Sysadmin

I like to run a really good Windows machine. Firefox is my default browser (although IE has come leaps and bounds since its “I’ll merrily install any program a webpage asks me to!” days), I keep the system free of viruses and spyware, I have a “background” disk defrag tool, I routinely run CCleaner, etc. to purge accumulated cruft, and so forth. In short, I’m a system administrator’s dream. (Actually, I think I’m their nightmare, since the only time I contact them is when I have a really hard question, and I never do anything they expect… But I digress. If I administered a set of desktop nodes, I’d want them to be set up like mine.)

If I ran a computer network, though, I really wouldn’t trust normal people with doing things. Virus definitions need to be updated, virus checks need to be run, recycle bins need to get emptied, stale caches need to get purged, clocks need to get synced, and disks need to be defragged. I do this naturally on my desktop machine, so I don’t think of it as taking a lot of time, but if you asked me to maintain a network of, say, 30 PCs, I’d want to cry.

There exist, of course, a bajillion different tools for administering clusters of PCs. But what I find interesting is that I can’t think of any that really do what I want. I want to make sure certain programs are installed, and run them unattended periodically. Most solutions still seem like they require me to go to each PC and do my work, or they limit things: an increasingly common approach is just to reimage each computer when it reboots. In some cases, though, this is totally undesired: people might forget to use their network drive, losing all their work when they reboot. Or they might need to install a legitimate program for their work, and you’d end up losing a lot of productivity as they’re forced to reinstall every time they reboot. (Which means that they won’t reboot often, which complicates other things.)

2 thoughts on “Sysadmin”

  1. Where I work, we have all the problems that you mentioned. However, we do have technology in place to address them, which I can describe.

    We have found that what works best is a combination of imaging, and policy based desktop management.

    We manage a relatively small number of desktops (less than 1000 globally), however we also have a relatively small desktop support team. During our initial discussions, we had thought of re-imaging a machine every time it boots, however it’s not practical. At about 2GB each, think of the bandwidth required to pull down several hundred images all at, or around, the same time (8AM when people come into work). Now of course a fiber optic backbone and robust switching equipment could handle this, but you would run into disk performance issues, and you would need to have near perfect uptime of the imaging server, or else nobody can work. And what about PCs that are wireless? Some workstations we have in our manufacturing facilities are wireless, because equipment tends to move around a lot, so the PCs need to be moved as well.

    The other option is of course to store images on everyone’s machine in a separate partition, but what happens when you want to update the image? It would either be a major PITA, or you would again run into network bandwidth issues.

    So what we did was use imaging only for new PCs, or if a PC dies (usually the same thing: if your PC dies, you get a new one).

    The second piece to the puzzle is policy based application deployment. Based on your role, or with approval, most applications can be deployed straight to your desktop simply by assigning a policy to a given user. So for example, if a user needs AutoCad, we simply assign them to the AutoCad 2008 policy, and the application is installed, pre-configured, to that person’s desktop without user intervention. Policies can even be created to change all sorts of things, from installing printers, to creating registry entries, changing the home-page or default background, or even disabling certain features of their desktop (like USB Mass Storage Devices).

    The third piece is designed to address the need to protect local data (e.g. My Documents, Desktop, etc.). Our policy is that if you store it locally, and your PC dies, too bad. But that is not really practical in all cases. For example, if you have a laptop, and are on the road a lot, what are you to do? Or what if you are the CEO, and your hard drive crashes? Saying, “Sorry, you should have read the policy,” probably won’t go over too well. So the technology we deploy to address this is a background disk-to-disk backup agent, that is configured on a daily basis to back up the My Documents and Desktop data to a centralized repository, which is then offloaded to secondary storage. That way, if a PC dies, and that person “really needs their documents back”, we are able to get them back. The nice part about it is, if the person is traveling, the backup will wait till there is a connection back to the server (either locally, or over the VPN).

    The final piece to making an easy to maintain desktop environment is probably the most important, but dependent on the first two pieces. You must revoke administrator rights. Most organizations that let their users have administrative rights on their local PC do so because it’s not practical to have the user call the “helpdesk” to do every minor task. However, with policy based technologies, the work-load becomes bearable because assigning users to policies requires only a few clicks of the mouse.

    Kind of a long winded comment, however we have been heavily involved in designing and implementing this technology over the past few months, so I can speak to it at great length.
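The commenter’s last point, revoking local administrator rights, only holds if membership of the Administrators group does not quietly drift back. The following is an added example, not code from the post or either commenter: a report-only audit of the local Administrators group against an allow-list, with an opt-in switch to remove unexpected members. It assumes PowerShell 5.1 or later with the built-in LocalAccounts module; the allow-list names are hypothetical placeholders for your own support and domain-admin groups.

```powershell
# Added example: audit local Administrators membership against policy.
# Run under the management agent (elevated), not as the end user.
[CmdletBinding()]
param(
    # Hypothetical allow-list; replace with the groups your policy actually grants.
    [string[]]$Allowed = @('Administrator', 'CONTOSO\Desktop-Support', 'CONTOSO\Domain Admins'),
    # Report only unless -Remediate is given.
    [switch]$Remediate
)

$members = Get-LocalGroupMember -Group 'Administrators'
$drift = foreach ($m in $members) {
    # Members come back as COMPUTER\name or DOMAIN\name; strip the local machine
    # prefix so the built-in Administrator account matches its short allow-list entry.
    $localPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
    $short = $m.Name -replace $localPrefix, ''
    if ($Allowed -notcontains $short -and $Allowed -notcontains $m.Name) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Type     = $m.ObjectClass      # User or Group
            Source   = $m.PrincipalSource  # Local, ActiveDirectory, ...
        }
    }
}

if (-not $drift) {
    Write-Output "$($env:COMPUTERNAME): Administrators group matches policy."
    return
}

# Anything listed here is a deviation from the "no local admin" policy.
$drift | Format-Table -AutoSize

if ($Remediate) {
    foreach ($d in $drift) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $d.Member -Confirm:$false
        Write-Output "Removed $($d.Member) from Administrators on $($env:COMPUTERNAME)."
    }
}
```

Scheduled through the same policy system the commenter describes, the report output is the drift signal; keep the default report-only mode until the allow-list has been confirmed against real machines.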

  2. Thanks for the helpful comment. It’s kind of neat to see systems where they actually manage things really well, mostly because it seems like not many places do.

    On the machines at school that are reimaged on reboot (public terminals only), they store the image locally, so there’s really not much overhead involved. Updates aren’t made that often, though: I know this because every time I log in, I get an error that the virus definitions are out of date, an error that only pops up if they’re quite old. I contend that it could be done well, though, if you were more clever with distributing the load–you can push it out to a handful of machines at a time, thus avoiding saturating your network.

    That said, there are still lots of issues making it a horrendous idea for things like a desktop system.

    I really like the clever use of policies to manage things. I was only aware of its use in locking things down (like you mention with disabling USB, or keeping people from changing the clock, etc.), but its ability to roll out various software is a cool idea.
