Windows optimize

10 mistakes new Windows administrators make

Whether you're new to network administration or to the Windows environment, a few common oversights and mistakes can trip you up. Deb Shinder explains how to avoid some of the problems new Windows admins often encounter.

Whether you're new to network administration or to the Windows environment, a few common oversights and mistakes can trip you up. Deb Shinder explains how to avoid some of the problems new Windows admins often encounter.


Maybe you're a brand new network admin. You've taken some courses, you've passed some certification exams, perhaps you even have a Windows domain set up at home. But you'll soon find that being responsible for a company network brings challenges you hadn't anticipated.

Or maybe you're an experienced corporate IT person, but up until now, you've worked in a UNIX environment. Now -- either due to a job change or a new deployment in your current workplace -- you find yourself in the less familiar world of Windows.

This article is aimed at helping you avoid some of the most common mistakes made by new Windows administrators.

Note: This information is also available as a PDF download.

#1: Trying to change everything all at once

When you come into a new job, or start working with a new technology, you may have all sorts of bright ideas. If you're new to the workplace, you immediately hone in on those things that your predecessors were (or seem to have been) doing wrong. You're full of all the best practices and tips and tricks that you learned in school. If you're an experienced administrator coming from a different environment, you may be set in your ways and want to do things the way you did them before, rather than taking advantage of features of the new OS.

Either way, you're likely to cause yourself a great deal of grief. The best bet for someone new to Windows networking (or to any other job, for that matter) is give yourself time to adapt, observe and learn, and proceed slowly. You'll make your own job easier in the long run and make more friends (or at least fewer enemies) that way.

#2: Overestimating the technical expertise of end users

Many new administrators expect users to have a better understanding of the technology than they do. Don't assume that end users realize the importance of security, or that they will be able to accurately describe the errors they're getting, or that they know what you mean when you tell them to perform a simple (to you) task such as going to Device Manager and checking the status of the sound card.

Many people in the business world use computers every day but know very little about them beyond how to operate a few specific applications. If you get frustrated with them, or make them feel stupid, most of them will try to avoid calling you when there's a problem. Instead they'll ignore it (if they can) or worse, try to fix it themselves. That means the problem may be far worse when you finally do become aware of it.

#3: Underestimating the technical expertise of end users

Although the above applies to many of your users, most companies will have at least a few who are advanced computer hobbyists and know a lot about technology. They're the ones who will come up with inventive workarounds to circumvent the restrictions you put in place if those restrictions inconvenience them. Most of these users aren't malicious; they just resent having someone else in control of their computer use -- especially if you treat them as if they don't know anything.

The best tactic with these users is to show them that you respect their skills, seek out their input, and let them know the reasons for the rules and restrictions. Point out that even a topnotch racecar driver who has demonstrated the ability to safely handle a vehicle at high speed must abide by the speed limits on the public roads, and it's not because you doubt his/her technology skills that you must insist on everyone following the rules.

#4: Not turning on auditing

Windows Server operating systems have built-in security auditing, but it's not enabled by default. It's also not one of the best documented features, so some administrators fail to take advantage of it. And that's a shame, because with the auditing features, you can keep track of logon attempts, access to files and other objects, and directory service access.

 Active Directory Domain Services (AD DS) auditing has been enhanced in Windows Server 2008 and can be done more granularly now. Without either the built-in auditing or third-party auditing software running, it can be almost impossible to pinpoint and analyze what happened in a security breach.

#5: Not keeping systems updated

This one ought to be a no-brainer: Keeping your servers and client machines patched with the latest security updates can go a long way toward preventing downtime, data loss, and other consequences of malware and attacks. Yet many administrators fall behind, and their networks are running systems that aren't properly patched.

This happens for several reasons. Understaffed and overworked IT departments just may not get around to applying patches as soon as they're released. After all, it's not always a matter of "just doing it" -- everyone knows that some updates can break things, bringing your whole network to a stop. Thus it's prudent to check out new patches in a testbed environment that simulates the applications and configurations of your production network. However, that takes time -- time you may not have.

Automating the processes as much as possible can help you keep those updates flowing. Have your test network ready each month, for instance, before Microsoft releases its regular patches. Use

Windows Server Update Services (WSUS) or other tools to simplify and automate the process once you've decided that a patch is safe to apply. And don't forget that applications -- not just the operating system -- need to be kept updated, too.

#6: Getting sloppy about security

Many administrators enforce best security practices for their users but get sloppy when it comes to their own workstations. For example, IT pros who would never allow users to run XP every day logged on with administrative accounts think nothing about running as administrators themselves while doing routine work that doesn't require that level of privileges. Some administrators seem to think they're immune to malware and attacks because they "know better." But this over confidence can lead to disaster, as it does in the case of police officers who have a high occurrence of firearms accidents because they're around guns all the time and become complacent about the dangers.

#7: Not documenting changes and fixes

Documentation is one of the most important things that you, as a network admin, can do to make your own job easier and to make it easier for someone else to step in and take care of the network in your absence. Yet it's also one of the most neglected of all administrative tasks.

You may think you'll remember what patch you applied or what configuration change you made that fixed an exasperating problem, but a year later, you probably won't. If you document your actions, you don't have to waste precious time reinventing the wheel (or the fix) all over again.

Some admins don't want to document what they do because they think that if they keep it all in their heads, they'll be indispensible. In truth, no one is ever irreplaceable -- and by making it difficult for anyone else to learn your job, you make it less likely that you'll ever get promoted out of the job.

Besides, what if you got hit by a truck crossing the street? Do you really want the company to come to a standstill because nobody knows the passwords to the administrative accounts or has a clue about how you have things set up and what daily duties you have to perform to keep the network running smoothly?

#8: Failing to test backups

One of the things that home users end up regretting the most is forgetting to back up their important data -- and thus losing it all when a hard drive fails. Most IT pros understand the importance of backing up and do it on a regular schedule. What some busy admins don't remember to do regularly is test those backups to make sure that the data really is there and that it can be restored.

Remember that making the backup is only the first step. You need to ensure that those backups will work if and when you need them.

#9: Overpromising and underdelivering

When your boss is pressuring you for answers to questions like "When can you have all the desktop systems upgraded to the new version of the software?" or "How much will it cost to get the new database server up and running?", your natural tendency may be to give a response that makes you look good. But if you make promises you can't keep and come in late or over budget, you do yourself more damage than good.

A good rule of thumb in any business is to underpromise and overdeliver instead of doing the opposite. If you think it will take two weeks to deploy a new system, give yourself some wiggle room and promise it in three weeks. If you're pretty sure you'll be able to buy the hardware you need for $10,000, ask for $12,000 just in case. Your boss will be impressed when you get the project done days ahead of time or spend less money than expected.

#10: Being afraid to ask for help

Ego is a funny thing, and many IT administrators have a lot invested in theirs. When it comes to technology, you may be reluctant to admit that you don't know it all, and thus afraid -- or embarrassed -- to ask for help. I've know MCSEs and MVPs who couldn't bear to seek help from colleagues because they felt they were supposed to be the "experts" and that their reputations would be hurt if they admitted otherwise. But plunging ahead with a project when you don't know what you're doing can get you in hot water, cost the company money, and even cost you your job.

If you're in over your head, be willing to admit it and seek help from someone more knowledgeable about the subject. You can save days, weeks, or even months of grief by doing so.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

24 comments
mkaney
mkaney

Although the list of mistakes are correct, I think the accompanying advice lacks some creativity and following it may make you yet another annoying stuck-in-the-box IT admins. I offer a few alternatives: #1. Don't change just one thing at a time either. Come up with an overall plan and move different pieces of it ahead. You might find limitations or capabilities while working on one piece that will influence or change how you do another, but if you focus too much on one thing, you fail to find creative ways to make things work together, avoid conflicts, and make adjustments and changes in another area before you invest yourself in one thing (hardware, software product, vendor, etc..) too heavily. #3. "you must insist on everyone following the rules." Really?! I say create a track system. Capitalize on advanced user's skill by granting them priveleges. If you want IT admin ho hum stability, fine, but if your interest is in moving a company ahead, don't tie down people who can help accomplish that. It may require you put in some extra hours to mitigate issues that result...deal with it. These people can also be great resources for the other people they work with, helping you offload some of the more routine user issues/questions so you can implement new things. #5. If it ain't broke, don't fix it. If there is little potential for a system to be compromised, why introduce new issues that prevent you from making real progress and implementing the kinds of things that address the root causes of issues. Reserve your aggressive security and patching for systems that have outside accessibility, amd if possible keep your mission critical servers from external exposure. Do you want to spin your wheels or move ahead. Remember that opportunity cost is important. Evaluate the risks and benefits and make your decisions appropriately. #6. This one should have a part B.. being too obsessed with security. What is at risk? What flexibility are you sacrificing? For example, if you do not have sensitive data that exposes you to liability and you have bandwidth limitations, what is the overall cost impact in implementing and forcing users to go through a VPN to connect to a database server. Just harden that thing up, manage it in such a way that you can bounce back from anything in minutes, and block all Chinese and Korean addresses lol Don't follow every IT rule for the sake of following it, follow it because it makes practical, legal, and economical sense.

The 'G-Man.'
The 'G-Man.'

So why single out one particular admin set claiming new Windows admins make these mistakes?

XnavyDK
XnavyDK

I'm not exactly afraid of asking for help, but I am sometimes too stubborn to ask for help because I want to figure it out. This sometimes can exacerbate into a lag in getting something accomplished and making it look like I am procrastinating. Depending on your environment, this could be also looked at as inexperience in required/critical subject matter and a reason for hiring someone else. For example, I cannot figure out why my firewall isn't working. Its not a mission critical system because I have something else in its place for the moment. But its been a back burner issue for far too long and I attempt daily to try and work the issue. Its my learning process and one that I'm comfortable with. But, My boss wants it to be working, I said I will make it happen. But I digress as usual, just call me Digress man! its a great paperweight by the way.

jmgarvin
jmgarvin

Sys prep is great, but verify that the box is clean. Also make sure you use imaging software (like Acronos) or push software (like LANDesk) and UNDERSTAND what drivers you need pre-install and post install!!!

csmith.kaze
csmith.kaze

If you have regulations (healthcare for example) Be sure to follow it to the 't'.

cbulla
cbulla

12: When taking over a network from a previous administrator, audit all configurations to determine what, if anything, their account is tied to that may be mission critical. I can think of several instances where new person in charge had to reenable an account that was disabled.

sidekick
sidekick

If a user needs access to a folder,someone else's email, etc.., check with their manager or some other authorized person before giving them permission. Similarly, if they ask you to do anything, don't just do it, ask why. I lost count of how many times someone requested a new mouse because the old one "didn't work" when really it was just sticking and needed the rollers cleaned.

gfjim
gfjim

I have seen a great share of very "dry behind the ears" Windows, Unix, network, you-name-it admins as well that could use a few of these suggestions as reminders.

Industrial Controller
Industrial Controller

A new environment that looks peaceful on the surface can have hidden dangers that will sink your ship in a hurry. People have usually staked out turf and woe to the person that violates unwritten rules. Proceed with caution.

jtakiwi
jtakiwi

of mistakes all IT folks and those managing them make: You said the boss wants a new firewall, but you have an existing one working fine. Is the new one required for a new feature, better security? Or like I've encountered too many times, someone up high in the foodchain thought it was a good idea, without any real knowledge? Alas, I digress from the article discussion. #12 might be to let the desired results drive the project, not the product we already bought drive the project.

The 'G-Man.'
The 'G-Man.'

Otherwise it may become a paperweight for a nasty pink slip.

jtakiwi
jtakiwi

and a decent reminder for the old hands as they transition to new environments. #11 might be: Make no assumptions.

XnavyDK
XnavyDK

also not very useful

XnavyDK
XnavyDK

Unemployed? Not useful? why do people do this. I edited because I posted in the wrong place LOL

CharlieSpencer
CharlieSpencer

If you're not a new administrator, why are you even looking at it? Not every article on TR is going to appeal to all readers. Your comment isn't useful either.

CharlieSpencer
CharlieSpencer

Keep in mind that auditing has a performance penalty. Also, some auditing can fill a log file pretty quickly. Turn on what you need, or test options one at a time.

john.jelks
john.jelks

Been there and bought the T-shirt . . .

BizMan
BizMan

RE: >> and a decent reminder for the old hands Even after doing a job for many years, a good reminder never hurts. We all often get busy, and over look the obvious, or get stuck in a rut of doing things a certain way, and make excuses for it, like, I'm too busy right now to worry about the details such as not documenting changes and fixes. I've worked with many seasoned veterans who kept all their problems to themselves, not asking for help when they needed it, not documented what they've changed or tried to do to fix the problem. It only hurts the guy who fills in for them when they are off sick or on vacation. It's not just a list for newbies, but a good list for reflection, and self assessment.

jtakiwi
jtakiwi

Auditing by itself is not very helpful in the grand scheme of things. You need something to actually condense and interpret the information for usability and compliance (if you happen to be in those industries). A well thought out system to collect, report and archive is a necessity. Also, you need to audit all the critical/logon servers for the complete picture.