Windows PCs
Summary
- one admin account
- one shared/public user account (MakeItZone)
- admin account on boot drive
- shared account has all libraries moved to second drive/partition
- data/scratch disk is mapped as Z:\
- the MakeItZone user has a public directory on the shared luggage NAS mounted as P:\
- users can mount their own share from the luggage NAS
- added a login notification re being a shared computer
Backup & Restore
OS
- only boot drive/partition (OS + admin account) are backed up
- backups use Veeam
- backed up to NAS Backups datastore
- Restore not tested yet(!)
User Profiles
- Tried Win 10 Advanced System Settings->Profiles; copy option is not available
- Tried Win 7 backup, configured to only back up MakeItZone profile
  - restore failed to work; didn’t copy user registry hive.
  - complete pain to disable; have to manually remove scheduled tasks and remove registry entries
- pseudo backup: common short-cuts, etc can be saved on a shared drive and copied back
- restore/cleanup: delete files/copy templates, remove and recreate account
  - will have to update permissions for Z:\users\MakeItZone
  - will have to reinstall apps that install into Users profile (eg Fusion 360 default install is per user.)
Implementation Notes
Moving User Accounts to Second Partition/Drive
Windows (10+?) may break if the User directory, or a user’s home directory, is moved and (hard) linked.
Recommended process is to move the location of all the ‘libraries’ (My Documents, Downloads, etc.)
- Create a destination directory, e.g. Users
- Correct/adjust its security settings to be similar to C:\Users (right click->properties->security)
  - otherwise users will be able to see data of every user account
  - will need to use the advanced security settings to disable/control permission inheritance
- Create sub-directory/directories for each user that will have their libraries moved
- Adjust each sub-directory’s permissions so that only System, Administrators, and that user have full control. No other user/group should have access.
- Log in as the user to move
- In explorer go to c:\users\<User>.
- Show hidden files.
- Go into AppData.
- Right click->properties on each of the folders. If it has a location tab, change the location to your new user directory created above. (Different versions of Windows have different parts of the AppData system as libraries…)
- Repeat the above for every other directory in c:\Users\<user>
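The permission steps above can also be scripted and then checked. The following is an added example, not part of the original notes; it assumes the second drive is Z:, the destination directory is Z:\Users, the account is the local MakeItZone user, and that granting the Users group list/traverse on the parent folder only is what "similar to C:\Users" should mean here.

```powershell
# Added example: lock down relocated library folders (run elevated).
# Assumed names: Z:\Users as destination, local account MakeItZone.
$root    = 'Z:\Users'
$user    = 'MakeItZone'
$userDir = Join-Path $root $user

# Well-known SIDs, so localized group names do not matter.
$system = '*S-1-5-18'       # NT AUTHORITY\SYSTEM
$admins = '*S-1-5-32-544'   # BUILTIN\Administrators
$users  = '*S-1-5-32-545'   # BUILTIN\Users

New-Item -ItemType Directory -Path $userDir -Force | Out-Null

# Parent folder: remove inherited ACEs. Users get read/traverse on this folder
# only (no OI/CI flags), so nothing flows down to the per-user folders.
icacls $root /inheritance:r /grant:r "${system}:(OI)(CI)F" "${admins}:(OI)(CI)F" "${users}:(RX)"

# Per-user folder: only SYSTEM, Administrators and the owning user, full control.
icacls $userDir /inheritance:r /grant:r "${system}:(OI)(CI)F" "${admins}:(OI)(CI)F" "${user}:(OI)(CI)F"

# Verify: inheritance must be off and no other principal may hold an ACE.
# /inheritance:r leaves pre-existing explicit ACEs in place, so this check matters.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$ownerSid = ([System.Security.Principal.NTAccount]$user).Translate($sidType).Value
$allowed  = 'S-1-5-18', 'S-1-5-32-544', $ownerSid

$acl   = Get-Acl -Path $userDir
$extra = $acl.Access | Where-Object {
    $_.IdentityReference.Translate($sidType).Value -notin $allowed
}

if (-not $acl.AreAccessRulesProtected) {
    Write-Warning "$userDir still inherits permissions from its parent"
}
if ($extra) {
    Write-Warning "Unexpected principals on ${userDir}:"
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    "OK: only SYSTEM, Administrators and $user have access to $userDir"
}
```

The same verification block is worth re-running after the account is removed and recreated, since the new account gets a new SID and the old ACE no longer refers to it.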
Mounting Shares With Different User Credentials from the Same File Server
Windows clients only allow a single user credential for any shares from a given file server.
However, this restriction is based on the DNS name/IP address used to reach the server. You can work around it by setting up aliases for your file server.
Adding a Log in Notice
Used the information from here and here plus an online text to UTF16-LE converter to create:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"="MakeItZone Reminder"
"legalnoticetext"=hex(1):52,00,65,00,6d,00,69,00,6e,00,64,00,65,00,72,00,73,00,3a,00,0d,00,0a,00,2d,00,20,00,74,00,68,00,69,00,73,00,20,00,69,00,73,00,20,00,61,00,20,00,73,00,68,00,61,00,72,00,65,00,64,00,20,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,21,00,0d,00,0a,00,2d,00,20,00,75,00,73,00,65,00,20,00,49,00,4e,00,43,00,4f,00,47,00,4e,00,49,00,54,00,4f,00,20,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,61,00,6e,00,64,00,20,00,6d,00,61,00,6b,00,65,00,20,00,73,00,75,00,72,00,65,00,20,00,79,00,6f,00,75,00,20,00,6c,00,6f,00,67,00,20,00,6f,00,75,00,74,00,20,00,6f,00,66,00,20,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,0d,00,0a,00,2d,00,20,00,63,00,6c,00,65,00,61,00,6e,00,20,00,75,00,70,00,20,00,66,00,69,00,6c,00,65,00,73,00,0d,00,0a,00,2d,00,20,00,66,00,69,00,6c,00,65,00,73,00,20,00,77,00,69,00,6c,00,6c,00,20,00,62,00,65,00,20,00,64,00,65,00,6c,00,65,00,74,00,65,00,64,00,0d,00,0a,00,2d,00,20,00,6b,00,65,00,65,00,70,00,20,00,79,00,6f,00,75,00,72,00,20,00,66,00,69,00,6c,00,65,00,73,00,20,00,6f,00,6e,00,20,00,61,00,20,00,55,00,53,00,42,00,20,00,73,00,74,00,69,00,63,00,6b,00,2c,00,20,00,6f,00,6e,00,6c,00,69,00,6e,00,65,00,20,00,73,00,74,00,6f,00,72,00,61,00,67,00,65,00,2c,00,20,00,6f,00,72,00,20,00,6f,00,75,00,72,00,20,00,4e,00,41,00,53,00,0d,00,0a,00,00,00
Ideas
- a guest account that is destroyed on logout, and to create system accounts if/as needed
- login banner
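For the .reg file under "Adding a Log in Notice" above, the hex(1) value can be produced and checked locally instead of through an online converter. This is an added example, not from the original notes; the function names, the shortened notice text, and the output file name login-notice.reg are constructed for illustration.

```powershell
# Added example: encode/decode the hex(1) form of "legalnoticetext".
function ConvertTo-RegHex1 {
    param([Parameter(Mandatory)][string]$Text)
    # REG_SZ data is UTF-16LE plus a terminating NUL (the trailing 00,00).
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Text + "`0")
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ','
}

function ConvertFrom-RegHex1 {
    param([Parameter(Mandatory)][string]$Hex)
    # Accept the value with or without the "hex(1):" prefix and with
    # .reg line continuations (backslash + newline).
    $clean = $Hex -replace '^\s*hex\(1\):', '' -replace '[\\\s]', ''
    [byte[]]$bytes = $clean -split ',' | Where-Object { $_ } |
        ForEach-Object { [Convert]::ToByte($_, 16) }
    [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

# Constructed sample text; CRLF separates the lines shown on the login screen.
$notice = "Reminders:`r`n- this is a shared computer!`r`n- clean up files`r`n"

$hex = ConvertTo-RegHex1 $notice

# Round-trip check before anything is written or imported.
if ((ConvertFrom-RegHex1 $hex) -cne $notice) { throw 'hex(1) round trip failed' }

$reg = @(
    'Windows Registry Editor Version 5.00'
    ''
    '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]'
    '"legalnoticecaption"="MakeItZone Reminder"'
    '"legalnoticetext"=hex(1):' + $hex
)
# Version 5.00 .reg files are normally saved as UTF-16LE.
Set-Content -Path .\login-notice.reg -Value $reg -Encoding Unicode
```

ConvertFrom-RegHex1 also accepts the value copied from an existing .reg file, which lets you read back what a notice says before importing it.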
Deprecated
RebootRestoreRX
An excellent program, but a little heavy for our situation, especially as any updates to apps or Windows have to be done with it disabled (and the baseline image then updated when re-enabling).
Windows VMs
- baseline backed up or snapshot used, unless short term throw away instance
Managing Windows Activation
E.g. to create a baseline VM that is deployed ready to be activated (licensed) for use.
How to Geek: How to Use Slmgr to Change, Remove, or Extend Your Windows License.
Research
- modifying default profile via CopyProfile - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile
- remove local profile at logoff - https://getadmx.com/?Category=Vmware_UEM_FlexEngine&Policy=VMwareUEM.Policies.FlexEngine.Advanced.8.6::RemoveLocalProfileAtLogoff
- creating mandatory profiles on windows 10
- Create a Guest Account in Win10
- mandatory vs local profiles on win10
- Change Login Screen Background on win 10
- Group Policy in Windows
- create local mandatory profile
- manage win 10 start and taskbar layout
- create mandatory user profiles
- setting win 10 machine to wipe after each logout
- log off after idle
- even if not activated, can change windows 10 desktop and lock screen images via photos app. Download and open the image, then use the options in the ‘…’ menu.
- suspect changing lock screen image for default profile will also change the default image