I'd guess that one problem is that the OP is trying to train people on how to use the software which is available on the main network, and life's an awful lot easier when you use that network (but only a subset of it). Things like email are going to be hard to deal with on an isolated network (but I would have hoped that anyone who's got to a university could use email...)
 
Not sure that ADS would help - as I understand it, it's only for deploying servers - but there are other ways to "heal" machines which work well and I'm sure would be used.
 
I think also that your point about someone having years of experience is less relevant here - these are classes intended for those without experience (and I work in a college so I know the difference between the problems caused by those who are malicious and know what they are doing and those who don't know what they're doing but are just blundering around!)
 
Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: 04 November 2005 11:56
To: [email protected]
Subject: RE: [ActiveDir] Limiting User Logon to Specific Machines

Hello Everyone:

Why not make them stand-alone machines? These are in fact “learning play toys” for the “inexperienced user”, therefore a domain is not necessarily required.

If it is possible, I would suggest isolating that room from your existing network and building an ADS machine. I would make sure that the workstations support PXE before doing so. The machines in the classroom would all then be configured to listen to PXE requests and have images pushed to them as needed. Using this method would do a couple of things.

  1. 100% isolation from the existing domain, leaving no possible risk to the rest of your network infrastructure.
  2. If the user were to somehow break something because you thought something was configured that should have denied access, you can simply push a new image to the machine with minimal effort. You can also update your image so that you can update any new security changes you would like to implement.
  3. You will not have to waste the time and resources in your current environment managing workstations that are not a critical aspect of the entire network.

Another thing that I think is the most important is the fact that you have isolated the communal user from doing anything outside of the classroom.

If I were a student of the class taking entry-level computer training sessions and had years of computer experience under my belt, including several personally written viruses, I would be very upset and bored. I would be finding a way to break something. Add to that the fact that I know everyone is using a global user, therefore if I did anything malicious I could probably get away with it because it is not tied to my unique account ID. I could do anything I wanted to with minimal risk to myself of getting caught.

If it were me and I were in this situation, this is what I would do. You could also expand upon this and create a new domain that has a specific purpose for this classroom environment. The domain would have nothing to do with the rest of the network. Then you can eliminate the communal user, still manage all workstations within the isolated domain and provide the highest level of security to the rest of the network. You would also be under the protection of the ADS server should anything go bad to where you had to push out new images to the workstations.

My two cents,

Edwin

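For reference on the thread's subject (limiting a user's logon to specific machines), here is what the "only a subset of the network" approach looks like in Active Directory terms. This is an added example and is not part of Steve's or Edwin's message: it writes the communal account's userWorkstations attribute with the ActiveDirectory module's Set-ADUser -LogonWorkstations and reads it back to confirm. The account name 'classroom', the LAB-PC01..LAB-PC20 naming and the machine count are assumptions; substitute your own.

```powershell
# Added example for this thread's subject; not part of either message above.
# Assumes: RSAT ActiveDirectory module on a domain-joined admin workstation,
# a communal account 'classroom' and lab PCs named LAB-PC01..LAB-PC20
# (all hypothetical names).
Import-Module ActiveDirectory

$CommunalUser = 'classroom'
$LabPcs = 1..20 | ForEach-Object { 'LAB-PC{0:D2}' -f $_ }

# userWorkstations is one comma-separated string of NetBIOS names. The
# "Log On To" dialog in ADUC only handles 64 entries, so fail early rather
# than write a list that admins can no longer edit from the GUI.
if ($LabPcs.Count -gt 64) {
    throw "userWorkstations supports at most 64 machines; got $($LabPcs.Count)"
}

Set-ADUser -Identity $CommunalUser -LogonWorkstations ($LabPcs -join ',')

# Read the attribute back and diff it against what was intended, so a typo
# or a truncated list shows up now rather than as a student who cannot log on.
$Actual = (Get-ADUser -Identity $CommunalUser -Properties LogonWorkstations).LogonWorkstations -split ','
$Missing = Compare-Object -ReferenceObject $LabPcs -DifferenceObject $Actual |
    Where-Object SideIndicator -eq '<='

if ($Missing) {
    Write-Warning ("Not applied for: " + ($Missing.InputObject -join ', '))
} else {
    Write-Host "$CommunalUser may now log on only at: $($Actual -join ', ')"
}
```

Two caveats a practitioner should keep in mind. The domain controller enforces this by comparing the NetBIOS computer name presented at logon against the list, so it is a logon-policy control on one account, not network isolation: the machines themselves still sit on the main network, which is exactly the exposure Edwin's isolated-room design removes. And because it is tied to the communal account rather than to individuals, it does nothing about the attribution problem Edwin raises; only per-student accounts address that.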