Posts Tagged ‘Windows 7’

« Older Entries

Windows 7 Device Installation without Administrator Privileges

Tuesday, November 10th, 2009

Supporting mobile workers is always a little tricky.  Whilst you need them to be able to work effectively, you don’t always want to grant them enough system access that they can break things whilst on the other side of the world where you can’t help them.

One of the big requirements for administrative access to systems is the ability to install new devices such as printers.  Windows has supported non-admin installation of drivers for years, but with the big caveat that the drivers are signed.  If they’re not then it won’t work, and often the manufactures don’t bother going through the time and expense.

Fortunately Windows 7 offers some help here by allowing you to point the system at Windows Update for driver installations.  When a device is plugged in Windows will check for appropriate drivers on the local disk (these can of course be pre-populated) and then if it can’t find any search Windows Update.

We’ve tested it with a few devices here, and whilst not everything is on Windows Update, it would seem that the majority of newer printers and devices are.  At the very least it’s a huge expansion of the drivers included out-the-box.

You can also search the Windows Update catalog so check whether certain devices are covered, and download those drivers manually.  I’ve not tried it, but I suspect that might also be useful should only Vista drivers be available.

image

Anyway, so how do you set this up?  Well there are two Group Policies that you need to set:

Computer Configuration > Policies > Administrative Templates > System > Device Installation >  Specify search order for device driver installation source locations = Enabled: Search Windows Update Last

This tells Windows to search locally for drivers, then search Windows Update for a compatible driver if none are found

Computer Configuration > Policies > Administrative Templates > System > Driver Installation > Turn off Windows Update device driver search prompt = Enabled

This removes the choice for an administrator to specify searching Windows Update and sets Windows to search Windows Update by default (given the search order specified above).  If this isn’t set the user is prompted to enter administrative credentials before searching Windows Update

Tags: , , , , ,
Posted in Tech, Work | No Comments »

Direct Access Infrastructure Planning and Design

Monday, October 26th, 2009

IPv6TransitionTechnologies1[1]

To go along with the release of Windows 7 last week, Microsoft have today released the Infrastructure Planning and Design guide (IPD) for DirectAccess.

I’ve covered DirectAccess a few times here as I think it’s a good solution for remote workers.  The IPD covers the steps you’d need to consider in the design process including IPv4/IPv6 transition technologies, IPv4/IPv6 network address translation and the overall server and certificate topology.  Though I still think my diagrams are better :)

You can find the guide here: here

Tags: , , , , ,
Posted in Tech, Work | No Comments »

Integrating Enterprise Search into Windows 7

Tuesday, October 20th, 2009

One of the things I like about Vista and Windows 7 is the way search has been integrated into almost every part of the interface.  Sure it’s not something you immediately start using, but for me at least it’s really grown into something that I use more than once a day to help find information and save me time.

On top of the ability to search the local disk, one of the great things about the Vista/2008/7/R2 windows family is the ability to federate search across a number of sources. 

What does that mean?  Search federation allows Windows to query against remote data stores without the need to index those locations itself.  Imagine that you wanted to search your SharePoint sites for a document, and you wanted to do it from within Windows.  One way to do this would be to get Windows to index all of the SharePoint content and keep its own index.   That’s not very efficient though, if there is more than one computer each one would need a copy, so in an enterprise that’s a whole lot of duplication. 

With federated search you enter your search query in one place, in this case Windows, and that query is then forwarded on to the other systems which have indexed content.  They then execute the query against their own index and send back the results.  Those results are then displayed back in the original application as if they were searched and indexed locally.  The benefit of this is that it’s much more efficient, each source can have it’s own index and search tool (provided it supports federation of searching) and only the query and results are passed over the network.

So, how do we make use of this?  Well Windows 7 supports search federation in the form of OpenSearch.  Fortunately quite a few different search engines support this, but for the sake of this post I’ll use SharePoint as I’m guessing that one of the more common data sources people will want to search. 

What it looks like
Before I get into how this can be setup and configured, here’s a screenshot of what it looks like in action:

SharePoint Search in Windows 7

This is a screenshot from Windows Explorer on a Win7 a test machine I was using today. First you can see that there’s an addition to the Favourites for your new search.  When you enter something into the search box, the results from the SharePoint location are returned directly into Explorer Window.  If you select one of the files and have the preview pane turned on you get a live preview of the document (the preview pane is something else I really find useful!).

In addition to the view above, you can pin your new search to the bottom of any other results… but more on that later.

So how do you set this up?  Well there’s the manual setup and an automated setup using Active Directory Group Policy.

The Manual Way
For manually setting up a new search location you can create a new OpenSearch Description file which you can then double click to install.  An OpenSearch Description file (.osdx) is an XML document that tells Windows where to send the search terms and how the results should be formatted.  These are fully document here, but I’ve included an example below:

   1: <?xml version="1.0" encoding="UTF-8"?>

   2: <OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:ms-ose="http://schemas.microsoft.com/opensearchext/2009/">

   3: <ShortName>SharePoint Search</ShortName>

   4: <Description>Search SharePoint</Description>

   5: <Url type="application/rss+xml" template="http://yoursharepointsite.com/searchcentre/_layouts/srchrss.aspx?k={searchTerms}&amp;start={startIndex}&amp;cnt={count}"/>

   6: <Url type="text/html" template="http://yoursharepointsite.com/searchcentre/Pages/Results.aspx?k={searchTerms}&amp;page={startPage}&amp;cnt={count}"/>

   7: <ms-ose:ResultsProcessing format="application/rss+xml">

   8: <ms-ose:LinkIsFilePath>-1</ms-ose:LinkIsFilePath>

   9: </ms-ose:ResultsProcessing>

  10: </OpenSearchDescription>

When you double click on this .osdx file, Windows uses the information it contains to create two new files.  The first is a Search Connector (a .searchconnector-ms file) in the “%userprofile%/searches” directory, and the second is a shortcut to it in the “%userprofile%/links” directory.   It’s this shortcut that appears in the ‘Favorites’ folder in to Screenshot above.

The Automated Way

The simplest way to deploy the new search settings out to a number of computers is though Group Policy. 

As the search config is stored within the Search Connector, all you need to do is deploy the .searchcconnector-ms file and shortcut out to your target computers.  There are a few ways to do this, but personally I’d use Group Policy Preferences.  This will give you a good level of control over the targeting of the files, and easily allow you to adjust the settings over time.  You could also use things like logon scripts.

You can configure Group Policy Preferences to deploy files with the User Configuration > Preferences > Windows Settings > Files area of a GPO.  You’ll have to do this as a user based policy as the files must be copied into the User Profile, if you copied the files as a computer policy it would apply before a user was logged on so they would end up in the wrong place.

Within the Files Preferences, you have to specify a source file location and a target location.  For the source location I would tend to use the Netlogon share for your domain (//domain.com/netlogon/) as a copy will be on every domain controller and usually therefore local to the end users.  The target locations should be the same as those described in the manual steps above:

Search Connector: %userprofile%/searches/File.searchconnector-ms

Shortcut: %userprofile%/links/SearchTitle.lnk

As well as the source and target info, you also need to set a few of the other options.  The first is ‘Run in logged on user’s security context (user policy option)’ as this will ensure that the file is copied in context of the user logging on. 

You may also wish to consider whether to set the ‘Remove this item when it is no longer applied’ options so that the files are removed if you decide to remove the policy.

Adding Links to Your Search Connector

Following the steps above will add your new search location into the Favourites folder and allow you to search against it.  You can however also add your new Search Connector to both the ‘Search Again’ links that appear at the bottom of any search results, and to the Start Menu.  This is done by configuring the ‘Pin Libraries or Search Connectors to the ‘Search Connectors’ to the ‘Search Again’ links and the Start Menu’ Group Policy that can be found within the User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer area.

I hope this has been useful!

Tags: , , , , , , ,
Posted in Tech, Work | No Comments »

Disk2VHD: Convert a live disk into a VHD

Tuesday, October 20th, 2009

A couple of guys at work pointed this out to me last week, so I’m a bit late posting about it, but I think it’s worth mentioning all the same.

image

Disk2VHD is a great little tool from Mark Russinovich and Bryce Cogswell, two of the guys behind Sysinternals (now part of Microsoft).  What it does is is pretty simple, copy a physical hard disk into a virtual hard disk (VHD).  There are loads of tools to do this, but what makes Disk2VHD different is that it can run on a live, online disk.  To do this is makes use of the Volume Snapshot capability that’s be in Windows since WinXP to create a point-in-time snapshots.

Being able to create a VHD from an online disk opens up a couple of news possibilities, for example it would make a pretty good tool for creating bootable backups of machines.  In fact when I get a chance I’ll be seeing if I can knock up an automated way of creating a VHD backup of an XP computer before it’s trashed and upgraded to Windows 7.  If it works, combined with Windows 7’s native boot to VHD functionality it’ll be a pretty good way of providing an instant recovery back to a users old XP computer.  Hopefully they’d never need it, but it may be worth the effort to add an extra level confidence.

Check out Disk2VHD here: http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

Tags: , , , , ,
Posted in Tech, Work | No Comments »

DirectAccess Planning Guide Beta Released

Wednesday, September 16th, 2009

I’ve written a few times about Windows 7 and Server 2008 R2’s DirectAccess technology.  It’s something that whilst complex, has the potential to be extremely useful when providing services to remote workers.

Microsoft have just released a beta of the Infrastructure Planning and Design guide for DirectAccess.  Whilst I’ve not had a chance to read through in on detail, the IPD guides are usually very helpful, and certainly the information I’ve seen through the TAP programme has been pretty good.

You’ll need to join the beta through the connect site, but information on how to do that can be found here: http://technet.microsoft.com/en-us/library/ee477347.aspx

Tags: , , , , , , ,
Posted in Tech, Work | No Comments »

Filtering Group Policy to Windows 7 Computers

Friday, September 11th, 2009

During the development work we’ve been doing with Windows 7, one of the items we’ve been looking at is how we can filter the group policy applied to User Accounts by the operating system they are using.

The reason for this is that for a phased migration to Windows 7, you will probably need to account for people roaming between different computers – which may or may not have been migrated.  As the configuration applied to Windows 7 may be very different to that applied to older Windows XP computers we need a way of linking both sets of policy to the user accounts, but only applying the right one for the current OS.

If you have all of your user accounts in a single OU (or OU hierarchy) this is relatively straight forward.  The simple answer is to use Group Policy WMI filters.  These allow you to filter the application of Group Policy based on the results of WMI queries you make of the computer.  For example another good use of these is to detect whether a computer is a laptop or desktop, by querying the battery status you can easily set different configurations for things like Offline Folders on laptops.

After a bit of testing I found the following queries work for filtering policy to different OS levels, and computer roles:

Select * from Win32_OperatingSystem Where Version like “6.1%” and ProductType = “1”

To further filter policies based on versions and roles the following properties can be used:

Version
To filter the by OS version, change the Version property to:

Windows 7 or Server 2008 R2 = “6.1%”
Windows Vista or Server 2008 = “6.0%”
Windows XP = “5.2%”
Windows 2000 = “5.0%”

Product Type
To filter by the different roles the computer might have, change the ProductType property to:

Client = “1”
Server running a Domain Controller role = “2”
Member server (server that’s not a DC) = “3”

The % character in the above queries is a wildcard for any characters that follow, so you could therefore use Version Like “6%”to filter for OS’s which are Vista and later.

To apply the filters, you use the Group Policy Management Console (GPMC).  In the WMI Filters section in the right hand pane, click right-click and select New.  Then give a name and description, click Add then enter the filter into the Query box.  Then click Ok and Save

To apply the filter to a policy, select the policy in the right hand pane, then on the Scope tab under WMI Filtering select your filter.

There are a few limitations, like you can only apply one filter per Policy (but you can have more than one query per filter) and the Queries are a property of the policy not the link, but overall they’re a very powerful tool.

Tags: , , , , , , ,
Posted in Tech, Work | 4 Comments »

Why use Windows 7 DirectAccess?

Saturday, July 25th, 2009

I’ve a couple of posts now about Windows 7 DirectAccess (here and here), and particularly about it’s use of IPv6.  It’s all been fairly technical, but despite the title of one of those posts I’ve only briefly touched on what DirectAccess is and why you might want to use it in your organisation.  So here goes…

There are a few trends to consider when you think about DirectAccess (DA) as it’s been built to answer some of the challenges that they pose.   The first is Mobile Working. 

In my experience over the past few years the amount of mobile workers, or at least those that are equipped with laptop computers to allow them to work remotely, has been steadily increasing.  With home broadband now available to most people, wireless networks common in peoples homes as well as in hotels and airports, peoples ability to work out of the office has never been greater.  And with them goes your corporate data, whether that be on their laptop, or a USB key or in an email to their GMail account – applying security closer to your data will become more important as time goes on.

Another trend to think about is cloud computing.  ‘Cloud’ is the new buzzword these days but it covers a wide range of topics.  The chances are most big companies are already using cloud services of some sort, whether that’s full on Google Enterprise or a Message Labs email filtering service.  Either way, that sort of managed or outsourced service will be a big factor over the next few years, and they introduce a few new things to consider.  First, relying on systems and services that you don’t have on your network, or managed by your guys, means that again security needs to be moved closer to those systems and the data they contain.  Secondly, if the services your end users access are out on the Internet somewhere perhaps the best way of accessing them remotely might not be via your corporate network.  Mobile clients may need to access both your network and the wider internet at the same time.

These trends combine with a third which is around the changing nature of the security perimeter around corporate information.  On the DA class I went on at Microsoft they referred to this as ‘re-perimeterisation’ which I think is a much better term than ‘de-perimeterisation’ which is favoured by the Jericho forum.  Whilst this is a big subject in its own right, the gist is that the traditional model of securing your information by firewalling off you network and relying on that perimeter to protect your systems hasn’t been sufficient for a couple of years now.  We need to start moving security in towards the host and the data.

So how does DirectAccess help with all this?

Well DirectAccess provides your organisations remote computers with transparent access to both the Internet and your corporate network.  If a DA enabled laptop connects to the Internet, a connection to the corporate network is automatically established at the same time.  This connection is authenicated against both the computer and the user, and secured using IPSec between the client and corporate resources it accesses (not just between the client and the gateway).

The computer can be authenticated either using a machine certificate issued to validated it’s from your domain, or by a health certificate from a Network Access Protection system to validate that the computer is ‘healthy’ (patched, AV’ed) enough to enter your network.

As DirectAccess launches the corporate network connection automatically the end user experience is… well… invisible.  They just logon as usual and they’re connected (assuming that they have internet access of course).  What’s more, the connection to the corporate network does not compromise their general internet connectivity – or visa versa.  You can specify the namespace of your internal network (for example intranet.mycompany.com) and any applications that attempt to access resources within that namespace are directed to internal DNS servers to ensure that the right resources are accessed.

Because DA connectivity is ‘always on’ computers connected in that way are much easier to manage and support.  With traditional VPN access solutions the remote laptops are only really manageable if and when the VPN is connected, meaning maintenance and patching tasks can be hard to achieve.  DA clients are visible to to any internal systems of support teams.  Patches can be applied, applications delivered and remote control tools used.

As DA can establish a corporate connection before the user has even logged on you also get the benefit of being able to apply changes to group policy and update the mobile users security token etc. just as if the user was in the office.

So in short, DirectAccess has the potential to greatly improve both the end users remote working experience, and the IT groups ability to support those remote users.  It’s good stuff (but you might want to read about some of the pre-requisites!).

Tags: , , , , , ,
Posted in Tech, Work | No Comments »

DirectAccess, IPv6 and IPv4 Networks

Thursday, July 23rd, 2009

The other day I posted some some information about the DirectAccess features of Windows 7 and Windows Server 2008 R2.  DirectAccess offers some fantastic functionality for mobile workers, making remote access to corporate systems completely seamless.

When setup, DirectAccess provides simultaneous connectivity to both the Internet and the corporate network.  If the client is connected to the Internet, it’s connected to the corporate network.  This allows mobile workers to access the corporate resources they need and allows IT groups to better manage and support remote computers.  It’s requirement for IPv6 however is a little bit scary.

I’ve never really delved into IPv6 in any detail, it’s always been one of those things that I’ll get around to later.  To be honest I don’t know a whole lot more about it now, it’s a huge subject and I hadn’t appreciated just how different is was from IPv4.  I don’t want to go into too much detail here as there’s tonnes of info out there already.  There are a few interesting things to consider in the context of DirectAccess though.

Whilst the networks like the Internet run quite successfully on IPv4, the 32-bit address space it offers is actually pretty small.  This means that most of the computers accessing the internet probably don’t have addresses that are publically addressable.  Of course this could be seen as a benefit to security, but if you want to access these machines for genuine reasons (management etc.) the fact these computers aren’t globally addressable is a real problem.  Oh, and the the last estimate I saw predicted that the public IPv4 address range will run out in 2 years!

The solution for these problems is IPv6.  It offers a 128-bit address space, which is simply h u g e.  I heard somewhere you could effectively give every grain of sand on earth an IP address or two and not worry about it.  It also has IPSec security built in (existing IPv4 solutions are retrofitted from v6) to provide better, more granular, security and supports much better prioritisation of traffic.

So IPv6 sounds great… but a full implementation is a huge change for networks designed and built to run IPv4.  A lot of network kit just wouldn’t work within a native IPv6 environment.  So a full IPv6 implementation is more of a long term goal, fortunately there are a few transition technologies available to help IPv4 and IPv6 co-exist.

From Vista onwards, Windows has shipped with an IP stack that supports IPv6 natively.  In fact, Windows now favours IPv6 and will use it to communicate with other Vista/2008/7 nodes if it can.  To allow IPv6 traffic to pass thorough existing IPv4 networks, IPv6 can be encapsulated within IPv4 packets.  Again, Windows will automatically encapsulate IPv6 should it determine that there is IPv4 connectivity between two IPv6 nodes (it can also be forced).

The encapsulation is done using the following technologies:

ISATAP – Used to provide unicast communication between IPv6/IPv4 hosts across an IPv4-only intranet.

6to4 – Used to provide unicast communication between IPv6/IPv4 hosts and IPv6-capable sites across the Internet (which is IPv4).

Teredo – Used to provide unicast communication between IPv6/IPv4 hosts across the IPv4 Internet, even when they have private IPv4 addresses and are located behind a NAT (Network Address Translation) device.

IP-HTTPS – Allows IPv6 to be tunnelled in using HTTP with SSL as a transport, thereby allowing connectivity even if clients are behind a restrictive proxy or firewall.  This is only available in Windows 7 and Server 2008 R2

For older equipment, there are also IPv4-IPv6 gateways that can be used to provide communication to equipment not compatible with IPv6.

DirectAccess uses these technologies to provide communication between the remote Windows 7 client and the Windows Server 2008 R2 DirectAccess server.  They (well ISATAP specifically) is then used to allow traffic to traverse an IPv4 Intranet from the DirectAccess Server to the resources being accessed.

The solution looks roughly like this:

IPv6 Transition Technologies

Tags: , ,
Posted in Tech, Work | 4 Comments »

So what is Windows 7 DirectAccess?

Tuesday, July 21st, 2009

A couple of weeks ago I was fortunate to be offered a place on a two day class at Microsoft to learn about the DirectAccess functionality of Windows 7 and Server 2008 R2.  The class was run by Fernando Cima from MS in Brazil (who it has to be said really knows his stuff).

For many years now private company networks have been completely separate from the hostile environment of the Internet.  This separation is achieved through the use of firewalls etc, and in many cases internal networks use private IP address ranges that can’t be directly addressed from the internet.

Whilst this separation provides a level of security, it does make life difficult for mobile workers, after all they’re on the Internet wanting to gain access to the very resources company’s want to protect.  Many organisations use solutions like VPN’s, Citrix and application publishing (for example Outlook Web Access published through a reverse proxy) to get around these limitations and make services available to remote workers.

These solutions are definitely useful, but the user experience for mobile workers is often less than ideal.  To maintain security they’ll almost certainly have to logon to these remote services separately, probably using complex passwords or two-factor authentication like RSA SecurID.  It’s hardly seamless.  Using a VPN probably also means that any traffic between the laptop and the Internet is routed though the VPN, into the company network, out of the company Internet connection and back again.  Again, not exactly ideal (though split-tunnelling can help).

What’s more, supporting remote clients is often a support nightmare.  Devices not on the network are hard to manage.  Using a VPN they are only accessible if and when the user launches the VPN.  Whether the connection is up and running long enough for patches to download etc. is often down to chance. 

So all in all there’s a lot of room for remote access solutions to be improved.  This is where DirectAccess tries to help.  It provides remote clients with seamless access to both the Internet and the internal network (intranet).  If the remote client has internet access, it automatically has access the intranet and the services within it.  No client software to launch, no additional authentication nothing.  Sounds good eh?

So how does it work… well the first thing to note is that DirectAccess isn’t a fancy new product in its own right – it’s really just a clever implementation of IPv6 and IPSec.  There is however a DirectAccess server role, and a wizard to set the whole thing up. 

At a high level it makes sure that both the client computer and the Intranet resources are globally addressable, and secures communication between them.  Of course to do this there are a number of problems to overcome:

Addressing
As mentioned, internal networks often use private address ranges, and even if they didn’t there simply aren’t enough IPv4 addresses available for companies to use globally unique addressing. 

Fortunately IPv6 is here to save the day… (this is the scary part).  IPv6 provides globally unique addressing, allowing the client and intranet services to address each other.  The techie among you are probably now thinking about how your networks are all IPv4 and that this is never going to work. 

From Windows Vista onwards, the IP stack in Windows has natively supported IPv6, and enables it by default.  In fact, Windows now favours IPv6 and will use it to communicate with other Vista/2008/7 nodes if it can.  So there’s a fair chance that some of your computers have an IPv6 address already.  

In many cases of course computers will be sitting on an existing IPv4 networks.  IPv6 traffic would therefore need to traverse these older networks to be of any use.  To achieve this IPv6 can be encapsulated within IPv4 packets.  Windows also now supports a number of protocols for achieving this natively, and will automatically encapsulate IPv6 should it determine that there is IPv4 connectivity between two IPv6 nodes (it can also be forced).  On an Intranet the ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is used to achieve this, and is enabled when DirectAccess is setup.  Older IPv4 based resources (for example Window Server 2003 and earlier) can be accessed through the use of IP translation devices such as Network Address Translation-Protocol Translation (NAT-PT).

The other area where IPv6 traversal over IPv4 networks has to be considered is over the internet, which is IPv4, and on the clients local network which is likely to be IPv4.  DirectAccess clients will attempt to use traversal technologies to gain access to the DirectAccess server, in these cases either 6to4 or Teredo depending on whether the client has a public internet address or is on a NAT’ed network.  Again this is automatic and handled by the Windows IP stack.  As a last resort, if 6to4 and Teredo traffic is blocked, a new protocol IP-HTTPS is used to encapsulate IPv6 packets inside HTTPS.

So in short, you should be able to use IPv6 for DirectAccess with only minimal work to the underlying network.  MS themselves are very clear that IPv6 is a long term goal, and have provided a heap of technologies in Windows to help deal with a long transition.

Security
If both your remote clients and your internal services are globally addressable, security is going to be a big concern.  DirectAccess uses the IPSec features of IPv6 to authenticate the client connecting to the DirectAccess server, and protect the traffic that passes between them. 

Computer authentication certificates can be either issued from a central CA in the domain to validate that the remote client is a company asset, or can be issued by the health authority within a Network Access Protection (NAP) environment.  In that case computers are validated as being ‘healthy’ before being granted access.

Name Resolution
Using DirectAccess clients effectively have access to both the Internet and the intranet.  You therefore need to ensure that traffic intended for the intranet goes there, and not out to the Internet.  Windows 7 does this using a Name Resolution Policy Table.  This table contains entries for internal namespaces and corresponding internal DNS servers.  When an application wants to access a resource, the resources name is compared to entries in the NRPT, if there’s a match the internal DNS server is used to resolve the name, if not the Internet connections DNS server is used.  In this way traffic is routed to the correct location.

So at a high level that’s how direct access works.  There’s a lot more to it than that, and I’ll try to post more over the next few days.  It’s a pretty complex thing to deal with – my head hurt after the two day class having struggled to take it all in.  I’ve never done anything with IPv6, so that was a hell of a learning curve, but once to you go though is a few times is make a lot of sense.

IPv6 is probably going to be Microsoft’s biggest obstacle in gaining traction with DirectAccess, many people I’ve spoken to about is run away when you point out that IPv6 is required.  Having worked though the implementation in a few labs however it’s not all that bad.  Whilst there are things you would want to do before enabling IPv6, it’s far less work than I though it would be – at least to get to a point where DirectAccess works.

Do the benefits of DirectAccess make it worthwhile?  Well it’s certainly a great solution.  Once it’s working remote clients are on the internal network, so communication is bi-directional and remote clients can not only access internal resources, but can be accessed from those internal resources for management and support.  Group policy applies as the computer starts up and users logon, patches apply and applications can be delivered.  For organisations with large numbers of remote users that’s are pretty compelling functionality. 

Whilst IPv6 might be perceived as an obstacle for DirectAccess, DirectAccess is probably the first ‘killer app’ for IPv6.

Tags: , , , , ,
Posted in Tech, Work | 3 Comments »

Energy Efficiency in Windows 7

Thursday, June 4th, 2009

As you might have guessed from some of my other posts, I’ve been doing a fair amount of work recently on Windows 7.  One thing I’ve been doing a bit of reading about is power management and if/how Win7 can influence our energy efficiency. 

Like may organisations we’re actively looking at ways to reduce the energy we consume, both in terms of within the work we deliver (i.e. designing buildings for our customers that consume less energy), and also the energy we consume as a company in our day to day operations – of which IT plays a part.

Having dig into it a little, Windows 7 has some interesting capabilities that should help us achieve our green computing objectives by reducing the power consumed by our desktop and laptop computers.  There’s some detailed info available from Microsoft directly so I won’t talk about it too much, but a few points are worth talking about.

A big part of a computers overall power consumption is the energy it uses when idle – not least because most computers spend a fair chunck of their lives in that state.  If you can’t turn them off or put them to sleep when idle, you should at least try to optimise tham a little.  Win7 helps by reducing the system resources that are used when idle, and reducing or postponing background tasks until the computer is being actively used.  It achieves this partly though increasing the number of background services that are only started when needed, cutting the amount of work Windows asks the computer to do.

In addition to managing core CPU, memory and disk usage, Win7 is also more intelligent about how it manages devices that are attached.  Displays, network adapters and Bluetooth radios can be scaled back to reduce power consumption, and in the case of displays Win7 natively supports ambient lighting sensors to optimise the brightness of the screen.

A big advantage for organisations managing a large number of computers is Win7’s improved support for management and diagnostics.  Group Policy can be used to set power policies, and a WMI provider allows for better scripting support through PowerShell.  This will allow a much more consistent application of power saving features across organisations.

Of course Win7, whilst an improvement, isn’t a sliver bullet that will solve all your problems.  There’s still a place for third party tools such as 1E’s NightWatchman. 

NightWatchman is actually a pretty good product.  Not only does it help you to shutdown computers overnight whilst gracefully closing applications etc, the backend components will also help you track benefits across your organisation.  It’s worth a look if you’re looking at cutting power consumption, whether for green or financial reasons.

Further info:
MS Win7 Power Management White Paper
- MS Win7 Power Management Webcast (it’s level 200 so not too techie)
1E NightWatchman

Tags: , , , ,
Posted in Tech, Work | No Comments »

« Older Entries