- My Rant: Why imaging? Why SMS?
- Get a signed copy of...
- my GP book: Group Policy, Profiles and IntelliMirror
- my Windows & Linux Integration book
- Public Group Policy Intensive Training and Workshop Schedule Update
- Upcoming appearances and schedule
- Thanks Netpro!
- Subscribe, Unsubscribe, and Usage Information
This issue is (Iâm sorry folks) a rant. Itâs not about the war, or politicsâbut about something close to us, that we can all rally behind: disk imaging and management products.
So, without further ado, my rant.
After I rant for a while, I'll give you an update on my 2006 Group Policy Class Schedule and suggest some other great stuff for you to check out.
Before I forgetâthe Sacramento, CA Two-Day Group Policy class is ON for March 30, 31. We have three seats available. If you want one of those seatsâsign up soon at www.GPanswers.com/workshop.
PS: A hearty THANK YOU to the folks who came and saw me and Tom present Win/Lin topics at this season's TechMentor in Orlando. I'm gone now (off to the next thing).. but thanks for brightening our days there -- you were a super audience !
Newsletter Sponsored by: Special Operations Software
Sometimes the out-of-the-box Password Policy in Windows isn't just enough. If you need many Password Policies perActive Directory domain or more granularcontrol of howpasswords can be created you should have a look at Specops Password Policy.
Redmond Magazine says that "Password Policy is easy to install and easy to use. It provides much more granular control and doesn't have a long learning curve."
Click the link to read more on how Specops Password Policy can benefit your organization with increased security.
As Dennis Miller says I don't mean to go off on a rant here
My good friends at TechNet Magazine have recently released their March/April 2006 magazine. And, let me tell youâitâs excellent, specifically, if youâre running SMS to roll out your desktops and/or contemplating using the new Business Desktop Deployment (BDD) to roll out desktops.
And, I have some questions (and please donât answer me directly via email. Please, please, please answer this question or agree/disagree with this rant by going to http://tinyurl.com/htaxwon my community forum and post your 2 cents there.)
My three questions are:
- Why does Microsoft have 7 ways to deploy a desktop?
- Why bother with image-style desktop deployments at all? and
- Why bother with SMS-style tools?
So, letâs get started on this very special ârantâ issue.
Microsofts desktop deployment options
By my count, Microsoft has seven ways of âofficiallyâ deploying a desktop: Category 1: via winnt.exe
- Put in the CD and restart the machine. This basically runs winnt.exe and installs Windows.
- DOS-style Network boot disk to connect over the network to run winnt.exe
- WinPE-style to again run winnt.exe (almost the same as a DOS-style network boot disk in practice)
- Remote Installation Services (via PxE) where winnt.exe gets invoked
Category 2: via image
- SMS + Operating Systems Deployment Pack (OSD)
- Business Desktop Deployment (BDD)
- Standard Edition and
- Enterprise Edition
- Vistaâs all-new image-based deployment
The methods in Category 1 âbuildâ a PC from scratch, loading Windows step by step (or via answer file), but fundamentally âcreateâ a PC by formatting it and loading each file.
The methods in Category 2 âphotocopyâ from an image source in Ghost style.
So, hereâs the question (again): why bother using either the Zero Touch Deployment for SMS (with the Operating System Deployment pack), the BDD, or the upcoming Vista image-based methods to roll out your desktops?
First of all, unless Iâm missing somethingâthese latest tools from Microsoft compete with each other for your desktop rollout attention. Not to mention that Vista will also come with its image-style based deployment mechanism. So, between the BDD, SMS+OSD and Vistaâs Imaging mechanismâIâm one confused guyâand Iâm trying to understand why each has itâs place.
So, thatâs three image-style mechanisms to do the same job. Thatâs my real question: can someone (anyone) explain why I might choose, say, the BDD over the SMS+OSD even if could deploy both at exactly the same hard and soft costs. (Again, donât reply hereÃ¢â¬Â¦post about it, at http://tinyurl.com/htaxw.)
To me, it seems a main selling point of both the BDD and SMS+OSD appears to be that it will âmaintain stateâ as you do a desktop upgrade from say Windows 2000 to Windows XP. With a little elbow grease, you use the built-in User State Migration tool, shoot up a copy of the userâs important stuff, blast down a new desktop, and restore the important stuff (like desktop backgrounds, etc., etc.)
Great. But again, why bother specifically saving the state?
If youâre using the network to store the important stuff (say, by using Roaming Profiles), and use Group Policy to maintain your application settings, why specifically go out of your way to preserve any of it? Those of you whoâve heard my talks on desktop deployment know it will still be there waiting on the network when you deploy that new desktop to the user.
So, if you want to educate meÃ¢â¬Â¦ please do so. Again, respond by posting to http://tinyurl.com/htaxw.
Beyond the Microsoft image-based deployments
Since I'm already off on a rant here, let me take it one step fartherÃ¢â¬Â¦
Truthfully, I don't even see the point of having any image-style/âphotocopy-styleâ deployments (including other non-Microsoft image-style deployments a la Ghost, PowerQuest, or anything else). Those of you whoâve seen me speak at conferences or those who have taken my more in-depth two-day Group Policy course know my feelings about image based deployments. Yes, theyâre fastâbut, ultimately, theyâre a âphotocopy.â To recap the process, you essentially wrap up a âperfectâ PC with a set of âcoreâ applications and make a big image. Then, you deploy that image to a zillion machines. And you do it fast.
But, this means several downsides when thinking long term. First, thereâs the problem with the âphotocopyâ aspect in terms of hardware deployment.
Yes, I knowâWindows sysprep is supposed to be the answer. Sysprepâs job (especially with the -pnp switch) is to shut the machine down for photocopying. Then, once the photocopied machine is turned back on, itâs supposed to magically discover all the correct hardware, and birds will land on the computer singing and chirping.
Except itâs not guaranteed (especially the birds). Not to mention the problem with photocopying from one machine to anotherâthe required drivers might not be there. If youâre photocopying the same image for a Dell Latitude and an IBM Thinkpadâyou let me know how thatâs working out for you. If you can sleep at night while doing this, youâre a stronger man than I.
Okay, Iâm sure the BDD and SMS+OSD deployment have some provisions to handle this situation. But, I was at a loss on specifically how to add new drivers to either the BDD or SMS+OSD if, say, a new network card showed up in your next desktop shipment. What I am sure of is that in each case, the WinPE image (which provides you the ability to access the image) would indeed need to be tweaked to accommodate this (already a hassle). But my confusion is what about the drivers for when Windows is actually running? If Iâm pulling down a fully formed image, how can I jam in new drivers? If you know, and can educate me, please do so.
Even if there is a native way to do this (easy or cumbersome) it appears that Binary Research (the original makers of Ghost) has created something to help fail-safe the process. Their âUniversal Imaging Utilityâ product (found here) is supposed to help inject a bazillion drivers into your imagesâspecifically to remediate this very problem Iâm describing.
The next big problem with the photocopy isâitâs obsolete the very day itâs placed into service. Why? Letâs explore a typical photocopy-style rollout. Letâs say weâre deploying our image to 1000 desktops. Just to give it a name, weâll call our project OurImage 1.0. After rolling out 300 of our 1000 desktops someone on the deployment team realizes theyâve forgotten a critical application patch, or bite-sized application, or a configuration setting, or misspelled a directory, or any number of a 1,000 things that can go wrong during image building. So, the desktop engineering team cleans up the image, and rolls out OurImage 1.1. They then roll out to the next 300 desktops. (And, of course, the problems werenât big enough to retrofit the first 300 desktops and disrupt users.) So, now, you have 600 desktops deployed: half on OurImage 1.0 and half on OurImage 1.1.
Not ideal, to be sure.
Then, one of the applications in the image has a new minor version (which the manufacturer strongly recommends you start deploying right away). Back to the drawing board, and a new revision, OurImage 1.2, is created. The deployment rollout must go on! And OurImage 1.2 is now deployed to the next 300 clients.
So, now, thatâs three somewhat-different images over 900 clients. Now when any of those users calls the helpdesk for help, which version of the image are they using? Remember each version of the image has slightly different application versions tucked inside.
Or, consider this case: the image is rolled out to 300 peopleâboth Sales and Marketing. But Sales is constantly playing around with applications in the image they have no right to even use. Should those applications have ever been in the image at all? Sure,those applications are needed for the Marketing guys. But not for Sales. So what do some IT departments do? They send someone to trot out to the Sales desktops and manually uninstall those applications (or script it, or touch it with SMS or something).
So, it must appear as if Iâm âdownâ on photocopy-style desktop deployments such as Ghost, SMS+OSD or the BDD. Itâs not that Iâm down on them, just utterly confused why anyone would use them.
With that in mind, whatâs my proposed desktop deployment solution?
Group Policy of course (with a little help from Remote Installation Services)!
Why RIS? Because RIS doesnât âphotocopyâ an image. It âbuildsâ the computer from scratch, installing just the software it needs in order for Windows to run. And, there are provisions for centrally adding new and updated drivers when new hardware comes out (like NICs, sound cards, etc.).
Why Group Policy? Because you can deploy just the applications you need to just the specific people who need them. If Fred in Sales shouldnât get an application only Marketing would use, then itâs not in any photocopy where youâd have to worry about it. Fred only pulls down applications Fred needs.
Yes, I know the downside to my strategy. That is, in order for my suggested strategy to be successful, you have to be 100% committed to the MSI promised land (or buy 3rd party Group Policy tools to deploy applications other than only MSI apps).
Now, before you napalm my houseâlet me wrap up this section with this one thought:
I AM NOT SAYING TO ABANDON GHOST, POWERQUEST OR ANY OTHER IMAGE-BASED TOOL IF ITâS WORKING FOR YOU.
I know lots of people are quite attached to their desktop deployment methods. If something is working for you, and youâre happyâkeep on truckinâ.
Don't let me stop you.
The main reason I'm down on image-type deployments is for the reasons I mentioned above:
- Again, first, itâs a photocopy, and even though sysprep -pnp should work from machine to machine, it doesnât always. If it does work for youâfantastic. Consider yourself blessed, and continue to make use of the speed that photocopying provides.
- However, consider the second problem: âcore applicationsâ in the image make it difficult to customize each userâs experience for them. If you get away from photocopying, you get away from deploying unnecessary apps (or forgetting to put apps in your image).
So again, yes I know RIS is slow. Slower than a photocopy, yes. And, if youâre comfortable photocopying machine to machine to get the OS deployed then, again, keep on doing that. All Iâm asking is for you to consider not imbedding the applications in the image.
Now, if you want to help me out you can explain a few things to me.
- If youâre actually using the SMS+OSDâhow is it really âzero touchâ as itâs touted? I donât get it. Iâve read countless pieces of documentation, but it still appears as if the client needs to be âseenâ by the SMS system in order to zap a new photocopy upon it. That means it needs to be an SMS client. If Iâm cracking out a desktop or laptop from the cardboard box and put it on the wire, Iâm totally unclear how SMS will âfindâ this new machine and zap it my corporate photocopy. From what Iâm reading it seems (dig this) that the prescription is to actually use RIS to deploy that initial desktop, then get the SMS client loaded, then zap down the remaining applications. Wait a secondâthat sounds like âThe Jeremy Prescriptionâ (except you substitute GPO for SMS!) If Iâm missing something, and youâre an expert here, please, please educate me.
- The BDD has lots of wizard-driven steps to help you create your photocopy and then deploy it. Why would anyone would use the BDD at all, for any reason, when there are clearly other options which do the job? And, unless Iâm looking it wrong, it seems the BDD requires a Ghost-style imaging tool to do the work. Indeed the documentation talks about the Powerquest tool quite a bit. Again, Iâm at a loss to understand why the RIS/Group Policy/MSI combo wouldnât be the preferred way to go hereâor just about anywhere.
More stuff to rant about(Or, why I'm already unpopular with the SMS team at Microsoft)
Since I'm ranting about SMS anyway
The issue of TechNet magazine I mentioned has a whole article dedicated to SMS troubleshooting. When people ask me if Iâd prefer SMS over Group Policy, Iâll tell them âEven if you gave me all the licenses I need for SMS, Iâd still pick Group Policy over it any day.â Yes, yes, I know SMS has more features than Group Policy does.
But a Dodge Caravan has more features than a Mazda Miata. Get the picture?
In the end analysis what are the features people use when they buy that Dodge Caravan, er, SMS? Letâs look:
- Software Deployment with targeting (which can be done with Group Policy Software Installation and WMI filters)
- Hardware and software inventory (which can not be done natively with Group Policy but is, I hear, coming soon with 3rd party Group Policy tools.)
- SMS has Software Metering toolsâbut no one I know uses it much.
- SMS has compliance/patch-management tools. I do know some companies which do make use of theseâbut only because the free WSUS wasnât yet available, and now they feel like theyâre âlocked in.â
So, why would I pick Group Policy over SMS even if someone handed me unlimited free licenses? The TechNet article in the same issue entitled âNo Desktop Left Behind: SMS Troubleshooting Basicsâ about sums it up. Not to saturate you with all the steps the author expertly describes, but, holy cow does it ever take some troubleshooting skillz (thatâs skillz with a âzâ) to get to the bottom of things when SMS stops working. In a nutshell: SMS has about a zillion moving parts. The author expertly demonstrates how to âtraceâ where the problem is within all those moving parts.
In a basic (very basic) comparison, the same operation (software deployment) for Group Policy is refreshingly simple. There are, in short,many fewer moving parts to troubleshoot when things go wrong. Yes, okay, maybe Iâm a little biased due to my love of all things Group Policy. And that isnât to say Group Policy always works, either.
What I am saying, however, is that when Group Policy âbreaksâ itâs a much easier proposition to figure out where the problem is, then actually get to fixing it. For the record, in case you think Iâm making stuff up here to specifically beat up SMS, I am certified in SMS 2.0 and do know a little about what Iâm talking about. (And, yes, I know SMS 2003 is a different, though similar animal.)
Simpler is better
Okay, poor SMS. I just beat it up a little bit, and Iâm feeling a little guilty here. But, ask yourself if you need a tool like SMS at all.
If you need itâyou need it.
But, the question is do you really need it?
I've personally met a handful of people who seem to be with me; ditching SMS and Tivoli (and the like) for a pure Group Policy-based solution to their management.
Here's the thought process: By not introducing an SMS-style tool, youâre reducing complexity.
Again, the Group Policy moving parts are already built-into the operating system.
So, if you can make use of the moving parts inside the box, my advice is to do so.
Now, let me be super-clear before the hate mail comes in from the SMS team (or SMS-style product companies). As I said: if you need itâyou need it. Thatâs the trick, and the trap I see many organizations fall into. Many organizations inadvertently increase their complexity by adding an SMS-style management tool for not a lot of benefit. When I ask people âWhy did you end up deploying your SMS-style tool?â The #1 response I get is âWe needed a way to distribute software.â And 10% actually use the overall âpower featuresâ SMS provides over Group Policy.
So, again, my feeling is that, yes, an SMS-style tool is greatâif it truly gives you something you cannot achieve a different way. Again, SMS provides software distribution, hardware and software inventory, patch management, image deployment, and software metering. If you need something on this list that Group Policy cannot do natively (or enhanced with third-party tools) then, yes, go get it.
But, if you don't need itâwhy introduce it, even if youâre getting the licenses for free?
For the love of Pete (whoever he is) do NOT email me directly about this rant. While I strive to answer everyoneâs email, Iâm making an exception in this case. Itâs not because I donât love you, itâs because I want you to respond publicly here where we can all talk about it. Key points to talk about:
- If youâre using the BDDÃ¢â¬Â¦why? What does the BDD give you that other methods do not?
- If youâre using SMS+OSDÃ¢â¬Â¦why? Howâs it working out for you?
- How can you add drivers when Windows runs using the BDD or SMS+OSD?
- If youâre using the âJeremy Methodâ of RIS + Group Policy + MSI, howâs that working out for you? Was getting to the MSI promised land a tough haul? Did you succeed, or give up?
- Why save user state and restore it using the USMT during the BDD or SMS+OSD process? If youâre using the network properly (redirected MyDocs and Application Data), what precisely are you saving by using the USMT?
- Has anyone introduced an SMS-like product only to then realize it was overkill and the same task could be performed via Group Policy? How did you handle that?
- Or, is SMS your life blood and youâre using it for a task I didnât describe here?
Thanks for listening.
Get signed copies of...
Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)
Windows & Linux Integration: Hands on Solutions for a Mixed Environment
Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and whole new section on the Security Configuration Wizard.
Order your signed copy today by clicking here.
Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from www.WinLinAnswers.com/book.
Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here:
http://www.amazon.com/gp/product/0782144470 (GPO book)
http://www.amazon.com/gp/product/0782144284 (WinLin book)
Public Group Policy Intensive Training and Workshop Schedule Update
I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.
You BOUGHT and IMPLEMENTED Active Directoryânow DO SOMETHING with it.
So, learn to properly drive that "Ferrari" you bought by coming to a class! Classes for first half of 2006 (lots of date changes since the last newsletter. Sorry about that.):
Mar 30-31, 2006: Sacramento, CAâThis class is ON. If you want a seat, I suggest you sign up now. Only three seats left!
Apl 18-19: Atlanta, GA
Apr 20-21, 2006: Tulsa, OK (not Okla. City, as previously reported.)
Apr 26-27, 2006 (new class): Richmond, VA
May 15-16, 2006: London, England
Why THESE cities? Because people used the "Suggest a city" form at https://www.gpanswers.com/suggest and ASKED me to have classes here.
Here's hoping you'll take advantage of the opportunity!
Learn more and sign up at: https://www.gpanswers.com/workshop (Don't forget to scroll all the way to the bottom of that page and locate your city!)
Or,if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!
If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japanâor wherever! Have passport, will travel!
Again, while the training course isn't officially endorsed by Microsoft, the class does the have distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!
For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at [email protected] or call me at 302-351-8408.
Upcoming Appearances and schedule
It's going to be a busy month for me. Embrace the travel! Love the airport. Embrace the security dweebs patting me down. Well, maybe not.
Here's my ever-so-brief schedule.
NetPro Directory Experts Conference: Mar 26 - Mar 29
I'll be speaking on Windows/Linux authentication integration. My speech is 9.15 Tuesday the 28th. www.dec2006.com/agenda_tues.cfm
Linuxworld Boston: Apl 3 - Apl 6
Again, on Windows/Linux authentication integration. My specific speech date is 4/4/06 and it'll be at 2.30 PM. Hope to see you there !tinyurl.com/7dspg
WinConnections Orlando: Apl 9 - Apl 12
I'll be speaking on a variety of topics at this WinConnections. "Group Policy Toolbelt", Shared Computer Toolkit" & "WindowsâLinux Integration: Authentication Services" and a 3-hour Group Policy Pre-Conference warm-up. www.winconnections.com
Microsoft Teched Boston: Jun 11 -1 5
Again, on Windows/Linux authentication integration. Don't know my exact speech date yet. tinyurl.com/7lktw
Recently Netpro had a cool webinar, and they mentioned usâGPanswers.com. Neat! Thought Iâd return the favor. Hereâs how to check out the webinar with a good message for anyone managing Active Directory. WEBCAST: 16 Steps to a healthier and happier Active Directory
Before going about securing Active Directory, you should make sure that certain configurations have not created unexpected security holes. In this webcast, NetPro CTO Gil Kirkpatrick will examine various aspects of Active Directory, from backup to DNS configuration to Group Policy management, that, when executed properly, can ensure a secure installation. Register here.
Subscribe, Unsubscribe, and Usage Information
If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.
Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).
For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter
You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.
While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me: [email protected]
If you have questions about ordering a book, contact my assistant Jon at: [email protected] We endeavor to respond to everyone who emails.
Thanks for reading!