Here in Nebraska we’re going to be giving grants to give libraries who don’t already offer public access WiFi a Linksys WiFi router and a choice between a Dell laptop and a Samsung Q1. The question I have deals with how I should set up the laptops/Q1s. Before I describe the options, keep the following in mind: a) They both run Vista. b) The fact that one’s a UMPC and one’s a traditional laptop is irrelevant. (At least I think the hardware is irrelevant. If you think it isn’t, please explain.) and c) The computers will be made available for public use. So, which would you choose?
Option #1
Set up a staff account with admin privileges and a public account as a standard user. This way the staff can run updates and change settings and the public can’t alter anything.
Option #2
Have just one user account but install Windows SteadyState so that no matter what the public does, a reboot solves everything. To make changes permanent the staff would just need to turn off SteadyState first.
I have my opinions but I’m trying to see if I’ve missed anything. What do you think?
Why not do both together?
Why would I do both? In that case users would log in and not be able to change anything and it would reset on reboot. If they can’t change anything, what’s to reset at reboot?
Bookmarks, getting rid of documents saved on the desktop, getting rid of temporary files, and much more. We have the equivalent of both on our public machines and public laptops using Deep Freeze. A reboot restores the machines to the clean state using. An administrative login allows for updates and control of settings. There may at times be an unexpected need for an administrative login as well. Not everything is predictable.
Good point on the bookmarks but then why have two logins? Why not just let the public do whatever by giving them admin access and then undo it all on a reboot. In other words: why prevent them from doing things if everything is undoable. (This is what we do in our lab.)
I’m skeptical about everything being undoable.
Even if everything is undoable, they can use admin priv. to install software, scan your network, hack other PCs, etc.
So make sure the network is secure if you are going to allow PCs with admin priv.
I would agree about giving your users admin rights and then allowing a clean reboot afterward. Windows offers programs as well. (It even causes problems for me when I need to adjust something and forget to allow the change for the next restart.) If you are doing laptop check-out, the public wouldn’t have enough time to do something truly malicious to the laptops (like downloading Limewire and downloading a bunch of bad files.)
Generally, I lean towards letting them do what they want and cleaning it up afterward if you can do the clean reboot. Doing the power user thing doesn’t work out that well. I have experimented with both and patrons don’t really do many bad things with the laptops with admin privileges, but the power user laptops are never touched. It is too much set-up and fussing around and you don’t get what you want.
Hope that helps.
I can’t believe people are suggesting setting up the user account with administrator rights. Giving public users administrator access is just stupid.
What would stop them from uninstalling/deleting SteadyState, Deep Freeze or any other restoring software you install? There would be nothing stopping them from disabling SteadyState, installing a keylogger or some other information logger, then re-enabling SteadyState. Then they return the laptop and come back next week to retrieve all the previous users’ personal logins to their email accounts, bank accounts, etc.
Ask any real system administrator and you’ll get the same response…NEVER give any public user administrator rights. You’ll be asking for trouble. And when someone finds out their identification has been stolen because you gave admin rights to public users you’ll be talking to their lawyers.
Scuba Steve,
Thanks for your comment as it reminded me to write a follow-up post about the decision that was made regarding this situation. You can find it here.