upgrading our office
March 17, 2011 8:09 AM   Subscribe

IT filter: Whats the fastest route to a closed office network on windows? Goals: remove local admin rights for users, create white/black lists of software that can be installed by them, remotely manage routine maintenance for them (updates, virus scans).

An active directory server and group policy? Is that the most direct route? By 'most direct' i mean least amount of hardware setup and software maintenance.

Just looking for the broadest strokes -- point my head in the right direction...

This would be for offices with between 20 and 500 people.
posted by jak68 to Technology (10 answers total) 7 users marked this as a favorite
AD/Group Policy would be one way of doing it, but AD isn't a great tool for that. I would look into remote management tools like Altiris, LanDesk, or BigFix for something like that - they're much better for that task.
posted by deadmessenger at 8:14 AM on March 17, 2011

You can also configure mandatory software packages (via GPO) such that a new machine will get that software automatically installed when it is connected to AD or the user logs in.
posted by rhizome at 9:41 AM on March 17, 2011

least hardware is a VM per user on a big VMWare server, restore standard images nightly, home drive on a file share.

I would quit if you did that to me, but I'm a developer.
posted by Mad_Carew at 9:47 AM on March 17, 2011

Least hardware is cloud-based. Just need a fat pipe. But your definitely going in the right direction.

There's a dramatic difference in hardware requirements if you go from 20 users to 500 users.

ehh... if you check spec's usually a single server can run domain services for 500 clients. The big server hardware requirements are usually driven by biz requirements: separate offices with WAN redundancy, backups, etc. A lot of little places can be down for an afternoon while a server monkey fixes something where a larger shop would find that totally unacceptable.
posted by anti social order at 11:02 AM on March 17, 2011

The 20 to 500 person range is giving me fits. Among various IT related hats, one of them I wear is to be in charge of the Windows network at my workplace. We have around 40 employees and I've debated locking down the systems, but then it would increase my support load to do administrative tasks on their behalf. With 500 people, absolutely it would pay dividends but with a small user community you have more good will and possibly less administrative issues to let people be an administrative user on their day to day machine.

I wonder where the breakpoint lies. All I know is I haven't hit it yet.
posted by dgran at 2:08 PM on March 17, 2011

A domain with Active Directory is the most common way to go. That will give you GPOs, centralized Windows updates via WSUS, and some basic controls over the network and systems. AD is pretty stable, and if you've already got a Windows file server, it might as well be the domain controller and run AD as well; it's not a heavy workload.

Most business antivirus packages include a console module that you install on an IT machine; each PC 'phones home' to this console with details of the last time it ran a scan, if it found anything, etc. You can also push things out from the console, like scheduling every PC to wake and do a scan at 3am, etc. That lets you centrally manage AV in the same way that WSUS handles Windows OS updates.

If you're an all-Windows-7-Enterprise shop, you could be a guinea pig for Windows Intune? It's marketed as that same kind of 'phone home' console, but cloud-based and managing the OS instead of just AV.

But if you're looking to get really granular control such as black/whitelisting applications, then you're going to need a third party suite to manage that, since Windows can't do it out of the box. I've heard good things about Faronics products for that, especially from sysadmins who need to work with labs or libraries where they need to lock everything down.

Of course, you're going to have trouble with any of this if you don't have a good central inventory, monitoring, and control system. For that I point you at the free Spiceworks software package, which rocks. Also a good community to ask more questions ass you proceed. I'd start there, especially since it comes with a Helpdesk that you'll need to manage all your support requests.
posted by bartleby at 4:48 PM on March 17, 2011

Oh, and to echo degran and address the idea of lockdown...

While it's true that removing Local Admin rights is a best practice, and will do a lot to protect users from their own mistakes, it also means that a lot of common maintenance tasks now have to be done by IT (you), since users won't have the system rights to do it themselves. So it's a tradeoff between speding your Support time answering requests like "I reformatted my C: drive, is that bad?" from Local Admins - or "Acrobat keeps asking me to update Flash Player every time I open a website, please update it" from less-privledged users.

Something that works up to about 50 PCs is to set aside one weeknight or weekend afternoon where IT works when everyone else is gone. IT remotely logs on to every PC and installs all the patches, updates, etc that users are locked out of doing themselves. It's tedious, but goes quickly if done in assembly line fashon, and it can save a lot of day to day hassle because you know exactly which machines have had which patches installed.

That makes your default support response "OK, thanks, I'll install that on Sunday afternoon during the maintenance window. Unless you want to go do something else while I log on as Admin and install it for you, it should take X minutes."

The opposite way to go is to give everyone full control and let them go to town without babying them. You're never going to be able to manage all the problems that causes, but you are going to have to get them working again when they FUBAR their machine. Which is where the tools that let you set up a master system image with all the necessary software already installed, then deploy that image to a PC over the network, comes in. (Acronis has good tools for this.)

Then your default Support response is going to be "Wow. I have no idea how your machine got this messed up, but I do know that it would take me all day to fix. How about I just nuke the whole thing and replace it with the standard Accounting Department image? That'll only take about 30 minutes and will make it good as new; but you'll lose all the customization you did - which is non-work-related anyway."

Depends on how you want to spend your Support time.
posted by bartleby at 5:14 PM on March 17, 2011

Response by poster: everyone, thanks for the very informative responses, this kind of broad info is pretty much exactly what I was looking for.
posted by jak68 at 9:47 AM on March 18, 2011

Response by poster: (another q - wud one of you, if in nyc, want to be a paid consultant for us as we put something together? If you're interested, shoot me a pm)
posted by jak68 at 9:51 AM on March 18, 2011

This is what I do for a (temp) job, though IANYSI (I am not your system integrator).

- For Windows clients, Active Directory is a must. I cannot emphasize this enough. Even on a small network of 15 computers, it has paid off many times over to have a coherent and managed structure of users and computers.

- Because of Active Directory, you have the option of using Group Policy. Nay, forget option. It is well-nigh mandatory, considering your network size. Need to lock down a group of computers? Group Policy. Need to disable access to removable drives for a certain group of users? Group Policy. Need to roll out new software? Group Policy. These are but a few examples of what I use Group Policy for. Basically it saves you a lot of time by making the change on one server and having it enforced by your clients without a lot of manual labour.

- Similar hardware is a must. When I upgraded our office network last year, I made it a point to have a standardized configuration across the board (split into 2 types of workstations, for standard users and power users). This allowed me to keep the configuration of the workstations consistent, and I could do my testing on one sample workstation and know that it would work across-the-board. This also makes a lot of sense during initial deployment. What I did was to create the configuration on one workstation and deployed the image to the rest via the network. There was minimal configuration needed.

- You will probably want more than one domain controller. This allows you to take down either domain controller without fear of locking your users out. Microsoft has gotten pretty good at this; from Windows 2003 and up there is a File Replication Service that automatically synchronizes the domain between all domain controllers. There is very little manual intervention needed.

- Most corporate antivirus software will link in to Active Directory. This means that you can make use of your Active Directory set up to enforce rules, like scheduled scans and the like. Possible options are Symantec Endpoint Protection and Microsoft Forefront. They will really reduce the administrative nightmare and give you peace of mind.

In short, as a sysadmin today your life is probably easier than just a few years ago. There are a lot of software solutions that work straight out of the box, and Active Directory has really come into its own as a viable domain manager (and I'm saying this as an open-source geek!) At my clients' workplaces where there is no Active Directory, we have to do a lot of manual work like virus scans and policy enforcement that could have been settled with a few configuration changes at the server end. There's a lot less hacking with custom scripts needed today, which makes your burden easier, and allows you more time to do testing and implementation rather than get bogged down in the minutiae of daily maintenance.
posted by titantoppler at 8:13 AM on March 19, 2011

« Older What Dessert to make?   |   How do I get Obamacare Newer »
This thread is closed to new comments.