GroupWise School Admin Tips
Novell Cool Solutions: Trench
Posted: 10 Jul 2002
We asked our school system administrators to share their pet tips and tricks, and we got some nice nuggets from the school of hard knocks. These suggestions range from basic to advanced, but they're all tried and true by working professionals. No matter how basic an idea is, if it solves your problem, it's perfect.
You have one of the most challenging IT environments. As one of our readers recently observed, "Our educational site has about 2000 computers at 5 different sites (WAN), and we are currently maintaining 20 Novell servers, in one NDS. We also have strict work deadlines, and students and teachers are the most demanding users I have ever met."
Hope these ideas will help make your life easier...
And if you think of a tip you'd like to share, send it to email@example.com and you could see your name in lights.
- George Vogel NEW
- Allison Thompson NEW
- Jan van de Voort NEW
- Christian Lamsbach
- Susan Hope Dundas
- Wallace Frist
We have several hundred students coming through each year. Accounts get deleted at the end of the year. With that in mind several become part of our staff from time to time. They leave and come back a few weeks or months later, and want their old mail.
John Doe leaves our University to go work somewhere else. His account gets deleted. He decides, you know what the grass really isn't greener on the other side and comes back to work for us. I need my email back.
Jane Doe leaves the University. Account gets deleted. About a week later. Mike the director calls and says Jane had the budget in a shared folder. I've got to have it back!!!
All 3 of these scenarios leave you with restoring the PO and about 8 hours of lost time.
Nah, try this.
Get an old server or decent PC (if you can't afford a full blown server for this). Put a post office on it and call it let's say POX (x=expire)
To disable the account:
Next time a user leaves, split the NDS and GroupWise account and move the user (only if you have migrated to GroupWise 6) to that new post office (shared folder rights issues and proxy issues). When removing the GW attributes from the NDS account, remember to disable NDS, disable GW, and set the visibility to none and external sync to do not sync regardless.
To enable or get data back:
Whether it is 2 weeks or 2 months later, all you need to do is set the visibility back to system and the external sync, maybe reset the password, and move the user back to the original PO or access the account by blowing away the password.
And Voila! it took you a whole 5 minutes instead of 8 hours to restore that user or shared doc the director was looking for.
Now sit back and enjoy.
The PC does not have to be high end because you do not have massive connections hitting it, you only have 1 or 2 live users.
And if you want, about once a year you can purge the accounts. We are instating a 270 day data retention policy; when we disable the account we are noting the month in one of the fields.
Example: today is 4/1/2002 and nine months out is roughly 1/1/2003. In one of the fields put 1/03. Then each month you search for 5/02, 6/02... as time progresses, and when 1/03 hits for this user... purge that account. This way you can clean up after yourself over time. The only other method I figured was to create 2 POX's and clean each one up every six months.
We have a select group of students that needed to be in the GroupWise email system so teachers could send them stuff - but they did not have internet permission. Therefore they would not be allowed incoming or outgoing internet email.
So I created a separate post office for those students, went into the access control area of the GWIA object, created a new class of service called "internal only" and put just that one post office in it. Then I went to the SMTP tabs of that class of service and checked "prevent incoming/outgoing messages".
Now those students can participate in the class projects without sending or receiving internet email.
My tip is nothing more than a smart mixture of Novell and other products to keep viruses out while never ever updating anything manually.
Problem: in a school environment, keeping out viruses permanently and in an automated way from mail AND any other source without ever changing any workstation or server setting.
- Novell eDirectory
- Novell ZENworks
- Novell NDS Corporate Edition
- Novell GroupWise GWIA
- Novell toolbox (free)
- Novell cron (free)
- McAfee standard antivirus software
- McAfee WebShield SMTP
- McAfee superdat
- SecureCast Channel
- Microsoft NT server 4.0
- Microsoft Scheduled Tasks
- Autoadminlogon (documented)
- Xxcopy (shareware)
Basically, the problem for my organization is that we have very few persons to administer quite a lot of locations. So any process we are able to automate, we automate. Much time is involved in eradicating viruses, especially in a school environment, where the virus source can be various, but mostly limited to mail (attachments) or just plain files from diskettes.
I had to find a way to:
- Block viruses from mail sources
- Update antivirus software without any manual task involved in order to block viruses in general
Here's how to do it.
- At the internet border, have an NT server 4.0 with McAfee Webshield SMTP. This relatively easy-to-configure product will block mail viruses. Configure it to relay all incoming mail to the real mail server which is GroupWise GWIA on a NetWare 5.x or 6.x server. Configure GWIA to route all outgoing mail to WebShield SMTP. WebShield SMTP will be nothing more than a front end to the mail system. This solution is not spectacular, it is just an implementation of existing commercial software. But this way, and since WebShield SMTP can be configured to retrieve virus update files from McAfee automatically, you already block viruses at the border right before they enter your network. So you diminish the risk of virus by a factor x.
- To keep the machine manageable, install eDirectory CE so you don't have to worry about extra accounts.
- Now use this same machine to retrieve superdat files from McAfee. The superdat files are a fine way to update your antivirus software on the workstations. SecureCast update channel with the McAfee channel will periodically push superdat files to this front end computer automatically.
- So on this "internet border" NT machine, you will get superdat files automatically, about every two weeks. These are named e.g. sdat4180.exe or similar.
- These files, that will be the source for virus updates on the workstations, are located in a subdirectory of c:\program files\securecast\?
- The trick is then to:
- Have a routine on this NT server to regularly check for the most recent superdat files, and copy if necessary.
- Have a routine that, at the same time, copies the most recent file to another location, e.g. c:\transfer
- Have a routine that renames sdatversionnumber.exe to superdat.exe
- Copy superdat.exe at night to remote locations
- Silently check for new superdat files at startup of the workstations in the morning
How to do this?
- Have a routine that checks for most recent superdat files: the best tool that I found is xxcopy. Xxcopy allows you to use wildcards for subdirectories AND to specify that copy should only take place if the file (SDATversionnumber.exe in some subdirectory in c:\program files\) is not more than nn hours old. So with xxcopy, you can accomplish something like:
copy the sdatversionnumber.exe file to location c:\transfer only if it's not older than 24 hours
Automate this process with MS Scheduled Tasks.
- If xxcopy finds a "to copy" file, allow it to xxcopy the file with the original name to a transfer directory, e.g. c:\transfer
- In the same batch job (scheduled with MS Scheduled Tasks) that runs xxcopy, put a simple copy command, that would look like:
copy c:\transfer\sdat*.exe t:\transfer\antiviru\superdat.exe
where t: is a mapping to a NetWare server
- Since the old copy command still allows you to rename the file during the copy routine, you will end up with a servername:volumename\transfer\antiviru\superdat.exe file.
- Copy this file during the night to other servers. Best results with toolbox.nlm (copy command included) and cron.nlm (for automation)
- With ZENworks application launcher, create an application object with the following command:
\\servername\volumename\directoryname\superdat.exe, and in command line parameters /s.
Associate it with users, as a forced run.
That way, each morning the user will check for McAfee virus signature updates automatically using superdat.exe, and the best is: since the file is always called superdat.exe... you never create an application object for virus updates again!
Details: use autoadmin logon for this: in case the NT server goes down, while rebooting, all services and scheduled tasks are performed without interruption.
If you have any questions you may contact Jan at firstname.lastname@example.org
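The staging step of the tip above (find the most recent sdat file no more than 24 hours old, publish it under the fixed name superdat.exe), written out as an added example that is not part of Jan's tip or of any Novell or McAfee tooling. It selects exactly one file, so the fixed-name copy never depends on how a wildcard resolves when several versions are present, and it swaps the new file in only after a complete copy. The function names and superdat.tmp are assumptions; the paths in the final lines are the ones named in the tip.

```python
import fnmatch
import os
import shutil
import time


def find_latest_sdat(source_root, max_age_hours=24, now=None):
    """Return the newest non-empty sdat*.exe under source_root that was
    modified within the age window, or None if nothing new has arrived."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    newest, newest_mtime = None, cutoff
    for dirpath, _dirs, files in os.walk(source_root):
        for name in files:
            # Match case-insensitively: sdat4180.exe and SDAT4180.EXE alike.
            if not fnmatch.fnmatch(name.lower(), "sdat*.exe"):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if mtime >= newest_mtime and os.path.getsize(path) > 0:
                newest, newest_mtime = path, mtime
    return newest


def stage_superdat(source_root, dest_dir, max_age_hours=24, now=None):
    """Publish the selected file as dest_dir/superdat.exe.
    Returns the source path used, or None when nothing was published."""
    src = find_latest_sdat(source_root, max_age_hours, now)
    if src is None:
        return None  # leave the superdat.exe already published in place
    os.makedirs(dest_dir, exist_ok=True)
    tmp = os.path.join(dest_dir, "superdat.tmp")  # hypothetical temp name
    shutil.copyfile(src, tmp)
    if os.path.getsize(tmp) != os.path.getsize(src):
        os.remove(tmp)
        raise IOError("short copy of %s" % src)
    # Swap in one step so a workstation never runs a half-written file.
    os.replace(tmp, os.path.join(dest_dir, "superdat.exe"))
    return src


if __name__ == "__main__":
    # Paths as named in the tip; t: is the mapping to the NetWare server.
    print(stage_superdat(r"c:\program files\securecast",
                         r"t:\transfer\antiviru"))
```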
We had a distribution group, which was called "all". Yeah, you think right, it's a group every user in our company is a member of. The problem is that some users used it for mails like "Today is my last day here", "I'll be on holiday the next 2 weeks", etc. These things don't interest everyone and cause unnecessary traffic.
So I built a second group called "list", made all users a member of it, and set the visibility to "none". Then I deleted all users from the "all" group, and only left me as a member of it.
Only a few people know the name of the "list" group and when they want to write something important to all users in the company, they write to "all" and BC to "list".
(Using the BC makes it so that the recipients will only see that the mail has gone to "all" but not to "list", so they don't learn the trick.)
I am the only one who sees anything addressed to "all", so I can intercept the unnecessary emails sent to everyone. If something is important enough to send to everyone, I can send it on to "list".
A simple trick with great effect, I think...
If you have any questions you may contact Christian at email@example.com
I work in the IT department of the University of Michigan Housing, and all of us collaboratively provide both help desk and systems administration support. We use Novell GroupWise for our e-mail system, and for a long time we've just used a HelpDesk e-mail distribution list for customer support and IT-related topics. It tends to generate a *lot* of mail, so we're switching to a newer system:
- A HelpDesk-Chat shared folder that functions as a threaded discussion, so we can have ongoing and archived discussions without cluttering up our main mailbox.
- A HelpDesk resource account to which we all have full proxy access, and individual shared folders within so we can sort out our assigned tasks/mail, and also use for corresponding with customers, so we don't have to worry about losing an important customer message in the flood of other mail.
And because we can have multiple main windows open, we can have a view of the incoming HelpDesk mail anytime we want, or simply subscribe to the notifications on that account.
If you have any questions you may contact Susan at firstname.lastname@example.org
WebAccess and Passwords
One of the most frustrating things for me is when an off-site user forgets their GroupWise password. It starts when they are in-house. They select the option for GroupWise to remember their password which isn't a problem in itself, but a week or a month later when they are trying to get their mail from a remote location through WebAccess they find that they have forgotten it because they don't have to type it in all the time.
Normally I make the GroupWise changes connected to the primary domain and let it propagate from there. But for the convenience of time (mine and the off-site user) I now connect directly to the domain housing WebAccess and change the password for that user there. This gives the user almost instant access and by the time he/she gets back in-house the password has replicated throughout the GroupWise system.
If you have any questions you may contact Wallace at email@example.com
To see other tips helpful to school administrators, check out:
- ZENworks School Admin Tips
- BorderManager School Admin Tips
- Security in the Schools
- Security in the Schools, Part 2
- Blocking Napster
- Main Vault (See the section marked Especially for School Admins)