realtimepublishers.comtm The Definitive Guidetm To Windows Desktop Administration
Bob Kelly Introduction
Introduction
By Sean Daily, Series Editor
Welcome to The Definitive Guide to Windows Desktop Administration! The book you are about to read represents an entirely new modality of book publishing and a major first in the publishing industry. The founding concept behind Realtimepublishers.com is the idea of providing readers with high-quality books about today’s most critical IT topics—at no cost to the reader. Although this may sound like a somewhat impossible feat to achieve, it is made possible through the vision and generosity of corporate sponsors such as ScriptLogic, who agree to bear the book’s production expenses and host the book on its Web site for the benefit of its Web site visitors. It should be pointed out that the free nature of these books does not in any way diminish their quality. Without reservation, I can tell you that this book is the equivalent of any similar printed book you might find at your local bookstore (with the notable exception that it won’t cost you $30 to $80). In addition to the free nature of the books, this publishing model provides other significant benefits. For example, the electronic nature of this eBook makes events such as chapter updates and additions, or the release of a new edition of the book possible to achieve in a far shorter timeframe than is possible with printed books. Because we publish our titles in “real- time”—that is, as chapters are written or revised by the author—you benefit from receiving the information immediately rather than having to wait months or years to receive a complete product. Finally, I’d like to note that although it is true that the sponsor’s Web site is the exclusive online location of the book, this book is by no means a paid advertisement. Realtimepublishers is an independent publishing company and maintains, by written agreement with the sponsor, 100% editorial control over the content of our titles. However, by hosting this information, ScriptLogic has set itself apart from its competitors by providing real value to its customers and transforming its site into a true technical resource library—not just a place to learn about its company and products. It is my opinion that this system of content delivery is not only of immeasurable value to readers, but represents the future of book publishing. As series editor, it is my raison d’être to locate and work only with the industry’s leading authors and editors, and publish books that help IT personnel, IT managers, and users to do their everyday jobs. To that end, I encourage and welcome your feedback on this or any other book in the Realtimepublishers.com series. If you would like to submit a comment, question, or suggestion, please do so by sending an email to [email protected], leaving feedback on our Web site at www.realtimepublishers.com, or calling us at (707) 539-5280.
Thanks for reading, and enjoy!
Sean Daily Series Editor
i Table of Contents
Introduction...... i Chapter 1: Desktop Administration Overview ...... 1 The Benefits of Desktop Administration ...... 1 Lower Cost of Ownership...... 1 Increased User Productivity...... 3 Rapid and Accurate System Recovery...... 4 When to Automate ...... 5 Deployment Automation...... 5 Backup Automation ...... 6 Inventory Automation...... 6 Windows Management Instrumentation...... 6 The Scope of Desktop Administration...... 7 System Deployment...... 7 User Profile and Data Management...... 8 Application Management...... 9 Desktop Security...... 10 Desktop Support...... 11 Scripting Custom Solutions ...... 11 Asset Management...... 12 The Politics of Desktop Administration ...... 13 Making Decisions that Affect Users...... 13 Delegation of Control ...... 13 NT Domains...... 14 AD...... 15 Third-Party Solutions...... 15 Working with Users ...... 15 Factors in Effective Desktop Administration ...... 16 Standardization ...... 16 Geographic Dispersion...... 17 Dedicated Staffing ...... 18 Budget...... 18 Connectivity...... 19 Process ...... 19
ii Table of Contents
Security ...... 19 Desktop Administration in Action...... 20 Help Desk Calls ...... 20 Handling New Systems...... 20 Outsourcing Desktop Administration ...... 21 The Benefits of Outsourcing...... 21 The Drawbacks of Outsourcing ...... 22 Summary...... 22 Chapter 2: OS Deployment...... 23 The Workstation Baseline...... 23 Benefits ...... 23 Increased Reliability ...... 23 Increased Deployment Speed...... 23 Ease of Troubleshooting ...... 24 Drawbacks...... 24 Baseline Components...... 24 What to Leave In...... 25 What to Leave Out...... 25 Common Pitfalls to Avoid ...... 25 MSI Source Resiliency ...... 25 Non-Essential Data ...... 26 Classified or Company Proprietary Information...... 26 Globally Unique Identifiers ...... 27 Profiles ...... 27 Security Identification Numbers...... 28 Initial Build Size ...... 30 Staging a Deployment...... 32 Benefits ...... 32 Less Time Spent at the Users’ Desks...... 32 Controlled Network Environment...... 33 Early Identification of Failed Systems...... 33 Drawbacks...... 34 Location-Specific Actions ...... 34
iii Table of Contents
Slow Delivery in a Changing Environment...... 34 Deployment Methods...... 34 Manual Installation ...... 34 Unattended Installations...... 36 Microsoft Solutions...... 37 Sysprep...... 37 Unattend.txt...... 39 $OEM$...... 40 Cmdlines.txt...... 40 Third-Party Solutions...... 40 Drive Imaging ...... 41 Available Solutions...... 43 Which Is Right For You?...... 46 Drive Duplication...... 46 Available Solutions...... 47 OS Deployment Best Practices ...... 47 Workstation Naming Conventions...... 47 System Build Information...... 49 Image Identification...... 49 Summary...... 49 Chapter 3: User Profile and Data Management ...... 50 User Profiles...... 51 Local Profiles...... 53 Roaming Profiles ...... 53 Mandatory User Profiles...... 59 Temporary User Profiles...... 59 Profile Security ...... 59 Contents of a User Profile...... 59 User Profile Storage...... 61 Profiles Templates ...... 61 Default Profiles ...... 62 Manual Profile Modifications...... 63 Dictating Data Storage...... 64
iv Table of Contents
Network Share ...... 64 User Home Directory...... 64 Single Share ...... 65 Individual User Shares...... 65 User Profile ...... 65 Local Data Directory...... 66 Setting Default Paths...... 66 Folder Redirection ...... 66 Folder Redirection via Shell Folders ...... 68 User Profile Quotas...... 69 Post Deployment Profile Configuration...... 72 Dictating Settings at Startup ...... 72 Dictating Settings at Logon ...... 73 Additional Tools ...... 73 ScriptLogic...... 73 Visual KIX...... 75 Backing Up and Restoring Profiles...... 76 Traditional Backup Systems ...... 76 Scripted Copies ...... 77 Migration Tools ...... 78 Troubleshooting Profiles...... 78 Unable to Load Profile...... 78 Troubleshooting Profile Problems with UserEnv.log...... 79 Using Profiles with Multiple Versions of Windows...... 80 Hard-Coded Profile Paths ...... 80 System and Group Policy Assignments...... 80 Summary...... 81 Chapter 4: Application Management...... 82 The Software Deployment Process...... 82 Receipt ...... 83 Deploying the Latest Version ...... 83 Existing Older Versions...... 83 Media Tracking...... 84
v Table of Contents
Integration Testing...... 86 Installation and Usage Documentation ...... 86 Application Interaction Considerations ...... 87 Package Research...... 87 MSI ...... 88 Command-Line Installations...... 91 Answer File...... 92 Repackaging...... 96 Package Development...... 97 OnDemand Software’s WinINSTALL ...... 97 Wise Package Studio...... 98 InstallShield AdminStudio...... 99 New Boundary Technologies’ Prism Pack ...... 100 Package Testing ...... 101 Package Quality Assurance...... 101 Deployment Testing...... 101 Pilot Deployment ...... 102 Volunteers Anyone?...... 102 User Notification...... 103 Track Successes and Failures...... 103 Baseline Updates...... 104 Image Updates ...... 104 Unattended Installation Script Updates ...... 104 Package Availability ...... 104 Package Deployment System...... 105 Software Distribution Vendors ...... 105 Summary...... 110 Chapter 5: Desktop Security ...... 111 Written Security Policy...... 111 Defining Your Security Policy...... 111 Enforcing Your Security Policy...... 112 Benefits of a Locked Down Environment ...... 113 Provide Desktop Damage Control ...... 113
vi Table of Contents
Prevent Installation of Personal Software...... 114 Eliminate Unauthorized Installation of Company Software...... 114 Stop Software Theft ...... 114 Enforce Proper Usage ...... 115 Playing Games “On the Clock” ...... 115 Conducting Personal Business...... 115 Conducting Illegal Activities ...... 115 Decrease Proliferation of Viruses ...... 115 Principal of Least Privilege...... 116 Protect Data...... 116 Drawbacks of a Locked Down Environment...... 116 Application Failures...... 116 Failure to Save Settings ...... 117 Failures When Saving Data ...... 117 First Launch ...... 117 Complex Deployments...... 118 Political Considerations ...... 118 Modifying File and Registry Access and User Rights...... 118 Registry Security...... 119 Group Policy ...... 119 RegINI...... 121 RegDmp ...... 122 SecAdd...... 122 File Security...... 122 Group Policy ...... 122 CACLS...... 123 XCACLS...... 123 User Rights...... 124 Group Policy ...... 124 NT User Manager ...... 124 NTRights...... 125 Changing Security Context...... 126 The Switch User Utility (SU.EXE)...... 126
vii Table of Contents
TqcRunas ...... 126 Controlling Removable Media and Restricting Device Access...... 127 Disable PnP and Other Devices ...... 127 The Load and unload device drivers Right...... 128 SecureNT ...... 128 General Security Recommendations...... 129 Rename Local Administrator Account ...... 129 Enforce Complex Passwords ...... 129 Disable Guest Account ...... 130 Replace the Everyone Group with Authenticated Users on File Shares...... 130 Employ Logon Warning Messages...... 131 Hide Last Logged On User Name...... 131 Password Protect the Screensaver...... 131 Enable Auditing ...... 132 Use RunAs ...... 132 Examining Your Security ...... 132 Microsoft Baseline Security Analyzer...... 132 Security Configuration and Analysis...... 134 SecEdit ...... 135 Event Log Management...... 136 Configuring Event Logs’ Retention...... 136 Archiving Event Logs...... 137 Summary...... 138 Chapter 6: Desktop Support...... 139 Adopting and Implementing Best Practices...... 139 Desktop Support Best Practices...... 141 Tracking Trouble Tickets...... 141 Web...... 141 Telephone...... 141 Email...... 142 Walk Ups ...... 142 Using a Knowledge Base...... 142 Employing Remote Control ...... 143
viii Table of Contents
Microsoft...... 144 AT&T...... 148 Paying for the Good Stuff...... 149 Working through Problems...... 150 What is Your System’s Computer Name?...... 150 Where is that Computer? ...... 150 Troubleshooting Tips...... 152 Profile Problems...... 152 Works On One Computer, But Not On Another...... 153 The Web Is Your Friend ...... 154 Is it Worth the Time? ...... 155 Keeping Users Informed...... 155 Monitoring the End-User Experience ...... 156 Survey Users ...... 157 Email...... 157 Documenting Your Workload...... 159 Summary...... 159 Chapter 7: Scripting Custom Solutions...... 160 Should You Script It?...... 160 Choosing a Scripting Language...... 163 VBScript ...... 163 KiXtart ...... 164 JScript ...... 164 WinBatch ...... 165 PerlScript...... 165 Shell Scripting...... 165 COM Automation ...... 166 WMI...... 166 Active Directory Service Interfaces...... 166 WSH...... 166 ActiveX Data Objects ...... 167 Internet Explorer ...... 168 Automate Actions ...... 168
ix Table of Contents
Display Information...... 168 Running Your Scripts ...... 170 Logon Scripts...... 170 RunOnce and Run...... 172 Startup Shortcuts...... 172 Schedulers...... 173 Manual Execution ...... 174 Group Policy ...... 175 Assigning Scripts ...... 175 Building Lists...... 176 Machine List ...... 177 AD...... 177 Server Manager...... 178 NET VIEW ...... 179 Custom Script Examples...... 179 Restarting Remote Systems ...... 180 Backing Up Event Logs...... 180 Software Inventory...... 181 Reading the Registry...... 181 Windows Installer ...... 182 The AutoLogon Process...... 183 Restricting Access...... 184 Summary...... 185 Chapter 8: Asset Management...... 186 Inventory...... 186 Benefits of Maintaining an Updated Hardware Inventory...... 186 Ensuring Minimum System Requirements Are Met...... 187 Knowing Where to Replace Hardware ...... 188 Enhancing System Components ...... 188 Improving Help Desk Productivity...... 188 Deterring Loss and Theft ...... 189 Hardware Inventory Methods ...... 189 Software Licensing ...... 194
x Table of Contents
Ensuring License Compliance ...... 194 License Types ...... 194 Licensing Methods...... 195 Buying Only What You Use...... 196 Software Metering ...... 196 Validating Your Environment...... 197 Software Inventory Tools ...... 198 Software Inventory Methods...... 199 Change Management ...... 202 Establishing Policies for Change ...... 203 Goals and Objectives ...... 203 Roles and Responsibilities ...... 204 Initiation Procedures ...... 204 Approval Procedures...... 204 Design, Planning, and Testing ...... 204 Scheduling...... 204 Communication...... 205 Recovery and Support...... 205 Documentation and Tracking...... 205 Waivers and Exceptions...... 205 Summary...... 205
xi Copyright Statement
Copyright Statement © 2003 Realtimepublishers.com, Inc. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtimepublishers.com, Inc. (the “Materials”) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtimepublishers.com, Inc or its web site sponsors. In no event shall Realtimepublishers.com, Inc. or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, non- commercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtimepublishers.com and the Realtimepublishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. If you have any questions about these terms, or if you would like information about licensing materials from Realtimepublishers.com, please contact us via e-mail at [email protected].
xii Chapter 1
Chapter 1: Desktop Administration Overview
The latest computers, the fastest network, and the best-rated software can quickly turn from a good investment into a money pit without proper planning and implementation of desktop administration practices. So what is desktop administration? As you’ll discover in this book, desktop administration is the methods and technologies used to deploy, configure, maintain, and track client workstations. It encompasses system deployment, user settings and data management, application management, security, support, and asset management. How you handle these critical facets determines the success of your workstation support. From a small office of 10 machines to a worldwide network consisting of tens of thousands of systems, the desktop administrator must address the same issues. GartnerGroup studies have found that 82 percent of implemented management systems fail to meet user expectations. The reason is that the expectations of the solutions on the market are often simply unrealistic. There are no point-and-click solutions to deploying new systems or applications. There is no way of automatically backing up and managing user settings and data. Access to reports showing just the asset management, software inventory, or usage metrics you want to see isn’t going to be displayed on your screen. You won’t meet any of these mission critical needs unless time is taken to identify, plan, evaluate, test, and implement the right desktop administration solutions for your organization. As if meeting these mission-critical needs isn’t motivation enough, let’s delve into additional benefits of desktop administration.