How to install XP Pro in school securely?


grasshopper75

Hi,

I have just started working in a school looking after their PCs. It's only an infant school, so these guys are cool about me picking a few things up as I go along (although I'm A+, N+ and have one MCP, NOTHING substitutes experience!) So my question is this - I am using an NT4 server (SP6), that can't yet be upgraded. The clients are being upgraded to XP Pro because we have to (I love my local council!). I want to secure the computers so that they can't be messed with, especially the desktops. I also want a generic desktop for all users, preferably deployed over the network so I don't have to keep setting up each PC with shortcuts etc as I go along. Is this possible? What would you regard as the best way to approach this? Please go slowish as this is my first real networking job, so I'm hitting the ground running here! Go on, you remember what it was like when you started ..... don't ya?? Help!



A desktop that is managed by the NT4 server, that's going to be something that you have to let someone else worry about. I don't know much about NT4 server, but I think it's a safe bet that the task is much harder in that dated OS. Securing the computers requires a group policy, which is managed by the server. You will probably have to manually set one up on each of the computers because since NT4 is so old, it doesn't have all the options you should have to set the policy.

Man that old server is gunna give you a lot of fun. Upgrade all the computers to XP pro but keep NT4 on the server, your council is probably just a bunch of idiots who decided they wanted to use XP at work.


I don't know how valid this is for NT4, but you should look into implementing a mandatory roaming profile. This is a profile that is held on the server, and it is supplied to the machines when they log in...and since it's a Mandatory Profile, it doesn't save any changes. It's essentially read-only...a user can change things while they are logged on, but when they log off nothing gets saved.

Also, RIS would be an excellent tool for you...it would allow you to boot your client PCs and install an OS over the network. But...that's a feature that came out with Win2000, so you don't get to play with that.

Between Mandatory Profiles, RIS, and Group Policy you could lock down the machines very easily...but that would require at least Win2000.


To get XP onto all of the machines:

First how many machines and how many different models?

Three options:

1. Create an image the way you want it, sysprep it and then capture it. Deploy to other machines, works great if you only have 1 or 2 different kinds of machines.

2. Create unattended CD which does the install of OS, drivers, apps. Takes longer to deploy than images, but is flexible for any kind of machine as long as you have the drivers for that machine on the CD (search for BTS driverpacks).

3. Set up a RIS server and install machines remotely over network, great for a large number of machines, once up and working properly it can be done overnight to every machine you manage. But it requires a domain controller if I remember correctly, not sure if it will work with NT4.

Next, securing machines: depends upon how nice/cruel you want/need to be. First only give the users User rights. If they need to install something they have to come to you. (Alternatively, create an admininstall account which you deny logon rights to but allows users to use it to RUN AS for installs.)

If you want to be real cruel get a product called DeepFreeze, you can lock down the hard drive so that no changes can be made from within the OS. You just reboot and it's back to its virgin pristine state, it has built in options for updating the OS and virusscan. It's a really good idea to do this on student use machines.

If the users are roaming around and using multiple machines, roaming profiles are a good idea but I wouldn't implement it until you've upgraded the server. I'm assuming that each user has some network file storage of some kind to store their data so they would just have to be trained to keep their files in it.

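For the "only give the users User rights" advice in the post above, an added example (not part of the thread) that checks the text printed by `net localgroup Administrators` on each PC against an allow-list and flags any extra administrators. The host names, account names, allow-list and sample output are constructed, and the status-line match assumes English-language Windows.

```python
# Audit local Administrators membership from `net localgroup Administrators`
# output. Host names, account names and the allow-list are constructed.
ALLOWED = {"administrator", "school\\domain admins"}  # compared in lower case

HEADER = (
    "Alias name     Administrators\n"
    "Comment        Administrators have complete and unrestricted access\n"
    "\nMembers\n\n" + "-" * 79 + "\n"
)
FOOTER = "The command completed successfully.\n"  # English-locale status line

# Constructed sample output, one entry per PC.
SAMPLES = {
    "CLASS1-PC01": HEADER + "Administrator\nSCHOOL\\Domain Admins\n" + FOOTER,
    "CLASS1-PC02": HEADER + "Administrator\nSCHOOL\\Domain Admins\n"
                   "SCHOOL\\pupil07\n" + FOOTER,
    "CLASS1-PC03": "System error 5 has occurred.\n\nAccess is denied.\n",
}


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    lines = [l.strip() for l in output.splitlines()]
    rule = next((i for i, l in enumerate(lines) if l.startswith("-----")), None)
    if rule is None:
        # No member list at all (e.g. access denied): never report it as clean.
        raise ValueError("no member list in output")
    members = []
    for line in lines[rule + 1:]:
        if line.lower().startswith("the command completed"):
            break
        if line:
            members.append(line)
    return members


def audit(outputs, allowed=ALLOWED):
    """Map each host to its unexpected admins, or to None if unreadable."""
    findings = {}
    for host, text in outputs.items():
        try:
            extra = [m for m in parse_members(text) if m.lower() not in allowed]
        except ValueError:
            findings[host] = None
            continue
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in sorted(audit(SAMPLES).items()):
        print(host, "UNREADABLE" if extra is None else "unexpected: " + ", ".join(extra))
```

Hosts whose output could not be parsed are reported separately rather than treated as clean, so a failed query is never mistaken for a locked-down machine.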

Thanks Guys,

I think I need Windows 2000/2003 server, unfortunately, the school spend their IT budget on crapola like "wireless 11b access points, we can run around school with laptops now!" *sigh* The whole network's a mess, 10/100 hubs, daisy-chained! lol, it's true dudes, I might take a pic for your amusement...

Well, for now, I think I'll just have to edit each comp manually using gpedit.msc. Is there a way to set up group edit, then export its settings to the next comp, so I don't have to keep putting the settings in each time? Also, anyone know anywhere I can get access to some good logon scripts? Man, I know I'm gonna look back on all this in 5 years and chuckle, but there's one thing, I love doin this stuff! :)
