Tag Archives: Windows

SCOM – SQL Management Pack Configuration

SCOM is a bastard of a product, isn’t it? It’s even more so¬†when you’re trying to monitor a SQL instance or two. It’s also quite amusing that Chrome doesn’t recognise SCOM as a word in its dictionary and that it suggests SCAM as a possible word ūüôā

My major project at work for the past few months has been SCOM. I am monitoring about 300 Windows VMs, about a third of which have a SQL database instances on them. I’ve kept with using the LocalSystem account as the SCOM action account and for the majority of the time, that’s enough. However, there have been a few times where it hasn’t been enough. It’s always a permissions issue, the LocalSystem account doesn’t have access to one or more of the databases so the discovery and monitoring scripts can’t run and you get a myriad of alerts.

When it comes to adding a management pack into SCOM,¬†always read the damn documentation that comes with the MP. I know it’s tedious but it’s necessary. Reading the documentation for the SQL Management pack found at Microsoft’s website¬†gives you some interesting recommendations. They suggest that you have three action accounts for SQL:

  1. A discovery account
  2. A default action account
  3. A monitoring account

They also recommend that you put the monitoring and discovery account into an additional AD group. Once you do that, you have to add the users to SQL, assign them specific permissions to databases, give them access to parts of the Windows registry, assign them permissions to various WMI namespaces, grant them local logon privileges and more. I’m not going to go over the whole process, if you really want to see it look at Microsoft’s documentation.

The point is, it’s a lot of work. Wouldn’t it be nice if we could automate it? Well, I’ve written a script that does precisely that. It’s a big one:


Function Set-WmiNamespaceSecurity
{
[cmdletbinding()]
Param ( [parameter(Mandatory=$true,Position=0)][string] $namespace,
[parameter(Mandatory=$true,Position=1)][string] $operation,
[parameter(Mandatory=$true,Position=2)][string] $account,
[parameter(Position=3)][string[]] $permissions = $null,
[bool] $allowInherit = $false,
[bool] $deny = $false,
[string] $computerName = ".",
[System.Management.Automation.PSCredential] $credential = $null)

Process {
#$ErrorActionPreference = "Stop"

Function Get-AccessMaskFromPermission($permissions) {
$WBEM_ENABLE = 1
$WBEM_METHOD_EXECUTE = 2
$WBEM_FULL_WRITE_REP = 4
$WBEM_PARTIAL_WRITE_REP = 8
$WBEM_WRITE_PROVIDER = 0x10
$WBEM_REMOTE_ACCESS = 0x20
$WBEM_RIGHT_SUBSCRIBE = 0x40
$WBEM_RIGHT_PUBLISH = 0x80
$READ_CONTROL = 0x20000
$WRITE_DAC = 0x40000

$WBEM_RIGHTS_FLAGS = $WBEM_ENABLE,$WBEM_METHOD_EXECUTE,$WBEM_FULL_WRITE_REP,`
$WBEM_PARTIAL_WRITE_REP,$WBEM_WRITE_PROVIDER,$WBEM_REMOTE_ACCESS,`
$READ_CONTROL,$WRITE_DAC
$WBEM_RIGHTS_STRINGS = "Enable","MethodExecute","FullWrite","PartialWrite",`
"ProviderWrite","RemoteAccess","ReadSecurity","WriteSecurity"

$permissionTable = @{}

for ($i = 0; $i -lt $WBEM_RIGHTS_FLAGS.Length; $i++) {
$permissionTable.Add($WBEM_RIGHTS_STRINGS[$i].ToLower(), $WBEM_RIGHTS_FLAGS[$i])
}

$accessMask = 0

foreach ($permission in $permissions) {
if (-not $permissionTable.ContainsKey($permission.ToLower())) {
throw "Unknown permission: $permission`nValid permissions: $($permissionTable.Keys)"
}
$accessMask += $permissionTable[$permission.ToLower()]
}

$accessMask
}

if ($PSBoundParameters.ContainsKey("Credential")) {
$remoteparams = @{ComputerName=$computer;Credential=$credential}
} else {
$remoteparams = @{ComputerName=$computerName}
}

$invokeparams = @{Namespace=$namespace;Path="__systemsecurity=@"} + $remoteParams

$output = Invoke-WmiMethod @invokeparams -Name GetSecurityDescriptor
if ($output.ReturnValue -ne 0) {
throw "GetSecurityDescriptor failed: $($output.ReturnValue)"
}

$acl = $output.Descriptor
$OBJECT_INHERIT_ACE_FLAG = 0x1
$CONTAINER_INHERIT_ACE_FLAG = 0x2

$computerName = (Get-WmiObject @remoteparams Win32_ComputerSystem).Name

if ($account.Contains('\')) {
$domainaccount = $account.Split('\')
$domain = $domainaccount[0]
if (($domain -eq ".") -or ($domain -eq "BUILTIN")) {
$domain = $computerName
}
$accountname = $domainaccount[1]
} elseif ($account.Contains('@')) {
$domainaccount = $account.Split('@')
$domain = $domainaccount[1].Split('.')[0]
$accountname = $domainaccount[0]
} else {
$domain = $computerName
$accountname = $account
}

$getparams = @{Class="Win32_Account";Filter="Domain='$domain' and Name='$accountname'"}

$win32account = Get-WmiObject @getparams

if ($win32account -eq $null) {
throw "Account was not found: $account"
}

switch ($operation) {
"add" {
if ($permissions -eq $null) {
throw "-Permissions must be specified for an add operation"
}
$accessMask = Get-AccessMaskFromPermission($permissions)

$ace = (New-Object System.Management.ManagementClass("win32_Ace")).CreateInstance()
$ace.AccessMask = $accessMask
if ($allowInherit) {
$ace.AceFlags = $OBJECT_INHERIT_ACE_FLAG + $CONTAINER_INHERIT_ACE_FLAG
} else {
$ace.AceFlags = 0
}

$trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()
$trustee.SidString = $win32account.Sid
$ace.Trustee = $trustee

$ACCESS_ALLOWED_ACE_TYPE = 0x0
$ACCESS_DENIED_ACE_TYPE = 0x1

if ($deny) {
$ace.AceType = $ACCESS_DENIED_ACE_TYPE
} else {
$ace.AceType = $ACCESS_ALLOWED_ACE_TYPE
}

$acl.DACL += $ace.psobject.immediateBaseObject
}

"delete" {
if ($permissions -ne $null) {
throw "Permissions cannot be specified for a delete operation"
}

[System.Management.ManagementBaseObject[]]$newDACL = @()
foreach ($ace in $acl.DACL) {
if ($ace.Trustee.SidString -ne $win32account.Sid) {
$newDACL += $ace.psobject.immediateBaseObject
}
}

$acl.DACL = $newDACL.psobject.immediateBaseObject
}

default {
throw "Unknown operation: $operation`nAllowed operations: add delete"
}
}

$setparams = @{Name="SetSecurityDescriptor";ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams

$output = Invoke-WmiMethod @setparams
if ($output.ReturnValue -ne 0) {
throw "SetSecurityDescriptor failed: $($output.ReturnValue)"
}
}
}

Function Add-DomainUserToLocalGroup
{
[cmdletBinding()]
Param(
[Parameter(Mandatory=$True)]
[string]$computer,
[Parameter(Mandatory=$True)]
[string]$group,
[Parameter(Mandatory=$True)]
[string]$domain,
[Parameter(Mandatory=$True)]
[string]$user
)
$de = [ADSI]‚ÄúWinNT://$computer/$Group,group‚ÄĚ
$de.psbase.Invoke(‚ÄúAdd‚ÄĚ,([ADSI]‚ÄúWinNT://$domain/$user‚ÄĚ).path)
} #end function Add-DomainUserToLocalGroup

Function Add-UserToLocalLogon
{
[cmdletBinding()]
Param(
[Parameter(Mandatory=$True)]
[string]$UserSID
)
$tmp = [System.IO.Path]::GetTempFileName()
secedit.exe /export /cfg "$($tmp)"
$c = Get-Content -Path $tmp
$currentSetting = ""

foreach($s in $c) {
if( $s -like "SeInteractiveLogonRight*") {
$x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
$currentSetting = $x[1].Trim()
}
}

if( $currentSetting -notlike "*$($UserSID)*" ) {
if( [string]::IsNullOrEmpty($currentSetting) ) {
$currentSetting = "*$($UserSID)"
} else {
$currentSetting = "*$($UserSID),$($currentSetting)"
}

$outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $($currentSetting)
"@

$tmp2 = [System.IO.Path]::GetTempFileName()

$outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force

Push-Location (Split-Path $tmp2)

try {
secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS

} finally {
Pop-Location
}
}
}

#Set Global Variables

$Default_Action_Account = "om_aa_sql_da"
$Discovery_Action_Account = "om_aa_sql_disc"
$Monitoring_Action_Account = "om_aa_sql_mon"
$LowPrivGroup = "SQLMPLowPriv"

$WindowsDomain = "Intranet"
#Add users to local groups

Add-DomainUserToLocalGroup -computer $env:COMPUTERNAME -group "Performance Monitor Users" -user $Monitoring_Action_Account -domain $WindowsDomain
Add-DomainUserToLocalGroup -computer $env:COMPUTERNAME -group "Performance Monitor Users" -user $Default_Action_Account -domain $WindowsDomain
Add-DomainUserToLocalGroup -computer $env:COMPUTERNAME -group "Event Log Readers" -user $Monitoring_Action_Account -domain $WindowsDomain
Add-DomainUserToLocalGroup -computer $env:COMPUTERNAME -group "Event Log Readers" -user $Default_Action_Account -domain $WindowsDomain
Add-DomainUserToLocalGroup -computer $env:COMPUTERNAME -group "Users" -user $LowPrivGroup -domain $WindowsDomain
Add-DomainUserToLocalGroup -computer $env:COMPUTERNAME -group "Users" -user $Default_Action_Account -domain $WindowsDomain
#
#AD SIDs for Default Action Account user and Low Priv group - required for adding users to local groups and for service security settings.

#Define SIDs for Default Action and Low Priv group. To get a SID, use the following command:
#Get-ADUser -identity [user] | select SID
#and
#Get-ADGroup -identity [group] | select SID
#Those commands are part of the AD management pack which is why they're not in this script, I can't assume that this script is being run on a DC or on
#a machine with the AD management shell installed
#>

$SQLDASID = "S-1-5-21-949506055-860247811-1542849698-1419242"
$SQLMPLowPrivsid = "S-1-5-21-949506055-860247811-1542849698-1419239"

Add-UserToLocalLogon -UserSID $SQLDASID
Add-UserToLocalLogon -UserSID $SQLMPLowPrivsid

#Set WMI Namespace Security

Set-WmiNamespaceSecurity root add $WindowsDomain\$Default_Action_Account MethodExecute,Enable,RemoteAccess,Readsecurity
Set-WmiNamespaceSecurity root\cimv2 add $WindowsDomain\$Default_Action_Account MethodExecute,Enable,RemoteAccess,Readsecurity
Set-WmiNamespaceSecurity root\default add $WindowsDomain\$Default_Action_Account MethodExecute,Enable,RemoteAccess,Readsecurity
if (Get-WMIObject -class __Namespace -namespace root\microsoft\sqlserver -filter "name='ComputerManagement10'") {
Set-WmiNamespaceSecurity root\Microsoft\SqlServer\ComputerManagement10 add $WindowsDomain\$Default_Action_Account MethodExecute,Enable,RemoteAccess,Readsecurity }
if (Get-WMIObject -class __Namespace -namespace root\microsoft\sqlserver -filter "name='ComputerManagement11'") {
Set-WmiNamespaceSecurity root\Microsoft\SqlServer\ComputerManagement11 add $WindowsDomain\$Default_Action_Account MethodExecute,Enable,RemoteAccess,Readsecurity }

Set-WmiNamespaceSecurity root add $WindowsDomain\$LowPrivGroup MethodExecute,Enable,RemoteAccess,Readsecurity
Set-WmiNamespaceSecurity root\cimv2 add $WindowsDomain\$LowPrivGroup MethodExecute,Enable,RemoteAccess,Readsecurity
Set-WmiNamespaceSecurity root\default add $WindowsDomain\$LowPrivGroup MethodExecute,Enable,RemoteAccess,Readsecurity
if (Get-WMIObject -class __Namespace -namespace root\microsoft\sqlserver -filter "name='ComputerManagement10'") {
Set-WmiNamespaceSecurity root\Microsoft\SqlServer\ComputerManagement10 add $WindowsDomain\$LowPrivGroup MethodExecute,Enable,RemoteAccess,Readsecurity }
if (Get-WMIObject -class __Namespace -namespace root\microsoft\sqlserver -filter "name='ComputerManagement11'") {
Set-WmiNamespaceSecurity root\Microsoft\SqlServer\ComputerManagement11 add $WindowsDomain\$LowPrivGroup MethodExecute,Enable,RemoteAccess,Readsecurity }

#Set Registry Permissions

$acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule ("$($WindowsDomain)\$($Default_Action_Account)","readkey","ContainerInherit","None","Allow")
$acl.SetAccessRule($Rule)
$acl | Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$acl = $null
$acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule ("$($WindowsDomain)\$($LowPrivGroup)","readkey","ContainerInherit","None","Allow")
$acl.SetAccessRule($Rule)
$acl | Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$acl = $null

$SQLInstances = Get-ChildItem 'registry::hklm\SOFTWARE\Microsoft\Microsoft SQL Server' | ForEach-Object {Get-ItemProperty $_.pspath } | Where-Object {$_.pspath -like "*MSSQL1*" }

$SQLInstances | Foreach {
$acl = Get-Acl "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.PSChildName)\MSSQLSERVER\Parameters"
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule ("$($WindowsDomain)\$($LowPrivGroup)","readkey","ContainerInherit","None","Allow")
$acl.SetAccessRule($Rule)
$acl | Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.PSChildName)\MSSQLSERVER\Parameters"
$acl = $null

$acl = Get-Acl "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.PSChildName)\MSSQLSERVER\Parameters"
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule ("$($WindowsDomain)\$($Default_Action_Account)","readkey","ContainerInherit","None","Allow")
$acl.SetAccessRule($Rule)
$acl | Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.PSChildName)\MSSQLSERVER\Parameters"
$acl = $null

}

#Set SQL Permissions

#Get SQL Version
if ($SQLInstances.Count -eq $null) {

$version = Get-ItemProperty "registry::HKLM\Software\Microsoft\Microsoft SQL Server\$($SQLInstances.PSChildName)\MSSQLSERVER\CurrentVersion"

} else {

$version = Get-ItemProperty "registry::HKLM\Software\Microsoft\Microsoft SQL Server\$($SQLInstances[0].PSChildName)\MSSQLSERVER\CurrentVersion"

}
#Import appropriate SQL PowerShell module

if ($version.CurrentVersion -ge 11) {
#Import SQL 2012 Module
Import-Module sqlps
#change out of sql context
c:
} else {
#Add SQL 2008 Snap-in
Add-PSSnapin SqlServerCmdletSnapin100
Add-PSSnapin SqlServerProviderSnapin100
}

#Create database users and assign permissions

$CreateDatabaseUsers = "use master
go

create login [$($WindowsDomain)\$($LowPrivGroup)] from windows
go

grant view server state to [$($WindowsDomain)\$($LowPrivGroup)]
grant view any definition to [$($WindowsDomain)\$($LowPrivGroup)]
grant view any database to [$($WindowsDomain)\$($LowPrivGroup)]
grant select on sys.database_mirroring_witnesses to [$($WindowsDomain)\$($LowPrivGroup)]
go

create login [$($WindowsDomain)\$($Default_Action_Account)] from windows
go

grant view server state to [$($WindowsDomain)\$($Default_Action_Account)]
grant view any definition to [$($WindowsDomain)\$($Default_Action_Account)]
grant view any database to [$($WindowsDomain)\$($Default_Action_Account)]
grant alter any database to [$($WindowsDomain)\$($Default_Action_Account)]
grant select on sys.database_mirroring_witnesses to [$($WindowsDomain)\$($Default_Action_Account)]
go"

#Generate query to assign users and permissions to databases
$DatabaseUsers1 = "SELECT 'use ' + name + ' ;'
+ char(13) + char(10)
+ 'create user [$($WindowsDomain)\$($LowPrivGroup)] FROM login [$($WindowsDomain)\$($LowPrivGroup)];'
+ char(13) + char(10) + 'go' + char(13) + char(10)
FROM sys.databases WHERE database_id = 1 OR database_id >= 3
UNION
SELECT 'use msdb; exec sp_addrolemember @rolename=''SQLAgentReaderRole'', @membername=''$($WindowsDomain)\$($LowPrivGroup)'''
+ char(13) + char(10) + 'go' + char(13) + char(10)
UNION
SELECT 'use msdb; exec sp_addrolemember @rolename=''PolicyAdministratorRole'', @membername=''$($WindowsDomain)\$($LowPrivGroup)'''
+ char(13) + char(10) + 'go' + char(13) + char(10)
"

$DatabaseUsers2 = "SELECT 'use ' + name + ' ;'
+ char(13) + char(10)
+ 'create user [$($WindowsDomain)\$($Default_Action_Account)] FROM login [$($WindowsDomain)\$($Default_Action_Account)];'
+ 'exec sp_addrolemember @rolename=''db_owner'', @membername=''$($WindowsDomain)\$($Default_Action_Account)'';'
+ 'grant alter to [$($WindowsDomain)\$($Default_Action_Account)];'
+ char(13) + char(10) + 'go' + char(13) + char(10)
FROM sys.databases WHERE database_id = 1 OR database_id >= 3
UNION
SELECT 'use msdb; exec sp_addrolemember @rolename=''SQLAgentReaderRole'', @membername=''$($WindowsDomain)\$($Default_Action_Account)'''
+ char(13) + char(10) + 'go' + char(13) + char(10)
UNION
SELECT 'use msdb; exec sp_addrolemember @rolename=''PolicyAdministratorRole'', @membername=''$($WindowsDomain)\$($Default_Action_Account)'''
+ char(13) + char(10) + 'go' + char(13) + char(10)
"

#
$SQLInstances | Foreach {
if ($_.PSChildName.split('.')[-1] -eq "MSSQLSERVER") {
$InstanceName = $env:COMPUTERNAME
} else {
$InstanceName = "$($env:COMPUTERNAME)\$($_.PSChildName.split('.')[-1])" }

Invoke-Sqlcmd -ServerInstance $InstanceName $CreateDatabaseUsers
$Provision1 = Invoke-Sqlcmd -ServerInstance $InstanceName $DatabaseUsers1
$Provision2 = Invoke-Sqlcmd -ServerInstance $InstanceName $DatabaseUsers2

$Provision1 | foreach {
Invoke-Sqlcmd -ServerInstance $InstanceName $_.ItemArray[0]
}
$Provision2 | foreach {
Invoke-Sqlcmd -ServerInstance $InstanceName $_.ItemArray[0]
}
}

#Grant Default Action account rights to start and stop SQL Services

$SQLServices = Get-Service -DisplayName "*SQL*"

$SQLServices | Foreach {
& c:\windows\system32\sc.exe sdset $_.Name D`:`(A`;`;GRRPWP`;`;`;$($SQLDASID)`)`(A`;`;CCLCSWRPWPDTLOCRRC`;`;`;SY`)`(A`;`;CCDCLCSWRPWPDTLOCRSDRCWDWO`;`;`;BA`)`(A`;`;CCLCSWLOCRRC`;`;`;IU`)`(A`;`;CCLCSWLOCRRC`;`;`;SU`)`S`:`(AU`;FA`;CCDCLCSWRPWPDTLOCRSDRCWDWO`;`;`;WD`)
}

There are huge swathes of this script that I can not take credit for, mostly the functions.

The SetWMINameSpaceSecurity function was pilfered directly from here:¬†https://live.paloaltonetworks.com/t5/Management-Articles/PowerShell-Script-for-setting-WMI-Permissions-for-User-ID/ta-p/53646. I got it from Palo Alto’s website but it appears to have been written by Microsoft themselves

The Add-DomainUserToLocalGroup function was stolen from the Hey, Scripting Guy! Blog, found here: https://blogs.technet.microsoft.com/heyscriptingguy/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group/

The Add-UserToLocalLogon function was lifted wholesale from here: https://ikarstein.wordpress.com/2012/10/12/powershell-script-to-add-account-to-allow-logon-locally-privilege-on-local-security-policy/

The rest, however, is all mine which you can probably tell from the quality of the code. You will need to change some variables from line 223 to match your environment. That said, it works and that’s all I care about. Enjoy!

Sigh, sometimes, software can be too bloody clever for its own good. The Code Block module that I’m using isn’t doing a very good job of formatting this script and it’s replaced some characters such as &, < and > with their HTML equivalents. I¬†think I’ve weeded them all out but I may not have. If not, let me know.

The Grand(ish) Experiment – Two weeks in

It’s been two weeks since I started using the Dell tablet in anger. You may be wondering where the promised updates have gone. Well, here’s one.

I think that the biggest question that I needed to answer was “Can one of these tablets cope as my primary workstation?”. The answer to that is an unequivocal “Yes”. I have been¬†using a Dell Venue 11 Pro 7139. This tablet¬†has a dual core 1.6GHz Core i5, 4GB RAM and a 128GB SSD in there. It is more powerful than a significant portion of the desktop machines in our college and frankly, I would be shocked if it couldn’t. The only thing I’d really want from it would be some more RAM, 4GB is a bit tight these days; sometimes the tablet would freeze while¬†I was using certain System Center components which can be a bit RAM hungry.

The dock that we received was a revision A00 dock which appears to have some issues when using it with multiple monitors. You may recall in my last blog post that I mentioned that I was having difficultly getting a DisplayPort to DVI adapter to work and that I thought I would need an Active one instead. Well, I ordered an Active one and that didn’t work either. This should be a supported configuration. After a bit of research, I found out that that Dell have put out an A01 revision of this dock which fixes these issues. It looks like Dell still have a load of stock of the A00s as the order number on the box was from the end of November and it’s a complete lottery as to which revision you’ll get when you order one. We ordered ours from BT Business so maybe you’d have more luck if you ordered from Dell directly.

This aside, the dock still worked with the DisplayPort to VGA adapter that we ordered so I have been using that to connect my second monitor. This has been OK but there has been the odd occasion where the tablet “forgets” that there is a monitor attached after the displays or the tablet wakes up ¬†after going to sleep. Sometimes telling Windows to reactivate the display works, sometimes you need to undock and redock the tablet to force it to start working again. However, I don’t think that this will be an issue for the people who are going to end up using them as most of them won’t have two monitors attached.

The DPI difference between the tablet’s display and the external monitors has been a source of annoyance for me. Each time I undocked the tablet to use elsewhere, I ended up logging it off and back on so that the desktop was usable. When I redocked afterwards, again I logged off and on so that everything wasn’t massive. Again, I don’t know if a teacher would find this to be an issue.

As a point of interest, when the new Windows 10 build (9926) appeared, I installed it on another 7139 I had lying around and the same resolution issues were still there.

There are still a few things for me to test; I’ve not brought it home to try yet and I haven’t had the opportunity to take it to many meetings. I haven’t tried it in a classroom scenario with visualisers and interactive whiteboards either which is something I will need to do.

The next step is to give a dock and tablet to a teacher and see what they make of it!

The Grand(ish) Experiment, 1st day in

Just a quick post here. The docking stations and cables for the Dell Venues arrived today and I wanted to post my first impressions.

In terms of the hardware, it is surprisingly solid. It’s very weighty and feels like a quality piece of kit. Docking the tablet is easy, it goes smoothly in and out although I think it would be better if the dock had the guiding lugs like the keyboards have but with the docking station it’s just the dock connector that holds that tablet on. You can twist the tablet on the¬†connector a little which feels a bit scary when you first notice it.

The dock itself has three SuperSpeed USB 3 ports, an HDMI port, a DisplayPort and a USB 2.0 Fast Ethernet (100 megabit only) port. The tablet is charged by the dock when it’s plugged in.

We bought a DisplayPort to DVI and a DisplayPort to VGA adapter to go with it as well as an HDMI to DVI cable. The HDMI cable worked as expected but the DisplayPort to DVI cable didn’t. Looking further at the spec of the cable that we bought, it appears to be a passive adapter and for a passive adapter to work, the port needs to be a DisplayPort++ port and I don’t think the port on the is. I think we would need an Active adapter instead. The VGA adapter works though so I’ve been using that.

It all seems to work nicely but there is something of a quirk. The tablet has a 10.8″ 1080p screen. This means that it has a rather small dot pitch and to use the tablet’s desktop comfortably, you need to turn scaling on. When you plug the tablet into the dock with a standard DPI monitor attached to it, Windows attempts to run one level of scaling on one monitor and another on the other but this isn’t entirely successful. By the looks of it, Windows seems to run the screen at the scaling level of the main display¬†across all screens¬†but resizes and resamples the contents of the windows which are on the higher/lower DPI screen. This makes the contents of the windows look rather blurred. It also does strange things to the taskbar and the chrome of the windows, they are either really tiny or really large depending on which screen is nominated as your primary when you log on. I probably haven’t explained this very well, it’s quite hard to describe.

Otherwise it’s more or less like using a standard Windows 8.1 desktop. I will say it’s nice to have a third screen on which your email client and helpdesk can sit on their own while the “real” work stuff can sit on the other two.

Venue11Pro_keyboard-900-90

The Grand(ish) Experiment

There has been a lot of discussion at work recently about the future and how we’re going to embrace it. Specifically, a lot of the discussion has been around tablet computers and how the college is going to start using them.

There are a lot of people who hear the word “Tablet” and think “iPad”. This is understandable; while the iPad was far from the first tablet on the market, it was the first to really grab¬†the attention of the general public and it’s probably safe to say that it’s the best known brand of tablet out there.

We looked very hard at the iPad and we also looked very hard at various Android tablets, Windows RT tablets and even some full blown Intel Windows tablets. We bought some of each and have found some good uses for them. For example, our Security teams have cellular enabled Nexus 7 tablets with which they can log onto our MIS System and identify students and check to see if they should be in lessons or not. Our Music department have been using iPads as music sequencers. To my considerable surprise, there are even some people who like the Surface RT, a device that I absolutely loathe. For the most part, people seem to like them because they have a desktop, keyboard and mouse and that they can use them for remoting onto a terminal server relatively easily. In other words, it seems to me that they like them because they’re like thin and light laptops.

In the end, we, perhaps rather predictably, decided to attempt to standardise on¬†the full Windows tablets. This was because, primarily, iPads and the like are single user devices; the user “owns” the device, has their¬†email/apps/documents/settings on there and woe betide anyone else who wants to use it. That’s OK if you’re got the budget to buy 2500 devices and assign one per member of staff and student but not so good if you want to buy classroom sets and have different people use them. Yes, you can put Office on an iPad but to use it effectively and save your documents, you have to sign the Office apps into Office 365 and you have to remind people to log out of it when they’re finished. It would only be a matter of time before someone gets to data they shouldn’t be able to get at.

With a full Windows device, we can join it to the domain. Different people can log on to it¬†and get their own settings and documents. The device can be managed by standard management systems like ConfigMgr, KACE, Altiris or whatever else tickles your fancy. They can run standard Windows software on the desktop so you don’t have to get a whole load of new applications or retrain your users that much. Windows Enterprise has a very nifty feature called DirectAccess which acts as a transparent VPN connecting the user to the corporate network wherever they are as long as they have an internet connection. In addition, a lot of the Windows devices out there are “Hybrid” devices, they frequently come with or have optional keyboard docks so they convert into a almost standard laptop for when a user wants to do a lot of “conventional” work and despite the noise about the Modern environment, Windows is a good a tablet operating system as any other and it’s been improving steadily since Windows 8 first came onto the market. There is a lot of flexibility with Windows tablets¬†which I’ve come to appreciate since I’ve started looking at them.

Using Windows does bring its own set of disadvantages; the only way to get “Modern” (i.e. touch friendly, tablet enabled) applications is through the Windows¬†Store. The Windows¬†Store is somewhat behind Apple’s and Google’s in terms of number and usefulness of apps. In terms of manageability, it’s way behind Apple’s app store. At the moment, there is no way to bulk-buy apps from there.¬†Modern apps are installed in the User’s profile, not assigned to machines so anyone who wants a Modern app needs to either have a Microsoft account attached to their domain account or we need to obtain¬†a sideloading key and get unsigned AppX packages from software publishers to push out to machines. I haven’t looked much at the latter option as I suspect the amount of companies willing to do that can be counted on one hand.

Anyway, despite the disadvantages being presented by Windows 8.1 and the Modern interface, we decided to use Windows tablets. We looked at the lines from various manufacturers and settled on the Dell Venue range. It is¬†vast, it ranges from the small 8″ tablets going to 720p 10″ 32 ¬†bit Atom tablets to 1080p 64 bit Atoms to dual core Core Ms to Core i3s, i5s and i7s. You can get them with large amounts of storage and RAM. They also come with a standard range of accessories such as docking stations, keyboard docks, styluses and network cards. The styluses and NICs work with the entire range, the keyboards and the docking stations work with all of the 10″ tablets.¬†The other advantage of choosing Dell as a manufacturer is that for their corporate lines at least, they tend to standardise on parts and accessories for a number of years which is attractive if you need to support a device for¬†the long term.

So, we’ve selected our software platform and we’ve selected our hardware platform. The question has been, what exactly are we going to do with them? There have been various ideas proposed. The 8″ Venues are really nice devices, they perform relatively well for the spec, they’re light and they’re just the right size and weight to use in portrait mode and type on them. We’re considering using those as classroom machines to replace a load of god-awful Intel Classmate convertibles we bought a few years back. However, the idea that’s really caught the imagination¬†so far is to replace all of the teacher’s computers with them.

At the moment, our college has a desktop PC in each classroom attached to an interactive whiteboard, projector, monitor, sometimes a visualiser, a keyboard and mouse. Each department also has a staff workroom where the majority of teachers either have a dedicated PC for them to work on or a space for them to work on a¬†laptop issued to them by the college. The idea has been to issue a 10″ Venue to each member of staff, replace the classroom and workroom¬†PCs with docking stations for the Dell Venues and take the laptops off those who have them. The teacher could come in a the beginning of the day, dock their Venue at their desk and do some work. When it’s time for a class, they undock the tablet and go to their class. Once they’re in the class, they dock the tablet again and they’re connected to their whiteboard, projector, visualiser and any other equipment they need.¬†There would be no need for them to log in, they’d just wake the tablet up and unlock it. They would no longer be tied to a specific classroom if they need a special piece of software installed, they’d just take it around with them. With accessories like wireless projection systems such as WiDi or Miracast, they could have the interactive whiteboard software open on their tablet and wander around the room scribbling on their tablets with a stylus and still have what they’re working on displayed on the screen. They could go back to their desk and write on the whiteboard again. Then when they’ve finished the class, they could go back to their workroom, find a free space and dock again. If there is no free space, grab a keyboard dock and sit on an empty desk or a sofa. The idea has a lot of potential and the teachers that I’ve spoken to about it so far have seen the advantages.

So with this in mind, we have ordered some Dell tablets, one 7140 based on the Core M CPU and some refurbished 7139s based on a 1.6GHz Core i5. Both tablets have a 11″ 1080p screen, 4GB RAM and a 128GB SSD. We have ordered some Dell “Slim” tablet keyboards for them. We have also ordered and received a Dell “Mobile” tablet keyboard which is the same as the “Slim” except it has an additional battery in it and also a Folio keyboard. We have ordered a pair of docking stations and a couple of styluses. We want to give the idea a go with a few people and see how well it works.

So, what’s the big experiment you ask? Well, I think that it’s unfair that I hoist all of this stuff on teachers without trying it for myself first. I intend to use one of these tablets as my primary workstation for a couple of weeks and see how I get on. I’ll put the software that I need¬†on it and see how it copes. While my workflow¬†is completely¬†different to a¬†teacher’s, it’s probably reasonably safe to say that I put at least as much stress on a computer as a teacher does, possibly more. I’ll carry it around with me everywhere I go, take notes for any meetings that I go to on it and maybe even bring it home once or twice to see how well DirectAccess works. Then when I’ve done that, I’ll offload the setup onto someone else (possibly the college Principal, he’s expressed an interest and he’s one of the Surface RT proponents). I’ll write about my¬†experience on this blog. I’ll talk about how well it performs, the good bits, the bad bits and everything else besides. I have to admit, I’m actually quite looking forward to this.

 

 

%d bloggers like this: