So I’ve Upgraded To Vista And Office 2007

I’ve just made the big leap to Windows Vista (x64) and Office 2007.  I’ve been using Office 2007 right through the public beta process.  I hadn’t done much with Vista since its first public beta release up until I did my WDS document.

It’s not possible to upgrade from Windows XP x64 to Vista x64.  The installer tells you that you need XP with SP2.  XP x64 is at SP1 but it is actually SP2 under a different name.  I did install SP2 RC for XP x64 and tried to do an upgrade but that wasn’t allowed either.

I backed up my data, documented my drivers and did a fresh install.  It’s not a labour intensive process at all.  I entered some information at the start and left the machine to its own devices while I watched some NFL action from last night.  I came back up and found the machine was waiting for me.  But hold on … it didn’t ask me what domain I wanted to join.  I had a sinking feeling.

My XP x64 installation used an Atheros Wireless Network Adapter driver for my Netgear WiFi NIC.  That driver was not auto detected.  I supplied the XP driver which was installed but would not start.  Vista x64 requires drivers to be signed and the driver wasn’t signed.  The RC1 release of Vista allows you to disable signing but that no longer works.  An alternative is to boot up using <F8> and to disable the forcing of driver signing.  I’m not into that.  I ended up configuring RRAS on my server and setting up a hub between my PC and Wi-Fi router with the server as an intermediate router.  I’d been thinking of "wiring" my office anyway.  I wanted better speeds for copying batches of large CR2 Canon DSLR RAW files between my PC and server.  I also want to get ISA 2006 up and running on the server.

I added the machine to the domain.  It’s fast.  IE in Vista is faster than IE7 on XP x64.  I like it.  Things have moved around a lot.  It took me ages to set a static IP on my LAN NIC.  This could take some getting used to.  UAC can be a little annoying. 

I’ve read some threads about a problem that some have had with logon scripts and Vista.  Well … my logon script did not run.  People are saying it will run if you disable UAC.  That’s not good.  My first suspicion lies with Defender because I’ve seen it block run-time scripts before.

I then installed Office 2007.  Like I said, I’ve been using it for some time now.  It took a while to get used to Word but I like it now.  It is much faster than the beta or RC releases.  Outlook 2007 is a dream.  It picked up my logon credentials and automatically searched AD to find out how to configure my profile.  Outlook opened up and immediately started to configure my local cache.  I like it!  I downloaded the add-in for Office 2007 that allows you to save files as a PDF.  That works nicely and will come in handy for my website documentation.

Now I’ve gotta get VMware, Photoshop, printer drivers, and all the other good stuff installed.

Disable Devices Via Group Policy

Have you ever wanted to disable USB storage, floppy disks or CD-ROMs by group policy?  If you’re in a security sensitive or regulated organisation then it’s something that you definitely want to do.  In the past I’ve used a 3rd party solution that fit my needs perfectly and was simple to deploy and manage.
 
Just now, one of the guys on my client site informed me of an article he found on Daniel Petri’s famous blog.  It references a KB article on Microsoft’s website.  The solution is an ADM template that can be imported into a GPO.  The template controls the start up of the CD-ROM, floppy and USB storage drivers.  The latter does not affect USB mice or keyboards.
 
It looks like a nice, simple and free solution.  Daniel has extended the ADM by adding some documentation.  I’d take it a little further:
 
  • I’d create a group for Floppy access, USB storage access and CD-ROM access.
  • If I had multiple sites with delegated security administration, I’d use nested groups with the member groups located where local administrators could manage the membership.
  • It’s a per-machine setting so I’d place the machines in the appropriate groups where the users require access.
  • I’d create a GPO for each device type to be managed, e.g. Block USB Storage Access, Block Floppy Access and Block CD-ROM Access. 
  • Using GPO filtering, I’d deny the "Apply Policy" permission to each group on the appropriate policy, e.g. the Floppy Access group would be prevented from applying the Block Floppy Access policy.

Problems:  It’s a per-machine setting.  What prevents a user from going to a PC that has access in order to copy or steal data, bring in unauthorised materials, etc?  Things are going to be tricky when you need to change how the policy is applied, e.g. when a user or administrator needs temporary access, the services must be unblocked and started.  The policy supports USB Storage, Floppy drives, CD-ROMs and super floppies.  Maybe it can be extended to other devices but I don’t know.
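One way to check what the template has actually done on a given machine, as an added example that is not part of the original post or the KB article: it reads the start type of each storage driver service from the registry and flags any device class that should be blocked but can still load.  The service names (USBSTOR, Cdrom, Flpydisk, Sfloppy) are the standard Windows driver services and are assumed to be the ones the template manages; the function names and the -AllowedServices parameter are hypothetical.

```powershell
# Added example: local audit of the storage driver start types.
# Assumption: the ADM template works by setting the "Start" value of these
# standard Windows driver services (names not taken from the post).
$StorageDrivers = [ordered]@{
    USBSTOR  = 'USB storage'
    Cdrom    = 'CD-ROM'
    Flpydisk = 'Floppy disk'
    Sfloppy  = 'Super floppy'
}

# Meaning of a service's Start value in the registry.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-StorageDriverState {
    foreach ($service in $StorageDrivers.Keys) {
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
        $prop = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue

        if ($null -eq $prop) {
            # No service key or Start value: the driver is not installed here.
            $start = $null
            $state = 'Not installed'
        } else {
            $start = [int]$prop.Start
            $state = $StartTypes[$start]
            if (-not $state) { $state = "Unknown ($start)" }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Device   = $StorageDrivers[$service]
            Service  = $service
            Start    = $start
            State    = $state
            Blocked  = ($start -eq 4)
        }
    }
}

function Test-StorageDriverPolicy {
    # Services this machine is allowed to use, e.g. from its group membership.
    param([string[]]$AllowedServices = @())

    foreach ($row in Get-StorageDriverState) {
        $shouldBlock = $AllowedServices -notcontains $row.Service
        # A finding is a device class that should be blocked while its
        # driver is installed and still allowed to start.
        $finding = $shouldBlock -and ($null -ne $row.Start) -and (-not $row.Blocked)
        $row | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
    }
}

# Example: this machine sits in the (hypothetical) CD-ROM access group only.
Test-StorageDriverPolicy -AllowedServices 'Cdrom' | Format-Table -AutoSize
```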

In the past I have used DeviceLock.  It’s a simple tool to deploy.  It can manage the basic devices as well as WiFi, Bluetooth, Firewire, Serial, etc.  It is done on a per group and per device basis and is set up like NTFS permissions with a schedule.  In the basic settings it uses some local groups and administrators to grant access.  I populated the local groups using GPO Restricted Groups to grant access to selected users.  Users could move from machine to machine and always had their designated access or non-access as the case may be.  A central policy console as well as GPO integration was available.

If I had the choice, I’d go with DeviceLock.  It was just so simple to deploy and manage.  But if you have a tight budget then maybe this custom ADM is a solution for you.

Windows Server System Reference Architecture

MS TechNet Ireland provided a link to this Microsoft website today.  I’ve not seen the Windows Server System Reference Architecture site before but it appears to have been around for a while.  The WSSRA site provides a collection of documents for designing a best practice Microsoft Infrastructure from the ground up.  This is what MS says about WSSRA:
 
"Windows Server System Reference Architecture (WSSRA) is a detailed reference architecture, tested and proven in labs, that yields valuable implementation guidance for meeting the requirements of an enterprise. Customers can use this guidance to build highly available, secure, scalable, manageable, and reliable enterprise infrastructure. By following the recommendations in the WSSRA documentation, an organization can quickly and efficiently plan, build, and operate an infrastructure to support its long-term business needs".
 
 

Two Months In

My blog has now been running for just over two months.  I’ve been monitoring the stats and I’ve got to say "thank you" to everyone who’s reading.  I’m amazed by how many RSS subscribers there are and by how many document downloads I’ve had over the two months.

I started this thing off as something to hang off of my CV/resume (e.g. "Look… I do know this stuff"), to motivate me to learn more and to share what I’ve learned.  Seeing the growth in hits is spurring me on and giving me encouragement to keep things up.

Ramsay’s IT Nightmares

I’ve just been watching "Ramsay’s Kitchen Nightmares" and it brought me back to some conversations I used to have with a former workmate about the show. Myself and my buddy, GB, used to reckon everything that Gordon Ramsay said in his show applied not only to running a successful restaurant but also to a smooth running IT infrastructure and department. Gordon Ramsay stresses 3 things:

  1. Good ingredients that work together;
  2. Good communication and
  3. Keep it simple.

Me and GB reckoned that if you applied all three, then things would run smooth. I ran a Windows infrastructure team. GB ran the helpdesk. Our teams ran smooth as silk. The infrastructure was under complete control and we always knew where each other team was.

Based on my experiences, I can say the same is true for everyone. In fact, a smooth running IT infrastructure seems to be a rare find, in my opinion.

The Ingredients

Anyone who knows me or has read a little of my blog knows that I have a bias towards Microsoft solutions. Why? They work. They also work together. That last word is critical. Together. Way too often I’m in on sites where people have tried to save a few Euros by buying Honest Joe’s system management solution or Danny Boy’s archive. In order to get these solutions to work the staff end up having to re-invent the wheel or jimmy in the solution to their infrastructure. What happens is that they increase complexity, introduce fragility and waste so much effort that any savings they thought they were making have disappeared into the ether.

Before I go any further, I’m not saying you have to always buy a solution from Microsoft. I am saying that if you run a Microsoft network, you might want to adopt solutions that follow best practices from that company. The same goes for implementing solutions for a Sun or Linux network.

When GB and I worked together, we tried to find the best solutions we could. We tested and we hammered salesmen and consultants. We had no problem bringing members from other teams in to make sure that solution X was best for the network. Using the best solutions that we could afford meant that the solutions worked for us and not the other way around which seems way too prevalent.

Find the best ingredients you can afford that work with what you have got. When the ingredients work and work together then your customer will notice the difference.

Good Communication

Everyone in the IT department must communicate and communicate openly. I’ve seen all sorts of scenarios in my time. I’ve seen IT organisations where the departments just flat-out don’t talk to each other. I’ve seen a senior sys admin who refused to share information because he saw himself as sitting on an ivory throne and sharing could "threaten" his position. A polar opposite was a senior admin who didn’t communicate so as to hide his weaknesses and poor decisions. I’ve seen inter-site politics destroy an IT organisation. I’ve seen senior management that did not communicate with their IT department. And I’ve been lucky enough to work in a department where communication was open, clear, proceduralised and facilitated a good working organisation.

Imagine a team of people who go off on a project to implement a reporting solution. A few team members spend months writing this solution. They get Apache web server, programming languages no one has ever heard of, have servers all over the place running as "pollers", copying data left, right and centre. Then I come along and ask what they’ve been doing. I find out they’re assembling the mother of all reporting engines for SQL 2000 that will run on a web server. Hmm, if only they’d mentioned this to me before. Maybe I could have suggested that they install SQL Reporting Services. All that wasted effort because some people didn’t communicate.

Communication is a 2 way thing too. When I did mention SQL Reporting Services, it was as if I had never spoken. They couldn’t let their bosses know that they’d wasted probably 12 man-months developing a solution that they could have just downloaded from the Internet.

Communication must be clear between management, the teams, the team members and the users. If you cannot work together then you might as well not come into work. There’s loads of ways to communicate; I’m not going to waste bandwidth babbling on about that. But if the communication does not work then the infrastructure does not work. If the infrastructure doesn’t work then your customer doesn’t work. It won’t be long until your "restaurant" closes down.

When management, the staff in the kitchen and the staff on the floor work in unison, there is a better chance that your customer will be happy.

Keep It Simple

It amazes me how IT organisations ignore this one. There is some genetic fault in the human race where we cannot keep our solutions simple. We’ve always got to think short term and find a MacGyver solution. This might solve whatever problem is there now but 2 months down the line, it’s going to kick you in the backside. I’ve lost count of the meetings I’ve been in where other "engineers" start focusing in on the first brainfart that crosses their minds. And then they get angry when I start asking about how this will work if X users are involved or what will it be like during an AD upgrade or in 6 months’ time. They’re always thinking of now and of the tiny little space that is the problem. The big picture is always ignored.

Something I’ve learned over the years is to keep it simple. Way too many organisations introduce unnecessary complexity. Complexity introduces fire fighting. Fire fighting means there is downtime. Downtime means the business (your customer) is losing money.

If what you provide to your customer is simple, elegant and not complex, then you know that you can provide a timely, efficient, cost sensitive solution that will make your customer happy.

The Customer

No restaurant can exist without customers. The same goes for IT. If the IT department is not getting the job done, changes will be made and you might not like what happens then. Use the best ingredients you can. Communicate with each other and the customer so that everyone can do the best they can and meet on a common ground. Keep what you are doing simple. Making things complex delays your solutions and makes them prone to be faulty.

Above all else Gordon Ramsay probably hates unsafe food going out to his customers. The same should hold true for an IT department. Use best practices for everything you do. Don’t fall into the trap that I see way too often. In this business arrogance is one of the most common traits. Everyone thinks they know best. Do your research and find out what is the best way to do things. Don’t rely on old knowledge or do what you’ve always done before.  Those who don’t learn from history are damned to repeat its mistakes.

I’m not saying all of this is easy.  Far from it.  I’ve been looking for this sort of chemistry since GB and I worked together and haven’t come close to finding it.

Maybe a few of these tips will help you avoid your own personal IT nightmare.

I’m in Print!

If you turn to page 42 on this month’s issue of Windows IT Pro, you’ll find yours truly quoted in print.  A while back, one of the guys from there, Jason Bovberg, started a thread on MR&D to do some research for this issue of the magazine.  He asked about our experiences in the industry, how we see work and home life interacting and about our perception of the IT community.  Myself and a number of other MR&D members were quoted.

Dublin Launch of Windows Vista, Office 2007 and Exchange 2007

The launch for Windows Vista, Office 2007 and Exchange 2007 will be next Tuesday in Croke Park.  Big customers and probably large partners have been invited to the event during the day.  The rest of us plebs had the chance to reserve places at the 2 * 1.5 hour evening events (details here).  The last I heard, the 17:30/18:00 session was booked out.
 
I just got a mail today from the event organisers who have promised a license of Windows Vista Home Premium for every attendee.  You’ll have to download the media.

Minasi Group Meeting

Members of the MR&D Forum will be meeting up for our second annual meeting in May 2007 in Virginia Beach.  The first event which was held earlier this year was a huge success.  We learned loads from each other, got to know each other a bit better and consumed lots of fine food and alcohol. 
 
The 2007 event will officially kick off on May 3rd but we’re likely to have a big kick-off dinner again on the night before.  Some of us are flying in early.  There’s going to be a bigger gathering next year and it looks likely that a larger contingent will be heading over from Europe.
 
Based on conversations so far, we’ve got an interesting itinerary lined up.  Mark Minasi will likely have loads of Vista and Longhorn information for us.  Rhonda Layfield has done loads on Windows 2003 R2 (her chapters in the R2 book are excellent), is currently doing some stuff on WAIK and maybe we can get her to do an updated version of her Netmon session for V3.  Nathan Winters will likely bring us up to speed on the cool stuff in Exchange 2007.  Curt Spanburgh is a sure bet to discuss MS Dynamics, something I know next to nothing about.  We’ve also got one confirmed special guest and my fingers are crossed for the second one.  Last year, Todd Lammle scared the $&!£ out of us with his presentation on IPv6.  This was a great chance to learn from people who are MVPs, authors, world-renowned experts and at the cutting edge in terms of design and best practices.
 
It’s not just a geek fest though.  We had as good a time after the sessions in the bars and out at Mark and Rhonda’s house.  Rhonda really spoiled us rotten!
 
Attendance fees will cover the costs of holding the event and the evening’s entertainment and transport.  The only other costs are getting there and staying in the hotel (on the beach!).
 
A special thanks has to be given to James Summerlin for organising the entire event.

Network Monitor 3.0

Credit goes to Paul Williams for this one.
 
Microsoft has released version 3.0 of Network Monitor.  They’ve chosen to maintain the distribution of the free product on Connect because they like the feedback they’ve been getting.  I haven’t had a look at it yet (there are way too many new MS products to keep up) but here’s what I’ve read:
 
  • Network Monitor is no longer part of the new SMS (Configuration Manager 2007).  Netmon 3 will therefore be fully featured unlike the previous free versions, e.g. there will be a promiscuous mode.
  • A new user interface.  Filtering is supposed to be easier to do than before (it was messy!).
  • "Near" real-time capture and display.
  • The ability to capture traffic from multiple NICs at one time.
  • You can identify and track network "conversations".
  • Support for W2003/Vista/XP on x32 and x64.

The Netmon team claim it is a whole new product that took 2 years to complete.  They’ve launched a blog.  There is a Netmon 3 FAQ on the Connect site.

Powershell Information Sources

I just started reading a little about Powershell syntax yesterday.  It’s different, especially for someone like me who grew up with PASCAL, COBOL, C, C++ and lately has been using VBS.  Anyone who’s been doing VBS scripting will know that a "simple" task can require lots of code to create the required logic.  Powershell aims to solve this.  Here are some sources on Powershell:
 
  • TechNet Magazine did a nice little introduction in this month’s issue.  There’s no excuse not to read this free publication.
  • MS have a bunch of webcasts that you can view.
  • The Microsoft TechNet ScriptCenter has a repository of Powershell scripts.  I regularly hit their VBS repository for sample code to tweak to my needs.  These guys also have their own homepage for Powershell.
  • A documentation pack for Powershell 1.0 is available.
  • The Powershell team is running a blog.
  • The MR&D Forum has a dedicated section on Powershell.
  • SAPIEN Technologies has started their own Powershell blog.

You may be one of those admins who reckons they don’t need to know anything other than batch scripting.  But what will happen when you need to make changes to X number of Active Directory objects?  What will you do when you need to do file manipulation that can’t be done from normal command line options?  Powershell will be implemented with new MS Infrastructure solutions, further opening up the power of scripting.  Exchange 2007 will enable Powershell scripts to dig deep, e.g. a mail store can be opened just like a file system folder!