Desktop Management Pilot Information




What is Desktop Management?

In general, Desktop Management is the ability to provide central management capabilities on PCs. Some examples include:
  • Administer configuration settings on JMU computers
  • Establish and enforce desktop security standards
  • Administer local user rights on the desktop to what is required to perform work functions
  • Capture hardware and software inventories
  • Perform enhanced support via remote assistance tools
  • Provide enhanced patch management capabilities to the desktop
  • Provide enhanced security capabilities to the desktop

Why do we need Desktop Management?

In today's technology environment, it is imperative JMU make significant progress with Desktop Management to ensure our environment is as safe and secure as possible, and to provide our staff with the tools to enhance proactive monitoring and deliver superior customer service.

What is the Desktop Management Pilot?

Our team has been busy for several months planning the implementation of Desktop Management for JMU-owned PCs. We have reached the point in our planning where we are ready to conduct an internal pilot using PCs in IT. We believe that using ourselves as a pilot will greatly assist our learning before we roll out to other areas of JMU. Our goal is to implement Desktop Management in multiple stages on as many IT PCs as possible, while gathering your feedback and addressing any issues that may arise. Some of these stages include:
  • Join IT PCs to the Microsoft Active Directory Domain - testing both manual and automated methods
  • Push the Microsoft SMS client software to computers. This software, among other features, gives us the ability to gather software and hardware inventory
  • Test and verify the capabilities of remote support tools (Remote Assistance, Remote Control)
  • Enforce current policies that are enabled on every computer Desktop Services installs
  • Enforce StartSafe policies
  • Push Microsoft and non-Microsoft software updates

Who will participate in the pilot?

IT staff who use Windows XP and Vista desktops and laptops.

When will the pilot begin? How long will it last?

We began the pilot on October 1, 2007.
IT PCs will remain part of our managed environment going forward.

What is the schedule for migration?

| Department Name | DTM "Discussion" Meeting | Migration Date & Time | Migration Completion Date |
|---|---|---|---|
| Card Services | 8/6/08 | 9/30/08 @ 9am | 9/30/08 |
| Human Resources | 8/13/08 | 10/2/08 @ 9am | 10/2/08 |
| Auditors | 8/28/08 | | |
| Accounts Payable | 9/8/08 | 10/14/08 @ 9am | 10/14/08 |
| Procurement | 9/15/08 | 10/16/08 @ 9am | 10/16/08 |
| Payroll | 9/16/08 | 10/28/08 @ 9am | 10/28/08 |
| Telecom | 9/18/08 | 11/18/08 @ 9am for Telecom Office, @ 12:30pm for Telecom Techs @ 1070 VA Ave. | 11/18/08 |
| UBO | 9/23/08 | 10/7/08 @ 9am | 10/7/08 |
| Parking Services | 9/24/08 | 11/20/08 @ 7am | 11/20/08 |
| Finance | 10/13/08 | 11/11/08 @ 9am, 11/13/08 @ 9am (Check Write PCs) | 11/11/08 and 11/13/08 |
| VP of A&F | 10/6/08 | 10/21/08 @ 9am | 10/21/08 |
| Facilities Management | 10/9/08 | | |
| Budget Office | 10/15/08 | 11/6/08 | 11/6/08 |
| AVP - Business Office and Real Property | 10/9/08 | 10/30/08 @ 9am | 10/30/08 |
| Bookstore | 10/22/08 | Not migrating | |
| Dining Services | 10/23/08 | 12/9/08 | 12/9/08 |
| Athletics | 11/6/08 | Convocation - 12/6/08; APC - 12/18/08; Godwin - 1/6/09; Stadium - 1/8/09 | Convocation - 12/16/08; APC - 12/18/08; Godwin - 1/6/09; Stadium - 1/8/09 |
| University Health Center | 02/26/09 | 03/12/09 | 03/12/09 |
| WMRA | 03/24/09 | 03/31/09 | 03/31/09 |
| Admissions | 03/31/09 | 04/21/09 | 04/21/09 |

What does the "migration script" do?

  • Enables File and Print exceptions in the firewall for AD
    • Ensures that the minimum firewall exceptions are in place for a successful migration
    • Ensures that the Microsoft File and Print sharing services themselves are enabled and turned on
  • Copies any local firewall rules to the domain rules
    • Windows keeps two sets of firewall rules. Copying the local rules to the domain rules ensures that any exceptions the user may have made are carried over after a successful migration
  • Re-SIDs the computer
    • The SID (Security Identifier) is supposed to be unique to each computer joined to a domain. In the past, the general images deployed on computers did not generate unique SIDs, and half our PCs have the same SID. This step regenerates it to make sure that every SID is unique
  • Renames computer to a consistent name
    • This is where we use the computer owner's organizational unit and the computer's ESN to generate a unique computer name, for example "IT-H1111.ws.jmu.edu"
  • Joins the computer to the domain
  • Makes the local user account (e-ID) a domain user account
    • The domain user account stays at the same user level, e.g. if an administrator account prior to the migration, it is an administrator account after the migration
  • Migrates / re-ACLs / re-DACLs all local profiles to domain profiles
    • Defaults the domain e-ID to the local e-ID's profile path (C:\Documents and Settings\e-ID) and creates a new path for the local e-ID
    • ACL = Access Control List; DACL = Discretionary ACL
    • In effect, makes the permissions for the local e-ID and the domain e-ID the same across the board
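
The re-SID and rename steps above are meant to leave every computer with a unique SID and a unique, consistent name. The following Python check is an added example, not part of the JMU migration script: it runs over a constructed inventory export and flags shared or malformed machine SIDs, target names that collide, and names that break the 15-character NetBIOS limit. The inventory fields, the issue labels and the `<OU>-<ESN>` name format (inferred from the "IT-H1111" example) are assumptions.

```python
import re
from collections import Counter

# Constructed sample inventory (not real JMU data); field names are assumptions.
INVENTORY = [
    {"host": "DESKTOP01", "ou": "IT", "esn": "H1111",
     "sid": "S-1-5-21-1111111111-2222222222-3333333333"},
    {"host": "DESKTOP02", "ou": "IT", "esn": "H1112",   # cloned image: same SID
     "sid": "S-1-5-21-1111111111-2222222222-3333333333"},
    {"host": "HR-FRONT", "ou": "HR", "esn": "H2001",
     "sid": "S-1-5-21-1000000001-1000000002-1000000003"},
    {"host": "PARKING7", "ou": "PARKINGSVCS", "esn": "H3001",
     "sid": "S-1-5-21-2000000001-2000000002-2000000003"},
    {"host": "SPARE", "ou": "IT", "esn": "H1111",       # ESN entered twice
     "sid": "S-1-5-21-3000000001-3000000002-3000000003"},
]

# A machine SID is S-1-5-21 followed by three numeric sub-authorities.
MACHINE_SID = re.compile(r"S-1-5-21(-\d{1,10}){3}")
# NetBIOS computer names: at most 15 characters; letters, digits, hyphen.
NETBIOS_NAME = re.compile(r"[A-Z0-9][A-Z0-9-]{0,14}")


def target_name(ou, esn):
    """Assumed convention based on the page's example: <OU>-<ESN>."""
    return f"{ou}-{esn}".upper()


def premigration_report(inventory):
    """Return {host: (target_name, list of issues found)}."""
    sid_counts = Counter(pc["sid"] for pc in inventory)
    name_counts = Counter(target_name(pc["ou"], pc["esn"]) for pc in inventory)
    report = {}
    for pc in inventory:
        name = target_name(pc["ou"], pc["esn"])
        issues = []
        if not MACHINE_SID.fullmatch(pc["sid"]):
            issues.append("malformed-sid")
        elif sid_counts[pc["sid"]] > 1:
            issues.append("duplicate-sid")      # must be re-SIDed before joining
        if not NETBIOS_NAME.fullmatch(name):
            issues.append("invalid-name")       # too long or bad characters
        if name_counts[name] > 1:
            issues.append("name-collision")     # two PCs would get the same name
        report[pc["host"]] = (name, issues)
    return report


if __name__ == "__main__":
    for host, (name, issues) in premigration_report(INVENTORY).items():
        print(f"{host:10} -> {name:18} {', '.join(issues) or 'ok'}")
```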

Domain Membership vs. Managed Computers

How it is now:
The majority of computers on the JMU network are operating as decentralized, stand-alone computers. Each computer must be maintained on an individual basis. This means that patches, upgrades, anti-virus and software installations are controlled by the user of each machine.

Joining the Domain:
Joining the domain is the first step in having fully managed computers. When a computer joins the domain it is essentially agreeing that it is part of a bigger whole. It no longer considers itself a stand-alone machine but recognizes that it is on a connected network where the individual machine is no longer "the boss." The machine will now recognize that there are other servers (domain controllers) that are in charge, and the computer agrees to take marching orders from those servers. The important thing to remember about domain membership is that the act of joining the domain does not make a computer managed; it simply gives us the ability to manage the computer, because the computer has agreed to take orders from a central source.

Managed Computers:
Managed computers are computers that receive policy and configuration settings from one or more centralized sources. In the context of the Desktop Management project at JMU, once we apply GPOs (group policies) or install an SMS (Systems Management Server) client, the machine becomes managed.
Managing a computer removes the responsibility for patches, upgrades, anti-virus and software installation/control from the computer users and places that responsibility in the hands of system administrators.

What will I notice after being migrated into Active Directory?

  • The login interface has changed; you must press Ctrl-Alt-Delete to access the login prompt.
  • Your computer name will be displayed in the lower right-hand corner of your screen when you are presented with the login screen.
  • The screensaver will activate after your computer has been idle for 30 minutes. You will need to supply your password to exit the screensaver.

IMPORTANT NOTE ABOUT PASSWORD CHANGES:

Once you have joined the Active Directory (migrated), you need to take extra care when changing your e-ID password via the Accounts Portal. The Accounts Portal automatically pushes the new password to Active Directory. It is imperative that you reboot, or log off and log back on, immediately following a password change to avoid getting locked out of your computer. (As the Identity Management Project progresses, we hope to have the capability to eliminate this extra step.)

To whom do I send feedback (positive or negative) if I encounter any issues?

Any new deployment has its challenges; so far this pilot has gone quite smoothly. However, if you do encounter any issues and/or you want to send us feedback (positive or negative), please email desktop-pilot@jmu.edu with the subject "Desktop Pilot Feedback".

Desktop Management PowerPoint (07 December 2007) (requires e-ID authentication)

Desktop Management Video (requires e-ID authentication)

Where can I learn more about Active Directory and Desktop Management?