Content policy?
September 14, 2006 6:06 PM

sysadmin filter: Anyone know a way to enforce data location policy?

Telling users over and over to not keep data on their local drives but instead to leave it on their network drives doesn't seem to be working. Does anyone know of software that would stop certain file types from being written to a local drive?
posted by Cosine to Computers & Internet (10 answers total)
 
You should be able to enforce this with Windows policies in Windows XP Professional and 2000 (dunno about other Windows versions, I believe this will require NTFS). On Unix, this is the default. On Mac OS UNIX it is hopefully still the default.
posted by shepd at 6:16 PM on September 14, 2006


On Unix it's possible to host the local drives on an NFS (or smb for that matter) partition. That would mean that for them it would be local, but you could manage the data better.

However, as usual, since you didn't mention the OS, I'd assume that you are talking about Windows users.
posted by Kickstart70 at 6:19 PM on September 14, 2006


Response by poster: Yeah, sorry, I assumed it would be assumed that these end users would be Windows users.
posted by Cosine at 6:21 PM on September 14, 2006


Deep Freeze, Altiris Protect, Clean Slate, etc.

What you need is disk protection software. You deploy an image, allow local administrator so that users can (and will) install whatever software they like during their session (or, use roaming profiles if applicable) and any content written to the local disk is automatically wiped on logout or reboot. It has a remarkable way of forcing users to use network storage when they continually lose their data.

It's really the only reliable way that's non-intrusive (to a certain extent) to prevent users from using their local drives to store data.

A word of caution though. If you're going to do it, make sure you provide enough network storage space for work-related material. You'll notice a rather sharp spike in network storage space utilization so be prepared.
posted by purephase at 6:43 PM on September 14, 2006


In my experience, users who fail to comply with reasonable requests from sysadmins generally do so not out of bloody-mindedness, but out of sheer ignorance.

There are many users for whom the whole notion of where their data goes is vague and fuzzy - how many times have you asked "where did you save your file?" and been told "In Word!"

If that's what you're fighting, and I suspect it is, you'll fix 80% of your problems just by making sure that My Documents points to a network folder, and that My Documents is the default location for saving things in whatever apps you're using.

You'll fix 80% of the remaining 20% by adapting your policy to fit your users instead of doing things the other way around. This is easier, because there's one policy but many users. So: what are your priorities? What's the main problem the present policy is designed to solve? Are you trying to prevent unauthorized access to data, or are you trying to ensure that backups are made, or are you trying to minimize support requests, or what?

The last 4% of problems are never going to go away whatever you do, so don't sweat those.
posted by flabdablet at 7:11 PM on September 14, 2006


In 2000/XP/2003, edit the user, go to the Profile tab & set their Home Folder to a network drive. I think the network drive has to be mounted first.

Under *nix, mounting /home via NFS isn't really a problem. Just make sure you have the entry in /etc/fstab. The only thing you have to avoid is having /root be there, but it shouldn't be anyway (that's the whole point) unless your distribution is really exceptionally braindead.
posted by devilsbrigade at 8:17 PM on September 14, 2006


(Not to hijack this thread, but am I the only one who utterly HATES this kind of "policy"? Sometimes I NEED to have the files saved locally, as the network drive is slow, or the connection is unreliable, etc.)
posted by slater at 2:12 AM on September 15, 2006


In Windows, setting the home folder to a network drive just establishes a drive letter mapping. It doesn't actually change where My Documents goes. I'm sure there's some separate Group Policy juju for that; personally, I just make sure my default (new user) profile (under \\your-logon-server-name-here\netlogon\Default User) has My Documents mapped to N:\Documents (N: being the drive letter I assign to user home folders).
posted by flabdablet at 5:08 AM on September 15, 2006


slater: I would get bitter complaints from the 20% of users who know what they're doing if I actively prevented them from writing to their local hard drives, and quite rightly so. It's easy to explain to the clueful that I can't back their stuff up if they choose to do that. But clueful users are not, in general, problematic.
posted by flabdablet at 5:13 AM on September 15, 2006


As a former sysadmin who solved this problem:
1. Don't let your users be local admins. This can effectively end the saving-files-locally problem.
2. Use roaming profiles. This means that files saved to the desktop are mirrored out onto a server location on a regularly reasonable interval.
3. Use Group Policy. It has a Folder Redirection feature that will enable you to redirect the locations of interesting folders like My Documents to a networked location.
4. Educate your users about why you are making this policy. Explain to them that the changes that you made (steps 1-3) were done in the interests of protecting their hard work. Ask for their help in protecting their data. Simply making rules without explaining them, especially in this arena, tends to generate a lot of resistance.
posted by rachelpapers at 6:36 AM on September 15, 2006
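
An added example, not written by any poster in this thread: a PowerShell audit, run in the user's own session (for instance from a logon script), that checks whether My Documents has actually been redirected to a network location as described in the answers above, and lists document files still sitting in the local profile. The file-type list and the report fields are assumptions chosen for illustration.

```powershell
# Added example: verify My Documents redirection and find documents left
# on the local disk. $DocTypes is an assumed list; adjust to your policy.
$DocTypes = '*.doc', '*.xls', '*.ppt', '*.pdf', '*.mdb'

function Test-NetworkPath {
    param([string]$Path)
    # UNC paths (\\server\share\...) are network locations by definition.
    if ($Path -match '^\\\\') { return $true }
    # Otherwise resolve the drive root and ask Windows what kind of drive it is;
    # a mapped home drive such as N:\ reports DriveType 'Network'.
    $root = [System.IO.Path]::GetPathRoot($Path)
    if (-not $root) { return $false }
    $drive = New-Object System.IO.DriveInfo($root)
    return $drive.DriveType -eq [System.IO.DriveType]::Network
}

function Get-MyDocumentsTarget {
    # The per-user location of My Documents is the 'Personal' value here;
    # Folder Redirection and hand-edited default profiles both end up in it.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $raw = (Get-ItemProperty -Path $key -Name Personal).Personal
    [Environment]::ExpandEnvironmentVariables($raw)
}

$target     = Get-MyDocumentsTarget
$redirected = Test-NetworkPath -Path $target

# Everything under %USERPROFILE% lives on the local disk (with roaming
# profiles it is the local cached copy), so any hit here is a file the
# server-side backup may not see yet.
$localDocs = @(Get-ChildItem -Path $env:USERPROFILE -Include $DocTypes -Recurse -File `
                   -ErrorAction SilentlyContinue)

# Summary object first, then the individual files for follow-up.
[pscustomobject]@{
    User               = $env:USERNAME
    MyDocuments        = $target
    Redirected         = $redirected
    LocalDocumentCount = $localDocs.Count
}
$localDocs | Select-Object FullName, Length, LastWriteTime
```

A `Redirected` value of `False` means the redirection did not apply to this user; a non-zero `LocalDocumentCount` with `Redirected` true usually points at files saved to the Desktop or other unredirected folders.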

