Management Tools for Computer Labs?
dorko72 asks: "I have been put in charge of setting up a small computer lab (30 workstations) for a local community. The benefactor is providing the hardware (Dell workstations and one server) as well as the operating system for these systems (Windows XP Professional and Windows 2000 Advanced Server). All the equipment is used, but not too old. I would like to find out what some of you guys use to monitor and manage the lab usage (i.e. provide real-time stats of which station is in use, etc.). I would plan to set these machines in a Windows domain using Win2k Advanced Server as the controller via Active Directory. There must be some way to access AD and find out who is logged in to what machine in the domain. Any suggestions or ideas would be much appreciated."
This isn't quite what you're asking about, but I figured I'd give you some useful information. I put in some security hardware called Centurion Guard at my library. I must say, if you're worried about malicious conduct on the computers, either viruses or people sabotaging systems (damn teenagers), I suggest you consider it. Basically it keeps a partition of itself, and whenever you reboot, everything not on the partition (which normal users can't screw around with) is wiped and restored to its original state. Just giving you my 2 cents.
Live life to the fullest. It's not that life is short, but that you are dead for so long.
Systems Management Server.
You're a community organisation - just ask Bill and Melinda for a few licenses.
DameWare: manage the machines from a remote location.
netusers.exe and some Perl or Python thrown in to deal with the output of netusers. You can get all your user stats and stuff from this.
With those tools you can develop some scripts to track usage and available computers and throw it all up on a web site.
At the most basic level this would work. You can include a script to run in the startup folder that does the following:
rem -- startup script: append the station name, user, date and time to a shared log
net use h: \\SERVERNAMEORIP\SHARE
rem %COMPUTERNAME% can be used instead of typing the station name into each copy
echo [INSERTCOMPUTERNAMEHERE] had the following user login:>>H:\LOGINLOG.TXT
echo %USERNAME% >> H:\LOGINLOG.TXT
rem /T prints the current value instead of prompting for a new one
date /T >>H:\LOGINLOG.TXT
time /T >>H:\LOGINLOG.TXT
rem --
Every user that logged into the domain would need write access to the share, though.
There are tons of GPO + VB script ways to do this.
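Added example, not code from the post: a Python parser for the LOGINLOG.TXT layout the startup script above produces (header line, user, date /T, time /T), giving the last login seen per station. The sample log is constructed; since every user can write to that share, treat the file as a convenience record rather than evidence.

```python
import re
from datetime import datetime

# Constructed sample of H:\LOGINLOG.TXT as the startup script above writes it:
# header line, echoed user name, then the output of date /T and time /T.
SAMPLE_LOG = """\
[LAB-PC07] had the following user login:
jsmith
Thu 01/15/2004
09:12 AM
[LAB-PC12] had the following user login:
mlee
Thu 01/15/2004
09:15 AM
[LAB-PC07] had the following user login:
achen
Thu 01/15/2004
11:40 AM
"""

HEADER = re.compile(r"^\[(?P<station>[^\]]+)\] had the following user login:$")
STAMP = "%a %m/%d/%Y %I:%M %p"  # en-US "Thu 01/15/2004 09:12 AM"; change for other locales

def parse_loginlog(text):
    """Return (station, user, datetime) tuples in file order. Entries that are
    truncated or malformed are skipped and parsing resyncs on the next header."""
    lines = [ln.strip() for ln in text.splitlines()]  # echo leaves trailing blanks
    records, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 3 < len(lines):
            try:
                when = datetime.strptime(f"{lines[i+2]} {lines[i+3]}", STAMP)
                records.append((m.group("station"), lines[i+1], when))
                i += 4
                continue
            except ValueError:
                pass  # bad date/time stamp: fall through to the next line
        i += 1
    return records

def current_users(records):
    """Last login seen per station. The script logs logins only, never logoffs,
    so this says who last signed in there, not that the seat is still taken."""
    latest = {}
    for station, user, when in records:
        if station not in latest or when > latest[station][1]:
            latest[station] = (user, when)
    return latest
```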
- Strong locks for the outer doors of the lab.
- Clippers capable of severing all keyboard and mouse cables.
- A sturdy, 36" Crowbar.
- Cheap bourbon.
Long and painful experience has shown that management software and administrative tools are interchangeable luxuries at best (and are more often nothing more than time-consuming placebos). While you are certain to receive many suggestions for that type of product, I am certain that the list above represents the absolutely indispensable core of any competent administrator's toolkit. No, seriously...
Bring up your favorite distro. The important bits of immediate concern are Squid and syslog. Prevent direct access to the net from the client machines and force them to go through the proxy using a GPO in Active Directory. Configure Squid how you like, but best to at least add the capability to block certain sites and prevent certain file types from being downloaded:
acl hosts_deny dstdomain "/etc/squid/blocked_sites.txt"
acl filetypes urlpath_regex -i "/etc/squid/filetypes.txt"
http_access deny filetypes
http_access deny hosts_deny
List the domains to block in /etc/squid/blocked_sites.txt. List the file extensions to block in /etc/squid/filetypes.txt in regex fashion (something like \.(exe)$ to block .exe files). Not a complete fix, but a good quick way to safeguard web access.
Now run over to SourceForge and grab ntsyslog. This handy tool exports your Event Viewer logs to a remote syslog server. It installs as a service and it's a cinch to set up. Stick it on your domain controller. On your Linux box add a line like the following to syslog.conf (for sysklogd):
user.alert -/var/log/domain.log
By default, ntsyslog uses user.alert, but you can change that to whatever you like. Also make sure your syslog is configured to receive messages from remote clients. Now, in your default domain policy on the domain controller configure it to audit logon events as well as account logon events, successes and failures for both.
Now you've got web access managed by a central proxy with full logging and minimal blocking abilities and all logon success/failures being reported to Event Viewer on the DC and forwarded to the syslog. If you want to see who is logged into a machine at any given time you can either quickly parse the logs or use something like NetUsers or LoggedOn.
Popular local opinion says that you're likely to have more problems/attacks with/against your Windows server. Having your Event Viewer messages forwarded means you can diagnose problems in the event something happens to that server. You'll probably want to at least MRTG the Linux box to get an idea of bandwidth usage too. Then enjoy whippin' up your own set of shell scripts to play with your logs (hint: real-time monitoring)!
I'm against picketing, but I don't know how to show it.
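Added example, not from the post or from ntsyslog: the kind of log-playing script the post hints at, reading forwarded logon events out of /var/log/domain.log and flagging a station that racks up repeated failed logons, the sort of thing you'd page on. The syslog line prefix is an assumption; the event ids (528 logon success, 529 logon failure) and the "User Name:" / "Workstation Name:" fields are Windows 2000's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the general shape of ntsyslog output ("<host> security[<type>]
# <event id> <user> <message>"): the prefix is an assumption, the event ids and the
# message fields are Windows 2000's own.
def _ev(ts, kind, eid, who, msg, user, ws):
    return (f"{ts} dc1 security[{kind}] {eid} {who} {msg} User Name: {user} "
            f"Domain: LAB Logon Type: 2 Workstation Name: {ws}")

BAD_PW = "Logon Failure: Reason: Unknown user name or bad password"
SAMPLE_LINES = (
    [_ev("Jan 15 09:12:03", "success", 528, "LAB\\jsmith", "Successful Logon:", "jsmith", "LAB-PC07")]
    + [_ev(f"Jan 15 09:13:{s:02d}", "failure", 529, "NT AUTHORITY\\SYSTEM", BAD_PW,
           "administrator", "LAB-PC12") for s in (10, 14, 19, 25, 31)]
    + [_ev("Jan 15 09:20:00", "failure", 529, "NT AUTHORITY\\SYSTEM", BAD_PW, "mlee", "LAB-PC03")]
)

LINE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ security\[\w+\] (?P<eid>\d+) "
                  r".*?User Name: (?P<user>\S+) .*?Workstation Name: (?P<ws>\S+)")

def parse_line(line, year=2004):
    """Return (timestamp, event id, user, workstation) or None for lines we don't model.
    Syslog stamps carry no year, so the caller supplies it."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, int(m.group("eid")), m.group("user"), m.group("ws")

def failed_logon_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detector: one alert (workstation, user, time) each time a
    station accumulates `threshold` event-529 failures inside `window`."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != 529:
            continue
        ts, _, user, ws = rec
        q = recent[ws]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ws, user, ts))
            q.clear()  # reset so the same burst pages only once
    return alerts
```

Feed it `open("/var/log/domain.log")` (or a tail pipe) instead of SAMPLE_LINES for live use; the default year must be set from the clock since the syslog stamp lacks one.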
I suggest you check out NetOp School. I manage 8 computer labs for a community college in Gainesville, FL and we use this in several of them. At a glance, the instructors can tell who is logged in & where (uses machine name and windows login name information). Additionally, NetOp School provides controls, i.e. lockout and demo mode. You can run commands on the remote machine, transfer files, etc. Also, you can create breakout sessions where small groups are formed, and one person in that group would be granted all of the above controls.
It installs remotely (from the "instructor" station) and runs as a service. Our instructors love it. I think you should check it out.
In Soviet Russia, the signature reads YOU!
Assuming that you will be in charge, here are some pointers on how it can be done
My opinion? See above.
Never underestimate the power of a pointy stick.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Keeping track of who used which computer at what time isn't treating users like criminals; it does the opposite, in fact. When something "goes wrong" on the network or one of the workstations, it lets you narrow down the list of who could have done it; that way you can scrutinize a select few instead of treating all your users as criminals or being forced to remove/limit access. When I was in high school the network manager had a horrible problem with one of the students installing Sub7 on various machines trying to get into the administrative side of the network. While the malicious script kiddy wasn't so bright, given that the administrative computers were on a completely different physical network from the student machines, it did create a lot of trouble as far as cleaning up the mess. She had some monitoring packages installed, so when the kiddy installed it again she got paged and caught him in the act. While it isn't always possible to find the one person responsible on the first try, if you had something go wrong every day at 4pm you could and likely would pay more attention to who is using the systems at that time and try to find the culprit through a process of elimination.