Setting up Disk Quota on Client Machines

[liger]

I have a Domain Controller (Windows Server 2003 SP1) with AD and 22 client machines (Windows XP Pro SP2) under this domain.

I am having trouble setting up the client machine to do the following. I need to setup the client machines in this domain so that when a user logs on to the machine they can only use upto 50 MB of the HDD space temporarily. That is, any changes a user makes won't be permanent. The disk quota on the local hard drive volume doesn't seem to accomplish this task.

What I think I have to do is:

1. restrict users to write to a certain location (ex. folder) in the HDD

2. write a script to wipe out contents in that location whenever a user logs in or out

Has anyone done a similar task before? Please let me know if there is a better way to implement this.

I am having trouble finding out any references to doing this. If anyone knows where to begin, please let me know.

Thank you very much in advance.

[fizban2]

Mandatory profiles would be a good way to go, once you set one up, each time the user logs on it will reset the profile to the original settings. as for the 50 Mb limit, is there a real specific reason to have this?

[cluberti]

You could probably have better luck with 3rd party utilities, because although you can set some quota policies in a GPO, there's no real easy way to "roll back", nor limit users to specific areas of the disk (short of locking the box down tight with NTFS permissions, which usually ends up breaking applications). DeepFreeze comes immedately to mind for this scenario...

[liger]

Thank you for both of your suggestions. I will look into mandatory profile as well as DeepFreeze.

As for fizban2's question about why we are implementing this restriction, I am working at a school and people increasingly uses those machines to download illegal files from the internet. To minimize the abuse, the school decided to put this restriction on those machines. They will still be able to save their work on their NFS share, but not on the local machines.

I have seen machines which has two partitions and disallow users from accessing the primary partition. I think I can do this, but it seems to me that it is absurd to make 50 MB partition for such purpose. I will keep looking for a better way to implement this.

Edited August 2, 2006 by liger

[fizban2]

if you looking to deal with illegal file downloads you may be better off at not allowing apps like bit torrent and such to be installed, also blocking the ports they go through, also blocking webpages that host those files, that may proved easier to do or at least have a more universal approach to effectively block all such activities on all machines.

[playsafe]

if you looking to deal with illegal file downloads you may be better off at not allowing apps like bit torrent and such to be installed, also blocking the ports they go through, also blocking webpages that host those files, that may proved easier to do or at least have a more universal approach to effectively block all such activities on all machines.

I agree, but what if a user simply download files from different sites. Blocking bit torrent or specific ports will not do it. And by adding web pages to block list it will be a continous procedure (although i do it, ans it is very helpfull but you do it when u now about that website).

1. restrict users to write to a certain location (ex. folder) in the HDD

2. write a script to wipe out contents in that location whenever a user logs in or out

What if for some reason system goes out of network and a student has worked on some document. In that case, user will not be able to save it on his network share, and if he saves the file locally it will be removed at log off. That will not be a good senario.

IMO, system should have two partitions. C should have readonly and List Folder for Users. Same for D drive, but then a local user folder in D drive should have full rights for users (by not inheriting parent properties down to this folder only). And then simply apply qouta.

what is your opinion, I may be wrong..

Edited August 3, 2006 by playsafe