Teach me to be a small-time Windows sysadmin
August 26, 2009 5:30 PM

I'm just starting a small Windows sysadmin job (~10 computers) for my dorm. I know there are tools out there to make my life easier, but what are they? I'm trying to bridge the gap between "just do everything repeatedly on every computer" and "take this year-long training course so you can administer 500 computers remotely from your Batcave."

I've got lots of Windows experience as a user. But as an administrator of multiple desktops, I'm somewhat clueless. Here are some basic questions that run through my mind:
  1. What software tools should I have in my toolbox, given the small number of computers? I'm thinking Norton Ghost (or similar), but beyond that I'm not sure; the Microsoft sysadmin software in particular is pretty confusing.
  2. Here's a big one: let's say Adobe Acrobat, or Mozilla Firefox, or similar user software comes out with an update. The users can't upgrade themselves, since they don't have admin privileges. How can I roll this out to all the computers, quickly and painlessly? Or better yet, is there a way to get an auto-update service running as administrator in the background?
  3. What's the deal with Windows Updates? How do we roll them out? I presume this whole "patch Tuesday" thing is designed specifically to make sysadmins' lives easier, but how does that work?
  4. I'll obviously be putting together a master system image. What little things might I miss that I should be sure to include, or settings should I toggle?
  5. The problem with master system images is that they get outdated very fast (especially application versions, not just Windows updates). Do people actually use them to restore unhappy computers, or do you only use them for the initial rollout?
  6. I've messed around with gpedit.msc a few times on individual computers, but it seems like there's a way to manage that stuff remotely; how?
  7. Are the tools for Windows 7 sysadmining available? If not, when do we anticipate that happening?
Any more general advice is also certainly appreciated. Thanks!
posted by Jacen Solo to Computers & Internet (14 answers total) 9 users marked this as a favorite
10 users seems like at the break even point between the time spent in getting remote management working and the time spent just fixing problems as they come along.

Do you have access to the domain / active directory server? Your best bet is to store the user profiles remotely on a server and make sure you image with ghost every night.

The best option, if you can swing it, is to run a customized RDP live disk and Windows Terminal Server, or, if you're really feeling pioneering, VMware View 4 (formerly VDI). All of which is super-cheap with educational licenses.
posted by geoff. at 6:02 PM on August 26, 2009

I'm primarily a Linux/Unix sysadmin, so I'm kibitzing, but you're leaving out any sort of backup strategy from your list. Have on-site and off-site backups, preferably automated. Have a retention policy, so you and everyone else will know what can be recovered and how far back you can recover them. Test your backups, so you won't be unpleasantly surprised one day. Remember that the backup is also one of your tools for any sort of virus infection -- it'll save time and effort to nuke the machine and move on.

Windows Updates: google for WSUS. How well you can use it probably depends on whether you have a Windows Server box lying around, and whether your 10 workstations are in a domain (with the corollary that these machines are "Professional" rather than "Home"). Similarly for managing group policy across all your boxes: I believe you will need a domain controller.

You may want a Knoppix or Ubuntu boot CD in your toolbox. It's handy to be able to boot into something that's Not Windows in order to see if the problem is with Windows or with hardware, and to do certain tasks that are harder to do in Windows, etc.
posted by chengjih at 6:49 PM on August 26, 2009

Best answer: If the users don't need to change things on the machines, and do not need to store anything on the machines, use Windows SteadyState to lock the machines down so they reboot the way they were. It's an indispensable tool, and free compared to DeepFreeze. You can schedule times for updates with it, timer locks for certain profiles to be logged on, and do all sorts of stuff. I think you can also set up the group policy items from inside SteadyState and NOT lock the hard drive down, but to be honest, I've never set it up that way.

As far as gaining access to the machines, make sure they're all running Remote Desktop, and be able to log on to them from a user account that you make for that purpose. With SteadyState, I think you can make it so certain logons don't get clobbered by the locked hard drive restriction.
posted by deezil at 7:12 PM on August 26, 2009

Best answer: You're a student, probably with ample free time and working for peanuts. The most expensive part of automating this stuff is learning how it works. Take this as an opportunity to manage 10 computers from your batcave, to further your own professional development; think of it as paid training. If they didn't want things to fuck up on occasion they'd hire salaried employees.

The basic Microsoft tool to install and manage computers is Active Directory; if you're asking this question you probably don't have one set up yet. You have one server set up as a Domain Controller, make both computer and user objects, and set the other computers to connect to it. From there, you can write "GPOs" to distribute changes to computers. gpedit lets you create group policy objects (terrible name), but doesn't handle distributing them. For that, connect to (remote desktop or the admin tool) the Domain Controller, where Active Directory Users and Computers will let you drag and drop GPOs into management units, i.e. the folder that holds a bunch of Desktop computer accounts. When the computers connect to AD, they'll see the new policies and apply them.

Personally, I manage servers (Windows & Linux), so I'm not familiar with desktop aspects. I believe that you can use GPOs to install 3rd party software, and I know you can use WSUS to update Microsoft patches. On the server side, I like having Process Explorer installed, since default tools are junk. Maybe figure out how to install Adblock Plus or other plugins systemwide?

About system images: a friend of mine is a university IT tech, and they Ghost new images pretty often in the process of diagnosing problems. I'm sure their employees hate it as their local personal data disappears. The admins maintain a clean image to copy over, and every so often command the army of student workers to reimage the building. They just keep one golden image around and try to make sure nobody's too far off the curve.

You can see the problem with that; you never know what's on a given computer reliably. Which is why larger installations manage computers via AD or Novell etc. The good news is that Microsoft pretty much gives this shit away to universities. Ask your boss to requisition a copy of Windows Server 2003 or Server 2008 and they should be able to find a site license.
posted by pwnguin at 7:30 PM on August 26, 2009

Use LogMeIn (free) to administer the machines from one box.
posted by blue_beetle at 9:05 PM on August 26, 2009

Response by poster: Great answers so far; thank you!

With regards to pwnguin's quite helpful and in-depth response, the problem with such a setup, as I understand it, is that it would reduce the number of usable computers by 1, since one of them would need to be a domain controller that only I touch. Given our small number of computers, I'm not sure that'd be worth it.

In combination with chengjih's answer, though, it does look like an AD/Directory Server/domain setup is the way to go... hmm.
posted by Jacen Solo at 9:26 PM on August 26, 2009

Can you give us a bit more information about the computers you are expected to manage - things like:
Who will be using them, what applications will they use, are the users expected to install things, etc.
posted by TravellingDen at 1:14 AM on August 27, 2009

Computers are cheap. Dirt cheap. For a ten computer / account AD server, you can probably run the damn thing on a netbook (cheap, and built in battery backup!). Except I wouldn't rule out Microsoft software refusing to run.

You work for a college; there's invariably surplus you can hit up. Find some old dilapidated spare and you're fine until your boss finds the budget for something that won't fail.
posted by pwnguin at 1:46 AM on August 27, 2009

Response by poster: TravellingDen: about 100 students are the potential users, although in practice most people use their own computers. They are fairly recent (1–3 years old). The idea is to install all the software ahead of time, so things like Firefox, Microsoft Office, LaTeX, Mathematica, Adobe Acrobat, some codec pack or probably just VLC player, etc. Typical uses include watching TV shows, browsing the internet, and doing homework. Users should save their files to either the network file-share or to their own personal USB sticks. Think that covers it?
posted by Jacen Solo at 4:42 AM on August 27, 2009

Best answer: Stop trying to figure out the whole thing if you don't know what you're doing yet. For the first 3 months go through this workflow:

1) Boss/Coworker asks for help on something
2) Research what you need to do
3) Do it. If you've done it twice, document how to do it. Have someone more experienced look at the doc to see if you're doing it wrong or inefficiently. Learn to document clearly and in idiot-proof steps. Take a technical writing course. Make sure someone on day 1 can read your docs and get stuff done.
4) Repeat

While you're going through this, learn how to script stuff. Seriously, scripts are force multipliers and sanity savers. Scripts are the surest thing to move you out of the beginner phase. Your workflow now becomes:

1) Boss/Coworker asks for help on something
2) Research what you need to do
3) Do it. If you've done it twice, document how to do it. Have someone more experienced look at the doc to see if you're doing it wrong or inefficiently. If you've done it three times, script it. Have someone look at your scripts to see if you're doing it wrong or inefficiently. Update your docs to reflect using the script. Leave in the manual way in case your script breaks.
4) Repeat

After another 3 months of this it's time to start looking at process improvement and doing things beyond your job requirements. Make sure you a) justify any changes to the status quo with data, b) note your reservations once and professionally if your boss shoots you down on it for any reason then let it go, and c) clear every last one of these with your boss.

I realize this is a bit more general take on how to be a good admin, but doing the things here gets the silly stuff documented so you aren't researching all the time, giving you more time to script. Scripting gets rid of the time investment in fixing known problems so you get more time to figure out the hard stuff. This lets you learn.

Also, see if you can score an MCSE or MCSA. Like most paper, they're utterly worthless after you have experience, but it can jump start the newb to having starting points on new problems by forcing you to imbibe knowledge.

As always, remember your first job is to fit in. Your second job is to have your boss's back. After that, it's all gravy.
posted by bfranklin at 5:18 AM on August 27, 2009

A few more notes: talk to the other folks doing this job at the uni. Circulate your docs and scripts to them. Hoarding doesn't make you look more effective, sharing and making everyone better does.

The first point for the majority of issues in any type of production environment is the Windows Event Logs. 10 computers isn't a lot. Start watching 'em daily, and spend free time researching what all those messages mean. When you can review a day's worth of event logs for 10 computers in around 10-15 minutes and know what you're looking at you're getting good.

As mentioned above, unis get cheap software. Req some licenses for Windows software you use in your job, scrounge up some decommissioned machines, and build yourself a lab and learn.
posted by bfranklin at 5:27 AM on August 27, 2009
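
A sketch of the daily event-log review suggested in the comment above, added here as an example and not part of the original thread. It assumes placeholder hostnames, an account with rights to read the remote logs, and the remote event log firewall rules enabled on each machine.

```powershell
# Hostnames are constructed placeholders; replace them with your own machines.
$Computers = 'DORM-PC01', 'DORM-PC02', 'DORM-PC03'

function Get-DailyEventDigest {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [datetime] $StartTime = (Get-Date).AddDays(-1)
    )
    foreach ($computer in $ComputerName) {
        try {
            # Level 1 = Critical, 2 = Error, 3 = Warning; the filter is applied on the remote side.
            $events = Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
                LogName   = 'System', 'Application'
                Level     = 1, 2, 3
                StartTime = $StartTime
            }
        }
        catch {
            # Get-WinEvent raises an error when nothing matches: a quiet day, not a failure.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
            # Anything else (host offline, firewall, access denied) becomes its own row,
            # so a machine that silently stopped reporting is not mistaken for a healthy one.
            [pscustomobject]@{
                Computer = $computer; Log = '-'; Source = 'COLLECTION FAILED'; EventId = 0
                Level = 'Error'; Count = 1; Latest = (Get-Date); Sample = $_.Exception.Message
            }
            continue
        }
        # Collapse repeats: one row per (log, source, event ID, level) with a count.
        $events | Group-Object LogName, ProviderName, Id, LevelDisplayName | ForEach-Object {
            $newest = $_.Group[0]   # Get-WinEvent returns the newest events first
            $firstLine = if ($newest.Message) { ($newest.Message -split "`r?`n")[0] }
                         else { '(no message text)' }
            [pscustomobject]@{
                Computer = $computer
                Log      = $newest.LogName
                Source   = $newest.ProviderName
                EventId  = $newest.Id
                Level    = $newest.LevelDisplayName
                Count    = $_.Count
                Latest   = $newest.TimeCreated
                Sample   = $firstLine
            }
        }
    }
}

Get-DailyEventDigest -ComputerName $Computers |
    Sort-Object Computer, @{ Expression = 'Count'; Descending = $true } |
    Format-Table -AutoSize -Wrap
```

Grouping by source and event ID is what makes a 10 to 15 minute review realistic: a message repeated hundreds of times shows up as one line with a count instead of burying the one-off errors.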

Download the Microsoft Sysinternals tools and keep them somewhere you can get to them from any system. In my experience you can solve 90% of any user or system issues by using ProcMon to watch exactly what the system is doing before it fails.
posted by Gortuk at 6:14 AM on August 27, 2009

This is what you need: Desktop Central 6. The free edition can manage up to 10 workstations.
posted by bleucube at 7:16 AM on August 27, 2009

Make an Ultimate Boot CD (UBCD) with lots of tools.
posted by theora55 at 10:46 AM on August 27, 2009
