ad info

CNN.com
 MAIN PAGE
 WORLD
 ASIANOW
 U.S.
 LOCAL
 POLITICS
 WEATHER
 BUSINESS
 SPORTS
 TECHNOLOGY
   computing
   personal technology
   space
 NATURE
 ENTERTAINMENT
 BOOKS
 TRAVEL
 FOOD
 HEALTH
 STYLE
 IN-DEPTH

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

  CNN WEB SITES:
CNN Websites
 TIME INC. SITES:
 MORE SERVICES:
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines
 pointcast
 pagenet

 DISCUSSION:
 message boards
 chat
 feedback

 SITE GUIDES:
 help
 contents
 search

 FASTER ACCESS:
 europe
 japan

 WEB SERVICES:
Computing

Windows 95 chaos control: Products that will help you

July 17, 1998
Web posted at: 12:50 PM EDT

by Tom Henderson

From...


(IDG) -- While Microsoft offers some degree of control over users' desktop configurations through the Windows 95 and NT registries, the controls are difficult to implement and easy to work around. But in recent weeks, two oddly complementary products designed to lighten the management of desktop loads have come from none other than Microsoft Corp. itself and network operating system arch rival Novell, Inc.

Microsoft's Zero Administration Kit (ZAK) for Windows is a set of software tools for centralized configuration of distributed clients. Novell's Zero Effort Networks (ZENworks) is the combination of two older Novell products, NetWare Applications Launcher and Workstation Manager, coupled with a secure remote control application for front-line help desk support and an administrative add-on to Novell's NWAdmin program. Of the two products, ZENworks succeeds better overall, thanks to its wider range of features and easier installation and deployment.

Neither product ensures zero administration for Windows workstations. And both products fail to fully insulate you from the intricacies of the complex Windows Registry. However, the products passed just about every test we threw at them (see "How we did it," page 52). The lone exception was ZENworks' failure to properly install a DOS program on a Windows client. A quick test of each product with the Windows 98 Beta 3 code showed neither product worked with it.

Microsoft's ZAK ties in to policy-control procedures outlined with Windows NT Server, although most of the techniques used for desktop controls can be applied to other networks. ZENworks can take ZAK or ZAK-like policy control and anchor it with Novell Directory Services (NDS), another reason it's the better tool. ZENworks expands the NDS schema in a way that complements the NetWare Client32. The Client32 software authenticates a user, then checks the user's attributes and modifies the desktop and operational characteristics of the workstation according to what it finds in NDS.

MORE COMPUTING INTELLIGENCE
  IDG.net home page
  Network World Fusion home page
 Free registration required to access Network World
  Free Network World Fusion newsletters
  Get Media Grok and The Industry Standard Intelligencer delivered to for free
 Reviews & in-depth info at IDG.net
    IDG.net's bridges & routers page
  IDG.net's hubs & switches page
    IDG.net's network operating systems page
  IDG.net's network management software page
  IDG.net's personal news page
  Questions about computers? Let IDG.net's editors help you
  Search IDG.net in 12 languages
  Subscribe to IDG.net's free daily newsletter for network experts
 News Radio
  PC World News Radio
  Computerworld Minute audio news for managers
   

Anchored by Directory Services

ZENworks includes two user interfaces: Application Launcher and Application Explorer. Application Launcher is a customizable shell for application execution. Application Explorer looks more like Windows Explorer with enhancements, and it is somewhat reminiscent of both the older Novell Application Launcher and Windows 3.X Program Manager.

Included with ZENworks is snAppShot, a product that takes a snapshot of a system before and after you install an application. You can use the data file that details the changes to automatically apply the same changes to other workstations across the network.

The proposed benefit is the ability to create machine-independent profiles that allow users to roam from machine to machine while always seeing the same application set wherever they work. The goal is to enable a user to log on to a new machine and have ZENworks determine who it is. ZENworks then looks into NDS, determines which applications the user should have and installs any that aren't already on the desktop.

We found roaming profiles worked well, even between Windows 95 and NT workstations. When we hadn't previously used a given NT workstation, the NetWare logon process discovered that fact, made us a user of the workstation, and then downloaded profiles that allowed us to print to the correct queues without intervention.

We tried to use snAppShot to profile the installation of Adobe Capture Version 3.0 under Windows 95. We found it frustrating that snAppShot crashed three times during the attempt. Finally, when we attempted to install Capture on a workstation that had never before been used, it took. The problem seems to be specific to Adobe Capture 3.0, but because Adobe uses InstallShield, a common application installation program, we feared other products that use InstallShield might also have problems until this bug is fixed. Novell's tech support could offer no immediate solution to the problem. We installed the application under Windows NT Workstation with no difficulty.

Policy control is flexible in ZENworks, but there are ways of avoiding it. We were using a Novell network client logon, but we found we could hack and install a different network client that didn't work with ZENworks, which could foil your administrative control. A policy control from the ZAK CD-ROM was able to prevent us from changing clients.

ZENworks also contains a help desk request applet that's designed to dovetail into Novell's ManageWise support and management software system. The applet can find support contact information via NDS and contains a remote access program that allows support personnel to help solve desktop usage problems.

Each Windows 95 and NT workstation on the network required new client software. We then added an entry into NDS for all the workstations; by highlighting a group of workstations, we could do mass imports of client information to NDS. The beauty of an object-oriented directory service such as NDS is that we could update policies en masse, and then control workstations immediately after rebooting them. ZENworks runs only on NetWare 4.1 and newer servers, and supports only Windows clients within an NDS domain.

Sergeant ZAK

ZAK offers two modes, TaskStation and AppStation. TaskStation clients boot into the Internet Explorer application instead of the Windows interface and are limited to using applications that run in the browser. The goal is to lock down the desktop configuration to prevent users from making changes.

TaskStation offers many ways to limit end-user access to the underlying operating system. You can remove the Run command from the user interface in TaskStation and hide selected or all folders, the taskbar, the Find command and My Computer. You can also restrict Network Neighborhood in several ways to limit access to otherwise visible network resources. In Windows 95, you're supposed to be able to restrict registry editing and MS-DOS access, but we figured out a way to get around those barriers.

AppStation administration is more involved because the user interface isn't constrained to Internet Explorer. The biggest advantage to AppStation is that it can control what users see on the Start menu and what they can access on the disk. AppStation has tools to suppress registry editing, and it can prevent users from invoking Windows' Task Manager to kill the process that controls the suppression.

Server-side administration provides several possibilities for group control to be replicated and partitioned through the NDS structure - a plus in WAN environments. Neither TaskStation nor AppStation make it possible to lock down Windows boot configurations, but both can limit end-user access to specific folders and drives. Both packages also let you create classes of users and develop gradients of desktop controls to suit differing needs.

To achieve strong administrative controls with ZAK, you need to experiment with user and group controls to balance the level of control you need vs. the flexibility you want. Much of the control offered comes via the use of registry hives, which are slices of the system registry that are imported to the workstation at logon. By contrast, ZENworks uses a logon-time download coupled with properties in directory services (asserted by individual or group characteristics) to assert control over the desktop.

ZAK is designed for deployment on newly installed PCs, although with a bit of work, we found it could be used on already deployed Windows 95 and NT 4 workstations. There are two ways to deploy ZAK: read the instructions and design the suggested controls, or use a demo setup that walks you through the process of installing Microsoft Office 97 as a shared server-based application. The installation process suggests helpful (but not mandatory) installation and subsequent management steps be obtained from the Office 97 Resource Kit and the Windows NT Server 4.0 Resource Kit. Fortunately, we had both.

ZAK deployment involves three steps: server installation, initial workstation setup and client/user administration. We easily installed our test clients after the server, and we modified our Windows NT Server Primary Domain Controller user profiles as suggested by the ZAK online documentation. To complete the steps, you create a directory structure and copy boilerplate user profiles to the server.

The Strongest Rope

With ZENworks, Novell hits Microsoft in one of its weak spots - directory services, or rather the lack of one. While ZAK provides low-level control of user desktop configuration, it doesn't scale well for large organizations. For example, Microsoft strongly recommends replicating the ZAK infrastructure in multiple-domain NT networks - a tedious and often manual procedure. This problem doesn't exist in a network running under NDS because resources are partitioned and replicated automatically.

Unlike the more automated ZENworks, ZAK is a kit, and as such offers great flexibility at the cost of a learning and experimentation curve.

ZENworks can dovetail nicely with the controls offered in ZAK. For example, the registry controls needed to keep users from accessing local CD-ROM drives can be made part of the ZENworks details that follow users from workstation to workstation. These products do not thwart each other in any way and are actually complementary. Perhaps it takes two products - one pushing and one pulling - to do the job of corralling the desktop.

But based on our experience, Novell has a head start it's not likely to lose, even after NT 5 arrives.

Tom Henderson is a systems architectural consultant in Indianapolis and the author or co-author of 12 books on network hardware and software.
Related stories:
Latest Headlines

Today on CNN

Related IDG.net stories:

Note: Pages will open in a new browser window Related sites:

External sites are not
endorsed by CNN Interactive.

SEARCH CNN.com
Enter keyword(s)   go    help

  
 

Back to the top
© 2000 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.