We're a small college, where every student is assigned an Active Directory account. We have a couple computer labs where the machines are all joined to the domain and students can log in to any machine. Over the course of a semester, most students will log in to most machines.
In the past, under Windows XP, we have managed this using the old Copy Profile functionality, along with a product called Deep Freeze, such that profiles are effectively cleaned up automatically. A lot of schools have used this technique successfully for a long time.
Unfortunately, Windows 7 breaks all this. We can no longer use the Copy Profile feature to prepare template profiles for the workstations. Group Policy could work for setting up the machines, and this is the official method for handling the problem. Unfortunately, this doesn't work as well, for two reasons. The first is that Group Policy is nowhere near as friendly for setting up the profile tweaks. We can't move as quickly on changes we want to make, and some things can only be done to the machine before running sysprep (which would require more frequent re-imaging of the entire OS). The result is that we end up with a less-polished desktop experience.
We could bite the bullet on that first issue, but the second issue is that all the group policy settings result in incredibly slow login times when used in conjunction with Deep Freeze, because you have to re-apply nearly all the GP tweaks with every login. Windows 7's improved security features over XP (namely UAC) allow me to feel comfortable trying a semester without Deep Freeze... except that we'd still end up with hundreds of user profile accounts on each machine by the end of each semester, and that's after putting in more work to get group policy set up to produce a diminished result.
So are there any suggestions for better ways to approach this problem?
We want to do things like map the documents libraries to network shares, set a default wallpaper, add specific shortcuts to the bookmarks toolbars in IE and Safari (we deploy Safari because we have a 1:1 iPod Touch program and need iTunes as well), and lots of other tweaks to these public workstations. We want to be able to do it quickly, where we can get good feedback on the results of a change, and we need to do it so that hundreds of users can log in with their Active Directory credentials. We've gone down the roaming profile path in the past, and that's not really a good option either.
Currently our domain controllers are still running Server 2003, and we'd also much rather use CloneZilla than sysprep to handle imaging the machines.
I'm also reluctant to use group policy simply as a matter of workflow. When we could use template profiles, if you found something you wanted to change you just logged in as the correct user, changed it, logged out, and the change would be applied the next time we updated the machines. Now we have to hunt down the right GP setting, if it even exists. It could take more than an hour to complete what used to be a five minute thing.
Have you used group policy preferences before? We use GPP and it works fantastic. We have a TON of settings that we deploy and it applies fast. The nice thing about GPP is it can be used to set defaults (for example the default home page) and NOT reapply once initially set. You can do things like custom reg entries, file copies, mapped drives/printers, desktop backgrounds, etc. Pretty much anything.
Secondly, login scripts combined with GPP are another nice option. There may be more complex things you need to do (for example with us, we needed to load an Office plugin in Excel) that a script is better suited for.
I would simply suggest Googling "group policy preferences".
One more bit that I forgot about: if you want software to manage this, the solution you might be interested in is a technology called "User Virtualization". The following two companies have a popular product.
What you really should do is deploy VDI, e.g. Citrix XenDesktop. In the typical configuration each user gets a virtual machine which is reset to a pristine state at logoff. The VM image is being streamed via "Provisioning Services" from one single master image, which is the only thing you need to touch when you want to change the user environment. As a bonus you get easy versioning and rollback because the master image is stored in multiple versions. Make a change and roll back easily if it does not work out.
Implementing VDI is not trivial, though, and needs some time, although Citrix tries to make it look simple.
I'm curious about this one as I do consulting for a school and have settled on group policy. Group Policy with Server 2008 R2 and Windows 7 clients can manage the settings you mention; if login times are long it is possibly due to network or server performance issues that can be fixed with good network and server design.
Group policy can sometimes seem like it takes a long time to change a setting.
I've found a few things to get this to work faster. One is to create a PowerShell script that replicates changes between logon servers on command. The other is to create a script that forces a remote gpupdate /force on machines. So you make your changes, run the replication script, then run the gpupdate script. Then the user does a restart or log off (depending on the settings, some take a restart or two).
I'm wondering if your network shares are up to the performance impact of lots of users' Docs directories? Do you have a good enterprise network administrator who can make sure your switching and routing design is solid? I've seen school labs with 60 machines, filled with students trying to watch YouTube, on a 10/100 uplink to the core network.
Deep Freeze certainly sounds like it could have performance implications; I'm wondering if MS Steady State is better?
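The replicate-then-refresh workflow described in the answer above, as an added PowerShell sketch that is not the poster's own script. The DC name and OU are hypothetical placeholders, and it assumes the RSAT ActiveDirectory module plus `repadmin` on the admin machine and PowerShell remoting (WinRM) enabled on the lab PCs.

```powershell
# Added example. $SourceDC and $LabOU are hypothetical placeholders.
# Run with an account that is local admin on the lab PCs; it needs no more than that
# for step 3 (replication in step 1 needs rights on the DC).
param(
    [string]$SourceDC = 'dc01.example.edu',          # hypothetical DC where the GPO was edited
    [string]$LabOU    = 'OU=Labs,DC=example,DC=edu', # hypothetical OU holding lab computers
    [int]$ThrottleLimit = 16
)

Import-Module ActiveDirectory

# Step 1: push directory changes from the source DC to its partners.
# /A all partitions, /d identify servers by DN, /e cross site boundaries, /P push.
# This covers the AD half of a GPO; the SYSVOL files replicate separately (FRS/DFSR).
repadmin /syncall $SourceDC /AdeP | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin exited with code $LASTEXITCODE" }

# Step 2: list enabled lab computers and keep those that answer a ping.
$computers = @(Get-ADComputer -SearchBase $LabOU -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty Name)
$online = @($computers | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet })

# Step 3: run gpupdate /force on each reachable machine and capture its exit code.
$results = @()
if ($online.Count -gt 0) {
    $results = @(Invoke-Command -ComputerName $online -ThrottleLimit $ThrottleLimit `
        -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
            # Piping "n" declines any logoff/restart prompt so the session cannot hang.
            'n' | gpupdate.exe /force | Out-Null
            New-Object PSObject -Property @{ ExitCode = $LASTEXITCODE }
        })
}

# Step 4: report per-machine results and anything that never answered.
$results | Sort-Object PSComputerName |
    Format-Table PSComputerName, ExitCode -AutoSize
$answered = @($results | ForEach-Object { $_.PSComputerName })
$missing  = @($computers | Where-Object { $answered -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("No result from: " + ($missing -join ', '))
}
```

Machines listed as missing were either offline or refused the remoting connection; `$remoteErrors` holds the connection errors for the latter.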
You can use Group policies.
With the new GPO available with Windows 7, the GPP (group policy preference), you can set settings as default for a user and then give them the choice to change it. You can push a printer and set it by default, check it as run-once and this policy will only apply one time, giving the end user the possibility to change his default printer.
You can configure settings for IE then import them to the group policy editor.
Setting up default wallpaper and mapping drives are extremely easy with GPP.
As with GPO, preferences can be applied to a system or a user.
You can access GPP from any GPO from Windows 7 and Windows Server 2008 R2. Most of GPP can work on Windows XP if you have the Client Side Extension installed (available on Windows Update).