Answer the question
In order to leave comments, you need to log in
What are the best practices when setting up a computer lab for workgroups?
Win7Pro system So far,
the list is as follows:
- close the BIOS with a password
- Admin with a password and admin rights
- Student without a password with user rights (loaded automatically at system startup)
- Preinstalled set of programs
Group policies:
- Disable all desktop settings (wallpaper, colors, fonts , cursors...)
- Prohibition of connection and removal of the printer
-
Fixing
and prohibition of all taskbar settings (changing the composition of shortcuts, resize, drag and drop
) switch to Python)
(added) Software Restriction Policy (SRP):
- prohibition of launching programs except: Windows, ProgramFiles, ProgramFiles (x86), drive Z
Folders:
- "Student Files" folder on D with modification rights
- "Desktop" with removal of modification rights (so as not to turn the table into a trash can)
Not found how to prevent pinned apps from being dragged across the taskbar and desktop shortcuts.
Can you suggest something else?
Answer the question
In order to leave comments, you need to log in
You forgot one essential detail.
There are many programs that do not require installation, or are installed directly into the user's profile.
Therefore, you should configure software restriction policies - Software Restriction Policy.
Here is an example setup.
As a result, the user will be able to run only the programs specified in the policies.
Other executable files, even if it downloads, will not be able to run at all.
Regarding the ban on files - the entry should be allowed only in your folder and in your profile.
All other places are prohibited.
Desktop - yes, let them write, it's convenient for many, just delete everything superfluous with a script when the user logs in. As a result, every time a clean table.
You can also backup user profiles and restore them if necessary.
1. Disable booting from removable media (USB, etc.) in the BIOS.
2. Be sure to set a password for the built-in "Administrator" account, even if it is not used and is disabled.
3. Disable "System Restore" or delete restore points, otherwise a "surprise" is possible.
4. Deny flash drives for writing / reading in Windows if this does not interfere with the educational process. For example, you can copy any files to the "Windows\tracing" folder without administrator rights and, accordingly ... well, you understand))
5. If you have access to the Internet, then prohibit the installation of extensions in the browser ... I would use Chrome and limit it opportunities through GPO.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question