[63] in Kakapo Windows Team
Windows Services and Docs
daemon@ATHENA.MIT.EDU (Brian Murphy)
Thu Aug 14 11:41:54 2003
Message-Id: <5.0.2.1.2.20030814104356.02194280@po12.mit.edu>
Date: Thu, 14 Aug 2003 11:41:17 -0400
To: kakapo@mit.edu
From: Brian Murphy <bmurphy@MIT.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
I've done some combining, reformatting and minor editing to what was
received. Here is what we have so far.... Brian
http://mit.edu/pismere/support/for-cont-admins/cont-admins-top.html
http://mit.edu/pismere/draft-documents/remote-installation-faq.html
https://web.mit.edu/windows-delivery/www/dontindex/server/
http://web.mit.edu/pismere/presentations/brochure.html
http://mit.edu/pismere/support/for-cont-admins/gpsnap.
http://mit.edu/pismere/draft-documents/managing-your-profile.html
http://mit.edu/pismere/draft-documents/logon
http://mit.edu/pismere/draft-documents/dosanddonts.html
http://mit.edu/pismere/support/for-cont-admins/wingpintro.html
http://mit.edu/pismere/support/for-cont-admins/winathena-extensions.html
http://mit.edu/pismere/support/for-cont-admins/autohotfixer.html
http://mit.edu/pismere/support/web-interfaces.html
>We need to develop a common document with the roles, responsibilities for
>Container Admins.
Comment> There is some discussion underway with ASO and DITR. Perhaps this
is the forum in which the talks can take place.
Here are win.mit.edu services.
Beyond the features available to any Windows 2000 Domain machine, a
machine that joins the win.mit.edu Domain obtains the following:
For the user:
Seamless integration into existing MIT infrastructure, including
Kerberos, AFS, Moira, management interfaces and Data Warehouse
Single signon - use your normal MIT username and password
One "roaming" profile in your persistent AFS home directory on H:
Locker access - run applications, edit and store MIT web sites on Z:
Shared printing to a variety of networked printers, Kerberized or not
Sendbug automated problem reporting, an integrated application
Schema extensions to access to newer applications and technologies
For the DLC machine group, or Container, Administrator:
Naturally, no need to install, maintain and support Domain Controllers.
Your containers are "islands of control," with scalable Group Policy,
admin advice, peer support and backup
Remote Install (RIS), RIPREP (monolithic image), or join existing machines
Auto Hotfixer deploys approved Microsoft security updates and patches
Push approved Service Packs using Group Policy
Set periodic self-maintenance scripts that run in the SYSTEM account
Log events to a secure access-controlled central server
Use web interfaces for many machine admin tasks and Domain requests
Set and use Moira data (users, lists, &c.), propagated to Active Directory
Other management tools, like Perl, W2K Resource Kit, W2K Support Tools
Reliable secure servers - DCs in continuous operation since Spring, 2001
User Policies
-------------
GP-Moira-Users and GP.Pismere. Container Admins cannot really affect
these settings, but any user from the Moira/Users container who logs
into any machine in the domain will get them, and local machine users or
other domain users not in the Moira/Users container will not. These
policies are enumerated in the User Configuration section of the Group
Policy Management Console reports:
Machine Policies
----------------
WIN applies three policies to every machine, including software
settings, windows settings and administrative templates. Of course,
container administrators may apply additional policies to machine
containers. For a snapshot of current Domain-wide group policies,
see:
WIN Activity Policies
---------------------
The following Domain support activities are available through webpages down
and limited to users with privileges as specified.
Request a container
Must have an Athena account, must have at least one Athena container admin.
Request approval comes from members of the list container-request.
Upon container approval, the list container-admin-[name] is set to be the
container admin list for it, and includes a few other Domain-wide container
admins. The Domain delegates only group policy control to the container.
Set your WIN domain password
Must have an Athena account.
Delete a machine account from the WIN domain
Must own the machine or be a container admin for the machine container.
Container Maintenance Request
Must have an Athena account (this may further restrict to require a
container admin for the machine container).
Join a machine to the Domain
Must have an Athena account.
Send a suggestion or comment about win.mit.edu
Anyone.
Report a win.mit.edu bug
Anyone.
Request PXE support on an MIT subnet
Anyone.
Request a win.mit.edu Dorm or Classroom cluster
Anyone. Request approval comes from members of the list ac-proposals.
Upon container approval, process copies "Request a container," above.
Our approach to licensing is an important additional policy missing from my
previous post. Current web docs may not currently explicitly name this as a
policy. We should establish that software licensing compliance is the
Department's responsibility.
I am sure it will take constant efforts to clarify this as a Container
Administrator's obligation.
Hints to this effect are on the WIN web site in places such as the RIS
FAQ:
It is important to remember that MIT does not have a site license for
all Windows Operating Systems and users. Container
Administrators must each keep track of our licenses, and make sure we
have a CAL per machine. For OS licensing, please see
_MIT/Windows 2000 Professional License_. For CALS (ordering info from
May, 2003), visit the _GovConnection Catalog_, either
departmental or personal, and find the Microsoft Select product named
"Acad. Select Windows Server 2003 per Device Client," Catalog
Item #440472.
Ops - Services and documentation around the WIN domain are focused on the
behind the scenes stuff. We maintain the servers (DC, DFS, RIS,
backup, etc.) that run the WIN domain. On the more user visible side, we
are currently responsible for new container creations. We've also done
some of the work to install new network drives, etc. into RIS images. We
have some documentation, but it is designed for use within the group,
documenting various procedures for ourselves.