profile. Then what is the use of mandatory profile !!!!!!!!!!


Now please tell me where I am wrong. Where I made mistakes ?

Regards,

Hemant
0
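
A read-only audit of the two things this thread turns on, added here as an example and not written by any participant: whether the server copy of the profile at `\\192.168.5.1\roaming\acuser` holds `ntuser.man` rather than `ntuser.dat` and who is allowed to write to it, and whether the three User Profiles policies listed earlier are set on a workstation. The function names, the `AllowedWriters` list and the registry value names (`DeleteRoamingCache`, `ReadOnlyProfile`, `LocalProfile`) are assumptions of this example, taken as the values behind those policies.

```powershell
# Added example (not from the thread). Nothing here modifies files, ACLs or the registry.
function Test-MandatoryProfile {
    param(
        [Parameter(Mandatory = $true)][string]$ProfilePath,
        # Principals expected to keep write access (assumed list; adjust per domain).
        [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $findings = @()
    if (-not (Test-Path (Join-Path $ProfilePath 'ntuser.man'))) {
        $findings += 'ntuser.man not found: the server copy is not a mandatory profile'
    }
    if (Test-Path (Join-Path $ProfilePath 'ntuser.dat')) {
        $findings += 'ntuser.dat present: a writable hive exists in the server copy'
    }
    # Rights that let a logoff synchronisation create, overwrite or delete files,
    # plus the GENERIC_WRITE / GENERIC_ALL bits (0x50000000) some ACEs carry instead.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeBits = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                       $R::DeleteSubdirectoriesAndFiles) -bor 0x50000000
    foreach ($rule in (Get-Acl -Path $ProfilePath).Access) {
        $isAllow  = $rule.AccessControlType -eq 'Allow'
        $canWrite = ([int]$rule.FileSystemRights -band $writeBits) -ne 0
        $who      = $rule.IdentityReference.Value
        if ($isAllow -and $canWrite -and ($AllowedWriters -notcontains $who)) {
            $findings += "write access granted to $who"
        }
    }
    return $findings
}

function Get-ProfilePolicyState {
    # Registry values assumed to back the three User Profiles policies named in the thread.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $map = @{
        DeleteRoamingCache = 'Delete cached copies of roaming profiles'
        ReadOnlyProfile    = 'Prevent roaming profile changes from propagating to the server'
        LocalProfile       = 'Only allow local user profiles'
    }
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $map.Keys) {
        $enabled = ($null -ne $values) -and ($values.$name -eq 1)
        New-Object PSObject -Property @{ Policy = $map[$name]; Enabled = $enabled }
    }
}

# Server side: profile path as quoted in the thread. Client side: run on the lab PC.
Test-MandatoryProfile -ProfilePath '\\192.168.5.1\roaming\acuser'
Get-ProfilePolicyState | Format-Table -AutoSize
```

An empty result from `Test-MandatoryProfile` means the folder holds only `ntuser.man` and no principal outside `AllowedWriters` can write to it; group memberships are not expanded, so a finding for a group such as Domain Users covers every member.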