Roaming Computing System (Windows Edition) 3.6 - Administration Guide
Miscellaneous Administration
Starting and Stopping the System
Turning Off
You can turn off in any order:
- workstations - Start → Shutdown
- server - press power button on the front, briefly, then wait for it to shut itself down
- firewall - press power button on the front, briefly, then wait for it to shut itself down
- modem - if they have a switch, turn the switch off, otherwise remove the power cable
- hubs - remove their power cable
Turning On
Turn on in the following order:
- hubs - re-connect their power cable
- modem - if they have a switch, turn the switch on, otherwise re-connect the power cable
- firewall - press power button on the front, wait a minute or so
- server - press power button on the front, wait a couple of minutes
- workstations
Administrative Domain Accounts
You have a domain administrator account called winadmin and a domain user account called winuser. Use these domain accounts rather than machine accounts. If you have to give out the domain administrator account to someone temporarily, it is subsequently easier to change this once, rather than change the administrator account on every workstation.
Connecting to the server's underlying file system / operating system from any workstation
To login to the server at the command-line from a Windows workstation use PuTTY via Start → Programs → Internet → PuTTY → PuTTY. Enter server into 'Host Name (or IP address)' and choose Open. You can paste commands into the PuTTY terminal by copying in the usual way, then just pressing the right-mouse button within PuTTY. To copy text from a PuTTY terminal just highlight the text; it is then automatically in the paste buffer and can be pasted elsewhere.
(Beware, when pasting from guides at thegoldenear.org, PuTTY on Windows will include a carriage return at the end of a command whereas ssh on Linux will not. Some of the commands in these guides assume you don't use a carriage return when pasting them, so that the line can be edited before hitting [Enter].)
To login to the server at the command-line from a Linux workstation use ssh, using the command ssh root@server.
To transfer files between a Windows workstation and the server at its operating system level use WinSCP on the workstation via Start → Programs → Internet → WinSCP.
To transfer files between a Linux workstation and the server at its operating system level use any of the FTP programs such as FileZilla or gFTP.
Regular Administration Tasks
Workstations
These must all be performed whilst logged in as an administrative user.
- To free up space on C:
- Use CCleaner (Start → Programs → Accessories → CCleaner) to remove:
- Windows' backup of security update / hotfix files. Make sure that Windows → Advanced → Hotfix uninstallers is selected. This deletes C:\Windows\$nt... directories.
- Empty the recycle bins
- (only as a last resort, because of the risk of making a mistake) manually delete Windows Service Pack uninstall files' directories, those in blue at %WINDIR% (CCleaner doesn't delete these).
- (only as a last resort) manually delete Windows' cache of security update files by deleting the directory %WINDIR%\SoftwareDistribution\Download.
- ? Microsoft Office uses 464MB in C:\MSOcache
- ? C:\windows\ie7updates and C:\windows\ie8updates are worth looking at as other directories that might be deletable
- QuickBooks downloads updates to C:\Documents and Settings\All Users\Application Data\Intuit\
- Defragment each workstation's C: and D: partitions. Start → Programs → Accessories → System Tools → Disk Defragmenter. You need to be an administrative user to do this. This will speed up the computer but probably isn't worth running more often than every couple of months.
User Profiles
On a Windows workstation, System Properties → Advanced → User Profiles → Settings will tell you the weight of each profile and allow you to delete them. From the server, at the command-line, du --max-depth=1 -h /home/samba/profiles | sort -rn will tell you the weight of each person's profile.
People can have bigger profiles on their workstations than the profile uses up on the server because not everything roams - Local Settings. Perhaps it's worth hosing the local profile once a year or something.
On a Windows workstation, whilst logged in as a user, the Application Data directory is at %APPDATA%. From the server, at the command-line, this would be /home/samba/profiles/<username>/Application Data/. This is the most likely place where excess files will accumulate.
Areas where data accumulates in a user profile that can potentially be considered for removal:
- Firefox profile
- Notably:
- places.sqlite - Firefox's history (and more) file. This can grow, for example, to 270MB. Clearing history etc will recoup space. See http://kb.mozillazine.org/Places.sqlite.
- zotero directory. This can grow for example to 360MB.
- If the Cache directory grows then it indicates that maybe their Firefox mistakenly hasn't been configured to save its cached files on D:.
- Thunderbird profile
- Notably:
- ImapMail directory
- %APPDATA%\google\picasa2\db3
- %APPDATA%\OpenOffice.org2\user\backup
- At least for winadmin, C:\Documents and Settings\winadmin\Application Data\Sun\Java\ where there can be directories for each JRE update such as jre1.6.0_07 with jre1.6.0_07.msi
Files saved to the desktop are copied back and forth between the server and workstation when logging on and off, so are strongly discouraged. To check on the weight of a person's desktop, from the server, at the command-line, use du --max-depth=1 -h /home/samba/profiles/<username>/Desktop | sort -rn.
If they somehow gained an additional Firefox profile it won't be configured for its cache on D:. /home/samba/profiles/<username>/Application Data/Mozilla/Firefox/Profiles/ may have more than one profile directory, '<random number>.default' or '<random number>.user chosen name'. Check the contents of user.js in each.
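The profile checks above, gathered into one audit script run on the server as an added example (not part of the original guide): it reports each roaming profile's weight, its Desktop and Application Data weight, flags users with more than one Firefox profile, and flags any Firefox profile whose user.js does not relocate the cache. PROFILES_ROOT is a parameter (defaulting to the page's /home/samba/profiles) so the audit can be run against a scratch tree, and the preference name browser.cache.disk.parent_directory is an assumption about how the workstations' user.js points the cache at D:.

```shell
#!/bin/sh
# Added example, not from the original guide. PROFILES_ROOT defaults to the
# server's roaming profile tree; override it to audit a scratch copy.
: "${PROFILES_ROOT:=/home/samba/profiles}"

# Size in KB of a directory (0 if it does not exist), via du -sk.
dir_kb() {
    [ -d "$1" ] || { echo 0; return; }
    du -sk "$1" | cut -f1
}

# List the Firefox profile directories of a user, one per line, no trailing slash.
firefox_profile_dirs() {
    ffdir="$PROFILES_ROOT/$1/Application Data/Mozilla/Firefox/Profiles"
    [ -d "$ffdir" ] || return 0
    for p in "$ffdir"/*/; do
        [ -d "$p" ] && echo "${p%/}"
    done
}

# 0 if the profile's user.js relocates the disk cache (assumed preference name,
# see lead-in), 1 otherwise; a profile without user.js keeps its cache in the
# roaming profile and therefore on the server.
firefox_cache_relocated() {
    [ -f "$1/user.js" ] && grep -q 'browser.cache.disk.parent_directory' "$1/user.js"
}

# One report block per user; returns 1 if anything worth a look was found.
audit_profiles() {
    found=0
    for userdir in "$PROFILES_ROOT"/*/; do
        [ -d "$userdir" ] || continue
        user=$(basename "$userdir")
        echo "$user: profile $(dir_kb "$userdir") KB," \
             "Desktop $(dir_kb "$userdir/Desktop") KB," \
             "Application Data $(dir_kb "$userdir/Application Data") KB"
        n=$(firefox_profile_dirs "$user" | wc -l | tr -d ' ')
        if [ "$n" -gt 1 ]; then
            echo "  WARNING: $n Firefox profiles; the extra one(s) will not be configured for the cache on D:"
            found=1
        fi
        # Heredoc rather than a pipe so that 'found' survives the loop.
        while IFS= read -r p; do
            [ -n "$p" ] || continue
            if firefox_cache_relocated "$p"; then
                echo "  firefox $(basename "$p"): cache on D:"
            else
                echo "  firefox $(basename "$p"): CACHE NOT RELOCATED, Cache dir $(dir_kb "$p/Cache") KB"
                found=1
            fi
        done <<EOF
$(firefox_profile_dirs "$user")
EOF
    done
    return $found
}
```

Run audit_profiles as root on the server; a non-zero exit means at least one profile needs attention.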
Server
- Check there is enough free disk space on each partition: df -h
- To free up disk space on the home partition:
  - Email - use du --max-depth=1 -h /home/vmail/<domain name> | sort -rn to see if some people have excessive amounts of email. If you go into each person's Maildir directory you might find a lot of space taken up in people's Trash directory (Deleted messages). You can empty these using SquirrelMail at http://10.0.0.10/squirrelmail/, login with their email address and email password, then use the 'Purge' button beside 'Deleted messages'(?).
  - See User Profiles above.
- Check the backup system is working - as long as there exists backup-general-* and backup-home-* for each day and they're 0 bytes large then everything should be OK. If they're larger than zero bytes then look at what's in them.
- Perform a filesystem check on the backup disk occasionally:
  - Unmount the backup disk, in case it is already mounted: umount /media/backup
  - Do a filesystem check: fsck -p /dev/<disk partition reference i.e. sdb1>
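The backup-log check in the list above as a function, added here as an example rather than taken from the guide: it finds the newest backup-general-* and backup-home-* file, reports if either is missing, older than a day (so last night's run did not happen) or non-empty (so there were errors), and prints the contents of a non-empty log. The log directory defaults to the page's /var/log/hotswap-backup/; the part of the file name after the prefix is not specified on the page, so only the prefix and modification time are relied on.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Usage: check_backup_logs [logdir] [max_age_minutes]
check_backup_logs() {
    logdir=${1:-/var/log/hotswap-backup}
    max_age=${2:-1440}   # one day: the backup runs nightly at 02:00
    status=0
    for prefix in backup-general- backup-home-; do
        # newest file with this prefix, by modification time
        newest=$(ls -td "$logdir"/"$prefix"* 2>/dev/null | head -n 1)
        if [ -z "$newest" ]; then
            echo "MISSING: no $prefix* file in $logdir"
            status=1
            continue
        fi
        # no run within the window means the backup did not happen at all
        if [ -z "$(find "$newest" -mmin "-$max_age" 2>/dev/null)" ]; then
            echo "STALE: $newest is older than $max_age minutes"
            status=1
            continue
        fi
        # a zero-byte log means no errors; anything else is worth reading
        if [ -s "$newest" ]; then
            echo "ERRORS: $newest is not empty:"
            sed 's/^/    /' "$newest"
            status=1
        else
            echo "OK: $newest (empty)"
        fi
    done
    return $status
}
```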
General
- Check the 'postmaster' and 'abuse' mailboxes.
- If you have a bandwidth cap on your Internet usage set by your ISP, check how much you've downloaded in this period. For Zen Internet this is available at https://portal.zen.co.uk/Pages/Wizards/WizardLauncher.aspx?ID=UsageAllowanceWizard.
- Is VPN access working so that remote administration can be performed?
Managing Domain User Accounts
Archive a user's files prior to deleting their Windows domain account
Move their files to the ex-staff directory in the 'archive' area (or similarly it could be the 'confidential' area), if you already have one. This moves their home directory files (H:) and their Windows profile (containing such things as their Windows desktop, browser bookmarks, etcetera). Don't delete some things and leave others, it's safer to just save the lot. Their email is unaffected.
Archive their home directory:
mv /home/<username>/ /home/<organisation>/restricted/archive/ex-staff/
Make a directory for their Windows profile:
mkdir /home/<organisation>/restricted/archive/ex-staff/<username>/windows-profile/
Archive their Windows profile:
mv /home/samba/profiles/<username>/* /home/<organisation>/restricted/archive/ex-staff/<username>/windows-profile/
Change ownership so that the files are in the 'archive' (or 'confidential' group):
chown winadmin.archive /home/<organisation>/restricted/archive/ex-staff/<username>/* -R
Change permissions so that other people can't access the files (This leaves them read-only to members of the group, which seems appropriate for an archive):
chmod o-rwx /home/<organisation>/restricted/archive/ex-staff/* -R
Delete A User's Windows domain account
Delete their account, with either:
- From the command-line on the server:
  - Remove Samba account: net rpc user delete <username> - Note that this doesn't delete their home directory (H: or /home/<username>)
  - Delete home directory: rm -rf /home/<username> - note there are dire consequences of getting this wrong so do so with great care
  - Delete Windows profile: rm -rf /home/samba/profiles/<username>
- Or you should be able to do so from within Windows
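The archive steps and the deletion steps above, as one added example that is not part of the original guide: the same mv/mkdir/chown/chmod and rm -rf commands wrapped in shell functions that validate the username first, since an empty or mistyped variable turns rm -rf /home/<username> into rm -rf /home or into the deletion of the whole profiles tree. ROOT (a path prefix, default empty, so the functions can be tried on a scratch tree), the owner/group arguments and the refusal to overwrite an existing ex-staff entry are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the original guide. Leave ROOT unset on the real server.
: "${ROOT:=}"

# Reject anything that is not a plain account name: empty, "." / "..", "samba"
# (/home/samba is the profiles tree), slashes, whitespace or shell metacharacters.
valid_username() {
    case "$1" in
        ''|.|..|samba|*/*|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Archive a user's home directory and Windows profile into the ex-staff area.
# Usage: archive_user <username> <organisation> [owner] [group]
archive_user() {
    user=$1; org=$2; owner=${3:-winadmin}; group=${4:-archive}
    valid_username "$user" || { echo "archive_user: bad username '$user'" >&2; return 1; }
    home="${ROOT}/home/$user"
    profile="${ROOT}/home/samba/profiles/$user"
    exstaff="${ROOT}/home/$org/restricted/archive/ex-staff"
    dest="$exstaff/$user"
    [ -d "$home" ] || { echo "no home directory at $home" >&2; return 1; }
    [ -d "$exstaff" ] || { echo "no ex-staff area at $exstaff" >&2; return 1; }
    # Never merge into an earlier archive of the same name.
    [ ! -e "$dest" ] || { echo "$dest already exists, not overwriting" >&2; return 1; }
    mv "$home" "$exstaff/" || return 1
    mkdir "$dest/windows-profile" || return 1
    # The profile may be absent if the user never logged on to a workstation.
    # find rather than a * glob so that dot-files are moved too.
    if [ -d "$profile" ]; then
        find "$profile" -mindepth 1 -maxdepth 1 -exec mv {} "$dest/windows-profile/" \; || return 1
    fi
    # Group ownership for the archive group, nothing for others (page's chown/chmod).
    chown -R "$owner:$group" "$dest" || return 1
    chmod -R o-rwx "$dest" || return 1
    return 0
}

# The on-disk part of deleting an account: the two rm -rf steps, guarded.
delete_user_dirs() {
    user=$1
    valid_username "$user" || { echo "delete_user_dirs: bad username '$user'" >&2; return 1; }
    home="${ROOT}/home/$user"
    profile="${ROOT}/home/samba/profiles/$user"
    rm -rf "$home" || return 1
    rm -rf "$profile" || return 1
    return 0
}

# The full deletion: Samba account first (as on the page), then the directories.
delete_domain_user() {
    valid_username "$1" || { echo "delete_domain_user: bad username '$1'" >&2; return 1; }
    net rpc user delete "$1" || return 1
    delete_user_dirs "$1"
}
```

Archive first, then delete; delete_domain_user is the only function that touches the Samba account.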
Restricted Groups
R: is where you can have directories where access is restricted to specific groups of people. For example R:\finance is only accessible by members of the finance group. You can add whichever such groups you choose.
To create a new restricted directory and group use Twix: R → F.
To add a person to a specific restricted group use Twix: R → O.
To remove a person from a specific restricted group use Twix: R → P.
Mailboxes, Aliases and Forwardings
Manage mailboxes, aliases and forwardings using MailManager at http://server/mailmanager/login.php.
Bounce Forwardings / Mailing Lists
A forwarding can either be a forwarding where a copy goes to the original address and to the address you want it forwarding to, or a bounce forwarding where the mail goes only to the address you want it forwarding to. The latter is a useful means of creating a mailing list.
(An alias might seem easier because it doesn't require a corresponding mailbox, but administering the list at a single point, rather than in each individual list member's settings seems easier to deal with)
Set one up using the following:
- Login to MailManager
- Add a new mailbox using 'Add new virtual user to selected domain'
- Manage virtual aliases → Select a virtual domain ... → Select a virtual user ... → Email forwarding for screenings on domain <your domain> → Add forwarding → Email for new alias - add the email address of each recipient
Auto-replies
See workaround in the User Guide.
Domain Mapping
If you want to forward mail from a mailbox at one domain to a mailbox at another, create the domain then create each mailbox and a forwarding for that mailbox.
Don't do whole domain mapping. MailManager doesn't support it because "You will in the first step accept email for anybody in @domain1. Then the aliasing is done. And if Postfix finds that the user doesn't exist in domain2 it will generate a bounce. As spammers tend to guess email addresses you will become a source for backscatter. So that's really a problem. My recommendation: don't use it like this. Instead use an alias for every user in domain1. Even if it's tedious.".
Server Updates Affecting Users
Samba
It's OK to restart Samba (at the command-line you use /etc/init.d/samba restart) when people are logged in with documents open, even if they have unsaved work. You should, though, ask people not to save work for a moment whilst you restart Samba. If you restart Samba and people then try to save unsaved work too soon, before Samba is properly restarted, OpenOffice, for example, will say "Error saving the document <document name>: General Error. General input/output error." but allow you to try saving again; whereas GIMP will automatically wait until the Samba share is available again and then save; Thunderbird won't be affected at all unless you are using local folders and have located them on a network share.
Networking
ifdown eth0
ifup eth0
Settings You Must Not Change
Server
- DNS domain - it's 'localdomain' (Debian's default). The mail server relies on this remaining the same.
- Hostname - it's 'server'. The mail server relies on this remaining the same.
- Samba's name or domain name(?) setting - this will require workstations to have to re-join the domain
- IP address - it's 10.0.0.10. Don't change it, but if you really need to change it to another in the same subnet then you need to change it in here too:
  - On the server
    - The server's /etc/network/interfaces
    - The server's /etc/resolv.conf (TODO: do we change it WRT /etc/resolvconf if resolvconf is installed?)
    - The server's /etc/postfix/main.cf
    - The server's Samba - see xania.org/200809/samba-problems-after-ip-change
      /etc/init.d/samba stop
      rm /var/cache/samba/browse.dat
      rm /var/lib/samba/wins.dat
      /etc/init.d/samba start
  - On the firewall
    - The firewall's static hosts, such as server → 10.0.0.10
    - The firewall's DHCP Server's WINS address
- The winuser account password - it's used by WPKG Client [TODO: maybe we should have a dedicated WPKG account instead]
Changing Windows Workstation Names
You cannot change a workstation's name directly. You must first disconnect from the domain by swapping the domain name for a workgroup name, supplying the winadmin or root account so as to leave the domain; restart the workstation; change the name; restart again; then reconnect to the domain.
Physically moving a system from one location to another
It should be straightforward but you should expect something to go wrong, as it invariably will.
For the server and workstations, moving involves turning them off properly, disconnecting all cables and reconnecting them in the same manner at the other end. This should be straightforward for anyone to do, as the cables for everything can't be connected into the wrong socket. Just make sure you carefully pack up all cables together so that nothing is misplaced or broken. Obviously, treat computers with care in transit, but don't worry excessively as they can take a few knocks.
For hubs, the network cables probably don't need to be reconnected in any specific order, but even if they do it will only be one of the cables and you can see that by checking first if one is connected to a socket marked 'uplink'.
For the firewall, there are two network cables which need to specifically connect back into the same connectors from which they were removed. Some settings on the firewall will need to change if your static Internet address is going to change, which it probably is.
Keep backup disks separate in case the server gets lost or stolen.
Take great care with laser printers as they are extremely fragile. It's probably worth removing toner cartridge(s) during transit.
You either connect to the Internet through your own modem or you're attached to an intranet provided by someone else and they have their own modem. Changes to your method of connecting to the Internet will need to be reflected in the firewall and modem.
Change of SMTP server for outgoing email. If you're piggybacking on someone else's Internet connection you can ask them for the SMTP server name, or you can find out yourself. To find out yourself, use traceroute, or GRC's Shields Up!, to find your external IP address, then do a whois lookup on that IP address to find who it belongs to (you'll get, say, 'netname: BULLDOG-CHT', where 'Role:' is who owns them, 'Cable and Wireless Access Ltd'); a Google search on 'bulldog smtp' then reveals their SMTP address.
Can we change ISP from Zen Internet to another?
We recommend Zen Internet and most of our clients use them. When I last read up on the topic of who was the best ISP to use, Zen were top month after month, and they've proved to be very good at everything including customer care. You pay for what you get.
BT on the other hand are appalling at customer care. The only reason to be with BT is that if you have a problem with your ADSL Internet connection you then deal directly with BT, rather than dealing with Zen Internet who in turn deal with BT, and in such cases BT make things more difficult.
I don't know enough about other ISPs to compare Zen Internet with others.
It's worth ringing Zen Internet to find if they have a new tariff that would save you money, just as Matt did some time ago and did something like halved the bill and doubled the speed.
There are some things we require of your ISP:
- A static IP address so that we can remotely connect into your system. You get this with Zen Internet; last time I checked BT wanted £100 per year for this.
- The ability to mail out system logs to us from your system. BT only allow mail to be sent out where the domain name is registered to the physical address of your organisation. This makes mailing out system logs to us difficult at present.
- A fast enough incoming _and_ outgoing Internet connection that we can successfully remotely connect in and use your computers.
Troubleshooting
Server
The most common complaint with the server is the assumption that email isn't going in or out. You can leave the server logged in running one or more of these commands to show incoming and outgoing mail:
tail -f /var/log/syslog
tail -f /var/log/mail.log
If the server crashes it will leave complex messages on the screen. Usually you can restart the server with Ctrl+Alt+Del. Try this, but if it fails to get the server to respond by saying it is shutting down, then power cycle it. The messages on the screen will be available in the logs (/var/log/syslog and /var/log/messages) for whoever wants to look.
User Accounts
If someone is having trouble logging on, can they log on elsewhere? Can others log on on the machine they're having trouble with? The most common reason for not being able to log on is there not being enough room on the workstation's C: to copy the user's profile there, for example because the user has large files on their desktop or excessive files in %APPDATA%.
Workstations
If files are deleted from a user's desktop they go to the local recycle bin in C:\RECYCLER\S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxx-xxxx.
WPKG
WPKG logs to %TEMP%, the system temp location, in a file called wpkg-<machine name>.log
Backup
Backup
The server backs up to a directly connected USB-attached hard disk. You connect the disk and leave it over-night, replacing it with another disk the next day. The backup runs at 02:00. You do not need to issue any commands, everything is automatic. If there were any errors they are written to a log file (in /var/log/hotswap-backup/) [though they should be emailed to the administrator].
The disk uses a Unix filesystem (ext3) so can only be read on those Windows workstations that have Ext2 IFS installed (at least one of your workstations should have). The data is saved directly to the backup disk, it is not zipped up. To access Ext2 IFS's configuration use Control Panel → IFS drives.
Note that because the backup system successively copies files from the server without first removing them from the backup disk, the size of the backup will grow over time and at a faster rate than the space used on the server. Files on the server will be deleted whilst a copy remains on the backup disk. For this reason you may want to delete everything off the backup disk periodically.
Restore
If you connect the disk to the server, whilst logged in as root, you can read it by issuing the command: mount /media/backup. The disk's contents will then be available in the /media/backup directory.
You can connect the disk to any Windows workstation with the ext2IFS software installed and read the files. It might be that only one workstation has this, or maybe all do.
If you connect the disk to a Linux workstation its contents will appear automatically.
These are some useful places you may need to access on the backup disk:
- S: - home/<your organisation name>/shared. Permissions are such that you can read these files.
- R: - home/<your organisation name>/restricted. Permissions are such that you can read these files.
- H: - home/<person's name>. Permissions are set so only the owner can read them unless you override those permissions.
- A person's Windows desktop - home/samba/profiles/<person's name>/Desktop.
- Each person's email - home/vmail/<your organisation's domain name>/<mailbox name>/Maildir.
- T: - home/<your organisation name>/database
Note
Backup Disk Inode Size
The current version 1.11a of the Ext2IFS driver for reading the backup disk under Windows only mounts volumes with an inode size of 128 bytes. Recent versions of Linux's mkfs.ext3 will format the disk with an inode size of 256 bytes and when attached to Windows it will say it can't read the disk and ask if it is to be formatted.
To fix existing disks, format them again using mkfs.ext3 -I 128 /dev/<disk partition reference i.e. sdb1> (which will delete everything on the disk) and name them again using e2label /dev/<disk partition reference i.e. sdb1> backup.
You can find the inode size of an existing partition using tune2fs -l /dev/<disk partition reference i.e. sdb1>, amongst the information will be something like Inode size: 256.
Troubleshooting Issues With The Backup Disk Under Windows
If the disk isn't accessible under Windows, download and use the mountdiag.exe tool as described at http://www.fs-driver.org/troubleshoot.html. It should give you a descriptive message about why the disk isn't accessible.
Manual Software Application Updates
Typically updates are managed through WPKG, but if you want to update the system manually some of the software applications make this really easy. If there is any risk of breaking the system it will be described here.
Adobe Reader
OpenOffice
Firefox
- Login to a workstation as administrator or into the domain as winadmin
- From within Firefox choose Help → Check for Updates
- If it says, for example, "Updates Available - An update for Firefox is available: Firefox 2.0.0.6" you can choose "Download & Install Now >>"
Thunderbird
- Login to a workstation as administrator
- From within Thunderbird choose Help → Check for Updates
- If it says, for example, "Updates Available - An update for Thunderbird is available: Thunderbird 2.0.0.6" you can choose "Download & Install Now >>"
Quickbooks
You should run the Quickbooks updater manually once a month.
F-Prot
F-Prot updates itself automatically.
Java Runtime Environment
Control Panel → Java → Update → Update Now.
The newly installed version will automatically become the default in Firefox.
This creates an additional installed copy alongside those versions already installed, and so uses up an additional 70MB or more each time.
[TODO: In OpenOffice, it isn't selected, does that mean anything?]
Software Application Tips And Tricks
Firefox
Firefox Migration
If you set up a new Firefox profile for someone you can migrate their old saved settings to the new one by copying over these files. Note that this will override any existing settings in the new Firefox profile.
Firefox 3
- Saved passwords
- signons3.txt
- key3.db
- cert8.db
- Bookmarks and history - in order to merge old bookmarks with new, you need to export the old bookmarks as a HTML or JSON file from within Firefox then import them into the new profile.
- places.sqlite
- places.sqlite-journal - this file may not be present
- Cookies, including login information, session data, and preferences: cookies.sqlite
- Permissions; preferences about which sites you allow or prohibit to set cookies, to display images, to open popup windows and to initiate extensions installation: permissions.sqlite
- User-added preferences: user.js - you probably wouldn't migrate this
- Preferences: prefs.js - you probably wouldn't migrate this
OpenOffice
There are various extensions available at extensions.services.openoffice.org.
Deleting a User's OpenOffice Profile
- Make sure OpenOffice isn't open first (check the system tray by the clock, close down the icon there if there is one)
- Delete the person's OpenOffice profile at C:\documents and settings\<username>\Application Data\OpenOffice.org\ (an easy way to get there is to right-click on the Start Menu and choose 'Explore'; or, in the Windows Explorer's location bar, go to '%APPDATA%' (without the single quotes))
- OpenOffice will then need configuring again. This can be forced to automatically take place by deleting the directory 'C:\documents and settings\fiona\RCS34-CONFIG-DONE'.
- Logout then login again
Repeated "unexpected error"
Issue: when running OpenOffice it can say "due to an unexpected error, OpenOffice.org crashed" and list documents to be recovered, of which there are none; you choose OK and it returns to its opening window, whereupon you choose an application and it crashes again with the same message.
Solution:
- Delete the user's OpenOffice profile (see above)
- Uninstall the program
- Delete all files in C:\Program Files\OpenOffice
- Restart the workstation so that OpenOffice is reinstalled
Error loading BASIC of document file
Issue: Whenever a file is opened you get the error message:
Error loading BASIC of document file :///C:/Documents%20and%20Settings/fiona/Application%20Data/OpenOffice.org/3/user/basic/dialog.xlc/:
General Error.
General input/output error.
Solution: Delete the user's OpenOffice profile (see above)
Lock Files
When a user has an OpenOffice file open, information about the lock (such as the workstation they have it open on) is contained in their OpenOffice user profile (for example /home/samba/profiles/<username>/Application Data/OpenOffice.org/3) in a .lock file:
[Lockdata]
User=DOMAIN/username
Host=WORKSTATION
Stamp=7406D8EED4EEB7CF4FE4E64EE34764E0
Time=Fri Apr 15 09:40:56 2011
IPCServer=true
A lock file is also kept for each file in that file's directory, for example called .~lock.<filename>#. You can find all such open lock files on the system using find /home -iname .~lock*. This lock file describes the domain name and username of the person with the file open; the workstation name; time it was opened(?); the location of the user lock file in the user's OpenOffice profile; the name of the directory the file is in.
You can delete all OpenOffice lock files left open on the system with: find /home -type f -name '.~lock*' -exec rm -i {} \; but only do so whilst everyone is logged out.
Thunderbird
If you want a message inserted at the bottom of everyone's email, save it somewhere on S: so that staff can link to it from within Thunderbird as a signature.
If people coming from Microsoft Outlook are missing particular aspects of Outlook's behaviour it's worth checking out Emulate Microsoft email clients to see if they can be catered for.
ImapMail Directory
The ImapMail directory in a person's Thunderbird profile can build up to an unwanted size. It's OK to just delete it. Note that this buildup could indicate that a person mistakenly has syncing turned on for one or more mailboxes (Synchronization & Storage → Keep messages for this account on this computer / offline_download).
Shared Calendar
There isn't yet a standard for sharing calendar data, so various providers have each worked out their own. This is why Lightning, the calendar component in Thunderbird, doesn't offer this by itself.
You can use Google Calendar as the 'backend'. You set up a calendar at Google and then Lightning is able to connect to it, showing the contents of the Google Calendar inside Lightning (you don't need to go to Google's web interface to use the calendar, though you can if you wish).
There are a couple of ways of going about this. Either each person could have a Google Calendar, and every person could see everyone else's Google Calendar in their Lightning calendar. Or you could setup a single Google Calendar for the organisation and everyone sees just that one calendar in their Lightning calendar, also having their own existing individual Lightning calendar.
There are two ways of setting up the Google Calendar. If each person is to have a Google Calendar then either each person could have a separate individual Google account, or the organisation could have a Google Apps for Domains account, and within that a separate account for each individual. If you're having just the one organisation Google Calendar then you probably want to just have the one Google account.
The Thunderbird Extension Provider for Google Calendar is required to enable read and write syncing between Lightning and Google Calendar.
Thunderbird Migration
If you setup a new Thunderbird profile for someone you can migrate their old saved settings to the new by copying over these files. Note that this will over-rule any existing settings in the new Thunderbird profile.
NOTE: THIS LIST IS CURRENTLY INCOMPLETE! See kb.mozillazine.org/Profile_folder_-_Thunderbird#Files and http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird.
- Address Books
- Personal Address Book: abook.mab
- Collected Addresses: history.mab
Multimedia Support
Our intention is to have a single media player on the system that plays all media types, rather than a plethora of media players each for a different media format (for example Windows Media Player, Real Player and Quicktime). In theory our single Media Player is Windows Media Player. However in practice that isn't possible so we also have to use Media Player Classic for playing some files in the web browser. We would very much have liked to have VLC as our main media player but it has lacked some necessary features, such as decent playlist support. In future we envision using VLC and Songbird. Obviously Adobe Flash Player will be used in the browser when playing Flash video.
Applications supporting multimedia:
- Windows Media Player 11
- K-Lite Codec Pack (Standard) 5.7.0 (upgraded with RCS 3.6.8) (includes Media Player Classic AND Real Alternative Lite)
- QT-Lite 3.1 (upgraded with RCS 3.6.8) - includes QuickTime 7.6.5
- Real Alternative Lite 2.0.1
- Ogg Codec Pack
- Firefox Windows Media Player Plugin
Support for Various Multimedia Formats:
FEATURE              STAND-ALONE FILES   IN BROWSER
DVD movie            WMP with plugin
RealAudio            Doesn't play        Doesn't play
RealVideo            Doesn't play        Doesn't play
Quicktime            Doesn't play        Doesn't play
FLV                  ?                   ?
MP3                  ?                   ?
Ogg Theora           ?                   ?
Ogg Vorbis           ?                   ?
WMV                  ?                   ?
Flash (.SWF, .FLV)   ?                   Adobe Flash Player
Xvid                 ?                   ?
DivX                 ?                   ?
To be tidied up:
We want support for Real and QuickTime files in the web browser and on disk. We have K-Lite with MPC, QT Lite and Real Alternative Lite. We need MPC for playing Real Media and QT files on disk. Supposedly QT files can be played on disk when you have K-Lite installed, but I don't know which version, as it doesn't work with our version.
Real Alternative's "RealMedia DirectShow splitter does not work with streaming content. You must use the included Media Player Classic to play streaming content" but we already have MPC so can install Real Alternative Lite.
Real Alternative and Real Alternative Lite allow files on disk to be played in any DirectShow enabled player but this DirectShow support doesn't work for streaming files, for this you need MPC. Either you have MPC already and you install Real Alternative Lite, or you install Real Alternative.
Probably need RealMedia Splitter to play Real files in WMP.
QT Lite says it is only for playing in the browser - but is that only because it doesn't include MPC?
- QT ActiveX plugin
- browser plugin - this is the apple quicktime plugin
QuickTime Alternative claims to include 'QuickTime DirectShow filter' whereas QT Lite claims to include 'QuickTime ActiveX plugin', and yet QT Lite claims the only difference between it and QuickTime Alternative is that it doesn't include MPC
QuickTime Alternative
- quicktime activex plugin
- quicktime browser plugin
QT Lite with .mov files on disk: they play in MPC. WMP won't play them. Without MPC, files on disk won't play at all. So if you already have MPC you can use QT Lite rather than QuickTime Alternative.
codecguide.com / QT Lite says that MPC is able to play QuickTime files on disk, but if you want to play QuickTime files on disk in WMP you additionally need K-Lite installed, for its DirectShow filters - but which version of K-Lite?
Streaming QT content is played by the QuickTime browser plugin.
Windows Media Player in Firefox: http://kb.mozillazine.org/Windows_Media_Player
Options for Remote Access by Staff Using VPN (Virtual Private Network)
We can give you remote access to your organisation's network, including access to:
- Network drives S:, R:, H: and the files therein
- Potentially any organisation-specific software
As the firewall (running the VPN server) and the server (hosting files and email) are permanently on, access to most facilities doesn't require you to switch any computers on in order to access the above.
If you only require access to email then there may be more cost-effective methods of accessing that than using the VPN.
There are various methods with which you can connect with the computer system in the office, using:
- A dedicated computer with an operating system installed by us. This computer can either be loaned out from the organisation and returned, or provided just for you. The operating system can be either Windows XP or Ubuntu Linux. We can provide a modern laptop computer for this purpose for around £200, maybe less depending on the specification.
- If Windows XP, we have to setup the operating system in the same secure way we setup workstations in the organisation. This typically takes about 4 hours to setup. You can either have just this Windows XP on the computer, or additionally have another system that you can have setup whichever way you like.
- If Ubuntu Linux, we have just a couple of stipulations about how it is used. This typically takes about 3 hours to setup.
- Your own computer, running your own Linux operating system (preferably Ubuntu) which you have already installed and used (for security reasons we will not configure your own copy of Windows for remote access).
- Your own computer or a dedicated computer loaned out from the organisation, with a Linux operating system running off a USB memory stick that has been provided by us. This way we do not alter or use any operating systems already installed on your computer. We haven't yet tested this option. This is a much cheaper option as it is easy to use with any existing computer.
Once connected, there are various methods with which you can use the computer system in the office:
- Using software installed on your own system at home
- An office suite (word processor, spreadsheet, etcetera) to open files
- Thunderbird to access email
- Using software via the web browser
- You can access email using SquirrelMail at http://server/squirrelmail/ or http://10.0.0.10/squirrelmail/
- There is no means by which to access files using this method
- Using VNC (Virtual Network Computing). Once you have connected, you can open up a window to a workstation within the organisation, then use that workstation as though you were sat at it in the organisation. The workstation in the organisation could be dedicated to the task, or could be any of the existing workstations that you would share with other people in the organisation (only one person at a time can use it). If the workstation in the organisation is switched off, you will need to turn it on by going to https://firewall/services_wol.php or https://10.0.0.1/services_wol.php. The workstation in the organisation needs to be capable of being remotely switched on for this method to work.
If you wish to use any organisation-specific software, that is, software that is not part of our standard suite of software, that might be paid for by or built specifically for the organisation, then there are a couple of options available for you to run it:
- The software could potentially be installed on the computer you use to connect. Licensing would need to be dealt with, because you may need to pay for the additional installations of the software. If the software uses data stored on the server in the organisation then it would need to be checked to see whether the software had any issue with the increased time it takes to connect with that data, because it will now be doing so over the Internet, rather than just over the organisation's intranet. If it is software that is only available for Windows then either it will require you to be running Windows, or it may run under Linux (using Wine) but this would need to be tested.
- Use VNC (see above). Using this method, any organisation-specific software is guaranteed to work, though the means of doing so is slightly awkward.
What we need to do to make this work:
- At the very least we need to create VPN certificates and keys, which takes about 30 minutes, then issue them in a secure manner.
- We may need to setup an operating system on a computer, which can take between 3 and 4 hours
- We may need to provide a computer
Can we have X program?
We have a suite of software that should cover most eventualities. If our suite doesn't cover certain cases which we think others could also make use of then we could be interested in adding new software to that suite. Adding any and all software to a system would quickly make the system much more time intensive to administer. There is great value in having a lean system with only the software that is actually required. We try as hard as possible to keep all software identical across all organisations for the most efficient administration.
Deploying new software is tricky. It takes time to evaluate and ready software applications before they can be deployed. The software application you might want to have added to the system might have alternatives that are better which we would consider.
The stability of the computing system is of utmost importance.
We want the same software on each workstation, keeping everything standard is of utmost importance in terms of knowing the system and keeping it stable.
This is an enterprise environment, it fundamentally differs from a home environment. Not all software is designed to work in this environment; not all software works as its authors describe - it can be buggy and bloated and cause instability in the system.
Software needs to not misbehave - i.e. it needs to not be insecure by design; needs to not consume excessive unmanageable quantities of Internet bandwidth.
For us to deploy software:
- We need to test it to find if it works within our system and to make sure we have found all potential issues before the stability of the system is compromised.
- We need to understand any configuration that might need to be made, on each workstation it is installed on, and for each user that runs it, and write code to automatically perform that configuration.
- It needs to be able to be deployed silently so that we can install it automatically, efficiently, on all workstations when they boot up, and similarly be able to be updated and removed. Even if it will install silently, it takes time for us to learn how to install it silently (there are many different methods used by differing software applications).
- It needs to not store excessive quantities of data in a user's Windows profile. Doing so causes C: drives to fill up and affects the time taken to login and logout (which can be mitigated by installing faster networking equipment)
We prefer to work with Free open source software because it tends to be better quality; its cost is more sustainable in the long term to keep up with new versions; it is more likely to have fewer security vulnerabilities, and they are more likely to be disclosed and fixed sooner than in proprietary software. If software costs money then we have to buy a copy as well, in order to learn how to deploy and maintain it, and have to keep buying updates for the same reasons.
Why We Don't Offer Certain Applications
Every software application takes a significant amount of time to deploy so that it works and won't ruin the system. We need to be able to deploy applications automatically, where any configuration changes are 'scripted' (programmed to run automatically so that we don't have to make any changes by hand). Certain software applications are intended for home use, where certain assumptions can be made (such as having an Internet connection with a modem/router just to yourself or one or two others) that aren't compatible with an organisational setting. Certain attributes of applications make them more likely to have problems that need accommodating or working around, in our experience, in which case they can take significant research, development and testing effort to get right.
Why Don't We Offer Spotify
We won't be offering Spotify in the short term future. Deployment of Spotify would involve working through too many issues when we believe there are more important developments to make first. If you wish to pay us to work through this then we can provide you with a quote.
Spotify has a number of particular attributes that make it more likely to have problems that need accommodating or working around, indicating it could take significant research, development and testing effort to get ready for deployment.
Below we describe our concerns about Spotify.
Cache size and location
By default it uses up to 1GB disk space per person, for its cache. The authors recommend this for optimum usage. It saves this in each person's Windows profile. This is incompatible with the type of network system we are running. Neither the server, nor the workstations, nor the network could cope with this. So Spotify's cache would need to be much decreased (consequently increasing the Internet bandwidth Spotify would consume) and its cache location changed.
Internet bandwidth consumption
Spotify's music consumes 256 kilobits per second (320kb/s if you're a paying customer). If 5 people use that for 7 hours per day that's 7.5 gigabytes per day, 38GB per working week, 173GB per month. You may have a fixed allowance from your Internet service provider, such as 50GB per month (that you'd need to move to a higher cost tariff to overcome); if you go over that limit you pay a cost, such as £1.49 per gigabyte.
Another way of looking at it is that if your Internet connection speed is 6Mb/s downstream, then one person using Spotify will use up 1/24th of that. In light of this it may be worth keeping a check on how much Internet bandwidth you already consume, given that people can install Spotify into their own profile without requiring administrative privileges.
Note that Oxford University have banned Spotify from being used on their computer systems because of its bandwidth consumption.
What about alternative streaming music services? Last.fm uses 160kb/s; 128kb/s is the norm for most streaming music, so not much bandwidth is saved there.
Peer-to-peer
It is a peer-to-peer, or P2P, program. As such:
It will use upstream Internet bandwidth in streaming music to other people across the Internet. This will slow down use of the Internet. The degree to which it does so isn't configurable within the program.
It will consume the resources of the firewall router disproportionately to the other software currently used.
We're jittery about allowing the use of peer-to-peer software because "If you're using software capable of P2P traffic (like Spotify) there's always the risk of an exploitable bug that turns your PC into a backdoor into the company network. We've just been handed a ban on all P2P traffic at work (and on work-related systems at home) for that very reason."
Why Don't We Offer Adobe Reader
It goes well beyond its simple remit of being a PDF document and form viewer. Adobe use the fact that people need a PDF reader, and invariably choose their reader, to bundle a host of unrequired features with it in the hope of making Reader a platform for commercial gain, and with it ever increasing bloat.
Resulting from its excess of features, specifically its ability to run JavaScript code, it has a lot of security vulnerabilities, making it one of the most important programs to remove in order to make a system more secure against malicious threats from the Internet. Adobe are notoriously slow to fix security issues in their software.
Also resulting from its excess of features, it uses up much more system memory than is necessary, given its role, slowing workstations down whilst it is running.
It is overly complex to configure, requiring a disproportionate amount of time on our behalf each time we need to deploy a new version.
Instead we include Foxit Reader which massively improves on all of these aspects.
Why Don't We Offer DropBox
There are many options for online backup and file sharing (http://en.wikipedia.org/wiki/Comparison_of_online_backup_services). Here's what I've found when testing DropBox 0.7.110. (Reading their changelog, little seems to have changed between version 0.7 and the latest 1.1.35 on 25/5/2011.)
This concerns each person running DropBox. An alternative would be to have one DropBox account for the organisation, synced to S:\dropbox (we've looked at this, it seemed overly complicated and unexplained by the authors so we've left that alone for the time being).
The Windows DropBox client, for various reasons, wasn't built for using in an 'enterprise' environment (networked computers setup in an organisational setting), more for a home user with a single computer.
By default the installer installs into the Windows user profile rather than into C:\Program Files (which is completely wrong; meaning DropBox is installed into the administrative user's profile itself and is inaccessible by others). If the switch is set to specify to install it into C:\Program Files alongside using the switch to install it silently (required for us to deploy the software initially and to deploy updates), it fails because both switches can't be used concurrently - a double bind. (Update: there is a slightly complex way to do this using AutoIt, described at the WPKG DropBox page).
DropBox refuses to allow files to be stored on a networked drive such as S:, and when it is fooled into trying to use H: (My Documents), DropBox breaks because its notification system expects functionality that the Samba server does not provide (though this might be fixed by an upgrade of the Samba software on the server).
Getting DropBox Functionality Using Alternative Means
The web site at https://www.dropbox.com/home allows upload, download, etc of files.
And https://www.dropbox.com/events provides a list of events regarding a person's Dropbox. This can be attached to a person's Thunderbird so as to keep them notified of changes in their Dropbox. The following instructions describe how:
- Go to https://www.dropbox.com/events where there's an RSS feed people can subscribe to in Thunderbird.
- In Firefox, select 'Subscribe to this feed.' and copy the feed address.
- In Thunderbird go to File → New → Other Accounts → Blogs & News Feeds - give it a name, say 'DropBox Feeds' or somesuch.
- Select 'DropBox Feeds' → Manage subscriptions → Add → Feed URL: paste the feed URL here.
- When the feed has loaded, close the dialog box using the 'X'.
- It will appear under 'DropBox Feeds' as 'Dropbox Event Feed - <the person's name>'.
To configure the notifications to appear more often:
- Go to Edit → Account Settings → choose 'DropBox Feeds' account →
- Check for new articles at startup - enable
- Check for new articles every [100] minutes - change this to, say, 10
USB Sticks and Malware Protection
Two of the biggest methods for the spread of malware are USB sticks brought into the organisation from outside, and using Facebook. Banning both practices would be sensible but I expect you're unlikely to want to make that rule so we don't even bother to suggest it.
When you insert the USB stick, Windows attaches it to the system. You see some activity from the computer at that point. Nothing to worry about there.
By default, Windows has a feature whereby, when you insert some removable media, such as USB sticks and CDs, it automatically runs any program that is listed in a file on the media called autorun.inf; if the USB stick is infected by malware, the malware can put a link to itself into autorun.inf so that it runs each time you insert the USB stick. This is a huge security vulnerability and so it's a popular vector for malware to target and spread. Manchester City Council were completely brought down by this approach in 2009. We turn off this 'feature' of Windows, so you're protected there.
No malware is going to get a chance to run automatically.
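The AutoRun switch-off described above, as an added PowerShell example rather than the guide's own deployment script: it checks the Explorer policy values that disable autorun.inf processing, writes them if they are missing, and then lists what any autorun.inf on a currently attached removable drive would have launched, so a suspect stick can be checked before anything on it is opened. The three value names and their data are the documented Windows policy values; the function names are this example's own.

```powershell
# Added example (not from the Roaming Computing System guide): verify and apply
# the Windows AutoRun hardening the guide refers to, then report any autorun.inf
# found on currently attached removable drives. Run as an administrator.
# Assumed registry values (the documented Explorer policy values):
#   NoDriveTypeAutoRun  = 0xFF  disable AutoRun/AutoPlay on every drive type
#   NoAutorun           = 1     ignore autorun.inf entirely
#   HonorAutorunSetting = 1     make XP (with KB967715) honour the values above
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$wanted = @{ 'NoDriveTypeAutoRun' = 0xFF; 'NoAutorun' = 1; 'HonorAutorunSetting' = 1 }

function Test-AutorunHardening {
    # Returns $true only when every value is present with the expected data.
    $ok = $true
    foreach ($name in $wanted.Keys) {
        $current = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $wanted[$name]) {
            Write-Host ("{0}: {1} (wanted {2})" -f $name, $current, $wanted[$name])
            $ok = $false
        }
    }
    return $ok
}

function Set-AutorunHardening {
    # Creates the policy key if needed and writes all three DWORD values.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $policyKey -Name $name -Value $wanted[$name] -Type DWord
    }
}

function Get-RemovableAutorun {
    # DriveType 2 = removable. Report the 'open=' / 'shellexecute=' targets that
    # autorun.inf would have run, so the stick can be scanned before use.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path $inf) {
            Get-Content $inf | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' } |
                ForEach-Object { "{0}: {1}" -f $inf, $_.Trim() }
        }
    }
}

if (-not (Test-AutorunHardening)) {
    Set-AutorunHardening
    Write-Host 'AutoRun policy values written; log off and on again for Explorer to re-read them.'
}
Get-RemovableAutorun
```

Because the values live under HKLM, they apply to every user of the workstation, which is what a scripted, per-workstation configuration needs.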
Your anti-malware software, Microsoft Security Essentials, can do a malware check on USB sticks when they're inserted. This setting is off by default and we leave it off (see Settings → Advanced → Scan removable drives).
When a program on a USB stick is run, or a document loaded into a word processor, as anywhere on the workstation, Microsoft Security Essentials will first check the program for malware. This is the most convenient place for this check and from what I know a sufficient way to deal with it considering the fact we've turned off the autorun.inf feature.