Just for the record, I am NOT an MS fan-boy. But, I do know what keeps me in hot dogs and beer. Learn about the resources Microsoft provides. Embracing the dark side instead of fighting it will save you hours of headache and make you a hero.
Active Directory is a huge time saver in any shop with more than a handful of computers/users. There is a ton of stuff you can control with group policy. The number of policy elements and the granularity of control keeps growing with each OS release. TechNet has some good resources but you have to dig for them sometimes.
For systems management, Windows scripting is a must. VBscript is not too difficult to learn. Microsoft provides scripting interfaces into Active Directory and the Windows management interface (WMI). Almost anything you can do in AD or at a computer console can be scripted in VBS with the AD and WMI interfaces. There is a very active scripting community on the TechNet web site. Lots of good sample scripts and documentation. Plus links to various webcasts. You can literally spend an hour a day for a week listening to the webcasts and learn enough scripting to save twice that much administration time every week.
Deployment is a bit of a weak spot. RIS is complicated and quirky. You can spend weeks just getting the basic system working then not be able to use it because your new hardware doesn't support the bootp environment. SMS is nice as a systems management tool. It does have OS deployment capabilities if you jump through enough hoops. But, it will cost you around $10,000 for a small deployment and months of learning how to make it work right. (It is very NON-intuitive.) If you have somewhat standardized hardware and software I would use Ghost.
The trick is to make sure you document all the components involved in creating your standard image. It doesn't need to be a click-by-click instruction, just a bullet-point list will do. (Install this component, disable that one.) Include just enough detail you can blast through the install on a new hardware platform and have it come out the same as previous machines. Do the same with the user configuration. Once you have a good image, sysprep it and Ghost it to an image file. Rinse, lather and repeat for other hardware platforms. There are a number of ways to deploy the images. Boot to CD or external hard drive works well in smaller environments where you might not have a dedicated image file server. Use a generic CD driver on a boot disk or check out BartPE (works well with external HDs).
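An added example, not code from the post above: the bullet list the poster recommends is easy to write and hard to verify, so this PowerShell script (run elevated, using the WMI and registry interfaces the post mentions) snapshots what actually ended up in a build, so a rebuild on a new hardware platform can be diffed against the reference image before it is sysprepped. The manifest paths are hypothetical.

```powershell
# Added example (not from the original post): snapshot the installed software,
# service startup types and hotfixes of a build into a flat manifest, and diff a
# rebuilt machine against the golden image's manifest.
# Assumptions (hypothetical): run elevated; manifest paths are placeholders.

function Get-BuildManifest {
    # Installed software from the Uninstall registry keys. Win32_Product is avoided
    # on purpose: enumerating it is slow and triggers MSI consistency repairs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { "software|$($_.DisplayName)|$($_.DisplayVersion)" }

    # Service startup types: a service left Auto that the bullet list says to
    # disable is exactly the drift this check is meant to catch
    $services = Get-WmiObject -Class Win32_Service |
        ForEach-Object { "service|$($_.Name)|$($_.StartMode)" }

    # Hotfixes as WMI reports them
    $hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering |
        ForEach-Object { "hotfix|$($_.HotFixID)" }

    @($software + $services + $hotfixes) | Sort-Object -Unique
}

function Compare-BuildManifest {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,
        [Parameter(Mandatory)][string[]]$Current
    )
    $reference = Get-Content -Path $ReferencePath
    # SideIndicator '=>' means present on this machine but not in the reference,
    # '<=' means present in the reference but missing here
    Compare-Object -ReferenceObject $reference -DifferenceObject $Current
}

# Usage (hypothetical paths):
#   On the golden image, before sysprep:
#     Get-BuildManifest | Set-Content -Path C:\Build\manifest-golden.txt
#   On a rebuilt machine:
#     Compare-BuildManifest -ReferencePath \\server\build\manifest-golden.txt -Current (Get-BuildManifest) |
#         Format-Table -AutoSize
```

Keep the manifest next to the bullet list for each hardware platform; an empty Compare-Object result is the evidence that the rebuild "came out the same", and a non-empty one tells you which bullet was skipped.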
90% of maintenance could be done by users but 90% of it would never get done because the average user could care less about system maintenance. Most IT staff are not trying to create job security by locking users out of doing things they are capable of. Most of us are trying to save our jobs by preventing users from horking the rest of the enterprise.
Anyone who has ever had to lock down a Windows system to prevent malicious behaviour knows it isn't easy. Until XP you had to be full administrator just to renew your IP address. You still have to be full admin to run a defrag. 99% of users should never even have power user rights - not to mention admin rights - because they do not understand the consequences of their actions.
Many of us spend days on end tweaking registry settings, file permissions and security policies to make the good stuff work seamlessly for (ungrateful) end users while blocking as much of the bad stuff as possible. Our reward? Being bashed at every opportunity because a user couldn't load the latest version of Flash when he surfed to Jib-Jab.
Both sides of this debate are correct. Simply having protection does not create the behaviour you are trying to protect against. BUT, users will get lazy and complacent the more they are coddled. The lazier and more complacent they become the louder they whine and complain. Management looks at the situation and decides IT needs to do more with le$$. It's a downward spiral from there.
We can't rely on acceptable use policies with no teeth. And we can't expect C-level executives to make the rules and enforce them. At the risk of being flamed into oblivion let me say, IT needs to grow a pair and lay down the law.
We need to take a long hard look at the business and figure out what THEIR pain is if the users screw up. You can talk about spyware and anti-virus until you're blue in the face and most non-techies will just glaze over. But, when you tell a sales exec that a "million dollar proposal" could be delayed by several hours because his numb-nut sales reps are infested with spam-bots, ears perk up - FAST.
As painful as it may be, we have to think outside the tech realm. We have to understand what the business thinks is important and play off that. Once you start putting dollar values on consequences - in terms the business can understand - funding and policies with teeth are right around the corner. Or, we can sit and whine like users.
Before anyone says I must be management or an MBA weener let me say: Wrong. I've fought this battle for years from the help desk all the way up to network engineering. The only way to stop the madness is to think about it from the business' perspective and put the costs in terms they can understand.
Go read "1984" and get the hell off my lawn!
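An added example, not code from either post above: the first post says nearly anything you can do in AD or at a console can be scripted against the AD and WMI interfaces, and the second says most users should never hold admin rights. The script below does both in PowerShell rather than VBScript: it enumerates enabled computer accounts through ADSI, then asks each machine's WMI for the members of its local Administrators group and reports anything outside an expected list. It assumes a reachable domain, rights to query WMI remotely (DCOM/RPC open to each host), and that the `$Expected` list and 30-day staleness cutoff are your own choices; all are assumptions, not anything from the posts.

```powershell
# Added example (not from the original posts): AD (ADSI) plus WMI, used to find
# who is a local administrator on every enabled computer account in the domain.
# Assumptions (hypothetical): domain reachable, remote WMI permitted, and
# $Expected naming the accounts that are allowed to be local admins.

function Get-LocalAdminReport {
    param(
        [string[]]$Expected = @('Administrator', 'Domain Admins'),
        [int]$MaxAgeDays = 30
    )

    # LDAP filter for enabled computer accounts: the OID is the bitwise-AND
    # matching rule and bit 2 of userAccountControl is ACCOUNTDISABLE
    $searcher = [adsisearcher]'(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'lastLogonTimestamp'))

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays).ToFileTime()
    foreach ($result in $searcher.FindAll()) {
        $fqdn = [string]($result.Properties['dnshostname'] | Select-Object -First 1)
        $lastLogon = $result.Properties['lastlogontimestamp'] | Select-Object -First 1
        if (-not $fqdn) { continue }
        if ($lastLogon -and [int64]$lastLogon -lt $cutoff) { continue }   # skip stale accounts

        $netbios = [regex]::Escape($fqdn.Split('.')[0])
        try {
            # Win32_GroupUser links groups to members; keep only the machine-local
            # Administrators group, since domain groups also show up as Win32_Group
            $members = Get-WmiObject -ComputerName $fqdn -Class Win32_GroupUser -ErrorAction Stop |
                Where-Object { $_.GroupComponent -imatch "Win32_Group\.Domain=`"$netbios`",Name=`"Administrators`"" } |
                ForEach-Object {
                    # PartComponent looks like: \\HOST\root\cimv2:Win32_UserAccount.Domain="CORP",Name="jdoe"
                    if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') { "$($Matches[1])\$($Matches[2])" }
                }
            foreach ($member in $members) {
                [pscustomobject]@{
                    Computer = $fqdn
                    Member   = $member
                    Expected = [bool]($Expected -contains $member.Split('\')[-1])
                }
            }
        } catch {
            # Unreachable hosts are worth knowing about too: they may be off the
            # network, firewalled, or not really managed at all
            [pscustomobject]@{ Computer = $fqdn; Member = "<unreachable: $($_.Exception.Message)>"; Expected = $null }
        }
    }
}

# The finding is every row that is not an expected member, plus unreachable hosts
Get-LocalAdminReport | Where-Object { $_.Expected -ne $true } | Sort-Object Computer | Format-Table -AutoSize
```

Get-WmiObject is the Windows PowerShell cmdlet; on PowerShell 7 swap in Get-CimInstance with the same class names. Run it from an account that is itself a local admin on the targets, and schedule it: the list of unexpected admins is what tells you whether the lockdown is holding, and the rows from hosts that never answer are often the machines nobody documented.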
Who needs to write a program? Just use the script that Microsoft kindly provides in KB918342 to change the license key to a known bad key.