IFAS COMPUTER COORDINATORS
NOTES FROM October 10th 2008 REGULAR MEETING
A meeting of the ICC was held on Friday, October 10th, 2008 in the ICS conference room. The meeting was chaired and called to order by Dennis Brown at a couple of minutes past 10:00 am.
PRESENT: Fifteen members participated.
Remote participants: Bill Black, Micah Bolen, Dan Christophy, Dan Cromer, John Dixon, Francis Ferguson, Chris Fooshee, Wayne Hyde, Joel Parlin, Mike Ryabin, and Louise Ryan
David Bauldree, Ken Brauer, Dennis Brown and Winnie Lante
STREAMING AUDIO: available here.
Agendas were distributed and the sign-up sheet was passed around.
Dennis introduced John Dixon III who is now supplying OPS IT support for NFREC. John was connected remotely via Polycom and provided a little background information about himself. He began by supplying IT technical support in the area for a couple of years and then moved into Help Desk support. He appreciates this opportunity to transition to actual hands-on work supporting end-users having hardware and software issues. He currently works part-time in Milton and Jay. He also works full-time about 10-15 minutes up-the-road as a network analyst for another company. He is currently working towards his Computer Science bachelor's degree.
Dennis welcomed John into our group and hopes others will as well. If John has any issues getting up-to-speed the ICC is always ready and able to assist.
Recap since last meeting:
Dennis pointed folks to the notes of the last meeting, without going into any details.
Shibboleth and Identity and Access Management (IAM) at UF (see prior discussion)
Dan Cromer related that a public beta of the UF Shibboleth implementation is being offered mid-October with the expectation for production by mid-November. Completion of this project will mean that GLauth and other identity management systems will convert to Shibboleth over the years. There is no phase-out date for GLauth currently, but the stated direction for UF is movement to Shibboleth.
Report from the October ITAC-NI meeting
Dennis mentioned that he attended this meeting via Polycom, arriving just a little late on the scene. Dr. Charles Frazier spoke there about his transitional role in UF obtaining a CIO. Dr. Frazier spoke about his role as interim CIO and how Dr. Machen has now made the search for a CIO his priority now that the top-level HR and CFO organizations have been addressed. Dan's take was that this could lead to sweeping change for the overall IT organization at UF. Dan said that Dr. Joe Joyce is involved in a special committee which is looking at the overall governance structure for IT at UF.
Dan indicated that he would like to invite Dr. Frazier to an upcoming ICC meeting and provide him an opportunity to discuss with us how the upcoming governance changes might play out. Dr. Frazier is aware that IFAS has a good governance structure involving technical input from the ICC and policy recommendations from the ITPAC. The UF-level committee structure, ITAC, is being reconstituted and restructured and the plan is to retain the currently functioning sub-committees (Network Infrastructure, Data Infrastructure, Information Security Management, etc.).
Upcoming ITPAC meeting November 12th
The agenda has not yet been set, but discussion will likely return to the proposed Web Domain Policy among other issues.
Comprehensive IT risk assessments will be REQUIRED soon
Dennis noted this topic but no discussion ensued.
Update on changing the Barracuda default settings
(see prior discussion)
Again, Dennis noted this topic but no discussion was offered.
UF Exchange Project updates (see prior discussion)
Mail Meter deployment progressing
Dan Cromer reported that this UF Exchange attachment archiving solution is progressing and should be complete in roughly 60 days or so. That initial archiving process takes considerable time, but has already recovered considerable high-speed disk storage space.
IT support folks should be aware that these changes are happening so they can answer user questions should those arise.
Student mail to move to Google Gmail?
Dan Cromer reported that this matter has been tabled pending the CIO search and other IT organizational changes. It has not, however, been quashed.
WAN transition to CNS (previous discussion)
Dan Cromer reported that James Moore has been working very hard on setting up the infrastructure. He is evaluating connection options for our various locations to increase speeds and/or reduce costs. Dan stated that he believes the WAN is being managed as well currently as it was in the past. That doesn't mean there aren't difficulties and it is a continuing problem getting quotes from vendors in a timely fashion.
Split DNS solution for UFAD problems
Steve Lasley wants to keep this on the agenda for future reference.
IFAS WebDAV implementation
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.
Vista Deployment via SMS and WDS
Andrew Carey was unavailable to give an update on this matter, but Lance Cozart has been looking into an imaging solution for ICS. Daniel Solano has been successful in deploying a single Windows XP image for all of Food Science and is willing to be a resource to Lance in creating his image(s). Andrew and Daniel have offered to help Lance with that investigation.
Exit processes, NMB and permission removal (prior discussion)
Wayne Hyde pointed out that NMB settings (ufad\if-admn credentials required) need to be cleared immediately when people leave in order to control access to file shares and machines. Unfortunately, if NMB is removed prior to an individual's mailbox being de-provisioned (archiving and/or making accessible by supervisor, etc.) then only the central UFAD group can touch those. This places a burden on them which really needs to be addressed via UF processes. Granularity is needed to separate file and machine access from e-mail access because too many access issues hinge on that single NMB setting.
It was suggested that, perhaps, a new role of "Mailbox Managed By" could be lobbied for; Dan Cromer stated that he would bring the matter up with Mike Conlon for his consideration.
Re-enabling the Windows firewall
Wayne Hyde has been investigating this but his heavy workload keeps it on the backburner for now. The intention is to implement this in the not-too-distant future however.
Disabling/deleting computer accounts based on computer password age
Andrew was not available to discuss the plans on this, but Wayne filled in for him a bit. Andrew had investigated the matter by digging out an old laptop that had not checked into UFAD in 193 days (6 months) for which the computer account had been disabled by our current scripts. After booting up and trying to log on, he received a message that the computer account in UFAD was either missing or disabled, so he enabled it and was able to log in. The moral there is that even machines left off the network for quite a long time can (at least sometimes) be simply enabled again without the need to rejoin them to the domain.
Despite these findings, IT/SA would still like to implement some form of a deletion policy to help identify and clean up old computer accounts that are no longer being used. Andrew had proposed the following to start discussion:
- After 90 days of inactivity, a computer account is disabled (this is happening currently)
- Once a week, each OU admin receives a report of disabled computer accounts in their OU which includes the date the account was disabled, the date the account will be deleted, and steps to take to prevent the deletion.
- After 90 days of being disabled, the account information (computer name, location in AD, description and deletion date) will be logged to a database which will be accessible by the OU admin and the account will be deleted.
This would allow for 180 total days (almost six months) of inactivity before a computer account is deleted. To prevent deletion, Andrew envisions users going to a web page and selecting the computers that should not be deleted.
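The proposed lifecycle above, worked through as an added example (not a script from IT/SA or the ICC): it classifies computer accounts against the two 90-day thresholds, builds the weekly per-OU report rows and the pre-deletion log rows, and honours a keep list standing in for the proposed web page. The record layout, function names, OU names, the wording of the prevention note and the choice to count day 90 as expired are all assumptions; the sample inventory is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

DISABLE_AFTER = timedelta(days=90)  # inactivity before disabling (from the notes)
DELETE_AFTER = timedelta(days=90)   # time spent disabled before deletion (from the notes)
PREVENT = "Select this computer on the keep page before the deletion date."  # hypothetical wording

def evaluate(acct, today, keep=frozenset()):
    """Return (action, deletion_date) for one computer-account record."""
    if acct["disabled_on"] is None:
        if today - acct["last_seen"] >= DISABLE_AFTER:  # assumption: day 90 counts
            return "disable", today + DELETE_AFTER
        return "active", None
    if acct["name"] in keep:  # OU admin opted this machine out of deletion
        return "exempt", None
    delete_on = acct["disabled_on"] + DELETE_AFTER
    return ("log_and_delete" if today >= delete_on else "pending_delete"), delete_on

def run_policy(accounts, today, keep=frozenset()):
    """Build the weekly per-OU report and the rows logged before deletion."""
    report, deletion_log = defaultdict(list), []
    for acct in accounts:
        action, delete_on = evaluate(acct, today, keep)
        if action in ("disable", "pending_delete"):
            report[acct["ou"]].append({
                "name": acct["name"], "disabled_on": acct["disabled_on"] or today,
                "delete_on": delete_on, "prevent": PREVENT})
        elif action == "log_and_delete":  # record first; the caller then deletes
            deletion_log.append({
                "name": acct["name"], "location": acct["dn"],
                "description": acct["description"], "deleted_on": today})
    return dict(report), deletion_log

# Constructed sample inventory (not real UFAD data).
def _acct(name, ou, last_seen, disabled_on=None):
    return {"name": name, "ou": ou, "dn": f"CN={name},OU={ou},DC=example,DC=edu",
            "description": "constructed sample", "last_seen": last_seen,
            "disabled_on": disabled_on}

TODAY = date(2008, 10, 10)
SAMPLE = [
    _acct("LAB-PC01", "UnitA", date(2008, 10, 1)),
    _acct("LAB-LT07", "UnitA", date(2008, 7, 1)),
    _acct("OFFICE-PC12", "UnitB", date(2008, 4, 1), date(2008, 8, 1)),
    _acct("OLD-LT03", "UnitB", date(2008, 2, 1), date(2008, 6, 1)),
    _acct("FIELD-LT09", "UnitB", date(2008, 2, 1), date(2008, 6, 1)),
]

if __name__ == "__main__":
    print(run_policy(SAMPLE, TODAY, keep={"FIELD-LT09"}))
```

Logging the account name, AD location and description before the delete is what lets an OU admin later tell a retired machine from one that was removed by mistake.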
WinXP SP3 upgrades needed for Volume Shadow Copy
Wayne reported that he is trying to get all of the on-campus OUs set to receive SP3 via WSUS. Since these are the folks getting migrated to the new file cluster, they are the ones for whom this upgrade is critical. There are only a few on-campus units for which that has not yet been approved. No problems have been reported with the upgrade though several upgrades have failed--likely due to insufficient disk space.
Note from future: on Monday, October 20th, Andrew modified the login script to block user access to the VSS previous versions restore button and the VSS previous versions tab.
Non-UF domain names: policies, different policies, and developing IFAS procedures
Chris Leopold has been trying to get this discussed at the UF level as well but was unavailable to lead discussion here today.
New MPS/DC testing -- access by unit-level administrators
Andrew wasn't available to discuss this matter but Dan Cromer reported that testing of the proposed virtualized MPS/DC combination on Hyper-V is reportedly going well. IFAS will manage Hyper-V which will support a RODC (managed by UFAD and accessible by IFAS as well) as well as a multi-purpose file/print server.
They are expecting this to be roughly a nine-month project with a projected completion date of September 2009.
Mike Ryabin wanted to know if remote units would have the same access to the MPS which they currently enjoy. As discussed previously, the intention is to provide access as needed for remote OU admins to perform their duties. There may be some certification process required for certain types of access to assure that unit admins are properly trained however.
Report generating system
Dennis mentioned that he is interested in seeing what Lansweeper data would be available. His department currently uses AIDA32 for software and hardware inventory.
Our previous computer startup script has been removed along with the “UpdateComputer Information” scheduled task on AD APPS. The only thing left in the computer startup script is the enumeration of applications and services and the “UpdateComputer Information” scheduled task was performing the same function on a weekly basis. Since LanSweeper is handling this now, they are no longer needed.
Joel Parlin asked if this is something on which OU admins could request a report. That is certainly the plan. Since the Lansweeper data is stored in SQL, queries can be developed to mine that data and the SQL reporting system can even allow support folks to subscribe to queries so they are e-mailed on a regular basis if desired. What is needed from the ICC is some input on what reports might be most useful. Matt Wilson has mentioned that he is willing and able to develop that if provided such guidance on what we need.
Core Services status
Wayne reported that the biggest change currently is the necessary move to the new file server cluster which itself is waiting on deployment of SP3 to all campus WinXP machines so that certain Volume Shadow Copy controls may be disabled. Once a unit has deployed that it will be ready for migration to the new cluster.
ePO version 4 status
Wayne mentioned that there is another ePO server patch coming out shortly and a new client agent is expected in a month or two. Additionally, McAfee VirusScan 8.7i was just released and Wayne will begin pushing that out in a few weeks.
Status of SharePoint services (prior discussion)
Ben Beach was unavailable, but he plans to do a major SharePoint upgrade over the coming weekend to the new network load-balanced configuration with two web front-end nodes and a backend search node connected to the database.
Dennis asked about backups and Wayne responded that the database gets backed up every day.
Dan Cromer wanted everyone aware that Patrick Pettus is working on upgrading the software on our Polycom systems and is implementing software which provides an overall management solution for our various systems.
Dennis mentioned that his unit has been having some of their videoconferences recorded and had one in particular which they wished to retain on a long-term basis. Generally recorded conferences are kept only for a short time due to space constraints. With the help of Patrick Pettus, Dennis was able to download the file and convert it to a Windows Media file which was about one-tenth the size of the original. There are apparently a number of conversion options available and Dennis is still playing with that to get the windows sizes the way he wants.
There will be four critical and six important Microsoft patches this month.
Wayne mentioned that WSUS is currently set up to install updates every night and reboot every night at 3 AM. He is considering changing that to reboot every Thursday at 3 AM. Some people have complained about the necessary reboots and this change might help alleviate that somewhat. If patches came out on consecutive days, the reboots would then not happen on consecutive days as well.
Joel mentioned that he is seeing a strong push to turn off computers at night. He was wondering how the reboots worked in such cases. Wayne said he believed that if a machine had been turned off it would get the patch on next boot five minutes after logon and then either reboot at 3 am (if left on) or the normal shut-down process would take care of that. Joel responded that he believed a machine would reboot after a five-minute countdown if the individual logged on is running as a standard user. If logged on as an administrator then they apparently get a reboot notice which they can ignore (until 3 AM) should they so choose.
MS Office News update
There was no new discussion on this standing item for this month.
Public folder file deletion policies and procedures status
Wayne related that the IFAS Public folder is going away for security reasons. That function will be replaced by SharePoint. They also intend to develop some web-based interface where individuals can upload a .zip file which will either be password protected or accessed via a random URL which can be e-mailed to someone.
Job Matrix Update status
Steve wants to leave this matter as a standing agenda item for future discussion.
Remedy system status
Dennis asked Dan Cromer if he had any new information on Remedy. Dan noted that they are still working on being able to assign IFAS and UF Remedy tickets into the CNS Remedy system. In the past all such an assignment would do was to send an e-mail to Terri Van Horn and she would have to put something into the CNS system manually. This should help with WAN support workflow.
Micah Bolen asked if there were any UF or IFAS policies regarding digital IDs or electronic signatures (for signing PDF docs, etc.)? He had heard of IFAS deans using that and was excited at the prospect of never having to print out and fax a form to someone ever again.
Dan Cromer responded that the need for this is recognized and has been discussed with and by Mike Conlon in the past; it is something which needs to happen at the UF level. Dr. McLellan, our Dean for Research, had electronic signature available at his former university and has been vocal concerning the need for that at UF. Dan believes this will happen eventually, but did not know the current status. Dan does not know of any such system in production currently but mentioned that Wendy Williams has been asked to look into the matter for Instruction.
Network Access Control
Mike Ryabin related that he had recently visited the two universities which are in his area, NOVA and Florida Atlantic, and noticed that they had different network access controls than Ft. Lauderdale currently enjoys. Mike has guest accounts on his wireless network which provide access only to the commodity Internet and was wondering if there were any plans now that CNS was in charge of the WAN that might cause problems for him continuing to do that. Dan mentioned that CNS is looking into NAC but this would be implemented first on campus and only later at remote sites. It is likely that some provision for guests would be made however.
The meeting was adjourned early at 11:05 AM.