ICC logo IFAS logo

ICC Meeting:



A meeting of the ICC was held on Friday, August 13th, 2010 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Fifteen members participated.
Remote participants: David Bauldree, Bill Black, Micah Bolen, Dan Cromer, Francis Ferguson, Marvin Newman, Mike Ryabin, and John Wells.
On-site participants: Andrew Carey, Dennis Brown, David DePatie, Wayne Hyde, Winnie Lante, Steve Lasley, and Wendy Williams.

STREAMING AUDIO: available here


Agendas were distributed and the sign-up sheet was passed around.

Report from the chairman

Member news:

Steve was saddened to relate that Bob Huston, former IT Support for Ft. Pierce, passed away on August 2nd after a long illness.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details

David DePatie has joined the Soil and Water Science department recently and was at the meeting today. Steve is very pleased to finally get some representation from that department on our committee.

Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)

End-user Scheduling

We are still awaiting details about the reported plan is to provide some subset of individuals access to schedule their own videoconferences on TMS.

Office Communicator infrastructure status (previous discussion)

Dan Cromer has posted instructions on the UF Wiki for controlling the viewing options when connected to a bridged conference from OC (go to http://wiki.it.ufl.edu/, search on "Office Communicator", and scroll down to the "Office Communicator with videoconferencing bridges" section). Basically, you enter two pound signs (#) to enable far end camera control. You can view the details on the Wiki, but this should help with controlling remote site views while connecting via OC to bridged conferences.

Dennis Brown had pointed out that OU Admins may use ADUC to see whether or not a user is SIP-enabled. If you select your OU in the People branch of UFAD, you will see a listing of your users which includes information in columns labeled "Live Communications Address" and "Office Communications Server Address" for those that are SIP-enabled. OU Admins can also look up user information in Wayne's Power Tools which shows group memberships. Those which are SIP-enabled will be members of the "IF-OCS-Users" group. This can all be helpful in diagnosing why a particular user cannot connect via OC.

Polycom has announced a new strategic relationship with Microsoft for End-to-End Unified Communications. This is to include:

  • New and next-generation Polycom CX series endpoints optimized for Microsoft UC
  • New, innovative room-based video systems designed specifically for enabling direct integration with Microsoft Communications Server "14"
  • Additional interoperable solutions between Polycom's existing and future video conferencing solutions

New VC gateway status (previous discussion)

As available...

Recording lectures for Distance Education (previous discussion)

There is a wide range of products in this category. Steve noted he had seen the AV-1 forum's recent discussion on lecture capture tools and was surprised by the number of different options that various schools are using. Besides Accordent and MediaSite, as are used here at UF, some of the other options include:

David DePatie from Soil Science added that his department is using Adobe Connect as well.

Accordent training being planned for next week

Daniel Soltedo of Accordent has offered that he could perform training via webex and a conference bridge hosted by Accordent. Ideally, Daniel wants to take over one of our Capture Stations, review basic operation, and then cover advanced configurations. Currently, Ron Thomas is proposing Monday at 2 pm and Thursday at 10 am.

Issues with Articulate software provided by the Dean (previous discussion)

Steve wants to keep this topic on the agenda to discuss ongoing issues with that somewhat fragile software. You can drill back to previous discussions on this topic by clicking on the "(previous discussion)" link above.

Dr. Barrick stepping down from CALS dean position

During the meeting Wendy Williams reported it was just announced that Mark Rieger was just named CALS Interim dean as Dr. Barrick is stepping down to return to full-time teaching. The search for a permanent replacement, led by Mark McLellan, is expected to take 9 months to a year. Steve wonders what implications (if any) this will have for the proposal to move 75% of our courses to distance education over the next three years--as Dr. Rieger was/is the driving force behind that.

Videoconferencing documentation being posted via SharePoint

Steve would like to mention again that Lance Cozart has this documentation. Lance Cozart continues to develop it.

New Elluminate system status

This topic was not addressed this month.

WAN transition to CNS (previous discussion)

Connection of UF and IFAS Remedy systems with the CNS Remedy system

A demonstration of the new interconnection was provided on July 22nd but Steve neglected to ask for an update on how that went. Dan said it seemed to be working fine. Steve thought that Dan said the procedure used involved "assigning" a ticket to Net Services, but he doesn't see that option, so perhaps only certain individuals may do this:

assign to Net Services?

Steve also asked how such assigned tickets could be tracked by those who were doing the assigning. When Dan responded that he didn't know how that was done, Steve suggested that CNS might need to add progress notification into their procedures to ensure that.

Updates from James Moore

James did not attend today's meeting.


Rob Adams appointed as new ISO for UF

The announcement was made yesterday via the DDD list.

Elias Eldayrie address at Peer2Peer last Friday

A number of topics were covered and the session was kicked off by our new CIO who was also at the ITPAC meeting three days ago.

Alternate IFAS domains in e-mail

Steve wants to keep this on our agenda for future discussion. He believes there is no advantage to having multiple aliases and that we should move towards removing those if possible.

The long-expected ITPAC meeting was cancelled

The IFAS IT Policy Advisory Committee (ITPAC) was supposed to meet earlier this week for the first time in over a year and only the second time in nearly two years. The agenda came out only the day prior and the meeting was cancelled the morning of because Elias Eldayrie could not attend (though he wasn't on the agenda).

Dan Cromer said that ITPAC had not been meeting regularly (supposedly quarterly) because there had been nothing to discuss. Steve noted that he wants to find someone else to represent the ICC at ITPAC (possibly Dennis Brown) as he would like to concentrate on the ICC during his years in DROP--hoping to get a good transition in place for when he leaves.

Identity Management (IdM) Interface Training

Steve wants to remind everyone of the "UF_PA_IDM_NETMGR" role which will allow you to set NMB for your users. Your Department Security Administrator can do that for you.

ITAC-NI still meeting (previous discussion)

Steve noted that he will be working on the minutes (his last as he has resigned as secretary) and hopes to have those posted soon. [Note: those draft minutes are now available.]

The agenda included:

  • Presentation on DHNet’s NAC solution
  • CNS Wall-Plate and VoIP update
  • Update on organizational changes in HealthNet

Course Management System Conversion to Sakai 3 (previous discussion)

Steve reminded folks of Doug Johnson's announcement of a CMS Transition web site. A pilot test has been in progress this summer and full production is planned for the Fall. On-line documentation is now available with separate instructions for both students and faculty.

myuf Market (previous discussion)

Steve wants to keep this on our agendas in case discussion seems warranted.

UF Exchange Project updates (previous discussion)

connection problems due to Exchange 2010 migration plans

A discussion started on the CCC list in mid-July regarding problems with mobile devices connecting to UF Exchange. The initial thread was entitled "AT&T 3G problems" but it quickly proved to be a more general problem. A later thread was titled "Exchange now rejecting credentials from Apple Mail". There was some consternation expressed on the ICC-L that UF Exchange personnel had not responded on the cause, scope and resolution of these issues.

Erik Schmidt finally did respond, well after most had resolved these issues for themselves via word of mouth. Erik reported:

"Scheduled maintenance was done several weeks ago to prepare for Exchange 2010. As a result, mail.ufl.edu refers to a firewall rule that allows 2010 mailboxes through but redirects 2007 mailboxes to legacy.mail.ufl.edu. *Most* clients handle this redirection without a problem. *Some* clients (Mac, in particular) do not handle the redirection properly. In cases where the client does not handle the redirect, simply re-pointing the client directly to legacy.mail.ufl.edu solves the problem."

Shortly thereafter he responded to a related question:

"Using 'Exchange IMAP' along with credentials in the format Gatorlink@ufl.edu and a server address of legacy.mail.ufl.edu allows Mac Mail to work."

Dwight Jesseman's replacement has been picked

Erik Schmidt announced that "Luis Molina will be moving across the country to join the MAG team in about a month. Luis is an experienced Exchange 2010 and OCS 2007 R2 architect with the University of California-Davis."

Centralized FAX service via Exchange (previous discussion)

Steve wants to keep this potential service in everyone's minds as it seems a logical direction for all to take.

Split DNS solution for UFAD problems

Steve wants to keep this on the agenda for future reference.


IFAS WebDAV implementation

There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.

Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM

Windows 7 deployment

Andrew Carey said that since Daniel Solano has left, he believes Dan Christophy and Chris Leopold will be trying to continue with SCCM. Time considerations will make that difficult however. Steve couldn't resist pointing out that spending some resources on a SCCM solution for desktop deployment would pay for itself many times over in quick fashion. It is a shame we are so busy digging with spoons that we can't take the time to learn how to run the "heavy equipment".

Exit processes, NMB and permission removal (prior discussion)

Nothing further was available on this topic at this time.

Re-enabling the Windows firewall (prior discussion)

Update as available...

Services Documentation: Is a Wiki the way? (prior discussion)

Steve skipped over this topic but will keep it on our agendas.


Restoration of back-ups on the file server

Wayne Hyde was recently surprised to find that the IFAS Help Desk staff did not know how to assist users in restoring their own files from the Volume Shadow Copies. Consequently, he is working on documentation which he intends to submit via the IFAS-Announce-L list.

Wayne wants to document various scenarios on how people can restore earlier copies of existing files or folders as well as how to retrieve things they may have deleted. Each of those processes is subtly different and the procedure varies a bit based on what OS you are running. For example, WinXP lists the date of the snapshot while Vista and Win7 list the date the object was last modified (an unfortunate change in the user interface).

Wayne intends to post the documentation somewhere on-line, but the exact location is yet to be determined.

Incident response

Wayne Hyde instituted new incident response procedures which he announced via e-mail:

Message to the ICC distribution list from Wayne Hyde:
"security tickets" Tue 7/20/2010 9:06 AM


From this point forward if I see a security ticket for an on-campus host I will be adding the host to the “Deny-Filter” in DHCP and kicking the machine off of the network within a few hours if the ticket has not been marked as contained/resolved.

I will attempt to do the same for off-campus machines on subnets that ITSA manages DHCP. Until we get 2008 R2 DHCP servers at remote sites, I’ll create a reservation for the IP address and limit connectivity to the local subnet via DHCP options (router/dns =, etc). Once we get the new multipurpose servers I’ll switch to the filter-deny method which prevents the machine from getting an IP address completely.

Security tickets should be contained or resolved within 24 hours. Containing an incident is as simple as removing the computer from the network until it can be resolved via a nuke/reinstall or cleaning depending on the type of compromise. The tech who contains/resolves the incident should update the UFIRT ticket with the new status and an explanation of what was done.

Once a compromise has been resolved, you can request the filter be removed by emailing the ITSA server admin group.

DO NOT add another NIC to a machine that I have filtered to get it back on the network.

I will work with CNS to target alerts for a subnet to the OU report groups that we have created so everyone does not get all UFIRT alerts for IFAS. I suspect some folks eyes glaze over when they see UFIRT emails or move them to a subfolder in outlook automatically.

Wayne mentioned that IFAS still does pretty well on the semi-annual reports to the IFAS ISA (Joe Joyce). Our response time used to be about one day, but it popped up to about five days due to some security tickets which were open for about two months before they got closed; those were at sites which Wayne does not control and could only resort to "nastygrams". For machines Wayne does control, he will give the OU Admin a couple of hours to get it off-line before filtering it for you.

Steve pointed out that such filtering would prevent pulling files off over the network prior to a rebuild (via a Bart's PE or the like). Consequently, one would need to send a request to ". IFAS-ITNS LAN Systems" to get the filter lifted prior.

Wayne said that it is the responsibility of the local OU Admins to respond to security tickets and update their status. Do not expect Wayne to do this for you. It is very important to get infected machines off the network ASAP and update the ticket to "contained". UF Security only tracks time to containment so that is the most important metric from a response perspective.

UAC enforcement

Wayne announced his intention to enforce UAC via GPO to "prompt for credentials on the secure desktop" as a means of making it more difficult for users running as local admin to unintentionally install malware.

Message to the ICC-L from Wayne Hyde:
"[ICC-L] UAC enforcement" Mon 7/12/2010 6:26 PM

As stated in the ICC meeting – UAC is being enabled for Vista and Windows 7 machines in UFAD via GPO. I’ll flip the switch after some testing (currently IT and ENTNEM). Please let me know if you’d like to help test and change the setting now in your OU (or even a sub-OU) for your department.

The policy settings:

  • Run all administrators in Admin Approval Mode – Enabled
  • Behavior of the elevation prompt for administrators in Admin Approval Mode – Prompt for credentials on the secure desktop

This setting will force a user who is a local admin to enter in their credentials to do administrative tasks on the machine. Since politics prevent me from forcing everyone to run as a normal user, this will have to do. (Chris will buy cookies for the folks who don’t let users run as local admins.)

There is an additional UAC setting, “Behavior of the elevation prompt for standard users,” which has the default setting of “Prompt for credentials on the secure desktop.” I am not enforcing this setting as you may wish to change it to “Automatically deny elevation requests” in some cases. The other possible setting is “Prompt for credentials.” There is no way to have it automatically elevate which is why I am not changing the default.

Now is the time for OU admins to remove their GL account from the local administrator group on their managed computers and use their IF-ADM-GL accounts for PC management duties. With the UAC change, you can still log on the machine with your Gatorlink account; you’ll just enter your if-admn-gatorlink credentials if you install software or do anything else that requires admin rights.

After some testing, Wayne determined there was a bug in Remote Assistance that threatened to foil his plans. He put out feelers asking how many made use of Remote Assistance with Windows 7 clients currently.

Message to the ICC distribution list from Wayne Hyde:
"RE: Who uses Remote Assistance with Windows 7 clients?" Tue 7/27/2010 9:29 AM

I am about to enable the UAC changes for Windows 7 clients across IFAS and would like to leave the secure desktop enabled (where it blacks out most of the screen except for the UAC dialog box). Unfortunately, there is a bug where the GPO setting to disable the secure desktop for UIAccess applications (such as Remote Assistance) is not working.

The bug causes the client (aka remote user) to get the UAC elevation prompts instead of the “help desk” side. The help desk side gets a pause screen on the Remote Assistance window.

Who currently uses Remote Assistance with Windows 7 clients in their OU?

Joe Hayden, Micah Bolen, Joel Parlin, Winnie Lante, and Marvin Newman all responded that they depended on this feature in order to support folks distributed far and wide. That led Wayne to request additional input in order to determine whether or not he could devise a suitable work-around.

Message to the ICC distribution list from Wayne Hyde:
"RE: Who uses Remote Assistance with Windows 7 clients?" Tue 7/27/2010 10:02 AM

Ok, so quite a few folks use RA and 7, which is fine.

The problem crops up when the remote user is not a local administrator on their machine and the “help desk” side needs to elevate. Due to the bug the client/remote user gets the UAC elevation prompt and the help desk side gets the pause screen. This situation means the help desk admin can’t elevate and get admin rights on the remote system.

If the client is a local admin on their machine, they can always enter credentials in the UAC dialogs.

With that said, how many people who use Remote Assistance have clients who are not local admins?

The temporary fix is to disable secure desktop until a fix is available and then I can re-enable secure desktop. I am just trying to avoid having to disable the SD.

Since this is a situation that is easy to see firsthand but difficult to explain, Wayne added a few details explaining the situation.

Message to the ICC distribution list from Wayne Hyde:
"RE: Who uses Remote Assistance with Windows 7 clients?" Tue 7/27/2010 11:21 AM

To clarify, the UAC issue pops up when the help desk side requests control of the client. The client gets a window asking if they want to allow remote control:

request to one being helped for disabling secure desktop

They *should* be able to check the box and click ‘Yes’ which will enable the remote tech to handle all UAC prompts. Unfortunately, once they click ‘Yes’ they are greeted with:

Scan Locations

The client can still click ‘No’ or cancel the dialog and the Help Desk tech will have remote control. They will not, however, be able to do anything that requires UAC elevation – the local user will still get the UAC prompts.

The MAG group is working with Microsoft on the issue. There is no ETA on when or if a fix will be available.

Finally, Wayne decided to enforce the changes as originally planned, but detailed a work-around for issues which will arise due to this bug.

Message to the ICC distribution list from Wayne Hyde:
"UAC, Remote Assistance, Microsoft bugs, the joy of IT support" Tue 7/27/2010 6:11 PM


I am going to go ahead and configure UAC to use the secure desktop and require credentials for elevation. By default Windows 7 uses the secure desktop and users without administrator rights must enter credentials for elevation. The GPO will force administrators to enter credentials instead of simply giving consent. (i.e., click yes if you want to install this malware)

Since the secure desktop is currently being used by default, my change will not break anything that was not already “broken.”

The steps to open a remote assistance session for Vista/7 clients:

If the client user has local administrator rights on their machine

  • Start the Remote Assistance session
  • When you request remote control they will be prompted with the “Would you like to allow to share control of your desktop” dialog. (See picture #1).
  • They should click the “Allow to respond to User Account Control prompts” option.
  • Once they click “Yes” they will have to enter their account credentials to disable the secure desktop. (see picture #3)
  • You now have remote control and can respond to further UAC dialogs with your own ADM credentials.

If the client user does not have local administrator rights

  • Start the Remote Assistance session
  • After the session is started, use either remote Computer Management or psexec script to create a local admin account on the client machine.
  • Use the built-in chat of Remote Assistance to notify the user of the temporary administrator credentials. The username should be prefixed with “.\” so the local account is used for the authorization. (See picture #2)
  • Click “Request Control” and have the user enter the temporary credentials. (see picture #3)
  • Delete the temporary administrator account using remote Computer Management or psexec script. Or launch computer management on the remote system (which will test UAC) and delete the account.

Steve has written two handy scripts that use psexec to do the dirty work for provisioning the temporary account. The first will create the local account on the remote system and add it to the administrator group. The second script deletes the account. The scripts will get published on the ICC webpage and also get sent here after some testing is done.

The pictures referenced above:

Picture #1 – client side dialog

client side dialog

Picture #2 – sample chat dialog

sample chat dialog

Picture #3 – client side disable secure desktop UAC prompt

client side disable secure desktop UAC prompt

This isn’t perfect and requires a minute of extra steps, but it is still usable.

Scripts for adding/removing a local admin account to a machine:

CRLA.CMD (Create Remote Local Admin)
@echo off
if "%1" == "" goto error
if "%2" == "" goto error
if "%3" == "" goto error
echo executing... psexec %1 net user %2 %3 /add 
psexec %1 net user %2 %3 /add 
echo executing... psexec %1 net localgroup "Administrators" /add temp 
psexec %1 net localgroup "Administrators" /add %2 
echo Account "%2" created as local admin on "%1"
goto end
echo You must specify a remote computer name, an account name, and a password!
echo usage  CRLA \\if-computername localaccountname password 
*******end contents******

DRLA.CMD (Delete Remote Local Admin)
@echo off
if "%1" == "" goto error
if "%2" == "" goto error
psexec %1 net localgroup Administrators %2 /delete 
psexec %1 net user %2 /delete 
echo Account "%2" removed from "%1"
goto end
echo You must specify a remote computer name and an account name!
echo usage  DRLA \\if-computername localaccountname 
*******end contents******

Replacement campus print server is being readied (previous discussion)

The migration is planned for two weeks from today and it is important that folks test out the new server prior.

Santos Soler posted the following just yesterday:

Message to the ICC-L list from Santos Soler:
"[ICC-L] New Print Server" Thu 8/12/2010 3:30 PM

We have been working on a new print server. We need to make sure printers work as expected. You should have access to ALL the printers in your area, please let us know if we are missing printers or if printers need to be added or removed.

We are using universal drivers when possible, this may cause some issues.

Please test that:

  1. You can print a test page
  2. You can print a multiple page document
  3. You can print a multiple page document more than once in the same print job (print 3 copies)
  4. You can print color documents
  5. You can do duplexing
  6. You can do staples
  7. Your ADMN account can modify settings on the printer

We are planning on moving to this new server by August 27 (in 2 weeks).

Please test ASAP and let us know if you have any issues.

One easy way to do basic testing as well as to centrally manage your printers is via an MMC console. You begin by installing the RSAT onto a Windows 7 management station. You must then enable the tools by going into the Control Panel > Programs > Programs and Features > Turn Windows features on and off > Remote Server Administration Tools. In this case you are interested in the "Print Management" tool. You then run an elevated MMC console (Windows Key + R > type "mmc" > press "Enter" and provide your if-admn credentials when prompted).

Next you add a snap-in:

adding a snap-in to an MMC console

The "Print Management" snap-in:

Print Management snap-in

You will be prompted to specify print servers. Our current production server is "if-srv-print", but the new server which requires testing is "if-srvv-print". You might want to add both, but you can always change the list later.

Configuring the Print Management snap-in

You can then view your printers because the permissions for all have been applied to your if-admn accounts. You can do a test print by right-clicking on a particular printer:

Running a test print

That would, of course, be a very basic test but it would address the main issue which Santos has been seeing: namely that some HP printers cannot use the HP Universal print driver.

You can also select the printer properties to view the printer defaults:

Viewing the printing defaults

Is would be good to check this configuration to see that it truly matches the features of your particular printer (duplexing, stapling, 3 trays, etc.). Winnie also mentioned it is important to check the default paper types, because sometimes these drivers switch that from what you might expect.

Andrew cautioned folks to be careful with these settings, but your if-admn accounts have full access via the console for changing those. Doing that for some of the settings could cause you problems. When in doubt you might want to consult with the ITSA group before making changes because some of these have been set for particular reasons. Things like changing drivers (in particular) would be a BAD idea without talking to them first.

More thorough testing of the features which Santos had mentioned (above) will require connecting to the printers as a client, however. On Windows 7 that is done off the Start Menu via the menu path of Devices and Printers > Add a printer > Add a network... > The printer that I want wasn't listed. Then in the "Selected a shared printer by name" box you would type "\\if-srvv-print\" and as soon as you hit that last "\" (as shown below) you should be offered a list of those printers to which you have access (this time via your Gatorlink credentials). You may have to add yourself into some security groups in order to get access to a particular printer.

Connecting to a printer

Winnie Lante mentioned that the HP universal drivers have proved problematic for her in some cases. For example, in one case the printer would print multiple pages, but not multiple copies of multiple pages.

Membership of ". IFAS-ICC" email distribution group to be narrowed to ICC members only

You are reminded that the ". IFAS-ICC" email distribution group does not include the broader audience which the ICC-L will reach. Plan your e-mails accordingly.

IFAS efforts toward Green IT (previous discussion)

Update as available...

Creating guest GatorLink accounts: singly or in bulk (prior discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

Can IFAS support DirectAccess in the future? (prior discussion)

Steve wants to keep this topic on our radar.

Moving away from the IFAS VPN service (previous discussion)

Steve assumes that moving our VPN to private IP is waiting on Wayne Hyde finding the time to implement.

VDI desktops as admin workstations (previous discussion)

This is another cool service that Wayne has in progress and which is awaiting sufficient time to pursue further.

Wayne's Power Tools (prior discussion)

There was nothing new to report this month.

OU Technical Contact email groups now in use

You should now be getting automatic FSR reports concerning file server space usage (duplicate/large files/etc.).

Computer compliance tool in production (previous discussion)

Update as available...

Folder permissioning on the IFAS file server

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey has a good plan for dealing with this which he simply has had no time to address. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer object which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

New MPS/DC deployment

Andrew Carey reported that seven of the new servers have now been deployed. He has been working with Ben Beach to get those out in the NE District. The plan is to roll throughout the various districts basically one at-a-time.

Deployment of the physical servers is just part of the process. The bigger reason this is taking so long is the actual migration of the data over to the new server; this involves a good deal of cleanup of the structure and permissions and is necessarily time consuming.

Mike Ryabin asked when Ft. Lauderdale might expect theirs because he is reworking his facilities, knocking down part of a wall to expand his area. Andrew said it is difficult to be precise because south Florida will be near the end of the list and all depends on how things go prior. Andrew does hope, however, that it will all be done before year-end. Andrew also mentioned that these servers are 2-unit rack mounts (a bit larger than the previous units) but will still go into the existing secure enclosures.

Steve asked about which sites had additional fileserver space that was not handled by these MPS servers. Andrew responded that Apopka, Plant City, and Ft. Lauderdale are certainly in that category. It might even include most of the RECs. The issue there is the need for storage beyond what has been budgeted by administration centrally. The MPS servers at these sites are at least providing DHCP if nothing else--with Lake Alfred being the single exception.

Core Services status

Data Protection Manager planning

Wayne Hyde reported that the purchase order for the necessary equipment just got submitted. It took three weeks to get all the information together for the lease arrangements.

Eventual move to MS Storage Server 2008 R2?

Wayne copied 8TB of data to a test cluster to investigate how much space moving to Windows Storage Server's Single Instance Storage (SIS) might save us. It turns out the savings for that test data (from our current file server) weighed in at about 25%--which is quite significant.

ePO updates

Changes in how the virus definitions are packaged and released will require a rebuild of the McAfee cleaner.iso. Wayne will get this done shortly; he intends to add Avira (another antivirus) onto that boot disc as well. A USB boot image is also planned; the issue there is that those (with few exceptions--those with a lock switch) are read/write and could get corrupted. The most important addition Wayne intends to make to the cleaner.iso is to give it the ability to update the virus definitions; that will alleviate him having to keep updating the .iso as well as us needing to keep burning the latest version.

Steve mentioned that he has been finding "McAfee Security Scan Plus" on a number of his user machines. Apparently, Adobe has been offering that along with updates to Adobe Reader. Steve suspects this can only interfere with VirusScan and should be removed where found.

Status of SharePoint services (prior discussion)

IFAS migrating to centralized MOSS

Steve hadn't heard any further information on when we might be migrating, but he understood that it wouldn't be until sometime after the end of the year. Steve asked if any departments were using this for "mission critical" things yet. Winnie mentioned that her department had been using it for their fiscal shadow system (PeopleSoft simply doesn't provide all the details units require, which necessitates keeping local shadow systems of fiscal data). This was begun by Michelle Quire who has since left the department and Winnie finds SharePoint management (particularly the permissioning) somewhat less than intuitive.

Steve mentioned that he has created sub-sites for both his fiscal and graduate coordinator groups, but really hasn't encouraged them to use those yet. He prefers waiting until we are migrated centrally to see how that transition goes.

Dennis Brown mentioned that one of his faculty is using SharePoint for collaboration within his lab and really likes it. Winnie added that Fisheries is using that similarly for several of their lab groups.

Steve mentioned that he has been concerned with the permissioning model as well. We worked hard to keep that sane and maintainable for the file server, but Steve doesn't see any way to encourage (let alone enforce) any particular standard on SharePoint. Those in charge of sites within their unit can basically do anything and permissions will become an enormous tangle over time he fears.

Dennis asked about collaboration with outside individuals via SharePoint. Steve responded that even though SharePoint allows for local (non-UFAD) accounts, the overhead in maintaining that is too great. Consequently, the solution is to have your Directory Coordinator create an UFID for outside individuals so they can get a Gatorlink account. They can also add the "Departmental Associate" role to provide additional rights such as email for those.

Dan Cromer mentioned that Fedro Zazueta is in charge of a project first initiated by Mike Conlon which has been on the back-burner prior but is now beginning to receive attention. This involves creation of a second level of UF association for Gatorlink accounts which would permit controlling access for less formal associations. Functional and technical descriptions have been posted prior. This will allow a web interface via which anyone may sign up for their own Gatorlink account. Obviously, the permissions for accounts in this category will be more strict but it should be quite handy for such things as permitting in anonymous SharePoint access. This is something which will be great for our extension programs like the Master Gardener, for example.

Steve noted that GLAuth is going away in favor of Shibboleth and asked Dan if IFAS was prepared; Steve wasn't sure that IFAS even used GLAuth much. Dan responded that In-service Training (IST) has been converted. The Bookstore Application is almost there. The portion of the IFAS Directory where the Directory Liaisons make changes also uses GLAuth currently and will have to be converted.

Steve asked where we were with regards to requiring this separate database for IFAS. Dan Cromer responded that the database was first of all useful because it is easier to search three thousand items rather than the million and a half that are in PeopleSoft. Also, we have fields in there such as "Specialty" which are not implemented in PeopleSoft. Other items include things like the salaries for Courtesy Agents which are paid by Counties, and faculty appointment percentages for teaching/research/extension. We also use the IFAS Directory for some of our dynamic listserv lists such as IFAS-ALL-L, IFAS-Extension-L, etc. Dan's goal has been to coordinate with PeopleSoft to get those fields added centrally so that there was a single master database from which to extract information.

Steve wondered how good a job the various Directory Liaisons were doing with keeping the IFAS Directory up-to-date. He had the impression that this may have slipped close attention in his own department, though he might be wrong. Dan mentioned that he had tried to coordinate with IFAS HR to have the database maintained more centrally but the director said she would need additional staff in order to do that. Unless things break so horribly that upper administration decides this is a priority, it appears we will have to continue to limp along with a difficult to maintain/manage distributed editing system.

Public folder file deletion policies and procedures status

Nothing further was available on this topic at this time.

Patching updates...


There was an out-of-band patch on August 2nd for an active exploit on all Windows platforms. A podcast summary of this special patch was provided by "Security Bulletins for the regular IT guy".

The August Microsoft patches included fourteen bulletins overall covering a record-tying 34 vulnerabilities! Twelve of the bulletins affect Windows (seven Critical and five Important). Two bulletins affect Microsoft Office; one Critical and one Important. A podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".

The Microsoft Baseline Security Analyzer 2.2 was released last Friday.


A new version of Flash (v10.1.82.76) was released on Tuesday to address critical vulnerabilities. In Steve's experience you must uninstall all versions first or the old files remain. In case you missed it, last month Steve published a way to do this remotely via PsExec. It is also worth mentioning that Adobe AIR should be uninstalled, er... upgraded to 2.0.3 as well.

There is a critical flaw in Reader/Acrobat for which Adobe is expected to release an out-of-cycle patch the week of august 16th

MS Office News update

Steve wanted to remind folks that he has created a new 32-bit Office 2010 installation point (ufad\if-admn credentials required) for everyone's use.

Dan Cromer mentioned that he has been trying out the Beta of Microsoft Office 2011 for Mac. It has Outlook instead of Entourage and includes Office Communicator for the Mac as well. Dan feels this will be a good step up from the current Mac Office package.

Job Matrix Update status

This is here as a standing topic--no discussion this month.

Remedy system status (previous discussion)

Steve wants to keep this item on the agendas in order to address potential future concerns.

Other Topics

Issue with 64-bit SAS on Windows 7

Winnie Lante mentioned that she had received a notice from Software Licensing Service (SLS) that they have new media for supporting a 64-bit SAS install on Windows 7. Winnie mentioned that she has been installing it successfully prior w/o issue, however. James Hardemon cautioned Winnie that the installation required being logged on with a local admin account (i.e., not just a domain account that was a member of the local Administrators group on the computer. Steve confirmed that this has been his experience. Steve particularly hates this latest Win7-suppported install because it requires multiple and repeated swapping of discs during the install process. Steve has yet to try copying those to a network location to see if installation over the network could circumvent that.

When to use 64-bit Windows 7

We had a brief discussion about 64-bit Windows 7 and when that would be appropriate. Winnie is using it on machines that have 4GB or more of RAM. Andrew suggested that it was appropriate for any machine that was capable of holding more than 4GB of RAM. Steve mentioned that he is still installing 32-bit Win7 on machines with 4GB of RAM. His thought was to leave room for future upgrades to 8GB of RAM and would move to 64-bit at that time. He is somewhat cautious of the need for signed drivers. As for software support, Winnie said that she has been successful with SAS, SPSS and ArcGIS on the 64-bit platform. Dennis Brown mentioned having an issue with drivers for the Fujitsu Snap scanners; the 64-bit drivers are not available for direct download apparently--but one can fill out a form to request them.

Polycoms falling out of maintenance

Francis Ferguson mentioned that the most recent large Polycom purchase was nearly three years ago (74 units in Nov. 2007) and those system will all be going off maintenance. He was wondering if anyone was following up on that issue. Dan Cromer responded that maintenance extensions would be up to the individual units ($880 for a year or $2000 for three years). Assistance for placing the orders would be provided, however, and Lance Cozart could be contacted about that.

When Steve looked into the costs in the past, they seemed incredibly expensive. Steve dislikes that even firmware updates require a full hardware maintenance contract, feeling that it amounts to extortion. Frankly, his department has saved enough money over the years by NOT purchasing maintenance to buy a whole new unit. Dan Cromer mentioned, however, that the VSX 7000's have had quite a few issues over our various units.

Dan keeps hoping that OC with web cameras/microphones can replace a good deal of our Polycom usage needs in the near future. Cost considerations may move that along fairly rapidly.

PDF-Xchange (prior discussion)

Updates as available...

Interest in Wordpress blog systems, and photo gallery systems that require PHP and MySQL

Updates as available...

The meeting was adjourned early at about 11:30 AM