
My home office uses a Windows domain that hosts about 25 nodes. There are 17 locations out in the field (70% Windows XP, 30% Windows 7) with anywhere from 4-10 computers that are not joined to this domain and don't exist on a domain. We had decided early on the cost to create and manage the infrastructure to hook into our home office domain was not enough to justify what little we needed it for (they all connect to our web application to do their work anyways.)

However, this creates a big time sink for our (very small) IT department whenever we need to do any kind of maintenance on the field machines. I'd love to see us save some time with a tool or set of practices that will allow us to better manage these systems remotely, even if it is something as simple as managing updates, running commands, or pushing Firefox out to everyone.

What are some good tools/practices to manage this problem for about 150 remote, non-domain nodes? Any software solutions should be recommended knowing that we are a small company with a constrained IT budget.

TSFroggy
  • Windows Intune. – TheCleaner Feb 12 '14 at 15:26
  • Did you reevaluate the "cost for joining them to a domain" because either you value time at 0 or - another evaluation is in order after "we have a lot more work than we originally thought". – TomTom Feb 12 '14 at 18:34
  • You might want to tweak your question so as to remove the request for tool recommendations, so as to avoid running afoul of the "requests for software recommendations are off topic" rule. "What are some cost- and labor-efficient ways to manage widely distributed PCs in a non-AD environment?" or something. – Katherine Villyard Feb 13 '14 at 01:48
  • You have 25 nodes in your home office?! – Tom O'Connor Feb 13 '14 at 10:04

4 Answers


I personally like AD, but you've already said you've decided against it. So...

  • VPN Connections to connect them to the office. (Routing and Remote Access/OpenVPN/Cisco AnyConnect/What came with your router/etc.)
  • LogMeIn or something similar on the clients.
  • You can run WSUS outside of a domain. There are registry keys to help you with that, and they can download their Microsoft updates via the VPN. This will also give you reports on patch compliance. You can push out these keys one of the ways below. (Be careful with the SusClientID and PingID--they cannot be identical on all machines. Also, WinXP takes those keys like a little doll, but you might have to handhold 7 a bit.) Conversely, you could foist an update policy on the clients that involves going directly to Microsoft and have done with it.

Which leaves us with software installs/updates. Money and time spent will be in inverse proportion to each other, in my experience, but your mileage may vary.

  1. Management software like Altiris Deployment Solution, LANdesk, etc. Pros: Built for this, and they make it a lot more manageable. Your clients do show up in the console when they're connected to the VPN, although the connection can be stinky. Cons: Costs money, although I believe most of them charge by the client.
  2. Scripts and PSexec, although I've never tested running them over a VPN and you'd probably have trouble finding individual workstations. Pros: Free. Cons: You'd probably have to LogMeIn to a remote machine and run PSexec on the local machines that way.

Which is why Grant is in favor of Active Directory for software installs. Honestly, I was just absurdly happy when a former employer finally got AD and I could finally stop pushing out registry keys via management software.

There are also (very few) places that do remote desktops as a service (Desktone, Molten, Citrix, Amazon has a beta). You might be a candidate for that. It's definitely worth looking into in your case, IMHO.

What I would recommend is:

  • Figure out how much it would cost to hook the remote sites into your existing domain, including hardware, software, and someone to manage it.
  • Price various software packages (Altiris, LANdesk), including hardware, software, and someone to manage it.
  • Price hiring another tech or two.
  • Price the various Desktops as a Service providers and see if they look like a good fit.

Hopefully, at that point, something will start to look right to you. Good luck!

Katherine Villyard
  • Thanks for your post. We're definitely not opposed to AD completely, it's just cost prohibitive according to my managers. Plus, introducing dependencies to our office domain via VPN without some kind of offsite domain introduces risk. There are additional costs associated with maintaining AD, which would add to our already overextended hours. Finally, the high turnover in our company would make managing AD credentials somewhat of a nightmare. Mostly, I'm looking for software/techniques to help us manage updates and software deployments. – TSFroggy Feb 13 '14 at 15:58
  • I also like Altiris and LANdesk, but they do cost money. I believe they charge by the client, however, so your 150 node installation would be a lot cheaper than my 5000 node installation was. – Katherine Villyard Feb 13 '14 at 16:11
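The WSUS-without-a-domain approach from the answer above, as an added example rather than code from the answer: a PowerShell script, run elevated on a field client, that sets the documented WSUS client policy keys and clears a cloned SusClientId/PingID so each machine reports separately. The WSUS URL and the target group name are assumptions.

```powershell
# Added example: point a non-domain Windows client at a WSUS server reachable over
# the VPN, then clear a cloned client id. Run elevated. The server URL and target
# group below are assumptions; the registry paths are the standard WSUS client keys.
$WsusServer = 'http://wsus.example.internal:8530'   # assumed WSUS address

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"
New-Item -Path $AuKey -Force | Out-Null   # creates both keys if missing

# Where the client fetches updates and where it reports status (patch compliance).
Set-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $WsusServer
Set-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $WsusServer
# Client-side targeting so each field site shows up as its own WSUS group.
Set-ItemProperty -Path $PolicyKey -Name 'TargetGroupEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name 'TargetGroup' -Value 'FieldSite01'   # assumed group

# Use the intranet server rather than Microsoft Update; AUOptions 4 = download and
# install on the configured schedule without prompting the user.
Set-ItemProperty -Path $AuKey -Name 'UseWUServer'  -Value 1 -Type DWord
Set-ItemProperty -Path $AuKey -Name 'NoAutoUpdate' -Value 0 -Type DWord
Set-ItemProperty -Path $AuKey -Name 'AUOptions'    -Value 4 -Type DWord

# Machines built from one image share a SusClientId, so WSUS sees only one of
# them. Remove the id while the agent is stopped; it is regenerated on restart.
Stop-Service -Name wuauserv
$ClientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
foreach ($name in 'SusClientId', 'SusClientIdValidation', 'PingID', 'AccountDomainSid') {
    Remove-ItemProperty -Path $ClientKey -Name $name -ErrorAction SilentlyContinue
}
Start-Service -Name wuauserv

# Re-register with the new id and check in with the server right away.
& wuauclt.exe /resetauthorization /detectnow
```

On XP and 7 the keys take effect on the next detection cycle; the client should then appear in the WSUS console under the assumed target group within a few minutes of the VPN being up.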

Active Directory.

We had decided early on the cost to create and manage the infrastructure to hook into our home office domain was not enough to justify what little we needed it for...

At the time, that might have been true. However, now, you're getting to the point that without a domain, it's unmanageable in non-polynomial time.

So it's time to revisit that decision, buy a couple of servers (yes, proper servers), and install Windows Server 2012 R2. It's not even that expensive any more.

That way, you'll be able to deploy software and updates with WSUS, have greater control over who does what with GPOs. You can even deploy new systems to bare metal with WDS.

Seriously. 150 nodes. You need a domain. If you don't think so, you're wrong.

Tom O'Connor
  • Yeah, but 17 field locations. He's not going to use WDS over the WAN to 17 field locations. He's also not going to buy 17 servers, or however many sites he deems need their own DC. I generally like AD for more than two clients, ;) but in the OP's case I think he needs to evaluate the cost for a variety of solutions, including AD. – Katherine Villyard Feb 13 '14 at 15:12
  • Tom, I respectfully disagree. Yes, I know the capabilities and benefits of AD. However, I'm an employee, not a decision maker, so I can't (and wouldn't) wire 17 remote locations to AD when the money would be better spent elsewhere. Besides, with our already overextended IT dept, we'd have to add on additional time to manage the AD infrastructure. Perhaps you live in a land where companies have unlimited IT budgets. The reality is that we're a small company and every single dollar is counted. It's cheaper to have someone log into each node to do updates than to make their job easier with AD. – TSFroggy Feb 13 '14 at 15:51
  • @TSFroggy If that's their attitude, it might be time to consider finding an employer with a better one. It doesn't seem to me like you're doing yourself any favors sticking around to work for penny-pinchers and develop skills and experience that are largely useless. I could be wrong, of course, but let me leave you with some advice I once got - `it's not our job to protect management from the consequences of their bad decisions.` – HopelessN00b Feb 13 '14 at 16:39
  • @HopelessN00b Point taken. Honestly I'm actually in a dev role with a very tiny dash of support and we have a lot of freedom in the development department, including adding experimental features and getting the tools we need. We do have a bias towards development when it comes to our money because ultimately it provides the best returns, but we're trying to find ways to make support a little easier. BTW, I love the quote and will remember it for another time. – TSFroggy Feb 13 '14 at 17:09
  • @TSFroggy Oh, well, if you're a Dev, that's a bit different then... thinking you were the IT guy or sysadmin gave me the most horrible flashback to when I was younger... :) – HopelessN00b Feb 13 '14 at 17:22
  • I disrespectfully disagree. You are wrong. – Tom O'Connor Feb 13 '14 at 23:42

There are a few ways you could look at managing it:

  • Windows Intune
  • System Center Configuration Manager (I believe it can work remotely with a bit of extra effort)
  • LogMeIn or similar on all the remote machines
  • Site to site VPN connections to bring them on the domain.
  • VPN right on each PC to bring them on the domain. The built-in Windows 7 one lets you connect from the login screen so you can still log in. Win XP may need a third party client.

I would recommend the VPN options. The Microsoft VPN services aren't terribly expensive. And OpenVPN can be done for free (plus the cost of your time).

Having all the PCs on the domain means you can use GPOs, remote assistance, etc. to very easily manage them. And you don't have to manage separate credentials on each machine. Compare the cost in IT time now of managing the remote machines vs domain connected ones and you'll probably find bringing them all into the domain to be quite cost effective and bring better security at the same time.

Grant

If both systems have credentials that match (same username/password for AD user on domain and local user on remote host), then the domain user should be able to seamlessly authenticate to the remote host.

You'll need to configure the firewall on the remote machines to allow access to port 445 from your domain network and block it for all others.

Once this is done, any process running as the domain user would be able to cross-authenticate to the remote machine as the matching local user without a logon prompt.

John Homer
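The port 445 firewall step from the answer above, as an added example that is not the answer's own code: a PowerShell script for a Windows 7 field machine that blocks unsolicited inbound traffic by default, disables the built-in file sharing rules, and allows SMB only from the office network. The office subnet is an assumption; XP's firewall uses a different netsh syntax and is not covered.

```powershell
# Added example (not from the answer): expose SMB (TCP 445) on a non-domain
# Windows 7 machine only to the office network that reaches it over the VPN.
# The subnet below is an assumption; replace it with your own. Run elevated.
$OfficeNet = '10.10.0.0/16'   # assumed office/VPN address range

# 1. Block unsolicited inbound traffic by default on every profile.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Disable the built-in File and Printer Sharing rules, which would otherwise
#    accept port 445 from the local subnet or from anywhere.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No

# 3. Allow SMB only from the office range. Because the default action is block,
#    no explicit block rule is needed; an unscoped block rule would in fact win
#    over this allow rule, since block rules take precedence in Windows Firewall.
netsh advfirewall firewall add rule "name=SMB-In from office only" dir=in action=allow protocol=TCP localport=445 "remoteip=$OfficeNet" profile=any

# 4. Show the resulting rule so the scope can be checked before leaving the site.
netsh advfirewall firewall show rule "name=SMB-In from office only" verbose
```

Keep in mind that matching local credentials on every field machine means one shared password unlocks all of them, so the allow rule should stay as narrow as the office range permits and that password should be rotated when staff leave.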