
Re: [fhctech] Re: Windows SteadyState - Possible future Deepfreeze Replacement?

  • Bill Henderson
    Message 1 of 13 , Dec 1, 2007
      It seems that this battle gets fought every year or so. Deep freeze is cheap, tested, and does the job (read Lynn Shaw's reply). If it ain't broke don't fix it.
       
      Bill H.  Santa Clara FHC

      Jonathan Studer <jonokinawa@...> wrote:
      I didn't have time to research it. I just ran across it today.
      Thanks for the info.

      --- In fhctech@yahoogroups.com, "Robert C. Harrison" <gizmo.rch@...> wrote:
      >
      > Why would you want to use a beta version, there is a stable version here
      > http://www.microsoft.com/downloads/details.aspx?FamilyId=D077A52D-93E9-4B02-BD95-9D770CCDB431&displaylang=en
      >
      > RCH
      >
      > ----- Original Message -----
      > From: Jonathan Studer
      > To: fhctech@yahoogroups.com
      > Sent: Thursday, November 29, 2007 11:22 AM
      > Subject: [fhctech] Windows SteadyState - Possible future Deepfreeze Replacement?
      >
      >
      >
      > I ran across this today and thought I'd share. The software is still in Beta so be warned.
      > I haven't tried it yet, but thought I'd pass it along in case someone else has time and wants to try it.
      > You can download it here:
      > http://www.microsoft.com/downloads/details.aspx?FamilyId=4DE91D3A-69F4-4D7B-94B1-C69B8BE029F4&displaylang=en
      >
      > I have nothing against Deepfreeze, I just always keep my eye out for new utilities that can make life a little easier.
      >
      > Here's an excerpt from the intro to the documentation.
      >
      > Introduction to Windows SteadyState
      >
      > Windows® SteadyState™ helps make shared computers easier to set up and maintain for administrators, and more reliable and consistent for computer users. By using Windows SteadyState, you can more effectively:
      >
      > -- Defend shared computers from unauthorized changes to their hard disks.
      > -- Restrict users from accessing system settings and data.
      > -- Enhance the user experience on shared computers.
      >
      > These capabilities make Windows SteadyState beneficial in situations where a computer is used by multiple people, such as schools, public libraries, community technology centers, and Internet cafés.
      >
      > Protecting Shared Computers
      > A unique challenge exists for shared computer environments. Microsoft software is designed to offer users a great degree of flexibility in their ability to customize their experience and to make changes to their computer settings. However, in a shared computer environment, administrators will typically not want to provide the full set of customization and change capabilities because doing so could allow changes to be made that affect the health of the computer and the experience for other users. On a shared computer, privacy and uniformity are very important elements of the maintenance and use of the system. Windows SteadyState helps an administrator protect a shared computer against unwanted changes.

    • Jonathan Studer
      Message 2 of 13 , Dec 3, 2007
        Thanks everyone for your feedback. I'm going to look into using
        Deepfreeze. Right now I use a combination of local Group Policy
        settings and folder redirection to keep things from getting saved to
        our machines and things from getting changed. I have all the my
        documents folders set to be redirected to a share on our 'server'.
        The desktop is also redirected to the server share and is set to
        read-only so it can't be modified.
        I restrict writing to the root of the C drive as well.
        Our machines are set up to auto login to this restricted user account.

        I don't have any problems with users changing things so I guess I'm
        lucky there. I configured this setup when the universal XP DVDs were
        released from FHC Support and I haven't had to rebuild or correct any
        problems since. I configured my setup and made an image of it. Now,
        when I set up a new machine I just drop the image on it, run the
        landesk config and voilà. (I periodically refresh the image). We're
        ready to go. We currently have 15 machines in 2 centers, and 4 more
        machines on their way to a third center. I'm also pretty lucky that
        all of these machines have identical hardware. I work in IT and was
        able to get all these machines donated to us.

        Anyway, just thought that I would share a little about our setup.
        Thanks again for the input.

        -Jon
      • Russell Hltn
        Message 3 of 13 , Dec 3, 2007
          On Dec 3, 2007 8:10 AM, Jonathan Studer <jonokinawa@...> wrote:
          > I have all the my
          > documents folders set to be redirected to a share on our 'server'.

          I thought about doing that but didn't for two reasons: PAFInsight
          saves a file to "My Documents" and it's not designed to be
          multi-access. That is, I wouldn't make all the computers point to a
          common "My Documents".

          Secondly, patrons may not realize that by placing a file in "My
          Documents" temporarily they are placing the file where any other user
          at the center can see it. Given that a PAF file can contain names,
          birth dates and mother's maiden name, I didn't want to surprise the
          patron that's trying to be careful with their family's information.


          > The desktop is also redirected to the server share and is set to
          > read-only so it can't be modified.

          Hmmm. So you have a common Desktop? I hadn't thought about that. I
          think I can reset the Patron Desktop to be "read only" without having
          to move it to the server.

          One thing I did do is separate Patron from the "All Users" for the
          Start Menu. I then created my own Start Menu for Patron. So they
          don't see those "uninstall" icons, or any other icon I don't want them
          to see. Plus I don't have to go clearing unwanted icons after I
          install a software package.


          But probably the most important thing I've done is set Patron to be
          just a User, not "Power User" as shipped from SLC. This severely
          limits what the patrons can do with the machine.
        • Jonathan Studer
          Message 4 of 13 , Dec 3, 2007
            > I thought about doing that but didn't for two reasons: PAFInsight
            > saves a file to "My Documents" and it's not designed to be
            > multi-access. That is, I wouldn't make all the computers point to a
            > common "My Documents".
            >
            > Secondly, patrons may not realize that by placing a file in "My
            > Documents" temporarily they are placing the file where any other user
            > at the center can see it. Given that a PAF file can contain names,
            > birth dates and mother's maiden name, I didn't want to surprise the
            > patron that's trying to be careful with their family's information.

            This was definitely a concern for us too. I talked to the director
            and we decided that the staff would just inform everyone when they
            come in that if they save something to the My Documents folder it is
            visible to everyone. Having it centralized has really helped a couple
            of people that seemed to only have their PAF file on a floppy disk
            and the disk became corrupt. I can think of at least 5 people that
            were able to grab a slightly older version of their PAF file and were
            very grateful for us having. We just leave all the paf files in that
            central location. It has also helped with someone that found several
            census pages and downloaded them as .jpg's file and then left the
            center forgetting to copy it to her flash drive. The next day she
            came back very stressed that she had lost the images, but to her
            great excitement we had them.

            >
            > > The desktop is also redirected to the server share and is set to
            > > read-only so it can't be modified.
            >
            > Hmmm. So you have a common Desktop? I hadn't thought about that. I
            > think I can reset the Patron Desktop to be "read only" without having
            > to move it to the server.
            >
            > One thing I did do is separate Patron from the "All Users" for the
            > Start Menu. I then created my own Start Menu for Patron. So they
            > don't see those "uninstall" icons, or any other icon I don't want them
            > to see. Plus I don't have to go clearing unwanted icons after I
            > install a software package.

            I have also done this. It just keeps everything really simple. The
            only things on the start menu for Patron are IE, the typical research
            databases, and Open Office.

            >
            > But probably the most important thing I've done is set Patron to be
            > just a User, not "Power User" as shipped from SLC. This severely
            > limits what the patrons can do with the machine.

            This is very good practice. I have done that as well.

            I have also set up a web page with links to all the usual websites. I
            then embedded this as an Active Desktop on the Patron Desktop. The
            page is hosted by IIS on the 'server'. I just update or add links and
            refresh the desktop and they show up.

            Another thing we do is leave the computers on all the time. We have
            the monitors set to turn off after 5 minutes of inactivity and have
            the hard disk spin down after 1 hour of inactivity. Then, I have a
            script that runs every night to reboot all of the Patron machines to
            ensure that when the staff comes in the next day everything is reset.
            We have a really busy center that is open 5-6 days a week and leaving
            the machines on really makes my life a great bit easier.

            In my 'spare time', I'm working on a script that will allow me to
            log off the current user (Patron) and log in a service account that
            will then execute a windows update and reboot the machine to have it
            autologin as Patron, saving me from having to do this manually.
            My 'spare time' has been few and far between lately as being a
            Scoutmaster takes most of my time.

            One last time saving step that I do involves the DSL Modem and the
            PIX firewall. It seemed like I was getting calls at least bi-weekly
            from the staff telling me that the 'Internet was down' (to which I
            promptly reply, Call Al Gore). The resolution was to power off the
            power strip that the modem and firewall were connected to and turn
            it back on. It resolved the problem immediately.
            To keep this from happening, I bought an inexpensive digital light
            timer. I set it to power off at 1:00 AM and power back on at 1:15 AM.
            I did this about 6 months ago and they haven't had the problem since.

            With all these things I've been able to set up the center so I only
            go in once a month (a week after Patch Tuesday) to install Microsoft
            updates if they didn't auto install.

            -J.S.
          • Russell Hltn
            Message 5 of 13 , Dec 3, 2007
              On Dec 3, 2007 11:51 AM, Jonathan Studer <jonokinawa@...> wrote:
              > This was definitely a concern for us too. I talked to the director
              > and we decided that the staff would just inform everyone when they
              > come in that if they save something to the My Documents folder it is
              > visible to everyone. Having it centralized has really helped a couple
              > of people that seemed to only have their PAF file on a floppy disk
              > and the disk became corrupt. I can think of at least 5 people that
              > were able to grab a slightly older version of their PAF file and were
              > very grateful for us having. We just leave all the paf files in that
              > central location. It has also helped with someone that found several
              > census pages and downloaded them as .jpg's file and then left the
              > center forgetting to copy it to her flash drive. The next day she
              > came back very stressed that she had lost the images, but to her
              > great excitement we had them.
              >

              I don't see how keeping "My Documents" on the local machine changes
              any of the success stories. I'm sure any computer user understands
              that anything left behind after they are done with the machine could
              be looked at by others, but to communicate that "My Documents" isn't
              private even temporarily is something that's probably beyond most
              people's computer abilities.



              > I have also set up a web page with links to all the usual websites. I
              > then embedded this as an Active Desktop on the Patron Desktop. The
              > page is hosted by IIS on the 'server'. I just update or add links and
              > refresh the desktop and they show up.
              >

              I've re-pointed the "Favorites" to the server and Patron only has read
              rights. Not unlike what you've done. Since I don't have a true
              server version of Windows, I have to watch the number of connections I
              make to our server. I'm not sure as I can add IIS without causing
              problems with the licensing.



              > One last time saving step that I do involves the DSL Modem and the
              > PIX firewall. It seemed like I was getting calls at least bi-weekly
              > from the staff telling me that the 'Internet was down' (to which I
              > promptly reply, Call Al Gore). The resolution was to power off the
              > power strip that the modem and firewall were connected to and turn
              > it back on. It resolved the problem immediately.


              Never had that problem. We leave it on 24/7. It's also located well
              away from the patrons so no one can tamper with it.