School Admin Tips

Novell Cool Solutions: Trench

Digg This - Slashdot This

Posted: 22 Aug 2002

Updated on 22 Aug 2002
Current Version: ZENworks for Desktops 3.2

Here are some tricks of the trade...We asked our school system administrators to share their pet tips and tricks, and we got some nice nuggets from the school of hard knocks. These suggestions range from basic to advanced, but they're all tried and true by working professionals. No matter how basic an idea is, if it solves your problem, it's perfect.

You have one of the most challenging IT environments. As one of our readers recently observed, "Our educational site has about 2000 computers at 5 different sites (WAN), and we are currently maintaining 20 Novell servers, in one NDS. We also have strict work deadlines, and students and teachers are the most demanding users I have ever met."

Hope these ideas will help make your life easier...

David Cooney

To prevent students from setting inappropriate pictures as wallpaper, create empty text files named "Internet Explorer Wallpaper.bmp" and "Netscape Wallpaper.bmp". Push these files out to the workstations with ZENworks every time a student logs in. If you try to save a picture as wallpaper, it will give an error. This isn't a fool-proof solution, but it will stop a lot of them!

Update: I neglected to mention the most important part. The files pushed out need to be flagged read-only. If they are not, anyone can simply overwrite the one pushed out.

If you have any questions you may contact David at davidwcooney@catholic.org

Peter Riesett

On our campus we use a variety of solutions to keep ahead of the students. The best combination I've found is as follows:

  1. Using ZENworks policies to lock the students out of sensitive areas, such as network drives and system settings (some of them anyway.)
  2. Using Centurion Guards (Or Guardians, as we like to call them). I can't stress these little devices enough. They basically create a partition on the hard drive, and show the contents of the C: drive. When a student thinks they are making the change to the C drive (IE, deleting the Windows directory), the change is actually written to the temporary partition. Once the computer is restarted, the partition is blown away and re-created! Everything is always stable, and you only have to worry about hardware failures. Plus, they've got network management for these little guys soon. Worth every penny. http://www.centurionguard.com/centurionguard.htm
  3. Creating an Internet Explorer Wallpaper.bmp and a Netscape Wallpaper.bmp with our standard background for students, placing them in the Windows directory, and making them read-only. This isn't too much of a problem with our Guardians in place, but it keeps the students from changing the wallpaper to something obscene during that session.
  4. If you are restricting the programs that can be run, make sure you disable the Task Scheduler, and access to Novell's scheduler, because they can emulate the system, not the user, and will therefore run the programs anyway.

Hope this helps someone!

If you have any questions you may contact Peter at priesett@ccbc.cc.md.us

Chris Gotstein

Resetting MS Office XP autocorrect list with ZENworks

Students were adding words to the autocorrect as you type feature in MS Word XP. So when the next student sat down and typed "the", a different, vulgar word would replace it. To solve this problem I used ZENworks to delete the config file everytime a student logged on. The file that needs to be deleted is located in the c:\windows\application data\microsoft\office\ on Windows 9x and is called mso1033.acl. If you delete the file, Word will recreate it with the default settings. I setup ZfD to force run an app that will delete this file. Now when students try to change words, the file is reset every time another logs in.

If you have any questions you may contact Chris at gotstecm@foxbay.k12.wi.us

Mark Pace

We use generic user names for our students and teachers. These are based on room number and station number, i.e. R30S2 and T204. Policies are enforced based on the type of login. This way we don't have to redo user names each semester.

If you have any questions you may contact Mark at mpace@pcssd.org

Sali Kaceli

I use ZENworks 2.0 for controlling the labs here at Philadelphia Biblical University (http://www.pbu.edu). I use it to lock down the desktops and also for the distribution of the applications. The application folders are of great help too. "Run only allowed applications" has restricted the students from installing and running new applications too. However, some have figured out to rename the new application to something that is already allowed (e.g. notepad.exe for AOL IM). I would be interested in knowing more on how to really lock this down.

Editor: Sali, you should definitely read the tips in these two articles:

There's a wealth of experience here to be tapped.

You may contact Sali at skaceli@pbu.edu

Neal Harper

We use the ZENworks Application Launcher as the Windows shell (NAL.EXE /S) to totally hide away the normal desktop. This nicely confuses the students as they have no Start Menu, Taskbar or My Computer to play with (or destroy).

We also use the 'Run only allowed Windows applications' policy setting which stops them from running anything that we don't want them to, like their favourite games.

This means they can login and load our applications and that's about all!

If you have any questions you may contact Neal at N.Harper@tees.ac.uk

Joseph Zitnik

We force McAfee Anti-Virus updates out using ZENworks for Desktops v3.2. We download the Dats from McAfee and increment the distribution number every time a new DAT file is released. [See Distributing McAfee Updates for more ideas.]

We also use ZEN in conjunction with one of your Cool Solutions suggestions, Program Killer. We use ZEN to push out the original application, and we use another NAL to push out updates to the program whenever a new chat program is released. The latter takes a little dastardly work on my part. I usually go to the leading download site, find the most popular downloads, and add their executables to the list of apps killed by the ProgramKiller.

If you have any questions you may contact Joseph at jzitnik@hfcc.net

Mark Barnes


Library and Lab computers that always look and function identically with multiple applications and printing requirements.


Using Windows NT workstations, ZENworks 3.2, and Netware 5.1 in an IP only environment we locked down the workstations using user and workstation based policies. Policies restrict access to desktop modifications, "C" Drive, run, task manager, password change ability, shutdown, etc. The scheduling feature of the policy is used to reboot the workstations weekly back to its original configuration. The policy is also used to allow remote control for helpdesk and support individuals to remotely fix workstation issues.

Student accounts are not created but instead we use the autologin feature normally used for a lights out distribution with a unique login for each workstation. Students do have e-mail accounts but they are only accessible through the web. We do have a special shortcut created in the application launcher that goes directly to their iNotes login even though that is not the normal IE home page for the students.

All applications are distributed from ZENworks, with shortcuts being supplied through the application launcher window instead of to the desktop or start menu. This removes the ability to delete or modify shortcuts and users are given the "verify" ability to try to fix any application issues.

We looked at allowing only select applications to run through the policy, but we have a large number required by these computers and that would be a lot of overhead. We decided to live with a few IE "features" that allow a user to put what has been to date non-damaging system tray items such as Gator and Chat.

We will soon be migrating the students file access to the Novell system. At that point we will begin the need to have large quarterly updates of student accounts. They will be in their own special container and DS partition. We will be working with the registrar office to get a text file dump of account information and use uimport to create the student accounts.

This solution has been developed and is managed by my Novell team. Appropriate recognition goes to : Kelly Carrington, Brian Barnes, Chris Blake, Sean Greaney, and Daphne Jemison.

If you have any questions you may contact Mark at mark_r_barnes@rush.edu

Scott Carter

We use ZfD 3.2 to delete a specific registry entry in Windows 95/98 that disallows program execution unless from inside the NAL window itself. It's the backbone of our shell security, and has proved itself vs every possible way to execute programs! Simply have your App Obj force run and delete the following entry each time a user logs in, and have it add it back for your admin package, using whatever information you have in the entry to start with:

To Remove Exec ability, set your app object to delete the following key:


To Restore Exec ability, set you app object to add the following key (which may or may not work in your situation, although it's worked on every Windows 95/98 machine we've tried):






@="\"%1\" %*"




If you have any questions you may contact Scott at scarter@ci.franklin.va.us

Christian Hayes

Problem: With over 500 computers in student labs to manage, I constantly deal with software-related problems due to students installing 'unauthorized software' and wrecking the configuration. I tried using the ZENworks user extensible policies to turn on the 'Run only allowed Windows applications' feature, which worked well to solve the problem.

However, since the policy is user-centric, some new problems were created there. Some labs on campus gave students free access to install necessary software, but when they logged into NDS with their student accounts, they were unable to use their software.

Solution: These other free, open labs did not require the ZENworks Application Launcher to run, so I set an environment variable on each of those machines, and excluded them from running NAL by use of the container login script. Then I created a ZENworks Application Object to distribute the Windows registry settings (2 of them) that enabled the 'Run only allowed Windows applications' feature.

In this way, the machines that could be installed on by students never received the registry settings that restricted application usage, and were able to function normally, while the other machines received the restricting registry entries. All in all, most of the lab machines run better for longer, since the students can no longer install 'unauthorized software'.

If you have any questions you may contact Christian at hayesc@suu.edu

Cara Posner

My Computer Icon

At our school we had a problem with the little darlings renaming the My Computer icon. Although there's no reg key to disable renaming, there is a key that changes it back to what it should be. I added it to the reg keys that are pushed down through ZEN during student login. Here's the key (Win98):

[HKEY_CURRENT_USER\Software\Classes\CLSID\ {20D04FE0-3AEA-1069-A2D8-08002B30309D}]
@="My Computer"

If you have any questions you may contact Cara at cposner@lhric.org

Steve Zartman

The teacher in the classroom acts as our eyes and ears, but they can never catch a kid red-handed when surfing inappropriate sites. The teacher knows the student is on a "bad" site, and the student knows the teacher knows, so as soon as the teacher approaches the PC the kid clicks on Close and you can't prove a thing.

Cool Solution? Teacher calls the network admin and tells us to remote view PC number such and such in the lab. We pull up nwadmin, locate the workstation object and zoom in remotely, and do a quick screen print (the pc name shows up as part of the remote view window so they can't deny it). Then we bring that down to the teacher and wait to see the look on the kid's face when presented with an image of the site they were on! Caught red-handed AND now red-faced as well. This works time and time again.

If you have any questions you may contact Steve at szartman@edgerton.k12.wi.us

Shane Taubman

Here are a few things that we do to stop the students from damaging the computers:

  • Set multicast imaging with ZENworks to re-image overnight or once a week
  • Have a snAppShot of a program killer which runs once when a student logs in the first time on that computer. The program killer kills any programs that are not schoolwork-related, like chat and unauthorized software.
  • Have ZENworks remote control to check on students to make sure they are doing the right thing.
  • Use an Access database to update and add our new students to Novell using an ODBC database driver. We first get the details from an admin program that exports csv files to Excel, then Excel import to Access, and then Access works with Novell to create the students. That means we are always up to date with the current list of students, because the original admin program is where the admin staff add when new students come.

If you have any questions you may contact Shane at taubmas@eumsc.vic.edu.au

Bradley Butcher

Our students figured out how to run any program by using Task Scheduler to run the application. Deleting the task and turning off the Task Scheduler just slowed them down.

I did a snAppShot of a lab computer with a scheduled task, then I turned off the task, and as a final step I deleted mstask.exe from the system folder and finished my snAppShot. I associated the application to the students with a forced run and hidden distribution. Our teachers' computers would not be affected, so they could continue to use the Scheduler if they wanted. The student can still schedule events, they just don't run.

If you have any questions you may contact Bradley at Bradley.Butcher@granite.k12.ut.us

Aaron Le Saux

Kids always like setting the default homepage - especially to sites that aren't meant to be seen in educational institutions. Here is an easy way using ZENworks to stop this from happening.

In the Windows system (w95/98) or system32 (nt/2000) directory there is a file called inetcpl.cpl. This file is responsible for displaying the internet options. If the file is renamed or deleted, anyone clicking Tools, Internet Options will not gain access to the configuration page!

If a ZENworks Application object is created to delete the file, kids will not be able to get into the internet options menu. However, administrators can gain access to this menu if another ZEN object is created that calls the inetcpl.cpl file from a network drive and executes it through the windows shell/appload.

Hope this helps someone out.

If you have any questions you may contact Aaron at alesaux@rescuegroup.com

Marvin Buckmaster

I work for Calvert County Public Schools in Maryland. We rely heavily on ZENworks for Desktops to manage our 5000+ node network. We tightly lock down student workstations in the high schools and middle schools. We also remove certain features from the teacher's workstations which really cuts down on service calls. We install all of our applications using Snapshot and the Novell Application Launcher.

We recently outfitted a new school with 200 computers in two days. There were only six guys to get this project completed! I created an account called "newcpu" and assigned all of our apps to install automatically (force run). The apps were installed as fast as we could unbox the systems, install client 32 and login! After the apps were installed, we logged the workstation into the appropriate container which automatically installed the network printer and displays the user's applications in the Novell Application Launcher.

We us Novell's Account Manager to sync passwords and user accounts between NDS and Microsoft Active Directory. We are now implementing ZEN for Servers! I can't wait!

The school system employs one network engineer (me), a network manager/administrator and four hardware guys. We rely on our Novell reseller to help out. Most people don't believe what we are accomplishing with such a small staff!

If you have any questions you may contact Marvin at buckmasterm@calvertnet.k12.md.us

Greg Wurst

Kids at our high school and many others are installing file-swapping program like Morpheus and Guntella so they can download files over our fast T1 lines. We have the workstations locked-down pretty well, but in order for certain educational programs they "must" have to work, there are openings that allow them to install these programs. Most can be blocked at the router level, but we don't control our outside communications, and our provider does a poor job of blocking them.

My solution has been to download all the file-swapping programs I can find, make snAppShots of each one's install, then create an application object that uninstalls each one at startup if a certain program-specific registry key is found. The kids can always install them in a non-standard directory, but they won't work without the needed registry keys that are deleted no matter where the program was installed. I've got the PC's set to not allow Windows access without a network login, so ZEN has to run before they can use the PC (we also use a program to prevent access to the C:\ drive from a floppy or from breaking-out of the startup sequence).

It's not a perfect solution, since some file-swapping programs will work without a reboot, but at least they get uninstalled the next day. Then. they have to sneak the program back on the PC (which is unfortunately pretty easy depending on the teacher).

If you have any questions you may contact Greg at gwurst@miamisburg.k12.oh.us

Tony Skalski

Because we have labs of computers that we need to lock down, and because the most effective Group Policy settings are user based, we elected to use local Group Policy on lab machines.

I set up a directory with the Group Policy files, and configured the group policy with ConsoleOne. However I did not associate it to any users. Instead, I created a workstation policy to copy the Group Policy files to the local lab PCs every night. This ensures these machines stay locked down.

Then I created a policy to reverse the above GP settings and associated it to admin users.

Thus, when a student logs into a lab machine, the PC is locked down.

When lab admin user logs in, because the user-associated GP takes precedence over local GP, the PC is no longer locked down.

I tried using loopback processing, however, this does not allow for a lab admin's user GP to override the machine-associated GP.

If you have any questions you may contact Tony at ajs@stolaf.edu

Patrick Scissons

I use ZENworks policy-based management in computer labs to

  • Restrict students to the C: prompt
  • Prevent them from adding or deleting printers
  • Prevent them from browsing the network
  • Require validation by the network (can't bypass the login screen)

I also have the CMOS protected so that a student cannot boot from a floppy, or enter the CMOS to make any changes. I have disabled the network tab and display properties. Screensaver passwords are restricted via ZENworks as we had problems with students setting this passwords and the next student would literally lose what they were working on as a result of not knowing the password and having to reset the computer.

If you have any questions you may contact Patrick at pscisson@kemptvillec.uoguelph.ca

James Greene

I've never had any reason to write in to you, until now that is. I have come across a little program that has greatly helped the administration of computers on my training WAN/LAN. The name of the program is RNA this stands for Remote Networking Administrator. It's a free program, and there are actually two versions of it - a home edition and a professional edition. Both are freeware, though.

The program works on 2000 and NT, and it seems to utilize the program shutdown.exe, which (as I understand) is included in the Resource Kit for 2000. It presents a graphical interface that allows you to shutdown a PC anywhere on your network by using its IP address or name. You have options to reboot, display a message, delay for a period of time, save programs before closing, force programs to close, and so on.

This program has been a godsend for me. I remotely administer both NT and 2000 training workstations, and sometimes I am unable to connect to them, but I can ping them. If it is night time, there is no way to have someone reboot the computer that is at a class that is closed. So, with this program I can force a shutdown and reboot.

Check it out at http://www.understealth.com/

If you have any questions you may contact James at jamesigreene@hotmail.com

Nadr Rajab

Staying a step ahead of students is always a cat and mouse job! Saying that, I've gotten to the point where things aren't too bad!!

First off, I needed a method for quick recovery of a system in case of failure or corruption. I created a master system with all the programs they use installed. From this a ghost image is made and put on to a bootable CD. Note: all system hardware configurations are the same.

Now that everything is in place, here's how to stop students messing about initially:

I use ZENworks to remove all Documents, Favorites, Programs and Settings from the Start Menu and drives (C: most importantly) so that they see nothing. Using NAL, I send them ICONS that point to the programs installed on their systems, thus only allowing them to use programs that they should be using.

To tweak the systems, I use TweakUI to redirect the "MY DOCUMENTS" folder to their home directory on the Server (Z: in this case).

Still using TweakUI, I set it to clear any cookies and remove any history files that may have been created once they logout of the system. This way they leave no mess behind.

Naturally, using ZENworks, the Desktop is set to not save any settings but to revert back to the default that I initially set, with all restrictions applied.

That said, through ZENworks, I've set it so that they cannot access the Control Panel, cannot change the display settings, passwords, and printers. They are given a set of printers which cannot be modified. But better to be extra sure because they always seem to find a way round.

If all that fails, or any corruption pops up on the system, I just put my Master CD in and reinstall the system which only takes a few minutes.

On the Anti-Virus side, the best solution I've found so far is to use Symantec Corporate Edition from which I can see and Control Definitions and any Virus attacks from a workstation in the server room. Updated virus definitions are automatically installed when the machine is logged into first thing in the Morning.

How to restrict internet access:

Internet access is restricted using BorderManager and the Internet explorer Icon is hidden using ZENworks, and is only available to those who are allowed access.

This system works on Win98 and the complete system installed (Programs and all) with compression is about 500MB but with WIN ME and XP the Ghost Image is too large to fit on a CD although I could probably have it on the server and get the image from there. I've tried it on ME and it works well, but have not tested it on XP Pro and the extra security features that it has.

Other features of ZENworks, such as remote control and workstation manager are also installed, allowing me to restrict students to particular labs.

What happens at the end of the year: Nothing, since the systems are generally "clean," nothing needs to be done except for routine maintenance and testing.

If new software needs to be installed or changed, a new master disk is created. (Although I could create AOT files and send them to the workstations to install or update programs, I haven't got round to doing that yet.)

If you have any questions you may contact Nadr at nrajab@trmkt.com

Matthew Schlawin

Problem: In a lab of Win95/98 computers, we want all icons on the desktop to be the same. We don't want students to be able to add icons or delete icons. We can push icons down with ZENworks, but students can still add their own.

Solution: We used ZENworks for Desktops to push down the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

and pointed the keys for desktop, program, startmenu and startup to folders on one of our NetWare servers. We gave the students read-only rights to those directories. If a student tries to delete or add an icon to the desktop, they get an "access denied" error.

Additional benefit: I can add an icon to the desktop of all computers in the lab just by putting one icon in the shared desktop directory. I can also have all lab computers run a program on startup by putting that program into the shared startup directory.

If you have any questions you may contact Matthew at mschlawin@fvlhs.org

Sheryl Clingerman

ZENworks for Desktops 3.2 curbs the students from easily getting to places, etc. I use extensible workstation and student policies to keep them out of run, printers, desktop settings, regedit, network neighborhood, etc.

If you have any questions you may contact Sheryl at sherylc@iavalley.cc.ia.us

John Goldin

We use ZENworks policies to lock down the desktop so students cannot make changes. Also, we use images to reinstall workstations in our labs once a week.

If you have any questions you may contact John at john_goldin@gwinnett.k12.ga.us

Jan van de Voort

My tip is nothing more than a smart mixture of Novell and other products to keep viruses out while never ever updating anything manually.

Problem: in a school environment, keeping out viruses permanently and in an automated way from mail AND any other source without ever changing any workstation or server setting.

Products involved:

- Novell eDirectory
- Novell ZENworks
- Novell NDS Corporate Edition
- Novell GroupWise GWIA
- Novell toolbox (free)
- Novell cron (free)
- McAfee standard antivirus software
- McAfee WebShield SMTP
- McAfee superdat
- SecureCast Channel
- Microsoft NT server 4.0
- Microsoft Scheduled Tasks
- Autoadminlogon (documented)
- Xxcopy (shareware)

Basically, the problem for my organization is that we have very few persons to administer quite a lot of locations. So any process we are able to automate, we automate. Much time is involved in eradicating viruses, especially in a school environment, where the virus source can be various, but mostly limited to mail (attachments) or just plain files from diskettes.

I had to find a way to:

- Block viruses from mail sources
- Update antivirus software without any manual task involved in order to block viruses in general

Here's how to do it.

  1. At the internet border, have an NT server 4.0 with McAfee Webshield SMTP. This relatively easy-to-configure product will block mail viruses. Configure it to relay all incoming mail to the real mail server which is GroupWise GWIA on a NetWare 5.x or 6.x server. Configure GWIA to route all outgoing mail to WebShield SMTP. WebShield SMTP will be nothing more than a front end to the mail system. This solution is not spectacular, it is just an implementation of existing commercial software. But this way, and since WebShield SMTP can be configured to retrieve virus update files from McAfee automatically, you already block viruses at the border right before they enter your network. So you diminish the risk of virus by a factor x.
  2. To keep the machine manageable, install eDirectory CE so you don't have to worry about extra accounts.
  3. Now use this same machine to retrieve superdat files from McAfee. The superdat files are a fine way to update your antivirus software on the workstations. SecureCast update channel with the McAfee channel will periodically push superdat files to this front end computer automatically.
  4. So on this "internet border" NT machine, you will get superdat files automatically, about every two weeks. These are named e.g. sdat4180.exe or similar.
  5. These files, that will be the source for virus updates on the workstations, are located in a subdirectory of c:\program files\securecast\?
  6. The trick is then to:
    • - Have a routine on this NT server to regularly check for the most recent superdat files, and copy if necessary.
    • Have a routine that, at the same time, copies the most recent file to another location, e.g. c:\transfer
    • Have a routine that renames sdatversionnumber.exe to superdat.exe
    • Copy superdat.exe at night to remote locations
    • Silently check for new superdat files at startup of the workstations in the morning

How to do this?

  1. Have a routine that checks for most recent superdat files: the best tool that I found is xxcopy. Xxcopy allows you to use wildcards for subdirectories AND to specify that copy should only take place if the file (SDATversionnnumber.exe in some subdirectory in c:\program files\) is not more than nn hours old. So with xxcopy, you can accomplish something like:
    copy the sdatverssionnumber.exe file only to location c:\transfer only if it's not older than 24 hours
    Automate this process with Ms Scheduled Tasks.
  2. If xxcopy finds a "to copy" file, allow it to xxcopy the file with the original name to a transfer directory, e.g. c:\transfer
  3. In the same batch job (scheduled with ms scheduled tasks) that runs xxcopy, put a simple copy command, that would look like:
    copy c:\transfer\sdat*.exe t:\transfer\antiviru\superdat.exe
    where t: is a mapping to a NetWare server
  4. Since the old copy command still allows you to rename the file during the copy routine, you will end up with a servername:volumename\transfer\antiviru\superdat.exe file.
  5. Copy this file during the night to other servers. Best results with toolbox.nlm (copy command included) and cron.nlm (for automation)
  6. With ZENworks application launcher, create an application object with the following command:
    \\servername\volumename\directoryname\superdat.exe, and in command line parameters /s.
    Associate it with users, as a forced run.

That way, each morning the user will check for mc afee virus signature updates automatically using superdat.exe, and the best is: since the file is always called superdat.exe?you never create an application object for virus updates again!

Details: use autoadmin logon for this: in case the NT server goes down, while rebooting, all services and scheduled tasks are performed without interruption.

If you have any questions you may contact Jan at j.van.de.voort@osbgroep.nl

Noah Broadwater

We use Workstation Association to accomplish several tasks to make our lives easier. First we associate all of our lab workstations and import them with unigue identifiers for the workstation object (using the MAC address can get hard to keep track of). Through the workstation object we associate applications so they only appear in the labs where we want them. Ok, everyone knows this already as a wonderful way to control licensing and application conflicts, but it can also be used to monitor usage, set up printers correctly for the proper location, and to enhance security measures.

We use a single image for ten different locations each with a printer. Using an application object that is set to force run the first time the workstation is imaged, we set up the printers based on the subnet of the rooms to ensure that every room prints to the proper location without having to visit each machine to set up the printer or create seperate images.

Also, we can look at the workstation objects and see how many people have logged into each computer (we force everyone to use there own account and you can't login without one). When a class wants to meet in a lab, we can tell which lab is least used and where in that lab is most appropriate for a class based on low usage.

Lastly, if someone finds a computer to have a problem related to either malicious or ignorant use, we can track who the person was who made the change through the workstation object and turn them over to our security group if they were, in fact, attempting to circumvent security.

These are only three of many ways we use ZENworks for Desktops and Workstation Association to control and maintain our labs.

If you have any questions you may contact Noah at scsnab@hofstra.edu

Eric Brown

I recently figured out a very simple method to prevent users from accessing the internet on specific machines.

We have a very sensitive machine with all kinds of extra hardware (i.e. scanner, CD writer, Video capture card, Smart Card reader, and accompanying software). Every time a pupil is allowed to use this particular computer without supervision, some or all the software on this computer ends up being unable to work properly. Since last fall I have re-imaged and reinstalled the software too many times on this particular machine, until the famous 'Eureka situation' hit me.

Quite a while ago, I implemented ZENworks policies which prevent the average user from accessing the Networks Icon in Control Panel. So all I had to do was open the control panel as a user with admin rights and define another IP address and subnet mask than the one used on our network. All the other machines get their address via DHCP, but this particular machine has a fixed address of 192.168.x.x, which leaves it unable to access the internet via our gateway.

Our school network is based on a Novell 4.2 server with Win 9.x workstations running ZENworks for Desktops 2. Somehow I expect this solution is usable with most versions of Novell software and most versions of Windows on the workstation.

If you have any questions you may contact Eric at eric.brown@get2net.dk

Doug Streit

We had a dilemma that we overcame with ZENworks. We needed to change the password for the administrative account and perform other administrative account changes on 2000 Windows NT/2000 workstations. We needed the process to maintain the security of our passwords and account information. The changes required Administrative rights to perform, and ZENworks normally uses System rights, so we could not push the change out via a NAL object or an action on the workstation without other significant changes being done. We decided on a solution that leveraged ZENworks with simple batch files and were able to make the change and maintain security.

  1. We placed the batch file with the account changes in a directory and gave read/file scan rights to one DLU administrative account that we would use for the upgrade.
  2. In ZEN we configured a push which only pushed down autoadminlogon information for that account. On the next logout or shutdown, the workstations performed the autoadminlogon.
  3. On the account used for autoadminlogon, we associated four force run NAL objects. One cleared the autoadminlogon information. One was set to run on WindowsNT 4.0 or below to make the account changes. One was set to run on WindowsNT 5.0 and above to make the account changes. One was a forced workstation shutdown.
  4. In order to protect against anyone hijacking the update process (giving them administrative rights on the workstation and also the ability to view the account information) we created a force run NAL object which forced a timed shutdown of the machine whether the update ran or not, significantly hindering any possibility of compromise. Even if someone was able to stop the account update, the machine would shut down with the account information cleared from the registry.
  5. The upgrade was virtually transparent to users and ran with very few problems and remains associated in order to update any machine that is put on the network without the proper accounts configured.

If you have any questions you may contact Doug at jstreit@odu.edu

Paul Muhlbach

We have a program where we needed to limit the number of students who could have access to it. The program is Adobe Photoshop. We are using Win98 on our workstations with Novell Client 3.31 and ZENworks 2.0.

We installed Photoshop on every computer system. We decided to use the login script for our student context to delete a .dll file from the Photoshop directory. If a student tries to run the program, they get a message saying library file not found, and Photoshop won't run.

The students who are authorized to run the program are part of a group. They click on the ZEN-delivered icon which copies the DLL file to the appropriate directory, then starts the program.

We have used this for four semesters - it works great!

If you have any questions you may contact Paul at pmuhlbac@apmcomp.com

Adam Kristenson

We create our student accounts every year using Bulkload. This does a good job of populating NDS with the account names, and temporary passwords and gives the appropriate groups and rights when used with a template. We also have default server locations for our word processing packages and programs. The difficult part was getting the directory structure created under the user's home directory for each account.

We elected to let ZENworks create them for us. With each login, ZENworks checks for and creates, if necessary, the directories under the student's account at each login.

If we create an account at a later date, the directories are created when that user logs in the first time. This has saved the IT team from having to ensure all of the proper directories are in before the start of term and takes the load off of the server disk drives by spreading the time those directories are created over a longer time.

If you have any questions you may contact Adam at krista@augustana.ca

Sami Kapanen

Use NetWare and Volume Space Restrictions to restrict homedirectory size. Otherwise students will take it all!

Then use ZENworks and NAL to launch NwQuota at Windows workstations. NwQuota is a small utility which loads to systray and monitors the students' homedir space restrictions. You can set it up to give warnings too!

If you have any questions you may contact Sami at sami.kapanen@hamk.fi

Aaron Gagnon

In labs we use ZENworks User Policies to lock and unlock the desktops. Also we store desktops icons, backgrounds, startup, and program menus on a network volume. One user called labguru unlocks the machines by using a less restrictive user extensible policy, and another called lackey locks the machine. This helps since we have students that need different access to machines around campus.

Also when we ghost the machines the registry setting that are in the image are pushed out. We also use a vbscript that I found on Cool Solutions to block students from chatting, as it checks for instances running every 1 second. These measures seem to cut down on the amount we have to ghost. With the introduction of the ZENworks imaging engine a lot of our imaging has started to be automated.

Novell has made lab management a small task for me as I oversee between 250 and 300 lab machines along with other tasks. If only there were ZEN on the Mac...

If you have any questions you may contact Aaron at aaron@maine.edu

Matt Sprout

We had a problem with students making changes on desktop computers. ZENworks Policies have helped tremendously, but sometimes there must be registry edits done at each workstation to prevent certain processes. For instance, we use Internet Explorer for our Internet browser. There is a security feature that doesn't allow downloads, but we didn't have time to go to each workstation to make the necessary changes. Plus we wanted to allow adults to be able to download, but not students even though they may use the same machine. Here's what we did:

  1. Create two applications objects--Internet Exp1orer (note the l in explorer is a 1 (one)). The second application is Internet Explorer (spelled correctly).
  2. Within the application objects we made the registry changes (see Microsoft's Q179221) so that each application disabled/enabled the ability to download.
  3. Assign the appropriate groups to the appropriate Applications objects and wala! We plan on hiding more registry changes within these applications since the use of the Internet is so high we are sure to get the necessary changes to the appropriate computers.

If you have any questions you may contact Matt at sproutm@fcsc.k12.in.us

Debbie Bordelon

We had a problem with students changing the desktop settings for various computers. If all students are computer literate that isn't a problem. For us, it was. We had seniors using the lab, then a class of first graders would come in and it would create havoc. First graders NEED to have their computers look the same.

What we ended up doing was creating policies through the use of ZENworks. Our students can change their settings, but when they log out the computer reverts to its previous state. We have accomplished this using roaming profiles, ZENworks policies, and a Windows 2000 OS. Our students are "guests" on the computers, yet they can still make their operating environment comfortable.

(We have only one more issue, we have to sometimes copy profiles when new software is installed and push it out via ZENworks Application Launcher.)

If you have any questions you may contact Debbie at Debbie.Bordelon@wca.pvt.k12.al.us

Ron Bradley

We are able to customize Internet Explorer for platform and user when we use the IE Administration Kit to lockdown internet settings of all kinds. It also puts the college name in the title bar and will allow the changing of icons. So you can personalize the links as well as stop the use of cookies or ActiveX controls per student population.

Then just snAppShot your new version of IE based on OS version or student type and distribute with NAL or ZENworks.

If you have any questions you may contact Ron at ron.bradley@snow.edu

Greg Pott

I do use very restrictive policies for students using ZENworks, but as a "belt and braces" approach the following is in place. These measures can catch those machines which have been "played with" for whatever reason. These are partly along the lines of previous postings, but here goes.

I use a force run application associated with students which currently does the following.

  1. Deletes "Internet Explorer Wallpaper.bmp", "Netscape Wallpaper.bmp", c:\windows\sol.exe, winmine.exe, mshearts.exe, freecell.exe and logo.sys (if they exist).
  2. Pushes down custom c:\windows\logow.sys and c:\windows\logos.sys (yes, I did have problems with students editing these files).
  3. Edits various registry entries, such as this one which trashes annoying screensaver passwords:
    [HKEY_CURRENT_USER\Control Panel\Desktop] and [HKEY_USERS\.DEFAULT\
    Control Panel\Desktop]
    # deletes entry below
  4. Changes/adds control.ini entries:
    [Screen Saver.3DText]
    Text=text of your choice
    [Screen Saver.Marquee]
    Text=text of your choice
  5. Pushes down virus definition files (if newer).

Because this app is always in place and runs every time a student logs in, it is handy for rolling out odd things, fonts, file updates, changes to text files etc.

If you have any questions you may contact Greg at gpott@abpat.qld.edu.au

Bryan Berns

You said basic. :-) Here are my 'general' tips -- I could go on for hours.

Read-Only Applications Volume

Managing over 300 applications can cause problems when every application thinks it's the only thing you'll ever be running on your machines. Using ZENworks to customize programs through registry settings and INI files has allowed us to make read-only network installs of most of our applications and has prevented a lot of headaches with applications being infected with viruses, machines' hard drives filling up, and users' files accidentally getting placed where they shouldn't.

One can easily set the initial working directory so that File -> Save will put the files where you actually want them to go (usually the home drive)! Users don't like hunting through directories to find places they can actually save files.

Using environment variables, one can temporarily extend paths, make pointers to specific license servers, and add any program-specific variables. This keeps the general workspace clean and essentially does let the program think that it's the only program you're using :-).

MSI Transforms

Many ZENworks administrators users don't know that you can easily apply a transform to an MSI application. In the application object, this is under [Common] -> Transforms. Applying transforms via command line isn't fun or organized.

Large Application Distribution

In the cases of large applications that require installs to the local machine, users do not like to wait. (I typically like to call these applications 'Microsoft' products.) In this situation, associating an application to machines has simplified life. Associating applications via their workstation object will cause these applications to install their files when the user is not logged in, typically on the next boot.

Remote Control

Moving around from building to building, and room to room to test certain applications/configurations can sometimes be a hassle. Solution: Remote Control. The ability to remote control imported workstations has saved me hours of transportation time that was better spent doing my job.

If you have any questions you may contact Bryan at berns@cae.wisc.edu

Winfried Thomas

I have to prepare the same classroom several times a year. To do so I store the AOT-files for all my applications on a single CD-ROM. That way I can easily access the data for a fast reliable setup.

If you have any questions you may contact Winfried at Winfried.Thomas@Thomas-EDV.de

Carol Billingsley

Our school district has some very effective procedures for protecting the desktops. We use desktop policies to restrict access to the control panel, which helps prevent students from changing wallpaper and screensavers, network, sound and other configuration files. All our hard drives are configured in a central location called the Prep Room and then we use Ghost to copy the setups to the student workstations.

On all new setups we create two folders called XXXD and XXXS. After all the programs are loaded on the drive and the desktop icons are created, everything from the C:\WINDOWS\DESKTOP folder is copied to XXXD. Everything from C:=WINDOWS\START MENU\PROGRAMS IS COPIED TO XXXS.

We have a batch file called H.BAT that is copied to C:\WINDOWS. The properties for both the XXXD and XXXS directories and the H.BAT file are all set for HIDDEN. We use the policy editor tool to edit the local computer policy. On the Local Computer\System policy we check the box for Run Services and add the H.BAT FILE. Every time Windows starts, the H.BAT file runs and the desktop and program files are restored to the original values.

We also create a shortcut called RESTORE DESKTOP that points to the H.BAT file and put it on the Accessories Menu so that the desktop can be restored without restarting Windows.


deltree /y c:\windows\desktop > log.txt
md c:\windows\desktop
xcopy32 c:\xxxd\*.* c:\windows\desktop\*.* > log.txt
xcopy32 c:\xxxs\Programs\*.* c:\windows\startm~1\Programs > log.txt

This has worked very well for us. Thanks for giving me the opportunity to share. I'm looking forward to seeing tips and tricks from other schools.

If you have any questions you may contact Carol at Carol.Billingsley@cfisd.net

Peter Asp

To prevent software installations on NT/2000/XP, we use regperm (downloaded from Cool Solutions) to lock out the registry. Example: Yahoo toolbar. We created a registry entry HKCU\Software\Yahoo. (With freeware from TameDOS called DTREG.EXE). Then, using REGPERM.EXE, grant only READ rights to all users. The last part is to distribute the batch using ZfD 3.2. Now users (in my case, students) can download to their heart's content but that toolbar won't show. Woohoo.

If you have any questions you may contact Peter at peter.asp@sunywcc.edu

Joe Langan

Use your NDS directory that all students are loaded into as the main reference for updating all other programs that depend on student enrollments for accuracy. Two in particular are the student management program and the school lunch program. Have NDS generate user listings that can be imported into other programs thus devising a consistent manner with which to populate the other programs with users.

If you have any questions you may contact Joe at Jlangan@villagenet.com

Wayne Bowlin

In my labs I use a policy with custom folders for Desktop, Startup, Startmenu, Programs. I create two groups, one with read and filescan access to the custom folders, and one with write and erase access to the folders. Lab users are put in the group with read-only access and lab administrators are put into the group with write and erase access. Put the policy on both groups. When the lab admin logs in they can make changes to the desktop that will affect all lab users. This allows the environment to be controlled by the lab administrators and not the students.

If you have any questions you may contact Wayne at wbowlin@wagoner.k12.ok.us

John Farmer

While I was looking through the ADMs for Internet Explorer I could not find one that prevented downloads. I did a little research into which reg key disabled downloads and I made a small ADM called InternetExplorerDLRestriction. I tested it for awhile on a few users and it worked as intended. I then added this policy to a school site that I work at, and so far it has been working fine. This ADM is a user extensible policy that, when applied, prevents downloads. Here's the ADM file:


	CATEGORY !!InternetExplorerRestriction
		KEYNAME "Software\Microsoft\Windows\
		POLICY !!DisableFileDownload
		VALUENAME "1803"

InternetExplorerRestriction="Internet Explorer Download Restriction"
DisableFileDownload="Disable Internet Explorer File Download"

If you have any questions you may contact John at farmerj@lompoc.k12.ca.us

Tim Callahan

I found that creating an application object that points to notepad can be used as a great way to push out a notice to users. I just associate the app object to the appropriate group, make it run once, and select force run. All you have to do then is change the version stamp and point it to a different .txt file in a network directory that users have R/F to and you're good to go. Whenever they login or refresh the NAL, they get the network notice. This works with html files as well.

If you have any questions you may contact Tim at trcallahan@dmacc.org

John Pilmore

In order to give our administrative staff documentation to help with problem students who like to mess with the workstations or server, I created an application that force runs whenever anyone logs in to the network.

  1. Simply create the application and associate to everyone with Force Run.
  2. Select Distribute Always.
  3. Under the reporting options, check Log events to a file and type in the location and name of the text file you wish to create.
  4. Under Events to Report, select Distribution Success.

This will give you Date, Time, user name and location the login ocurred as well as MAC address. This info has allowed us to prove who deleted files on workstations, track stolen staff and student logins, track specific changes made to workstations, and a whole lot more.

A couple of things to remember,

  • Rename the log file regularly to keep it small. A new file will be created when the old one is renamed.
  • And, copy the log file to your workstation for viewing. If you open the original on the server, you stop logging while you have it open.


If you have any questions you may contact John at jpilmore@sd273.k12.id.us

Skip Thompson

My most valuable tips are not ground breaking ideas, but they save me so much time, I wanted to share them. (And I really want a t-shirt.) :-)

1. When we prepare a workstation image for deployment, we change the Start Button to NOT include MS DOS Prompt, Windows Explorer, Internet Explorer. If we want any user to have these things, we put a shortcut in the NAL window and Associate it to their account. This way, in combination with a User Policy, we have a very restricted environment, without having to use NAL as the shell.

2. Forcing stations to login. There???s lots of ways, but the simplest is this registry key which I distributed with a ???Force Run - Once???

    DWORD  -   MustBeValidated
     Value = 1   (yes)

Of course, I have another icon to turn this off which only the admin sees, just in case.

3. When snAppShotting applications, I rarely leave the shortcuts on the desktop or Start button. They only exist in the NAL window. This serves two purposes.

a. They MUST be logged in for practically anything to work, so it eliminates any support issues like "I don't usually have to login to "..." They just have to Login.

b. It creates a little better security for our gradebook. Our gradebook is not very secure natively. So the application may actually get installed to C:\ (data files on secure drive) but the shortcuts don't get created on the desktop or Start button. Only teachers see the shortcut in the NAL window. So students don't have the opportunity to poke/prod on it for vulnerabilities.

4. When snAppShotting applications, go through the whole process once BEFORE you run snAppShot so you can understand what's about to happen. Then switch machines (or re-image it) and run snAppShot.

5. When snAppShotting applications, go ahead and register, set defaults, etc., THEN end the snAppShot.

6. Combine the functionality of your old DOS batch files with ZEN by creating a folder for them that users can see as RF, then use the NAL window to point to them. I do this for backing up Accelerated Reader, Accelerated Math and various others. Further, it places the primary responsibility for backup onto the folks who care the most about the data!

If you have any questions you may contact Skip at s@alma-admin.wsc.k12.ar.us

Trey Anderson

We have had several issues with people changing important settings or file save locations in our labs with MS Office applications. Once students change the settings they tend to quite rapidly degrade into service calls on the machines. In order to prevent some of this we have used ZfD 3.2 to apply .adm files during the login. In the .adm file it is possible to lock down specific menus and settings in the MS Office applications such as forcing the program to save to the users home directory instead of the C:\ drive. It has proved quite useful to prevent damage to this particular set of apps.

If you have any questions you may contact Trey at treya@manhattan.k12.ks.us

Nathan Hensal

We have implemented a solution that takes care of many of our problems with one step and one solution.

When students have set wallpapers, saved files in the My Documents folder, saved items to the desktop, dowloaded screen savers, and accumulated cache in the browser, we clean them all up each the next user logs in.

By using Novell's ZENworks for Desktops, we have taken a batch file that is stored in the public directory and set it to force run in a hidden mode each time a user logs in. This batch file has several erase commands in it with the path to the directory which is to be erased.


@echo off
erase c:\windows\desktop\*.* <y
erase c:\windows\*.bmp <y
erase c:\windows\*.scr <y
erase c:\windows\*.pwl <y
erase c:\mydocu~1\*.* <y

(y is a text file that has just the letter y in it, which answers "yes" to the question, "Are you sure you want to delete all files?")

We have found this ZENworks for Desktops solution to eliminate all desktop backgrounds, screen savers, PWL Password files for security, internet cache, and others.

As we see a problem creep up on workstations that can be fixed with the use of our batch file, a simple line added to one file fixes the problem on all the workstations on the network.

If you have any questions you may contact Nathan at nathan@le-win.net

Michael Lerner

I am the computer systems administrator for a technological college. In most of the computer labs, the internet needs to be closed most of the time, otherwise the students surf instead of listening to the teacher's lesson. There are a whole bunch of tips and suggestions on the ZENworks Cool Solutions site for dealing with controlling internet access, however many of them require products that I am not fortunate enough to have (like BorderManager or a proxy server). But I found several ideas on the site, and by playing around with some of them I came up with a solution which works well for me. Here it is:

When the computer logs in, it automatically runs an ZW application called Disable Internet. At first all this app did was put in incorrect values for the DNS servers in the registry. This prevents the users from accessing any sites using IE or Netscape, since on Win9x the registry key for DNS can be dynamically changed, and is not consulted until you start surfing. That was fine for a while, but the students then realized they could still chatter away with chat programs such as mIRC and Odigo. Apparantly these applications do not rely on DNS.

So I got more sophisticated, and now the Disable Internet app also modifies the computer's dynamic routing table. The app has a path to the executable file c:\windows\route.exe, and in the environment tab I add the command line parameter "-f". That effectively removes the gateway from the routing table, and now there is no access to the internet. If you want to see exactly what it does, try running route print before and after executing this app, or run WINIPCFG.

The only drawback is that if a student gets wise to what I did, and knows the gateway address, he can re-modify the routing table. However, I am not too concerned, for 2 reasons: first, nobody knows this ROUTE command (I didn't until I saw mention of it on the ZW Cool Solutions site), and second, they have no way of changing the DNS back since access to the network properties is disabled.

The Enable Internet app does the opposite - sends over the correct DNS addresses to the registry, and adds the gateway back to the routing table. The command line parameter for adding the gateway back is ADD MASK xxx.xxx.xxx.xxx where the xxx's represent the gateway address.

So I have 2 apps, one that disables internet access and one that enables it. The computers all run the Disable Internet app upon login. This app is scheduled to run at all hours of the day with a force-run priority set to 1, meaning its the first app executed. Lets say that the 3rd period of the day at 10:15am needs internet, but the classes before it and after it don't. So I schedule the Enable Internet app to run at 10:10am (with force-run priority of 2), knowing that each workstation will receive the app by 10:20am. This is because the launcher configuration of their container object has user refresh frequency set to 600 seconds (ie. 10 minutes)and enable timed refresh (user) set to Yes. And if a workstation is first turned on at say 10:30am, it actually first runs the Disable Internet app and then the Enable Internet app, since its force run priority is 2. Then lets say the next class at 12:00pm does not want internet. So I schedule an app called Re-Disable Internet, which is the same as the Disable Internet app except that it has a force-run priority of 3 in case there is anytime-overlap between that and the Enable Internet app.

This works fine with ZFD 2, NW 5.0 and Win9x workstations. I have not tried it on WinNT 4.0. I am now evaluating ZFD 3 on a test server, and it appears that I can do the routing table change on Win2K computers if I set the app to run as a secure system user. I hope to be purchasing ZFD 3 soon so I can manage my new Win2K classroom in the same way.

Hope this tip helps somebody!

If you have any questions you may contact Michael at michael@nitc.co.il

Martin Thibeault

To prevent users from creating several objects on the Windows desktop we use a simple batch file. This task keeps lab desktops clean for the next users. The batch file uses DELTREE command to erase anything that is copied or created on the desktop. This is executed at each startup. We need to put a new value in the registry in the run section of HKLM and setup the batch file to be executed in reduced mode. It's 100% transparent to users and they always have a clean Windows desktop.


The BATCH File


If you have any questions you may contact Martin at martin.thibeault@cjonquiere.qc.ca

Billy Beaudoin

For use when distributing command-line programming development kits through the NAL (i.e. JDK, ActivePerl, Tcl).

SnAppShot the application install on a clean box in order to get the needed environmental variables that the DK will need. They will be in HKLM\System\CurrentControlSet\Control\Session Manager\Environment and added to autoexec.bat. This is just to keep track. Generally registry keys and file associations are not integral to the DK environment running smoothly.

After the install you can simply copy the entire install directory out of program files to any location (new_path) and if you SET PATH = new_path;%PATH% and the CLASSPATH variables it will be quite happy.

The application object that you should push down to the workstations should include a batch file that you will set to be the executable for the application object. Create one that includes all of the settings for environmental variables and displays whatever information is useful to the user.
(Note: Echo. for a blank line does not work in Win2k).

If you are distributing multiple SDK's to the same box, this will allow you to run each environment (protected memory!) in its own window (not to mention they have a way of nabbing extensions from other apps).

This has been found to be very useful in Computer Science classes.

If you have any questions you may contact Billy at wrbeaudo@unity.ncsu.edu

Related Reading

To see other tips helpful to school administrators, check out:

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© Micro Focus