School Admin Tips
Novell Cool Solutions: Trench
Posted: 16 Aug 2002
We asked our school system administrators to share their pet tips and tricks, and we got some nice nuggets. Not only are there some great ideas for managing student IDs, creating and deleting student accounts, and imaging the computers in the labs, but we're also getting tips on battling skanky screen-savers, blocking Napster files, and preventing students from sending obscene system messages to the unsuspecting young girls on the front row. Here are some goodies to tuck into your bag of tricks. Check back each week for more.
And if you think of a tip you'd like to share, send it to email@example.com and you could see your name in lights.
- Scott Wickham
- Cliff Stratton
- Kelly Klein
- David Cooney
- Peter Oth
- Cliff Stratton
- Angela Marquis
- Jos Westerbeke
- Bradley Jerome
- Carl Turner
- Jon Berlin
- Robert Herzog
- Ken Libutti
- Ellen Gaynor
- Anders Gustafsson
- Ron Bradley
- Keith Craig
- David Cooney
- Tom Williamson
- James Rudd
- Mehmet Duran
- Roger Dills
- Daryl Bjerke
- Chad King
- Joe Johnson
- Sindre Westre
- Steven Wood
- Philippe Werle
- Darlene Sawyer
- John Wiles
- David Arre
- Marc Brummer
- Peter Schouten
- Lee Greenough
- Martin Thibeault
- Mark Heinemann
- Matt Varela
- Tiago Abreu
- Richard Peters
- Scott D. Miller
- Charles Hucks
- Steve Coulson
- Maarten Afman
- Klaus Plantius
- Michael Litt
- John Chavner
- Brady Hess
- Matthew Ziegler
- Steve Merriman
- Liz Negro
- Mary Lou Kiser
- Martin Thibeault
- Nathan Parton NEW
- David McDowell NEW
- Steve Lewinsky NEW
- Allison Thompson NEW
This helps me immensely when I am searching for server config. information. (For instance, Free Disk Space.)
- Create a DOS batch file that will map a drive letter to the SYS volume on all your servers. (Example: net use g: \\server\sys for the RENO Server )
- Run Novell's "load config" at the console of each server. I do this weekly as a Cron job for convenience.
- Run the batch file (created in step 1) that maps drive letters.
- Create another batch file that will copy the config.txt file from each server (created in step 2) to a local directory on your C: drive (ex. copy g:\system\config.txt c:\NWStatus\RENOconfig.txt).
I named each file depending on which server it came from - that helps later to identify where it is from - when I do my searches.
- Use a text edit / search program that can actually open the file for viewing when it finds the specified text. I use Multi-Edit from American Cybernetics. It is incredibly easy to find information in one location. Multi-Edit is great because it opens just the line of text you are searching for (ie: free disk space per volume or version info for NLM's in your autoexec.ncf file, etc.) It's a great way to compare parameters between servers.
I don't know what I'd do without this technique. Well, I'd be doing A LOT of searching.
For more information you may contact Scott at firstname.lastname@example.org
My number one tip is to be sure to use BorderManager. Having a solid firewall with the ability to use the directory for access control, logging and filtering using CyberPatrol is hard to beat.
For more information you may contact Cliff at email@example.com
We use Novell 5.1, NDS 7, and ZENworks for Desktops 3 in our education system. Anytime a student is off we use Norton's Ghost to multicast a fresh image out to the labs. This keeps our images fresh.
To ward off potential danger ahead of time, we use BorderManager's Cache Logs and convert them into an Excel Spreadsheet where we can sort by student name or keywords. This alerts us to potential problems or students.
Using Symantec's Anti-Virus by Norton management tool, we view viruses as they are captured with real-time virus protection that downloads from the Corporate site as new definition files become available.
Desktop Management with ZENworks for Desktops 3 allows us to set up accounts with criteria built in for more control in our environment.
If you have any questions you may contact Kelly at firstname.lastname@example.org
To prevent students from setting inappropriate pictures as wallpaper, create empty text files named "Internet Explorer Wallpaper.bmp" and "Netscape Wallpaper.bmp". Push these files out to the workstations with ZENworks every time a student logs in. If you try to save a picture as wallpaper, it will give an error. This isn't a fool-proof solution, but it will stop a lot of them!
Update: I neglected to mention the most important part. The files pushed out need to be flagged read-only. If they are not, anyone can simply overwrite the one pushed out.
If you have any questions you may contact David at email@example.com
My macro virus protection tip: I stored the normal.dot file in a protected location on the server, where nobody has write permission (except me :-)). I created a ZEN application that copies this file to the correct place on the workstation. I associated this application object to every user, so when a user logs in to the network, it becomes a guaranteed macro virus free MS Word.
If you have any questions you may contact Peter at firstname.lastname@example.org
This is based on a suggestion I once saw in a "coolsolutions" blurb. The tip recommended using a program from Joe Moore (http://www.caledonia.net/jmttb.html) to solve a problem we and many others may have.
Our district tries very hard to ensure that our students use only their own account. We press hard the message that if "...your account is used for mischief, you will be held responsible... even if someone else was using the account at the time."
We use the TXTTOBMP software to create a desktop wallpaper on the fly for our students as they login. The user's %FULLNAME% is read from edir and placed in BIG letters front and center on the wallpaper. Making the student's name visible like this serves as a powerful deterrent. It makes it very easy to make an over-the-shoulder spot check of "mis-matches" between the account in use and the person in the chair.
If you have any questions you may contact Cliff at email@example.com
Our students often complain of losing their work due to a floppy disk that went bad. Now we are using iFolder so they can travel around with all their files. Each student has a network drive where iFolder points (we change the location of the My Documents folder to their networked drive). They save files there from any computer around campus and once they sync they can access their files at home or upload new files. We expect that 600 of our students will be using it soon as they say goodbye to old fashioned floppy diskettes.
In addition we will soon be using iFolder to save the students Favorites folder so they can be accessed anywhere around campus and at home.
(For more information on Novell iFolder, see http://www.novell.com/products/ifolder/)
If you have any questions you may contact Angela at firstname.lastname@example.org
When you have to use Outlook Express (OE) with roaming profiles (and win2000), change the path of the archive-map in OE and your OE-profile will come with the whole profile to the fileserver. Otherwise when you use the default settings, it will not be copied with the user profile.
To do this:
- In OE, click Extra, options, tab Service and Archivemap.
- Change the path to: C:\Documents and Settings\[username]\Application Data\Microsoft\Outlook
If you have any questions you may contact Jos at email@example.com
We have had many viruses and a few school hackers. To combat this we have put in place a policy that no student is allowed to install or download programs. To enforce this, we have enabled access rules in BorderManager which totally ban them from downloading most common files, such as MP3s, exes, zips, etc.
Also we use ZENworks user profiles to stop workstation changes. Before this was implemented, this was a nightmare network. We also monitor the users' workstations by using the remote feature in ZEN which allows teachers to monitor what students are doing.
For viruses we use a program called NOD32 (www.Nod32.com.au) which I have found to be excellent. It makes it easy to update workstations on Netware. Also a new program for keeping users from making changes to workstations is deepfreeze (www.deepfreezeusa.com).
If you have any questions you may contact Bradley at firstname.lastname@example.org
What is the best naming convention to use when setting up students?
Because of the large volume of students that I have to create, I use UIMPORT. UIMPORT works best with a user name of 8 characters or less, especially if you are creating home directories. The best naming standard that I have found is to use the first six characters of Last Name then first character of First Name and the 8th character would be numerical for users with the same user name after combining the first 7 characters. For example,
Sam Johnson = johnsos
Sarah Johnson = johnsos2
If you have any questions you may contact Carl at email@example.com
I recently found out our high school students were using Yahoo! Messenger. I quickly put a stop to that by adding a deny rule on my BorderManager 3.5EE server blocking the following URLs:
If you have any questions you may contact Jon at firstname.lastname@example.org
We allow students the privilege of accessing the Internet if they go through our BorderManager Proxy server (BM enables us to filter URL's via Cyber Patrol). If the student loses their privileges to the Internet, or if we want to disallow the Internet in a particular lab, we simply change the proxy setting in the browser via a Registration Key or *.reg file. Our kids have figured out that if you simply take away the icon to the Internet they can get there via Microsoft Word or simply by going to the trash bin and typing a URL.
Simply lock down:
Using ZEN you can control Registry settings per person as well as per machine. You could even make a login script to push the change.
If you have any questions you may contact Robert at email@example.com
We use an array of tools to customize, isolate, lockdown, and otherwise prevent the little darlings from visiting their mischief on our computer labs. We first use eDirectory for student accounts. This gives them access to their ZEN applications and NIMS e-mail. Then we use Visual Click's DSRAZOR to import and maintain our user accounts, Symantec's Ghost to capture our workstation images and finally Deep Freeze to lock down the workstations. This summer we will be piloting the use of Novell Portal Services to provide a customized interface for the students to their e-mail, files, schedule, and course work.
If you have any questions you may contact Ken at firstname.lastname@example.org
We have internet-connected computers available to our students from 3rd grade up. Parents are very concerned at the lower grades that their kids are surfing safely. We solved this problem by making a group in NWAdmin called "Mighty Limited." Using BorderManager, we limited this group's access to Ebsco online research and our district web sites.
This group has solved another problem, too. Students in the upper grades who abuse their network privileges are put in Mighty Limited. They can still use network resources such as printers, and they can do research online using Ebsco, but they have no more "free surfing."
If you have any questions you may contact Ellen at email@example.com
We use NetWare auditing to monitor student behavior, and make sure everyone knows we're watching. You could use the legacy one or the new NAAS, it does not really matter for this solution to work. For the sake of argument, let's assume we use legacy auditing on NW 4.x and 5.x.
We monitor logins and logouts as well as a few other important events. To simplify the use of NW auditing we use a commandline utility instead of AuditCon to enable auditing on all new student containers and to export the audit logs for reading.
All students have individual user IDs and passwords. Thus the NetWare auditing lets us see who has been at what PC and when. For completeness we also have the DHCP server logs and the BorderManager logs.
We have a blurb of text in the login script that tells everyone logging in that internet access is monitored, and by word of mouth the students are told that "Big Brother" is watching. All students also have to sign a paper agreeing to abide by school rules.
Since this is not the US, we are not that uptight about kids hitting the odd "nekkid" site. ;) It is not allowed however and the admins regularly probe the BM logs for keywords. This is done with a very simple batchfile that FINDs all lines containing say "sex" in the logs. The resulting output is looked at and if they find that one particular student is hitting forbidden sites over and over again, the teachers talk to him. Word of those "discussions" also tends to spread...
If you have any questions you may contact Anders at Anders.Gustafsson@pedago.fi
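The keyword sweep described in the tip above, as an added example that is not part of the original submission: it counts hits per user and compares a bare substring match (what FIND does) with a whole-token match, which avoids flagging hosts such as essex.example for the keyword "sex". The Common Log Format layout, user names and URLs are constructed assumptions, not BorderManager output from the page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines. Assumed layout (Common Log Format):
# client ident user [timestamp] "METHOD URL PROTO" status bytes
SAMPLE_LOG = """\
10.1.4.21 - jsmith [12/Mar/2002:10:05:11 +0200] "GET http://www.essex.example/library/index.html HTTP/1.0" 200 5120
10.1.4.22 - bjones [12/Mar/2002:10:06:40 +0200] "GET http://search.example/find?q=sex+ed HTTP/1.0" 200 811
10.1.4.22 - bjones [12/Mar/2002:10:07:02 +0200] "GET http://sex.example/ HTTP/1.0" 403 0
10.1.4.22 - bjones [12/Mar/2002:10:09:55 +0200] "GET http://sex.example/gallery/1.jpg HTTP/1.0" 403 0
10.1.4.30 - akorhonen [12/Mar/2002:10:12:00 +0200] "GET http://news.example/middlesex-council HTTP/1.0" 200 2048
this line is damaged and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def url_tokens(url):
    """Split host, path and query into lower-case alphanumeric tokens."""
    parts = urlsplit(url)
    text = unquote_plus(" ".join([parts.netloc, parts.path, parts.query])).lower()
    return set(re.split(r"[^a-z0-9]+", text)) - {""}


def scan(log_text, keywords, threshold=2):
    """Count keyword hits per user, by substring and by whole token."""
    keywords = {k.lower() for k in keywords}
    substring_hits, token_hits = Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1          # keep a count so silent data loss is visible
            continue
        url = record["url"].lower()
        if any(k in url for k in keywords):
            substring_hits[record["user"]] += 1
        if keywords & url_tokens(record["url"]):
            token_hits[record["user"]] += 1
    # Only users with repeated whole-token hits are worth a follow-up.
    repeat = sorted(u for u, n in token_hits.items() if n >= threshold)
    return {
        "substring_hits": dict(substring_hits),
        "token_hits": dict(token_hits),
        "repeat_users": repeat,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG, ["sex"]).items():
        print(key, value)
```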
Stop students from using Netscape to modify the default desktop wallpaper while browsing the internet.
Create the lab default background as a hidden\read-only file called Netscape Wallpaper.BMP and put it in C:\Windows. Netscape will actually die if they try to choose to set a new wallpaper within the browser.
If you have any questions you may contact Ron at firstname.lastname@example.org
Student Account Setup
We are a relatively small school with a Junior and Senior Campus which are connected via a radio link. We have very low student turn over with the main admissions being in Year 5 & 7 plus a "top up" in Year 9.
Our Student administration system is not compatible with dirXML (this is the least of its weaknesses) so I have an Excel spreadsheet with all the required details that is my master list.
When the account is first created on first enrollment, a random password is assigned. After the Acceptable Use Agreement is returned, the student then chooses a password.
I then export the information in the Excel sheet to a text file that can be imported using Uimport. Each year I roll the student accounts over into the next year and do a periodic purge of leavers during the year.
I used a similar system when I worked at a University - except there the accounts and user data would be purged at the end of each year.
If you have any questions you may contact Keith at email@example.com
One problem we encountered was knowing if a student was logged in with an account with more privileges than we wanted them to have; for example, when a teacher forgets to log out of a workstation that is also used by students.
Solution? Force different color schemes for the students than for the teachers, and also a different one for any local admin accounts. That way, you can tell the type of access by the color scheme.
If you have any questions you may contact David at firstname.lastname@example.org
If you're still running your printing system off of print queues (which I'm sure many a school system is...we were and still do in some cases) make sure you get those print queues off your sys volume! Especially important for system admins who have upgraded from older versions of NetWare and haven't moved their old print queues off that sys volume! Keep sys clean...keep your server alive!
If you have any questions you may contact Tom at email@example.com
We've had problems with students changing the winnt256.bmp, winnt.bmp and nwelcome.bmp on the local HDD. These are the images responsible for background prior to logon and the Novell "Hit Ctrl+Alt+Del to logon". The worst case was where the image had been replaced by black screens showing a crash type image, making the computer appear out of order.
I fixed this two ways. On new machines the permissions on this file are changed to only allow admins to modify it. I also created a batch file that is executed from the Novell login script which replaces the local images with ones pulled from the server. This can also be used to set school logo at background on all machines across a network. You can also redistribute school login logo with new Novell installations by modifying nwlcmw2k.bmp and nwlcmnt4.bmp in the Novell installation source ..\NLS\ENGLISH
Bat file used was
- copy f:\logo\winnt.bmp %windir%\winnt.bmp
- copy f:\logo\winnt256.bmp %windir%\winnt256.bmp
- copy f:\logo\nwelcome.bmp %windir%\nwelcome.bmp
If you have any questions you may contact James at firstname.lastname@example.org
I work at a school that we like to call a "green" school. We have all kinds of animals, flowers and trees. We are trying to be as environment-friendly as we can be. (That is the reason I'm so excited about Tip 3 below.)
- We copy the logos.sys and the logow.sys in the loginscript to avoid having the startup screen of windows changed.
- We also have Norton Anti-Virus Corporate Edition, so I can monitor all students with their viruslike activities and with Symantec Ghost Enterprise I can place an image on a computer or multiple computers from my own desktop computer.
- My last tip is especially for saving paper: we use a program from Aenova software, It's called Maggy for NDS, this is a sort of printserver. When a student prints, he has to type his name on the printserver before the print comes out of the printer. He has 100 pages of free printing, after that he buys printpoints. When we compare this with last year, we find that the printer has printed at least 50% less. We save on printer maintenance, on toner cartridge and, most important, we save so much paper.
If you have any questions you may contact Mehmet at email@example.com
Help the Help Desk with The Password Reset Load.
Problem: The "forced periodic password change" in conjunction with the "limited grace logins" settings in NetWare causes an overload of password reset requests by users to the helpdesk.
Solution: Stagger the expiration dates over a given period of time.
It is not often you can predict the number of problems that will besiege the help desk at a single point in time. This one is pretty predictable, so why not manage it?
If you have any questions you may contact Roger at firstname.lastname@example.org
I have set up a simple script that runs during the login script as a form of double entry to keep track of when kids log in.
This has proven very helpful as I can not only see at a glance which student has been on which machines, I can also see which students have been on a particular machine.
Where this really comes in handy is when there is a security issue and I need a log printed with the student's activity. For example, when I want to prove that a student logged in as someone else and did something, I can see from the log file that Johnny logged in at 10:05, then Billy logged in at 10:10 and Johnny logged in at 10:12. Then I just need to verify (usually from a teacher) that the students were not playing musical seats. Another example is just last week I had a subpoena for information on a threat and I was able to show that a student was logged in on the machine at the time.
I have it set up in two sections. The first section sets the environment variables so that all operating systems have the same information. (Win95/98/NT/2000)
Novell Login Script:
set WSOS="%OS %OS_VERSION"
set Time="%HOURS:%MINUTE:%SECOND %AM_PM"
"LogIT.bat" file:
IF "%COMPUTERNAME%" == "" GOTO NONAME
REM Computer name available: log under the computer name and the user name.
echo %Date% %TIME% %USER% %SPC% %WSOS% %WS% %FULLNAME% >> \\BHSNW01\SYS\LOGIN\LOG\CMPTR\%COMPUTERNAME%.log
echo %Date% %TIME% %USER% %SPC% %WSOS% %COMPUTERNAME% %WS% %FULLNAME% >> \\BHSNW01\SYS\LOGIN\LOG\USER\%USER%.log
GOTO END
:NONAME
REM No computer name available: log under the placeholder name AWINCPTR.
echo %Date% %TIME% %USER% %SPC% %WSOS% %WS% %FULLNAME% >> \\BHSNW01\SYS\LOGIN\LOG\CMPTR\AWINCPTR.log
echo %Date% %TIME% %USER% %SPC% %WSOS% AWINCPTR %WS% %FULLNAME% >> \\BHSNW01\SYS\LOGIN\LOG\USER\%USER%.log
:END
(Your submission window is pretty small so you might have to copy and paste it into notepad and correct the end of lines to read the scripts correctly.)
This produces two log in scripts for each login a student makes. One under his/her username.log and the other under the computername.log
There is a second benefit to this logging. I am able to see (by glancing at the by-computer directory) how many computers I have logging into my Novell servers. I am also able to see how many different users I have by looking at the file count in the by-student directory.
I use the latter statistic when talking to administration about how much the computers are used. When I really want to get my point across, I simply import all files in the student folder into Microsoft Excel and look at how many lines there are to give a login total. I know there is probably an easier way to do it, but it gets the job done. Eventually I would like to write a simple script to parse it daily and give totals someplace to look at.
The only thing that I would like to change about my script is that I don't like that it flashes a black MS-DOS window on the screen for about a 1/2 second before it goes away. The kids know that something is going on, but they don't know exactly what. Either way, I get the information I need.
If you have any questions you may contact Daryl at email@example.com
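A sketch of the daily parsing script the tip above wishes for, as an added example that is not part of the original submission: it totals logins per day from the per-computer log files and flags the "Johnny, then Billy, then Johnny" pattern on one machine. The line layout (MM/DD/YYYY HH:MM:SS AM|PM user ...), the file names and every sample entry are constructed assumptions; only the leading date, time and user fields are parsed, because the later fields can contain spaces.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed per-computer logs keyed by file name (<COMPUTERNAME>.log).
SAMPLE_LOGS = {
    "LAB1-07.log": """\
03/12/2002 10:05:00 AM johnny 1 WINNT V5.00 0050DA112233 Johnny Olson
03/12/2002 10:10:00 AM billy 1 WINNT V5.00 0050DA112233 Billy Reed
03/12/2002 10:12:00 AM Johnny 1 WINNT V5.00 0050DA112233 Johnny Olson
03/12/2002 01:30:00 PM sarah 1 WINNT V5.00 0050DA112233 Sarah Lind
""",
    "LAB1-08.log": """\
03/12/2002 10:06:00 AM sarah 1 WINNT V5.00 0050DA445566 Sarah Lind
03/12/2002 10:0
03/13/2002 09:00:00 AM billy 1 WINNT V5.00 0050DA445566 Billy Reed
""",
}

# Assumed layout: only the first four fields are fixed-width enough to trust.
ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{1,2}:\d{2}:\d{2}) (AM|PM) (\S+)")


def parse_entry(line):
    """Return (datetime, user) for one log line, or None if it is unusable."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        return None
    date_s, time_s, ampm, user = match.groups()
    try:
        when = datetime.strptime(f"{date_s} {time_s} {ampm}", "%m/%d/%Y %I:%M:%S %p")
    except ValueError:            # e.g. hour 13 combined with PM
        return None
    return when, user.lower()     # directory user names are not case-sensitive


def load(logs):
    """Flatten all files into (computer, when, user) tuples in time order."""
    entries, rejected = [], 0
    for filename, text in logs.items():
        computer = filename.rsplit(".", 1)[0]
        for line in text.splitlines():
            if not line.strip():
                continue
            parsed = parse_entry(line)
            if parsed is None:
                rejected += 1     # truncated or interleaved writes
                continue
            entries.append((computer, parsed[0], parsed[1]))
    entries.sort(key=lambda e: (e[0], e[1]))
    return entries, rejected


def interleaved_logins(entries, window=timedelta(minutes=15)):
    """Find A, B, A login sequences on one computer within the window.

    A hit is a lead to check with the teacher, not proof of account sharing.
    """
    by_computer = {}
    for computer, when, user in entries:
        by_computer.setdefault(computer, []).append((when, user))
    findings = []
    for computer, seq in by_computer.items():
        for (t1, a), (_, b), (t3, c) in zip(seq, seq[1:], seq[2:]):
            if a == c and a != b and t3 - t1 <= window:
                findings.append((computer, a, b, t1, t3))
    return findings


def summarize(logs):
    entries, rejected = load(logs)
    return {
        "logins_per_day": dict(Counter(w.date().isoformat() for _, w, _ in entries)),
        "distinct_users": len({u for _, _, u in entries}),
        "distinct_computers": len({c for c, _, _ in entries}),
        "rejected_lines": rejected,
        "interleaved": interleaved_logins(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS).items():
        print(key, value)
```

Because the student's own login session appends to these files, the entries are only as trustworthy as the write access on the LOG directory, so cross-check anything important against server-side records.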
I set up BorderManager VPN on various remote clients. Through this process I have found out (which some people may already know) that if the remote client is trying to use a router to use more than one workstation, this will cause VPN not to work correctly. This is due to NAT which is built in to the router, and also because a router gives an internal address (192.).
The VPN will sign on but GroupWise will hang up and any Intranet sites will time out. Here are some workarounds:
- Set up Web browser access for mail, instead of a client.
- Or use a 208 address with a firewall that does not use NAT.
- Or upgrade to the latest BorderManager 3.7 which addresses the NAT problem.
Whatever you decide, Novell is the best solution, so don't let this pesky NAT BUG YOU!
If you have any questions you may contact Chad at firstname.lastname@example.org
How to prevent Student access to supervisory rights on Novell NetWare 4.11. Don't leave the login supervisor, and your password all in the login screen up in the HighSchool Library. :-)
To commiserate with Joe, you may contact him at email@example.com
We use ZENworks to distribute Windows 2000 group policies, distribute anti-virus definitions, push proxy settings for Internet Explorer etc. We also let the pupils make their own home pages, based on the NetWare Enterprise Web Server. The pupils think this is really cool!
When it comes to a tip to share with other school admins, I feel I really did one thing right when I signed a School License Agreement with Novell! The SLA has provided me with programs like NetWare 6.0, BorderManager, ZENworks for Desktops and -for Servers, GroupWise and NIMS, Portal Services and more, for significantly less than I had to pay for a Windows 2000 Server with less user licenses. This has made it possible for me to use programs and solutions I never dreamed of before. Our school pays a price based on the number of registered users.
Why do school admins purchase Windows servers? Maybe they should look at http://www.novell.com/customers/education/edsales/purchase.html. This really made it possible for me to lift the quality of my network to new heights! And I order upgrades by e-mail. Easy, cool and a bargain!
If you have any questions you may contact Sindre at firstname.lastname@example.org
We used to find lots of unwanted software on the PCs around the campus, software that students had downloaded from the web. To prevent students from downloading exe and zip files we simply added an access rule to our BorderManager server that denied access to http://*.*.*/*.exe and *.zip. We then altered the html error message in BM to tell users that any downloads must go through the IT office. This has had a massive impact: no more games and illegal apps on the PCs. It's great :-)
If you have any questions you may contact Steven at email@example.com
How to disconnect users from Internet Access (BorderManager) 15 minutes before closing:
Use CRON to UNBIND IP from the public interface 15 minutes before closing (18h45). Use CRON to BIND IP back to the public interface to enable access to reverse proxy services and http server behind the BorderManager.
[Editor's Note: For more info on CRON.NLM, see TID 10024685]
If you have any questions you may contact Philippe at firstname.lastname@example.org
In trying to keep up with students getting the sites for free essays, I have used wildcards in BorderManager/CyberPatrol. It seems to not let the user get past the search. When you click on search, it is forbidden. I used the wildcards *free+essays*/* and also *search=free+essays*/*.
I haven't seen this so I hope it's helpful to others. I LOVE it :-)
If you have any questions you may contact Darlene at email@example.com
Of course the simple thing to do is set up rules in BM using the cyber-not list. Make sure logging is turned on. Once a week, usually on Friday, I go in and check the log for attempts at inappropriate sites. If I suspect a student, I create a rule that logs everywhere that student goes. I watch the logs the next week, and bingo I GOT EM!!
Students will argue that "it wasn't me". But I have each student sign an Internet Usage Agreement that states they will not allow anyone to know or use their password. If it wasn't them, then someone must have used their password. In any case, I put them in the Discipline group which is another rule in BM that doesn't allow them access to the Internet. It doesn't take long before the students know they are being watched, but there are still a few who just can't help but try!!!
Thanks for BorderManager.....it's a life saver.
If you have any questions you may contact John at firstname.lastname@example.org
My problem: To comply with a requirement to disallow Internet access to students whose parents request they not be allowed to access the Internet in school (and also for those that have broken the Acceptable Use Policy).
Our Network: NetWare 5.1, ZENworks for Desktops 3.1, Novell BorderManager 3.6, Windows 98 and 2000 workstations.
We already had ZENworks-delivered policies in place which deny access to the Internet Options control panel, and also restrict program execution to only those delivered by the ZENworks Application Explorer. But with Windows 2000 and Windows 98 workstations, it is impossible to simply deny access to Internet Explorer. You can access the Internet by simply opening the "My Computer" icon and typing an Internet Address in the address box.
My Solution: At each login, for every student, I manually set up an Application Object in ZENworks as a Forced Run. This Application Object inserts *incorrect* proxy IP address and port information into the registry of the Local Machine AND the Current User. The current User key is: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer]. This results in a default situation where the workstation cannot access the Internet due to incorrect proxy settings.
For those students who are members of the "Internet_Access" group, in ZENworks Application Explorer, Internet Explorer is represented by an Application Object icon that appears to be simply a shortcut to Internet Explorer on the local hard drive. However, the object also contains a registry item I manually added that changes the Local User proxy server key mentioned above back to the correct IP and port settings. This registry item has the "distribute always" check box enabled so that anytime the student clicks on the Internet Explorer Icon, the correct proxy setting is dynamically delivered to their workstation, and the Internet is available transparently.
Those students who are not members of the Internet Access group do not see the IE icon, and can never get the correct registry setting, nor can they try to change this setting due to policy restrictions I set-up through ZENworks User Policies. This makes it impossible for those students to access the Internet, even by typing an Internet address in the "My Computer" address box.
Also, because I send the incorrect settings as a Force-Run at every login, making it the "default" setting, a student who has to have Internet access taken away will no longer be able to use the internet upon his next login after being removed from the "Internet_Access" group with no further work on my part. The student can then, just as easily, be granted access again by assigning him back to the group. He would then be able to use the internet at his next login.
If you have any questions you may contact David at email@example.com
When assigning rights to users (students / teachers) for internet access, try using the time schedule function and align them to the time schedule of the students so they can use internet only in lessons where it is needed.
If you have any questions you may contact Marc at firstname.lastname@example.org
If you have policies that prohibit the use of chat software etc., you'll want to put MSN in BorderManager also. However this doesn't work since hotmail uses the same server address. So on to the next option, putting port 1863 in your firewall, oops, MSN now uses port 80.
Here's the trick:
Put a line in your hosts file on the pc which tells the msn messenger to look for the MSN server on localloopback. Voila! 127.0.0.0 gateway.messenger.hotmail.com is the server address to use.
If you have any questions you may contact Peter at email@example.com
Here is an extensible policy template snapin I created that is useful. It lets you set proxy server settings, default home page and disable download from the internet. The proxy server stuff came out of one of the microsoft .adm files, I put it in here for my convenience. Other stuff I found out the hard way. Copy the text below into a file ?.adm, fire up nwadmin and load it as an extensible policy.
Written for IE5.5, works with IE6 too.
****** adm file text follows******
class user
category "Custom IE 5.5 Settings"
  keyname "Software\Microsoft\Internet Explorer\Main"
  policy "Set default Home Page for this user"
    part "Home Page" edittext
      default "http://192.168.5.3/"
      valuename "Start Page"
    end part
  end policy
  POLICY "Internet Settings"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    PART "Proxy Server" EDITTEXT
      VALUENAME ProxyServer
      DEFAULT "192.168.5.1:8080"
      REQUIRED
    END PART
    PART "Proxy Override" EDITTEXT
      VALUENAME ProxyOverride
      DEFAULT "192.168.5.1:8080"
      REQUIRED
    END PART
    PART "Proxy Enable" CHECKBOX
      VALUENAME ProxyEnable
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      defchecked
    END PART
  END POLICY
  POLICY "Disable Download for zone 3"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    VALUENAME 1803
    VALUEON NUMERIC 3
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
If you have any questions you may contact Lee at firstname.lastname@example.org
I think my best tip of this year was to use the Deep Freeze Software. This software really FREEZES at 100% all data on a student's computer. It works on Windows 95/98/ME/2000 and XP. DeepFreeze is non-restrictive. Students don't like PC's fully protected with Poledit or registry security, and IT staff members don't like to rebuild computers every day. Deep Freeze makes it easier for everyone. If a student damages a computer, simply shutdown and restart and ALL configurations are reset to the original configuration.
We can create a Thawspace of 100Mb not frozen, to put personal data and PST files for Outlook, to keep computer clean, safe and customized. This software has reduced IT staff calls over 50%. Now we all have more time to work on GroupWise, BorderManager and ZENworks!
If you have any questions you may contact Martin at email@example.com
For those special users such as Principals, Deans, etc., I have a special routine that works well. What I do is in the beginning of the year I build a clean image for them, get everything working perfectly, all their little programs and settings, etc. I wait a day or two so I know there are no issues, and then I ghost it from their hard drive to another HD I have that just has images. I do the same thing in my PC labs, if a PC needs to be imaged I just pull the HD out of a known good PC and ghost disk to disk. You can image a disk in about 6 min.
If you have any questions you may contact Mark at Secluded@earthlink.net
Create a .adm from the following:
-------
CLASS USER
CATEGORY !!FolderRedirection
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
  POLICY !!PersonalRedir
    PART !!Personal EDITTEXT EXPANDABLETEXT REQUIRED
      VALUENAME "Personal"
      Default "%USERPROFILE%\My Documents"
    END PART
    PART !!PersonalText TEXT
    END PART
  END POLICY
  POLICY !!PicturesRedir
    PART !!Pictures EDITTEXT EXPANDABLETEXT REQUIRED
      VALUENAME "My Pictures"
      Default "%USERPROFILE%\My Documents\My Pictures"
    END PART
    PART !!PicturesText TEXT
    END PART
  END POLICY
  POLICY !!FavoritesRedir
    PART !!Favorites EDITTEXT EXPANDABLETEXT REQUIRED
      VALUENAME "Favorites"
      Default "%USERPROFILE%\Favorites"
    END PART
    PART !!FavoritesText TEXT
    END PART
  END POLICY
END CATEGORY ;FolderRedirection

[strings]
FolderRedirection="Folder Redirection"
Personal="My Documents"
PersonalRedir="Default path for My Documents Folder"
PersonalText="Enter the default path for My Documents"
Pictures="My Pictures"
PicturesRedir="Default path for My Pictures Folder"
PicturesText="Enter the default path for My Pictures"
Favorites="Favorites"
FavoritesRedir="Default path for Favorites Folder"
FavoritesText="Enter the default path for Favorites"
;End of Strings
---------------
Add the file as a User Extensible Policy and easily change where My Documents, My Pictures, and Favorites point to. Kid tested and mother approved on Win95, 98, and 2000. If pointed at a network drive (home directory works perfectly), Favorites, My Documents, and My Pictures will follow the user wherever they log in!
Take it one step further:
Several of our schools want student workstations to have the same favorites. We can deploy favorites via group policy to Windows 2000, but that requires a request to an admin (who would need to add/remove each favorite). This also leaves Win9x machines out of the loop.
Instead of pointing favorites to a home directory, a student policy points favorites to a folder on the server that is read-only for students, but read/create/erase/modify for staff. This way, students cannot change the favorites, but their teacher can. It also means not having to visit dozens of workstations to update the favorites.
Did I mention it works with Win 9x and Win 2k?
If you have any questions you may contact Matt at firstname.lastname@example.org
We use MRTG to graph the trends of disk space usage. The Blue line is Total Disk space of a volume. The Green Line is the used disk space. We also increased the X-axis to the maximum of 768 days.
A picture is worth a thousand words and this is true here; with a simple picture we can show the upper management the need to control the users or to buy more disk space.
This has helped us a lot, and I hope sharing this tip can help even more people.
If you have any questions you may contact Tiago at email@example.com
If you lock down your students like I do :) then you know that I don't like to give them rights to My Computer, the desktop, rightclick, leftcheck, etc. But this is a little trick I do to let students manage the Shared Dir and their Home Dirs. I made an app that removes the address bar and opens an Explorer window for kids.
In the Run Options in C1:
Path: Explorer.exe
Parameters: /e,/root,H:\
Working Dir: c:\windows\
This is an app for their H Drive. To change it, replace H with any drive letter you want. It works for all versions of Windows.
If you have any questions you may contact Richard at firstname.lastname@example.org
When using ConsoleOne for my administration tasks, I have found two things.
1 -- Install it to your local workstation; it loads so much faster.
2 -- For an awesome update, install the new Java update from Sun Microsystems. ConsoleOne runs faster and more efficiently than ever. It works like a charm.
If you have any questions you may contact Scott at email@example.com
One of the toughest tasks as a network administrator in K12 education is maintaining thousands of student user accounts. While uimport and bulkload are excellent tools for mass account creation and deletion, a lot of work has to be done to prepare the data files for processing.
Our solution to this problem is to use uimport in conjunction with Microsoft Access to maintain student user accounts. Since our student database resides on an AS/400 system, we use ODBC drivers for client access to pull the current roster lists for each school daily. We store this data in temporary tables and compare it to LDAP queries of our NDS tree. From these comparisons, we generate the data files to be used during the uimport process. Using the schedule features in Microsoft Access, we then call uimport every night to process the data files.
Using this method, we can handle the automatic creation and deletion of student user accounts. We have further enhanced this process to add delays between a student being deleted from our student roster and them being removed from NDS.
Although DirXML can handle most of this now, we needed a solution before DirXML existed. DirXML and JDBC drivers can also become rather expensive. One of the most amazing things about using a NetWare network is the level of flexibility a network administrator is given to handle the day to day tasks the job entails.
If you have any questions you may contact Charles at firstname.lastname@example.org
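The roster-versus-directory comparison with a deletion delay, as described in the tip above, written in Python as an added example (it is not the contributor's Access/uimport setup). The 14-day grace period, the 20% guard against a truncated roster pull, and all account names are assumptions.

```python
from datetime import date, timedelta

GRACE_DAYS = 14          # assumed delay; the tip does not give its value
MAX_MISSING_RATIO = 0.2  # assumed guard against a failed roster pull


def reconcile(roster, directory, pending, today,
              grace_days=GRACE_DAYS, max_missing_ratio=MAX_MISSING_RATIO):
    """Compare today's roster with the student accounts in the directory.

    roster    -- set of account names from the student database pull
    directory -- set of account names from the directory query
                 (assumed to be limited to the student containers)
    pending   -- dict: account name -> date it first went missing
    Returns (to_create, to_delete, new_pending).
    """
    to_create = sorted(roster - directory)
    missing = directory - roster

    # A failed or partial roster pull looks like a mass withdrawal. Stop
    # instead of starting the deletion clock for every account.
    if directory and len(missing) / len(directory) > max_missing_ratio:
        raise RuntimeError(
            f"{len(missing)} of {len(directory)} accounts are missing from "
            "the roster; refusing to schedule deletions")

    to_delete, new_pending = [], {}
    for name in sorted(missing):
        first_missing = pending.get(name, today)
        if today - first_missing >= timedelta(days=grace_days):
            to_delete.append(name)            # grace period has run out
        else:
            new_pending[name] = first_missing  # keep waiting
    # Accounts that are back on the roster are not carried forward, so
    # their deletion clock is reset.
    return to_create, to_delete, new_pending


if __name__ == "__main__":
    # Constructed sample data.
    directory = {f"s{i:02d}" for i in range(10)}
    roster = (directory - {"s08", "s09"}) | {"snew"}
    pending = {"s08": date(2002, 8, 1)}
    create, delete, pending = reconcile(roster, directory, pending,
                                        date(2002, 8, 16))
    print("create:", create)    # accounts to add to the import file
    print("delete:", delete)    # accounts whose grace period has expired
    print("pending:", pending)  # persist this for the next nightly run
```

The `pending` dictionary has to be stored between nightly runs; the create and delete lists are what would be written to the import data files.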
At Kansas State University's College of Engineering we've found a good solution for controlling student printing.
All of our students have Novell e-directory accounts. Printing is controlled by charging their account balance.
Instead of giving out a large number of copies at the beginning of each semester, we add 20 copies to every student's account balance every week, on Friday. We also limit account balances to a maximum of 60 copies to prevent the accumulation of large balances, which tends to lead to both waste and unauthorized account sharing.
At the end of the semester we increase both the copies per week and the account balance limit since students have additional print requirements for assignments.
If students need additional copies, they can purchase them, but with over 2500 student accounts, we usually have only 5-10 people purchasing additional copies each month.
We use simple Perl scripts to update accounts and enforce account balance limits. This procedure works well for our students and we have virtually no user problems or issues that take our time to resolve.
If you have any questions you may contact Steve at email@example.com
At one of our sites we have a bunch of standalone Windows 9x PC's which run some dedicated applications. Unfortunately they tend to get abused as well: color schemes are altered, Internet Explorer startup pages get changed, etc. (You know what I mean.)
I implemented a mechanism that restores the Windows user profile every time the system boots.
It is very simple:
1. Enable user profiles (you can find it in control-panel --> access). Include desktop icons, etc.
2. Login, for example as 'student.'
3. Make every setting right.
4. Logout and go to DOS mode.
5. Make a directory, for example \WINDOWS\BACKUP.
6. Copy USER.DAT from \WINDOWS\PROFILES\STUDENT to \WINDOWS\BACKUP
7. Copy *.LNK from \WINDOWS\PROFILES\STUDENT\DESKTOP to \WINDOWS\BACKUP
8. In AUTOEXEC.BAT add the following lines:
ATTRIB -s -h \WINDOWS\PROFILES\STUDENT\USER.DAT
DEL \WINDOWS\PROFILES\STUDENT\USER.DAT >NUL
DEL \WINDOWS\PROFILES\STUDENT\DESKTOP\*.LNK >NUL
COPY \WINDOWS\BACKUP\USER.DAT \WINDOWS\PROFILES\STUDENT
ATTRIB +s +h \WINDOWS\PROFILES\STUDENT\USER.DAT
DEL \WINDOWS\PROFILES\STUDENT\DESKTOP\*.LNK >NUL
COPY \WINDOWS\BACKUP\*.LNK \WINDOWS\PROFILES\STUDENT\DESKTOP >NUL
Now the good profile gets restored every time the computer boots up.
9. You now need to get TweakUI from Microsoft. With TweakUI set the user "student" to automatically login and prevent bypassing of the profile setting/usage of another profile. The computer is effectively forced to use the profile above.
When the PC becomes part of a Novell Network it is much easier and more flexible to use policies but I find the above handy for "quick and dirty" securing standalones. :) It works really well with students who aren't that skilled in computers anyway!
If you have any questions you may contact Maarten at firstname.lastname@example.org
How to remove MSN Messenger automatically (we didn't want our students to chat):
Put the following line in a login batch file or script:
if exist "c:\program files\messenger\*.*" RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Remove,5
if exist "c:\program files\messenger\*.*" deltree /Y "c:\program files\messenger"
email@example.com
We use UIMPORT at the beginning of each school year to import the newest batch of secondary students into NDS.
We add "Class of ####" in the description field of the User Template. That way, at the end of each school year, we can run a search in NetWare Administrator for Description equal to "Class of (this year)" to quickly delete all the graduates.
If you have any questions you may contact Michael at firstname.lastname@example.org
Use the student's graduating year in his/her user id. That way it will be easier to find and delete them when they (hopefully) graduate. For example, for students graduating in 2007, all user id's end in 2007 (jchavner2007). It works great!! Especially when you have large school populations.
You can also use this to move students around in NDS from junior to secondary schools by tracking which year they should move up.
If you have any questions you may contact John at email@example.com
When adding student users, I create them by starting their login with the last two digits of their graduation year. An example would be 03bhess. This way all students graduating the same year are grouped together for administration purposes.
If you have any questions you may contact Brady at firstname.lastname@example.org
We had a problem with how to handle increasing rights and application delivery on the network from year to year, and how to eliminate old accounts as students graduated and left the school.
Our very simple solution was to create a group for each of the years, with specific rights assignments (i.e., a group called 1st grade, 2nd grade, etc.) and then place all users into OUs dependent upon the graduation year. So the tree followed this pattern.
SCHOOL
-->STUDENTS
--->2003
--->2004
--->ETC, ETC, ETC
This allowed us to easily change their rights as the students went from grade to grade, as well as modify which applications were made available to them through NAL.
If you have any questions you may contact Matthew at email@example.com
For quick import of students at the beginning of the school year, we export student info from the district's student management database to a comma-delimited file for use with Novell's uimport utility. This way we can automatically create our standard 8-character username from the 1st initial, middle initial and 1st 6 letters of the last name.
We use their birthdate as the password and force it to expire at login so they have to change it. We group them by graduating class year (2002, 2003, 2004...) and create their home directories.
We create a few thousand users in a matter of minutes, and since everyone knows the naming convention, we don't have to mail out login info to the users. At the end of the year, we clean out the student users and home directories and are ready for the next year to start.
If your district likes the student accounts to follow them from year to year, then just create a list for uimport to delete only those students that have graduated or moved out of district, and just roll the users from school to school using uimport, ncopy and tcopy.
If you have any questions you may contact Steve at firstname.lastname@example.org
If your labs are using Internet Explorer with proxy authentication enabled, you may wish to remove the tick box "Save this password in your password list" which appears when the student accesses outside internet addresses. To remove this box follow these instructions:
- Open regedit or regedt32
- Find HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings
- Create a Reg_Dword key
- Value Name = DisablePasswordCaching
- Value = 0x00000001
And that's it, the "Save this password in your password list" box will disappear.
I found this useful as some students in my labs didn't understand the meaning of this tick box and accidentally enabled it, which meant that other students could access the internet using the other student's saved credentials. (Not a good idea, when quota systems are also in place.)
Hope this is useful.
If you have any questions you may contact Liz at email@example.com
We use the autoexec.bat to help save space on the hard drive by deleting the Temporary Internet Files folder, the History folder and the Favorites folder as the machine boots. This also prevents the next student from going to a site that a previous student has gone just by using the history or favorites.
We also copy the normal.dot to the windows folder after we make changes to the Tools\Options section. Since viruses are prone to infect this file, on boot-up we delete and copy a new file to the old location. This really cut down on viruses attacking the normal.dot. This also prevents the students from making changes for the next class.
C:\WINDOWS\COMMAND\attrib -r -h c:\windows\normal.dot > log.txt
C:\WINDOWS\COMMAND\attrib -r c:\progra~1\micros~1\templa~1\normal.dot > log.txt
copy c:\windows\normal.dot c:\progra~1\micros~1\templa~1\normal.dot > log.txt
C:\WINDOWS\COMMAND\attrib +r +h c:\windows\normal.dot > log.txt
C:\WINDOWS\COMMAND\attrib +r c:\progra~1\micros~1\templa~1\normal.dot > log.txt
C:\WINDOWS\command\deltree /y c:\windows\history\ > log.txt
C:\WINDOWS\command\deltree /y c:\windows\favori~1\ > log.txt
C:\WINDOWS\command\deltree /y c:\windows\Tempor~1\ > log.txt
If you have any questions you may contact Mary Lou at Mary.Kiser@cfisd.net
To prevent users from creating several objects on Windows desktops we use a simple batch file. This keeps lab desktops clean for the next users. The batch file uses the DELTREE command to erase anything that is copied or created on the desktop. This is executed at each startup. We need to put a new value in the registry in the run section of HKLM and set up the batch file to be executed in reduced mode. It's 100% transparent to users and they always have a clean Windows desktop.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"INIT"="c:\\windows\\init.bat"
The BATCH File
@ECHO OFF
C:\WINDOWS\COMMAND\DELTREE /y C:\WINDOWS\BUREAU\*.*
If you have any questions you may contact Martin at firstname.lastname@example.org
Problem: University runs many short courses and new students enroll throughout the year.
Solution: Every day we run a query on the university's enrollment database which creates a CSV containing all user details. This gets processed by an in-house app that converts this to LDIF format. The LDIF is then imported using Bulkload.NLM.
The conversion app also creates a file suitable for the GroupWise Import function.
User accounts are deleted in a similar fashion (once a year).
Problem: General Security
Solution: Windows 98SE with Nalwin32.exe as the shell. The 'List of allowed applications' is empty apart from naldesk.exe. Everything is delivered via NAL. A custom-written app runs on login; this app removes registry keys relating to user profiles and deletes the contents of c:\windows\profiles. It then looks at the current user name and creates a profile directory (and accompanying reg key) based on the user name.
Workstations are currently imaged using Norton Ghost, although we plan to begin using ZfD imaging soon. We are currently using native Windows policies (.pol file on the server) but are considering migration to ZfD based policies imminently.
Internet Explorer Administration Kit is used to tie down and customise IE. Unfortunately the Netscape equivalent of the Admin kit seems to be quite expensive.
Problem: In the event of network failure users are unable to print.
Solution: Drives are partitioned, with two Windows installations. One is a standard networked build and the other is an "emergency" standalone version of Windows, with drivers for an LPT connected mono printer. The partitions are created and managed with System Commander 7 (www.v-com.com).
If you have any questions you may contact Nathan at email@example.com
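The CSV-to-LDIF conversion step from the first solution above, as an added Python example (it is not the contributor's in-house app). It shows why the converter must encode values per RFC 2849: a field carrying a line break would otherwise become an extra attribute line in the import file. The column names, the container DN, the username rule and the sample rows are all assumptions.

```python
import base64
import csv
import io
import re

BASE_DN = "ou=students,o=school"                   # assumed container
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{1,31}")   # assumed naming rule

# Constructed enrollment export; the column names are assumptions.
SAMPLE_CSV = (
    "username,given,surname,course\n"
    "jdoe,Jane,Doe,Welding 101\n"
    "zbrun,Zo\u00eb,Brun,French\n"
    'esly,Eve,"Sly\nmemberOf: cn=admins,o=school",Maths\n'
    '"x,o=school",Mal,Lory,Art\n'
)


def ldif_line(attr, value):
    """Return one attribute line, base64-encoding any value that RFC 2849
    does not allow as a plain SAFE-STRING."""
    plain = (value.isascii()
             and not re.search(r"[\x00\r\n]", value)
             and not value.startswith((" ", ":", "<"))
             and not value.endswith(" "))
    if plain:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def csv_to_ldif(csv_text, base_dn=BASE_DN):
    """Convert the export to LDIF add records.

    Returns (ldif_text, rejected_usernames).
    """
    entries, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("username") or "").strip()
        # The username becomes part of the DN, so it is checked against an
        # allowlist instead of being escaped. inetOrgPerson also needs sn.
        if not USERNAME_RE.fullmatch(user) or not row.get("surname"):
            rejected.append(user)
            continue
        lines = [f"dn: cn={user},{base_dn}",
                 "changetype: add",
                 "objectClass: inetOrgPerson",
                 f"cn: {user}"]
        for attr, column in (("givenName", "given"), ("sn", "surname"),
                             ("description", "course")):
            value = row.get(column) or ""
            if value:
                lines.append(ldif_line(attr, value))
        entries.append("\n".join(lines))
    return "version: 1\n\n" + "\n\n".join(entries) + "\n", rejected


if __name__ == "__main__":
    ldif, rejected = csv_to_ldif(SAMPLE_CSV)
    print(ldif)
    print("rejected rows:", rejected)
```

Rejected rows should be logged and reviewed by hand, not silently dropped, since they point at bad data in the enrollment database.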
Layered Security Approach
My school uses BorderManager behind a firewall appliance. It may be overkill, but it seems to get the job done. The appliance and BorderManager are used as content filters, proxies, and NAT. We use the appliance to set up DHCP and BorderManager for web caching and filtering.
If you have any questions you may contact David at firstname.lastname@example.org
I change MY admin and my power user account password on a daily basis. I also change my Login user name on a monthly basis. I also try only to connect to the "GUEST" machines through a Virtual console software like ZENworks for Desktops. This stops any "Key stroke" capture programs from hijacking my account info.
If you have any questions you may contact Steve at email@example.com
We have a select group of students that needed to be in the GroupWise e-mail system so teachers could send them stuff - but did not have internet permission. Therefore they would not be allowed incoming or outgoing internet e-mail.
So I created a separate post office for those students, went into the access control area of the GWIA object, created a new class of service called "internal only" and put just that one post office in it. Then I went to the SMTP tabs of that class of service and checked "prevent incoming/outgoing messages".
Now those students can participate in the class projects without sending or receiving internet e-mail.
If you have any questions you may contact Allison at firstname.lastname@example.org
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com