Wednesday, March 4, 2009

The question of wireless profiles on laptops with new users

This post is a bit more of a technical nature…so if you casually read my blog, this may fly over your head :)

I was at work today, and a very interesting question came up from one of my colleagues… here’s the scenario:

We have a couple of laptop carts in some labs in the schools, and these laptops are to be used by students who have their individual Active Directory logins. These laptops connect primarily with a Wireless connection.

Given:

  • We know that in order to connect to a network account, you need a network connection.
  • We know that a wireless profile on a computer is profile based, not machine based.

Problem:

In order for a user to have a wireless connection, they need to have a profile, and in order to create the profile, you need a network connection. The verdict: it’s a catch 22!

Workaround:

There’s always the possibility to connect the laptop to a wired connection in order to login for the first time to the computer. However, given that there are hundreds of students, and each of those students may very well grab a different laptop each time they visit the lab, there will be a constant plugging, unplugging, questions, confusions, you get the idea…

Ideal Solution:

Have a wireless profile set up in Windows Group Policy so that the wireless connection is configured automatically on the machine. That’s a great idea IF:

  • All the machines logging in have Windows XP Service Pack 3
  • The servers on which the GPO resides run Windows 2003 or higher. (Windows Server 2008 and Vista natively have this functionality, and no schema changes would be required for them.)
  • If the servers have Windows 2003, you are willing to make some changes to the Active Directory schema, following the instructions in this article: http://technet.microsoft.com/bb727029. That’s pretty high risk if you ask me.

My Workaround:

The following is a theory at this point, as I haven’t implemented it, though I have pretty high confidence that I can bring it to fruition.

1- Set up a Default profile that's configured with the appropriate Wireless configuration.

2- Create a local, no privilege account on the laptop with no password or a very simple password.

3- Place a batch file and/or other script that launches on login and asks the user for their network login and password. The batch file/script will contain a routine to trigger some process that will "RUN AS..." that user, thereby triggering the creation of that user's profile on that workstation using the default profile, which contains the wireless configuration, and then log off.

4- Now the user can log on with their network account, to which the default profile has been copied, and the Wireless configuration has been applied.

5- (Optional) Enable the GPO to wait for login until network connectivity has been established.
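The logon script from step 3, sketched as an added example (it is not the author's script, which the post describes as not yet implemented). It assumes PowerShell 2.0 or later is installed on the laptops; `EXAMPLE` is a placeholder domain name and `Get-ProfilePath` is a helper introduced here.

```powershell
# Added example, not the author's script: logon script for the local
# low-privilege account in step 3. EXAMPLE is a placeholder domain name.
$Domain = 'EXAMPLE'

function Get-ProfilePath {
    # Return the profile directory Windows has registered for an account on
    # this machine, or $null if no profile has been created yet.
    param([string]$Account)
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($Account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
    $key   = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $entry = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($entry) { return $entry.ProfileImagePath }
    return $null
}

$name = Read-Host 'Network login name'
# The Windows credential dialog hands back the password as a SecureString,
# so the script never sees or stores it in plain text.
$cred = Get-Credential -Credential "$Domain\$name"
if (-not $cred) { exit 1 }

try {
    # -LoadUserProfile makes Windows load the account's profile, creating it
    # from the Default profile on first use. The command itself does nothing.
    Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
        -ArgumentList '/c', 'exit' -Credential $cred -LoadUserProfile `
        -WorkingDirectory $env:SystemRoot -ErrorAction Stop
} catch {
    Write-Host "Sign-in failed: $($_.Exception.Message)"
    exit 1
}

# Poll for up to 60 seconds until the profile is registered, then log off so
# the student can sign in with the network account.
for ($i = 0; $i -lt 60 -and -not (Get-ProfilePath $cred.UserName); $i++) {
    Start-Sleep -Seconds 1
}
if (Get-ProfilePath $cred.UserName) {
    & "$env:SystemRoot\System32\shutdown.exe" /l
} else {
    Write-Host 'Profile was not created; ask a technician for help.'
}
```

Checking the `ProfileList` registry entry before logging off confirms that the profile really was created, so a mistyped password does not leave the student at a logon screen that still cannot reach the network.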

I will post a follow-up to this post if and when I decide to implement this solution. What do you think about this workaround? Do you have any better ideas to implement wireless configuration for non-logged on users aside from the GPO method?
