[27052] in resnet
Re: Windows 7 Labs in AD
daemon@ATHENA.MIT.EDU (Doughty, Marc)
Tue Nov 22 12:14:12 2011
Message-ID: <CAEPWjzvJvULgrK7u3-hvk-YuTExJoLE4FXMyAMHwzkQ7SQ+Rsw@mail.gmail.com>
Date: Tue, 22 Nov 2011 12:12:08 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Doughty, Marc" <marc_doughty@brown.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <4ECBD02C.5030607@wheatoncollege.edu>

Greetings,

I really feel that DeepFreeze is a cop-out. It can be useful in some
edge cases or in environments with overtly hostile users (like some high
schools), but Windows gives you pretty much all you need to keep computers
clean and safe without having to block-level revert the drives every
restart. With Windows 7's indexing, self-optimizing, and constant updates,
it's just as much work to dance around DeepFreeze as it is to 'build by the
book' using Microsoft's methods.

We have several hundred machines that have been running in the labs
without DF for two years, not a single one has been compromised yet, and
that was our biggest fear when people here started advocating for scrapping
DF.

Also, now I never have to look a user in the eye and tell them that all
their work is gone because the kid across from them accidentally (or
intentionally) pulled the table's power cord.

By the way, if you enable CIFS/SMB on your Novell servers and set the
NTLM Level to 'Send LM and NTLM, use NTLMv2 if negotiated' on the clients,
you can access Novell shares from the Windows boxes without the client
installed. Build Group Policies to map the appropriate Novell resources
as-needed.

- Marc Doughty
"If you aren't sure who is the give-way vessel, you are the give-way
vessel."

On Tue, Nov 22, 2011 at 11:39 AM, Brian Gibson <gibson_brian@wheatoncollege.edu> wrote:
> I'm not 100% sure but I think you might need to scrap DeepFreeze on those
> machines because the Windows 7 desktops need to change their computer
> account password in the domain periodically (every 30 or 45 days I think).
> If you put a machine back to a previous state the passwords might no longer
> match and the computer will need to be rejoined to the domain (again, not
> 100% sure of this). I do not know of a way to redirect a user's domain
> account to a local account, the two are totally separate. What we have
> found works well for us (after a lot of headache to set up) is VMware View
> set up in a Linked Clone floating (non-persistent) desktop pool. You get
> the same benefit as DeepFreeze in that when you log out the virtual desktop
> is nuked and put back to an original state.
>
> I think you have two options (again, thinking off of the top of my head...
> could be wrong).
>
> 1. Switch over your network and print shares to AD which will make
> printing and file share access seamless.
>
> 2. Maybe there is a connector to 'join' your Novell setup to AD?
>
> On 11/22/2011 11:14 AM, Jenni Piper wrote:
>
> We are in the process of moving our Windows lab machines to Microsoft's
> AD environment and have run into some bumps. Our current environment is
> eDir, which consists of a Novell client running on Windows 7, where a user
> logs in with their network credentials for network resources (network
> drives, printer access - iPrint). We are using Autoadminlogon to redirect
> all logins to a local account with the user profile configured for the
> various applications installed on the lab image. However, now that these
> machines are joining Microsoft AD, we are running into a problem where
> users are not being prompted for their network credentials if
> Autoadminlogon is enabled.
>
> We would like our Windows 7 computers that are joined to a domain to have
> domain users log in with their credentials but instead of creating a new
> local account that matches that domain account we want it to log in to a
> pre-configured local account. We have Deep Freeze installed on these
> computers meaning newly created profiles get wiped out at reboot resulting
> in long logins every time.
>
> How is your institution handling computer labs joined to a domain and user
> profiles?
>
> Jenni Piper
> Associate Director of Technology Services
> Eastern Mennonite University
>
> ___________________________________________________
> You are subscribed to the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives, go to
> http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________
>
>
> --
>
> ++++++++++++++++++++++++++++
> Brian Gibson
> Systems Administrator
> Wheaton College
>
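
Added example, not part of any message in this thread: a read-only PowerShell audit of the two client settings the thread touches on, the machine account password rotation Brian raises and the NTLM level Marc names. The function name and the -RevertsOnReboot switch are hypothetical; the registry values and Test-ComputerSecureChannel are standard Windows, and the defaults used when a value is absent (rotation on, 30 days, level 3 on Windows 7) are assumptions stated in the comments.

```powershell
# Added example: read-only audit of a domain-joined lab machine. Changes nothing.
function Get-RegValue($Path, $Name, $Default) {
    # Return the registry value, or the OS default when the value is not set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.$Name -ne $null) { return $item.$Name }
    return $Default
}

function Get-LabJoinAudit {
    param(
        # Hypothetical switch: pass it when the image is reverted at reboot or
        # logoff (DeepFreeze, non-persistent VDI). The script cannot detect this.
        [switch]$RevertsOnReboot
    )
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Assumed defaults when unset: rotation enabled, 30 days, level 3.
    $disableChange = [int](Get-RegValue $netlogon 'DisablePasswordChange' 0)
    $maxAgeDays    = [int](Get-RegValue $netlogon 'MaximumPasswordAge' 30)
    $lmLevel       = [int](Get-RegValue $lsa 'LmCompatibilityLevel' 3)

    # Needs an elevated prompt on a joined machine; any failure is reported.
    try   { $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { $channelOk = $false }

    $findings = @()
    if (-not $channelOk) {
        $findings += 'Secure channel is broken or could not be checked (not joined, not elevated).'
    }
    if ($RevertsOnReboot -and $disableChange -eq 0) {
        $findings += ("Password rotation is on (every $maxAgeDays days) for a reverting image; " +
                      'a rotation followed by a revert can leave the stored secret out of step with the domain.')
    }
    if ($lmLevel -lt 3) {
        $findings += ("LmCompatibilityLevel is $lmLevel; below 3 the client still sends LM and/or " +
                      'NTLMv1 responses. Scope it to the machines that need it and plan to raise it.')
    }

    New-Object PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        SecureChannelOk       = $channelOk
        DisablePasswordChange = $disableChange
        MaximumPasswordAge    = $maxAgeDays
        LmCompatibilityLevel  = $lmLevel
        Findings              = $findings
    }
}

Get-LabJoinAudit -RevertsOnReboot | Format-List
```

The NTLM level Marc names corresponds to LmCompatibilityLevel 1, so machines configured that way will show the third finding.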