All 4 one, one 4 naught


DanaK

I can't believe it...

I have a school that has XP Pro workstations in each room
used by multiple students. Each student has their own
logon and home directory which means a new profile for
each student on each workstation.

Each room has one printer in it, usually a shared printer
connected to the teachers' computers. I set the
workstations in one room, all I had time for that day, in
the Administrator's profile to use the teacher's shared
printer assuming (silly me) that the printer would be
propagated to all students that happened to log onto the
workstations like the old W9x OS's would do. Now I find
after searching these and other tech forums that I need to
set up some kind of script for the workstations, I guess
on the DC, to have the same printer across all profiles?!

Should, or couldn't, this be a login script using the net
use command? Or could it be performed using Group Policies
assigned to specific computer groups?

Can someone please explain the logic behind this
foolishness? I have zero knowledge of Visual Basic and
less time to get a degree in this stuff just to have
minimal functionality with it.
 
On Fri, 21 Nov 2003 08:06:11 -0800, DanaK wrote:

=>Can someone please explain the logic behind this
=>foolishness? I have zero knowledge of Visual Basic and
=>less time to get a degree in this stuff just to have
=>minimal functionality with it.

AFAIK, it's to increase security. The architecture that
permits "propagation" of the printers from the admin
account to other accounts also permits other admin
functions to propagate. It assumes certain permissions
unless countermanded by explicit prohibition. XP is written
to force explicit permissions, rather than explicit
prohibitions. In fact the WinNT/2000/XP is written assuming
network users, and the security issues that go with it,
unlike the W3x/9x family, which are not much more than
fancy menuing systems built on top of DOS - fine for single
PCs, but with serious deficiencies in a network
environment.

You will have to create a user group other than Standard or
Restricted, and define its permissions. See the Help for
how to do this (basically, you select a group other than
Standard or Restricted.) Then you have to define group
membership for each student account.

A security rant (I used to teach computer studies, back in
Win3x days):

Make sure you don't allow students to mess around with the
system - read, write and print own files are all they
should be allowed to do. IMO, they should not be allowed to
see other people's directories at all, let alone copy files
from them, although some teachers think that's OK because
then they need only store a file for students to copy when
they are ready to work with it. Instead, the teacher should
send files to each student as and when needed - which
shouldn't be a great hardship. Students should not be
allowed to send files to each other over the network. If
they want to communicate, let them use their personal
e-mail accounts.

I recommend that you get a couple of reference books - in
your role they will prove invaluable.

HTH
 
Thanks Wolf. I do have Mr. Minasi's 3rd ed. tome on W2K
Server but it doesn't seem to cover this problem
specifically. Some scripting, yes.

I have set up home directories for the students that are
mapped automatically from their accounts in AD Users &
Computers and these seem to be working just fine. There
is an ongoing discussion regarding security that I keep
having with the teachers, as you seem to allude to.
Impressing on them the need for such has already borne
itself out with students sharing passwords and some other
things that they wouldn't believe when I told them.

Re: creation of accounts other than Standard or
Restricted - you're talking about accounts on each XP
workstation? I have created Student and Teacher security
groups on the DC. Students have rights to their home
directory only while teachers have full rights to all
student accounts. Haven't got ALL the teachers to come up
with decent cryptic passwords yet but I'm working on that
too. School administration has rights to just about
everything for attendance records, etc.

LAN organization is far from finished. I've just put this
together this school year and it's one of several school
projects I'm working on. All you can do is hit a lick
here and there and go on.

Thanks for your answers.
Dana
 
On Sat, 22 Nov 2003 07:26:32 -0800, DanaK wrote:

=>Thanks Wolf. I do have Mr. Minasi's 3rd ed. tome on W2K
=>Server but it doesn't seem to cover this problem
=>specifically. Some scripting, yes.

....snip...

I think you might get much better help on a networking NG,
since your issue really seems to be about how to set up
accounts centrally, and have them be accessible from any
workstation. That's something I could do, once, on Win3x,
but I have no idea what needs to be done w/ XP, especially
since you need limited permissions for the student accounts
(more limited than is usual in business situations.) I only
know how to set up accounts on one machine.

Good Luck.
 
OK, I've just talked to our area guru of networking a
couple of counties away and he's given me a way of doing
this.

He creates a user on each XP Pro workstation with all the
basic programs, printers &etc. After the profile is
created to your liking you then exit the profile and log
back on as an administrator, preferably as the workstation
administrator. In Explorer (I'm writing this as he
described it, I don't have an XP workstation in the office
otherwise I'd look) there's an Advanced Tab, I believe
under Tools, that allows you to copy a highlighted profile
to another profile, in this case Default User. This way
when a new person logs on the Default User profile is used
to create the new user's profile on the workstation and
this will include the printer.

I've used this technique back when I played around with
profiles in W95 but haven't done so since so I've pretty
much forgotten this and certainly didn't know anything
about the tool to copy one profile to another. Much more
efficient - as long as it works and beats taking a crash
course in VB.

Dana
 
On Mon, 24 Nov 2003 09:24:38 -0800, DanaK wrote:

=>OK, I've just talked to our area guru of networking a
=>couple of counties away and he's given me a way of doing
=>this.

thanks for sharing; will file for reference.
 
OK, after playing with this out at the school I need to
correct some things. The User Account copying occurs under
the System icon in the Control Panel, not Explorer. It's
under the Advanced tab.

The only thing I didn't see was a single button approach
to copying the profile into the Default User folder in
Documents and Settings. I performed this by copying and
pasting everything while in the Administrator profile to
each workstation in that room. Interesting. You can export
but you can't import.
 