Problem Authenticating Network Users

aceman817

Senior member
Jul 15, 2001
204
0
0
Let me try to make this as simple and clear as possible. I work part-time at a middle school to help them with their technology. I am about ready to deploy a new Ghost image to a computer lab and have run into a roadblock. The system that will be used to create the image is running Windows XP SP2 and is on a domain with an NT PDC. The system has been configured to sign on to the domain with 3 users: teacher, student, and admin. The teacher sign-on and the student sign-on both need to access different network shares. The teacher sign-on needs to be able to "reauthenticate" the user once signed-in so a teacher can enter their own user name and password to the share. The students need to do the same with their share. It is not practical for me to make the users sign on to the machine itself because some students don't have a sign-on and it would prove too difficult to manage. The same is true for the teachers. I can map the drive the old-fashioned way by choosing the option to "connect as a different user", but that is not practical. I'm wondering if there is a way to ask for the individual's name in the batch file or if there is a program that can "reauthenticate" once in Windows. I hope this is clear. Any help is greatly appreciated.
 

GeekDrew

Diamond Member
Jun 7, 2000
9,099
19
81
Whoa... good luck, buddy. I'd personally set up new user accounts for everybody, and assign appropriate permissions. That would be far easier than what appears to be the rather confusing method you've indicated above.
 

aceman817

I plan to have user accounts for all the teachers and all the students, but it poses problems if they log on to the machine directly. For starters, it has to set up the environment and comes up with the Windows XP Tour Balloon when a new user logs on to the machine. Then many of the programs, such as Office 2003, need to go through a quick initialization process before opening. There are many other settings, such as a proxy in Internet Explorer, that would have to be set for each user as well. Therefore, it seems like it would be easier to just "reauthenticate" the users once they are signed-in. I know it can be done because it is possible to do it manually by going to "Map Network Drive" and choosing "Connect using a different user name." I also think it is possible to do it at a command line using the user switch with the desired username and password. So, if I can find a way for the batch file to prompt for a username and password, then I should be able to do it that way.
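
The prompt-then-map approach asked about in the post above, as an added example that is not part of the original thread. The server `FILESRV`, share `Teachers`, domain `SCHOOL` and drive letter `T:` are assumptions; the `*` in place of a password makes `net use` ask for it without echoing it or leaving it in the script.

```bat
@echo off
rem Added example: map a share under a personal account while the workstation
rem stays logged on with the shared "teacher" or "student" account.
rem Assumed names (not from the thread): FILESRV, Teachers, SCHOOL, T:
setlocal
set "SERVER=FILESRV"
set "SHARE=Teachers"
set "DOMAIN=SCHOOL"
set "DRIVE=T:"

rem Drop any mapping left behind by the previous person at this machine.
net use %DRIVE% /delete /y >nul 2>&1

:ask
set "NETUSER="
set /p "NETUSER=Network user name: "
if not defined NETUSER goto ask

rem Accept only letters, digits, dot and underscore. The value is checked
rem through "set" so it is never expanded on a command line before it has
rem been validated (no injected switches, quotes or shell metacharacters).
set NETUSER | findstr /r /x /c:"NETUSER=[A-Za-z0-9._][A-Za-z0-9._]*" >nul
if errorlevel 1 (
    echo Only letters, digits, "." and "_" are allowed.
    goto ask
)

rem "*" makes net use prompt for the password with echo off.
rem /persistent:no keeps the mapping from being restored at the next logon.
net use %DRIVE% "\\%SERVER%\%SHARE%" * /user:%DOMAIN%\%NETUSER% /persistent:no
if errorlevel 1 (
    echo Could not connect %DRIVE% as %DOMAIN%\%NETUSER%.
    exit /b 1
)

echo %DRIVE% is connected as %DOMAIN%\%NETUSER%.
echo Run "net use %DRIVE% /delete" before leaving the machine.
exit /b 0
```

Windows refuses a second connection to the same server under different credentials (system error 1219), so the shared logon must not already hold a connection to that server. The mapping lasts until it is deleted or the shared account logs off, so the next person at the keyboard inherits it unless it is removed.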
 

GeekDrew

Originally posted by: aceman817
I plan to have user accounts for all the teachers and all the students, but it poses problems if they log on to the machine directly. For starters, it has to set up the environment and comes up with the Windows XP Tour Balloon when a new user logs on to the machine. Then many of the programs, such as Office 2003, need to go through a quick initialization process before opening. There are many other settings, such as a proxy in Internet Explorer, that would have to be set for each user as well. Therefore, it seems like it would be easier to just "reauthenticate" the users once they are signed-in. I know it can be done because it is possible to do it manually by going to "Map Network Drive" and choosing "Connect using a different user name." I also think it is possible to do it at a command line using the user switch with the desired username and password. So, if I can find a way for the batch file to prompt for a username and password, then I should be able to do it that way.

You do realize that you can take care of every single one of those issues by using group policy and login scripts, right?
 

aceman817

How would I go about doing it with group policy and logon scripts? Presently we are using a program called 1st Security Agent from softheap.com to restrict access to specific users on the system. It is very flexible. We can lock down the control panel, prevent access to changing settings in the control panel, and much more. Can this be done another way? Also, is there an easy way to roll out updates to the workstations without having to go to each machine directly, turn off security, and perform the needed work? We are also using a piece of security software called "Deepfreeze" from faronics.com which makes sure that any changes to the workstation are undone with a single reboot of the machine.
 

GeekDrew

Originally posted by: aceman817
How would I go about doing it with group policy and logon scripts? Presently we are using a program called 1st Security Agent from softheap.com to restrict access to specific users on the system. It is very flexible. We can lock down the control panel, prevent access to changing settings in the control panel, and much more. Can this be done another way? Also, is there an easy way to roll out updates to the workstations without having to go to each machine directly, turn off security, and perform the needed work? We are also using a piece of security software called "Deepfreeze" from faronics.com which makes sure that any changes to the workstation are undone with a single reboot of the machine.

Which version of NT are you using as your domain controller? NT4, 2000, 2003?

What exactly do you mean by "restrict access to specific users on the system"? Isn't that what a domain controller is used for? :confused:

Deepfreeze makes things infinitely more complex, or so I'm told. I've never used it, but I've heard of it being wildly popular in education environments. I just used group policy to lock down users as needed. ;) And if someone managed to do something they shouldn't have... it only takes a couple of minutes to redeploy a fresh image of a machine.
 

aceman817

We are using NT 4.0 as the domain controller. We also have a Windows 2000 server on the network as well. The county doesn't let us use the 2000 server as the domain controller because I think it will "try to take over the network" or something. I don't think the NT 4.0 server even has any service packs. I will check into that problem soon. Anyhow, I meant that the 1st Security Agent software secures the workstations by restricting access to resources like the control panel, changing any settings in Internet Explorer, disabling the right-click and much more. It is a standalone, independent program that is included in our Ghost images. I don't know why people think that Deepfreeze is "infinitely more complex." It is a great piece of software that works seamlessly for us. The enterprise edition also allows us to "thaw" or "freeze" workstations remotely. We can remotely start them too with WOL. Without Deepfreeze, we would spend every day imaging some systems around campus. It is a middle school and community school together with over 300 workstations in the classrooms and computer labs alone. This doesn't include Macs or laptops.
 

GeekDrew

Originally posted by: aceman817
We are using NT 4.0 as the domain controller. We also have a Windows 2000 server on the network as well. The county doesn't let us use the 2000 server as the domain controller because I think it will "try to take over the network" or something. I don't think the NT 4.0 server even has any service packs. I will check into that problem soon. Anyhow, I meant that the 1st Security Agent software secures the workstations by restricting access to resources like the control panel, changing any settings in Internet Explorer, disabling the right-click and much more. It is a standalone, independent program that is included in our Ghost images. I don't know why people think that Deepfreeze is "infinitely more complex." It is a great piece of software that works seamlessly for us. The enterprise edition also allows us to "thaw" or "freeze" workstations remotely. We can remotely start them too with WOL. Without Deepfreeze, we would spend every day imaging some systems around campus. It is a middle school and community school together with over 300 workstations in the classrooms and computer labs alone. This doesn't include Macs or laptops.

It has been many years since I've used a network using an NT4 domain... I can't remember what all is available there, but I know that it can't do nearly what 2000/2003 can do. ;)

You say that DeepFreeze doesn't make things any more complex, but I see the opposite side of the argument... that it's not necessary, and having it there adds complexity. I used to be a network administrator in public education, managing upwards of a thousand machines on our primary WAN, and another thousand or so on our auxiliary networks. I've just never needed DeepFreeze for anything... that's why I don't have much experience with it.

Sorry for having sidetracked your thread. I see you as doing things much harder and more complex than necessary, but if you're required to use NT4, then I can't give you any better advice.
 

aceman817

Alright. Thanks for trying to help. Maybe someone else with experience in NT 4 domains can chime in here.