Management Tools for Computer Labs?

dorko72 asks: "I have been put in charge of setting up a small computer lab (30 workstations) for a local community. The benefactor is providing the hardware (dell workstations and one server) as well as the operating system for these systems (Windows XP Professional and Windows 2000 Advanced Server) All the equipment is used, but not too old. I would like to find out what some of you guys use to monitor and manage the lab usage (ie provide realtime stats of which station is in use, etc). I would plan to set these machines in a Windows domain using Win2k Advanced Server as the controller via Active Directory. There must be some way to access AD and find out who is logged in to what machine in the domain. Any suggestions or ideas would be much appreciated."

A bit off topic

[john_is_war]

This isn't quite what you're asking about but I figured I'll give you some useful information. I put in some security hardware called Centurion Guard at my library. I must say, if you're worries about malicious conduct on the computers, either viri or people sabotaging systems (damn teenagers), I suggest you consider it. Basically it keeps a partition of itself and whenever you reboot everything not on the partition (which normal users can't screw around with) is wiped and restored to it's original state. Just giving you my 2 cents.

Re:A bit off topic

[wolf-]

Deep Freeze (www.deepfreezeusa.com) is very similar to Centurion (http://www.centuriontech.com/centurionguard.htm).

The concept is very nice. We have used deep freeze from pre-schools to universities to make life a lot easier on everyone. Teachers simply start the machines in the morning. Next day, the machines are like a clean slate, waiting to be abused again.

Re:A bit off topic

[Oriumpor]

I second that, as it is MANY MANY people have tried to break deep freeze, and none have been succesful at attacking the way it works, only at the bios/preboot level. I have installed deep freeze on a 98/2k system dropped to prompt-fdisked and or formatted and rebooted to find the system working fine. alt.2600 had a few people trying to break it as well to no avail.

HOWTO: Subvert Deep Freeze

[Vagary]

I've never used Deep Freeze, but from everything that's been said about it so far it appears that subverting it is directly reducable to the problem of gaining raw write access to the hard drive. Once you have raw access, you could either alter the Deep Freeze partition or, if the administrator was clever enough to put the image on a CD, alter the master boot record to ensure that Deep Freeze is never activated.

I have no idea how difficult it is to get raw access using various versions of Windows, but in L

Re:HOWTO: Subvert Deep Freeze

[Oriumpor]

fdisk /mbr does not kill deep freeze.

Nor does manually whiping out the partition containing deep freeze.

Re:HOWTO: Subvert Deep Freeze

[Vagary]

Does it modify the BIOS, then? It has to be stored somewhere and the only places that persist without power are partitions, the master boot record*, and firmware.

* Does `fdisk /mbr` wipe the entire MBR? Like what would happen if you installed LILO or GRUB on a Deep Frozen system?

Re:A bit off topic

[Jucius Maximus]

"The concept is very nice. We have used deep freeze from pre-schools to universities to make life a lot easier on everyone. Teachers simply start the machines in the morning. Next day, the machines are like a clean slate, waiting to be abused again."

An anecdote about deepfreeze: They have it installed in many of the labs at my university. It probably makes life a lot easier for the sysadmins and it's nice to not see kazaa, a bunch of spyware and other crap load up when I log in.

BUT there was one annoyi

Re:A bit off topic

[silvwolf]

I love Deep Freeze! I get to watch over, for the next 2 weeks until graduation at least, about 15 computer labs at my school. We image them after every semester to catch up on Windows Updates and AV sig files.. Other than that, we don't have to touch them as far as software is concerned (hardware is a diff story).

I started shortly after they got Deep Freeze, so I missed the days of constantly fighting with virus infections, spyware infections, people saving passwords, and other borked up stuff.

The Pro v

Re:A bit off topic

[Kethinov]

I'm a supervisor at a similar computer lab at a college and all my machines have the Centurion Guard. No matter how badly the students screw up the computers every day, one press of the reset button solves all the problems. They all run WinXP (shudder). I'll tell you one thing though. The Centurion Guard is one way to keep a Windows box totally virus free. As for me, when I'm supervising the lab, I run Knoppix on top of one of the WinXP machine so I can get my coding done. It sure is nice being able to work

Re:A bit off topic

[wik]

How easy is it to update the OS image? Since a number of recent viruses infect networked machines within 15 minutes, rebooting/restoring to an unpatched machine just means you'll get infected again.

Can updates to the images be pushed out over the network? Just curious, I have no reason to buy Centurion Guard. I run a compute cluster where if people screw it up, they just jeopardize their own research. :)

Re:A bit off topic

[Kethinov]

You can unlock the Centurion Guard with a key (physical key). Then you can do whatever you want to the machines at it'll save the changes until you reboot which relocks the computer. We usually do this at the college once every few months or so to update the virus protection. You're right though, it will keep getting the same viruses unless we do these updates. You just have to stay on top of it. Still, it's a lot easier than managing unprotected computers.

Unfortunately, we have no way of deploying updates

Re:A bit off topic

[wmguy]

I have experimented with both DeepFreeze and another product called CleanSlate, but I have never had the time to get past some initial tests, and have never rolled anything out into our lab. I have never heard of Centurion Guard, but I looked at their website and it looks interesting. Same concept, but who knows, maybe it will be better than what I have tried so far.

Re:A bit off topic

[cscx]

I believe Roxio GoBack does the same thing, except in software. It uses a special disk driver that mounts the C:\ drive ro, and redirects all writes to a buffer file. The buffer is flushed on reboot, and the machine is returned to its original state!

LTSP MRTG SMB

[arcadum]

Ditch windows for PXE boot LTSP MOSIX and have yourself a controlable cluster. You might want to look at: http://k12ltsp.org/contents.html Windows terminal services are another option, but, they are much less secure.

Re:LTSP MRTG SMB

[ez76]

You can't just look at the licensing price, you have to look at the Total Cost of 0wN3rship.

Three words:

[Anonymous Coward]

Systems Management Server [microsoft.com].

You're a community organisation - just ask Bill and Melinda [gatesfoundation.org] for a few licenses.

Re:Three words:

[dfranks]

Actually, it's www.techsoup.org [techsoup.org] and they have a good selection of MS and other software for cheap (for most non-profits).

There are forums there you might ask about lab admin as well.

Lab management software

[altp]

Dameware [dameware.com] : manage the machines from a remote location.

netusers.exe [jsiinc.com] and some perl or python thrown in to deal with the output of netusers. You can get all your user stats and stuff from this.

With those tools you can develop some scripts to track usage, avaiable comptures and throw it all up on a web site.

Remote Admin Tool

[BhAaD]

Install a remote admin tool on each of the comps. You can watch their desktops this way too. Another fun thing to do is control their desktop while theyre playing games or something and mess them up :P

Windows 2000 Domain

[Oriumpor]

At the most basic level this would work:
You can include a script to run in the startup folder that does the following:
rem --
net use h: \\SERVERNAMEORIP\SHARE
echo [INSERTCOMPUTERNAMEHERE] had the following user login:>>H:\LOGINLOG.TXT
echo %USERNAME% >> H:\LOGINLOG.TXT
date /T >>H:\LOGINLOG.TXT
time /T >>H:\LOGINLOG.TXT
rem --
every user that logged into the domain would need write access to the share tho.

There are tons GPO+VB script ways to do this

next time

[croddy]

post it to "ask microsoft"

Short list

[Anonymous Coward]

This is the short list of the few tools that you will find necessary while managing a public computing lab.

1. Strong locks for the outer doors of the lab.
2. Clippers capable of severing all keyboard and mouse cables.
3. A sturdy, 36" Crowbar.
4. Cheap bourbon.

Long and painful experience has shown that management software and administrative tools are interchangeable luxuries at best (and are more often nothing more than time-consuming placebos). While you are certain to receive many suggestions for that type of product, I am certain that the list above represents the absolutely indispensible core of any competent adminstrator's toolkit.

Re:Short list

[FatherBash]

yes, users will do anything and everything to circumvent controls. Khalid Kamal Alam [convert.org]

Needed: One linux box

[omega9]

No, seriously...

Bring up your favorite distro. The important bits of immediate concern are Squid and syslog. Prevent direct access to the net from the client machines and force them to go through the proxy using a GPO in ActiveDirectory. Configure Squid how you like, but best to at least add the capability to block certain sites and prevent certain file types from being downloaded:

acl hosts_deny dstdomain "/etc/squid/blocked_sites.txt"
acl filetypes urlpath_regex -i "/etc/squid/filetypes.txt"

http_access deny filetypes
http_access deny hosts_deny

List the domains to block in /etc/squid/blocked_sites.txt. List the file extentions to block in /etc/squid/filetypes.txt in regex fashion (something like \.(exe)$ to block .exe files). Not a complete fix, but a good quick way to safeguard web access.

Now run over to sourceforge and grab ntsyslog [sourceforge.net]. This handy tool exports your Event Viewer logs to a remote syslog server. It installs as a service and it's a cinche to setup. Stick is on your domain controller. On your Linux box add a line like the following to syslog.conf (for sysklogd):

user.alert -/var/log/domain.log

By default, ntsyslog uses user.alert, but you can change that to whatever you like. Also make sure your syslog is configured to receive messages from remote clients. Now, in your default domain policy on the domain controller configure it to audit logon events as well as account logon events, successes and failures for both.

Now you've got web access managed by a central proxy with full logging and minimal blocking abilities and all logon success/failures being reported to Event Viewer on the DC and forwarded to the syslog. If you want to see who is logged into a machine at any given time you can either quickly parse the logs or use something like NetUsers [jsiinc.com] or LoggedOn [jsiinc.com].

Popular local opinion says that you're likely to have more problems/attacks with/against your Windows server. Having your Event Viewer messages forwarded means you can diagnose problems in the event something happanes to that server. You'll probably want to at least MRTG the Linux box to get an idea of bandwidth usage too. Then enjoy whippin' up your own set of shell scripts to play with your logs (hint: real-time monitoring)!

Re:Needed: One linux box

[popeyethesailor]

Or he could just go with SMS, as the AC said. Or if that's too expensive, mess around with MS's free resource kit [microsoft.com]. Or even walk around the lab, talking to people(gasp).

There're plenty of free software proxy servers, firewalls on windows, no need to futz around with linux.

Re:Needed: One linux box

[JeffTL]

Much agreed. For this purpose a Linux server would probably be best for all involved.

NetOp School

[andylievertz]

I suggest you check out NetOp School [netop.com]. I manage 8 computer labs for a community college in Gainesville, FL and we use this in several of them. At a glance, the instructors can tell who is logged in & where (uses machine name and windows login name information). Additionally, NetOp School provides controls, i.e. lockout and demo mode. You can run commands on the remote machine, transfer files, etc. Also, you can create breakout sessions where small groups are formed, and one person in that group woul

Learn from the master

[ebbe11]

Assuming that you will be in charge, here are some pointers on how it can be done [theregister.co.uk]

psutils

[zerblat]

Since no one's mentioned it already: to keep your sanity when managing Windows boxes, you need pstools [sysinternals.com]. It contains tools like psexec, which is like a poor mans telnet -- run commandline programs on remote computers -- and tools for listing logged on users, installed software, running processes and more. All you need is the proper rights and you can do magic on Windows workstations, even while a user is logged on (you can also use it for BOFH stuff ;).

I'll also recommend Microsoft Baseline Security Analy [microsoft.com]

Deepfreeze woes/woots

[1eyedhive]

This box here at school (along with a few hundred others) has Deepfreeze.
the BANE of us geeks, we can't fiddle and tweak with our boxen cuz the night classes have newbies *sigh*

Deepfreeze works at the MBR level, only way to circumvent it to blow the HD away (i.e. write zeros across it and sector zero.)
easy way around that is a password on the bios (also on these boxers) to prevent alt boot sources
A big honkin' Master lock on the covers keeps us from getting at the bios reflash jumpers, i.e these boxes are

Re:Deepfreeze woes/woots

[TiggsPanther]

I'll second DeepFreeze.

We use it here where I work, and I have a love/hate relationship with it.

It's great. It stops people pissing with the settings. It means that should Win98 hang (as it frequently does...)n you can just hit the power switch and DF brings the box back up in it's original state.

It's a bugger for trying to roll-out official minor updates though. (Like anitivirus signatures).
Automated updates get automatically undone.

I find it's greatest irritation is also it's greatest strength.
I

Re:Deepfreeze woes/woots

[1eyedhive]

indeed the only way to crack the damn thing is to hack the password, the dialog locks out after several attempt to prevent brute-forcing.

there is a guy in my net studies class who works a bit for the IT guys, and thus knows the password. But like any government drone, he remains mum about it. And whenever comfronting the sysadmin, he conviently skirts around any issues relationg to DF... gee, i wonder whats up with that.

Altiris

[paugq]

Altiris [altiris.com] is what you need.

Re:Altiris

[bstory]

I will second this recommendation. They have a suite of products depending on your needs.

monitor and audit?

[planckscale]

Sounds like you want to enable Auditing on the AD domain for logins and logoffs. You can use a good open source monitoring tool called Big Brother 'www.bb4.com' to monitor machines by ping, nslookup, or any other service you'd like. It can mail or page your cellphone if something goes down. We use it to watch servers, services, websites, and switches. It's highly customizable. Plus you can put the big brother client on each desktop and monitor cpu usage or even available disk space. Also it's a good idea to

Sometimes the oldest managment tools are the best

[sharkey]

Never underestimate the power of a pointy stick.

ask yourself why..

[Suppafly]

ask yourself why you need to monitor this information.. most likely you don't need to treat your users as criminals..

Re:ask yourself why..

[dark404]

Keeping track of who used which computer at what time isn't treating users like criminals, it does the opposite in fact. When something "goes wrong" on the network or one of the workstations, it lets you narrow down the list of who could have done it; that way you can scrutinize a select few instead of treating all your users as a criminal or being forced to remove/limit access. When I was in high school the network manager had a horrible problem with one of the students installing sub 7 on various machines

tools

[Anonymous Coward]

I have to second depefreeze - i did student work in the networking dept at my college last semester and worked with deepfreeze a lot. it's great for keeping morons from effing up stuff they shouldn't, easy to use, and very difficult to screw up.

To initially install the OS and software for a full lab, we would use a program called Ghost. It works by taking an iso of an existing setup and writes it multiple machines at once over a hub. i'd set up a lan with 12 machines at a time and would write the image

What is Active Directory?

[TwistedSquare]

Off-topic I know, but is there a list anywhere (that is more concise and plain than Microsoft's official site) of what all these odd Microsoft inventions/names are?

I just about get what COM is, ActiveX took me a while but I think I have the gist, I found out very recently that .NET is like Java (not just a new brand name like I thought!), but Active Directory and various others still elude me... anyone else have this problem?

Yes

[Orien]

Yes, I have that problem too. For more info on AD google found me this link [microsoft.com]. AD does everything that a domain controler used to do in earlier version of Windows. It gives you authentication, and security for an entire network with lots of users. What's different that a traditional domain controler you ask? It's not backwards compatable, so you have to upgrade. Standard MS tactic. Take existing software, add a feature that nobody wants, and force you to upgrade to it. Case in point, my favorite version of Ex

These tools are built in.

[FreeLinux]

The tools you need to meet your needs are built in.

For determining who is logging in where and when, you simply need to enable auditing at the domain level.

If you want performance or utilization information then use Performance Monitor. It can be used either locally or remotely to monitor a mind boggling(and possibly useless) number of performance counters.

For monitoring the activities of the users, file level auditing can be used. For internet activities you need additional hardware/software than you sa

Obiligatory Linux Response....

[gozar]

Is there a reason they have to run Windows?

Take a look at the K12 Linux Terminal Server Project [k12ltsp.org]. With relatively new machines you can be up and going in 2 hours (not including plugging the machines in). I put this in our business lab at the high school and it's been a dream to run. I never have to worry about viruses, and updates/installations are done once. To install a new machine you plug it in, go to the BIOS and tell it to do a network boot. I don't have to worry about any license issues either. If y

Why?

[Alex Belits]

Why would you want to know those things? What is the point? What can possibly that information be good for, other than the obvious -- being subpoenaed by some dipshit who thinks, some of your students pinged him, and you being responsible for accuracy of it, instead of being able to just say "we never log anything, get lost", and get him off your back?