Re: At last, the big zamboni hits the playing field

["K. M. Peterson" <KMP@WI.MIT.EDU>]

Well, not to pour gasoline on the fire, but...

Strata Rose Chalup wrote:

> Microsoft is finally abandoning the zero administration lie.  A friend
> forwarded me a long and highly entertaining post about Windows 2000 and
> the new "datacenter" versions, high uptime, etc-- a post full of
> extremely precise language along the lines of "chocolate frosted sugar
> bombs belongs on the same table with any good breakfast".  The "yes!!!"
> moment came here, though:
>
> > To get the highest level of availability from any operating system,
> > including Windows, requires an IT environment built around sound
> > operating guidelines and staffed by well-trained employees.
>

Microsoft lies a lot, but I have to take issue with your comments about "Zero
Administration".  In the original announcement, Microsoft talked about a
"Zero Administration initiative" and the "Zero Administration Kit" (ZAK), but
the term "Zero Administration" refers to the _client_ (generally, WinNT
Workstation), not NT Server.  It's a framework with registry files and
scripts and a protocol that one could use to begin to develop a WinNT
Workstation environment that would not require administrative support.

How?  By making it almost impossible for a user to "break" the system -
securing the OS environment so that a user could not install software
applications, change system settings, or even see any object on the desktop
or Start Menu that wasn't explicitly approved.  IIRC, you could even set the
system to not allow the user to change their desktop background!  Working
under this level of control (which I call fascist mode) is untenable for
systems administrators, but if you're in a bank with 2000 WinNT boxes on your
teller and branch customer-service reps desks, you really _don't_ want them
monkeying with the things.

And that's the environment that this is meant for.  A fundamental thing that
we Unix SysAdmins take for granted is that we set up a box and don't give out
the root password and thus prevent people from erasing configuration files.
That's a good part of what the Zero Administration thing is about.  Microsoft
only promises that ZAK allows administrators to set up an environment to
lessen support costs by ensuring that any large number of boxes can be
deployed and remain virtually identical by locking out write access to files
and the registry (and even hiding files and directories) against end-users.

We use many of those disciplines here.  A lot of users don't like it, the
same way that they didn't like it when we took root away from those folks
using Unix workstations.  We're working now on a policy and framework to
allow "enhanced user access" to workstations where people are doing software
development, or need to install their own stuff and can (knowledgeably) take
responsibility for their own actions ... but in the meantime, for the most
part, things work well because people can't (easily) hose the machines on
their desk, and it isn't in their job descriptions to do Windows systems
administration.

The Microsoft salesdroids are probably ignorant, and that's Microsoft's
fault.  But the ZAK is a good place to start to try to get some reasonable
level of control in a large environment over systems folks having to clean up
other people's messes.

_KMP

--
K. M. Peterson                                  voice: +1 617 258 0927
Manager, Computer Operations Group
<mailto:KMP@WI.MIT.EDU>            <http://www-genome.wi.mit.edu/~kmp>
Whitehead Institute/MIT Center for Genome Research
320 Charles Street - Cambridge, MA  02141-2023    fax: +1 617 258 0903

(This email was written on a Mac in Netscape, and sent by sendmail 8.9 - no
Microsoft products used to produce this communication).