United States Patent Application
20030079132
Kind Code
A1
Bryant, Guy R.
April 24, 2003
Computer functional architecture and a locked down environment in a client-server architecture
Abstract
A method, an apparatus and a computer program product are disclosed for providing a lockeddown client environment in a client-server architecture of a computer network. In the method, an asset database is checked via the computer network to validate settings for configuration of the personal computer. The personal computer is booted using a personalized network boot disk for a user. The asset database contains information about the configuration of one or more personal computers. If the settings are validated, a lockeddown environment is built for the personal computer. The operating system and hardware drivers installed on the personal computer are dependent upon the asset database. The operating system prevents unauthorised modification and bypassing of the operating system. Preconfigured application software is installed on the personal computer dependent upon the asset database. User data can only be stored remotely at a server via the computer network.
Inventors:
Bryant; Guy R.
(New South Wales, AU)
Correspondence Name and Address:
INTELLECTUAL PROPERTY LAW DEPT. P.O. BOX 218
IBM CORPORATION
YORKTOWN HEIGHTS
NY
10598
US
Series Code:
791978
Filed:
February 23, 2001
U.S. Current Class:
713/182;
717/176
U.S. Class at Publication:
713/182;
717/176
Intern'l Class:
G06F 009/455;
H04L 009/00
Claims
We claim:
1. A method of providing a lockeddown client environment in a client-server architecture of a computer network, said method including the steps of: checking an asset database accessible via said computer network using a personal computer capable of connecting to said computer network and booted using a personalized network boot disk for a user to validate settings for configuration of said personal computer, said asset database containing information about the configuration of one or more personal computers; if said settings are validated, creating a lockeddown build for said personal computer, said creating step including the sub-steps of: initializing said personal computer for installation of a user environment dependent upon said personalized network boot disk; installing an operating system and hardware drivers on said personal computer via said computer network dependent upon said asset database, said operating system adapted to enable security of installed software on said personal computer against unauthorised modification and to prevent bypassing said operating system; creating a computer account for said personal computer in said computer network; installing preconfigured application software on said personal computer from a repository in said computer network dependent upon said asset database, said personal computer being configured so that user data can only be stored remotely at a server via said computer network; updating a master logfile at said server accessible via said computer network to record said personal computer configuration.
2. The method according to claim 1, further including the step of creating a personalised network boot disk.
3. The method according to claim 1, further including the step of remotely interrogating said personal computer via said computer network and comparing said interrogation results with said asset database.
4. The method according to claim 3, further including the step of determining if said personal computer satisfies software licensing requirements dependent upon said comparison results.
5. The method according to claim 1, further including the step of remotely performing diagnostic testing of said personal computer.
6. The method according to claim 1, further including the step of maintaining a security access profile for each user to enable virtual login from any personal computer connected to said computer network.
7. The method according to claim 1, wherein at least two personal computers are capable of accessing said computer network, said personal computers having similar hardware and software configurations.
8. The method according to claim 1, further including the step of providing centralized login scripts via said computer network to said personal computer from said server.
9. The method according to claim 1, further including the step of providing a security profile for said user to enable said security.
10. The method according to claim 9, further including the step of providing scripts to provide said security profile and to map one or more remote storage drives to be accessible via said computer network by said personal computer.
11. The method according to claim 1, wherein said settings are validated if an asset number is provided by said personalized network boot disk.
12. The method according to claim 1, wherein said asset database contains information about the hardware and software configuration of said one or more personal computers.
13. The method according to claim 1, wherein said personalized network boot disk contains a unique identification name.
14. The method according to claim 13, further including the step of validating said personalized network boot disk dependent upon a password of said user when said personalized network boot disk is first used.
15. The method according to claim 1, further including the step of updating an individual log file.
16. An apparatus for providing a lockeddown client environment in a client-server architecture of a computer network, said apparatus including: means for checking an asset database accessible via said computer network using a personal computer capable of connecting to said computer network and booted using a personalized network boot disk for a user to validate settings for configuration of said personal computer, said asset database containing information about the configuration of one or more personal computers; means for, if said settings are validated, creating a lockeddown build for said personal computer, said creating means further including: means for initializing said personal computer for installation of a user environment dependent upon said personalized network boot disk; means for installing an operating system and hardware drivers on said personal computer via said computer network dependent upon said asset database, said operating system adapted to enable security of installed software on said personal computer against unauthorised modification and to prevent bypassing said operating system; means for creating a computer account for said personal computer in said computer network; means for installing preconfigured application software on said personal computer from a repository in said computer network dependent upon said asset database, said personal computer being configured so that user data can only be stored remotely at a server via said computer network; and means for updating a master logfile at said server accessible via said computer network to record said personal computer configuration.
17. The apparatus according to claim 16, further including means for creating a personalised network boot disk.
18. The apparatus according to claim 16, further including means for remotely interrogating said personal computer via said computer network and comparing said interrogation results with said asset database.
19. The apparatus according to claim 18, further including means for determining if said personal computer satisfies software licensing requirements dependent upon said comparison results.
20. The apparatus according to claim 16, further including means for remotely performing diagnostic testing of said personal computer.
21. The apparatus according to claim 16, further including means for maintaining a security access profile for each user to enable virtual login from any personal computer connected to said computer network.
22. The apparatus according to claim 16, wherein at least two personal computers are capable of accessing said computer network, said personal computers having similar hardware and software configurations.
23. The apparatus according to claim 16, further including means for providing centralized login scripts via said computer network to said personal computer from said server.
24. The apparatus according to claim 16, further including means for providing a security profile for said user to enable said security.
25. The apparatus according to claim 24, further including means for providing scripts to provide said security profile and to map one or more remote storage drives to be accessible via said computer network by said personal computer.
26. The apparatus according to claim 16, wherein said settings are validated if an asset number is provided by said personalized network boot disk.
27. The apparatus according to claim 16, wherein said asset database contains information about the hardware and software configuration of said one or more personal computers.
28. The apparatus according to claim 16, wherein said personalized network boot disk contains a unique identification name.
29. The apparatus according to claim 28, further including means for validating said personalized network boot disk dependent upon a password of said user when said personalized network boot disk is first used.
30. The apparatus according to claim 16, further including means for updating an individual log file.
31. A computer program product having a computer readable medium having a computer program recorded therein for providing a lockeddown client environment in a client-server architecture of a computer network, said computer program product including: computer program code means for checking an asset database accessible via said computer network using a personal computer capable of connecting to said computer network and booted using a personalized network boot disk for a user to validate settings for configuration of said personal computer, said asset database containing information about the configuration of one or more personal computers; computer program code means for, if said settings are validated, creating a lockeddown build for said personal computer, said computer program code means for creating further including: computer program code means for initializing said personal computer for installation of a user environment dependent upon said personalized network boot disk; computer program code means for installing an operating system and hardware drivers on said personal computer via said computer network dependent upon said asset database, said operating system adapted to enable security of installed software on said personal computer against unauthorised modification and to prevent bypassing said operating system; computer program code means for creating a computer account for said personal computer in said computer network; computer program code means for installing preconfigured application software on said personal computer from a repository in said computer network dependent upon said asset database, said personal computer being configured so that user data can only be stored remotely at a server via said computer network; and computer program code means for updating a master logfile at said server accessible via said computer network to record said personal computer configuration.
32. The computer program product according to claim 31, further including computer program code means for creating a personalised network boot disk.
33. The computer program product according to claim 31, further including computer program code means for remotely interrogating said personal computer via said computer network and comparing said interrogation results with said asset database.
34. The computer program product according to claim 33, further including computer program code means for determining if said personal computer satisfies software licensing requirements dependent upon said comparison results.
35. The computer program product according to claim 31, further including computer program code means for remotely performing diagnostic testing of said personal computer.
36. The computer program product according to claim 31, further including computer program code means for maintaining a security access profile for each user to enable virtual login from any personal computer connected to said computer network.
37. The computer program product according to claim 31, wherein at least two personal computers are capable of accessing said computer network, said personal computers having similar hardware and software configurations.
38. The computer program product according to claim 31, further including computer program code means for providing centralized login scripts via said computer network to said personal computer from said server.
39. The computer program product according to claim 31, further including computer program code means for providing a security profile for said user to enable said security.
40. The computer program product according to claim 39, further including computer program code means for providing scripts to provide said security profile and to map one or more remote storage drives to be accessible via said computer network by said personal computer.
41. The computer program product according to claim 31, wherein said settings are validated if an asset number is provided by said personalized network boot disk.
42. The computer program product according to claim 31, wherein said asset database contains information about the hardware and software configuration of said one or more personal computers.
43. The computer program product according to claim 31, wherein said personalized network boot disk contains a unique identification name.
44. The computer program product according to claim 43, further including computer program code means for validating said personalized network boot disk dependent upon a password of said user when said personalized network boot disk is first used.
45. The computer program product according to claim 31, further including computer program code means for updating an individual log file.
46. A method of locking down a client environment of a personal computer in a computer network, said method including the steps of: providing an asset database via said computer network that can be accessed by said personal computer, said asset database containing information about the configuration of one or more personal computers; booting said personal computer capable of connecting to said computer network and having installed therein an operating system and hardware drivers dependent upon said asset database, said operating system adapted to enable security of installed software on said personal computer against unauthorised modification and to prevent bypassing said operating system, said personal computer further having preconfigured application software installed on said personal computer dependent upon said asset database; logging onto said personal computer and said computer network using a centralized logon script enabling asset tracking of said personal computer; checking said asset database accessible via said computer network dependent upon a unique identifier for said personal computer and information about said user to validate settings for configuration of said personal computer; and if said settings are validated, configuring said personal computer according to a locked down build for said user and said personal computer, said personal computer being configured so that user data can only be stored remotely at a server via said computer network.
47. The method according to claim 46, wherein said asset database contains information about the hardware and software configuration of said one or more personal computers.
48. The method according to claim 46, further including the step of remotely interrogating said personal computer via said computer network and comparing said interrogation results with said asset database.
49. The method according to claim 48, further including the step of determining if said personal computer satisfies software licensing requirements dependent upon said comparison results.
50. The method according to claim 46, further including the step of maintaining a security access profile for each user to enable virtual login from any personal computer connected to said computer network.
51. The method according to claim 46, further including the step of providing a security profile for said user to enable said security.
52. The method according to claim 51, further including the step of providing scripts to provide said security profile and to map one or more remote storage drives to be accessible via said computer network by said personal computer.
53. An apparatus for locking down a client environment of a personal computer in a computer network, said apparatus including: means for providing an asset database via said computer network that can be accessed by said personal computer, said asset database containing information about the configuration of one or more personal computers; means for booting said personal computer capable of connecting to said computer network and having installed therein an operating system and hardware drivers dependent upon said asset database, said operating system adapted to enable security of installed software on said personal computer against unauthorised modification and to prevent bypassing said operating system, said personal computer further having preconfigured application software installed on said personal computer dependent upon said asset database; means for logging onto said personal computer and said computer network using a centralized logon script enabling asset tracking of said personal computer; means for checking said asset database accessible via said computer network dependent upon a unique identifier for said personal computer and information about said user to validate settings for configuration of said personal computer; and means for, if said settings are validated, configuring said personal computer according to a locked down build for said user and said personal computer, said personal computer being configured so that user data can only be stored remotely at a server via said computer network.
54. The apparatus according to claim 53, wherein said asset database contains information about the hardware and software configuration of said one or more personal computers.
55. The apparatus according to claim 53, further including means for remotely interrogating said personal computer via said computer network and comparing said interrogation results with said asset database.
56. The apparatus according to claim 55, further including means for determining if said personal computer satisfies software licensing requirements dependent upon said comparison results.
57. The apparatus according to claim 53, further including means for maintaining a security access profile for each user to enable virtual login from any personal computer connected to said computer network.
58. The apparatus according to claim 53, further including means for providing a security profile for said user to enable said security.
59. The apparatus according to claim 58, further including means for providing scripts to provide said security profile and to map one or more remote storage drives to be accessible via said computer network by said personal computer.
60. A computer program product having a computer readable medium having a computer program recorded therein for locking down a client environment of a personal computer in a computer network, said computer program product including: computer program code means for providing an asset database via said computer network that can be accessed by said personal computer, said asset database containing information about the configuration of one or more personal computers; computer program code means for booting said personal computer capable of connecting to said computer network and having installed therein an operating system and hardware drivers dependent upon said asset database, said operating system adapted to enable security of installed software on said personal computer against unauthorised modification and to prevent bypassing said operating system, said personal computer further having preconfigured application software installed on said personal computer dependent upon said asset database; computer program code means for logging onto said personal computer and said computer network using a centralized logon script enabling asset tracking of said personal computer; computer program code means for checking said asset database accessible via said computer network dependent upon a unique identifier for said personal computer and information about said user to validate settings for configuration of said personal computer; and computer program code means for, if said settings are validated, configuring said personal computer according to a locked down build for said user and said personal computer, said personal computer being configured so that user data can only be stored remotely at a server via said computer network.
61. The computer program product according to claim 60, wherein said asset database contains information about the hardware and software configuration of said one or more personal computers.
62. The computer program product according to claim 60, further including computer program code means for remotely interrogating said personal computer via said computer network and comparing said interrogation results with said asset database.
63. The computer program product according to claim 62, further including computer program code means for determining if said personal computer satisfies software licensing requirements dependent upon said comparison results.
64. The computer program product according to claim 60, further including computer program code means for maintaining a security access profile for each user to enable virtual login from any personal computer connected to said computer network.
65. The computer program product according to claim 60, further including computer program code means for providing a security profile for said user to enable said security.
66. The computer program product according to claim 65, further including computer program code means for providing scripts to provide said security profile and to map one or more remote storage drives to be accessible via said computer network by said personal computer.
Description
FIELD OF THE INVENTION
[0001] The present invention relates to computer architectures, and in particular to a structured computer organisation in a client-server environment.
BACKGROUND
[0002] In the last fifteen to twenty years, the utilisation of "personal" computers has exploded, along with the rapid advent of the Internet and other networked environments of such personal computers. Such personal computers are used in both the business world and at home, enabling widespread variations in both hardware and software installed on such computers.
[0003] Along with the widespread adoption of personal computers has arisen the need for "help desks" and information technology (IT) support to help people with difficulties using their computers. This represents a significant expense for businesses and other organisations. For example, in large corporate environments where many users utilise a network environment, IT specialists and help desk personnel must be available to minimise downtime arising from hardware and software conflicts and other problems that arise. The same applies, for example, to Internet service providers. An organisation might use a standard word processing application, but because of differing hardware configurations, operating systems, network environments, software drivers and the like, problems regularly arise, leading to downtime and other expenses from such inefficiencies, as well as the additional expense of IT personnel who have to try to resolve these problems. This is often like looking for a needle in a haystack.
[0004] Thus, a need clearly exists for an improved system for structuring computer configurations in large network environments.
SUMMARY
[0005] In accordance with a first aspect of the invention, there is provided a method of providing a lockeddown client environment in a client-server architecture of a computer network, the method including the steps of:
[0006] checking an asset database accessible via the computer network using a personal computer capable of connecting to the computer network and booted using a personalized network boot disk for a user to validate settings for configuration of the personal computer, the asset database containing information about the configuration of one or more personal computers;
[0007] if the settings are validated, creating a lockeddown build for the personal computer, the creating step including the sub-steps of:
[0008] initializing the personal computer for installation of a user environment dependent upon the personalized network boot disk;
[0009] installing an operating system and hardware drivers on the personal computer via the computer network dependent upon the asset database, the operating system adapted to enable security of installed software on the personal computer against unauthorised modification and to prevent bypassing the operating system;
[0010] creating a computer account for the personal computer in the computer network;
[0011] installing preconfigured application software on the personal computer from a repository in the computer network dependent upon the asset database, the personal computer being configured so that user data can only be stored remotely at a server via the computer network;
[0012] updating a master logfile at the server accessible via the computer network to record the personal computer configuration.
[0013] Preferably, the method further includes the step of creating a personalised network boot disk.
[0014] Preferably, the method further includes the step of remotely interrogating the personal computer via the computer network and comparing the interrogation results with the asset database. The method may further include the step of determining if the personal computer satisfies software licensing requirements dependent upon the comparison results.
[0015] Preferably, the method further includes the step of remotely performing diagnostic testing of the personal computer.
[0016] Preferably, the method further includes the step of maintaining a security access profile for each user to enable virtual login from any personal computer connected to the computer network.
[0017] Preferably, at least two personal computers are capable of accessing the computer network, the personal computers having similar hardware and software configurations.
[0018] Preferably, the method further includes the step of providing centralized login scripts via the computer network to the personal computer from the server.
[0019] Preferably, the method further includes the step of providing a security profile for the user to enable the security.
[0020] Preferably, the method further includes the step of providing scripts to provide the security profile and to map one or more remote storage drives to be accessible via the computer network by the personal computer.
[0021] Preferably, the settings are validated if an asset number is provided by the personalized network boot disk.
[0022] Preferably, the asset database contains information about the hardware and software configuration of the one or more personal computers.
[0023] Preferably, the personalized network boot disk contains a unique identification name. The method may further include the step of validating the personalized network boot disk dependent upon a password of the user when the personalized network boot disk is first used. The method may further include the step of updating an individual log file.
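The build procedure of claim 1 and paragraphs [0006] to [0023] above, modelled as an added example. This is illustrative code written for this page, not code from the patent or from IBM. The asset-database schema, the boot-disk identifier format, the first-use password being checked as a salted PBKDF2 hash, and a SHA-256 digest per application package recorded in the asset database (so the build can verify that what the repository serves is what the asset record approved) are all assumptions; the patent specifies none of them.

```python
"""Asset-database-gated locked-down build (illustrative model of claim 1).

Added example, not the patent's own code. Schema fields, identifier formats,
the password hashing and the per-package digest check are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


class BuildRefused(Exception):
    """Raised when the boot disk, the asset record or the repository fails a check."""


_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed


def _hash_password(password: str) -> bytes:
    # First-use password check (claim 14). Salted PBKDF2; iteration count is
    # kept low for the example and would be raised in a real deployment.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


def _sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed software repository: package name -> installer bytes.
REPO = {
    "wordproc-9": b"wordproc-9 installer (constructed)",
    "mail-5": b"mail-5 installer (constructed)",
    "game-1": b"present in the repository but on no approved build",
}

# Constructed asset database keyed by asset number. The record, not the user,
# fixes the OS image, drivers and applications; each app carries the digest
# the repository copy must match (an assumption added for this example).
ASSET_DB = {
    "A1001": {
        "boot_disk_id": "BOOT-A1001-jsmith",
        "user": "jsmith",
        "password_hash": _hash_password("correct horse"),
        "os_image": "corp-os-2001q1",
        "drivers": ["nic-3c905", "video-s3"],
        "apps": {"wordproc-9": _sha256(REPO["wordproc-9"]),
                 "mail-5": _sha256(REPO["mail-5"])},
    },
}


@dataclass(frozen=True)
class BootDisk:
    asset_number: str
    unique_id: str     # the disk's unique identification name (claim 13)
    first_use: bool


def validate_boot_disk(disk, db, password=None):
    """Return the asset record the disk maps to, or raise BuildRefused."""
    record = db.get(disk.asset_number)
    if record is None:
        raise BuildRefused("asset number not in asset database")
    if not hmac.compare_digest(record["boot_disk_id"], disk.unique_id):
        raise BuildRefused("boot disk identifier does not match asset record")
    if disk.first_use and (password is None or not hmac.compare_digest(
            record["password_hash"], _hash_password(password))):
        raise BuildRefused("first-use password check failed")
    return record


def build_lockeddown(disk, db, repo, password=None, master_log=None,
                     individual_log=None):
    """Run the build sub-steps of claim 1 and return the log entry produced."""
    record = validate_boot_disk(disk, db, password)
    steps = [("initialize", disk.unique_id), ("install_os", record["os_image"])]
    steps += [("install_driver", d) for d in record["drivers"]]
    steps.append(("create_computer_account", "PC-" + disk.asset_number))
    for app, expected in record["apps"].items():
        blob = repo.get(app)
        if blob is None:
            raise BuildRefused(app + " missing from repository")
        if not hmac.compare_digest(_sha256(blob), expected):
            raise BuildRefused(app + " in repository does not match asset database digest")
        steps.append(("install_app", app))
    steps.append(("policy", "user_data_remote_only"))  # no local user data
    entry = {"asset": disk.asset_number, "user": record["user"], "steps": steps}
    if master_log is not None:            # master logfile at the server
        master_log.append(json.dumps(entry, sort_keys=True))
    if individual_log is not None:        # per-PC individual log (claim 15)
        individual_log.append(entry)
    return entry


if __name__ == "__main__":
    log = []
    disk = BootDisk("A1001", "BOOT-A1001-jsmith", first_use=True)
    print(build_lockeddown(disk, ASSET_DB, REPO, "correct horse", master_log=log))
```

The point to notice is that build_lockeddown takes no package selection from the user: every installed component is derived from the asset record, so a boot disk with a forged identifier, a wrong first-use password, or a repository entry that does not match the digest in the asset database each stops the build before anything is installed, and the refusal reason can go to the same master logfile.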
[0024] In accordance with a second aspect of the invention, there is disclosed an apparatus for providing a lockeddown client environment in a client-server architecture of a computer network, the apparatus including:
[0025] a device for checking an asset database accessible via the computer network using a personal computer capable of connecting to the computer network and booted using a personalized network boot disk for a user to validate settings for configuration of the personal computer, the asset database containing information about the configuration of one or more personal computers;
[0026] a device for, if the settings are validated, creating a lockeddown build for the personal computer, the creating device further including:
[0027] a device for initializing the personal computer for installation of a user environment dependent upon the personalized network boot disk;
[0028] a device for installing an operating system and hardware drivers on the personal computer via the computer network dependent upon the asset database, the operating system adapted to enable security of installed software on the personal computer against unauthorised modification and to prevent bypassing the operating system;
[0029] a device for creating a computer account for the personal computer in the computer network;
[0030] a device for installing preconfigured application software on the personal computer from a repository in the computer network dependent upon the asset database, the personal computer being configured so that user data can only be stored remotely at a server via the computer network; and
[0031] a device for updating a master logfile at the server accessible via the computer network to record the personal computer configuration.
[0032] In accordance with a third aspect of the invention, there is disclosed a computer program product having a computer readable medium having a computer program recorded therein for providing a lockeddown client environment in a client-server architecture of a computer network, the computer program product including:
[0033] a computer program code module for checking an asset database accessible via the computer network using a personal computer capable of connecting to the computer network and booted using a personalized network boot disk for a user to validate settings for configuration of the personal computer, the asset database containing information about the configuration of one or more personal computers;
[0034] a computer program code module for, if the settings are validated, creating a lockeddown build for the personal computer, the computer program code module for creating further including:
[0035] a computer program code module for initializing the personal computer for installation of a user environment dependent upon the personalized network boot disk;
[0036] a computer program code module for installing an operating system and hardware drivers on the personal computer via the computer network dependent upon the asset database, the operating system adapted to enable security of installed software on the personal computer against unauthorised modification and to prevent bypassing the operating system;
[0037] a computer program code module for creating a computer account for the personal computer in the computer network;
[0038] a computer program code module for installing preconfigured application software on the personal computer from a repository in the computer network dependent upon the asset database, the personal computer being configured so that user data can only be stored remotely at a server via the computer network; and
[0039] a computer program code module for updating a master logfile at the server accessible via the computer network to record the personal computer configuration.
[0040] In accordance with a fourth aspect of the invention, there is provided a method of locking down a client environment of a personal computer in a computer network, the method including the steps of:
[0041] providing an asset database via the computer network that can be accessed by the personal computer, the asset database containing information about the configuration of one or more personal computers;
[0042] booting the personal computer capable of connecting to the computer network and having installed therein an operating system and hardware drivers dependent upon the asset database, the operating system adapted to enable security of installed software on the personal computer against unauthorised modification and to prevent bypassing the operating system, the personal computer further having preconfigured application software installed on the personal computer dependent upon the asset database;
[0043] logging onto the personal computer and the computer network using a centralized logon script enabling asset tracking of the personal computer;
[0044] checking the asset database accessible via the computer network dependent upon a unique identifier for the personal computer and information about the user to validate settings for configuration of the personal computer; and
[0045] if the settings are validated, configuring the personal computer according to a locked down build for the user and the personal computer, the personal computer being configured so that user data can only be stored remotely at a server via the computer network.
[0046] Preferably, the asset database contains information about the hardware and software configuration of the one or more personal computers.
[0047] Preferably, the method further includes the step of remotely interrogating the personal computer via the computer network and comparing the interrogation results with the asset database. The method may further include the step of determining if the personal computer satisfies software licensing requirements dependent upon the comparison results.
[0048] Preferably, the method further includes the step of maintaining a security access profile for each user to enable virtual login from any personal computer connected to the computer network.
[0049] Preferably, the method further includes the step of providing a security profile for the user to enable the security. The method may further include the step of providing scripts to provide the security profile and to map one or more remote storage drives to be accessible via the computer network by the personal computer.
[0050] In accordance with a fifth aspect of the invention, there is disclosed an apparatus for locking down a client environment of a personal computer in a computer network, the apparatus including:
[0051] a device for providing an asset database via the computer network that can be accessed by the personal computer, the asset database containing information about the configuration of one or more personal computers;
[0052] a device for booting the personal computer capable of connecting to the computer network and having installed therein an operating system and hardware drivers dependent upon the asset database, the operating system adapted to enable security of installed software on the personal computer against unauthorised modification and to prevent bypassing the operating system, the personal computer further having preconfigured application software installed on the personal computer dependent upon the asset database;
[0053] a device for logging onto the personal computer and the computer network using a centralized logon script enabling asset tracking of the personal computer;
[0054] a device for checking the asset database accessible via the computer network dependent upon a unique identifier for the personal computer and information about the user to validate settings for configuration of the personal computer; and
[0055] a device for, if the settings are validated, configuring the personal computer according to a locked down build for the user and the personal computer, the personal computer being configured so that user data can only be stored remotely at a server via the computer network.
[0056] In accordance with a sixth aspect of the invention, there is disclosed a computer program product having a computer readable medium having a computer program recorded therein for locking down a client environment of a personal computer in a computer network, the computer program product including:
[0057] a computer program code module for providing an asset database via the computer network that can be accessed by the personal computer, the asset database containing information about the configuration of one or more personal computers;
[0058] a computer program code module for booting the personal computer capable of connecting to the computer network and having installed therein an operating system and hardware drivers dependent upon the asset database, the operating system adapted to enable security of installed software on the personal computer against unauthorised modification and to prevent bypassing the operating system, the personal computer further having preconfigured application software installed on the personal computer dependent upon the asset database;
[0059] a computer program code module for logging onto the personal computer and the computer network using a centralized logon script enabling asset tracking of the personal computer;
[0060] a computer program code module for checking the asset database accessible via the computer network dependent upon a unique identifier for the personal computer and information about the user to validate settings for configuration of the personal computer; and
[0061] a computer program code module for, if the settings are validated, configuring the personal computer according to a locked down build for the user and the personal computer, the personal computer being configured so that user data can only be stored remotely at a server via the computer network.
BRIEF DESCRIPTION OF THE DRAWINGS
[0062] The embodiments of the invention are described hereinafter with reference to the figures, in which:
[0063] FIG. 1 is a high-level block diagram illustrating a computer networked environment 100 for implementing a locked down environment in accordance with one embodiment of the invention;
[0064] FIG. 2 is a flowchart illustrating a process for creating a build for a personal computer in the locked down environment of FIG. 1;
[0065] FIG. 3 is a more detailed diagram of the thick/thin client networked environment;
[0066] FIG. 4 is a screenshot illustrating the configuration of a personal computer derived from the asset database;
[0067] FIG. 5 is a screenshot for the Makedisk command;
[0068] FIG. 6 is another screenshot for the Makedisk command;
[0069] FIG. 7 is a screenshot illustrating an example of a diskette labelling format;
[0070] FIG. 8 is a screenshot of an example of a courtesy alert;
[0071] FIG. 9A is a depiction of a master log file, Master.log;
[0072] FIG. 9B is a depiction of a bootdisk log file, Bootdisk.log;
[0073] FIGS. 10A-10C are a depiction of a machine log file;
[0074] FIG. 11 is a depiction of an application log file;
[0075] FIG. 12 is a screenshot of a computer model table from the asset database;
[0076] FIG. 13 is a screenshot of a display adaptor table from the asset database;
[0077] FIG. 14 is a screenshot of a network card table from the asset database;
[0078] FIG. 15 is a screenshot of a software builds table from the asset database;
[0079] FIGS. 16A and 16B are a depiction of access rights to files;
[0080] FIGS. 17A-17U depict Command.Cmd Logon script of the preferred embodiment;
[0081] FIG. 18 depicts a Technology.Cmd logon script;
[0082] FIGS. 19A-19A depicts MakeDisk.bat;
[0083] FIG. 20 is a block diagram 2000 of the servers and the network domain 2000 of the initial design;
[0084] FIG. 21 is a block diagram illustrating the IP addressing structure of the initial design;
[0085] FIG. 22 is a table 2200 illustrating the DHCP server configuration;
[0086] FIG. 23 is a table illustrating the configuration for a second DHCP server;
[0087] FIG. 24 is a block diagram of the two domains with an interconnecting gateway and shared assets;
[0088] FIG. 25 is a block diagram of usage of hard disk storage in the initial design;
[0089] FIG. 26 is a pie chart with legend of disk space available to a user;
[0090] FIG. 27 is a block diagram of the network design in a building of the organization having, for example, 14 floors;
[0091] FIG. 28 is a block diagram showing the IP layer structure 2800;
[0092] FIG. 29 is a block diagram of the implemented network design;
[0093] FIG. 30 is a table setting forth IP subnets;
[0094] FIG. 31 is a block diagram showing the original LAN infrastructure;
[0095] FIG. 32 is a table providing information about the servers of FIG. 31;
[0096] FIG. 33 is a block diagram of the NT LAN layout;
[0097] FIG. 34 is a table showing the server naming convention;
[0098] FIG. 35 is a screenshot of the User Manager for the Domain interface;
[0099] FIG. 36 is a screenshot of the Account Policy for input of parameter values;
[0100] FIG. 37 is a screenshot of the interface for controlling user logons to workstations;
[0101] FIG. 38 is a screenshot of the interface for setting a user's password to not expire;
[0102] FIG. 39 is a screenshot of the interface for setting logon hours; and
[0103] FIG. 40 is a block diagram illustrating the process according to the embodiment of the invention.
DETAILED DESCRIPTION
[0104] A method and a system for providing an improved computer functional architecture are disclosed. Further, a method and an apparatus for providing a client-server architecture having a lock down environment are disclosed. In the following description, numerous details are set forth. It will be apparent to one skilled in the art, however, that the present invention may be practised without these specific details. In other instances, well-known features are not described in detail so as not to obscure the present invention.
[0105] The description is organized as follows:
[0106] 1. Overview
[0107] 2. Thick/Thin PC Client
[0108] 3. Standardized Configuration of Workstations
[0109] 4. Workstation User Information
[0110] 5. Initial Network Design
[0111] 6. Network And Cabling Design
[0112] 7. NT Deployment Cut-Over Method
[0113] 1. Overview
[0114] The embodiments of the invention involve methods, apparatuses, and computer program products for implementing a locked down environment in a client server architecture. The embodiments also involve a computer functional architecture, as well as an assets logistics process. The embodiments have been developed to set up and manage a large organization with a stable, re-usable infrastructure, facilitate computer sharing, minimise downtime, maximise reliability and minimize human resources required to support the infrastructure. In the following description, numerous specific details such as software applications, computer model numbers, naming conventions, and the like are set forth. However, it will be apparent to those skilled in the art in view of this disclosure that changes and/or modifications can be made thereto without departing from the scope and spirit of the invention. In other instances, details well known to those skilled in the art have not been set forth so as not to obscure the invention.
[0115] The locked down environment provides a thick client that works like a thin client. The application software is loaded from the client, but the user data is kept on the server. This enables a user to log in anywhere in the network and download their data. The locked down environment provides fast image response and fast image activation. Updates of the software can be made to the Personal Computer over the network using remote management software such as Tivoli. Further, the locked down environment does not permit users to access local storage devices for storing user data, but instead compels the storage of data on storage devices available via the network. That is, all user generated data is held on a network server(s). Preference files are pre-written onto the PC and then locked down on the local storage device, forcing the user to go to the network drive to store user data. This also provides security for the user data. If the PC is stolen, no user data or "Intellectual Property" is lost. This also greatly ameliorates or eliminates the effects of hardware failure and consequential "down time" of users. Details of this aspect are set forth hereinafter.
[0116] In broad terms, this embodiment of the invention is shown in FIG. 1, depicting a networked environment 100 of an enterprise or organization. Each client 110, 112 has a personal computer 110A, 112A, with an application image or simply local applications 110B and 112B once installed. Remote management software 110C, 112C can be used to interrogate the "asset", and installation of the locked down environment is effected by a personalized network boot diskette 110D, 112D. The clients 110, 112 are coupled to one or more servers 120 via a network (generally indicated by double headed arrows between the foregoing elements). An asset database 130 is accessible by the server, as is a database 132 containing user data, login scripts, system policies and computer accounts. Applications for the "builds" and remote management software 134 are accessible by the server 120. The networked environment 100 is described in greater detail hereinafter.
[0117] FIG. 2 is a flow diagram illustrating a generalized process 200 for providing a lockeddown client environment in a client-server architecture of a computer network. In step 202, a personalized network boot disk is created. In step 204, a personal computer is booted using the boot disk. A bar code or other identifier is entered to provide information about the personal computer (PC). In step 206, the asset database is checked using the bar code and the settings for the PC are validated. In step 208, the PC is prepared for installation. In step 210, the operating system and hardware drivers are installed via the network. In step 212, a computer account is created in the domain. In step 214, applications are installed on the PC via the server and the applications are configured per the relevant asset database records. In step 216, the master logfiles are updated providing a record of the "built" machine. Processing then terminates.
[0118] The embodiments of the invention also include a computer functional architecture, i.e. a network hardware architecture for enterprise or organization networks, including client server systems. The embodiments modularise the logical functionality of the network from the physical structure using "low" level technology. Redundancy is added to the physical structure to maximize various measures (e.g., availability and throughput). In particular, using such redundancy, less expensive PC equipment can be used as server hardware, preferably using Intel-based servers. The system provides a Disaster Recovery Process (DRP) using RAID controllers. In particular, RAID 5 with parity is used, protecting data with many channels for throughput and focussing on data flows between devices. This system provides high availability and is a fault resistant architecture, achieving 90% or more of the effectiveness of special purpose or dedicated, mid-range systems yet at 20% of the cost of the more expensive approaches. The system uses lower end technology, and the user never sees the physical underpinnings.
[0119] The embodiments further include assets logistics processes. If an asset identified over the network is not recognized in an asset database, a locked down environment build is not permitted. That is, the Personal Computer is not permitted to be configured or to load an application image. If the asset is in the database, then the application image can be loaded. This provides essentially an electronic, centralized management database and associated processes. This enables the building and configuration of operating systems and applications on a personal computer, either a desktop PC or a laptop, to be moved from highly specialized personnel to relatively low skilled personnel. In this manner, new PCs can be rapidly deployed into the networked environment of the enterprise or organization. Further, the deployed system reports back to an auditing system periodically, preferably every 30 days. This assets logistics process allows an enterprise or organization to check and determine where assets are. Further, the enterprise or organization is able to more effectively manage licensing of software, since users do not have privileges enabling the users to update or write files.
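The build gate of process 200 (FIG. 2) and the 30-day check-in of the assets logistics process above, modelled as an added example. This is not code from the patent: the asset records, the supported-component tables (arranged after the computer model, display adaptor, network card and software builds tables of the figure list), the column names, the image and driver file names and the computer-account naming are all constructed assumptions. The point it shows is that an unknown or unsupported asset is refused before any operating system is loaded, that every attempt is written to the master log, and that the user data path handed to a built machine is always a server share.

```python
"""Added example, not the patent's own code: models the asset-database gate of
process 200 (FIG. 2) and the periodic check-in audit of the assets logistics
process. All records, table contents and field names are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed asset database, keyed by the bar code entered at boot (step 204).
ASSET_DB = {
    "AU000123": {"model": "PC-MODEL-A", "display": "DISPLAY-X", "nic": "NIC-P",
                 "build": "STD-OFFICE", "last_seen": date(2001, 2, 1)},
    "AU000456": {"model": "PC-MODEL-B", "display": "DISPLAY-Y", "nic": "NIC-Q",
                 "build": "CAD", "last_seen": date(2000, 11, 15)},
    # Known asset whose recorded model has no validated configuration.
    "AU000789": {"model": "PC-MODEL-Z", "display": "DISPLAY-X", "nic": "NIC-P",
                 "build": "STD-OFFICE", "last_seen": date(2001, 2, 10)},
}

# Constructed tables of validated components: only entries listed here have a
# known operating-system image, driver or application set (steps 210, 214).
SUPPORTED = {
    "model": {"PC-MODEL-A": "ntws-model-a.img", "PC-MODEL-B": "ntws-model-b.img"},
    "display": {"DISPLAY-X": "display-x.sys", "DISPLAY-Y": "display-y.sys"},
    "nic": {"NIC-P": "nic-p.sys", "NIC-Q": "nic-q.sys"},
    "build": {"STD-OFFICE": ["notes", "smartsuite", "acrobat", "antivirus"],
              "CAD": ["notes", "smartsuite", "acrobat", "antivirus", "cad"]},
}

AUDIT_DATE = date(2001, 2, 23)  # constructed "today" for the check-in audit


@dataclass
class BuildRecord:
    bar_code: str
    account: str
    os_image: str
    drivers: list
    applications: list
    data_path: str  # user data is only ever mapped to a server share


def validate_settings(asset_db, bar_code):
    """Step 206: (True, []) if the asset is known and every recorded component
    has a validated configuration, otherwise (False, reasons)."""
    asset = asset_db.get(bar_code)
    if asset is None:
        return False, ["asset not in asset database"]
    reasons = [f"unsupported {key}: {asset[key]}"
               for key in ("model", "display", "nic", "build")
               if asset[key] not in SUPPORTED[key]]
    return not reasons, reasons


def build_pc(asset_db, bar_code, server, master_log):
    """Steps 208-216: build only when validated; return the record or None.
    Every attempt, permitted or refused, is appended to the master log."""
    ok, reasons = validate_settings(asset_db, bar_code)
    if not ok:
        master_log.append(f"{bar_code} REFUSED: {'; '.join(reasons)}")
        return None
    asset = asset_db[bar_code]
    record = BuildRecord(
        bar_code=bar_code,
        account=f"WS-{bar_code}",                      # step 212 (naming assumed)
        os_image=SUPPORTED["model"][asset["model"]],   # step 210: OS per model
        drivers=[SUPPORTED["display"][asset["display"]],
                 SUPPORTED["nic"][asset["nic"]]],
        applications=list(SUPPORTED["build"][asset["build"]]),  # step 214
        data_path=f"\\\\{server}\\users",             # never a local drive
    )
    master_log.append(f"{bar_code} BUILT: {record.os_image} {record.applications}")
    return record


def overdue_assets(asset_db, today, max_days=30):
    """Assets that have not reported to the audit system within max_days;
    these are the ones the organisation needs to locate."""
    cutoff = today - timedelta(days=max_days)
    return sorted(code for code, asset in asset_db.items()
                  if asset["last_seen"] < cutoff)


if __name__ == "__main__":
    log = []
    print(build_pc(ASSET_DB, "AU000123", "FS01", log))
    print(build_pc(ASSET_DB, "AU000789", "FS01", log))
    print(build_pc(ASSET_DB, "AU999999", "FS01", log))
    print(overdue_assets(ASSET_DB, AUDIT_DATE))
    print("\n".join(log))
```

The refusal is logged with its reason so that a machine that fails the gate leaves a trace in the master log rather than silently staying unbuilt; the audit function is the server-side complement of the periodic report-back, listing the assets that have gone quiet.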
[0120] The embodiments provide a toolset for users, ensuring consistency and efficiency across the network. In essence, this involves a paradigm shift from the PC as a "personal" computer to a "business" computer in the enterprise networked environment. This involves a number of methodologies that are effectively building blocks for organizing the network environment. Consequently, the networked environment has greater predictability.
[0121] 2. Thick/Thin PC Client
[0122] The embodiments of the invention provide an advantageous Desktop Office environment utilising existing tools and applications. The embodiments address the challenge of implementing a back-office solution for a desktop client that reduces the cost of support by at least 50% over existing benchmarks. This implementation provides availability and access to data that meets or exceeds stringent Service Level Agreement requirements. The embodiments provide the following features:
[0123] 1. Fast Application activation;
[0124] 2. Work over any type of Network LAN infrastructure (ATM, Ethernet or Token Ring);
[0125] 3. Extensible over Wide Area Network to remote sites;
[0126] 4. Protect the client's Intellectual Property. Intellectual property as used here includes user data and data necessary to conduct a business and the like. This information often has concepts, processes and procedures that differentiate a business's or organization's product and provides a competitive edge. Loss of such information could significantly impact a business's ability to effectively compete in the marketplace.
[0127] 5. Provide for a 3:2 sharing ratio of Staff to personal computer (PC) Equipment;
[0128] 6. High availability;
[0129] 7. Lower support costs;
[0130] 8. Virtual Login, i.e. any staff member may login to any PC on the client's network and have their data and security access profile follow them to the particular PC the member logged into, providing access to all authorised network services;
[0131] 9. Utilise standard Office Automation Products (Word Processing, Presentation, Spreadsheet, Database applications, etc.);
[0132] 10. Standardisation across the PC fleet allowing lowered cost of training;
[0133] 11. Easy for end user to learn and use;
[0134] 12. Ensure consistency of information interchange between internal staff and external organisations;
[0135] 13. Ease of application software update and bug fix distribution;
[0136] 14. Granular security control from the organisation level down to the individual staff member; and
[0137] 15. Cater for 3 different computing environments: Standard Office, CAD and Desktop Publishing.
[0138] The phrase Personal Computer (PC) implies a number of cultural behaviours surrounding the word Personal. These behavioural characteristics include such things as:
[0139] 1. The PC is permanently assigned to a particular staff member, i.e. "It's mine, I'll do as I please".
[0140] 2. Since the computer is Personal, the staff member may perform configuration changes as desired without concern for ultimate impact on information interchange, configuration control (Hardware/Software), virus infection, data protection or software licensing.
[0141] 3. Since the user is allowed to have Personal control over their system, business critical data is generally allowed to be stored on the local desktop computer. Loss of this locally stored data through fire, theft, vandalism or component failure costs organisations an amount estimated to be in the hundreds of millions of dollars annually throughout the globe. This loss of Intellectual Property and lost productivity can be crippling, if not fatal, for an organisation.
[0142] These basic behaviours can cost large organisations hundreds of millions of dollars annually across the globe. These costs are typically contained under the broad heading of `Support`, `Intellectual Property Loss` and `Productivity Loss`.
[0143] The embodiments of the invention involve a paradigm shift whereby the Personal computer becomes the Professional computer. An organisation can issue its staff members a toolbox, not a sandbox.
[0144] To overcome these organisation technology liabilities while achieving the requirements outlined above, the embodiments of the invention pioneer a new architecture and implementation methodology.
[0145] The new architecture utilises and builds upon existing, commercially available hardware and software. Viewed at a high level, the embodiments address the following issues:
[0146] 1. The environment is Locked Down, so that an individual staff member may not modify the software configuration in any manner, except where specifically authorised to do so. No application software may be added or deleted without management approval. This facilitates many benefits including, software configuration control and software licensing compliance.
[0147] 2. All organisational data is forced to be stored on a highly available, central file server(s). All desktops, except where specifically excluded, are not allowed to store any data locally. This protects an organisation's Intellectual Property by ensuring standard, regular IT disciplines are used to protect data (backup/restore, off-site storage etc.).
[0148] 3. To allow for incremental computing capacity to be added, deleted or moved, the central storage performs file serving and network based services, such as Authorisation/Authentication, Mail, Printing and Name Services. Desktop PC's are the primary source of user compute cycles and memory necessary to perform the organisation's business.
[0149] 4. To allow for fast Application Activation times, the user applications are primarily installed on the Desktop PC. The desktop PC provides the memory, computational facilities and scratch disk areas necessary for the application to function properly. This reduces the size and cost of the central services including the LAN bandwidth.
[0150] 5. To ensure maximised flexibility within a facility, dedicated bandwidth is provided to each server, which aggregates into a high speed backbone and subsequent distribution to a managed ratio of PC's to LAN segment. Printing within larger sites, greater than 200 PC's, is put on dedicated segments.
[0151] 6. All PC Computing Environment hardware is of the same memory capability. As far as possible, multiple PC hardware configurations are minimised by purchasing in large lots as needed. This ensures both standardisation of performance and minimises application or operating system errors due to hardware differences. Once a problem is identified, bug-fix distribution is greatly simplified.
[0152] To facilitate this environment, the embodiments of the invention utilize a particular set of commercially available products and communication standards. The Standard Operation Environment (SOE) preferably includes:
[0153] 1. Operating System: Microsoft Windows NT.TM.,
[0154] 2. Office Applications: Lotus Notes (Mail and Application), Lotus Smartsuite, including WordPro, Freelance Graphics, Approach, 1-2-3 spreadsheet. Microsoft Office Viewers, Adobe Acrobat reader, Netscape, Terminal emulation allowing access to JDE for procurement and Norton Antivirus.
[0155] 3. Tivoli for Hardware/Software configuration reporting, remote takeover support, availability monitoring and reporting.
[0156] 4. TCP/IP as the network I/O transport.
[0157] However, other commercially available products may be chosen and have basically the same effect, plus or minus some features, if this solution/architecture is followed without departing from the scope and spirit of the invention. Just as a piece of iron can be cast to perform many different unique tasks, so the basic technology tools can be forged to create multiple unique solutions from the same raw material.
[0158] Central to this architecture is the choice of PC Operating System (PCOS). The PCOS must provide:
[0159] 1. User Access/Authentication,
[0160] 2. User Security Profile Management,
[0161] 3. Application Management,
[0162] 4. Access to Network Based Services (Print, Name, Authentication, Configuration (DHCP) etc.),
[0163] 5. Access to high availability File Services,
[0164] 6. Full complement of TCP/IP protocol support,
[0165] 7. Ability to allow/deny access to resources located on the local PC based on the user profile,
[0166] 8. Not allow a user to over-ride the access authorisation, and
[0167] 9. Organisation Security Policy enforcement.
[0168] User Applications are standard with the customisation performed on the preferences to ensure consistent operation and integration into the LAN infrastructure. This pre-configuration also plays an important role in the overall deployment, installation and support of these products. Except where authorised, users are not allowed to modify these preferences or parameters.
[0169] Personal computers and Servers are preferably selected from standard, commercially available Intel-based products. Since data availability becomes critical in the embodiments of the invention, server construction plays a key role and is covered in a separate document.
[0170] FIG. 3 is a more detailed schematic diagram illustrating a thick/thin client computing architecture 300 in accordance with embodiments of the invention.
[0171] The process 4000 of FIG. 40 commences in step 4010. In step 4010, assets are ordered and scheduled on a master delivery schedule. In step 4012, assets are received and preferably signed for by two staff members. In step 4014, an asset manager preferably records the serial number and configuration into an asset database and then tags the PC 4016 as shown. The PC 4018 is then connected to the network for initial configuration. This is done via a floppy disk that is used to boot the personal computer. The asset is then checked to ensure that it is in the asset database. Based on the contents of the asset database, the proper base operating system (BOS) is loaded onto the PC's local hard drive, pre-configured applications are loaded, and a machine account is created in the NT domain. The build server 4022 provides the base operating system configurations, the pre-configured applications, and custom scripts and procedures for loading software. The asset database 4020 maintains records of the serial number, asset number, model number, and hardware and software configuration installed on the particular PC. Further, in this process, the asset is preferably signed for by a staff member. The desktop PCs are connected to the network, and the base operating system "lockeddown" environment prevents users from being able to install or modify certain software parameters, as shown in block 4034. With reference to block 4036, the base operating system and applications are stored locally on the PC's hard disk drive. Further, in block 4038, all user data and user profiles are stored on central servers. This allows a user environment and data to follow the user to whatever PC the person logs onto in the network. This results in maximum utilisation, flexibility and performance. The system also has multiple servers 4032 that provide network base services including: authentication, naming, mail, print, asset tracking and address administration. The multiple servers 4030 also provide user support including: mail, file and central application services. Central application services include such functions as: fax, budget, procurement, human resources, and other applications requiring a central depository and central distribution.
[0172] Benefits from implementing the solution/architecture of FIGS. 3 and 4 are as follows:
[0173] 1. Significant reduction in cost-of-support. This benefit is attributable to several reasons:
[0174] a) Since all PC's have a similar configuration, a hardware or software failure on one PC is not a high priority since the staff member may simply log onto another PC where their environment follows the staff member.
[0175] b) The staff member cannot install software, thereby damaging other installations already on the PC.
[0176] c) LAN bandwidth requirements are predictable.
[0177] d) Centralised logon scripts ensure ease of implementation for Moves, Adds or Changes. This scripting is done at 3 levels: Organisation, Division/Group and Individual. By maintaining this hierarchy, data access at various levels of the organisation can be provided easily. By standardisation of the environment naming, ease of training and staff communication is enabled. This authorised data access facilitates organisational standardisation, i.e.: common look and feel for all electronic documents, Workgroup Collaboration and Individual Configuration (e.g., favourite printers) and confidentiality. The data follows the user instead of the user following data on a particular PC.
[0178] 2. Fast Image Activation is ensured because an application image is stored on disk media local to the user.
[0179] 3. Predictable performance is ensured because the PC hardware CPU and Memory are similar throughout the organisation.
[0180] 4. The organisation's Intellectual Property is protected from loss due to fire, water, theft, component failure or acts of God since all user data is located on the file servers in a secure area. This user/organisational data is protected on the servers by:
[0181] a) Security Profiles that determine which users can access specific data;
[0182] b) Regular backups and off-site fire storage of all organisational data;
[0183] c) Server redundancy, including the use of Redundant Array of Inexpensive Disks (RAID), separation of Server Operating System from User Data both physically as well as logically, Redundant Power, UPS, Multiple Network Interface Cards (NICs) and dedicated IO Bandwidth for disk spindles; and
[0184] d) If a particular PC fails, is destroyed or is stolen, only the applications are on the PC while user data continues to be available from a server farm.
[0185] 5. Centralised authorisation with distributed authentication ensures that only properly authorised staff access the data they have been granted access to.
[0186] 6. Centralised logon scripting also enables calling of hardware/software configuration monitoring and reporting software. This enables asset tracking applications to be called thus ensuring up-to-date status of asset availability to the organisation. Conversely, lack of visibility within a pre-determined time period alerts the organisation to locate a particular PC in question.
[0187] 7. Information interchange is assured because the applications are all maintained at similar revision levels. Also no staff member can install their `favourite` application such as a spreadsheet, thereby creating organisational information interchange problems.
[0188] 8. Training is simplified because a standard software tool suite is maintained.
[0189] 9. Executive management is put back in charge of an organisation's direction. Costs are more predictable, conversion issues due to lack of knowledge are eliminated while improving the organisation's return on assets.
[0190] 10. The potential for virus infections from staff installing software is significantly reduced or eliminated altogether, and with it the associated costs of repair and lost organisation productivity.
[0191] 11. Capital costs are reduced since not all staff need be allocated a "Personal" Computer. Sharing physical hardware while maintaining a level of personalization permits an organisation to reduce capital expenditures for PC's while enabling their workforce with the needed tools and data to deliver the organisation's business.
[0192] 12. Centralised scripting further facilitates the distribution of software patches/bug-fixes while providing an entry point for calling overall software application installations or updates.
[0193] Demonstrated capabilities of an embodiment of the invention include:
[0194] 1. Information availability 99.3%.
[0195] 2. All services available greater than 99%.
[0196] 3. Call Centre `First Call` problem resolution rate greater than 80%.
[0197] 4. All customer Service Level Agreement measurements met or exceeded.
[0198] 5. Calls to Call Centre averaging approximately 1 call/user/month. Industry average indicates approximately 3-5 calls per user per month.
[0199] 6. Highest customer satisfaction rating for the longest period to date.
[0200] 7. Zero virus infections and as such, no resource expended cleaning/restoring `clean` environment or loss of productivity to the end customer due to lack of access to data.
[0201] 8. No un-recoverable data loss.
[0202] 9. Support costs, including overhead, of approximately $1000/year/seat typically, whereas industry averages researched by the Gartner Group indicate costs of approximately $3000/year/seat.
[0203] The Total Cost of Ownership and the cost of service delivery can be significantly reduced, while improving overall predictability and technology delivery to an organisation, if the unique methodology/architecture in accordance with the embodiments of the invention is implemented.
[0204] Science has the same basic elements available to it, yet from these basic elements many varied and unique combinations can be formed. Putting the same basic technology elements together in a predetermined and defined manner in accordance with the embodiments of the invention yields a unique environment with repeatable characteristics.
[0205] 3. Standardized Configuration of Workstations
[0206] 3.1 Overview
[0207] A Windows NT Workstation Standard in accordance with an embodiment of the invention enables large numbers of computers to have Windows NT installed and configured (or, when necessary, rebuilt) quickly and efficiently. In addition, the setup may cater for an organisation's policy of sharing desktop PCs. The installation strategy should offer maximum flexibility (on both the hardware and software sides), while at the same time keeping operator intervention to a bare minimum.
[0208] To achieve these objectives, a modular build process ties in with an Asset Database that is already in use at a site. Making the Asset Database the repository for all information about every machine's configuration offers a number of benefits:
[0209] Hardware and software information is collected in one central location.
[0210] Duplication and re-entry of data is avoided.
[0211] Non-standard machines can be tracked.
[0212] Reporting and reconciliation are simplified.
[0213] The Build process uses the asset database to decide what to install on a given machine.
[0214] Integrity between the database and what is actually on the machine is ensured.
[0215] Manual interaction during the build process is minimised.
[0216] Conceptually, the installation process involves:
[0217] 1. To start an installation, the operator inserts a network boot disk into the computer.
[0218] 2. The operator is prompted for the barcode of the machine.
[0219] 3. The operator is prompted to remove the disk.
[0220] 4. The installation proceeds without manual interaction, using information from the database.
[0221] At that point, the operator may continue to another machine, and start the same process there. Meanwhile, the automated installation does the following:
[0222] Uses the barcode to check the asset database record for this machine.
[0223] Identifies the brand, model and type number from the asset database based on the barcode.
[0224] Once the model is known, the system locates a BIOS upgrade for this model and applies the BIOS upgrade.
[0225] Partitions and formats the hard disk(s) (unless the database specifies otherwise).
[0226] Windows NT is installed.
[0227] The database is queried for network card information, and relevant drivers are loaded.
[0228] Display drivers are also loaded as per the asset database.
[0229] A computer account is created in the domain and the machine joins the domain.
[0230] If the computer is a Laptop, ThinkPad Features (and--if relevant--Mwave) are loaded. Due to the mobile nature of a laptop computer (e.g., a ThinkPad), a different build is required on this type of hardware. Since the laptop is often operated while disconnected from the main network (Local Area Network or LAN), a modem can be provided for dial-up connectivity. "MWAVE" is an example of a modem that can be used; MWAVE is an IBM internal modem that can be used with a ThinkPad.
[0231] The database dictates what (if any) custom application set gets loaded onto the machine.
[0232] `Standard` software such as Tivoli and the Service Pack is installed.
[0233] Security is implemented on the workstation, both for the file system and the Windows registry.
[0234] The time taken for the installation varies depending on factors such as the application set selected, workstation hardware, and network load. Typically, a complete installation takes about 1 hour.
[0235] Ten or twelve machines can safely be installed at the same time without negatively affecting performance, but any number of installations can be initiated at once. Any excess is simply placed in a "holding queue" from which the installations are progressively released as other machines complete their builds.
[0236] Throughout the installation process, a number of logfiles are written to the server. At the end of the installation, an alert is sent across the network to the person that initiated the build, advising that person that it has completed.
[0237] 3.2 Supported Hardware
[0238] Minimum Hardware Requirements
[0239] The following hardware configuration is a minimum that an organization might select for running a Windows NT workstation.
[0240] Although the following specifications are well above what is considered the minimum requirements by Microsoft, the perceived performance depends on a number of factors. For example, a person that uses a machine for Computer Aided Design (CAD) or Desktop Publishing (DTP) work is more likely to raise concerns over performance issues than someone who is simply using a terminal emulation package.
[0241] Processor Speed
[0242] An Intel Pentium (or faster) processor is recommended.
[0243] RAM
[0244] Sixty-four MB RAM is preferably the minimum standard for desktop and laptop models. Greater memory requirements may be necessary for specialized applications, such as Adobe Photoshop(TM).
[0245] Hard Disk Size
[0246] For desktops, the recommended minimum hard disk size is at least 3.0 GB. For laptops, the requirements may be increased to cater for H: and S: network drives being local.
[0247] Supported Models
[0248] Within an organization's environment, many different models of hardware may exist prior to a migration to Windows NT. Due to the minimum hardware requirements specified, the number of unique models can be reduced, but there may still be around a dozen common configurations.
[0249] Set out below are the supported models, on both the desktop and laptop sides, together with brief descriptions of each, with which the embodiments of the invention are preferably implemented.
[0250] Manufacturers (e.g. IBM) regularly manufacture more than one `model` while still using the same `model number` (e.g. `760 ED` or `300 GL`). Thus, it is important to identify machines by the type number (see sample ThinkPad label) rather than model designation. All the following model numbers are in respect of IBM products. However, the same principles would apply to products by other manufacturers without departing from the scope and spirit of the invention.
[0251] Desktops
[0252] PC 300GL with CD
[0253] The PC300 GL is the most common model within the environment of the preferred embodiment of the invention. This model has a P200 MMX processor and 32 MB of RAM standard and may include a CD-ROM. Memory should be increased to 64 MB.
[0254] PC 300GL without CD
[0255] This model makes up the bulk of the desktop stock in accordance with the preferred embodiment. These are identical to model PC 300GL, except that this model does not include the CD-ROM.
[0256] PC 300PL
[0257] Only a small number of models of this type are used in the preferred embodiment.
[0258] PC 350
[0259] Preferably only a small number of these models are used, as they have P200 processors.
[0260] PC 365 with SCSI
[0261] These machines are preferably used for CAD and DTP applications. The machines have Pentium Pro-200 processors and typically substantial amounts (64 MB or more) of RAM. In addition, the machines preferably have SCSI interfaces as well as SCSI hard disks, which contribute to improved performance.
[0262] PC 365 without SCSI
[0263] The PC365 is very similar to the PC365 model mentioned above. However, this model does not include SCSI.
[0264] P75
[0265] These 3 models are all older style Pentium-75 based machines, which have been upgraded with larger drives and more memory to provide reasonable performance. Although listed as 3 separate models, the models are essentially identical. The different type numbers indicate that the models were supplied with different drive sizes and operating systems.
[0266] P100
[0267] Similar to the P75 models, but based on a Pentium-100 processor.
[0268] Laptops
[0269] Although there may not be quite as many types of laptops as desktops in use by an organization typically, there may still be some variety.
[0270] In the embodiment of the invention, older ThinkPad 750- and 755-series models, which may use 486-series CPUs, have been replaced with Pentium-based ThinkPads from the 760- or 765-series.
[0271] Four primary types of IBM ThinkPads are preferably used. Further, laptops with 48 MB of RAM have generally adequate performance.
[0272] 765D
[0273] This is a common model of the ThinkPad range used in the embodiments of the invention and typically has 48 MB of RAM and a PCMCIA modem. The memory should be increased to at least 64 MB.
[0274] 760ED (XGA Version)
[0275] Although somewhat older, the performance of this model is adequate. These machines may have an optional Telephony Adaptor for Mwave, but some utilise card-modems of various brands and types. This model is the 2nd most common ThinkPad utilized in the embodiment of the invention (roughly 20 machines of this type in use).
[0276] 760E
[0277] This model is essentially a 760ED without the CD-ROM. Only a handful of these are used.
[0278] 760XD
[0279] The 760XD is quite similar to the 760E/ED, and a little bit faster. Only one or two are used.
[0280] 560-series
[0281] ThinkPad 560's may also be used if the machines have been upgraded. The machines can be tested and included in the standard.
[0282] Supported Network Cards
[0283] A number of different network cards were in use in the embodiment prior to the NT migration. Although there may be some variety, new machines all come with a `standard` card. In addition, a number of commonly occurring older cards have been identified as `preferred` and included as options in the build.
[0284] ISA Network Cards for Desktops
[0285] Although all of the following ISA cards may use the same DOS-level drivers (and thus can use the same boot disk), the individual card type must still be selected in the Asset Database for the NT installation to be successful.
[0286] IBM Token Ring Autowake
[0287] All new desktop machines are preferably supplied with the IBM ISA Autowake card. As the name implies, this card supports the auto-wake on LAN feature, but for this to work, the relevant cables must be correctly connected. This card is sometimes identified as IBMTOK5, and that is the driver which must be selected for the card to work correctly.
[0288] IBM Token Ring 16/4
[0289] This is an older type of network card, which exists in a number of variants. Although the exact shape of the card varies considerably between revisions, most of the cards are visually similar to the IBM Token Ring Autowake Card. However, there is a newer release of this card, which may tend to cause a bit of confusion.
[0290] The principal difference between the cards is that there is nowhere to connect any autowake cables on this model. All of the Auto 16/4 ISA cards should--regardless of the physical layout and size of the card--be able to use the IBMTOK4 drivers.
[0291] PCMCIA Network Cards for Laptops
[0292] Just as there are different network cards used on the desktops, there are a number of different PCMCIA network cards used on the Laptops.
[0293] IBM Token Ring Turbo 16/4 (PCMCIA)
[0294] The Turbo 16/4 PCMCIA card is commonly supplied with Laptops. The card can be distinguished by "Turbo 16/4" being printed in Green letters over a reflective background. This card actually looks rather similar to the older style `Auto` card, but uses completely different NT drivers. In addition, the network cable is not quite the same. This card is identified in the asset database as `T16PCM`.
[0295] IBM Token Ring Auto 16/4 (PCMCIA)
[0296] The Auto 16/4 PCMCIA card is often used on older Laptops. In addition, this card is sometimes supplied with new machines (typically in case the `preferred` model is out of stock). This card looks very similar to the newer style `Turbo` card, but uses completely different NT drivers. As mentioned above, the network cable is somewhat different. If the cable does not fit, connection between the cable and card should not be forced. In the Asset Database, this card is referred to as the `A16PCM`.
[0297] Please note that although these two cards may appear similar (and use the same DOS-drivers), they are different. If the wrong type is selected in the asset database, NT may not be able to install and configure the drivers.
[0298] IBM Turbo 10/100 Ethernet (PCMCIA)
[0299] The Turbo Ethernet Card is currently the most common network interface card utilized on laptops. While this card physically appears similar to the Token Ring cards, a different cable is required and a different set of drivers is necessary for it to function properly in the laptop.
[0300] 3.3 Supported Software
[0301] There is a considerable variety of software used within an organization's environment in accordance with the preferred embodiment of the invention.
[0302] Software Build Options
[0303] A number of applications are considered `standard` and get installed on every machine. This application set is known as the `BASE` build. In addition, other application sets are also available. These other application sets are normally based on the common `BASE` application set, with custom additions.
[0304] Table 1 briefly lists the contents of each build set in accordance with the preferred embodiment.
TABLE 1
BASE Software Build       Lotus Smartsuite 97
                          Organiser 97 GS
                          Lotus Notes 4.6
                          IBM Antivirus v3.0
                          IBM Personal Communications v4.1
                          Trim 4.1
                          DB2 5.0
                          JD Edwards 7.3 (aka GUI-400)
ABC Software Build        All BASE software
                          Flowcharter v7.0
TRAINING Software Build   All BASE software
                          Pace training package
CAD Software Build        All BASE software
                          Microstation
                          Photoshop v4.0
                          Adobe Type Manager & Custom Fonts
DTP Software Build        All BASE software
                          Photoshop v4.0
                          Adobe Illustrator
                          Quark Xpress v4.0
                          Acrobat Reader 3.0
                          Adobe Type Manager & Custom Fonts
[0305] The foregoing is merely an example of the types of software that may be used in one or more builds. Different software may be used without departing from the scope and spirit of the invention. In addition to the above `regular` builds, two `special` builds warrant further discussion. First, there is a `Laptop` build, which is designed for Laptops. Preferably all laptops of the preferred embodiment are built with this software combination. Attempting to load other builds on a laptop is not supported. Secondly, a `Support` build has been created for the convenience of onsite staff. This contains all the software that is on the client machine, but has a few additions that are designed to simplify matters for support staff.
TABLE 2
LAPTOP Software Build     All BASE software
                          Acrobat Reader 3.0
                          IP Dialler (aka IGN)
                          Xerox Textbridge
                          Suretrak
                          Winzip
SUPPORT Software Build    All BASE software
                          DPU
                          Technet
                          NT Server tools
                          VM session
                          IP Dialler (aka IGN)
                          Flowcharter
[0306] Again, different software may be practiced without departing from the scope and spirit of the invention.
[0307] Non-Standard Software
[0308] If any combination of software is requested that is not available as part of a standard software build option, the matter should be referred to a Site Manager, who may authorise the addition of further (non-standard) software on a given machine. Should this be necessary, it becomes especially important to ensure that the Asset Database accurately reflects the configuration of the machine.
[0309] 3.4 Asset Database
[0310] A central database or "asset database" acts as the central repository of all information relevant to the configuration of each of the machines. For example, the database contains information about hardware configurations, making it easy to identify all machines with, say, a particular network card or hard disk size. In addition, the asset database provides information about the software that is installed on a machine. Last, but not least, this database is used by the build process to install various software, depending on what is selected in the database. For example, device drivers for network cards and display interfaces are loaded based on the selections in the database. Similarly, the database also controls the selection of application software that is installed on the client workstation.
[0311] Features and Benefits
[0312] The Asset Database offers a number of important benefits, the key ones being that the Asset Database:
[0313] acts as a Central Asset repository,
[0314] avoids duplication or re-entry of data,
[0315] tracks non-standard machines,
[0316] simplifies reporting, and
[0317] provides information that the build process uses to decide what to install on a machine.
[0318] Usage
[0319] During the installation, a build process communicates with the asset database, but this is typically transparent to the operator.
[0320] Help Desk staff should familiarise themselves with the information available in the database (and its layout) as such staff may from time to time be required to verify that current entries are correct. Network card settings are probably the one item that is regularly used by Help Desk staff. However, maintenance of the Asset Database should generally be the responsibility of the Asset Manager.
[0321] Selecting a Build Option in the Database
[0322] Before building a machine, the asset database needs to be up to date. Normally, all required hardware-related fields are already filled in as part of the regular asset control procedures. Software options may not be known in advance, so before a machine gets built, one should confirm that--at a minimum--the software selected is appropriate and relevant to the ultimate user of the machine.
[0323] FIG. 4 is a screenshot of a Microsoft Access Summary window 400 illustrating a configuration of a personal computer from the database.
[0324] If a machine is being re-built, there is not normally a need to change anything in the database. However, if the machine is to be delivered to another user, or has had hardware upgraded or replaced, the user should ensure that the database contains the correct information before starting the installation. If the site manager has authorised that a machine be setup with non-standard software, it would normally be based on one of the standard builds. Once the `base` software has been loaded, further software may be installed manually. In such a case, the `non-standard` checkbox in the database should be utilised together with the `Other Information` field to provide a detailed record of how the machine is configured.
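As an added illustration (not code from the patent), the checks below model the `validates the selected settings` step of the build process against an asset database record: the network card identifier must belong to the machine's form factor, a laptop must take the `Laptop` build, a non-standard machine must carry an `Other Information` entry, and a valid build option is expanded into the application list of Tables 1 and 2. The record layout, field names and type numbers are assumptions.

```python
from dataclasses import dataclass

# Build sets from Tables 1 and 2; every non-BASE set inherits all BASE software.
BUILDS = {
    "BASE": ["Lotus Smartsuite 97", "Organiser 97 GS", "Lotus Notes 4.6",
             "IBM Antivirus v3.0", "IBM Personal Communications v4.1",
             "Trim 4.1", "DB2 5.0", "JD Edwards 7.3 (aka GUI-400)"],
    "ABC": ["Flowcharter v7.0"],
    "TRAINING": ["Pace training package"],
    "CAD": ["Microstation", "Photoshop v4.0", "Adobe Type Manager & Custom Fonts"],
    "DTP": ["Photoshop v4.0", "Adobe Illustrator", "Quark Xpress v4.0",
            "Acrobat Reader 3.0", "Adobe Type Manager & Custom Fonts"],
    "LAPTOP": ["Acrobat Reader 3.0", "IP Dialler (aka IGN)", "Xerox Textbridge",
               "Suretrak", "Winzip"],
    "SUPPORT": ["DPU", "Technet", "NT Server tools", "VM session",
                "IP Dialler (aka IGN)", "Flowcharter"],
}

# Asset database card identifiers named in the text -> (form factor, description).
# The NT driver to load is the identifier itself (e.g. IBMTOK5 for the Autowake card).
CARDS = {
    "IBMTOK5": ("desktop", "IBM Token Ring Autowake (ISA)"),
    "IBMTOK4": ("desktop", "IBM Token Ring Auto 16/4 (ISA)"),
    "T16PCM": ("laptop", "IBM Token Ring Turbo 16/4 (PCMCIA)"),
    "A16PCM": ("laptop", "IBM Token Ring Auto 16/4 (PCMCIA)"),
}


@dataclass
class AssetRecord:
    """Assumed subset of an asset database record (field names are not from the page)."""
    barcode: str
    type_number: str          # machines are identified by type number, not model
    form_factor: str          # "desktop" or "laptop"
    network_card: str         # key of CARDS
    build: str                # key of BUILDS
    non_standard: bool = False
    other_information: str = ""


def validate(rec):
    """Return a list of problems; an empty list means the build may proceed."""
    problems = []
    if rec.form_factor not in ("desktop", "laptop"):
        problems.append(f"unknown form factor {rec.form_factor!r}")
    card = CARDS.get(rec.network_card)
    if card is None:
        problems.append(f"unknown network card id {rec.network_card!r}")
    elif card[0] != rec.form_factor:
        # Wrong card type in the database means NT cannot configure the driver.
        problems.append(f"{rec.network_card} is a {card[0]} card, "
                        f"record says {rec.form_factor}")
    if rec.build not in BUILDS:
        problems.append(f"unknown build option {rec.build!r}")
    elif rec.form_factor == "laptop" and rec.build != "LAPTOP":
        problems.append("laptops must use the LAPTOP build")
    elif rec.form_factor == "desktop" and rec.build == "LAPTOP":
        problems.append("LAPTOP build is only for laptops")
    if rec.non_standard and not rec.other_information.strip():
        problems.append("non-standard machine has no Other Information entry")
    return problems


def application_list(build):
    """Expand a build option into the full application set, BASE software first."""
    apps = list(BUILDS["BASE"])
    if build != "BASE":
        apps += BUILDS[build]
    return apps


def build_plan(rec):
    """Driver and application set the build process would use for a valid record."""
    problems = validate(rec)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "barcode": rec.barcode,
        "nt_driver": rec.network_card,
        "card": CARDS[rec.network_card][1],
        "applications": application_list(rec.build),
    }


if __name__ == "__main__":
    # Constructed records: one correct desktop, one laptop with two database errors.
    ok = AssetRecord("M10001", "TYPE-A", "desktop", "IBMTOK5", "CAD")
    bad = AssetRecord("M10002", "TYPE-B", "laptop", "IBMTOK4", "CAD")
    print(build_plan(ok))
    print(validate(bad))
```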
[0325] Maintenance
[0326] The asset database is normally managed by an on-site asset manager. Anyone involved in the build process should understand what the various options are and do. This way, unnecessary rebuilds due to miscommunication are minimised.
[0327] 3.5 Boot Disks
[0328] The creation and use of network boot disks are now described. The boot disks are necessary to connect to the network and start the installation of NT to a client machine.
[0329] Creation
[0330] The tool which is used to create the network boot disk is called MAKEDISK. MAKEDISK is a computer script program utilized to build/create a bootable floppy disk. This disk enables a "virgin" computer to boot and is given enough intelligence to load files over the network. This capability allows an operating system to be loaded onto the hard disk drive and installed locally on the virgin desktop computer. FIGS. 19A-10D illustrate an example of a makedisk.bat file.
[0331] Running Makedisk
[0332] MAKEDISK can be run by anyone that needs to create a network boot disk and has sufficient access rights to the network. Typically, the person that actually ends up using the diskette creates the diskette, but it may also be done by a supervisor or administrator. There are two ways of starting makedisk (the one that is most appropriate at any given time may be used):
[0333] While booting from an existing boot disk, simply wait for the barcode prompt to come up. Then, instead of entering a Barcode, type MAKEDISK and press enter.
[0334] Alternatively, the program can be run from within Windows NT, either by running it from a DOS prompt or by clicking on the icon for the file. The program's name and location is I:\SCRIPTS\IMAGE\MAKEDISK.
[0335] FIG. 5 is a screenshot 500 of the text prompt for the makedisk command. At this stage, the name of the login id that `owns` this boot disk is typed. 0-accounts must not be used, as this would compromise security. This architecture utilizes a convention whereby a "0" is added to the beginning of an account ID. The "0" account is preferably a domain privileged account, which the login script parses and bypasses all login scripting. This bypass prevents certain profile information from being loaded onto the client system when a domain administrator logs onto the client to perform any required software or hardware maintenance. Instead, a `normal` domain account is used that has been made a member of the `PC Installation Team` group. Under normal circumstances, the entire login script is desirably executed. A normal account is used to execute the entire login script so that all logging and configuration steps are accomplished.
[0336] Selecting the Network Card
[0337] Once a name has been entered, another prompt presents the user with the available network cards as options.
[0338] Preferably there are only 2 choices:
[0339] `Autowake ISA` or `Auto 16/4 ISA`, which is used for any of the supported network cards for desktop machines.
[0340] `Turbo 16 PCMCIA` or `Auto 16 PCMCIA`, which is used for any of the supported Laptop network cards.
[0341] Once the card-type has been selected, the boot disk is automatically created. FIG. 6 is a screenshot 600 illustrating the text interface displayed during this process.
[0342] Although the boot-disks can use identical drivers for multiple cards, the same does not apply to Windows NT. The exact card (e.g. IBMTOK4 or IBMTOK5) must be selected in the asset database when building a machine, even though the same bootdisk may work for both of these cards.
[0343] Technical Details
[0344] The process of preparing the boot disk takes approximately 3 or 4 minutes. The reason that it takes so long is that MAKEDISK.BAT has to FORMAT the disk, then make sure that it is bootable. The diskette also has to be modified so that the diskette can be used as an IBM BIOS upgrade disk. Finally, the network files have to be copied down to the disk and configured with a unique computer (machine) name. In addition, the disk is personalised and logfiles tracking the process are written to the server.
[0345] Labelling
[0346] Once the diskette is ready, the operator is presented with a suggested labelling layout 700, for example, as shown in FIG. 7. Users are encouraged to label their diskettes in a manner similar to this one, so that different diskette versions and owners can be readily identified.
[0347] Duplication
[0348] At this point, the operator may choose to create further boot disks. If desired, one can create multiple boot disks for a particular user. Even if the disks are used at the same time, the disks still work (since the disks are unique). Conversely, please note that simply running DISKCOPY or a similar command only provides a backup copy of the disk; a DISKCOPY'd boot disk cannot be used at the same time as a `real` one, as the copy does not have a unique computer or machine name, etc.
[0349] Usage
[0350] First Time
[0351] The first time that a boot disk is used, the operator is prompted to `validate` the boot disk. The operator does this by typing (and then re-confirming) his or her password. This process ensures that the person actually using the boot disk is the same person that the disk was created for. This helps to ensure the integrity of the system in relation to security in general and logfile creation in particular.
[0352] Normal Usage
[0353] During general usage, the process is straightforward. To start an installation, the operator:
[0354] 1. Inserts the Boot Disk
[0355] 2. Enters the barcode when prompted
[0356] 3. Removes the boot disk when prompted (this should happen within a couple of minutes).
[0357] Although the build may take an hour or more, the bootdisk may immediately be used for other machines.
[0358] Security
[0359] Once the operator has validated the boot disk, the disk effectively becomes a `key` to the installation and is to be treated as such. In other words, once validated, the boot disks contain network authentication information, which is another reason why the disks need to be treated responsibly. In particular, keys (disks) are personal and should not be lent. If a boot disk is lost, that operator's domain password should be changed to render the diskette invalid. The installation requires the operator to be a member of the `PC Installation Team` group on the domain before the boot disks can be used.
[0360] It is recommended that any accounts that are made members of this group and issued with network boot disks have only `user` rights, so as to minimise unnecessary security exposure.
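The following is an added model (not the patent's MAKEDISK or logon script) of the boot disk rules in this section: MAKEDISK refuses 0-accounts and non-members of `PC Installation Team`, each disk gets a unique machine name, first use binds the disk to its owner by password confirmation, a changed domain password invalidates the disk, and a DISKCOPY'd duplicate cannot be used at the same time as the original. The credential scheme (PBKDF2-derived key, HMAC over the machine name) is an assumption chosen to show why a password change revokes the disk; account names and passwords are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

INSTALL_GROUP = "PC Installation Team"


def _password_key(password, salt):
    # Key derived from the domain password; stands in for the account's
    # stored credential (assumption, not the NT domain's actual scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class DomainAccount:
    name: str
    salt: bytes
    key: bytes
    groups: set


class Domain:
    """Minimal stand-in for the NT domain: accounts, passwords, group membership."""

    def __init__(self):
        self.accounts = {}

    def add_account(self, name, password, groups):
        salt = secrets.token_bytes(16)
        self.accounts[name] = DomainAccount(name, salt,
                                            _password_key(password, salt), set(groups))

    def change_password(self, name, new_password):
        # A new salt and key: every credential derived from the old key stops matching.
        acct = self.accounts[name]
        acct.salt = secrets.token_bytes(16)
        acct.key = _password_key(new_password, acct.salt)


@dataclass
class BootDisk:
    owner: str
    machine_name: str        # unique per disk; a DISKCOPY'd duplicate shares it
    card_type: str
    version: str
    credential: bytes = b""  # empty until the first-use validation


def make_disk(domain, owner, card_type, version, serial):
    """MAKEDISK equivalent: enforce the ownership rules and personalise the disk."""
    if owner.startswith("0"):
        raise PermissionError("0-accounts must not own boot disks")
    acct = domain.accounts.get(owner)
    if acct is None or INSTALL_GROUP not in acct.groups:
        raise PermissionError(f"{owner} is not a member of {INSTALL_GROUP}")
    return BootDisk(owner, f"BOOT{serial:04d}", card_type, version)


def validate_disk(domain, disk, password, confirm):
    """First use: the owner types and re-confirms the password, binding the disk to the account."""
    if password != confirm:
        raise ValueError("password confirmation does not match")
    acct = domain.accounts[disk.owner]
    if not hmac.compare_digest(_password_key(password, acct.salt), acct.key):
        raise PermissionError("password does not match the disk owner's account")
    disk.credential = hmac.new(acct.key, disk.machine_name.encode(), "sha256").digest()


def disk_accepted(domain, disk):
    """Server-side check at boot: the disk credential must match the owner's current key."""
    if not disk.credential:
        return False
    acct = domain.accounts[disk.owner]
    expected = hmac.new(acct.key, disk.machine_name.encode(), "sha256").digest()
    return hmac.compare_digest(disk.credential, expected)


def begin_build(domain, disk, active):
    """Admit a disk to a build; a duplicate sharing the machine name is refused while the original is in use."""
    if not disk_accepted(domain, disk):
        raise PermissionError("boot disk not validated, or the owner's password has changed")
    if disk.machine_name in active:
        raise RuntimeError(f"{disk.machine_name} is already connected; duplicate disk?")
    active.add(disk.machine_name)


def end_build(disk, active):
    """Release the machine name once the build has finished with the disk."""
    active.discard(disk.machine_name)
```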
[0361] 3.6 The Build Process
[0362] Installation Process--Overview
[0363] The installation process consists of a number of automated stages, where necessary separated by automatic reboots. Throughout these processes, feedback is provided to the operator(s) through screen output, logfiles and alert messages. The installation process may be considered from either a `physical` or a `logical` perspective, and it may be useful to compare and contrast the two. The various reboots are highly visible parts of the installation, and the installation sequence is therefore summarised hereinafter reboot by reboot.
[0364] Physical Sequence
[0365] 1st Floppy Boot
[0366] Connects to the network (using a computername from the bootdisk).
[0367] Synchronises time with the server.
[0368] Prompts the operator for the barcode of the machine.
[0369] Checks the Asset database and validates the selected settings.
[0370] Loads updated BIOS (if available).
[0371] FDISKs and FORMATs the hard disk.
[0372] Reboots the machine.
[0373] 2nd Floppy Boot:
[0374] Connects to the network (using the above computername).
[0375] Copies minimal network files to the client machine (and configures them).
[0376] Prompts the operator to remove the boot diskette.
[0377] At this point, the operator may leave and the bootup-disk can be used for another machine.
[0378] Reboots the machine.
[0379] 1st Hard Disk Boot:
[0380] Connects to the network (using the barcode as a computername).
[0381] Starts an unattended NT installation.
[0382] Configures the network card using information from the asset database.
[0383] Configures the display driver (also using information from the asset database).
[0384] Reboots the machine.
[0385] 2nd Hard Disk Boot:
[0386] Logs on to the local machine.
[0387] Creates a computer account on the domain.
[0388] Brings the machine into the domain.
[0389] Maps a temporary network drive to the server.
[0390] Installs any applications (e.g. ThinkPad Features) that need to be installed using the actual `Administrator` account.
[0391] Reboots the machine.
[0392] 3rd Hard Disk Boot:
[0393] Logs on to the domain.
[0394] Installs applications as per the asset database record.
[0395] Installs `standard` software, e.g. Tivoli.
[0396] Installs the Service Pack (and any applicable hotfixes).
[0397] Updates the master logfile to provide a record of what machines have been built.
[0398] Sends an alert to the person that started the build, advising that the build has now completed.
[0399] Shuts down the machine.
[0400] Logical Sequence
[0401] In comparison to the `physical` sequence described hereinbefore, the `logical` sequence of events during an installation is much more structured, as shown in Table 3.
TABLE 3
Booting from the diskette
Automatic preparation of the machine
    Loading BIOS updates
    Partitioning & formatting the drive
Automatic Installation of the Operating System
    Windows NT
    Network Drivers
    Display Drivers
    Joining the Domain
Automatic Modifications to the Registry
    Swap file size
    Logon Bitmap
    Wallpaper
    Packet Size
Automatic Installation of Applications
    Applications are loaded as per the asset database
    `Standard` system software (e.g. Tivoli)
    NT Service Pack
[0402] In Table 3, automatic preparation of the machine involves loading BIOS updates and partitioning and formatting a hard disk drive, for example. Similar comments apply to automatic installation of the operating system and automatic modifications to the Registry.
[0403] With regard to automatic installation of applications, applications are loaded in accordance with the asset database, including standard system software and an NT service pack, for example. This is the process step whereby the asset database is read, the products destined for the specific asset are determined, and installation of the applications on the hard disk drive of the destination PC is performed.
[0404] 3.7 Feedback
[0405] While a machine is being built, various types of feedback are provided for the convenience of operators and administrators. This feedback takes the form of Courtesy Alerts, Logfiles, and--sometimes--simple screen output.
[0406] Courtesy Alerts
[0407] Once an installation has been completed, an alert message 800 as shown in FIG. 8 is sent to `interested parties`. The message looks similar to the one shown in FIG. 8 and may be sent to the following accounts:
[0408] (1) The operator that initiated the build is the primary recipient of the message;
[0409] (2) However, since the operator is possibly back at his or her desk and is logged on using a 0-account (i.e. the admin account) rather than the `user` account that was used for the build process, a message is also sent to the corresponding 0-account; and
[0410] (3) In addition, messages are sent to listed build administrators.
[0411] Logfiles
[0412] At the end of the installation, a master logfile is updated as a summary of what machines have been installed. This is in addition to the individual (and rather comprehensive) log file which is continuously updated throughout the build of each machine. Other activities that are tracked through logfiles include the installation of `unusual` applications (e.g. Photoshop, Flowcharter, etc.), that have their own application specific logfiles in order to simplify auditing and licence management. Similarly, Boot Disk creation is tracked through the bootdisk.log file.
[0413] MASTER.LOG
[0414] For each machine that is built, a summary line is created in MASTER.LOG 900, containing a timestamp, the barcode of the machine, and the name of the operator that installed this machine as shown in FIG. 9A.
[0415] BOOTDISK.LOG
[0416] As a boot disk is being created, BOOTDISK.LOG 950 is updated to identify who created a bootdisk for whom. In addition, the version number and the type of network card(s) that this disk is intended for are logged as shown in FIG. 9B. This information is collected both for troubleshooting purposes and to allow prompt replacement of any boot disks if a new version is released.
[0417] Mxxxxx.LOG
[0418] For each machine that is built, a detailed logfile 1000 is also created. The name of this file is Mxxxxx.LOG, where xxxxx is the barcode of the machine in question. As can be seen from the sample shown in FIGS. 10A-10C, the level of detail in this file is quite high.
[0419] Application Logfiles
[0420] From a licensing point of view, perhaps the most important logfiles of all are those that relate to a particularly `expensive` product. Examples that fit into this category include applications such as Quark Xpress or Adobe Photoshop. The format of such a logfile can be seen from the extract from the PHOTOSHOP.LOG file 1100 shown in FIG. 11.
[0421] 3.8 Server Setup
[0422] Certain aspects of the server configuration affect the workstation clients. The most visible influence is the drive letters that are used for various network drives. These are generally allocated through the logon scripts, which also handle printer assignments. Finally, system policies also affect the look and feel of the client machine.
[0423] Drive Mappings
[0424] A number of network drives are mapped for almost all client machines. The logon scripts generally control these mappings. However, some of the mappings that are used on the laptops point to `virtual` drives that are local to the workstation. Such mappings are necessary to ensure that the machine behaves consistently regardless of whether the machine is on or off the network. The primary reason for this setup is to simplify the setup of Lotus Notes, since Lotus Notes can now be configured the `same` for both laptops and desktops. The common drive letters that are preferably used are as follows:
[0425] G: drive
[0426] This is the `Group` drive, which is used by a department or similar work group to share data.
[0427] P: drive
[0428] The P: drive is (historically) the `Applications` drive.
[0429] S: drive
[0430] This drive is available for the entire organisation, and contains common items like Smartsuite templates, etc. A local version of this drive is used for laptops.
[0431] H: drive
[0432] This is the user's home directory, which typically resides on the server. A local version of this drive is used for laptops. Synchronising laptop data to a server (if desired) becomes the responsibility of the user, which requires a manual process.
[0433] Logon Scripts
[0434] A number of login scripts are used by an organisation in accordance with the preferred embodiment. Firstly, there is a common script, which is run by `everyone`, followed by smaller (often departmental) modules that handle group drives and printer mappings. In addition, provision exists for users to have individual modules on their H: drives. Preferably, this is done for the Lotus Approach application that handles non-standard printer selections in the preferred embodiment.
[0435] Login scripts are well known, as is their function. Such scripts are important for how user profiles are mapped to groups and subsequently follow an individual from PC to PC in the preferred embodiment. The scripts perform many tasks at each logon, such as:
[0436] (1) mapping favourite/group printers to a user upon logon,
[0437] (2) setting the time (based on an atomic clock sync connection on the time server),
[0438] (3) mapping network drives,
[0439] (4) spelling dictionary updates and the like, and simple application installations and updates (e.g. fonts).
[0440] COMMON.CMD
[0441] This is a common script, which is run by `everyone`. This script sets up common drive mappings and synchronises the time between the client and the server. An example of this script is shown in FIG. 17A-17C.
[0442] LAPTOP.CMD
[0443] This is a minor variation of COMMON.CMD and is used on the laptops. The primary difference between the two is that LAPTOP.CMD does not attempt to map S: and H: drives. Instead, these drives are mapped from the laptop itself as the laptop boots up.
[0444] Group-Specific Modules (e.g. TECHNOLOGY.CMD)
[0445] Each group or department in an organization often requires a custom login script. When applicable, any unique settings that are required by a group can be kept in a separate module. This avoids duplication of data and simplifies maintenance. Such logon script modules are normally named after the department, e.g. `TECHNOLOGY.CMD` and take care of printer mappings and group drives. FIG. 18 illustrates an example of such a technology.cmd.
[0446] User-Specific PRINTERS.CMD on H:
[0447] An additional login script module is created on a user's H: drive if the user makes use of the custom printer mappings tool. If such a file exists, the script module is called from the main COMMON.CMD script.
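An added illustrative COMMON.CMD skeleton combining the pieces described above; it is not the script shown in FIG. 17A-17C. The server and share names, the NETLOGON location of the department modules and the DEPT environment variable are assumptions made for this example.

```batch
@echo off
REM COMMON.CMD -- illustrative example only, not the patent's own script.
REM Server names (FILESRV, TIMESRV), share names and the DEPT variable
REM are assumptions for this example.
setlocal

REM Common drive mappings: G: group, P: applications, S: organisation-wide,
REM H: the user's home directory (the only place user data is stored).
REM /PERSISTENT:NO so mappings do not survive the session and are always
REM re-established from this script; stale mappings are removed first.
REM LAPTOP.CMD is the same except that S: and H: are not mapped here,
REM because the laptop maps them to local `virtual` drives at boot.
for %%D in (G P S H) do net use %%D: /delete >nul 2>&1
net use G: \\FILESRV\GROUP /PERSISTENT:NO
net use P: \\FILESRV\APPS /PERSISTENT:NO
net use S: \\FILESRV\COMMON /PERSISTENT:NO
net use H: \\FILESRV\HOME\%USERNAME% /PERSISTENT:NO

REM Synchronise the client clock with the time server (which is itself
REM synchronised to an atomic clock source).
net time \\TIMESRV /SET /YES

REM Department module named after the department, e.g. TECHNOLOGY.CMD,
REM which handles printer mappings and group drives. Only called if it
REM exists, so a missing module does not break the logon.
if defined DEPT if exist "%LOGONSERVER%\NETLOGON\%DEPT%.CMD" call "%LOGONSERVER%\NETLOGON\%DEPT%.CMD"

REM User-specific PRINTERS.CMD on H:, present only if the user created one
REM with the custom printer mappings tool.
if exist H:\PRINTERS.CMD call H:\PRINTERS.CMD

endlocal
```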
[0448] System Policies
[0449] The final component of the server setup that affects the client workstations is System Policies. Policies are used to control a number of things that affect both the look and feel of the client machine, as well as what the user can and cannot do. In the preferred embodiment there is a common policy for all of an organization's desktop users. For historical reasons, this policy is named `PolTrain` in the preferred embodiment, and all desktop users should be members of this Policy Group. Laptop users should not be members of this group, as it would interfere with the operation of their machines. The POLTRAIN policy preferably controls the following:
[0450] Disables Desktop Icons
[0451] All desktop icons are hidden, so as to provide a `clean` interface that is less likely to distract the users.
[0452] Maps Start Menu To `Default User`
[0453] The start menu is mapped to a known location for all users. This further helps in reducing the clutter as the `all users` part of the menu is no longer necessary.
[0454] Forces Background Wallpaper
[0455] Predetermined images or patterns appear as the background desktop wallpaper.
[0456] Disables Last User Name
[0457] For security reasons, the last logged on user's name is not displayed in the logon dialog box.
[0458] The system policy is a powerful tool, the setup of which has been carefully tuned and tested to provide optimal results for an organization's environment in the preferred embodiment. Due to the interaction and delicate balance between login scripts, applications, the registry and System Policies, changes to the system policies are not recommended, as such changes are likely to result in disruption of service.
[0459] 3.9 Ongoing Support
[0460] Issues that may assist Help Desk staff with day to day operations are described hereinafter. In the preferred embodiment, a `static` environment is provided, with no changes to the client software once deployed. In addition, only a small, fixed number of `non-standard` machines is allowed, and the definition of `non-standard` is quite strict.
[0461] Modularity
[0462] The standard environment of the preferred embodiment is designed to be modular. This ensures that the sections of code that relate to a particular product can easily be replaced when a new version of the product is released, or even if a product is removed, added, or substituted altogether. However, this does not necessarily mean that a section of code can be used standalone. There are still unavoidable interdependencies between modules.
[0463] Remote Management
[0464] TME (`Tivoli`) is the product preferably used to provide remote management for the environment of the preferred embodiment. However, a lot of functionality is possible even without reliance on Tivoli. Also, other software similar in function may be used without departing from the scope and spirit of the invention.
[0465] Using Tivoli
[0466] Tivoli is used for Remote Control, Hardware and Software inventory, and Software Distribution.
[0467] Manually
[0468] If Tivoli is not available, remote management may still be done. For example, login scripts can interrogate VERSION.BAT to see what is installed on the machine (or the drive can be searched directly). VERSION.BAT is a script, part of the Tivoli application, that checks a broad list of possible software applications, identifies which of them are installed and determines the version number of each. As a contingency, to support applications that may not be functioning properly or to test specific module functions, scripts may be called and executed manually. Help Desk staff with sufficient access rights can simply do a NET USE to a remote machine, and control things that way, either manually or through a batch file.
[0469] Modifications of the Build
[0470] Modifications to the build can be preferably coordinated through a Standard Operating Environment Group. However, Onsite Support may perform minor modifications to the login scripts (that do not affect the build process) in conjunction with Central LAN Management (CLM), as long as formal change control procedures are followed.
[0471] 3.10 Technical Reference
[0472] Application Reference
[0473] This section lists brief descriptions of all the applications that are known to be in use in the organization of the preferred embodiment under the Windows NT standard. Any relevant information about the application, including how the application is configured is included. In addition, non-standard applications are identified.
[0474] Lotus Smartsuite 97
[0475] Lotus Smartsuite is preferably used for WordProcessing (WordPro), Spreadsheets (Lotus 123), and databases (Approach). All modules are installed, with the exception of ScreenCam and Organiser. Due to the modularity of the NT standard, shipping a new version of a product is not a problem. Existing machines can be preferably upgraded using the Software Distribution tools available in Tivoli, or--as a backup plan--by using Logon scripts.
[0476] Lotus Notes 4.6
[0477] Lotus Notes is the standard email client of the preferred embodiment. In addition, this product is used to access various bulletin boards with company `public` information. A dial-up connection can be offered, where users can dial into the Notes server.
[0478] DB2
[0479] The DB2 client is used to provide a connection using TCP/IP to the TRIM database.
[0480] Trim 4.1
[0481] Trim (currently version 4.1) is preferably used to access an in-house document database. This application can be installed on all machines.
[0482] As the configuration of the Trim server has changed over time (new box, new name, new operating system, new protocol), any previously configured Trim workstations may have to be reconfigured for the application to work. However, any machines built naturally have the most up to date Trim configuration automatically loaded as part of the build process.
[0483] Norton Anti-Virus
[0484] Preferably, Norton Anti-virus is utilised. Alternatively, IBM Anti-Virus can be installed on the client. IBM AV suppor