Good afternoon.
I work in IT for a large library.
We use a program called Smartshield to stop patrons from making lasting writes to our computers.
I am pretty sure it creates a RAM drive and stores all writes there.
Once the computer reboots, all changes made are wiped away and it's ready for the next user.
Everything works perfectly 99% of the time.
With that 1% failure rate the computer receives the reboot command and gets stuck doing that.
With over 800 computers that breaks down to 8 computers or so each month that need to be manually restarted after Windows patching.
All computers have to be manually unprotected for Windows updates to stick which requires a reboot, even when launched with an admin account.
I had an idea to replace that program with a Windows solution.
1. Give the patron account only access to read and execute for the C: drive.
2. Move all library folders (Desktop, Pictures, Downloads) to a D: partition that they can write to.
3. On logoff, have a task manager script wipe D:.
In addition, the above would mean we wouldn't have to manually unprotect our computers before doing Windows updates, streamlining the process.
Does anyone see any issues giving a local user account only read and execute permissions to C:?
I'm assuming any critical Windows functions would be carried out automatically with Service level permissions.
Wanted to get some insight before I start testing.
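
Added example, not part of the original post: a PowerShell audit for step 1 of the plan above, listing directories under C: whose ACLs grant write-type rights to identities a patron logon would carry, so they can be reviewed before testing. The account name `Patron`, the scan depth and the English group names are assumptions.

```powershell
# Added example: list directories under C: whose ACL grants write-type rights
# to identities a patron token would carry. "Patron" is an assumed account name.
param(
    [string]   $Root  = 'C:\',
    [int]      $Depth = 2,
    [string[]] $Identities = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE',
        "$env:COMPUTERNAME\Patron"   # assumption: local patron account
    )
)

# Rights that let a user create, change or delete content, plus the generic
# write/all bits that Get-Acl reports as raw numbers on some inherited ACEs.
$fsWrite = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask    = [int]$fsWrite -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

$dirs = @(Get-Item -LiteralPath $Root -Force) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
    catch { continue }   # unreadable ACL: skip, this is a best-effort audit

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        $granted = [int]$ace.FileSystemRights -band $mask
        if ($granted -eq 0) { continue }

        [pscustomobject]@{
            Path      = $dir.FullName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Deny ACEs and privileges are not evaluated, so treat this as a list of
# candidates to review, not as computed effective access.
$findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
```

Run it from an elevated session on a reference machine; each row is a directory where the ACL would need tightening, or a write that the logoff cleanup would not cover.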