WSGlebKavash, 2022-04-14 21:33:12

Temporary access and special rights in Windows?

Problem: students at a supplementary (after-school) education organization have uncontrolled access both to the Internet and to the resources of each individual PC. This leads to very unpleasant consequences, such as deletion of personal files (even when the separate account is password-protected), launching of unapproved programs, and launching of viruses that end in a Windows reinstall.
What we have: 100 desktop PCs and 45 laptops. The desktop PCs are connected to the network in a single fixed way and have static IPs set on them. Laptops can connect anywhere on the network. There are no shared servers and no domain.
Task: provide access with a temporary password for each session. Exclude local administrator rights. Send requests for elevated runs to an administrator. Organize containers for running programs that require administrator rights. Create an administrator password for trusted persons. Restrict access to sites for some users.

How should all this be organized correctly? How are networks generally set up in educational organizations for children aged 10-18? (We accept from 8 years old, but the little ones are under the STRICT CONTROL of the teacher.)


3 answers
shurshur, 2022-04-15

It is best to set up a domain. You can even use Samba without buying Windows Server (and yes, AD lets you do much more, and much cooler things, so if possible it's better to use it). Users should be centralized and trained to use a network drive for personal files.
I also had the experience of organizing a large fleet of computers in computer classrooms for programming olympiads. This is a very specific task of one-time use of the system, different from regular sessions. Unlike the 1990s and 2000s, when the number of development environments familiar to participants could be counted on one hand, nowadays dozens of different compilers and IDEs need to be installed. At the same time, all of this has to work stably during the olympiad. Even before me, VirtualBox was simply installed on all computers with a reference image, which was re-imported separately on each machine before each olympiad (a fun activity: running around with a pack of flash drives and doing it everywhere), but it was not very convenient, and it confused participants that they had to do something in the virtual machine window.
I set up Linux on all the machines, where a special user runs X without a DE or WM, with fullscreen VirtualBox running the target system (Windows XP) from the image. The reference image of the machine itself lived on LVM, and an LV snapshot of the image was handed to VirtualBox. Accordingly, before the olympiad, instead of the default system, all machines were manually booted into Linux, a script was run from the server (ssh with a key) on all machines to recreate the snapshot, and then you could simply enter the name of the desired user. After the olympiad the snapshot could be recreated, giving a clean reference system again.
On top of that, I distributed the system itself and the reference image with udpcast over IGMP multicast, which noticeably sped things up, even despite the unmanaged switches. The first time, all of this of course took a lot of time, but it was worth it. Most participants did not even know they were working in a virtual machine :)

Roman Bezrukov, 2022-04-15

Ideally - a domain and VDI

Igor, 2022-04-16

If you don't want to bother, buy an inexpensive NAS with a user-friendly interface that conveniently covers all your tasks. Some simple model, like a Synology DS118.
You get centralized storage without headaches, and it covers everything on your wish list for storing files: you can give each person a folder, make shared folders, and share resources even on a schedule, even over the Internet.
To keep children from running everything themselves, it is enough to strip users of administrative rights and password-protect the administrative account. Any action that requires elevation will explicitly ask for the administrator password, which can be walked over and typed in manually. If you want to go further, you can find cheap tokens on sale (for example a YubiKey: inexpensive and practical) that plug into USB and, at the press of a button, fill the input field with a static string. The teacher has one such key, and the passwords can then be made very complex; just don't lose the token.
As a container for applications, Sandboxie can be ideal: an open-source project for solving exactly these problems.
The domain options above will undoubtedly solve all the problems, but they will turn out noticeably more expensive (server, server OS, a specialist to set everything up, or a lot of your own time). And with budgets in the education system, they say, things are tight.
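The standalone-PC approach from the answer above (standard user only, admin account password-protected, UAC credential prompt answered by the teacher) plus the per-session temporary password from the question, as an added example script that is not part of the original thread. It targets a workgroup Windows 10/11 machine and must run elevated. The account names Student and ClassAdmin are placeholders; the site-restriction and Sandboxie parts of the task are not covered here.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original thread). Locks down one standalone
  Windows PC: the shared student account is a standard user with a fresh
  random password each session, nobody but the teacher's account keeps local
  admin rights, and elevation by a standard user raises a UAC credential
  prompt on the secure desktop that only the teacher's password satisfies.
  Assumed names: 'Student' (shared session account), 'ClassAdmin' (teacher).
#>
param(
    [string]$StudentUser  = 'Student',
    [string]$TrustedAdmin = 'ClassAdmin'
)

# Cryptographically random password from an unambiguous alphabet (no 0/O, 1/l/I).
# Rejection sampling keeps every character equally likely (no modulo bias).
function New-SessionPassword {
    param([int]$Length = 14)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'
    $limit    = [math]::Floor(256 / $alphabet.Length) * $alphabet.Length
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

# 0. Guard against locking yourself out: the trusted admin account must exist
#    and be in Administrators before anyone else is removed from that group.
if (-not (Get-LocalUser -Name $TrustedAdmin -ErrorAction SilentlyContinue)) {
    throw "Create the trusted admin account '$TrustedAdmin' first."
}
Add-LocalGroupMember -Group 'Administrators' -Member $TrustedAdmin -ErrorAction SilentlyContinue

# 1. Temporary password for this session: (re)set it on the student account.
$plain  = New-SessionPassword
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
if (Get-LocalUser -Name $StudentUser -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $StudentUser -Password $secure
} else {
    New-LocalUser -Name $StudentUser -Password $secure -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Shared student session' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $StudentUser
}

# 2. No local administrator rights for any local user except the trusted
#    account and the built-in Administrator (disabled in step 4).
$keep = @($TrustedAdmin, 'Administrator')
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object {
        $short = $_.Name.Split('\')[-1]
        if ($keep -notcontains $short) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $_
            Write-Host "Removed $short from Administrators"
        }
    }

# 3. UAC: keep it on (EnableLUA=1); a standard user who starts something that
#    needs elevation gets a credential prompt on the secure desktop
#    (ConsentPromptBehaviorUser=1), which the teacher answers in person.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name EnableLUA                 -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorUser -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name PromptOnSecureDesktop     -Value 1 -Type DWord

# 4. The built-in Administrator is a standing target on every PC; keep it disabled.
Disable-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue

# Hand the session password to the teacher on screen; do not write it to a file
# that the student account can read.
[pscustomobject]@{ Account = $StudentUser; SessionPassword = $plain }
```

Run it at the start of each lesson (for example from a scheduled task or over WinRM across the 145 machines); the previous session's password stops working the moment it runs. Two caveats a practitioner should keep in mind: the UAC credential prompt is typed on the student's keyboard, so the teacher (or the static-string token from the answer above) must enter it rather than reading it out, and EnableLUA changes only take effect after a reboot.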
