Managing the Windows desktop estate: Your view

Some things in life, it is often considered, should ‘just work’ - and so it is for the desktop and laptop PCs (the majority running Windows) that are in general use across organisations of all sizes. Pity the poor person who has to keep these facilities running, often in the face of complete disinterest from the users themselves …


  1. Inachu

    My ultimate setup.

    I use the profiles not for different users but to perform different functions.

    So I have a:

    WORK profile

    Gaming profile

    Web browsing profile

    Research profile

    This way I keep my mind focused on the task at hand for what I want to accomplish without being distracted by different items on the desktop that may tempt me to do something unrelated.

    So that is my ULTIMATE DESKTOP SETUP......

    Thank you!


  2. Pete 2 Silver badge

    disable everything

    It's a work tool, not a plaything.

    No external devices - apart from those supplied by the company (which should only really be a network cable, power cable, mouse, keyboard, monitor and maybe some sort of biometric security device).

    No USB ports

    No CD / DVD drives

    No media slots

    No user accessible WiFi

    No audio of any kind

    No bluetooth

    and definitely no internet access

    You never know, with a config like that some people might actually spend their days working.

  3. BillboBaggins
    Big Brother


    "and definitely no internet access"

    And how did you post this during work time?!

  4. Geoff Mackenzie

    W, as they say, TF?

    1.7 To what degree have netbooks started to be deployed as a fully supported piece of kit?

    Extensive deployment

    Some deployment

    Little or no deployment

    1.8 To what degree have netbooks started to be deployed as a fully supported piece of kit?

    Already happening quite a bit

    A few users are doing this

    Not aware of any significant activity

  5. Daniel 1

    Yeah, I'm wondering about 1.7 and 1.8, too

    It's a no, for both, anyway.

  6. Jon Collins

    1.7 and 1.8

    Well spotted - and sorted, thanks!

  7. Bruce 9

    XP Power Users + logon scripts + AV

    Make your users less than admins. Power users seems to work.


    Logon scripts that check for latest DATs. Force load if necessary. Shutdown if it can't be forced.

  8. KarlTh

    Power users?

    Stuff that; they shouldn't be able to install anything. Make them users and nothing more. No user should have an account that can write to %systemroot% or %programfiles% or anything under HKLM in registry. That's your job as an admin, as is making software which assumes the user has more rights than that work for standard users. It always can be.

    DATs should not rely on logon scripts; that's what the AV vendors' management suites are for. Ditto Windows updates - turn it off and use SMS or WSUS. That way you have control over what goes on.
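    As an added illustration of the rule KarlTh states (editorial example code, not something posted in the thread): the script below audits whether any principal that every non-admin user belongs to has write, delete or permission-change rights on %SystemRoot%, %ProgramFiles% or HKLM\SOFTWARE. It assumes Windows PowerShell 5.1 or later; the target list and principal list are assumptions you would adjust for your estate.

```powershell
# Added example, not from the thread. Reports ACEs that give ordinary users write,
# delete or ACL-change rights on the locations named above. Assumes Windows
# PowerShell 5.1 or later; run elevated so that every ACL can be read.

$FS  = [System.Security.AccessControl.FileSystemRights]
$REG = [System.Security.AccessControl.RegistryRights]

# Principals that every interactive, non-admin user belongs to (assumed list).
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', 'Everyone')

# Bits that let a caller change content, delete it, or rewrite its ACL. Modify and
# FullControl are supersets of these, so the mask catches them as well. The two
# generic bits (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) show up on some
# inherit-only ACEs and count too.
$FsWriteMask  = [int]$FS::WriteData -bor [int]$FS::AppendData -bor [int]$FS::Delete -bor
                [int]$FS::ChangePermissions -bor [int]$FS::TakeOwnership -bor
                0x10000000 -bor 0x40000000
$RegWriteMask = [int]$REG::SetValue -bor [int]$REG::CreateSubKey -bor [int]$REG::Delete -bor
                [int]$REG::ChangePermissions -bor [int]$REG::TakeOwnership -bor
                0x10000000 -bor 0x40000000

function Get-StandardUserWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('File', 'Registry')][string]$Kind
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if ($Kind -eq 'File') {
            $rights = [int]$rule.FileSystemRights; $mask = $FsWriteMask
        } else {
            $rights = [int]$rule.RegistryRights;   $mask = $RegWriteMask
        }
        if (($rights -band $mask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $rule.IdentityReference.Value
                Rights    = $(if ($Kind -eq 'File') { $rule.FileSystemRights } else { $rule.RegistryRights })
                Inherited = $rule.IsInherited
            }
        }
    }
}

# The three locations named in the post. No output means no broad principal can write there.
$targets = @(
    @{ Path = $env:SystemRoot;   Kind = 'File' },
    @{ Path = $env:ProgramFiles; Kind = 'File' },
    @{ Path = 'HKLM:\SOFTWARE';  Kind = 'Registry' }
)
$findings = foreach ($t in $targets) { Get-StandardUserWriteAccess -Path $t.Path -Kind $t.Kind }
$findings | Format-Table -AutoSize
```

    The check is deliberately non-recursive: a handful of subfolders under %SystemRoot% (Temp, for one) are writable by design, so run it over subdirectories with Get-ChildItem -Recurse only if you are prepared to triage those. Where a legacy application genuinely needs to write under %ProgramFiles%, the fix is a narrow grant on that application's own data folder, not an ACE on the parent.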

  9. Henry Wertz 1 Gold badge

    I've "put it back in the box"

    "We’ve had your stories about the kind of calls you may have had from your user base, for some of whom the best advice can only be: “Put it back in the box, because you are clearly too stupid to actually use a computer.”"

    I've actually done that. We had someone who just kept hounding us because their web pages printed too big. We sell surplus computers, they are very inexpensive, they are tested but there is no tech support and a 1 week warranty against DOA. Well, he just kept calling -- he set the size to like 150% or so onscreen and was all shocked it printed big too. I say "So set it to 100%, print it, then make it big again". "Oh I can't POSSIBLY do that, you have to solve it." "Umm, no I don't, we sell surplus computers as-is, we don't provide tech support". Finally I had him bring it in and just stuck it behind the counter -- "You wouldn't quit calling, you can have a store credit NOT FOR A COMPUTER, or a refund check."

    My solution? We do not sell computers with Windows any more. Ubuntu? I get the question "What is the username and password" (despite there being a sticker on the front). I tell them the username and password. I don't get other odd tech-support questions any more.

  10. John Sanders
    Paris Hilton


    No admin rights of any kind, not even power user.

    Anything that goes beyond opening Word, writing a letter or browsing is forbidden without admin approval.

    We're not bastards, if anyone needs a tool we try to find a suitable one and we will maintain it, but the less the users decide or do on their own the better for the network.

    Draconian scripts configure every inch of the computer to match work specifications.

    Virus free and stupid free. Of course from time to time a loose windows box has an issue, backup user data, delete user profile, restore user data, there you go.

    Paris because she knows work computers are just for work and not for fancy stuff.

  11. Anonymous Coward


    You store Personal & Credit Card Data - Security? You mean, the sticker on the server in case we forget the password - it works most of the time.

  12. This post has been deleted by its author

  13. mmiied


    ""and definitely no internet access"

    And how did you post this during work time?!""

    it is called an admin account and password and it is wonderful

  14. Pawel 1

    @Power Users?

    You guys do remember that Power Users have SE_DEBUG_PRIVILEGE, which means they are essentially local admins (as, using this, they can change the operation of any process, including winlogon or lsass, to run any code they want)?
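    Which groups hold SeDebugPrivilege on a given machine is a User Rights Assignment in the local security policy, so it is worth reading it off the box rather than assuming. The following is editorial example code, not something posted in the thread: it exports the local policy with secedit, resolves the SIDs listed against the named right, and then shows what the current token actually carries. It assumes Windows PowerShell 5.1 or later and an elevated prompt.

```powershell
# Added example, not from the thread. Lists the accounts that hold a given user right
# on this machine by exporting the local security policy with secedit and resolving
# the SIDs it writes. Assumes Windows PowerShell 5.1 or later and an elevated prompt.

function Get-UserRightHolders {
    param([string]$Right = 'SeDebugPrivilege')

    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        # Only the [Privilege Rights] section is needed. secedit writes UTF-16 with a
        # byte-order mark, which Get-Content detects.
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        $pattern = '^{0}\s*=' -f [regex]::Escape($Right)
        $line = @(Get-Content -LiteralPath $inf | Where-Object { $_ -match $pattern })
        if ($line.Count -eq 0) { return }            # right is granted to nobody
        $entries = (($line[0] -split '=', 2)[1]).Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # "*S-1-5-32-544" style entry: a SID. Translate to a name where possible.
                $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                                  -ArgumentList $entry.Substring(1)
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
            } else {
                $entry                                 # secedit sometimes leaves bare names
            }
        }
    } finally {
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    }
}

# Who may open any process, LSASS included, with full access on this box:
Get-UserRightHolders -Right 'SeDebugPrivilege'

# What the current logon token carries (a privilege can be present but disabled;
# "Disabled" here still means the holder can enable it at will):
whoami /priv
```

    Run the same function for SeTakeOwnershipPrivilege, SeRestorePrivilege and SeLoadDriverPrivilege while you are at it: any of them in the hands of a non-admin group is equivalent to local admin.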

  15. nematoad Silver badge
    Big Brother

    Security by weight

    I left the desktop support scene long ago but the best antidote to users opening their boxes was, in my opinion, a 21" CRT monitor. Those beasties weighed a ton and took two people to unpack and put them on top of the desktop-form PCs we had. It would have taken someone with the physique of Arnold Schwarzenegger to lift one of those off to get inside. Pity it was only the CAD department that had them. A lot of grief would have been avoided if all the PCs had been as inaccessible.

  16. Michael C

    Old Hat

    This is not exactly new science here...

    1) users are NOT local admins of their machines

    2) Group Policy locks down nearly every aspect of their machine

    3) centralized security and monitoring, AV cannot be disabled, all patches/DATs auto pushed from central servers.

    4) strict internet controls (monitored access, and only for those who need access). Internet access further protected by a white list.

    5) imaged machines based on roles. Machines are never fixed for a user. If there's an issue, drop another pre-configured machine on their desk and then fix the other one (by starting with re-imaging to eliminate software issues).

    6) users cannot save files locally, period. MyDocuments folder is relocated to a network share through policy or logon scripts.

    7) Strict corporate policies on software used in the company, electronically audited through something like Spiceworks or CA e-audit.

    8) USB ports cannot be booted from, BIOS locked out with a password. No CD-RWs. Additional drives connected will only show up to admins (remove all drives other than C: and D:). Selected users who are approved to move files from the company systems to home systems only do so electronically through a web portal or through Citrix etc. No thumb drives or portable media.

    9) All portable computers use encryption of the whole drive. Hibernate automatically on lid close, and can only be logged onto when a domain connection is available or as local user.

    10) e-mail secured by not less than 2 different filtering technologies (from different vendors). Ability to send/receive e-mail from external sources approved on a per user/department/job role basis only. (most users should not require full e-mail access, only internal e-mail).

    11) No WiFi except in conference rooms, public areas, etc. Even that is either a DMZ zone for guests, or requires MAC address pre-approval and 802.1X authentication.

    It sounds harsh, but we don't go to that extreme. MOST users (except call center folks who are monitored by the minute and simply don't have TIME to surf when on the clock) do have limited internet access, at least to some approved news sites, local banks, and a few other places, so in a spare minute you can get some personal time without having to lug in your own personal computer and a tether-enabled cell phone... We're not cruel, but having a locked in system where users simply can't make changes to computers solves a lot of issues. If they can't store data locally, and their machines are role-based imaged, then if there's an issue, and they call helpdesk, the response is "someone will be by in less than 30 minutes with a replacement machine, let us know if you have trouble after that" or "Yes, we know, that service is currently unavailable, did you not check the self help site and read the service advisory?" Help desk no longer requires technicians, only ordinary call center folks, and desktop support becomes a bunch of untrained computer movers. If there's ever a software issue, all affected machines can be identified by groups and re-imaged across the network (this is rare as the images are thoroughly tested, and software is a few revisions back from the bleeding edge and generally bug free, and patches can 99% of the time be uninstalled successfully if they break something).

    We have 14,000 workstations. We have about 25 people in the workstation helpdesk supporting them all in a central call center, and about 3-4 people at each campus maintaining the hardware. We used to have over 100 people in the helpdesk. If we could only get our SERVERS onto the same process (it's in the works, but quite a bit more complicated as we support over 1000 applications across 3500 servers on 12 different OS platforms...)
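    Item 8 above ("remove all drives other than C: and D:", "no thumb drives") maps onto two Group Policy settings whose registry values are easy to set or verify directly. The following is editorial example code, not something posted in the thread: it builds the NoDrives / NoViewOnDrive bitmask for the letters you want to keep and, optionally, disables the USB mass-storage driver. It assumes Windows PowerShell 5.1 or later, an elevated prompt for the USBSTOR change, and a current-user hive for the Explorer policy (in a real estate the same values would come from a GPO); the function names are mine.

```powershell
# Added example, not from the thread. Writes the registry values behind the
# "Hide these specified drives" / "Prevent access to drives" Explorer policies and
# the USB mass-storage lockout. Assumes Windows PowerShell 5.1 or later; the USBSTOR
# change needs an elevated prompt. Pass -WhatIf to see the changes without making them.

function Get-DriveMask {
    # Bitmask used by the NoDrives / NoViewOnDrive policies: A = bit 0 ... Z = bit 25.
    param([Parameter(Mandatory)][string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $idx = [int][char]::ToUpper([char]$l) - [int][char]'A'
        if ($idx -lt 0 -or $idx -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor (1 -shl $idx)
    }
    return $mask
}

function Set-WorkstationDriveLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$KeepDrives = @('C', 'D'),   # assumed default matching the post
        [switch]$DisableUsbStorage
    )
    $all  = (1 -shl 26) - 1                                 # A..Z = 0x03FFFFFF
    $hide = $all -band (-bnot (Get-DriveMask $KeepDrives))  # keeping C,D -> 0x03FFFFF3

    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if ($PSCmdlet.ShouldProcess($explorer, ('NoDrives/NoViewOnDrive = 0x{0:X8}' -f $hide))) {
        if (-not (Test-Path $explorer)) { New-Item -Path $explorer -Force | Out-Null }
        # NoDrives only hides the letters in Explorer; NoViewOnDrive also refuses to open
        # them. Neither stops cmd.exe or an application from reaching the drive, which is
        # why the USB lockout below is the control that actually matters for removable media.
        Set-ItemProperty -Path $explorer -Name NoDrives      -Value $hide -Type DWord
        Set-ItemProperty -Path $explorer -Name NoViewOnDrive -Value $hide -Type DWord
    }

    if ($DisableUsbStorage) {
        $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        if ($PSCmdlet.ShouldProcess($usbstor, 'Start = 4 (SERVICE_DISABLED)')) {
            # With the driver disabled, a USB disk enumerates but never gets a volume.
            Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
        }
    }
}

# Preview first, then run without -WhatIf once the mask looks right.
Set-WorkstationDriveLockdown -KeepDrives C, D -DisableUsbStorage -WhatIf
```

    Users with a BIOS password and no boot-from-USB (the rest of item 8) close the other half of the gap, since anything set in the registry is moot once someone boots their own OS against the disk; that is also the reason item 9's full-disk encryption belongs on the laptops.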

  17. Anonymous Coward

    @Michael C

    I agree with your list, but would add:

    The apps a user can load are listed in their profile as groups, apps are secured so that the binaries can only be loaded by the person with the applicable security group, and icons are placed into a start menu which is dynamically built by your logon script. This way you can centralise your licence monitoring and easily add a new app with the AD. If you are really flash you can have the apps' binaries installed on a file server so that all parts of the apps that don't change are provided centrally and anyone can logon from anywhere with only the very essential DLLs that have to be on the local machine on it. You do need to have your app binaries servers fairly local though.

    Workstations should shut themselves down at night. If they are required for a patch to be installed they can be WOLed by maintaining a database of mac/ip based on what the DHCP server has.
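    The wake-up step described above, as editorial example code that is not part of the original post: it builds a standard Wake-on-LAN magic packet (six 0xFF bytes followed by the MAC repeated sixteen times) and sends it as a UDP broadcast, taking the MAC list from the DHCP server's lease table via the DhcpServer module rather than a hand-maintained database. It assumes Windows PowerShell 5.1 or later, the DhcpServer RSAT module and read rights on the DHCP server; the server name, scope, hostname pattern and broadcast address are assumptions.

```powershell
# Added example, not from the thread. Wakes workstations for an out-of-hours patch
# window using MAC addresses taken from the DHCP lease table. Assumes Windows
# PowerShell 5.1 or later and, for the lease query, the DhcpServer RSAT module.

function New-MagicPacket {
    param([Parameter(Mandatory)][string]$MacAddress)
    $hex = $MacAddress -replace '[-:\.]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { throw "Bad MAC address: $MacAddress" }
    $mac = New-Object byte[] 6
    for ($i = 0; $i -lt 6; $i++) { $mac[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16) }

    # Magic packet: 6 x 0xFF, then the MAC repeated 16 times. 102 bytes in total.
    $packet = New-Object byte[] 102
    for ($i = 0; $i -lt 6;   $i++) { $packet[$i] = 0xFF }
    for ($i = 6; $i -lt 102; $i++) { $packet[$i] = $mac[($i - 6) % 6] }
    return ,$packet
}

function Send-WakeOnLan {
    param(
        [Parameter(Mandatory)][string[]]$MacAddress,
        [string]$Broadcast = '255.255.255.255',   # use the subnet's directed broadcast
        [int]$Port = 9                            # discard port; 7 is also common
    )
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        $endpoint = New-Object -TypeName System.Net.IPEndPoint `
                               -ArgumentList ([System.Net.IPAddress]::Parse($Broadcast)), $Port
        foreach ($mac in $MacAddress) {
            $packet = New-MagicPacket -MacAddress $mac
            [void]$udp.Send($packet, $packet.Length, $endpoint)
        }
    } finally {
        $udp.Close()
    }
}

# Lease table from the DHCP server. Names and scope are assumptions for this example.
$leases = Get-DhcpServerv4Lease -ComputerName 'dhcp01' -ScopeId '10.1.20.0' |
          Where-Object { $_.HostName -like 'WS-*' }        # assumed workstation naming
$macs   = $leases | Select-Object -ExpandProperty ClientId  # formatted like 00-11-22-33-44-55

Send-WakeOnLan -MacAddress $macs -Broadcast '10.1.20.255'
```

    Two practical notes: most routers drop directed broadcasts, so run this from a host on the same VLAN as the workstations (or one per site), and the NIC has to have wake-on-magic-packet enabled in its driver properties and in the BIOS or the packet is simply ignored. Checking the lease's address-state field before waking avoids sending packets for stale entries.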

  18. Andy 97

    Tail wagging the dog

    Blimey, some of you lot....

    It was my understanding that IT works for the business.


Biting the hand that feeds IT © 1998–2022