Executive Summary:
This year's Windows IT Pro Innovators award winners found inventive solutions to problems ranging from automating Web-site creation, tracking logons, and deploying software to doing compliance-mandated auditing and making over an intranet portal.
By definition, IT is a behind-the-scenes profession. Your non-IT coworkers take IT services and your skills for granted—unless, of course, email isn’t working or the network dies, and then suddenly all eyes are on you. Although most IT folks didn’t get into the career to become rock stars, at Windows IT Pro, we believe your talent for solving problems and understanding technology is worthy of recognition.
Giving IT professionals the appreciation they deserve is the main intent of the Windows IT Pro Innovators contest, now in its third year. Among this year’s winning entries are an automated Web-site creation solution, a custom-built internal portal, two solutions that greatly simplified complex software upgrades, and two methods for tracking users’ access to systems and applications. The common thread among this diverse group of solutions is the resourcefulness of the IT pros who created them, using their problem-solving skills and the tools at hand.
We hope this year’s award winners will inspire you when you’re dealing with your own IT challenges. As in previous years, we’ve published the winners’ email addresses, so feel free to contact any of them if you want more information about their solutions.
Grand Prize Winners
Creating Web Sites in a Snap
At most universities, staff, students, and teachers rely on the Web for disseminating college and course-related information. Instructors and professors publish class schedules, assignments, lecture notes, and students’ grades on their Web pages. Staff maintain college and division sites with news and forms for current and potential students. With thousands of sites and hundreds of requests pouring in, keeping up with the demands was straining the University of Wyoming’s small IT staff, as Systems Programmer Rowdy Downey explains. “We were getting 25 to 50 requests per week to manage sites for authors. We have thousands of professors, departments, colleges, units, classes, projects, and so on, all wanting to set up, delete, or manage configurations for their sites. Fulfilling these requests quickly became a massive drain on our time, so I decided to automate the site-creation process.”
Rowdy launched the project by first investigating whether an existing product could do the job he required. “We wanted to create sites that were sandboxed, secure, manageable, and flexible,” he says. “I couldn’t find any \[product\] robust enough to meet our requirements.” Rowdy believed he could build the solution himself, but before he could begin development, he spent a lot of time researching blogs and Microsoft and scripting sites to find the tools, scripts, and techniques he’d need.
Rowdy’s solution consists of a combination of ASP and ASP.NET, plus several Microsoft utilities (adsutil.vbs, iisvdir.vbs, xcacls.vbs, owsrmadm.exe, rmtshare.exe, and sleep.exe), all tied together in a 2,388-line VBScript program. “Although this seemed like a relatively simple automation solution, it quickly proved to be quite involved,” says Rowdy. “The solution needed to be able to create and configure groups, set permissions for sites and databases, set ODBC connections, set metabase configurations, create IIS sites, extend sites with Microsoft FrontPage extensions, create shares, and set share permissions.”
The utility uses the university’s Active Directory (AD) infrastructure and properties set on various universal groups to control authoring and browsing to specific sites. Rowdy developed secure Web interfaces through which faculty, staff, and students can submit requests to create, delete, and manage site properties. Scheduled jobs launch the utility to perform the actual work. The solution handles multiple site-configuration options, including basic sites, FrontPage-extended sites, multimedia streaming sites, calendar sites, development sites, data-access capabilities, site-browse restrictions, and forced Secure Sockets Layer options. This same utility has been ported to provide University of Wyoming students personal sites that they use for portfolios, class assignments, and graduate projects, all with the benefit of automated administration to minimize resource drain.
Hosting the numerous on-campus sites in a secure, sandboxed environment requires running hundreds of application pools concurrently in Microsoft Internet Information Services (IIS) 6.0. This approach has revealed certain architectural limitations of Windows. Rowdy says that moving to 64-bit hardware will ultimately alleviate these problems.
Rowdy says that the Web-site–creation solution has saved the university’s IT staff “countless hours” in the three years it’s been in use. “We went from Web site requests taking a large chunk of time from multiple members of the IT team down to taking maybe one-quarter of a full-time employee’s time. Much of the benefit is realized because site authors can manage their own sites without Help desk intervention. This saves a great deal of time on everyone’s part and is much closer to a real-time solution.” Although faculty and students as well as IT have benefited from the solution, Rowdy found that using his own resourcefulness and technical skills to solve the problem was equally gratifying. “This solution is an example of taking the tools you have available and molding them into the solution you need!”
Custom Logon-Tracking Solution
Keeping track of users’ access to computers is an ongoing challenge for IT administrators. Brandon Jones, a systems administrator at Northern Arizona University—and two-time winner of a Windows IT Pro Innovators grand prize—faced this challenge by developing a custom logon-tracking solution that provides detailed information about students’ computer use in the university’s College of Business.
Brandon, who’s one of four people in the business college’s IT department, decided that the school needed a more efficient way to collect usage statistics for machines in different areas of the business-college building. Several factors led to his decision to develop the solution, ranging from a desire to know whether and when students used lab computers, to the ability to easily view logon data and track user statistics. “Microsoft tools such as event logs and user properties in Active Directory are cumbersome and don’t even approach the level of detail and ease of use we were after,” says Brandon.
The custom solution Brandon developed relies on disparate technologies, including VBScript scripts, Windows user environment variables, and Microsoft Access. Brandon explains how all these tools work together in his solution.
“When a user logs on to a machine in our domain, a Visual Basic logon script creates a new row in an Access database table, containing the username, computer name, and date/time of the logon. The script also creates a unique environment variable (the row number from the database table), which is stored on the local computer during that user’s logon session. When the user logs off, a VBScript logoff script runs and, using the environment variable to look up the appropriate row in the database table, appends the logoff date/time for that user. The result is a single row (containing username, computer name, logon date/time, and logoff date/time) for every logon session that occurs in our domain.”
With the logon information now housed in the database, Brandon can develop queries to specifically pull out needed information as requested. Information that can be drawn from the database includes logon and logoff times and session duration keyed by username. Using this information, Brandon has been able to provide faculty, at their request, with information about student activity. “A professor suspected that one of his students never showed up for an exam in a computer lab, even though the student insisted he had,” says Brandon. “My solution not only confirmed that the student had logged on in the lab during the exam, but also told us the computer he used and how long he was logged on.”
Brandon reports that the logon-tracking solution has been working effectively since implementation and that it also has had an unexpected side benefit: contributing to the arrest of a car thief. Thanks to Brandon’s logon-tracking system, the university can provide timely information to authorities when needed. “Last semester, information obtained from my solution helped police apprehend an individual who had stolen computers from one of our labs,” says Brandon. “More recently, police arrested a car thief—who had logged on to one of our computers before taking someone’s car keys—just hours after we provided them with information acquired from my solution.”
To download Brandon’s detailed explanation of his solution, go to www.windowsitpro.com, InstantDoc ID 97204, and click the Download the Code button.
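The logon/logoff row pairing Brandon describes can be sketched as follows. This is an added example, not Brandon's downloadable code: it uses Python with an in-memory SQLite table standing in for the Access database, and the table, function, user and computer names are assumptions. Because the row number is held in an environment variable that the logged-on user can change, the logoff step here closes a row only when it is still open and matches the user and computer.

```python
import sqlite3
from datetime import datetime

def open_db():
    # In-memory SQLite stands in for the Access table (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE sessions (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL, computer TEXT NOT NULL,
        logon_at TEXT NOT NULL, logoff_at TEXT)""")
    return db

def record_logon(db, username, computer, when):
    """Logon step: insert the session row and return its row number,
    the value the article keeps in an environment variable."""
    cur = db.execute(
        "INSERT INTO sessions (username, computer, logon_at) VALUES (?, ?, ?)",
        (username, computer, when.isoformat()))
    db.commit()
    return cur.lastrowid

def record_logoff(db, row_id, username, computer, when):
    """Logoff step: close the row only if it is still open and belongs to
    this user and computer, so a stale or altered row number cannot
    overwrite another session. Returns True when exactly one row closed."""
    cur = db.execute(
        "UPDATE sessions SET logoff_at = ? WHERE id = ? AND username = ? "
        "AND computer = ? AND logoff_at IS NULL",
        (when.isoformat(), row_id, username, computer))
    db.commit()
    return cur.rowcount == 1

def sessions_for(db, username):
    """Return (computer, logon time, minutes) per session; minutes is None
    when no logoff was recorded (crash, power loss, forced shutdown)."""
    out = []
    for computer, on, off in db.execute(
            "SELECT computer, logon_at, logoff_at FROM sessions "
            "WHERE username = ? ORDER BY logon_at", (username,)):
        minutes = None
        if off is not None:
            delta = datetime.fromisoformat(off) - datetime.fromisoformat(on)
            minutes = int(delta.total_seconds() // 60)
        out.append((computer, on, minutes))
    return out

def demo():
    # Constructed sample data: user names, host names and times are invented.
    db = open_db()
    start = datetime(2007, 10, 1, 9, 0)
    a = record_logon(db, "jdoe", "LAB1-PC07", start)
    b = record_logon(db, "asmith", "LAB1-PC08", start)
    closed = record_logoff(db, a, "jdoe", "LAB1-PC07", datetime(2007, 10, 1, 10, 30))
    # jdoe's logoff presenting asmith's row number is refused.
    refused = not record_logoff(db, b, "jdoe", "LAB1-PC07", datetime(2007, 10, 1, 10, 31))
    return closed, refused, sessions_for(db, "jdoe"), sessions_for(db, "asmith")

if __name__ == "__main__":
    print(demo())
```

Rows left with no logoff time are worth reporting separately, since they mark sessions that ended without the logoff script running.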
Hands-Free, Large-Scale Software Deployment
Tim Manley oversees IT operations for a large overseas US Department of Defense installation. Until recently, Manley’s IT staff spent an excessive amount of time keeping hundreds of computers at numerous remote sites updated. “Our legacy OS build was image based and required numerous man-hours to build or rebuild a PC,” says Tim. “We had different images for each of our different makes and models—Windows 2000 ghost images that were sent out from headquarters, over a slow WAN link. Our guys might waste a whole day trying to find what image was supposed to go on which type of hardware.” Compounding the problem was the fact that the upgrade process required a lot of manual tweaking and that systems frequently crashed because of outdated hardware.
Tim’s challenge was to seamlessly automate the upgrade process so that his organization’s planned migration to Windows XP and future upgrades could be done much more quickly and with minimal manual intervention. “I had just come on board, and my supervisor said, hey, we’ve got to automate this. The methodology we’re using is so outdated and difficult to maintain, we need to look at other options.” Because of tight security requirements, Tim’s options for doing large-scale software upgrades were limited. “Basically, the only tool that I could find that would work in our environment was Remote Installation Services,” he says.
In less than a month, Tim developed a scripted RIS build process that he says enables “100 percent automated and hands-free OS and core application deployment.” The build process is initiated on RIS servers at the organization’s two main sites where IT staff rebuild machines; a build is replicated from one site to another to ensure an optimum transmission of the build over the WAN link.
When an IT staffer is preparing to replace a computer, he runs a premigration VBScript script to obtain configuration details about the computer to be replaced, such as what applications are installed, the computer’s name, and its IP address. Finally, a postmigration script, which is part of the RIS automated installation, enables a variety of settings to ensure that the PC complies with government security requirements and other organization standards, such as the desktop background image and screen saver. “These are all settings that we couldn’t do via Group Policy and didn’t want to do manually,” Tim says. “The goal was for the desktop guys to be able to hit the button and walk off. When they come back, they’ve got a complete OS build, and the user can then log on and use all their basic applications. Furthermore, since users’ data is redirected to the user home drive via Group Policy, there’s no data to migrate, and PCs can be rebuilt on the fly and swapped out without any loss of data or downtime to the user.”
Tim’s solution has made the upgrade process virtually painless for IT staff and much faster than before. “We’ve reduced migration time by 70 percent,” says Tim. “Now it takes less than two hours from end to end to build a PC.” Since completing the mass XP upgrade, IT staff have found additional uses for the automated build process. “About once a month we have to replace a machine, so we use the automated process for that,” Tim says. Another key use is to slipstream software updates, such as service packs, applications, or new drivers, into a build, so that the update will be automatically included in future PC upgrades. “If we were still using an image-based upgrade process, the image might not be able to support the new hardware drivers. With RIS, we can just download and copy the drivers to the share, to immediately support new hardware.”
Intranet Portal Makeover
When he worked at Capitol Federal Savings, Ryan Rackley—now a senior local network administrator for ISG Technology—was spending an inordinate amount of time and money nursing a proprietary and crash-prone corporate intranet portal. Finally, he decided it was time for a change.
“The biggest problem was just how complex the system was,” explains Ryan. “The portal application required software to be installed on each of our clients, as well as the server piece … there were multiple points of failure in the system, and it was frequently down for days at a time.” Ryan’s headaches were amplified by inadequate support from the original developer of the system and an expensive service contract that was stretching department budgets. The time was right to make a switch, and Ryan decided that a better solution could be developed internally.
Ryan didn’t have time to try a new standalone application, and the budget didn’t allow for new servers or a new Microsoft SharePoint Portal Server installation. “We also wanted to keep the look and feel of our new solution as close as possible to the existing one,” says Ryan. “We didn’t want to confuse our users, so that consistency was important to us.”
A small team of IT staffers began development of the new portal, which centered on using an open HTML format and dedicating a file server to house company documents and other files accessed through the portal. Ryan’s team eventually employed Adobe Dreamweaver to create the portal site, resulting in a more reliable solution that could be edited with off-the-shelf HTML editing tools. The new solution was created and deployed in a six-week timeframe and has since helped Capitol Federal realize substantial cost savings in its IT department budget.
“Our system uptime reached 100 percent after we switched, mainly due to the simplicity of the solution,” says Ryan. Using Windows integrated security with AD eliminated the need for users to have multiple passwords, contributing to a 94 percent reduction in portal support calls when compared with the previous system. Ryan explains that for those reasons (and many more), the old system wasn’t missed. “We had used that system for more than two and a half years,” says Ryan. “We had a big party when we unplugged that thing!”
Automating Imaging and Software Configuration
Regular upgrades and backups of the 120 tablet PCs in use at Midwest Palliative & Hospice CareCenter were becoming an increasingly onerous task, with one particularly nasty disk-imaging session finally convincing Jeff Ramsier, the center’s network administrator, to find a more efficient solution.
“We had four people working on the upgrade—including me—and it still took us more than 12 hours to finish just the tablets,” says Jeff. “\[The\] night we performed the install was at the end of a 30-hour day. We had to work on all 120-plus tablets with only seven power supplies … and half the batteries were almost dead.” Jeff recounts how he and his support staff were forced to run from machine to machine, switching power supplies in order to keep the laptops charged for the imaging process. “Once one of the tablets goes down, the whole ghost imaging process stops until you get the \[downed\] tablet back up.”
Determined to not go through a similar ordeal in the future, Jeff set to work on developing a series of Visual Basic scripts that could help automate some of the organization’s most common administrative tasks. “For the most part, I did this all myself,” says Jeff. “Microsoft’s ‘Hey, Scripting Guy!’ Web site \[www.microsoft.com/technet/scriptcenter/resources/qanda/default.mspx\] helped with some of the VB scripting.”
Jeff’s scripted solution helped automate many services, including installation of client software, printers, and faxes. It also configures installed software and synchronizes the laptop with the Misys medical software that the care center uses.
Now Jeff can easily image and update laptops as needed and has successfully transformed a time-consuming and error-prone process into a streamlined and efficient system. The new process requires only about 20 minutes for ghost imaging. Jeff likes the fact that he doesn’t have to be present to perform installs and can install to and upgrade multiple tablets at the same time. “This solution is something that companies with a lot of tablets or laptops could use,” he says. “Typically, in companies, the techs take a lot of time to image the tablets (or laptops), or they don’t put much time into the image, so \[the computer\] isn’t employee-friendly. This solution offers the best of both worlds.”
Auditing Application Access for Compliance
In heavily regulated industries, some of IT’s most crucial projects are bound to be driven by compliance mandates. That was the case for Michael Shire, who developed his winning solution in response to Canadian government regulations that require auditing a company’s access to individuals’ personal financial information. Michael’s employer, a telecommunications firm, directed IT to track users’ access to a payroll application (who, when, and how they gained access). Because access to the application is controlled through membership in AD security groups, Michael opted to fulfill the requirement by devising a way to monitor all AD group modifications.
Michael initially looked into third-party products as potential solutions, but “there were no off-the-shelf packages that fulfilled the requirements for the project,” he says. Michael has only moderate experience with scripting but, as he says, “I’m very good at solving puzzles, and I have a high Google IQ,” so he relied mainly on his research skills to track down the components of the solution. “I pulled numerous sample scripts from the Microsoft Scripting Center and Google searches to accomplish everything required.”
The solution Michael forged is basically a VBScript script using Windows Management Instrumentation to monitor all new events in the Windows security event log. Michael explains, “When an event related to a group modification occurs, the data from the event is written to a log. All AD group modifications are logged; however, monthly reports specific to the application are generated from this log in comma-separated value format. The script must run on all AD domain controllers (DCs) and keeps the logs and reports in a locked-down set of folders. The script is started as a service, where Windows can ensure that it’s always running. Should the service stop, a warning message is written to the event log.” The monthly reports are available to auditors upon request.
Michael’s solution offers the additional advantage of being able to monitor all AD groups for other types of auditing. “I think the greatest benefit of the solution is its simplicity and scalability. If future AD groups require reporting, this can be easily accomplished by looking at the current reporting scripts. \[The solution\] can be applied to future DCs without rebooting them. Further, the code can be modified to look for other Windows event log entries, not just AD group modifications. You could call it Frankenstein’s VBScript, but I find the results much more pleasant to live with!”
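The filtering and reporting logic Michael describes (log every AD group modification, then produce per-application monthly CSV reports) is sketched below. This is an added example, not Michael's VBScript: it is written in Python over constructed event records, the event IDs are the Windows Server 2008 and later security-log numbers for group membership changes rather than values given in the article, and the group, account and DC names are assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Security-log event IDs for membership changes to security-enabled groups
# (Windows Server 2008 and later numbering; assumed, not given in the article).
GROUP_CHANGE_EVENTS = {
    4728: ("global", "added"),    4729: ("global", "removed"),
    4732: ("local", "added"),     4733: ("local", "removed"),
    4756: ("universal", "added"), 4757: ("universal", "removed"),
}
FIELDS = ["time", "dc", "group", "scope", "action", "member", "changed_by"]

def group_changes(events):
    """Normalize every group-membership event; ignore all other events."""
    for ev in events:
        kind = GROUP_CHANGE_EVENTS.get(ev["EventID"])
        if kind is None:
            continue
        yield {"time": datetime.fromisoformat(ev["TimeCreated"]),
               "dc": ev["Computer"], "group": ev["TargetUserName"],
               "scope": kind[0], "action": kind[1],
               "member": ev["MemberName"], "changed_by": ev["SubjectUserName"]}

def monthly_reports(events, groups):
    """Return {"YYYY-MM": CSV text} covering changes to the named groups only."""
    wanted = {g.lower() for g in groups}
    by_month = defaultdict(list)
    for rec in group_changes(events):
        if rec["group"].lower() in wanted:
            by_month[rec["time"].strftime("%Y-%m")].append(rec)
    reports = {}
    for month in sorted(by_month):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        for rec in sorted(by_month[month], key=lambda r: r["time"]):
            writer.writerow({**rec, "time": rec["time"].isoformat()})
        reports[month] = buf.getvalue()
    return reports

# Constructed sample: events merged from two DCs; all names are invented.
MEMBER = "CN=J Doe,OU=Staff,DC=example,DC=com"
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2007-11-02T08:00:00", "Computer": "DC1"},
    {"EventID": 4728, "TimeCreated": "2007-11-05T14:12:00", "Computer": "DC1",
     "TargetUserName": "Payroll-Users", "MemberName": MEMBER,
     "SubjectUserName": "hradmin"},
    {"EventID": 4732, "TimeCreated": "2007-11-06T09:30:00", "Computer": "DC1",
     "TargetUserName": "Helpdesk-Local", "MemberName": MEMBER,
     "SubjectUserName": "itadmin"},
    {"EventID": 4729, "TimeCreated": "2007-12-03T16:45:00", "Computer": "DC2",
     "TargetUserName": "payroll-users", "MemberName": MEMBER,
     "SubjectUserName": "hradmin"},
]

def sample_reports():
    return monthly_reports(SAMPLE_EVENTS, ["Payroll-Users"])
```

Group names are compared case-insensitively, and the member's distinguished name is quoted by the CSV writer because it contains commas.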