User Account Control: Blessing or Hindrance

January 1, 2009  by Gjkozick

User Account Control (UAC) is a feature of Windows 7 that helps protect your computer from being harmed by changes made by potentially dangerous software or unprivileged users. One could argue that it has many benefits for a large organization, but is UAC truly a help, or is it a hindrance to IT management?

Let me step back and describe my infrastructure a little. We have multiple locations; half of our computers are used by staff members and half are open to the public. We use a mix of software and policy to control what people can do on their computers. You could say I’m an expert with Group Policy and user rights. 90% of our users run with reduced privileges on their machines.

Windows XP

We previously ran Windows XP on our machines. Windows XP had a limited “Run As” ability, but if an account didn’t have permission to do something, the operation simply failed. For example, our users didn’t have permission to install printer drivers. If they tried, it failed; end of story. IT staff had to log off, log on as an administrator, and install the drivers. Multiply that by 20 machines and this workflow wasted a lot of our techs’ time whenever they had to, for example, reinstall printer drivers at one of our locations.

Windows 7

Windows 7 has UAC and a greatly improved facility for running applications in other user contexts. Take the same example as above. This time, with Windows 7, instead of failing outright, the PC prompts us for administrative credentials to install the same printer drivers. Without logging off, we can install the new drivers, and this alone has cut the time it takes to change out drivers by at least half (we’ve since found a Group Policy setting called “Point and Print” that makes this even easier; more on that another time).

Downside of UAC in Implementation

In my experience, UAC has lots of benefits. It’s already saved me and my department both time and sanity. I’m not unhappy with Microsoft’s concept or implementation. I feel that having non-administrators prompted to do privileged things is a much better solution than the previous workflow in XP.

My biggest problem is with smaller software companies that don’t seem to understand UAC and write their code without taking it into account. I don’t like the idea of having to disable UAC just to make a necessary piece of software function correctly. It should be up to the developers to stay current with the latest technology and operating systems and to program within this paradigm.

I’ve seen two examples within the last week with software that is necessary to my organization. I have to make this software work and usable, but it doesn’t work under a non-administrative account when UAC is enabled. Windows 7 has been out for a while and 8 is on the horizon; the fact that their software is still not current with the technology is ridiculous.

UAC and Automatic Updates

My second problem with UAC falls on companies like Adobe and Mozilla. These often-exploited programs update frequently, and both companies have recently forced automatic updating into their products. The problem is that non-privileged users don’t have permission to run these updates. I have a large network, and software versions and updates are something I control tightly. I jump through hoops at deployment time to update these programs silently and remove their ability to auto-update. I don’t want my users to be annoyed by constant update prompts, especially when they can’t get past UAC to install the updates. I would rather the burden of updating fall on me, the administrator, than on my users. I just want them to be able to trust that their computer works and is updated to the latest version.

Conclusion

I like UAC; I think it’s a big step forward for management. Like anything, there’s always room for self-evaluation and improvement. I think there should be a better mechanism for allowing exceptions for frequently updating, approved programs (like Flash Player or Firefox) to update themselves without administrative approval. While I understand the arguments from both sides, I think there should be a way, even if it’s a little more hidden, to more easily bypass UAC for specific programs.




Windows Server 2008 R2 Upgrade Considerations

January 1, 2009  by Gjkozick

With a new year comes a new budget and new projects. One of my favorites this year is going to be some VMware experimentation. We’re planning to combine the functionality of one of our sets of branch servers into a single physical box. The benefit is that we can do this at half the hardware price.

Another advantage this year is that I’m taking a step up in technology. I was able to purchase a Windows Server 2008 R2 Volume License. One of the catches to upgrading to Server 2008 R2 is that it is 64-bit only. Our DCs are pretty old. I’m reasonably sure that most of them are 64-bit capable, but they were installed back when Windows Server 2003 was top of the line. There’s no direct upgrade path from Windows Server 2003 32-bit to Windows Server 2008 R2 64-bit. For those of you who may not know, this jump is like going from Windows XP to Windows 7. Windows Server 2008 is built on Vista technology, while Server 2008 R2 adds technology and functionality from Windows 7.

Unless I can completely reformat my boxes, I can’t load them with Windows Server 2008 R2. Some of my machines, especially the DCs, I can pretty much reload with impunity, because every other DC has a copy of Active Directory on it. However, in the case of an application server, I wouldn’t be able to do that without restoring the applications on it. Luckily, my Exchange Server is new and I installed it on Server 2008 R2 last year. Things like my Configuration Manager servers and web servers, however, aren’t as lucky.

While I may not be able to upgrade these older servers to Windows Server 2008 R2, I may be able to upgrade them to Windows Server 2008 32-bit. This would be decided case by case, and would also depend on what new functionality that upgrade would give us.




I Uninstalled Java 7

January 1, 2009  by Gjkozick

I’d like to blast Java off my network; however, there are many sites and applications that depend on the quirky, unreliable programming framework. I’ve tried both Java 7 and Java 7 Update 1, neither of which appears to have the polish I’d like.

My biggest problem is the auto-updating feature. I have 500 public PCs that run on limited user accounts, and when either version of Java 7 is installed, the users receive an administrative elevation prompt when the system logs on. It creates confusion and just isn’t detail-conscious.

My second issue is that everyone wants their site to work on my PCs. An example is the Blackboard education site for Kent State. Up until a few weeks ago, it would not function with IE9, and it needed Java 6. Without these two conditions met, the site would freeze IE. I try to be security-conscious and on the cutting edge, to protect the security of my network and the privacy of my users. However, many sites, especially government sites, rely on antiquated versions of software. FAFSA filing is a good example: they still require IE8 even though IE9 has been out for more than a year. I have neither the manpower nor the time to make my computers compatible with every site on the internet.

Uninstalling Java 7

Java is one of those programs that, instead of upgrading in place, installs a new copy of itself when you update. So you could literally have five revisions of Java installed on one machine. If I want a specific version of Java installed, I have to uninstall all previous versions and reinstall the one that I want.

Luckily for us, there’s an easy way to do this, using the registry and the program msiexec. First, we’ll have to dive into the registry. Open the Registry Editor with the regedit command and navigate to the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall key. You’ll notice a bunch of product IDs listed under this key. You’re looking for keys that start with “{26A24AE4”; all the entries for Java will start with these characters.

We can use msiexec.exe to uninstall each of these versions of Java with the command “msiexec /x {Program ID} /qn /norestart”. We’ll start building a batch file, with a line like this for each version of Java listed under the Uninstall key. We’ll also put “start /wait” at the beginning of each line so that the command completes before the next one runs.

Next, we run the installer for the version of Java we actually want on the machine; in this case, Java 6 Update 29. We include the “/s /qn” switches for a silent install. We also pass the special parameters “ADDLOCAL=All IEXPLORER=1 ALLUSERS=1 JAVAUPDATE=0 AUTOUPDATECHECK=0 SYSTRAY=0 WEBSTARTICON=0”. These install the IE plug-in for all users, disable auto-update, and keep the tray and Web Start icons from showing when Java applications run.

The final step is to make sure that the auto-updater is not started when you log on. Go back to regedit and navigate up a little to the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run. If the auto-updater is installed, you’ll see a value under this key called “SunJavaUpdateSched”. We want to remove this value, which we can do by adding a “reg delete” command to our batch file. The full command is “start /B reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v SunJavaUpdateSched /f”.

I’ll add a parameter to the batch file to handle 32-bit or 64-bit, and my final batch file looks a little like this:

When you run the batch file, it uninstalls previous versions of Java, reinstalls the desired version, and then disables all forms of auto-update.
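The same three steps as an added PowerShell example (this is not the post’s own batch file): it enumerates the {26A24AE4 product codes from the Uninstall key in both the native and Wow6432Node registry views, removes each one with msiexec, installs the wanted version with the parameters described above, and deletes the SunJavaUpdateSched logon value. The installer path in $InstallerPath is a placeholder you must point at your own copy of Java 6 Update 29; run it elevated, or with -WhatIf to only list what it would do.

```powershell
# Added example, not the post's own batch file: the same procedure in PowerShell.
# Assumed: $InstallerPath is where you keep the Java 6 Update 29 installer; run elevated.
param(
    [string]$InstallerPath = '\\server\share\jre-6u29-windows-i586.exe',  # placeholder path
    [switch]$WhatIf   # list what would happen without changing the machine
)

# Uninstall key in the native view and, on 64-bit Windows, the 32-bit (Wow6432Node) view.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
) | Where-Object { Test-Path $_ }

# Step 1: every Java product code begins with {26A24AE4; collect and uninstall each one.
$javaCodes = $uninstallRoots |
    ForEach-Object { Get-ChildItem -Path $_ } |
    Where-Object { $_.PSChildName -like '{26A24AE4*' } |
    ForEach-Object { $_.PSChildName }

foreach ($code in $javaCodes) {
    Write-Host "Uninstalling $code"
    if (-not $WhatIf) {
        # Same as "start /wait msiexec /x {code} /qn /norestart" in the batch file
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList "/x $code /qn /norestart" -Wait -PassThru
        Write-Host "  msiexec exit code $($proc.ExitCode)"   # 0 = removed, 3010 = reboot needed
    }
}

# Step 2: silent install of the wanted version: IE plug-in, all users, auto-update and icons off.
$installArgs = '/s /qn ADDLOCAL=All IEXPLORER=1 ALLUSERS=1 JAVAUPDATE=0 AUTOUPDATECHECK=0 SYSTRAY=0 WEBSTARTICON=0'
Write-Host "Installing $InstallerPath $installArgs"
if (-not $WhatIf) {
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $installArgs -Wait -PassThru
    Write-Host "  installer exit code $($proc.ExitCode)"
}

# Step 3: make sure the updater is not started at logon (checked in both registry views).
foreach ($runKey in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')) {
    if ((Test-Path $runKey) -and
        (Get-ItemProperty -Path $runKey -Name SunJavaUpdateSched -ErrorAction SilentlyContinue)) {
        Write-Host "Removing SunJavaUpdateSched from $runKey"
        Remove-ItemProperty -Path $runKey -Name SunJavaUpdateSched -WhatIf:$WhatIf
    }
}
```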




Shopping IT Used to be Easier

January 1, 2009  by Gjkozick

I recently walked into the local Best Buy to purchase a serial cable. I found all sorts of overpriced HDMI, USB, and VGA cables, but no serial cable to be found. It reminded me of just how much shopping for IT equipment has changed.

When I was growing up, I remember hitting the local CompUSA with my dad; that was my primary store for computer buying. They had a wide array of add-on cards, cases, processors, memory, and everything else that you’d want.

CompUSA is gone. Radio Shack, or “The Shack” as it’s called now, is basically a cellphone store. Best Buy barely sells any computers; it’s all cellphones, tablets, and TVs. They have one or two desktops and a few laptops, but mostly mobile devices.

The best place I’ve found to buy computer components is Microcenter; unfortunately, the closest one is about an hour north. I was amazed with the shelves of raw hard drives and the stacks of motherboards and cases. It’s the closest that I’ve seen in person to Newegg.

My Dad gave me my start with computers. When I was a kid, he bought us a 386SX (my first actual computer was a Commodore 64). I’m sure it cost him a bit, but I think he knew that computers would be big in the future, and he was right. He helped me upgrade the system over time. We added a new CD-ROM, sound card, video card, RAM, and hard drive. I learned how to install and configure these, back in the day before plug and play. It was a huge foundation for what I do today, arguably more important than even what I learned in college. I’m thankful to my Dad for exposing me to computers when I was little. In a sense, it helped decide what I would do for a living. I couldn’t really be an engineer like him (I’m not made for that), but my Dad still had a big influence on the career that I eventually chose.




Updating Your Windows Network

January 1, 2009  by Gjkozick

Updating Your Windows Servers

Keeping your servers and clients updated is one of the hardest tasks for an Information Technology pro. There are two ways of going about it. You can manually run Windows Update, which becomes a tedious and regimented process, or you can set up some mechanism to update your systems automatically. The problem with the second approach is that automation eventually fails. Many people set up an automated process and never check back on it until it’s too late and something has happened, or their servers are so out of date that they get compromised.

Make no mistake: whichever option you choose, it’s your responsibility as an Information Technology pro to check up on your process and make sure that your systems are getting updated.

Slow and Steady Wins the Race

I worked for a company a few years back that was a little backward. I eventually left because their views on IT were not in line with mine. In many ways, their approach to IT was backward and wedded to the status quo. I like to be on the cutting edge, evaluating new products.

I was told at this company that “IT should be seen and not heard. If I see you or hear you, you’re not doing your job.” Likewise, any attempt to reform their backwards IT practices was rebuffed. They kept a sheet in the office that had every employee’s login and password on it. The sheet was stapled to the wall. Seriously, this is not the way to do things.

They were very big on me doing everything manually. One problem I had with them was that they wanted me to start every morning, before the regular employees arrived, and laboriously run individual updates on each computer. This was a lot of extra time that required me to be in very early, and something I could easily have made obsolete with a little modern technology.

Mechanisms to Auto-update

That’s one way of doing things. Manually updating works, I won’t dispute that. The problem arises when you go from a network with 5 computers to a network with 1,000 computers, or when your network spans multiple locations. You can’t manually update a network that large, and with a limited IT staff (nobody with that many locations is going to have dedicated IT staff for each one), you physically can’t maintain that update cycle.

Microsoft has implemented two ways of automatically updating computers. The first is to set the operating system itself to run updates automatically. However, this bypasses a network administrator’s ability to vet updates for any problems they may cause.

This brings us to Windows Server Update Services (WSUS) and, by extension, System Center Configuration Manager (SCCM), which uses WSUS on the back end.

WSUS provides a mechanism to approve updates and then uses Group Policy Objects, or the SCCM client, to control the specifics of update deployment. Using these tools, you can approve updates, track deployments, and manage compliance from behind the scenes. For a large network, this is great. WSUS is freely available to anyone already running Windows Server (so any business can implement it), and larger companies will be able to use it through SCCM.

Troubleshooting SCCM Update Deployment

No automatic update process is failure-proof. As I’ve stated, it’s your responsibility to your organization to monitor and track how your update process is functioning. I noticed recently, while checking server logs, that part of my update process had failed: the SCCM status showed the WSUS Configuration component in a failure state. To fix this, I had to reinstall WSUS and the Software Update Point feature of SCCM. This time, instead of directing WSUS traffic through the default ports 80/443, I directed it through the alternate default ports Microsoft recommends for SCCM, 8530 and 8531. After doing this, I noticed that my servers were still not installing updates as published.

The Joy of SCCM Logs

Configuration Manager maintains client-side logs of its operations. By default, SCCM logs are kept in the directory C:\Windows\System32\CCM\Logs or C:\Windows\SysWow64\CCM\Logs (depending on your OS type). WUHandler.log records how SCCM hands updates over to Windows Update. Looking at this log, I saw that Windows Update traffic had been stalled for a while; at the time, the log file was about a month behind.

My first thought was to repair the Configuration Manager client. You can initiate a repair by selecting the Computer Management icon in your Control Panel and then choosing the repair option from the Components tab. This resynchronizes the Configuration Manager client with your server.

I investigated the WUHandler log a little more and kept seeing this line: “Group policy settings were overwritten by a higher authority (Domain Controller) to: Server and Policy NOT CONFIGURED”. Following this, the Windows Update handler would try to change the WSUS port from 8530 back to 80. This mystified me, because there was no GPO in place setting this, and SCCM should set the server address and port statically. The error indicates that some setting within a GPO was affecting my update settings.

I searched and searched and could not find a currently applied GPO with this option enabled, although there were a few old objects with WSUS settings. I’m pretty much a Group Policy expert. What I ended up doing was adding a new GPO that configures the Windows Update settings and points to the correct port. When I did this, the log file showed that the Windows Update server was already set to 8530 and did not need to be changed. After that, my Windows updates FINALLY started flowing again.

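A check I would add to a client for exactly this situation, as an added example that is not from the post: it reads the Windows Update policy values that a GPO writes (the standard WUServer, WUStatusServer and UseWUServer locations, which the post does not name), compares the server port against the 8530 you expect, and searches the CCM log for the override line quoted above. The log name and path follow the post; $LogPath is an assumption to adjust for your client.

```powershell
# Added example, not from the post: does the policy point Windows Update at the
# expected WSUS port, and is the CCM log reporting a GPO override?
param(
    [int]$ExpectedPort = 8530,                                         # port the SUP was reinstalled on
    [string]$LogPath = "$env:windir\System32\CCM\Logs\WUHandler.log"   # assumed; name as used in the post
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

# The values Group Policy (or SCCM local policy) writes for the WSUS location.
function Get-WsusPolicy {
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey    -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

# True when the URL's port matches the expected WSUS port.
function Test-WsusPort {
    param([string]$Url, [int]$Port)
    if (-not $Url) { return $false }
    try { return ([uri]$Url).Port -eq $Port } catch { return $false }
}

$p = Get-WsusPolicy
if (-not $p.WUServer) {
    Write-Warning 'No WUServer policy value found; the client may be waiting on a policy refresh.'
} elseif (-not (Test-WsusPort -Url $p.WUServer -Port $ExpectedPort)) {
    Write-Warning "WUServer is $($p.WUServer), not port $($ExpectedPort): a GPO is probably overriding the SUP setting."
} else {
    Write-Host "WUServer = $($p.WUServer) (port $ExpectedPort) OK"
}
if ($p.UseWUServer -ne 1) { Write-Warning 'AU\UseWUServer is not 1; clients will not use the WSUS server.' }

# Look for the override message the post quotes; show the most recent occurrences.
if (Test-Path $LogPath) {
    $hits = Select-String -Path $LogPath -Pattern 'overwritten by a higher authority' | Select-Object -Last 3
    if ($hits) {
        Write-Warning "Policy override lines found in $($LogPath):"
        $hits | ForEach-Object { Write-Host "  $($_.Line)" }
    } else {
        Write-Host "No 'overwritten by a higher authority' entries in $LogPath."
    }
} else {
    Write-Warning "Log $LogPath not found (64-bit clients may log under SysWow64\CCM\Logs)."
}
```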
Conclusion

This was a really long explanation of the proper way to update your network, and it highlights that even after you’ve created an automatic deployment system, you still need to be careful with the details and monitor your system to make sure it functions as intended.

Information Technology is more than just hardware and software. It’s about problem solving. Our co-workers come to us with problems, and it’s our job to find solutions to those problems using our skills and abilities. Attention to detail and good problem-solving skills are an essential addition to a good Information Technology professional’s toolbox.