Remote access scripting and automation tools are making life easier than ever for managed service providers and network administrators alike. Access to client PCs and servers from an outside location changes the landscape of the world of support for providers everywhere.
Along with all the potential for active support that remote access brings, the automated features stand out as well. Instead of needing to update settings or pass updates to each device individually, scripting and automation tools have the power to push these through without an active connection from a network technician.
PowerShell is a tool used to send many different types of automation commands from a central source. Group policy allows for broad settings changes on individual devices or across an entire network. Windows Server Update Services (WSUS for short) offers a way to organize and push out operating system updates in a controlled manner.
Here's an overview of the benefits of automated scripting and a breakdown of how each of these pieces work.
Table of Contents
Why You Need to Start Scripting?
Scripting has brought many different benefits to both network support personnel and end-users. Network administrators and managed service providers are able to get more work done than they would be able to do manually. They are also able to simplify processes. For their part, end users can limit downtime, because updates and settings changes can be pushed through at the most convenient times.
- Complete more tasks in less time. Manual processes involve support personnel connecting to each device individually and pushing through updates or making settings changes by hand. Thanks to remote scripting tools, these changes can be pushed to multiple devices at once. Rather than having to work off of each individual device, technicians can run all of these scripts from one central server.
- Uniformity throughout your network. Creating uniformity throughout your network guarantees easier troubleshooting and simplicity in shared information. Rather than have to trust technicians to complete the same processes in a uniform way over and over again, one script can execute identical commands on each of your devices so that uniformity is guaranteed throughout the network. Tools are also available to verify existing configurations.
- Off-hour unattended processing. Even when it’s scheduled, system downtime can seriously affect a business's performance. Scripting can be easily run at the most convenient times for a business, so that downtime is limited. Furthermore, scripts can be scheduled to run in advance. This way, there is no need for a technician to be available late into the night or on weekends to push scripts through.
Having remote access to individual devices is the first level of benefits of this technology. Being able to run scripts to automate processes takes things to a totally different level.
Powershell is a tool that can be used to send commands and tasks from a server to client PCs throughout a network. Powershell offers an array of different commands, providing a good amount of control to administrators. Following are some best practices for using PowerShell, and a few of the best commands to know.
As with any networking tool, there are a few different rules to follow to make sure that you are actively harnessing the effects of PowerShell. Here are three best practices to follow.
- Have a good understanding before you start. PowerShell is very powerful. It’s important to know what you are doing before you start writing or debugging PowerShell scripts. If you aren’t sure how to use PowerShell properly, enlist the help of someone who does.
- Use Get-Help as much as possible. This PowerShell command displays a list of options for each command in PowerShell. If you are stumped on how to use a command, Get-Help may be able to get you there.
- Add plenty of comments. When writing scripts to be run later, add plenty of comments so that others who may use your script later have a good understanding of what your script is meant to do. This way, a good script can be passed on and remain usable into the future.
This is just a start. Before diving too deep into writing PowerShell scripts, do some research so that you are able to get the most out of it.
PowerShell can be used in two different ways: Via written scripts, or via a command-line interface. When issuing commands directly from the command line, here are a few tools to use to make things simpler:
- Get-Service - Displays all of the services running on the desired machine, and their status.
- Get-EventLog - Displays the event log for the target machine. Helpful for researching or troubleshooting any issues that arise.
- Get-History - Displays all of the commands run during the current session. It also shows the status and runtime of each command.
- Copy-Item - Used for making copies of items. This command can be used for copying files and folders.
- Get-Content - Used for reading the content within files. Very useful if you need to find out what's in a specific document.
This is just a few of the many commands that can be used. It’s a good idea to have a good understanding of how most of the PowerShell commands work before utilizing it as a tool.
Group Policy offers administrators another way to make settings and configuration changes for the entire network off of a central server. Although this tool is most effective when managed through Active Directory, every Windows PC has its own Group Policy interface, which allows it to be used on individual computers as well.
Just like with PowerShell, there is a list of best practices to be used when working with Group Policy. If you are new to Group Policy, here’s a good place to start.
- Use descriptive names for policies that you create. Not only do you need to be able to remember what your policies were meant for - you need other administrators to have an understanding of each policy as well. Use names that will describe each policy’s purpose.
- Implement change policies throughout your organization. Have a written policy that is followed by all of the administrators on your network. Technicians should have an understanding of your policies so that everyone is on the same page.
- Make good backups before implementing changes. Group Policy is a powerful tool. If the wrong changes are made, entire operating systems could be corrupted. Make sure that everything is backed up properly before making any changes.
A common theme here is proper documentation and preparedness. Neither of these are overtly technical concepts. Common sense practices will help you now, and into the future.
Settings to Know
Administrators can use Group Policy to take greater control of the network that they administer. Here are the top settings changes to make the best use of the tools available.
- Lock down control panel access. You don’t want non-technical users to be able to access all of the settings that the Control Panel offers. Restrict access to only the control panel items that the users need.
- Force users to use secure passwords. Group Policy can be used to create password requirements to better secure your network. This includes policies for complexity and minimum password length.
- Disable the Guest account. The Guest account is a vulnerability on any PC. Although access to it is limited by default, it is still a gateway into the operating system. Group Policy can be used to disable access into this account.
- Disable command prompt access. Users who don't know what they are doing should not be granted access to the command prompt. So, in a general user environment, command prompt access should be disabled within Group Policy.
- Change the administrator account name. Hackers trying to access administrative levels of a PC will try to do so by logging in as the local administrator. To make this harder for them to do, you can use Group Policy to change the administrator account name. This way, infiltrators won't be able to log in without knowing this information first.
Group Policy is easier to figure out than PowerShell, but is equally as effective. Because of this, administrators should have a good understanding of the best practices and recommended settings changes.
WSUS, or Windows Server Update Services, is a service and software package designed to make update and patch distribution more manageable for administrators. Here is an overview of what WSUS is and some best practices for WSUS management.
What is WSUS?
Windows Server Update Services is typically run from a domain controller. WSUS is used to download and push all operating system updates from a central location. There are also a number of different features that it offers. Here’s what to know about it:
- It’s a central repository for updates. With WSUS, rather than having individual PCs downloading updates and using up valuable bandwidth, all of your updates can be downloaded to a central server and redistributed from there. This also means that updates can be kept uniform throughout your network.
- Schedule updates for the right times. Rather than running updates as they are discovered and slowing down the network during inconvenient times, updates can be scheduled for off-hours when network usage is at a minimum. Additionally, non-essential updates can be postponed until they have been tested thoroughly.
- Keep a record of the history of your updates for your entire network. Every once in a while, updates can go awry. It’s a good policy to keep a record of which updates cause issues. This way, it’s much easier to respond. If needed, update rollbacks can be managed from the WSUS interface as well.
WSUS may seem simple, but it is a powerful tool for administrators. Having control of the update services on your network is a great way to manage what’s going on with your network.
WSUS Best Practices
There are a number of best practices to consider with WSUS. Here are three of the most important.
- Push through security patches swiftly. While non-essential updates can be scheduled at times with limited network activity and after a little bit of testing has been completed, security updates work differently in some cases. Patching security holes is faster and more efficient than ever. Administrators will be able to trust that the most important updates have been pushed on to each and every device in their network.
- Decline all superseded updates. Sometimes, multiple updates are put out back-to-back, with one patching another’s mistake. WSUS gives administrators the option to bypass updates that have already been superceded - avoiding the potential of passing on bad updates to client devices.
- Take advantage of the WSUS Server Cleanup Wizard. As updates are downloaded to the server, space and resources are used. The WSUS Server Cleanup wizard is effective in deleting older updates from your system to free space and resources.
- WSUS best practices are a little easier to comprehend and follow compared to PowerShell and Group Policy. Because of this, WSUS is a great way for first-time administrators to start using remote automation tools to manage their network.
Remote access scripting and automation tools are a very effective way for network administrators and managed service providers to take control of their networks in an efficient manner. Reducing the amount of time and effort it takes to push out updates, issue commands, and change settings for network devices will in turn make network administration more cost-effective. When these cost savings are passed on to those managing and using the network, everyone benefits.