What tools do you use and recommend for automating administration tasks for Windows-based computers?
Examples of such tasks include:
- Installing/upgrading software
- Standardizing application settings
- Removing blacklisted applications
A standardized disk image will be used to initially roll out a fully patched and configured Windows installation, so I'm looking specifically for tools and resources that will aid in administering the machines after they are deployed.
I know that some of this can be allowed or prevented using group policies deployed via Active Directory, and that many Microsoft products can be updated and managed through Windows Server Update Services (WSUS).
What do you use for other tasks? AutoIT scripting? PowerShell? Another scripting language? A 3rd party application? Or, is there a better approach to this ongoing task?
We use Group Policy for almost everything these days, and we use a single Windows disk image that we deploy to all of our computers. We also have System Center Configuration Manager installed (the newest version of SMS).
Our image contains all of the commonly-used apps in our facility, but we use Group Policy to expose only the apps that the particular user or group of users need to see. This keeps the Start menu and desktop tidy.
SCCM allows one to install and patch software. This can also be done through Group Policy.
For automation tasks, we use PowerShell heavily. It's well worth the effort you'll put into learning it.
We don't allow users to install apps, so we don't need to remove blacklisted applications much, but if we did it could be done through SCCM as well.
This is a pretty general question. Is there anything in particular you need to know more about?
Regarding your comment on a standardised disk image for initial deployment of the OS, have you looked at using the Microsoft Deployment Toolkit for building and deploying your images?
We have been using this for about two years now and it has really cut down the number of images we have had to maintain, especially around the driver management. We are using it for not only desktop builds but also server builds. It also has great links with SCCM OS Deployment.
We use Windows Systems Management Server for a lot of what you describe. Also another application called Softricity SoftGrid does some things you might be interested in.
We use Active Directory and GPOs for as much as possible due to the ease of deployment and management. It's good to note that there are lots of helpful tools and .adm templates out there that let you extend management through GPOs to more than just stock Windows settings.
We also use WSUS, which is pretty hard to beat for patch management. For other tasks, we automate with scripts written in Python (it's easy to write quickly in and comes with batteries included) as well as good old-fashioned batch scripts. Backup is a good example; one script runs jobs in ntbackup, osql database dumps, and exmerge brick-level mailbox backups, encrypts it all, puts it where it needs to be, and emails the logs when it's finished.
SMS became SCCM, in case there is any confusion. We use Altiris, which is a competitor product, for software deployment and tracking. However, those solutions tend to be a bit expensive if you're talking about a small business. In cases where I've supported that type of situation, I built standard images using a tool like Symantec Ghost which had the common software installed (like Office). Then I figured out how to automate installs of the other software packages using batch scripts. When a new system came in or one had to be re-imaged, then I could run those scripts to ensure the right software was installed.
One of the best solutions, if you can enforce it, is to take local administrator rights away from end users. In most cases this is doable and is a political fight. This helps reduce work due to application settings and almost completely eliminates cases where users install blacklisted software. It also tends to reduce support calls due to malware.
One thing that I have done in the past is to put a shortcut to a script on every machine's desktop. In this central script I put all kinds of fixes, patches, data collection, logging, etc. Users were able to run this script and "reset" applications. For example: Certain application settings that are in HKCU would get out of whack occasionally. Users just knew to hit the reset script and get back to square one if certain things went wrong. It remapped drives and printers based on different triggers. We started doing it a long time ago after we abandoned roaming desktops in the NT days. Users could switch desks and ensure everything was configured to a certain baseline.
Occasionally we would use something like PrimalScript to package a VBScript under local elevated privs to get an emergency fix out that users couldn't install. Definitely a roll-your-own type of approach, but it's simple, extensible, and very effective. Once users are accustomed to the idea of using it, problems are resolved quickly with little downtime. You can get pretty creative with it.
I would also strongly second the idea of removing local admin rights if possible (this can be problematic with laptop travelers though).
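A report-only check that supports the advice in the answers above to remove local administrator rights, added here as an example and not code from any of the posters: it lists members of the local Administrators group that are not on an approved list. The function name `Get-UnapprovedLocalAdmin` and the `EXAMPLE\...` group names are hypothetical, and it assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets.

```powershell
# Added example: report-only audit of the local Administrators group.
# Nothing is removed; the output is meant to be reviewed or collected centrally.
function Get-UnapprovedLocalAdmin {
    [CmdletBinding()]
    param(
        # Constructed placeholder names; replace with the groups your policy allows.
        [string[]]$ApprovedName = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation-Admins')
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the lookup
    # also works on localized Windows where the group has a different name.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    }
    catch {
        # Enumeration can fail, for example when the group contains an orphaned SID.
        Write-Warning "Could not enumerate Administrators on ${env:COMPUTERNAME}: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        $sid = $m.SID.Value

        # The built-in local Administrator account always has RID 500.
        $isBuiltinAdmin = ($m.PrincipalSource -eq 'Local') -and ($sid -match '-500$')

        # -contains is case-insensitive, which matches how Windows treats account names.
        if ($isBuiltinAdmin -or ($ApprovedName -contains $m.Name)) { continue }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Class    = $m.ObjectClass      # User or Group
            Source   = $m.PrincipalSource  # Local, ActiveDirectory, ...
            SID      = $sid
        }
    }
}

# CSV rows are easy to append to a share or ship to a log collector.
Get-UnapprovedLocalAdmin | ConvertTo-Csv -NoTypeInformation
```

Run from a startup script or a scheduled task, an empty result means the machine matches the approved list; any row is an account or group to review before rights are taken away.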
These days Microsoft's own imaging system is strongly recommended over any hard-image solutions like Ghost. The basic tools are free and you use included services like Windows Deployment Services (WDS) and free accelerators like Microsoft Deployment Toolkit (MDT) to easily deploy them.
Group policies are for basic configuration and can do stuff like allowing laptop travellers to change their network settings without being administrators as well as setting various defaults, forced settings and running scripts depending on a number of criteria.
Adding a more complex solution on top of this to more easily manage third party applications would be wise, depending on the environment's size. The System Center series is available in smaller varieties like Essentials and the now defunct EBS or as full-grown products like Configuration Manager which would be a decent first step if Essentials doesn't fit the scale.