Brian Arkills Software Engineer, LDAP geek, AD guy, Chief Troublemaking Officer Windows HiEd Conference 2006 Managed Workstations: UW Nebula

Goal and Philosophy Goal: To provide easily-supported, reliable, secure, flexible, networked computing to end users Philosophy: Solve general problems, rather than specialized problems: “economy of scale.” Nebula isn’t for everyone

Core Components Support Infrastructure Governance Service Model Definitions Software Distribution Mechanism Patching Mechanism Popular Application Service Offerings Detailed Reporting Tools and Infrastructure Glue

Support Infrastructure Support Groups (SGs) for Client Interactions –Experts at workstation support and people skills Engineering Group for Escalation –Experts at tools, infrastructure glue, and troubleshooting non-simplistic problems

Governance A planning or governance group helps prevent a number of problems. Membership: –Each Support Group has one member on Planning group –Engineering sends as many as needed –One additional Support Group member serves as a facilitator –Managers of each group can attend Policy document (and exceptions)

Standardization=clarity=supportable expectations Two general categories of models –Managed Gold workstation Kiosk Managed servers –Loosely managed Bronze workstation Local servers Loosely managed servers Mac workstations Service Model Definitions

Numbers 1 SG member per 250 workstations 1 engineer per 1000 workstations 1 software package per week 2800 computers in domain, 2200 users, 1200 groups; 1 sister domain Cost: –$52/month:gold desktop (2055) –$58/month:gold laptop (329) –$26/month:bronze (135) Doesn’t include hardware, add ~$30/month for hardware 4.53 terabytes of file storage, 2.95 terabytes in use

Software Distribution Nebula provides: –Core apps that everyone wants (office, , calendaring, etc.) –Any app that more than 5 computers need and meets our definition for “packagable” Part-time students create software packages SG members: –sponsor each package –provide installation settings desired –ensure that adequate testing happens

Patching Mechanism Doesn’t matter what you use, as long as: –You have some kind of reporting for clients that haven’t gotten the patches –You have some kind of reporting for clients that haven’t been talking to your patch solution for awhile Nebula uses WSUS with custom-written code that generates these reports –

Application Service Offerings User need determines our offerings. We usually consume a service offering from central IT. Stuff we consume: –Calendaring –Mailing lists –SQL hosting –BlackBerry Stuff that we float just for Nebula: –File services with 2 week user-retrievable snapshots –Print services –Unix shell account –VPN

Reporting is as important as features Focus is: 1.General info for troubleshooting Computer or user specific web-based queries with department awareness 2.Policy exceptions -based report that warns of problem 3.Security exceptions -based report that warns of problem and possible implications All our code is available under an apache-style license Detailed Reporting

Web-based Reports Computer info query: Name, IP address, MAC, support group, test group, purchase date, dept, last user, chassis, model Department summary: number per model, number per service, warranty end Software package assignments Up-to-the-minute patch status Installed application query Service and program classification query AU configuration for all servers in domain Oracle calendar usage reports Billing reports

-based Reports Patching Status: Not Seen in 14 days Bronze Missing Managedby Missing or Unknown LAG members Computers with remote management issues Unused Nebula Accounts Old OS

-based Reports Port scan System Services Missing Patches Prohibited Programs VirusScan DAT version

Report Code Logic For each SG (Support Group) grabAllComputersUnder(SG)—sorted by dept For each computer –gatherComputerInfo –checkForException –addExceptionToReport mailExceptions(SG)

Report: “adminCheck” Checks LAG group of every computer for: –Expected: domain admins, SG admins (context specific), local admin –Prohibited: authenticated users, anonymous logon, domain users, everyone, unresolved sid, any principals outside domain Uses winnt: provider. Syntax Example: "winnt://NEBULA2/domain admins“ Adds/Removes members as needed

Report: Prohibited Programs Uses a DB to store: –List of installed programs per computer across all of nebula—this is the basis for a web report –List of permitted/prohibited programs per model and per computer and per computer group Uses the registry to find installed programs Reports evil and unknown on managed Reports evil on unmanaged

Tools and Infrastructure Glue Calendaring service + AD + Unix requires “glue”: a DB to link them Functionality add-ons: –UW white pages sync –dell warranty info harvesting –automatic wireless MAC registration

The End Brian Arkills Author of LDAP Directories ExplainedLDAP Directories Explained