MakeItZone Windows Setup

Windows PCs

Summary

  • one admin account
  • one shared/public user account (MakeItZone)
  • admin account on boot drive
  • shared account has all libraries moved to second drive/partition
  • data/scratch disk is mapped as Z:\
  • the MakeItZone user has a public directory on the shared luggage NAS mounted as P:\
  • users can mount their own share from the luggage NAS
  • added a login notification re being a shared computer

Backup & Restore

OS

  • only boot drive/partition (OS + admin account) are backed up
  • backups are made using Veeam
  • backed up to NAS Backups datastore
  • Restore not tested yet(!)

User Profiles

  • Tried Win 10 Advanced System Settings->Profiles; copy option is not available
  • Tried Win 7 backup, configured to only back up MakeItZone profile
    • restore failed to work; didn’t copy user registry hive.
    • complete pain to disable; have to manually remove scheduled tasks and remove registry entries
  • pseudo backup: common short-cuts, etc can be saved on a shared drive and copied back
  • restore/cleanup: delete files/copy templates, remove and recreate account
    • will have to update permissions for Z:\users\MakeItZone
    • will have to reinstall apps that install into the user’s profile (e.g. Fusion 360’s default install is per user)

Implementation Notes

Moving User Accounts to Second Partition/Drive

Windows (10+?) may break if the Users directory, or a user’s home directory, is moved and (hard) linked.

The recommended process is to move the location of all the ‘libraries’ (My Documents, Downloads, etc.):

  1. Create a destination directory, e.g. Users
  2. Correct/adjust its security settings to be similar to C:\Users (right click->properties->security)
    • otherwise users will be able to see data of every user account
    • will need to use the advanced security settings to disable/control permission inheritance
  3. Create sub-directory/directories for each user that will have their libraries moved
  4. Adjust each sub-directory’s permissions so that only System, Administrators, and that user have full control. No other user/group should have access.
  5. Log in as the user to move
  6. In Explorer go to C:\Users\<User>.
  7. Show hidden files.
  8. Go into AppData.
  9. Right click->properties on each of the folders. If it has a location tab, change the location to your new user directory created above. (Different versions of Windows have different parts of the AppData system as libraries…)
  10. Repeat the above for every other directory in C:\Users\<User>
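
The directory creation and permission steps above can be scripted and then checked. The PowerShell below is an added example, not part of the original notes; it assumes the second drive is Z:\ and the account is the local MakeItZone user from the summary, and it must be run from an elevated prompt.

```powershell
# Added example (not from the original notes). Run elevated.
# Assumptions: data drive is Z:\ and the local account is MakeItZone.
$root    = 'Z:\Users'
$user    = 'MakeItZone'
$userDir = Join-Path $root $user
New-Item -ItemType Directory -Path $userDir -Force | Out-Null

# Well-known SIDs avoid problems with localized account names.
$system = '*S-1-5-18'       # NT AUTHORITY\SYSTEM
$admins = '*S-1-5-32-544'   # BUILTIN\Administrators
$users  = '*S-1-5-32-545'   # BUILTIN\Users

# Root: stop inheriting from Z:\. SYSTEM and Administrators get full control
# that flows to children; ordinary users may only list/traverse the root itself.
icacls $root /inheritance:r /grant:r "${system}:(OI)(CI)F" "${admins}:(OI)(CI)F" "${users}:(RX)"

# Per-user folder: stop inheriting from the root, then grant full control
# only to SYSTEM, Administrators and the owning user.
icacls $userDir /inheritance:r /grant:r "${system}:(OI)(CI)F" "${admins}:(OI)(CI)F" "${user}:(OI)(CI)F"

# Verify: report any access entry whose SID is outside the allowed set.
$sidType = [System.Security.Principal.SecurityIdentifier]
$userSid = [System.Security.Principal.NTAccount]::new($user).Translate($sidType).Value
$allowed = 'S-1-5-18', 'S-1-5-32-544', $userSid
$extra = (Get-Acl $userDir).Access | Where-Object {
    $_.IdentityReference.Translate($sidType).Value -notin $allowed
}
if ($extra) {
    Write-Warning "Unexpected access entries on ${userDir}:"
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    "OK: only SYSTEM, Administrators and $user can access $userDir"
}
```

The verification block can be re-run on its own after the account is removed and recreated, since the new account gets a new SID and the old entry will then show up as unexpected.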

Mounting Shares With Different User Credentials from the Same File Server

Windows clients only allow a single user credential for any shares from a given file server.

However, the restriction is based on the DNS name/IP address used to reach the server. You can work around this by setting up aliases for your file server.
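
An added example of the alias approach, not part of the original notes. The alias name luggage-personal, the IP address, the share names and the member account alice are constructed placeholders, not the real setup.

```powershell
# Added example; names and address below are placeholders.
$nasIp = '192.0.2.10'          # documentation-range address standing in for the NAS
$alias = 'luggage-personal'    # hypothetical second name for the same server

# 1. Give the NAS a second name (elevated prompt). A DNS alias record works as well.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($alias)) -Quiet)) {
    Add-Content -Path $hosts -Value "$nasIp`t$alias"
}

# 2. The shared account's public share is mapped through the real name.
net use P: \\luggage\public * /user:MakeItZone /persistent:yes

# 3. A member maps their own share through the alias with their own credentials.
#    Using \\luggage here while P: is connected fails with system error 1219.
#    /persistent:no keeps the mapping from being restored at the next logon.
net use U: "\\$alias\alice" * /user:alice /persistent:no

# 4. Before leaving the shared computer: drop the mapping and confirm that
#    no credentials for the alias were saved in Credential Manager.
net use U: /delete
cmdkey /list | Select-String $alias
```

On a shared account, step 4 matters as much as step 3: a mapping or saved credential left behind is usable by the next person who sits down.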

Adding a Log in Notice

Used the information from here and here plus an online text to UTF16-LE converter to create:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"="MakeItZone Reminder"
"legalnoticetext"=hex(1):52,00,65,00,6d,00,69,00,6e,00,64,00,65,00,72,00,73,00,3a,00,0d,00,0a,00,2d,00,20,00,74,00,68,00,69,00,73,00,20,00,69,00,73,00,20,00,61,00,20,00,73,00,68,00,61,00,72,00,65,00,64,00,20,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,21,00,0d,00,0a,00,2d,00,20,00,75,00,73,00,65,00,20,00,49,00,4e,00,43,00,4f,00,47,00,4e,00,49,00,54,00,4f,00,20,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,61,00,6e,00,64,00,20,00,6d,00,61,00,6b,00,65,00,20,00,73,00,75,00,72,00,65,00,20,00,79,00,6f,00,75,00,20,00,6c,00,6f,00,67,00,20,00,6f,00,75,00,74,00,20,00,6f,00,66,00,20,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,0d,00,0a,00,2d,00,20,00,63,00,6c,00,65,00,61,00,6e,00,20,00,75,00,70,00,20,00,66,00,69,00,6c,00,65,00,73,00,0d,00,0a,00,2d,00,20,00,66,00,69,00,6c,00,65,00,73,00,20,00,77,00,69,00,6c,00,6c,00,20,00,62,00,65,00,20,00,64,00,65,00,6c,00,65,00,74,00,65,00,64,00,0d,00,0a,00,2d,00,20,00,6b,00,65,00,65,00,70,00,20,00,79,00,6f,00,75,00,72,00,20,00,66,00,69,00,6c,00,65,00,73,00,20,00,6f,00,6e,00,20,00,61,00,20,00,55,00,53,00,42,00,20,00,73,00,74,00,69,00,63,00,6b,00,2c,00,20,00,6f,00,6e,00,6c,00,69,00,6e,00,65,00,20,00,73,00,74,00,6f,00,72,00,61,00,67,00,65,00,2c,00,20,00,6f,00,72,00,20,00,6f,00,75,00,72,00,20,00,4e,00,41,00,53,00,0d,00,0a,00,00,00
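
The hex(1) value is UTF-16LE text ending in a null character, so it can be generated locally and, more usefully, decoded for review before a .reg file is imported. The PowerShell below is an added example, not part of the original notes; the function names are made up here, and the decode sample is only the first ten characters of the value above.

```powershell
# Added example; ConvertTo-RegHex1 / ConvertFrom-RegHex1 are hypothetical helper names.
function ConvertTo-RegHex1 {
    param([Parameter(Mandatory)][string]$Text)
    # .reg hex(1) = REG_SZ stored as UTF-16LE bytes with a terminating null.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Text + [char]0)
    'hex(1):' + (($bytes | ForEach-Object { $_.ToString('x2') }) -join ',')
}

function ConvertFrom-RegHex1 {
    param([Parameter(Mandatory)][string]$Value)
    # Drop the type prefix, line-continuation backslashes and whitespace.
    $hex = ($Value -replace '^\s*hex\(1\):', '') -replace '[\\\s]', ''
    $bytes = [byte[]]@($hex -split ',' | Where-Object { $_ } |
        ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($bytes.Length % 2) { throw 'Odd byte count: not valid UTF-16LE' }
    [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

# Decode before importing: the first ten characters of the value above.
$sample = 'hex(1):52,00,65,00,6d,00,69,00,6e,00,64,00,65,00,72,00,73,00,3a,00'
ConvertFrom-RegHex1 $sample

# Build a value line from readable text ("`r`n" is the 0d,00,0a,00 seen above).
$text = "Reminders:`r`n- this is a shared computer!`r`n"
$line = '"legalnoticetext"=' + (ConvertTo-RegHex1 $text)
$line

# Round trip to confirm nothing was lost in the encoding.
if ((ConvertFrom-RegHex1 ($line -replace '^"legalnoticetext"=', '')) -cne $text) {
    throw 'Round-trip mismatch'
}
```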

Ideas

  • a guest account that is destroyed on logout, and to create system accounts if/as needed
  • login banner

Deprecated

RebootRestoreRX

An excellent program, but a little heavy for our situation, especially as any updates to apps or Windows have to be done with it disabled (and the baseline image then has to be updated when re-enabling).

Windows VMs

  • baseline backed up or snapshot used, unless short term throw away instance

Managing Windows Activation

E.g. to create a baseline VM that is deployed ready to be activated (licensed) for use.

How to Geek: How to Use Slmgr to Change, Remove, or Extend Your Windows License.

Research