In-Depth
Automating the Desktop
Making your job easier, one tool at a time.
- By Peter Varhol
- 11/01/2007
Your company may be growing, but the IT group isn't. There are twice as many
desktop systems at your facility as there were five years ago, plus a proliferation
of notebooks, BlackBerries and other edge devices. You've just added a dozen new
application and file servers and plan to add more in the next six months. Yet you
have the same team you did before that growth spurt. You've cut some corners and
use a few tools for automated patch distribution and password resets, but you
haven't really looked into other ways of improving your processes.
It gets worse. There are more tasks to do, as well as more systems on which
to do them. Security, patching and application maintenance are just a few of
the tasks that require more time today. You have to make the hardware last longer,
which means periodically cleaning up the systems because they became too cluttered
with extraneous utilities and files. It would have saved you a great deal of
effort if you could completely lock down the systems, but management insists
that open access is required for business reasons.
If you're on the help desk, in desktop support, or are required to roll out
new applications and patches and perform regular maintenance on applications
and systems, you're looking for ways to work smarter. How can you perform the
variety of everyday tasks in a way that lets you take on additional work, and
additional desktops, with little or no increase in resources?
I looked at several tools that make it possible to automate processes and tasks
on desktop systems. These tools are more complementary than competitive in that
they perform different actions. Used separately, they can help with specific
tasks that are highly time-consuming. Taken together, they can put a serious
dent in your day-to-day workload.
BeyondTrust Privilege Manager
Security, access control and data protection remain among the biggest consumers
of administrator time. They are important considerations; an increasing number
of enterprises are locking down user desktops and limiting them to running as
standard users. But when you do that, you can suffer a significant loss of functionality
from applications. Some application features may not work without higher privilege
levels; other applications may not work at all.
Privilege Manager 3.0: Redmond Rating
Installation (20%): 7.0
Features (20%): 9.0
Ease of Use (20%): 9.0
Administration (20%): 9.0
Documentation (20%): 8.0
Overall Rating: 8.8 (as published; the five equally weighted scores above average 8.4)
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional
BeyondTrust Privilege Manager keeps all of the applications in the enterprise
-- and all of their features -- accessible to the users who need them. Its goal
is to establish a least-privilege policy for all users and all applications
on the network, and elevate that privilege automatically only when required
by the application being used and the work being performed.
You install Privilege Manager on any system on the network, using an account
that has the ability to set and maintain policies. Privilege Manager is implemented
as a true Group Policy extension, and allows administrators to attach permission
levels to applications. All you have to do is specify the application and which
security groups should be added to and/or removed from the process token when
the application is launched.
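A quick way to see what such a rule did to a launched process's token, as an added example that is not part of the article or of BeyondTrust's product: run this script as the test user, once from a normal launch and once from a launch covered by a rule for powershell.exe (that rule and its scope are assumptions of the example, not something the article configures). The output shows whether BUILTIN\Administrators is actually enabled in the token, what attributes it carries, and the process integrity label.

```powershell
# Added example, not part of the original article or of Privilege Manager.
# Run under the test user with and without an elevation rule applied to
# powershell.exe (an assumed rule) to see what the launched token contains.
function Get-TokenSummary {
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $prin = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole counts only groups that are *enabled* in the token. A filtered
    # (non-elevated) token may still list Administrators, but marked
    # "deny only", so this stays $false until the group is truly added.
    $isAdmin = $prin.IsInRole($adminRole)

    $groups = foreach ($sid in $id.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }

    # whoami exposes per-group attributes and the integrity label, which
    # WindowsIdentity does not surface.
    $rows     = whoami /groups /fo csv | ConvertFrom-Csv
    $label    = ($rows | Where-Object { $_.Type -eq 'Label' }).'Group Name'
    $adminRow = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User                  = $id.Name
        AdministratorsEnabled = $isAdmin
        AdministratorsAttrs   = if ($adminRow) { $adminRow.Attributes } else { 'not in token' }
        IntegrityLabel        = $label
        GroupCount            = @($groups).Count
        Groups                = $groups
    }
}

$summary = Get-TokenSummary
$summary | Select-Object User, AdministratorsEnabled, AdministratorsAttrs, IntegrityLabel, GroupCount | Format-List
$summary.Groups | Format-Table -AutoSize
```

If AdministratorsEnabled flips from False to True between the two runs, the rule added the group to the process token rather than merely launching the program; if the attributes still read "Group used for deny only", the token was not changed and the application's failure lies elsewhere.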
I created a test user as a standard user on my network and launched an application
that I knew required administrator privileges to execute some of its functions.
Sure enough, the application warned me that as a standard user I wouldn't have
access to some features. Through trial and error, I identified a couple of features
that wouldn't work. I went back to Privilege Manager, identified that application
and raised its privilege level to Administrator, then launched the application
again. I received no warning, and I was able to run the features that were previously
inaccessible. Configuring Privilege Manager and gaining complete access to all
application features took less than 10 minutes, even though I was working without
reference to instructions.
In another case, an application wouldn't launch at all for a standard user,
displaying a message saying that privileges were not sufficient. Once again,
launching Privilege Manager, changing the test user's privilege level for that
application, and starting the application up once again -- successfully, this
time -- took only a few minutes.
The software has a default set of applications and settings to get you started
in cases where the privilege needs are known and the application is a popular
one. It also provides for reporting on applications accessed and used, as well
as what security levels were required. Admins can use its reports to get a better
idea of the need for different levels of access for enterprise applications.
Figure 1. The Privilege Manager Group Policy Object Editor enables an admin to fine-tune group privileges to provide required access without granting too many privileges.
Privilege Manager offers a great deal of flexibility in setting privileges
for users, applications and even application components. Because it works by
editing the security groups in the process token at launch, it can raise or lower
privilege for anything started under a policy. One caveat applies to any per-application
elevation: a rule that adds Administrators to the token hands that privilege to
everything the elevated process can spawn, including a shell opened from its file
dialog, so rules should be scoped as narrowly as the application allows. It's not a sexy
application by any means, but it can be essential in keeping a locked-down environment
for security and access reasons, while also enabling users to do legitimate
work with applications they're authorized to use.
I saw very little downside to Privilege Manager. Arguably, the features and
flexibility it provides are essential as enterprises navigate the transition
to Windows Vista over the next several years. In particular, any enterprise
with a number of custom applications is probably having a great deal of difficulty
implementing its security and access policies, as custom software is notorious
for requiring admin privileges to use. As enterprises continue to press access-restriction
policies, a tool like this may become very difficult to do without.
Advanced Systems Concepts ActiveBatch
An important part of automating the desktop is the ability to execute tasks
across large numbers of systems. While the scripts typically run from the server,
they can perform actions on individual desktops that provide an automated way
of accomplishing repetitive tasks.
ActiveBatch: Redmond Rating
Installation (20%): 7.0
Features (20%): 9.0
Ease of Use (20%): 8.0
Administration (20%): 8.0
Documentation (20%): 8.0
Overall Rating: 8.0
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional
ActiveBatch addresses the problem of automating those sequences of repetitive
tasks across the desktops. The key to ActiveBatch is workflow. The product focuses
on accomplishing sequences of processing that complete a complex task or set
of tasks that can be broken down into a discrete series of steps.
I had some difficulty setting up the database necessary as a precondition to
installing ActiveBatch. Rather than offering an integrated MSDE install like
Desktop Authority, it required a new or existing SQL Server installation available
before installing the software. It couldn't connect to my existing implementation
(SQL Server 2005 Developer Edition), so I had to recreate a database connection
for it to work with.
ActiveBatch lets you accomplish a variety of different things, including support
for Active Directory and Windows security, the ability to perform SQL queries
and search for the presence of specific files, and the ability to schedule script
execution and run in a resource-constrained environment. Virtually any server
or desktop task can be scripted and run automatically. The catch is that you
have to write the scripts to do the automation, but once written, they should
require little or no change.
Its scripts employ variables in a hierarchical structure that allow scriptwriters
to easily pass information between scripts. This means you can string scripts
together to perform a series of activities while keeping them separate for flexibility
or maintenance purposes.
ActiveBatch lets you compare specific changes and approvals for each revision
level of a process or script to a previous or baseline change. In doing so,
it identifies and documents what has changed. This provides both a change log
for administrators seeking to find out what has changed and why, and an audit
facility for reporting on changes for compliance purposes.
Figure 2. ActiveBatch lets you set a trigger so that if an event or sequence of events occurs, you can execute a specific response.
One of the things I really liked about ActiveBatch is the ability to design
reasonably complex and complete scripts without having to actually write code.
It also provides you with a set of library functions that script typical tasks,
often requiring only very minor changes to work in unique environments.
Overall, if you're looking for a scripting solution that helps you design and
maintain workflows, ActiveBatch will get the job done for you. That's especially
true if you have a mixed server environment, as it supports Windows, Linux,
AIX, Solaris, HP-UX and OpenVMS. If you're tired of maintaining dozens of Perl
scripts or shell scripts to automate parts of your desktop administration, ActiveBatch
can take a lot of pain out of building workflow scripts and keeping them up-to-date.
Is Hardware the Answer?
While you might normally think of software tools for automating desktop management
and maintenance, sometimes it makes sense to think about hardware. If plugging in
a hardware box for management agrees with you, take a close look at the KACE KBOX
solution. The KBOX is a 1U rack-mountable, server-type system running FreeBSD that
helps automate a number of different areas, including help desk, desktop hardware
and software management, system monitoring and a host of other tasks.
Figure A. KBOX provides help-desk functionality that lets admins track and correct issues without visiting every system.
Setting up the KBOX is easy, especially with the sales engineer-guided Web conference
that KACE provides to all customers. The shipping box also includes a large sheet,
a la Dell, with simplified instructions on setting up and configuring the KBOX and
deploying agents to the local systems. Once you configure the KBOX through its
console and hook it up to your network, you can bring up its Web interface and have
an amazing number of tools at your disposal.
Logging in as administrator, you can deploy KBOX agents to
any number of systems on the network, either manually, one
system at a time or automatically based on an IP address range.
The agent runs as a service on Windows PCs. Once you have
an agent installed, you can get a complete hardware and software
inventory of that box. In addition, you can package up software
and prepare it for installation, monitor license compliance,
obtain patch status and more things than I can name. The agent
communicates back to the KBOX and to your dashboard as often
as you'd like; the default is every two hours.
The amazing thing is the amount of information you have at
your disposal. Can't lock down your desktops but concerned
about unlicensed software? Check. Have no way of determining
if all of your systems are up-to-date with patches? Check.
Need to know the versions of all installed software to make
sure everyone is compatible? Check.
While not strictly a desktop solution, the KBOX does have
certain things going for it. First, the cost is fixed and
not dependent upon the number of desktops. Second, it helps
to automate a large variety of tasks, rather than just one
or two. Its Web interface provides a nice dashboard for you
to obtain, monitor and change just about any desktop configuration.
Lastly, it's easy. There's no reason why KBOX can't be on
your network, installing agents on the desktops, in less than
30 minutes after you open the box. -P.V.
ScriptLogic Desktop Authority
The bread and butter of desktop automation includes desktop management, patch
deployment, anti-spyware and interactive, Web-based remote management of individual
systems. If you automate tasks such as these, you've probably taken into account
more than half of the manual effort that you may spend on individual desktops.
Desktop Authority: Redmond Rating
Installation (20%): 9.0
Features (20%): 9.0
Ease of Use (20%): 9.0
Administration (20%): 9.0
Documentation (20%): 8.0
Overall Rating: 8.8
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional
ScriptLogic's Desktop Authority does just that. It automates the day-to-day
tasks that are the most mundane yet typically take an incredible amount of manual
effort. It focuses on management, inventory, security and support.
Desktop Authority installs automatically onto a desktop system. You can use
an installed or networked SQL Server installation to hold configuration information,
or a local MSDE installation that the software will install for you. Once installed
and once the database is configured, the software presents a comprehensive console
to perform a variety of activities targeting desktop systems.
For desktop management, Desktop Authority provides a way to centralize log-on
scripting, group policies and user profiles across the range of desktops. Further,
it enables desktop client configuration automatically throughout the day. This
allows midday configuration updates, configuration of mobile workers using cached
credentials and continual security-policy enforcement. In addition, you can
deploy MSI-based applications from a central location via a distributed MSI
repository, letting you perform remote desktop installs. Of course, it also
does patch distribution in a similar way. While it's not the only tool that
can do this, combined with the other desktop-management features, it's as close
to a comprehensive remote deployment solution as you can get.
How about inventory? That's the reason for the SQL Server database installation.
Desktop Authority uses the database to check systems and report against information
stored there. You can take an inventory at regular intervals and match its results
against previous inventories. That way you don't have to lock down systems,
yet you can monitor license compliance over time.
Figure 3. One of Desktop Authority's features is collecting and maintaining inventory on desktop systems scattered across the enterprise.
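The inventory-over-time idea described above, as an added example that is not Desktop Authority's own code: the script reads installed software from the Windows Uninstall registry keys, writes a snapshot, and on the next run reports what was added, removed or changed version since the saved baseline. The baseline file location is an assumption of the example.

```powershell
# Added example, not Desktop Authority's code. Snapshots installed software
# from the registry and compares it with the baseline saved on the last run.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SoftwareInventory {
    # One entry per product, keyed by display name; version kept for change detection.
    $inv = @{}
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $inv[$_.DisplayName] = [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
            }
        }
    $inv
}

function Compare-Inventory {
    param([hashtable]$Baseline, [hashtable]$Current)
    $added   = $Current.Keys  | Where-Object { -not $Baseline.ContainsKey($_) }
    $removed = $Baseline.Keys | Where-Object { -not $Current.ContainsKey($_) }
    $changed = $Current.Keys  | Where-Object {
        $Baseline.ContainsKey($_) -and $Baseline[$_].Version -ne $Current[$_].Version
    }
    [pscustomobject]@{
        Added   = @($added   | ForEach-Object { $Current[$_] })
        Removed = @($removed | ForEach-Object { $Baseline[$_] })
        Changed = @($changed | ForEach-Object {
            [pscustomobject]@{ Name = $_; From = $Baseline[$_].Version; To = $Current[$_].Version }
        })
    }
}

# Baseline location is an assumption of this example.
$BaselinePath = Join-Path $env:ProgramData 'inventory-baseline.json'
$current = Get-SoftwareInventory

if (Test-Path $BaselinePath) {
    # Rebuild the hashtable from the JSON array written on the previous run.
    $baseline = @{}
    foreach ($p in (Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$p.Name] = $p }
    $diff = Compare-Inventory -Baseline $baseline -Current $current
    'Added:';   $diff.Added   | Format-Table Name, Version, Publisher -AutoSize
    'Removed:'; $diff.Removed | Format-Table Name, Version, Publisher -AutoSize
    'Changed:'; $diff.Changed | Format-Table Name, From, To -AutoSize
} else {
    "No baseline at $BaselinePath; writing one now."
}
# Record the current state as the next run's baseline.
$current.Values | ConvertTo-Json | Set-Content $BaselinePath
```

Run it on a schedule and keep the diffs: a product appearing on a machine that has no license for it, or a version rolling backwards after a patch, shows up in the Added and Changed lists without having to lock the desktop down. The registry view misses portable executables that never register an uninstaller, which is why a file-system inventory is still worth pairing with it.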
Desktop Authority uses USB and external port locking to protect against data
theft and the introduction of malicious software. By applying a policy-based
lockdown of removable storage and communication devices, it puts in place a set
of restrictions that thwart the simplest and most common type of data theft. One
caveat applies to any client-side lockdown of this kind: a user who is a local
administrator can reverse it, so it belongs alongside the least-privilege work
described earlier rather than in place of it. The product also protects against
spyware and provides reporting and removal.
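To verify that a removable-storage lockdown actually landed on a desktop, here is an added example that is not Desktop Authority's code: it audits two Windows settings, the USBSTOR driver start type and the Deny_All value written by the "All Removable Storage classes: Deny all access" Group Policy setting, and offers a function to apply both. The choice of these two controls and the decision to treat either one as sufficient are the example's own.

```powershell
# Added example; not Desktop Authority's code. Audits, and optionally applies,
# two Windows removable-storage lockdown settings.
$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$RsdPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStorageState {
    # USBSTOR Start: 3 = driver loads on demand (the weak default); 4 = disabled.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    # Deny_All = 1 is what the "All Removable Storage classes: Deny all access"
    # policy writes; absent or 0 means no policy restriction is in force.
    $denyAll = (Get-ItemProperty -Path $RsdPolicyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All

    [pscustomobject]@{
        UsbStorStart    = $start
        UsbStorDisabled = ($start -eq 4)
        PolicyDenyAll   = ($denyAll -eq 1)
        # Either control blocks USB mass storage; the policy value is preferable
        # because it also covers the other removable-storage device classes.
        LockedDown      = ($start -eq 4) -or ($denyAll -eq 1)
    }
}

function Set-RemovableStorageLockdown {
    # Requires an elevated shell. -WhatIf shows the writes without making them.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($RsdPolicyKey, 'Set Deny_All = 1')) {
        if (-not (Test-Path $RsdPolicyKey)) { New-Item -Path $RsdPolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $RsdPolicyKey -Name Deny_All -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
}

$state = Get-RemovableStorageState
$state | Format-List
if (-not $state.LockedDown) {
    Write-Warning 'Removable storage is not restricted on this host.'
    # To apply from an elevated shell, preview first:
    # Set-RemovableStorageLockdown -WhatIf
}
```

Disabling USBSTOR stops only the USB mass-storage class driver; phones and cameras exposed over MTP/PTP, and optical drives, are separate device classes that the policy key covers per class GUID. Both settings live in the local registry, so a local administrator can undo them, which is why a product that re-applies policy continually during the day, as Desktop Authority does, is more durable than a one-time script.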
As the company name implies (the company was recently acquired by Quest Software
Inc., but is being run as a separate business unit), you can also script the
features provided to give a level of customization to how it works. I didn't
do any scripting in my brief test, but having it there is always a comfort when
you need it.
I found Desktop Authority to provide great information and make a number of
activities involving servicing desktops far easier than they could be done manually.
If anything, the sheer number of features made for complexity; you should know
what you want to do with it before you embark on an exploration of its features.
It can be difficult to decide where to begin.