Windows – Tips for managing multiple non-domain, off-site computers

Tags: domain, remote, windows

My home office uses a Windows domain that hosts about 25 nodes. There are 17 locations out in the field (70% Windows XP, 30% Windows 7) with anywhere from 4-10 computers that are not joined to this domain and don't exist on a domain. We had decided early on the cost to create and manage the infrastructure to hook into our home office domain was not enough to justify what little we needed it for (they all connect to our web application to do their work anyway).

However, this creates a big time sink for our (very small) IT department whenever we need to do any kind of maintenance on the field machines. I'd love to see us save some time with a tool or set of practices that will allow us to better manage these systems remotely, even if it is something as simple as managing updates, running commands, or pushing Firefox out to everyone.

What are some good tools/practices to manage this problem for about 150 remote, non-domain nodes? Any software solutions should be recommended knowing that we are a small company with a constrained IT budget.

Best Answer

I personally like AD, but you've already said you've decided against it. So...

  • VPN Connections to connect them to the office. (Routing and Remote Access/OpenVPN/Cisco AnyConnect/What came with your router/etc.)
  • LogMeIn or something similar on the clients.
  • You can run WSUS outside of a domain. There are registry keys to help you with that, and they can download their Microsoft updates via the VPN. This will also give you reports on patch compliance. You can push out these keys one of the ways below. (Be careful with the SusClientID and PingID--they cannot be identical on all machines. Also, WinXP takes those keys like a little doll, but you might have to handhold 7 a bit.) Conversely, you could foist an update policy on the clients that involves going directly to Microsoft and have done with it.

Which leaves us with software installs/updates. Money and time spent will be in inverse proportion to each other, in my experience, but your mileage may vary.

  1. Management software like Altiris Deployment Solution, LANdesk, etc. Pros: Built for this, and they make it a lot more manageable. Your clients do show up in the console when they're connected to the VPN, although the connection can be stinky. Cons: Costs money, although I believe most of them charge by the client.
  2. Scripts and PsExec, although I've never tested running them over a VPN and you'd probably have trouble finding individual workstations. Pros: Free. Cons: You'd probably have to LogMeIn to a remote machine and run PsExec on the local machines that way.

Which is why Grant is in favor of Active Directory for software installs. Honestly, I was just absurdly happy when a former employer finally got AD and I could finally stop pushing out registry keys via management software.

There are also (very few) places that do remote desktops as a service (Desktone, Molten, Citrix, Amazon has a beta). You might be a candidate for that. It's definitely worth looking into in your case, IMHO.

What I would recommend is:

  • Figure out how much it would cost to hook the remote sites into your existing domain, including hardware, software, and someone to manage it.
  • Price various software packages (Altiris, LANdesk), including hardware, software, and someone to manage it.
  • Price hiring another tech or two.
  • Price the various Desktops as a Service providers and see if they look like a good fit.

Hopefully, at that point, something will start to look right to you. Good luck!
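The registry approach in the third bullet of the answer above, written out as an added PowerShell example that is not part of the original answer: it sets the same WindowsUpdate policy values a domain GPO would push, and optionally clears the per-client identity values the answer warns about (duplicate SusClientId/PingID values are what you get when several machines were built from one image, and they collapse into a single entry on the WSUS console). The WSUS URL and the target group name are assumptions; the script needs PowerShell 2.0 or later on the client, which on XP SP3 is a separate install.

```powershell
# Added example, not from the original answer. Points a non-domain Windows
# client at a WSUS server using the policy registry keys, and can reset the
# client's WSUS identity. Run elevated (or as SYSTEM via PsExec -s).
param(
    [string]$WsusServer  = 'http://wsus.example.internal:8530',  # assumption: your WSUS URL and port
    [string]$TargetGroup = 'FieldSites',                         # assumption: client-side target group name
    [switch]$ResetClientId                                       # use on machines cloned from one image
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

# Policy keys do not exist on a non-domain machine until something creates them.
foreach ($path in @($wuPolicy, $auPolicy)) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
}

# Where the client fetches updates and where it reports status (normally the same host).
Set-ItemProperty -Path $wuPolicy -Name 'WUServer'       -Value $WsusServer -Type String
Set-ItemProperty -Path $wuPolicy -Name 'WUStatusServer' -Value $WsusServer -Type String

# Client-side targeting, so field machines land in their own group in the WSUS console.
Set-ItemProperty -Path $wuPolicy -Name 'TargetGroupEnabled' -Value 1            -Type DWord
Set-ItemProperty -Path $wuPolicy -Name 'TargetGroup'        -Value $TargetGroup -Type String

# Automatic Updates behaviour: use WSUS, auto-download, install on a schedule.
Set-ItemProperty -Path $auPolicy -Name 'UseWUServer'  -Value 1 -Type DWord
Set-ItemProperty -Path $auPolicy -Name 'NoAutoUpdate' -Value 0 -Type DWord
Set-ItemProperty -Path $auPolicy -Name 'AUOptions'    -Value 4 -Type DWord  # 4 = auto download and schedule install
Set-ItemProperty -Path $auPolicy -Name 'ScheduledInstallDay'  -Value 0 -Type DWord  # 0 = every day
Set-ItemProperty -Path $auPolicy -Name 'ScheduledInstallTime' -Value 3 -Type DWord  # 03:00 local time
Set-ItemProperty -Path $auPolicy -Name 'DetectionFrequencyEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $auPolicy -Name 'DetectionFrequency'        -Value 4 -Type DWord  # check every 4 hours

if ($ResetClientId) {
    # Clearing these values makes the agent generate a fresh SusClientId and
    # PingID on its next check-in, so each machine shows up separately.
    $wuState = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    Stop-Service -Name wuauserv -Force
    foreach ($name in 'SusClientId', 'SusClientIdValidation', 'PingID', 'AccountDomainSid') {
        Remove-ItemProperty -Path $wuState -Name $name -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv
}

# Make the agent re-read the policy and contact the server now rather than
# waiting for the next detection cycle.
Restart-Service -Name wuauserv -Force
& wuauclt.exe /resetauthorization /detectnow
```

To push this out the way the answer suggests, copy the script to a share reachable over the VPN and run it per host with PsExec, for example `psexec \\fieldpc01 -s powershell.exe -ExecutionPolicy Bypass -File \\fileserver\it\Set-WsusClient.ps1 -ResetClientId` (hostnames and share are placeholders). For XP machines without PowerShell, the same values can be exported to a .reg file and imported with `reg.exe import`. After a few hours the machines should appear under the target group in the WSUS console; a site whose machines all show as one entry is the duplicate-ID symptom, and re-running with `-ResetClientId` fixes it.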
