Windows PCs

Summary

• one admin account
• one shared/public user account (MakeItZone)
• admin account on boot drive
• shared account has all libraries moved to second drive/partition
• data/scratch disk is mapped as Z:\
• the MakeItZone user has a public directory on the sharedluggage NAS mounted as P:\
• users can mount their own share from the luggage NAS
• added a login notification re being a shared computer

Backup & Restore

OS

• only boot drive/partition (OS + admin account) are backed up
• backup’s using Veeam
• backed up to NAS Backups datastore
• Restore not tested yet(!)

User Profiles

• Tried Win 10 Advanced System Settings->Profiles; copy option is not available
• Tried Win 7 backup, configured to only back up MakeItZone profile
  • restore failed to work; didn’t copy user registry hive.
  • complete pain to disable; have to manually remove scheduled tasks and remove registry entries
• pseudo backup: common short-cuts, etc can be saved on a shared drive and copied back
• restore/cleanup: delete files/copy templates, remove and recreate account
  • will have to update permissions for Z:\users\MakeItZone
  • will have to reinstall apps that install into Users profile (eg Fusion 360 default install is per user.)

Implementation Notes

Moving User Accounts to Second Partition/Drive

Windows (10+?) may break if User directory, or a user’s home directory, is moved and (hard) linked.

Recommended process is to move the location of all the ‘libraries’ (My Documents, Downloads, etc.)

1. Create a destination directory, e.g. Users
2. Correct/adjust it’s security settings to be similar to C:\Users (right click->properties->security)

• otherwise users will be able to see data of every user account
• will need to use the advanced security settings to disable/control permission inheritance

3. Create sub-directory/directories for each user that will have their libraries moved
4. Adjust each sub-directory’s permissions so that only System, Administrators, and that user have full control. No other user/group should have access.
5. login as the user to move
6. In explorer go to c:\users\<User>.
7. Show hidden files.
8. Go into AppData.
9. right click-> properties on each of the folders. If it has a location tab, change the location to your new user directory created above. (Different versions of windows have different parts of the AppData system as libraries…)
10. Repeat the above for every other directory in c:\Users\<user>

Mounting Shares With Different User Credentials from the Same File Server

Windows clients only allow a single user credential for any shares from a given file server.

However, it is based on the DNS name/IP address. You can work around this by setting up aliases for your file server.

Adding a Log in Notice

Used the information from here and here plus an online text to UTF16-LE converter to create:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"="MakeItZone Reminder"
"legalnoticetext"=hex(1):52,00,65,00,6d,00,69,00,6e,00,64,00,65,00,72,00,73,00,3a,00,0d,00,0a,00,2d,00,20,00,74,00,68,00,69,00,73,00,20,00,69,00,73,00,20,00,61,00,20,00,73,00,68,00,61,00,72,00,65,00,64,00,20,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,21,00,0d,00,0a,00,2d,00,20,00,75,00,73,00,65,00,20,00,49,00,4e,00,43,00,4f,00,47,00,4e,00,49,00,54,00,4f,00,20,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,61,00,6e,00,64,00,20,00,6d,00,61,00,6b,00,65,00,20,00,73,00,75,00,72,00,65,00,20,00,79,00,6f,00,75,00,20,00,6c,00,6f,00,67,00,20,00,6f,00,75,00,74,00,20,00,6f,00,66,00,20,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,0d,00,0a,00,2d,00,20,00,63,00,6c,00,65,00,61,00,6e,00,20,00,75,00,70,00,20,00,66,00,69,00,6c,00,65,00,73,00,0d,00,0a,00,2d,00,20,00,66,00,69,00,6c,00,65,00,73,00,20,00,77,00,69,00,6c,00,6c,00,20,00,62,00,65,00,20,00,64,00,65,00,6c,00,65,00,74,00,65,00,64,00,0d,00,0a,00,2d,00,20,00,6b,00,65,00,65,00,70,00,20,00,79,00,6f,00,75,00,72,00,20,00,66,00,69,00,6c,00,65,00,73,00,20,00,6f,00,6e,00,20,00,61,00,20,00,55,00,53,00,42,00,20,00,73,00,74,00,69,00,63,00,6b,00,2c,00,20,00,6f,00,6e,00,6c,00,69,00,6e,00,65,00,20,00,73,00,74,00,6f,00,72,00,61,00,67,00,65,00,2c,00,20,00,6f,00,72,00,20,00,6f,00,75,00,72,00,20,00,4e,00,41,00,53,00,0d,00,0a,00,00,00

Ideas

• a guest account that is destroyed on logout, and to create system accounts if/as needed
• login banner

Deprecated

RebootRestoreRX

An excellent program, but a little heavy for our situation- especially as any updates to apps or windows have to be done with it disabled (and then update the baseline image when re-enabling.)

Windows VMs

• baseline backed up or snapshot used, unless short term throw away instance

Managing Windows Activation

E.g. to create a baseline VM that is deployed ready to be activated (licensed) for use.

How to Geek: How to Use Slmgr to Change, Remove, or Extend Your Windows License.

Research

• modifying default profile via CopyProfile- https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile
• remove local profile at logoff- https://getadmx.com/?Category=Vmware_UEM_FlexEngine&Policy=VMwareUEM.Policies.FlexEngine.Advanced.8.6::RemoveLocalProfileAtLogoff
• creating mandatory profiles on windows 10
• Create a Guest Account in Win10
• mandatory vs local profiles on win10
• Change Login Screen Background on win 10
• Group Policy in Windows
• create local mandatory profile
• manage win 10 start and taskbar layout
• create mandatory user profiles
• setting win 10 machine to wipe after each logout
• log off after idle
• even if not activated, can change windows 10 desktop and lock screen images via photos app. Download and open the image, then use the options in the ‘…’ menu.
  • suspect changing lock screen image for default profile will also change the default image