Student computers need to be restricted

[dmm@ras]

I am unsure where to go to clamp down rights/permissions on the "amazing" things students can do to computer workstations. The student computers are on a LAN using SQL server. The workstations are running Windows XPpro. When I tried to make the student logon a "restricted user," some of the interactive educational programs housed on the server were unable to launch. In the past, students have been given full admin rights to the local workstation in order for these educational programs to operate. The long and short of it is after spending tons of time reconditioning 40+ student computers (i.e. uninstalling non-educational programs; running disk cleanup & defragging which took most workstations over 1 hr. for ea. task; installing upwards of 80+ MS updates to a single computer x 40; standardizing desktops/screensavers, etc.) I'd like to now set the student's rights/permissions to restricted user on the front-end, but still be able to launch the programs needed from the server.

Where and how can I best accomplish this final task to protect all that's been done to keep the student computers running more efficiently?

[almn]

What you migh want nto do is make all the accounts limited but have the educational programs run as an administrator 

Al968

[viking]

What you migh want nto do is make all the accounts limited but have the educational programs run as an administrator 

Al968

And how do you do that?
For the "Run as..." command you have to know the administrator password. Or should he start on 40 computers that program, walking from one to another and typing the password? It will take him 30 minutes for the task... At least.
dmm@ras, I imagine that your network now it is part of Active Directory (if I remember right). You have to play with the user settings until you find that you can use the program with a limited account (but that may need write access to some folders, to the program folder etc) or you may find it is impossible to do that.
First thing that I would check are the security permissions on folders for that account, there may be folders inaccessible (with parts of the educational programs) even for reading to the restricted account.

[ale52]

You don't say what the "server" OS is.  Is it 2000 Server / 2003 Server?  If either one of those you can create an OU (Organizational Units), move the students in it then create a GPO (Group Policy Object) for that OU.   

Alan <>< 

[dmm@ras]

It is a 2003 SQL OS. I will try your suggestion. In one of the computer labs, there is only one interactive educational program which opens just fine with the student logon at the workstation designated as a "restricted user" and placed in the admin group on the backend (folder on server). Was this ok or should I go back and do what you suggested? I tried this same set-up in the other computer lab, but there are two other interactive educational programs when opened, the student cannot "write" to them. It's possible there is a temp file/folder on the local workstation that might need admin access to interact properly. I am just not too sure at present and ran out of time last time while attempting the rights/permissions issue.

Another thing, I've scheduled disk cleanup every Friday on all student computers. For the lab where students are restricted users, I had to give them admin rights for that task only and the utility will launch and perform. However, this was not true about disk defragmenter even though I gave the restricted user admin privileges for that utility as well, but the utility still would not launch and the message received kept saying you had to have admin rights to run this utility. Do you suppose to run/execute disk defragmenter on C:\ the utility goes by the logon? Of course, both utilities run just fine in the computer lab wherer students still have full admin rights at the local workstation. Do you have any suggestions in this area as well?

I appreciate everyone's time and effort to help me arrive at the best set-up for student computers at our school. Right now, half of the computers are used with our ESL program and the other half with our HS students. It's the HS students I'm most worried about. Shortly, we will be adding a third computer lab for our LVN students. They, generally, should be rather trustworthy.

Anyway, thanks again for any help!

[viking]

Be careful with the admin roles on your network. You will soon cry after your settings if you give the administrator credentials to many.

If you are talking about "full rights" on certain folders (NOT system folders, I hope), than the possible damage is much smaller. Which way did you go, administrator for some (many) users on the server or full rights on a few folders for some users? I would choose folder rights to many others than administrator rights to many others (and I strongly advise you to do so).

Concerning the disk cleanup, why don't you create a scheduled task with the administrator account credentials? Although I admit you can find a better solution than using the administrator account... Create another account and give him administrator credentials = include it in administrator accounts. I know, it seems to be exactly like the original administrator account. I will look if your problem can be solved otherwise.

On scheduled tasks, when you create a new task, it let you choose what account to use when the task will run. You can specify a different time of the day, it does not matter if the user is logged in or not. The user account has to have the necessary rights to access the diferent folders for the application to be run.

[ale52]

In my experience (I set up a network for a troubled boys school) I found that if you give any student admin rights he/she will exploit it for all it's worth.  That school has a networked program that the students have to write to but with the OU in place and the proper GPO set up, they could do their schoolwork and not get into any mischief.  I had the desktops locked down so all they could do was a word processor & the school program...nothing else.  No changing the desktop / Internet access / no "run" command or DOS access.  Strict I know but necessary.

One suggestion:  if possible set up a test system with a server and 1 or 2 student systems and test your setup there.  NEVER test on production systems. 
BIG Bozo-nono 

Good luck!

Alan <><