Does anyone have experience administrating laptops in a Windows Domain environment?
I currently have roaming profiles configured with folder redirection throughout our domain. I wanted to know how people handle laptops. We usually only use these laptops for presentations and the like. What is the best way to handle Windows Updates? I know that a laptop off site can log into the domain using cached credentials, but is there a better way?
Anyone know of resources/methods of administrating laptops?
The laptop should be added to the domain; if it is not part of the domain, it will be a vulnerability when plugged into the office network.
You create a new OU in Active Directory for laptops and create a new GP, specifying the config you wish to enforce on the laptops. You then make the user a local admin so they can install software offsite if need be. Windows updates can then run from any internet connection.
Are you asking us these because you're looking for a more efficient way to administer laptops and laptop users, or do you have an issue that you'd like to address? Are you specifically interested in how to administer remote laptop users?
The only other way I can think of to administer laptop users is to set up a terminal server and allow the laptop users to remote into the terminal server. The laptops would basically only be "thin clients" in this configuration. Windows Server 2003 allows you to run TS for free for a few months (I forgot the exact number) if you'd like to pilot that idea. Updates would be applied to the server by the TS administrator. Software would be installed by the TS admin. Users could run their sessions as if they were in the office, on standalone PCs. Roaming profile download and upload wouldn't be an issue either since the profile would stay on the TS. Slowness would probably be the only concern.
One issue I've found with running laptops for remote users in a domain is group policy application. Group policy settings on the laptop sometimes conflict with group policy settings on the network (i.e., password policy mismatches). The issues aren't major, though. Either way, being that group policy is one of the major ways to administer computers, you can do like quinnyyy suggests and set up a special OU for laptop users. With the GP, you can set up Windows Update.
I'd be interested to know if you take the TS route.
I work in an organisation with apparently 20,000 staff across the UK and there are very few actual tower/desktop type PCs. First day you get a laptop (which then becomes your personal [sackable offence type] responsibility) and docking station as you walk in the door, and wherever you go you just hook it up to the "hot" desk's power/network/phone supply unit and lovely extra hot desk screen. User logs in and off they go. Docking station provides laptop connectivity to the core network wherever they go with the added bonus of two screens to work from (which, for such a simple thing, is almost indispensable once you get the hang of it - I get really frustrated with just one monitor nowadays). The company also has a policy of providing mobile phones for mobile/work from home users, which is also invaluable.
Once you log in you don't get a roaming profile. Everything is based from links off your PC. IE home page is for your group and security is restricted when you try to go elsewhere. Same from home. Have huge dialup capability for home connectivity to the core network and, to be honest, there is nothing I cannot do from home that I can do in the office except answer the desk phone when it rings (which is a bonus).
Question I ask is... Why roaming profiles? Why do you need to push down what you think their desktop should look like if their laptop already knows what they want? With thought about security, they cannot get where they're not supposed to be if internal staff transfers/etc. are reported to the server team diligently.
In 15 years of IT, I have yet to see these server pushes work consistently well. There is always some sort of cock up which messes everything up for the user and typically takes absolutely days to work out, usually with a complete wipe and start again fix. Network connectivity is all that you really need to think about. They start a job and the office manager gives security authorisation to the things they need. Immediate HR communications on internal transfers/new joiners and leavers stop all the hassle and not to mention precious network bandwidth.
Users are IT's Meat. Who controls the meat? ...... HR! Get them on board at board level for a much more efficient and forward thinking organisation! If you can get that to happen (and good luck with that) everything else becomes easy peasy.
Think out of the box! Do not restrict yourself by what Microsoft tells you the possible things you can do.