MS Shared Computer Toolkit
Date: 10/12/06
(IT Professionals) Keywords: programming, software, security, microsoft
Are any of you familiar with the Microsoft Shared Computer Toolkit? It's a handy little tool from Microsoft that allows you to optimize a user profile for shared usage, or as we've found, for stations or kiosks that need to perform a very specific task. We primarily use it as a means to prevent Windows from accumulating profiles as AD users log in - part of the toolkit is Windows Disk Protection, which redirects all "writes" to the Windows partition to a separate partition, then simply discards the changes upon a reboot.
I work at a university computer lab with approximately 4000 users connected to a school-wide Active Directory domain forest. Part of the predicament we are having is Administrator access. See, to even get into the door you have to be a computer science major, so these kids are a little more intelligent than your standard computer user. As CS majors, they're required to write programming assignments using Visual Studio and god knows how many debuggers. We fear that while one student uses his computer all night to further his research, another student is writing and installing a rootkit or a keylogger, another is serving porno movies he downloaded from Bittorrent, yet another is using his administrative rights to steal his peer's homework assignments, and another is logging everyone out with the shutdown command so he can build a botnet. As such, we've denied them Administrator rights.
If you can imagine hell, it's getting 30GB of specialized software to run in anything but Administrator mode. Students can't install it themselves, so we have to install it on an image and deploy it to a set of computers using Ghost. We use the Toolkit to facilitate this, as it automatically saves Microsoft Updates and is capable of running a maintenance script of our choosing when it runs (which calls another script on a network share). However, we have students and professors screaming at us to give them Administrator rights on the machines, and we're trying our damnedest to provide that to them. My questions for all of you are as follows:
As Administrator, the student would have full access to the hard drives, including the folder which holds the Toolkit. It holds that even if we lock the folder down with permissions, ownership, and security, another Administrator can just reverse all that and unlock it. Is there any way around this, so that only ONE administrator can modify ownership and permissions for a folder?
They can modify our maintenance scripts to run whatever they want, provided they disable or save changes to the drive with the toolkit first. I'm vaguely aware that Group Policy can forbid access to certain programs, but I've never used it. How simple is it to set up? Does that apply to EVERY profile created on the machine, including our own?
We're specifically eyeballing Faronics Deep Freeze to replace the SCT if necessary, but the free SCT appears to do all we need it to do. If you've used both, which did you prefer?
If you were in my situation, realistically how would you accomplish this? Assume you have roughly 200 identical computers shared between 4000 users in an Active Directory environment. You don't control the domain controller, but you have full control over a specific OU on the controller. We're simply looking for a way to allow Administrator access without the student saving any changes to the Windows Partition.
Thanks for your help!
~Elliot
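The concern above about students editing the maintenance script that the Toolkit calls from a network share can at least be made visible. The following is an added example, not code from the post or from the Shared Computer Toolkit: a wrapper that verifies the script's SHA-256 against a value the lab admin recorded at deployment and writes the result to the Application event log before running it. The share path, the hash placeholder and the event source name are assumptions.

```powershell
# Added example (not part of the original post): integrity check for the
# maintenance script the Toolkit's maintenance hook would otherwise call directly.
# The script is only executed if its SHA-256 matches the recorded known-good
# value; either outcome is written to the Application event log so that a
# modified script shows up in log collection.
# $ScriptPath, $KnownGoodHash and $LogSource are assumptions for illustration.

$ScriptPath    = '\\labserver\maint$\maintenance.cmd'   # assumed share path
$KnownGoodHash = 'REPLACE-WITH-SHA256-RECORDED-AT-DEPLOYMENT'  # placeholder
$LogSource     = 'LabMaintenance'                        # assumed event source

function Test-MaintenanceScript {
    # Returns $true only if the file exists and its SHA-256 matches the
    # expected value (case-insensitive hex comparison).
    param([string]$Path, [string]$ExpectedHash)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($actual -ieq $ExpectedHash)
}

# Register the event source once (requires local admin the first time).
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

if (Test-MaintenanceScript -Path $ScriptPath -ExpectedHash $KnownGoodHash) {
    Write-EventLog -LogName Application -Source $LogSource -EventId 1000 `
        -EntryType Information `
        -Message "Maintenance script verified; running $ScriptPath"
    & cmd.exe /c $ScriptPath
    exit $LASTEXITCODE
} else {
    Write-EventLog -LogName Application -Source $LogSource -EventId 1001 `
        -EntryType Error `
        -Message "Maintenance script $ScriptPath failed integrity check; not run."
    exit 1
}
```

Because a local Administrator can edit this wrapper just as easily as the script it protects, keep the wrapper and the recorded hash on the admin-controlled share and treat the event log entry as a detection signal rather than a preventive control.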
Source: http://community.livejournal.com/itprofessionals/44673.html