Solved

Profiles, Policies with Server 2008 for XPP and Vista Bus

Posted on 2009-04-13
Last Modified: 2013-11-05
I need some advice and instruction on how best to streamline and secure a new network. I have a new 2008 Standard Server. I have 80+ students that move around to different classes, and in some classes they have computer access and assignments to do on the computer in a variety of programs (Word, Excel, Photoshop, PowerPoint, typing programs, web browsing, and printing to classroom computers). There are a total of 30 computers the students have access to during the school day. They are a mix of XP Pro and Vista Business.

I would like the students to have access to only the items that they need and not to anything else. I would like the desktops to all have the same wallpaper, the same desktop icons, the same start menu, the same programs folder list in the start menu. Students should not be able to browse to other students files. I do not want the students to be able to install any programs or make changes to the computer settings (desktop, icon names, screen sizes, etc).

I have the server and three computers (two Vista B and one XPP) in a lab to test the setup of the above requests. I have tried what I thought would be a simple policy to change the background of an OU to a picture located in a server share, but I cannot get it to consistently work (for some users it appears and for others it does not, and it never shows up on the XP machines). All Student users (so far just a few test student names) on the server have been assigned to the OU named Students and I applied the policy to that OU.

Here are my questions:

1. What would be best for my scenario: Roaming profiles where the user's application data, Documents, pictures and  copied to each machine, or Redirected folders where the Documents and Pictures are redirected to the user's home folder? Could you point me to a link that explains the way to do each one? (Our campus is large and has one building with 20 student computers connected to a managed switch that has a fiber backbone to the server room and another building with 10 computers that also have a managed switch that has a fiber backbone to the server room.)

2. How do I create a policy(s) that allows the desktop to be locked, icons assigned, background assigned and permissions to not change or delete the icons on desktops on both Vista and XPP?

3. How do I create a policy that only shows a limited or customized Start menu? For example I would like a folder on the Programs list named PC Courses that contains links to all of the programs that they would need in that course. I would like to list other programs in the Programs list for general programs, such as Word, PowerPoint and IE. Is there a way to only display shortcuts to programs that are installed on that PC? For example the Library PCs do not have Photoshop, but the PC Lab PCs do. Can I not have the icon for Photoshop displayed on the Library PCs?

4. I would like to limit the size of each student's profile to 1 GB or less. This is to save on storage space and help increase the load time when logging in.

5. Set a default printer to the computer based on its location (i.e. the library computers only print to the library, the classroom printer prints to the classroom printer; all printers in this case are network printers with NIC cards built in, they are not shared via a PC).

If I can provide more information to help clarify anything I will,  just be specific and cordial.

Thank you.

0
Comment
Question by:alansean
2 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24136842

>> What would be best for my scenario: Roaming profiles where the user's application data, Documents, pictures and  copied to each machine, or Redirected folders where the Documents and Pictures are redirected to the user's home folder? Could you point me to a link that explains the way to do each one?

You don't want to use Roaming Profiles for data storage; it's Folder Redirection all the way. This means data is stored and accessed directly from the server, giving very fast and efficient logon/logoff times. Folder Redirection is configured in Group Policy, and is very easy to configure.

>> How do I create a policy(s) that allows the desktop to be locked, icons assigned, background assigned and permissions to not change or delete the icons on desktops on both Vista and XPP?

Create a server share, and configure Desktop redirection to that share. Provided students do not have write privileges to that share, they will have locked down Desktops. You can drop icons into that share to appear on all student desktops, but they won't be able to add to or delete the icons.

Force-assigning a background image can be particularly difficult. What I generally suggest is to make your background image a BMP file, then enable Active Desktop through GPO and assign that BMP from a network share as the background through that GPO.

>> How do I create a policy that only shows a limited or customized Start menu? For example I would like a folder on the Programs list named PC Courses that contains links to all of the programs that they would need in that course. I would like to list other programs in the Programs list for general programs, such as Word, PowerPoint and IE. Is there a way to only display shortcuts to programs that are installed on that PC? For example the Library PCs do not have Photoshop, but the PC Lab PCs do. Can I not have the icon for Photoshop displayed on the Library PCs?

Folder Redirection to a "Start Menu" network share would work for the most part. That would, however, show the same shortcuts on all PCs. You could use a Folder Redirection policy for the generic shortcuts which are on all the PCs, but you'd need to use the C:\Documents and Settings\All Users\Start Menu\Programs folder on each PC with Photoshop installed if you just wanted the shortcut to that program to appear on the PCs where it is installed.

>> I would like to limit the size of each student's profile to 1 GB or less. This is to save on storage space and help increase the load time when logging in.

There's probably no need to use Roaming Profiles, so there's no need to limit the actual profile size. You can use quotas server-side (look in File Server Resource Manager, after you've installed the File Server role) to control how large users' documents folders etc. can grow to on the server.

>> Set a default printer to the computer based on its location (i.e. the library computers only print to the library, the classroom printer prints to the classroom printer; all printers in this case are network printers with NIC cards built in, they are not shared via a PC).

Group Policy Preferences would be ideal for doing that. You'd first have to install the Print Server role and map a connection from the server to each printer, then share the printers from the server. You'd need to separate all the Computer Objects into their own OUs based on physical location (an OU for Library, OU for Lab 1, OU for Lab 2 etc.). Then, create a new policy for each location, and configure Group Policy Preferences to push out the printer (\\servername\printer_share_name) for that particular location.

I hate to have to say this, but some of these topics can become very complicated. Can I suggest that if you want to discuss any in more detail, you split them up into separate questions here on the site?

-Matt
0
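The accepted answer relies on two server shares: a Desktop share students cannot write to, and a redirected Documents root where each student reaches only their own folder. The following is an added example, not part of the original thread, of one way to set the share and NTFS permissions for both from PowerShell on the file server; the domain `EXAMPLE`, the group `Students`, the `D:\Shares` paths and the share names are assumptions.

```powershell
# Added example; EXAMPLE\Students, D:\Shares\... and the share names are
# assumed values, not taken from the thread. Run elevated on the file server.
$students = 'EXAMPLE\Students'

# --- 1. Common Desktop share: students may read and launch, never modify ---
$desktop = 'D:\Shares\StudentDesktop'
New-Item -ItemType Directory -Path $desktop -Force | Out-Null
icacls $desktop /inheritance:r          # drop ACEs inherited from D:\Shares
icacls $desktop /grant 'Administrators:(OI)(CI)(F)' 'SYSTEM:(OI)(CI)(F)' `
                       "${students}:(OI)(CI)(RX)"
# Share permission is READ as well, so a later NTFS mistake does not open writes.
net share "StudentDesktop=$desktop" "/GRANT:$students,READ" '/GRANT:Administrators,FULL'

# --- 2. Redirected Documents root: one private subfolder per student ---
$docs = 'D:\Shares\StudentDocs'
New-Item -ItemType Directory -Path $docs -Force | Out-Null
icacls $docs /inheritance:r
# Students get rights on the root folder only (no inheritance flags): list it,
# traverse it, and create their own subfolder. CREATOR OWNER (inherit-only)
# then gives full control of that subfolder to whoever created it, so one
# student's folder carries no ACE for any other student.
icacls $docs /grant 'Administrators:(OI)(CI)(F)' 'SYSTEM:(OI)(CI)(F)' `
                    'CREATOR OWNER:(OI)(CI)(IO)(F)' `
                    "${students}:(RD,AD,X,RA)"
net share "StudentDocs=$docs" "/GRANT:$students,CHANGE" '/GRANT:Administrators,FULL'

# --- 3. Review the result before pointing the Folder Redirection GPO at it ---
icacls $desktop    # expect Students with (OI)(CI)(RX) and no write rights
icacls $docs       # expect Students with a non-inherited entry on the root only
net share StudentDesktop
net share StudentDocs
```

After a test student logs on, run `icacls` against the subfolder that redirection created under `D:\Shares\StudentDocs` and confirm that only that student, SYSTEM and Administrators appear on it.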
 

Author Comment

by:alansean
ID: 24138009
tigermatt

Thank you for the reply. I agree that it is a rather long and probably very detailed list of questions. I may still break them up into individual questions, but I first wanted to give an overall picture of what I was doing.

I will try all of your suggestions when I get back to the school and if needed I will create a new question(s).

Thank you
0
