[27055] in resnet
Re: Windows 7 Labs in AD
daemon@ATHENA.MIT.EDU (Isaac Holmes)
Tue Nov 22 15:18:34 2011
Message-ID: <086960B2AF09CC458C0AE60BE5D19D48189F07988F@ICE-MBX-6.ice.nd.edu>
Date: Tue, 22 Nov 2011 15:15:01 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Isaac Holmes <iholmes@nd.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <CAEPWjzvJvULgrK7u3-hvk-YuTExJoLE4FXMyAMHwzkQ7SQ+Rsw@mail.gmail.com>
We use DeepFreeze and currently are transitioning to Cleanslate. Normally when Deepfreeze is installed it will set the machine password reset policy to the maximum value. If you have a GPO security policy in place to force the reset you need to override this setting.
For user login each user logs in with their own user name and password and we have configured the Default user account that is applied to every new login the way that we want users to see their profile. Anything that could not be configured this way we handle via GPO preferences or user login scripts. The user has to wait a little longer while their profile is recreated after a reboot but it has worked out well for us so far.
Isaac Holmes
Client Engineering Specialist
OIT Distributed Engineering Support
University of Notre Dame
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Doughty, Marc
Sent: Tuesday, November 22, 2011 12:12 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: Windows 7 Labs in AD
Greetings,
I really feel that DeepFreeze is a cop-out. It can be useful in some edge cases or in environments with overtly hostile users (like some high schools), but Windows gives you pretty much all you need to keep computers clean and safe without having to block-level revert the drives every restart. With Windows 7's indexing, self-optimizing, and constant updates, it's just as much work to dance around DeepFreeze as it is to 'build by the book' using Microsoft's methods.
We have several hundred machines that have been running in the labs without DF for two years, not a single one has been compromised yet, and that was our biggest fear when people here started advocating for scrapping DF.
Also, now I never have to look a user in the eye and tell them that all their work is gone because the kid across from them accidentally (or intentionally) pulled the table's power cord.
By the way, if you enable CIFS/SMB on your Novell servers and set the NTLM Level to 'Send LM and NTLM, use NTLMv2 if negotiated' on the clients, you can access Novell shares from the Windows boxes without the client installed. Build Group Policies to map the appropriate Novell resources as-needed.
- Marc Doughty
"If you aren't sure who is the give-way vessel, you are the give-way vessel."
On Tue, Nov 22, 2011 at 11:39 AM, Brian Gibson <gibson_brian@wheatoncollege.edu> wrote:
I'm not 100% sure but I think you might need to scrap DeepFreeze on those machines because the Windows 7 desktops need to change their computer account password in the domain periodically (every 30 or 45 days I think). If you put a machine back to a previous state the passwords might no longer match and the computer will need to be rejoined to the domain (again, not 100% sure of this). I do not know of a way to redirect a user's domain account to a local account, the two are totally separate. What we have found works well for us (after a lot of headache to set up) is VMware View set up in a Linked Clone floating (non-persistent) desktop pool. You get the same benefit as DeepFreeze in that when you logout the virtual desktop is nuked and put back to an original state.
I think you have two options (again, thinking off of the top of my head... could be wrong).
1. Switch over your network and print shares to AD which will make printing and file share access seamless.
2. Maybe there is a connector to 'join' your Novell setup to AD?
On 11/22/2011 11:14 AM, Jenni Piper wrote:
We are in the process of moving our Windows lab machines to Microsoft's AD environment and have run into some bumps. Our current environment is eDir, which consists of a Novell client running on Windows 7, where a user logs in with their network credentials for network resources (network drives, printer access - iPrint). We are using Autoadminlogon to redirect all logins to a local account with the user profile configured for the various applications installed on the lab image. However, now that these machines are joining Microsoft AD, we are running into a problem where users are not being prompted for their network credentials if Autoadminlogon is enabled.
We would like our Windows 7 computers that are joined to a domain have domain users login with their credentials but instead of creating a new local account that matches that domain account we want it to login to a pre-configured local account. We have Deep Freeze installed on these computers meaning newly created profiles get wiped out at reboot resulting in long logins every time.
How is your institution handling computer labs joined to a domain and user profiles?
Jenni Piper
Associate Director of Technology Services
Eastern Mennonite University
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
--
++++++++++++++++++++++++++++
Brian Gibson
Systems Administrator
Wheaton College
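
One way to check the settings this thread discusses on a single lab client, as an added example that is not part of the original messages: it reads the Netlogon machine-password values and the `LmCompatibilityLevel` value from the registry and tests the domain secure channel. The function names are hypothetical, and the thresholds flagged (30 days, level 3) are the Windows 7 defaults, used here as assumptions about what to report.

```powershell
# Added example (not from the thread): audit one domain-joined lab client for
# the machine-password and NTLM settings the messages above discuss.
# Function names are hypothetical. Run elevated in Windows PowerShell.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the value is not set and the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return $null
}

function Get-LabDomainTrustAudit {
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $disable = Get-RegDword $netlogon 'DisablePasswordChange'
    $maxAge  = Get-RegDword $netlogon 'MaximumPasswordAge'   # days
    $lmLevel = Get-RegDword $lsa 'LmCompatibilityLevel'

    $findings = @()
    if ($disable -eq 1) {
        $findings += 'Machine account password rotation is disabled.'
    }
    if ($maxAge -ne $null -and $maxAge -gt 30) {
        $findings += "Machine password max age is $maxAge days (Windows default: 30)."
    }
    if ($lmLevel -ne $null -and $lmLevel -lt 3) {
        $findings += "LmCompatibilityLevel is $lmLevel; client still sends pre-NTLMv2 responses."
    }

    # A restored image whose stored password no longer matches AD fails this test.
    $secure = $null
    try {
        $secure = Test-ComputerSecureChannel -ErrorAction Stop
        if (-not $secure) { $findings += 'Secure channel to the domain is broken.' }
    } catch {
        $findings += "Secure channel test error: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        DisablePasswordChange = $disable
        MaximumPasswordAge    = $maxAge
        LmCompatibilityLevel  = $lmLevel
        SecureChannelOk       = $secure
        Findings              = $findings
    }
}

Get-LabDomainTrustAudit | Format-List
```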