[ Go to October 1997 Table of Contents ]
-- by Tom Henderson
Whew! I don't think I'm out of a job. Microsoft's Zero Administration Kit (ZAK) would seem to jeopardize any NT administrator's position, but I'm not sweating. I just checked out ZAK for NT 4.0 Workstation (the Windows 95 version is due soon), and concluded that "zero" is a bit of a stretch. But still, I like what I see. It may give me more free evenings and weekends, and who can argue with that? The immediate downside is that I'm going to become a Registry expert whether I like it or not.
The reason for ZAK is obvious: It's an attempt to cut costs. Recent studies say administration and support are the main factors boosting the cost of ownership for PCs. I don't doubt that, although I think the numbers in some of the studies are too high. (I wish I had the budget they claim the corporate world spends on computing!) But anything that helps reduce Total Cost of Ownership is good.
I've found the biggest administrative headache comes from anarchy on the desktop. Dealing with the chaos wastes time for both the administrator and the end user. Programs like Microsoft's Zero Administration Initiative (ZAI) aim to impose some control without hampering desktop users' productivity. ZAK is the product of the ZAI effort. When Windows 98 (formerly known as Memphis) goes from beta into production, it will include more components to give administrators the kind of control they have in NT.
While ZAK is still immature and requires you to edit Registry components to maintain user and system policies, it's a running start toward gaining control of the desktop. ZAK addresses two major problems in network infrastructures: users who unwittingly generate support calls by messing up their PC configurations and users who have distractive opportunities. Microsoft doesn't go into detail on those unproductive choices, but we know it's generally wasteful to pay users to play Doom II during business hours.
ZAK's two types of users
If you want to give ZAK a try, you'll need NT Server somewhere on the network. Microsoft divides ZAK end users into two families: TaskStation and AppStation. TaskStation users perform tasks normally confined to a single application, such as an accounting application, customer service software and so on.
Setup of the single application is simple. The application can also be a shell that holds a group of applications. You can use the application or group of apps only through a browser. No fuss, no muss and no other choices. For example, you can block access to the CD-ROM to prevent employees from loading their favorite version of Microsoft Flight Simulator onto your $3,000 workstations.
AppStation management is trickier. Microsoft recommends the AppStation approach for end users "with moderate skills or Windows knowledge." Like TaskStation mode, AppStation allows administrators to limit the available programs. But AppStation still uses the Win95/NT4.0 Start Menu. Users in AppStation management typically store data on a network server or in a local user folder. Those storage points also hold user policy components loaded to force workstation behavior.
The NT 4.0 version of ZAK arrived first because it was easier to create and implement the NT version than the Win95 version. The available NT software already includes the NT user profile components that control user environments. ZAK extends these user policy components.
A user profile consists of three components. First, there's a machine-specific or local profile (its guts, folders and settings). This profile goes with the machine as a set of resources relating largely to hardware and software installed on an NT PC. Then there's a roaming profile (desktop and other component information downloaded from a server or other machine) that follows the user. Finally, a variation of the roaming profile, called the mandatory profile, is assigned to an individual or groups for a common or specific user interface (such as a mandated desktop or application set).
The NT Registry portions that can be saved into roaming profile components are called hives, and the filename that's often used to store them is called NTUSER.DAT. The other user profile portion in NT is in the folder structure that stores shortcut links, desktop icons, startup applications and so forth. This combination of the Registry hive and the folders records all user-configurable settings that can migrate from computer to computer. Registry hives and folders with data give NT users portability among NT machines.
You can load roaming profiles from a network share resource. They're part and parcel of NT 4.0.
Windows 95 doesn't have roaming user profiles, but Windows 98 will. A key difference between NT and 95 is that the Win95 Registry has no provision for Registry hives and the subsequent control that roaming profiles afford. Windows 98 user and system policies are much closer to NT 4.0 Workstation and will be easier to manage.
Registry surgery for fun and profit
Unfortunately, ZAK requires mastering the Registry in order to manage user and system policies. System policies overwrite settings in the existing Registry with those made in the policy file. This allows a ZAK administrator to regulate and restrict both the workstation and specific users. Users get only the resources that you allow. You can restrict hardware usage at a particular workstation or by a specific user (preventing use of floppy, CD-ROM and tape drives), or set network drive mappings and limit Control Panel access to the administrator. That puts AppStations at the mercy of administrators but gives all users access to as many, or as few, resources as they need to do their jobs. Limiting access normally results in fewer problems and fewer calls to the help desk.
You make changes in the System Policy Editor. Profile settings specific to the user who logs on to a given workstation are located in the Registry under HKEY_CURRENT_USER. Likewise, machine-specific settings are located in the Registry under HKEY_LOCAL_MACHINE. Both areas can become the source of Registry hives. (See "User Profile Folders" sidebar.)
System policies are text files, and you can find examples on the NT distribution CD-ROM. Registry hives aren't text files; they're part of the Registry database. Both are needed to make the AppStation work, so administrators must become familiar with the Registry and its effects. Microsoft recommends extensively pilot testing ZAK prior to actually putting ZAK components into production. I couldn't agree more.
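A baseline check that a pilot test could run against a workstation's Registry export, as an added example that is not from the column or from ZAK itself: it parses a REGEDIT4 text export and reports policy values that are missing or differ from the intended setting. The value names are standard Windows policy values chosen for illustration; the baseline and the sample export are constructed assumptions.

```python
import re

# Constructed REGEDIT4 export (regedit's NT 4.0 text format); sample data only.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000001
'''

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
# Assumed baseline for illustration; these are not ZAK's shipped settings.
BASELINE = {
    (POLICIES + r"\Explorer", "NoRun"): 1,
    (POLICIES + r"\Explorer", "NoDrives"): 0x03FFFFFF,  # hide drives A: to Z:
    (POLICIES + r"\System", "NoDispCPL"): 1,
    (POLICIES + r"\System", "DisableRegistryTools"): 1,
}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg(text):
    """Map (KEY, NAME), upper-cased because the Registry ignores case, to data."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = (m.group(1) or "").upper(), m.group(2)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"'):
            data = re.sub(r'\\(.)', r'\1', data[1:-1])
        values[(key, name)] = data  # other types (hex: blobs) stay as raw text
    return values

def policy_drift(export_text, baseline=BASELINE):
    """Return (name, status, expected, found) for baseline values not in effect."""
    actual = parse_reg(export_text)
    findings = []
    for (key, name), want in sorted(baseline.items()):
        got = actual.get((key.upper(), name.upper()))
        if got != want:
            status = "missing" if got is None else "mismatch"
            findings.append((name, status, want, got))
    return findings
```

Calling `policy_drift(SAMPLE_EXPORT)` flags the cleared `NoDrives` mask and the absent `DisableRegistryTools` value; an empty list means the export matches the baseline.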
Control but not Convenience
The ZAK engine is a command processor that allows an administrator to modify the Registry at start-up or log-on. The commands and their implications are fairly well annotated, and you can control a wide range of parameters, from local storage control to menu options. You'll love the control that the Registry provides but will loathe the configuration process.
Does this mean that ZAK will inhibit the personalization of computing or cause us to become more uniform and standardized? Not likely. You know what they say about locks: They keep your friends out, but your enemies have pick tools. Hackers will target ZAK, and desktop users can get around your enforced policies by using tools found on the Internet. As an administrator, you'll have to keep a close watch for new security updates and third-party software to thwart the hacks. That's one more reason ZAK's title can't be taken literally. But it's still a big step toward sanity on the desktop.
Tom Henderson runs BeachLabs in Indianapolis, a division of Telecom Industries. Contact Tom care of the editor at the addresses on page 20.