LUA / Retaining all desktop settings

Discussion in 'other software & services' started by philby, Sep 14, 2010.

Thread Status:
Not open for further replies.
  1. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Hello

    I'm trying to help my local nursery school with their computers. They will be running 2 new stand alone Win7 HP 64 machines - no network or internet connections, basically so that the kids can play CD based games and save their art work and docs locally.

    They would like to prevent any changes being made to the desktop, i.e. no file saves, no new shortcuts, no deletions.

    Unfortunately, they are not overly keen on Returnil or any other 'gone-on-reboot' s/w.

    I have tried to simulate what they want to do on my machine (also Win7 64 HP) without any luck.

    There's no GP Edit as it's Win HP.

    I've tried creating an LUA and setting only Read permissions for user\desktop and separately for user\desktop\desktop.ini. This did work for locking down icons/folders but the desktop background could still be changed - and worse, programs such as MyDefrag, PDF Redirect just wouldn't run correctly even though they were installed under the admin account.

    I've also tried creating a number of registry keys as per google - too many to list here, but these made zero difference and all seemed to apply to XP anyway.

    In short, is there a simple way to stop a limited user from changing anything on the desktop without inhibiting the running of programs already installed under admin?

    Thanks in advance

    philby
     
  2. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    This is the right, best way. Anything else will, in the long run, not work as well and will cost more in time spent to set things right again.

    Maybe that's the angle to persuade them from?? Long term cost?
     
  3. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    Rollback Rx?

    I don't use it, but it has many fans on this Forum. But I agree with Han (and you) that a Returnil-like product is the obvious way to go.
     
  4. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Hello HAN + LenC

    They don't like the idea of having to save to a different partition, or turn protection off/on for new installs... !!

    I managed to use the 'default user profile' as per here, and this did kill desktop changes on log off / log on, but again, most programs wouldn't run.

    Irksome...

    philby
     
  5. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    I searched for "mandatory local profiles windows 7", but didn't find any easy solutions for Windows 7 except those already mentioned.

    I also found a link on the NGN (Dutch Network Administrator Association). It refers to a 14-day trial for User Profile Manager from ForensiT.

     
  6. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    How about a plain old imaging program - restore an image at the end of every day?
     
  7. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    "They don't like the idea of having to save to a different partition" from post #4.
     
  8. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    Okay - I guess I didn't fully understand that comment. I assumed they were against the hidden area that would be setup on the hard drive by Rollback RX. So I thought an imaging program might be acceptable because there is no change made to the hard drive - the images are typically stored on a separate or external drive.
     
  9. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Hello All and thanks for the replies!

    I have spent the afternoon (out of a persistent curiosity) revisiting the \user\desktop permissions method and have managed to get an LUA whereby no icons can be created/deleted and nothing can be saved to the desktop at all - only to the LUA folders space. The permissions look like this:

    LUA Permissions.PNG

    What I don't understand is how LUA having 'full control' as above fits with the below setting for Everyone. I had been trying to deny LUA permissions, when all I needed to do was change the owner to philby7(admin account) and allow Everyone only Read access to Desktop:

    Desktop Permissions.PNG

    Programs are working too - with the one exception of MyDefrag; I installed it under philby7 but it just won't run under LUA - the GUI opens and promptly closes if I initiate a task.

    However, I still can't prevent desktop background changes - though this isn't really the end of the world - I'd just like to know how to do it!

    I think I'm going to have to insist that the nursery staff use Returnil (or other) though - as has been mentioned, there's too much to go wrong using the above.

    Problem is that the staff can't see that tweaking things the way they want requires that they themselves take a little bit of responsibilty for how the machine is then used (i.e. saving to a second partition etc.)

    Thanks again for your input - and if anyone can shed more light, I'd really appreciate it.

    philby
     
  10. wat0114

    wat0114 Guest

    This comment will be of no help, but they really should have bought either the Pro or Ultimate versions, then what they were seeking would have been far easier to employ. Actually, what about using only the Guest account? Does it not restrict settings a bit better?
     
  11. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    All of the defraggers I've tried required admin privileges. After all, they are moving files around in areas the LUA has no write privileges. Try right-clicking it and running it as admin. You could also just use the built-in defragger, I think that might work OK even in an LUA if it runs as a system service. This might be your best solution. If they can't be bothered to save their files to a different partition then they probably won't want to play around with defraggers either.
     
  12. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,131
    RollBack Rx would def be the simplest way to go. You can set it up to restore the system automatically at either start-up or log-off. This will not just prevent things on the desktop from being changed (except temporarily of course) but everything else on the PC as well. RollBack has the added advantage that its fast. A system restore/rollback takes under 1 min to accomplish.
     
  13. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    I understand about the defragging - I've tried elevating, but when I 'run as admin', the same thing happens - the GUI opens and the task begins but then disappears. I'm not prompted for the Admin password either (I should be shouldn't I?) so maybe my permission settings are all wrong.

    However, as pointed out, they are not going to be bothered with defraggers - I'm just curious for myself as to why I can't get MyDefrag to run under LUA.

    Thanks for the tip about Rollback RX; I will have a look at that.

    I have finally managed to get some registry keys / Dwords (a GPEdit reference spreadsheet from MS) that I can use to lock down themes,sound,wallpaper etc. so it's looking a bit more promising now.

    If I can use LUAs + registry tweaks, then the staff will have no learning curve at all - any gradient steeper than 1 degree will (apparently) cause them problems!

    Thanks again for the input.

    philby
     
  14. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Did you turn UAC off? If so, then turn it on and try 'run as admin' again.
     
  15. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    I forgot about UAC being off - thank you!

    philby
     
  16. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,131
    You are welcome ------- no learning curve with RollBack, set it up and given what you are after its completely automatic.

    BTW I would think the desktop is not the only area that no changes would be nec. The desktop after all is mostly cosmetic (how it looks) the OS and programs are where changes can have a detrimental effect so reverting any and all of these would be much more important IMO. Thats where RollBack shines, very fast, automatic (if desired), and total restore of the PC to the preferred configuration.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  18. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
  19. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Thank you MrBrian :)

    There's also this massive spreadsheet.

    I downloaded the appropriate .xlsx and converted to .xls using Zambar (I have Office 2003 and haven't installed the Compatibilty Pack).

    Looking good now!

    Thanks again

    philby
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
Loading...
Thread Status:
Not open for further replies.