locked
Domain Vs. Workgroup RRS feed

  • Question

  •  

    I am moving from Shared Computer Toolkit to SteadyState and I know that SteadyState will work with domain computers (and I've been experimenting with it a little) and I am trying to figure out if it is worth it to switch them all over to being domain computers.  I have never really had much problem with them being on the workgroup, but I understand there may be some benefit as far as keeping them all up-to-date.

     

    Is there anyone that has experience with setting them up both ways that could tell me pros and cons?

     

    Thanks

     

    Monday, March 31, 2008 9:21 PM

Answers

All replies

  •  

    Hi,

     

    Thanks for posting here!

     

    From the post, I understand that you would like to use SteadyState on domain computers.

     

    After checking our forum, I'd like to include the following threads below and please take your time and check if they are helpful.

     

    SteadyState on domain Computers

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1865467&SiteID=17

     

    Windows Disk Protection on Domain-Joined Computers

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1809829&SiteID=17

     

    Also, you can check SteadyState handbook below:

     

    Windows SteadyState Handbook

    http://www.microsoft.com/downloads/details.aspx?FamilyId=D64AF114-336C-4418-BEB7-E074E813B498&displaylang=en

     

    Windows SteadyState 2.5 Beta Handbook

    http://www.microsoft.com/downloads/details.aspx?FamilyId=D173452A-CE26-4F26-9C30-982F705F84D2&displaylang=en

     

    Best regards,

    Wednesday, April 2, 2008 7:08 AM
  • Sean,

     

    I am interested in it, however, I'm a bit leery of it.  I have read those posts and understand that it CAN work - I was just trying to find out if anyone can tell me the benefits of doing it this way.  We actually do not use disk protection, so that part doesn't even come into the equation.  Thanks for any comments.

     

     

    Wednesday, April 2, 2008 12:51 PM
  •  

    Hi,

     

    Thanks for the update.

     

    Since you do not want to use WDP function, we can still get the benefits by using SteadyState:

     

    1.       Creating a Mandatory Profile for Multiple Users

    2.       Creating User Restrictions for Unrestricted Domain Accounts

    3.       Creating Group Policy Restrictions with SCTSettings.adm

    4.       Duplicating Software Restrictions by Using Software Restrictions Policies in Windows XP

     

    For detailed information, you can also refer to SteadyState handbook.

     

    Best regards,

    Thursday, April 3, 2008 7:40 AM
  •  

    Again, thanks for your reply Sean.  In my experience, in the past, there has been need to unlock computers using SCT for one reason or another.  If this is the case, and a computer is on the domain, in order to "unlock" a computer, I'd have to end up unlocked all my computers wouldn't I?  As the policy would be done per user.  This is one point that I makes me a bit uncertain about going this direction.
    Thursday, April 10, 2008 5:27 PM
  • Hi,

     

    Thanks for the update.

     

    If these computers are in a domain environment, we can create Group Policy Restrictions by using SCTSettings.adm to set restrictions.

     

    Group Policy for a domain can be configured either with the Group Policy Management Console, an add-in tool available for download from Microsoft, or by using the Group Policy Editor built into Active Directory Users and Computers. By adding the SCTSettings.adm template into these tools, you gain access to account restrictions and settings that are appropriate for user accounts on shared computers.

     

    The SCTSettings.adm Group Policy template included with Windows SteadyState also includes the capability to set idle and mandatory logoff timers, if Windows SteadyState is installed on your computers.

     

    It is important that you apply these settings only to specific user accounts, so as not to restrict legitimate administrative user accounts on any computers.

       To use Active Directory Users and Computers to manage Windows SteadyState restrictions

    1.    Start Active Directory Users and Computers on a computer running Microsoft Windows Serverä 2003 by clicking Start, and then clicking All Programs.

    2.    Click Administrative Tools. In Active Directory Users and Computers, right-click the organizational unit (OU) for which you want to configure policy, and then click Properties.

    3.    On the Group Policy tab, select the policy you want to modify, and then click Edit.

    4.    Expand User Configuration, right-click the Administrative Templates folder, and then click Add/Remove Templates.

    5.    In the Add/Remove Templates dialog box, click Add and then browse to the location of the SCTSettings.adm template, commonly located in C:\Program Files\Windows SteadyState\ADM.

    6.    Browse the settings in the All Windows SteadyState Restrictions folder and note their similarity to the program and user restrictions settings in Windows SteadyState. Descriptions are given for each setting.

    7.    Make any restrictions changes that you want and then exit Group Policy Editor.

     

    Best regards,

    Friday, April 11, 2008 2:47 AM
  • Sean,

     

    Thanks for the reply, but I'm not sure it answers my question.  Here is the scenario:

     

    In the past, say, in order to get a flash upgrade working on a computer, I have to upgrade flash, unlock the computer, and log in as the "locked down user" and run something, then lock it back down to complete the process.  If I put the computers on the domain, in order to do this, I'd have to unlock ALL of my public computers to do this, is that correct?  Hopefully this isn't confusing, and I'm only using the flash upgrade scenario as a random example.  I just know that in the past for one reason or another, you may need to unlock a single machine, which you would be unable to do any longer, unless they each had their own username that was specific to the computer, correct?

     

    Thanks!

     

     

     

    Monday, April 14, 2008 4:40 PM
  • Hi,

     

    Thanks for your update!

     

    For this scenario, we can use the following steps to set restrictions.

     

    1.       Enter group policy on the server computer.

    2.       Use SCTSettings.adm.

    3.       Locate the following object: User Configuration\Administrative Templates\All Windows SteadyState Restrictions\Internet Explorer restrictions\Prevent access to some Internet Explorer toolbar buttons\.

    4.       Uncheck the option "third party extension buttons".

    5.       After applying the settings, you will be able to install it on those client computers.

     

    As this template includes most of the restrictions in SteadyState, it will be much easier for Administrator to manage and apply restrictions on client computers.

     

    Best regards,

    Tuesday, April 15, 2008 8:12 AM
  •  

    Again I thank you for your response, but the flash example was just a hypothetical.  I've had experiences in the past that for whatever reason, after you upgraded a program, you had to run it once as an unlocked user so that xxx screen wouldn't pop up again.  I am just saying, if that were ever the case, to "unlock" a machine you'd have to unlock all of them if they were on the domain, used the same username to login, and were locked down via group policy.
    Wednesday, April 16, 2008 9:16 PM