[OPLINTECH] GCPL: Win 7 public computers and Deep Freeze

Chad Neeper cneeper at level9networks.com
Wed Feb 13 11:27:56 EST 2013


Jim,

1: I'm actually rolling out some patron workstation changes at one of my
libraries myself. The workstations were originally Win7 + Deep
Freeze...essentially all stand-alone, albeit with access to a networked
share. They were not members of an Active Directory domain.

The changes I'm rolling out include making the Win7 patron computers part
of a domain to make management easier. They also still have DF on them.
I've used Group Policies to lock them down a bit and to auto-configure a
lot of things. They're not locked down "tight as a drum", but they're not
wide open either (as they were). We're still relying on DF as the
bottom-line return to a known state.

You're going to run into a problem about 30 days (I think...been a while)
after you've left Deep Freeze enabled on your workstations. The
workstations will drop off the network and won't connect to AD until the
machine account password is reset. There's a policy setting to remedy that
(this is straight from my own notes, so adjust as needed, but I expect you
should be able to find the policy):


Server Manager:  Features → Group Policy Management → Forest: AD forest →
Domains → Group Policy Objects → Group Policy: All Workstations → Edit →
Computer Configuration → Policies → Windows Settings → Security Settings →
Local Policies → Security Options → Domain member: Maximum machine account
password age = 999

Comment: This policy is required for workstations with Deep Freeze
installed. If a workstation that is a domain member remains frozen longer
than this setting, then it will lose its connection to the domain until the
machine account password is reset.


I can try to export the Win2008 group policy and e-mail it directly to you,
if you like. You can then import it and sort through what I've done.

2: I've not done this myself, but it seems you might have some options
here. You could make the DF installations stand-alone and not centrally
managed. Or, in my own typical WiFi setup, the access points (WAPs) don't
actually hide the wireless devices behind Network Address Translation
(NAT). The WAPs themselves don't provide DHCP, DNS, or any services to the
wireless devices, nor do they hide the wireless devices behind NAT. It's as
if the wireless devices are hard-wired to the network. The WAPs (and all of
the devices wirelessly connected to them) are behind a firewall, which
isolates them from all other wired devices and the Internet. DHCP, DNS,
etc. are provided by the firewall. In that vein, permitting the DF clients
to access the DF server console should be just a matter of creating the
appropriate firewall exceptions.


3: I have no experience with PCReservation, but if session reset isn't
working correctly, perhaps you could set a scheduled task in Windows to
auto reboot x number of minutes after idle. That's what I've done on the
patron computers at the library I mentioned in #1. After a machine sits idle
for 15 minutes, a one-minute warning pops up and then, if still idle, the
computer reboots. DF resets it and it's ready for the next patron.


HTH,
Chad



______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*


On Wed, Feb 13, 2013 at 10:35 AM, Mann, James H. <JMann at gcpl.lib.oh.us> wrote:

> GCPL is at long last going to deploy Win 7 public computers and move away
> from Steady State to Deep Freeze.
>
> I have two areas that I’d appreciate some help with:
>
> 1. Could anyone share how they locked down the computer using
> either local policies or group policies prior to locking it down with Deep
> Freeze?
>
> 2. Could anyone who is using wireless for circulating laptops
> explain how they got Deep Freeze to work through the wireless access point?
>
> And finally, is anyone having any luck with having PCReservation restart
> public computers between sessions?
>
> TIA
>
> Jim Mann
> Technology Coordinator
> Greene County Public Library
> 76 E. Market St
> Xenia OH 45385
> 937 352 4000 x1210
> Discover. Learn. Grow. <http://www.greenelibrary.info/>
> jmann at gcpl.lib.oh.us
>
> _______________________________________________
> OPLINTECH mailing list
> OPLINTECH at lists.oplin.org
> http://lists.oplin.org/mailman/listinfo/oplintech
> Search: http://oplin.org/techsearch
>
>
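
The following is an added example, not part of Chad's message or his notes: a read-only PowerShell check for the "Domain member: Maximum machine account password age" setting he describes, run on a frozen workstation to confirm the policy actually landed and the domain trust is intact. It assumes the policy is stored in the standard Netlogon registry values and uses 999 as the expected age only because that is the value quoted in the message.

```powershell
# Added example (not from the original message): read-only audit of the
# machine account password settings on a frozen, domain-joined workstation.
# Written for PowerShell 2.0 so it runs on a stock Windows 7 install.
$NetlogonKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ExpectedMaxAge = 999   # days; the value quoted in the message, adjust to your GPO
$DefaultMaxAge  = 30    # Windows default when the policy is not configured

function Get-NetlogonValue([string]$Name) {
    $item = Get-ItemProperty -Path $NetlogonKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

$maxAge = Get-NetlogonValue 'MaximumPasswordAge'
if ($maxAge -eq $null) { $maxAge = $DefaultMaxAge }
$changeDisabled = ((Get-NetlogonValue 'DisablePasswordChange') -eq 1)

$inDomain  = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
$channelOk = $false
if ($inDomain) {
    # Test-ComputerSecureChannel verifies the trust with a domain controller;
    # it fails once the local and AD copies of the machine password diverge.
    try   { $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { $channelOk = $false }
}

$findings = @()
if (-not $inDomain) {
    $findings += 'Not a domain member; the policy does not apply.'
} elseif (-not $channelOk) {
    $findings += 'Secure channel broken; thaw the machine and reset its account password.'
}
if (-not $changeDisabled -and $maxAge -lt $ExpectedMaxAge) {
    $findings += "MaximumPasswordAge is $maxAge days; a freeze longer than that risks a domain drop."
}

New-Object PSObject -Property @{
    Computer               = $env:COMPUTERNAME
    DomainMember           = $inDomain
    MaximumPasswordAgeDays = $maxAge
    PasswordChangeDisabled = $changeDisabled
    SecureChannelOk        = $channelOk
    Findings               = ($findings -join ' ')
} | Format-List

if ($findings.Count -gt 0) { exit 1 }
```

With the age set to 999 days the machine account password is effectively static, so the copy stored in the frozen image stays valid for that whole period; factor that into how the image and its backups are protected.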