8

We're a small college, where every student is assigned an Active Directory account. We have a couple computer labs where the machines are all joined to the domain and students can log in to any machine. Over the course of a semester, most students will log in to most machines.

In the past, under Windows XP, we have managed this using the old Copy Profile functionality, along with a product called Deep Freeze, such that profiles are effectively cleaned up automatically. A lot of schools have used this technique successfully for a long time.

Unfortunately, Windows 7 breaks all this. We can no longer use the Copy Profile feature to prepare template profiles for the workstations. Group Policy could work for setting up the machines, and this is the official method for handling the problem. Unfortunately, this doesn't work as well, for two reasons. The first is that Group Policy is nowhere near as friendly for setting up the profile tweaks. We can't move as quickly on changes we want to make, and some things can only be done to the machine before running sysprep (which would require more frequent re-imaging of the entire OS). The result is that we end up with a less-polished desktop experience.

We could bite the bullet on that first issue, but the second issue is that all the group policy settings result in incredibly slow login times when used in conjunction with Deep Freeze, because you have to re-apply nearly all the GP tweaks with every login. Windows 7's improved security features over XP (namely UAC) allow me to feel comfortable trying a semester without Deep Freeze... except that we'd still end up with hundreds of user profile accounts on each machine by the end of each semester, and that's after putting in more work to get group policy set up to produce a diminished result.

So are there any suggestions for better ways to approach this problem?

We want to do things like map the documents libraries to network shares, set a default wallpaper, add specific shortcuts to the bookmarks toolbars in IE and Safari (we deploy Safari because we have a 1:1 iPod Touch program and need iTunes as well), and lots of other tweaks to these public workstations. We want to be able to do it quickly, where we can get good feedback on the results of a change, and we need to do it so that hundreds of users can log in with their Active Directory credentials. We've gone down the roaming profile path in the past, and that's not really a good option either.

Currently our domain controllers are still running Server 2003, and we'd also much rather use CloneZilla than sysprep to handle imaging the machines.

I'm also reluctant to use group policy simply as a matter of workflow. When we could use template profiles, if you found something you wanted to change you just logged in as the correct user, changed it, logged out, and the change would be applied the next time we updated the machines. Now we have to hunt down the right GP setting, if it even exists. It could take more than an hour to complete what used to be a five minute thing.

Joel Coel
  • 1
    What do you consider a "slow" login to be? I work for a college in the UK where we're currently working through planning a w7 migration and we're using mandatory profiles for students, roaming for staff and nothing like deep freeze and get login times that are acceptable for us (about 30 seconds for staff, where the profile already exists and isn't being created as part of the login process). As for the profiles left behind on machines, there is a GPO setting to tidy up unused profiles, if that helps. – Rob Moir Dec 22 '11 at 17:51
  • I may need to read up on mandatory profiles, if that lets me do some of what I'm missing right now. Not sure how you are measuring login times, but right now it's generally pretty quick. Our tests so far have shown _much_ slower times having to apply changes from GP vs just loading a profile already on disk. – Joel Coel Dec 22 '11 at 17:55
  • Also, even with cleaning up inactive profiles, we'd still have some machines with upwards of 400 profiles on them at one time, and I don't see how that's a good idea. – Joel Coel Dec 22 '11 at 18:00
  • I have to say that I've not seen any problems from having *active* profiles cached on machines - similar numbers to yours. Where a profile exists on the network, whether as a roaming or mandatory profile, performance has been fine for us. For staff accounts on their first login (e.g. where their roaming profile gets generated for the first (and hopefully only) time ever on the *domain* (not the machine)) then yes, it's very slow, but this only happens very occasionally for staff and is a non-issue for student accounts for us. – Rob Moir Dec 22 '11 at 18:07
  • 1
    Not trying to criticise with my comments by the way, I'm actually very interested in hearing how other educational establishments are doing things in case there's a neat twist we've missed. Also, are you aware of edugeek? www.edugeek.net – Rob Moir Dec 22 '11 at 18:08
  • No criticism taken. One follow up... our experience is that GP works okay and is fast enough only as long as you take a minimalist approach to the settings... define a setting for only those things you need to, and leave the rest unset. If you have a **lot** of tweaks (which we want to do), it can get very slow. Also, we're only looking to set defaults, and not enforce the settings. Many GP settings lock out the user from making changes, and we really only care about the initial state of each profile. – Joel Coel Dec 22 '11 at 18:28
  • @Joel I think that part of your issue may be with Deep Freeze. Have you considered Windows Steady State? It used to be a separate product from MS, but is now built into Windows 7. – MDMarra Dec 22 '11 at 22:11
  • @MDMarra It was slated to be included in windows 7, but then sadly dropped altogether instead. BTW, I'd love to be proven wrong on this, so if you have a link somewhere that shows how to set it up I'd really like to see it. – Joel Coel Dec 22 '11 at 22:15
  • I don't. Sorry. We don't use it at my university, we manage settings, etc through GPO. I remembered reading about its inclusion a while ago. Too bad it seems to have not happened. – MDMarra Dec 22 '11 at 22:18
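
The question and comments above raise the problem of hundreds of cached profiles accumulating on each lab machine. As an added example (not code from the original post or its commenters), this PowerShell 2.0-compatible function prunes profiles that have not been used within a retention window; the function name, the 30-day default and the `KeepAccounts` list are assumptions for illustration.

```powershell
# Added example: prune cached profiles that have not been used recently.
# Uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with Windows 7.
function Remove-StaleProfile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$DaysUnused = 30,                        # assumed retention window
        [string[]]$KeepAccounts = @('Administrator')  # assumed profile folder names to protect
    )

    $cutoff = (Get-Date).AddDays(-$DaysUnused)

    Get-WmiObject -Class Win32_UserProfile | Where-Object {
        -not $_.Special -and   # skip system profiles (SYSTEM, LocalService, NetworkService)
        -not $_.Loaded -and    # skip anyone currently logged on
        $_.LastUseTime         # skip profiles with no recorded use time
    } | ForEach-Object {
        $lastUse = $_.ConvertToDateTime($_.LastUseTime)
        $leaf    = Split-Path -Path $_.LocalPath -Leaf   # profile folder name

        if ($lastUse -lt $cutoff -and $KeepAccounts -notcontains $leaf) {
            if ($PSCmdlet.ShouldProcess($_.LocalPath, "Delete profile last used $lastUse")) {
                # Deleting through WMI removes the profile as a unit,
                # rather than leaving a registry entry behind for a missing folder
                $_.Delete()
            }
        }
    }
}

# Dry run: reports what would be removed without deleting anything
Remove-StaleProfile -DaysUnused 30 -WhatIf
```

Run it elevated, and drop `-WhatIf` only after reviewing the dry-run output on a test machine.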

4 Answers

2

Have you used group policy preferences before? We use GPP and it works fantastic. We have a TON of settings that we deploy and it applies fast. The nice thing about GPP is it can be used to set defaults (for example the default home page) and NOT reapply once initially set. You can do things like custom reg entries, file copies, mapped drives/printers, desktop backgrounds, etc. Pretty much anything.

Secondly, login scripts combined with GPP is another nice option. There may be more complex things you need to do (for example with us, we needed to load an Office plugin in Excel) that a script is better suited for.

I would simply suggest Googling "group policy preferences".

One more bit that I forgot about, if you want software to manage this, the solution you might be interested in is a technology called "User Virtualization". The following two companies have a popular product.

  1. AppSense
  2. RES Software

Eric C. Singer
1

What you really should do is deploy VDI, e.g. Citrix XenDesktop. In the typical configuration each user gets a virtual machine which is reset to a pristine state at logoff. The VM image is being streamed via "Provisioning Services" from one single master image, which is the only thing you need to touch when you want to change the user environment. As a bonus you get easy versioning and rollback because the master image is stored in multiple versions. Make a change and roll back easily if it does not work out.

Implementing VDI is not trivial, though, and needs some time, although Citrix tries to make it look simple.

Helge Klein
0

I'm curious about this one as I do consulting for a school and have settled on group policy. Group Policy with Server 2008 R2 and Windows 7 clients can manage the settings you mention, if login times are long it is possibly due to network or server performance issues that can be fixed with good network and server design.

Group policy can sometimes seem that it takes a long time to change the setting.

I've found a few things to get this to work faster. One is to create a PowerShell script that replicates changes between logon servers on command. The other is to create a script that forces a remote gpupdate /force on machines. So you make your changes, run the replication script, then run the gpupdate script. Then the user does a restart or log off (depending on the settings, some take a restart or two).

I'm wondering if your network shares are up to the performance impact of lots of users' Docs directories? Do you have a good enterprise network administrator who can make sure your switching and routing design is solid? I've seen school labs with 60 machines, filled with students trying to watch YouTube, on a 10/100 uplink to the core network.

Deep Freeze certainly sounds like it could have performance implications, I'm wondering if MS Steady State is better?

will
  • 1
    MS Steady State is not available for Windows 7. – Joel Coel Dec 22 '11 at 18:01
  • Also, I'd appreciate clarification on how you use group policy. Our experience is that GP works okay and is fast enough... but only as long as you take a minimalist approach to the settings: define a setting for only those things you _need_ to, and leave the rest unset. If you have a **lot** of tweaks (which we want to do), it can get very slow. Also, we're only looking to set defaults, and not enforce the settings. Many GP settings lock out the user from making changes, and we really only care about the initial state of each profile. – Joel Coel Dec 22 '11 at 20:16
  • The things that slow down group policy often relate to permission errors (like a drive mapping that the user doesn't have permissions for). These are easily solved with item level targeting. Another option is to use asynchronous processing (if you can). – pauska Dec 22 '11 at 22:50
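
The answer above describes a two-step workflow: replicate the change between domain controllers, then force a remote policy refresh on the lab machines. One way to script it, as an added example that is not the answerer's own code; the function name, the `LabComputers` parameter and the sample host names are assumptions, and `repadmin.exe` is assumed to be installed on the admin workstation.

```powershell
# Added example: replicate a GPO change, then refresh computer policy on lab PCs.
# Uses WMI (no WinRM needed) so it works against default Windows 7 installs
# that allow remote administration through the firewall.
function Update-LabPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$LabComputers   # assumed list of lab host names
    )

    # Step 1: push Active Directory changes from this DC to its partners.
    # Note: this covers the AD side of a GPO only; the SYSVOL files replicate
    # on their own schedule through FRS or DFSR.
    & repadmin.exe /syncall /AdeP | Out-Null

    # Step 2: start gpupdate on each reachable machine and report the outcome.
    foreach ($computer in $LabComputers) {
        $result = New-Object PSObject -Property @{ Computer = $computer; Status = 'Unreachable' }

        if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
            try {
                # "echo n" answers any log off / restart prompt so gpupdate cannot hang
                $proc = Invoke-WmiMethod -ComputerName $computer -Class Win32_Process -Name Create `
                    -ArgumentList 'cmd.exe /c echo n | gpupdate.exe /target:computer /force' `
                    -ErrorAction Stop
                $result.Status = if ($proc.ReturnValue -eq 0) { 'Started' } else { "Failed ($($proc.ReturnValue))" }
            }
            catch {
                $result.Status = "Error: $($_.Exception.Message)"
            }
        }
        $result   # one object per machine, suitable for Format-Table or Export-Csv
    }
}

# Constructed sample host names
Update-LabPolicy -LabComputers 'LAB1-PC01', 'LAB1-PC02' | Format-Table Computer, Status -AutoSize
```

Because the remote process runs in the administrator's context, only computer policy is refreshed here; user settings are picked up at the student's next logon.
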
0

You can use Group policies.

With the new GPO available with Windows 7, the GPP (Group Policy Preferences), you can set settings as default for a user and then give them the choice to change it. You can push a printer and set it by default, check it as run-once and this policy will only apply one time, giving the end user the possibility to change his default printer.

You can configure settings for IE then import them to the group policy editor.

Setting up a default wallpaper and mapping drives are extremely easy with GPP.

As with GPO, preferences can be applied to a system or a user.

You can access GPP from any GPO from Windows 7 and Windows Server 2008 R2. Most of GPP can work on Windows XP if you have the Client Side Extension installed (available on Windows Update).