
Thread: No save for work stations

  1. #11
    Junior Member
    Join Date
    Jan 2006
    Posts
    12
    steve.milner:

    Please elaborate and educate on : "Citrux?"
    SP

  2. #12
    Junior Member
    Join Date
    Aug 2003
    Posts
    16
    You could use Deep Freeze on everything. http://www.faronics.com/index.asp

  3. #13
    I'm guessing I would have had to create a generic user and enabled Computer Configuration, lock it down and use "re-direct". Is my reasoning sound? Can the objective be done with locking down the computer only (I thought so, but I could not get it right)?
    I am not sure exactly what you are getting at here, but from what I know, all you should have to do is:

    On the OU that the state workstations reside in, define a GP that applies to machines only in the OU - there is a checkbox in GPMC to disable user policy. I.e. your filesystem settings, basically making C:\ and all subdirectories read only.
    Then if you want the user settings, they should already be inherited from the GP on whatever OU your user accounts currently reside in.
    ** Be careful that they don't conflict - may want to have the Machine policy override the user policy (again an option on the policy in GPMC)
    Or you could define a new OU with the users in the State that needs to be locked down and define a User only policy on that OU that has the complementary settings to your machine settings.

    As far as still being able to write a text file is concerned I would:

    Check which directories they can write to -> check the ACLs against your policy (the relevant directory may not be inheriting properly)

    If the ACLs look right, check your policies to make sure lower level policies or user policies are not overwriting the settings you are after.

    Basically, if the ACLs have the user having read only access they won't be able to write, so I would suggest it is an issue with your policy (the inheritance down the directory structure) or how it is being applied (is another policy overwriting it).

    Reiterating my warning to be careful:
    Note: - Be very careful changing ACLs on all folders, some applications may run with the users context and not be able to write critical application files (or temporary files) if you lock out the normal user accounts from writing to all folders such as temp.

    The other thing to think of is you will need to redirect their entire user profiles to State2 servers, as many applications use folders in the user profile to write temporary or configuration data. The user will definitely need write access to that, so this will need to be redirected to State2 Servers.

    As I said be very careful, make sure any changes you make are THOROUGHLY TESTED before you implement them otherwise you will have a few SCREAMING clients. You need to be especially careful about removing SYSTEM and the Administrators group from ACLs - this is especially NOT recommended.

    Good Luck but as I said you need to be VERY careful when doing this and personally I don't recommend doing it at all but particularly in a hasty/hurried manner.
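
An added example, not part of the original post: one way to do the "check which directories they can write to" step is to walk the tree and report every Allow ACE that gives an ordinary-user group write-type rights, together with whether it is inherited. The function name `Get-UserWritableDirectory` and the default principal list are assumptions for illustration.

```powershell
# Added example (hypothetical helper, not from the thread).
# Lists directories where the named groups hold rights that allow creating files.
function Get-UserWritableDirectory {
    param(
        [string]$Root = 'C:\',
        # Assumed set of "normal user" principals; adjust to your domain groups.
        [string[]]$Principals = @('BUILTIN\Users',
                                  'NT AUTHORITY\Authenticated Users',
                                  'Everyone')
    )
    # WriteData (0x2), AppendData (0x4), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
    # Modify and FullControl contain the first two bits, so they match as well.
    $writeBits  = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $dirs = @(Get-Item -LiteralPath $Root -Force) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        # Skip directories whose ACL cannot be read from the current context.
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }

            [pscustomobject]@{
                Path        = $dir.FullName
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited   # False = set explicitly on this folder
                # True = ACE applies to children only, not to this folder itself
                InheritOnly = (($ace.PropagationFlags -band $inheritOnly) -ne 0)
            }
        }
    }
}

# Explicit (non-inherited) entries sort first: these are where inheritance was broken or overridden.
Get-UserWritableDirectory -Root 'C:\' |
    Sort-Object Inherited, Path |
    Format-Table -AutoSize
```

Deny ACEs and group membership beyond the listed principals are not evaluated here, so treat the output as a list of folders to inspect, not as the effective permissions.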

  4. #14
    steve.milner
    AntiOnline Senior Member
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted here by sard0nicpan
    steve.milner:

    Please elaborate and educate on : "Citrux?"
    Google is your friend: http://www.google.co.uk/search?q=citrix+overview

    Try this one:

    http://helpdesk.its.uiowa.edu/citrix...s/overview.htm

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  5. #15
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Citrix isn't really an option to solve the problem, as it's only a way of connecting to a remote system. That part is easy. It's the securing of the local machine that he is having issues with.

    My question to you is, how far are they taking this? When you say you cannot save anything locally, does this include... swap file? tmp files? I think to really give an answer you need to know what is driving this request. The answer really depends on how far into the rabbit hole you are going.

    For the local servers, you can change the shares to be "read only" shares and not have to worry about the ACLs that are on the local drive (assuming no one logs in directly and that IT support is allowed to save stuff to them by this policy).

  6. #16
    Junior Member
    Join Date
    Jan 2006
    Posts
    12
    The answer was: nothing, nada, nyet on the local hard drives.

    This is why we pushed for the WYSE terminals--which we already possessed (see my earlier post). They basically wanted to turn PCs into terminals (rdp to terminal server), so we argued and argued and finally convinced upper management that what they really wanted were thin clients in State1.

    I'm still curious as to how the original task could be accomplished. We did some partial testing and found that either we would shut the PC down totally (make inoperable), or only get partway to the requested solution. One of us could always find a way to write locally--temp folders were an obvious hole.

    Thanks for the responses.
    SP

  7. #17
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Might want to have a look at Windows Disk Protection from the MS shared access toolkit...

    That being said, you should have been able to set ACLs to do what you wanted...


    Ammo
    Credit travels up, blame travels down -- The Boss
