Best Practices for corporate desktop lockdown? - TechRepublic
General discussion
June 15, 2004 at 10:35 PM
zaltech

Best Practices for corporate desktop lockdown?

by zaltech

I wanted to get some input regarding this topic – Here’s why – let me apologize in advance for the book:

I work in an organization that only uses local workstation policies for workstation control or conformity – we have about 3000 ws nodes.

We don’t have any written policy for workstation lockdown or deployment procedures.

We could use Zen or AD (have hybrid Novell/MS) to enforce group policies, but we don’t do this. Neither NALs nor MSIs are used to install applications in a consistent manner (most apps are installed manually after the base image is loaded, then (occasionally) the installer’s profile is copied as the default profile).

The workstations (Win2K) are locked down by tweaking the rights on the image (removing user rights to folders like WINNT, Program Files and most parts of the registry). I ran some Registry Exam/Repair tools and found that the base image has over 100 registry errors before it is joined to the network or any apps are even loaded. Often when there are application errors the desktop support team adds users to the local Admin group to resolve problems – a supposed no-no, but with no written policy…

Users cannot add their own printers, but even when printers are loaded by support personnel there is no consistency as to drivers or descriptions.

Patches and such are usually pushed using EPO (ePolicy Orchestrator) or occasionally Novell Workstation Manager. These patches are rarely ever tested before pushing so applications break on a pretty consistent basis.

I have worked in other (larger) organizations that seem to work much more efficiently so I am wondering if it is just me or does this process seem a bit unwieldy?

I guess my real questions are these:
1) Does desktop support control workstation security policy in any other organizations?
2) If so, does anyone else enforce security at a purely workstation level as opposed to using system policies of some sort?
3) Does the desktop support area dictate to the server support area when they can have access to the Zen Server anywhere else?
4) Any suggestions for hard data to show more effective and manageable ways?

Thanks FrustratedSupport
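One way to get the "hard data" the post asks for on the local-Admin-group problem is to capture `net localgroup Administrators` from each workstation and diff it against an approved baseline. The script below is an added example, not from the original thread or any product mentioned in it; the baseline members, hostnames and captured output are constructed samples.

```python
# Approved baseline; assumption standing in for the organisation's own list.
BASELINE = {"Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"}

# Constructed sample captures of `net localgroup Administrators`, one per host.
SAMPLE_CAPTURES = {
    "WS-0001": (
        "Alias name     Administrators\n\nMembers\n\n"
        "-------------------------------------------------------------------------------\n"
        "Administrator\n"
        "CORP\\Domain Admins\n"
        "CORP\\Workstation Admins\n"
        "The command completed successfully.\n"
    ),
    "WS-0002": (
        "Alias name     Administrators\n\nMembers\n\n"
        "-------------------------------------------------------------------------------\n"
        "Administrator\n"
        "CORP\\Domain Admins\n"
        "CORP\\jsmith\n"          # end user added to Administrators to "fix" an app error
        "WS-0002\\tempuser\n"     # undocumented local account
        "The command completed successfully.\n"
    ),
}

def parse_members(net_output: str) -> list[str]:
    """Return the member names between the dashed separator and the trailer line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("----"):
            in_list = True          # header is over; member list follows
        elif stripped.startswith("The command completed"):
            break                   # trailer marks the end of the list
        elif in_list and stripped:
            members.append(stripped)
    return members

def find_deviations(captures: dict[str, str], baseline=BASELINE) -> dict[str, list[str]]:
    """Map hostname -> local Administrators members absent from the baseline."""
    approved = {m.lower() for m in baseline}   # Windows account names are case-insensitive
    return {
        host: extra
        for host, output in captures.items()
        if (extra := [m for m in parse_members(output) if m.lower() not in approved])
    }

if __name__ == "__main__":
    for host, extra in find_deviations(SAMPLE_CAPTURES).items():
        print(f"{host}: unapproved local admins: {', '.join(extra)}")
```

Run against real captures (one file per host), the deviation count over time is the kind of figure that shows how often support is resorting to local Admin instead of fixing the image or the application permissions.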

