Desktop Authority exerts the maximum level of control with a minimal amount of effort.
By Greg Shields
You don't have to be a master scripter, a Group Policy god or sport a black
belt in registry manipulation to effectively lock down your desktop configuration.
If you're a mere mortal like most of us, and the thought of scripting in VBScript
makes you shudder, then ScriptLogic's flagship Desktop Authority will make an
excellent addition to your quiver of admin tools.
Desktop Authority has been around for quite a while and has been repeatedly
recognized as a top-quality tool for centralizing workstation configuration
control. Whether or not your operating system supports Group Policy, Desktop
Authority does its magic through the log-in script. It's typically installed
on a Domain Controller and leverages the NETLOGON share of the Windows domain
to replicate its configuration through your domain's log-in scripts.
Where Desktop Authority excels above and beyond simple Group Policy is its
ability to handle multiple profiles for a user or computer based on a rich set
of validation logic. Group Policy has a lot of functionality when it comes to
configuring a particular computer or user, but that determination is usually
based strictly on membership in an organizational unit (OU). Since an Active
Directory object can only be present in one OU at a time, it's difficult to
apply any form of conditional logic.
The logic in Desktop Authority's profiles means you can apply a policy configuration
based on more parameters than mere OU membership. For example, need to apply
a desktop-level lockdown to laptops, but only when they're connected to the
wireless network? Create a profile based on the hardware chassis type and connected
network. If the client configuration matches that profile at log-on, then it
will process the lockdown.
With Desktop Authority 7.5, you can have as many as 24 possible tests connected
with Boolean operators (think "or" and "and") to build the
profile. Once you construct the validation logic, you can control 36 separate
configuration classes through Desktop Authority. For example, you can enable
reporting on workstation inventory, health, patch compliance and overall activity
to run on-demand or be e-mailed to anyone who needs that information on a set
schedule. Desktop Authority also has several remote assistance features to let
technicians look over the shoulder of any of your users who may need a helping
Figure 1. With USB/Port Security, you can selectively disable USB hard drives while continuing
to allow other types of media.
That New Software Smell
ScriptLogic refers to this particular update as "the Desktop Lifecycle
release." The company is positioning its extended product line as a cradle-to-grave
solution for initial provisioning on new workstations, ongoing operational management
and eventual decommissioning. It has added four specific features to the core
- The ability to lock out USB and other removable storage devices
- Improvements to software deployment
- A new operating system imaging solution
- The much-desired ability to refresh a workstation's configuration at times
other than log-on and log-off.
While previous versions could pull inventory and only configure remote systems
at log-in and log-off, this release lets you refresh a workstation's configuration
at preset intervals. This is similar to the refresh interval for Group Policy,
but defaults to a 60-minute interval.
Severing the product's exclusive tie to the log-in script significantly enhances
its utility. You can now refresh configurations on systems that don't regularly
log on to the network. If some of your users prefer to remain logged in with
their workstations simply locked (you hope) rather than logged out every night,
this feature will come in quite handy.
With the physical size of storage devices getting smaller, the risk of data
theft as an inside job is greater. Heck, USB-connected drives are getting to
the size now where a disgruntled employee can pocket a hard drive big enough
to steal a company's entire intellectual property set.
version 7.6 is coming up within the next couple of months.
The new version lets you:
• Manage Vista and non-Vista platforms from one console
with common security and configuration policies
• Centralize IE and Office management to ensure a consistent
• Manage Vista's User Access Control to mitigate compatibility
issues and ensure a smoother rollout
In the face of these types of threats, having a cohesive policy to protect
data against theft is critical. Desktop Authority incorporates policy-based
lockdown that lets you identify and restrict specific types of removable storage
per profile. If your desktop users need to use their CD burners but you want
to lock out USB thumb drives, you can.
Desktop Authority has long touted its ability to install, uninstall and ultimately
manage an environment's MSI-based software from the network administrator's
lofty ivory tower. This version adds package editing tools to customize
and test MSI installations. With Desktop Authority MSI Studio, you can edit,
customize and repackage vendor-supplied MSI installations to fit your environment.
This process lets you add environment-specific configurations to your software
and enable it for a fully silent installation.
What you gain here is the ability to simulate a package installation on a remote
computer in order to validate the files and registry keys overwritten by the
package. Also, the new simulation capabilities let you look for conflicts between
the new package and any existing software on the computer. These new testing
capabilities further ensure that any software deployment proceeds smoothly.
Finishing out the "Desktop Lifecycle" components are the new Image
Center features. These features let you deploy operating system images with
Desktop Authority. Functioning in a relatively similar fashion to other vendors'
solutions for image deployment, Image Center lets you generate and deploy standardized
core operating system images. You can then deploy these images to workstation
hardware either directly through bootable media, over the network using Microsoft's
RIS or via the supplied PXE server.
If you're already using Desktop Authority in your infrastructure, this additional
image deployment feature coupled with the other software deployment components
basically provides an end-to-end workstation provisioning solution. The only
thing the image deployment components seem to lack is the ability to install
device drivers other than those mass storage and hardware abstraction layer
pieces you'd need to boot the workstation.
Where Desktop Authority truly elevates itself is in providing a centralized
and easy-to-use interface for building, enabling and monitoring all these system
configuration capabilities. You could use a mix of scripting and policies, but
doing so requires some high-level mojo. That knowledge and experience takes
time to develop and you would still have to manage it from a cumbersome list
of interfaces. Using Desktop Authority, you can establish easy, auditable and
repeatable administration with a minimum of strain on your brain.
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.