*Deep freeze, but with 2 partitions on the drive, one frozen, one
thawed. I stopped using "thawspace".

*The Default profile has My docs & IE6 favorites moved to the thawed
partition. All new user profiles end up with the same mydocs.

*profiles go away at restart via deep freeze. There are only 4 or 5 per
machine permanently. My Docs stays.

*Few have admin rights; almost everything is already installed, little
need for customized machines {Sped, admin assistants}

*re-imaging as things get updated. Once per year? Our vendor starts new
machines with our image.

*turn off most updates, like Java etc.


*Ghost solution suite does auto backup images of servers once per week.
Client licenses for Ghost cost too much for all workstations; I visit
them for re-imaging.

*Images are stored on the network.

*No roaming profiles.


David Isham
Network Administrator
Grand Isle Supervisory Union
5038 US Rte 2
North Hero, VT 05474 
802-372-6921 vox
802-372-4898 fax 

-----Original Message-----
From: School Information Technology Discussion
[mailto:[log in to unmask]] On Behalf Of Eric Hall
Sent: Wednesday, February 13, 2008 1:35 PM
To: [log in to unmask]
Subject: Re: Desktop Security


Craig & All - 

I recall a similar conversation over pizza last fall, in which I was
surprised to discover that many folks have users (even students) with
admin rights running workstations. I have gone back and forth about it,
but will maintain that locking down machines by restricting user rights
still feels like the most efficient method of control. I would rather
have tech staff spend time doing individual software installations as
needed vs. reimaging screwed up machines! The payoff is having
consistency: my early experiences in tech support involved walking up to
machines and never knowing what was installed or what had been done to
the machine. Every one was unique, and the hours spent supporting this
environment were significant. I started imaging for this reason, and if
I allowed everyone to customize and install what they wanted to I would
be back in the same situation! I have occasional "power users" who get
frustrated by this approach, but by and large I hear very few
complaints. There are one or two people with admin rights, but they know
they are supporting themselves.

As additional evidence, I also tend to turn off automatic software
updates except Windows updates. Nothing is more frustrating than to find
that an update has changed file associations so that media players do
not work properly or consistently, OR installation options have not been
chosen carefully, OR users have registered software in their own name,
OR multiple versions of software have been installed (older software
that installs Acrobat 5, for instance) etc. etc. etc. I surprise myself
in sounding like a control freak, but our computers run smoothly and
efficiently and we rarely have to deal with individual machine issues
short of failed hardware! 

Yes, we take on the load "up front" by creating new images over the
summer and scrambling to reimage and reconfigure everything in August.
September is Hell, but the rest of the year is smooth. Over the years I
have developed a pretty solid "base" image for both platforms, and the
work gets easier and easier as we learn how to use the tools (Ghost,
NetRestore) more efficiently. We are even at the point of reimaging labs
and staff machines twice a year to keep all software current. We do
enjoy the benefit of consistent hardware: of our 320 computers there are
only 7 distinct machine types, all running WinXP or OSX. All machines
use the same "base" image, with software packages differentiated by
deployment (lab, teacher, student, etc.)

No roaming profiles, and even in our Mac environment user profiles are
local and we do not manage clients from the server. Simplicity and no
load on servers - the possible "bloat" in user profiles has always
concerned me. 

At home, watching the rain turn to snow at last,

Eric Hall
Technology Coordinator
Waterbury/Duxbury Schools
Washington West Supervisory Union
Waterbury, VT
(802) 244-6100

on 2/13/08 11:02 AM, Craig Lyndes wrote:

Dear Folks,

I know that this topic has been on the list recently (I have been 
lurking).  However at my new job I have observed that their attempt at 
desktop security has some negative consequences that I would like to 
fix.  They are currently using Windows Domain Logins with profiles that 
on their older, slower machines make boot-up take up to 5 minutes 
(creating a new profile for each student) and clutter up the hard drives
with old profiles.

Cut to the chase - Are there any schools out there that are using Disk 
Imaging as a part of their desktop security system? 

What I am proposing is to have some computers where the users have full 
access to the local machine.  They can install plugins, change the 
desktop, do whatever they wish with the computer.  If something happens 
to the machine that causes it to become compromised then the computer is
reimaged from a standard image stored on the network.  If you are using 
an imaging solution, which one, what are its benefits and how much does 
it cost?  Are there any repercussions to having unlocked desktops (not 
everywhere, but where appropriate and requested)?

Question #2 - What are people using for desktop security that is 
installed locally on the computer, not a server/login based solution?

I am not enamored with Windows servers and am thinking of going open 
source for network resources.  This would require the machines that need
to have the desktop managed have something locally installed.  I am 
familiar with Deep Freeze, which seems to work very well.  I've also 
struggled with Fortress, which I found to be very good at disabling the 
machine upon which it is installed, and therefore a less than ideal 
solution.  What are people using?  We are using Icon Lock successfully 
on the Win 98 machines (approx 1/3 of the machines still).

Thanks In Advance
Craig Lyndes
Franklin Central SU