Take Control of Your Users
This requires managing expectations, data and the computing experience.
- By Mark Wingard
Your day is all planned. You’ll arrive early and start visiting each of the 250 desktops you’re responsible for to configure the Windows Update service and download the latest critical hotfix from Microsoft. Unfortunately, when you get to work there are two users at your door; one whose documents keep coming out all garbled on his new printer and another whose system keeps locking up from the shareware screensaver she downloaded from the Internet. One of your managers is sitting in your office because the hard drive on the no-name system he bought online has died along with his critical presentation file. Your pager keeps going off with pages from a user who can’t play her music CDs and wants her CD-ROM fixed. (She’s been leaving you increasingly nasty voice mails.) You learn that all the shared documents have apparently been deleted from the Public folder on the file server. The Welchia worm continues to appear on multiple systems throughout the network even though you’ve blocked it at the firewall, and the Macintosh users in the Graphics Department can’t read any of the memos from the VP who uses WordPerfect. Meanwhile, that service pack that you need to install on the mail server still hasn’t been applied and now there's massive congestion in the mail processing queue.
If it wasn’t for all these *%#$! users, you might be able to get some work done!
If this sounds familiar, you may have two choices: 1) Consider a career
change, or 2) Learn how to manage your users as well as their computers.
As IT budgets continue to contract or remain flat, systems administrators
are expected to do more with less, support more users and assume more
responsibility for increasingly complex technologies. Computing professionals
must have a strategy for proactively managing users or quickly become
Manage Users’ Expectations
A logical place to begin is by controlling what your users expect in regards
to their personal computer use. A wise person once said the cause of all
anger is unmet expectations. If you’re able to meet or exceed your users’
expectations, you’re golden; otherwise, you’re just a yellowish rock.
The most effective way to manage users’ expectations is through a little
tough love: Limit the choices available to users in the area of desktop
hardware and software. By doing so, you narrow the scope of what you’re
expected to support and can implement efficient strategies for providing
that support. Just as children need to be told “no” periodically and given
boundaries so they know they’re loved, users need to know where they have
freedom in their computing environment and where they don’t.
Company policy should limit the platforms, manufacturers and models of
desktop hardware available to users. This will allow you to have replacement
hardware on hand and to know exactly what drivers are needed in troubleshooting
situations. In the spirit of Henry Ford, tell your users they can have
any color PC they want as long as it’s black.
This approach shouldn’t just apply to hardware. Your organization needs to have standards of what software is acceptable and supported and what isn’t. Some companies have multiple tiers of software standards. For example, Category A is mandatory applications; Category B includes optional, but supported, applications; Category C is permitted, but unsupported software, and Category D is forbidden software. Other companies take a more draconian approach by not allowing users to install their own applications, and limit software to only Categories A and B. Each enterprise must choose what supports its business needs while giving users the tools to get their jobs done.
By establishing a consistent hardware platform and software standards,
you set the stage for creating base images of the OS and applications
for the desktops you support. There are a number of ways to accomplish
this through hard drive imaging applications such as Symantec Ghost and
PowerQuest Drive Image. Using such tools, PCs that experience OS corruptions,
driver failures or other such calamities can be quickly returned to a
standard base state and users can get on with their work.
Manage Users’ Data
Hardware and software can always be replaced, but users’ data cannot.
Protecting your users’ data can make you a hero—or at least save your
Back It Up
There are a variety of approaches and considerations to accomplishing
this. The simplest way to protect your users’ data is to not allow them
to store it on their local hard disks. This is why such things as file
servers exist. If all user data is stored on a file server, then you only
have to worry about backing up the server. Combine this approach with
a standardized hardware/software image and you won’t even have to troubleshoot
OS or hardware problems. You can quickly replace the hardware or the OS
image and the users’ data won’t be affected. In an Active Directory environment,
you can easily redirect My Documents via Group Policy to a user’s personal
folder on a file server. If you also employ roaming profiles, your users
will experience their own custom desktop settings and data no matter what
computer they’re sitting in front of.
Keep It Locked (But Don’t Lose the Key!)
Regardless of where the data is stored, you should be responsible for
the security of that data. If user files are kept on a file server, you
must ensure unauthorized users don’t have access to the data, while at
the same time giving access to those with a legitimate need to know. Basic
file- and folder-level security should be employed at the very least,
with file encryption a consideration as well. File-level security and
encryption can be utilized on local hard drives as well. Just make sure
you aren’t locked out of your users’ data, and if encryption is used,
ensure that you always have a recovery key.
Manage Users’ Computing Experience
Group Policy in AD is the best thing to happen to network administrators
since the tape drive. With Windows Server 2003 and XP on the desktop,
some amazing feats can be accomplished through creative Group Policies
and manipulating Windows Management Instrumentation (WMI). Combine Group
Policy with more robust systems management products like Systems Management
Server (SMS), Altiris, Marimba, ManageSoft and so on, and you may never
have to visit a desktop again! But even with these great tools at your
disposal, it’s important to have a philosophy at work behind them.
Protect Users from Themselves
Don’t let your users play with loaded guns or they’ll invariably shoot
themselves (or you) in the foot. Give them the fewest security permissions
necessary to get their work done. If you do it right, users should never
need to be logged on with Administrator privileges. In general, what they
can’t do (to their computers) won’t hurt them. Most Windows-based software
today requires Administrator-level permissions for installation, so by
not permitting such capability, you can control what applications users
install on their systems. Keeping users from running as administrators
also prevents them from keeping you out of their systems, so you can effectively
Lock Down the Desktop
What users don’t see won’t hurt them. Through the wonders of Group Policy,
you can remove items that tempt fate like Network Neighborhood (to keep
them from exploring other computers where they don’t belong), the Run
command and the command prompt (to keep them from invoking applications
that could cause trouble), or any other operating system feature you don’t
want them to access.
Keep Them Patched and Protected
Keeping users’ systems patched with the latest hotfixes and with current
virus definitions has become a full-time job of late. Don’t expect your
users to be on top of this. Most users are knowledge workers, not computing
professionals. They depend on your skills to keep them safe from viruses
and worms. All it takes is one unpatched system to allow a virus or worm
to start running amok on your network. There are a number of applications
available to automate this task, but if you fail to take an automated,
monitored approach to patching, you’ll forever be playing catch-up to
the script kiddies of the world.
Keep Users’ Applications Consistent
Hard disk imaging is a great way to roll out new hardware and/or roll
back to known, good states, but software upgrades are like a fast-moving
train. New versions of even approved, company-standard applications can
introduce incompatibilities into your environment and quickly increase
the complexity of providing support. With systems management software
that allows you to distribute and install applications remotely, you can
keep all your users’ applications at the same version and dictate when,
and if, upgrades will occur.
Don’t Let Your Users Manage You
You’ll never get any work done if users can interrupt you any time, any
place, to solve their individual problems. While it may not seem as user-friendly,
controlling how and when you can be contacted by your users will actually
allow you to provide them with better service.
Manage How Users Can Reach You
Give users a Web page or e-mail address to communicate with you. Guard
your pager and phone numbers like they’re state secrets. By establishing
a one-way channel for support issues, you can diplomatically prioritize
the issues you respond to and tackle the mission-critical issues before
Give Bosses Special Attention (but Not Too Much)
It can pay dividends to give upper-level managers kid glove treatment,
but don’t break all the previously stated rules to do so. If you have
to violate the rules of engagement, let managers know that you have done
so. Even if you don’t go out of your way to solve their problems, at least
let them think that you are!
As annoying as users can sometimes be, remember that without them you
wouldn’t have a job. Even if you only follow half of these suggestions,
you’ll still be ahead of the game. The more you’re able to manage your
users’ computing behavior and how they interact with you, the more time
you’ll have to keep up with new technologies and implement additional
time-saving techniques. If you’re lucky, that means you’ll also have a