How to use FastTrack Script to make a useful, quick to deploy 'corporate commandments' system to serve your company terms & conditions to staff
“I Saw Her Standing There” (by the wrong printer)
Not long ago a customer came to us with a bit of a problem, which when we broke it down, kind of reminded me of one of those ‘If Billy had 1 pint of water, a 1Kg bag of marbles of 1/2 inch diameter AND two 45ml cups, how many…’ maths questions from school.
Quite often we find, that the limitation with Automation Studio is not the software itself, but actually our own ability to break down a customer problem and then our creativity to figure out a way to solve it. To cap it all, it’s of critical importance to us that any delivered solution is completely manageable & maintainable by the customer.
Solutions which rely on regular professional service calls? That’s just not how we roll.
Here’s a basic break down of their pesky printer puzzle, with staff & printer numbers (dramatically) scaled down to simplify:
Imagine – one large room for dispatch. The room has two desks and one printer over on the left side, and two desks and another printer way over there on the right side of the room.
Being dispatch, people are working on packing stuff, and therefore, it’s essential that each person has access to the right printer. They also need to print to the other printer, but only if their one is out of service.
Just for fun, let’s call our four dispatchers John, Paul, Ringo and George. John & Paul work on the left side of the room, Ringo and George on the right (and before you write in telling me that it’s unlikely that John and Paul would ever have chosen to work on the same side of the room together – this is just a hypothetical example OK??!!!!).
So both John and Paul need to have the printer down their side of the room (lefts call it Printer-Left) set as default. But additionally, they still need to have Ringo & Georges printer (Printer-Right) mapped in case Printer-Left has a problem.
Likewise George and Ringo need to have Printer-Right set as their default printer, but again, they still need to be able to print to Printer-Left if their printer goes down.
Hopefully you can see the crux of the problem. Now imagine, if you added many more rooms, with many more desks, and a couple of dozen Beetles tribute bands thrown in many of whom decide to ‘swap bands’ – what sort of IT printing nightmare would ensue!!! Relevant Beetles song titles that come to mind are ‘Help!’, ‘I’m Down’ & ‘Misery’.
More importantly, if printers stopped working, or jobs printed off the wrong dispatch printer, that would cause havoc and the result of that would be calls to an already hard pressed IT department, delays and perhaps even a tangible cost to the business. No matter how IT tried with windows printer management, messing about with group policy object assignment, at the end of the day, it was a case of ‘Place your bets Gentleman please!”, because that’s how reliable printing was.
Enter FastTrack Automation Studio, which has been designed to deal with exactly such situations as above – and actually far more complex even. Printers (be they on server shares, or direct to IP Printers) are simply loaded into Automation Studio, and ‘conditions’ are then set as to who gets what. What’s set as default, STAYS as default. See the image below for a typical list of conditions, but more functionality can be scripted if required.
So in ‘The End’, with some clever logic & group creation, Automation Studio was able to solve the entire printing enigma, and once and for all, everyone now was printing to the right (or left!) printer, plus a backup.
It’s therefore true that ‘Money Can’t Buy Me Love’…. but if you were to use a little to buy your company a copy of Automation Studio Enterprise, it can absolutely remove the daily gamble of what & where your default printer is!
FastTrack & Outlook – Your Low Cost Advertising Amigos!
When most people think of running a social media marketing campaign, they instantly reach for mass email marketing campaigns, social page interactions (posts, likes etc.) and of course emptying their wallets into online ads. It’s highly likely however, that they’ve missed out a really important and virtually free channel – their number one customer ‘touch point’ – EMAIL!
So why not leverage your Outlook – signatures in particular, as a marketing platform in its own right? Automation Studio Enterprise not only ships with the innovative Signature Banner Ad system, but also features to take the pain out of managing social media icons & links in Outlook signatures.
Think of your company’s Outlook deployment as a giant Piñata – a huge untapped resource, stuffed full of marketing potential to enable every staff member to help spreading your Social Media story.
Stand well back. Take a run up if you have to. Just make sure you give Outlook a good old whack with Automation Studio – and watch all those social media goodies come flying out!
The perils of staff using their own social media icons in signatures are obvious. At best, these self-grabbed icons are typically of poor quality, and can look unprofessional. At worst, you could actually end up in hot water with the likes of Twitter / Facebook etc – they really do get rather stroppy about the use of non-official logos. So our Social Media Icon feature ensures your staff are using perfectly uniform & official Social Media handles that look right, and link right.
Now that you’re using Automation Studio to effortlessly deploy and manage your company’s Outlook Signatures with professionally produced company specific social media handles, the next step is to identify those ‘star players’ in your staff that deserve their own personal social media handles so their popularity, boosts yours. Deploying personal links to a subset could be a headache, but not with Automation Studio. Simply create save a new copy of your generic template and assign this to whatever groups you want. These users will now be able to personalise their own handles – whilst still perfectly adhering to your corporate look and feel.
Interested? Here’s an example we cooked up earlier!
Scenario: Our fictitious Mexican restaurant chain ‘La Firma Cocineros’ wants to better connect its clientele with their team of award winning chefs in order to nurture and build the chains social media following.
Solution: In conjunction with traditional / conventional marketing – your Outlook Signatures are deployed group wide, ensuring that all chefs participating in the social media awareness program now have personalised social media links on all emails they send out.
Step 1 – Edit your existing company-wide Outlook signature template, which, thanks to our editor, is very easy to do!
Step 2 – We’re going to add some personal links for staff, so how about updating the signature with a little graphic to draw people’s attention to this?
Step 3 – Now we’re ready to add those social media icons and links. Clicking on the ‘Social Icons’ at the top brings up the following dialogue box. In this case, we’re adding the Facebook icon, and we set the link to ‘personalised’ via the check box option.
Step 4 – We’ve finished adding the rest of the icons to our standard template. Time to deploy.
Step 5 – Your signature is served! One beautifully produced, company-wide, socially engaging Outlook signature. Let’s hope Head Chef Julio hasn’t got a temper! Buen provecho, as they say!!!!
Grab Your Free Automation Studio Trial Today!
What are you waiting for!? Click the link below to get started with Automation Studio and start battering your Outlook Piñata!!
It’s been six years since we added Outlook Signature design and deployment commands to our Automation Studio product, and today this functionality is still one of the most popular reasons people buy it.
If you are in the processing of taking our free trial, then this blog should come in handy. I will cover the three different software editions which you can achieve Outlook Signature automation with and discuss some ideal usage (real life!) scenarios.
Before I get going however, I think it’s worth to start out by talking a little about our solution in general. Why, when the Internet is awash with many other Outlook Signature solutions (some of them free) do so many IT professionals still choose our Automation Studio?
Simple Outlook Signatures: Save yourself! (time & money)
Having been an IT manager myself, I know all about the ‘overhead’ of any software that fills a need. Solutions generally need infrastructure (be it on premises or cloud), this in turn needs to be managed, then there is configuration, monitoring, and as you roll it out, desktop support too. A package that initially looks cheap on paper, suddenly doesn’t save you money, and just generates new problems that replace the old ones.
Because our Outlook Signature solution is completely contained within a tiny (and pretty remarkable) 2MB executable file (FSH.EXE), the engine behind our solution is ultra-thin at its core.
This compactness makes our solution supremely robust and is many cases, completely infrastructure free. Our customers appreciate the fact that it is versatile enough to work pretty much on any version of Windows, old or new, and being truly portable, any type of deployment type, be it desktop or VDI.
With Automation Studio, your signature appears right underneath your email inside of Outlook, so you can see before you send. An essential feature if you are running multiple email accounts under different brands.
No changes to your email server setup are required, and there is no need to route email via a 3rd party system as with some competitive solutions. Privacy issues aside, routing via 3rd party servers makes your email dependent on the signature provider, which means yet another system to check if emails go AWOL.
A Signature Is Unique. Buy Something Unique To Your Needs.
Depending on the edition you choose, you will also appreciate the awesome power of FSH.EXE in how you are able to tweak and tune it, leveraging over 1,500 powerful IT Administration commands. I will demonstrate some of these simply yet powerful tricks later in the blog.
Really though, you are likely reading this because you just need a solution that makes your Outlook Signature problem ‘go away’, and to do so with a minimum amount of time & effort spent on your behalf.
You came to the right place.
Compare Our Editions
We package Outlook Signature automation and deployment into three distinct editions: Outlook Edition, Enterprise Edition and Platinum Edition.
Let’s take a closer look at each edition so you know you’ve got the functionality you need. But why limit yourself to just that you know you need?
You might discover functionality you didn’t know you needed!
Outlook Edition: Signatures in seconds!
Starting with the most economical edition, Outlook Edition is extremely popular for those are in a hurry and have perhaps got frustrated with other more complex solutions. If you have a 100s (or 1,000s!) of staff and your boss just told you he wants signatures sorted ‘by end of play’… Outlook Edition is the answer.
The beauty of our Outlook Edition is that there is no requirement for any infrastructure, databases, collecting user details and importing. Windows O/S support goes way back to XP, but naturally includes all the latest O/S too.
Rolling out Outlook signatures company-wide works like this:
- Copy your design into our free WYSIWYG signature designer (we do not charge for this and so you can use as many copies of our designer as you have licenses)
- Configure various signature options such as the ability for users to fill in their own details
- Test your signature using the test feature on your local Outlook
- Build your signature as either an MSI or EXE
- Send out to users, either via software deployment solution, running from a logon script or simply host it on a network share and get users to run manually.
- If you need to generate different signatures for different groups, simply create a new design, and create a new EXE / MSI. There is no limit on the number of signatures you can create.
Outlook Edition: Great For
- Extremely rapid signature deployment to many 1,000s of Outlook users
- Situations where you do not have user details up to date and stored centrally
- When you have a limited budget
Consider another edition if:
- Have many departments and want multiple signatures per user / per department
- Want to be able to re-design signatures without having to re-build signatures to new MSI / EXE files
- Have some custom functionality / specific situations which is important (more on that next)
Case study: Outlook Edition Delivers An Architecture-less Email Signature architecture… for Architects!
A London based Architecture firm with 300 staff needed to move their offices in a hurry and did not have a company-wide Outlook Signature solution in place. In an afternoon they needed to roll out a new signature which informed customers & suppliers of their new address. There was no time to set up a new server based solution, correct user details, or make big architectural changes to their out sourced email solution.
The new email signature was designed in a few minutes, built to an MSI and rolled out via MSI software distribution (GPO). When users next logged in they were presented with a form in which they were shown their contact details automatically taken from Active Directory, which they could adjust if not up to date.
This ‘zero architecture’ solution was implemented in the same morning as purchase, and most signatures had been deployed after staff logged in when they came back from their lunch break.
Enterprise Edition: The essential automation tool for Enterprise networks
Automation Studio Enterprise Edition is the solution which most customers end up with simply because of its huge feature set and the ability to adjust and customise scripts that enables IT departments to engineer and automate themselves out of problems.
Customers that already have Software Deployment, online inventory, printer management, drive mapping and EXE/MSI packaging solutions could suddenly find themselves being able ditch separate disjointed systems (some perhaps built in house and no longer supported), and switch to Automation Studio – one product that handles everything.
If you are simply looking for Outlook Signatures alone, the core benefit of the Enterprise Edition is that together with Logon Script functionality, you can dynamically build signatures on the fly at logon. So there is no need to design a signature, build to EXE or MSI and then distribute, this task happens at logon. Therefore all that needs to be done is to edit the signature design template, hit save, and there is nothing more to do.
Because the signature creation workflow is done at logon, it makes it far easier to create multiple signatures for multiple departments. With Outlook Edition, you would need to create multiple EXE or MSI, so if you have 20 departments, with different languages perhaps, then Enterprise Edition is going to save you a lot of time.
Being based on Logon Scripts, requiring no additional infrastructure, and being entirely run from your existing NETLOGON directory, our solution is therefore is automatically as fault tolerant, highly available and as scale-able as your own Active Directory. It will be just as easy to roll out Outlook Signatures to offices in the UK, than those in New York and Singapore, if they are all connected on AD. This is another example of how our product is designed with simplicity and ‘thin-ness’ in mind.
Another aspect of Enterprise Edition is customisability.
Here are two great examples that I can share which highlight to specific instances where the power of FSH scripting was able to easily fix unforeseen problems:
Mit freundlichen Grüßen / Sincères amities
A Swiss customer had rolled out Enterprise Edition to manage Outlook Signatures but they soon discovered a bit of a problem. Being Swiss, staff in the company spoke both Swiss French, and Swiss German. However, it was not the case that everyone in a particular office / department used one language over another.
Each member of staff had a German email signature and a French email signature; however, the ‘default’ signature was initially only selectable via an AD group or OU – which was not useful.
The customers IT manger (who, incidentally, had only been using our FastTrack Scripting language for a day), figured out a solution all by himself:
If UserIsMemberOf SALES-DEPARTMENT Then If [UserCustomProperty preferredLanguage] = "DE" Then SetNewEmailSignature My Company AG - DE SetReplyEmailSignature My Company AG - DE End If If [UserCustomProperty preferredLanguage] = "FR" Then SetNewEmailSignature My Company AG - FR SetReplyEmailSignature My Company AG - FR End If End If
This little custom script simply checks for the ‘preferred language’ custom setting in AD and then selects the appropriate signature that matches this. The result is that the member of staff has a default signature language that matches whatever they have their preferred language set to. Beautifully simple!
Japanese managed Active Directory drives Dutch sales outlet up the ‘van de Walle’
A customer in the Netherlands is a sales outlet that is headquartered in Japan. Much to the annoyance of IT staff in the Dutch office, all the Active Directory management was run out of Japan and there was no permission to edit user names or other attributes.
The problem was that in Japan, Dutch staff details were not always correctly entered. Dutch names such as ‘van de Walle’ would get entered in Active Directory as ‘vandewalle’. As such, this is what would get slapped on their Outlook Signatures.
Again with a little custom scripting, the problem was easily fixed:
If [UserCompany]=EXAMPLE-COMPANY Then Set Name = [PrettyPrintUpper [UserFirstName] [UserLastName]] Set Name = [Replace [Var Name], " vandewalle ", " van de Walle"] InstallSignature Signature.docx, COMPANY-SIG SetNewEmailSignature COMPANY-SIG End If
So with the above snippet loaded into our Logon Script solution we are first auto capitalising ‘First Names’ and ‘Last Names’ and then we look for specific surnames, and essentially do a find / replace on the fly, so we take the ‘wrong’ AD name and replace it with the correct one.
Let your workforce advertise for you!
As covered on this blog, Enterprise Edition also ships with the nifty ‘Local Banner’ solution, a clever system which allows you to tag what are essentially banner ads in designated campaign placement areas underneath your signature designs. Banners can be enabled / disabled on scheduled dates, so are a really useful means to subliminally disseminate marketing messages, or simply company information such as opening hours over public holidays.
There are too many other features contained within Enterprise Edition to list them on this blog, but you will find other blogs on this site which cover included functionality on this site.
Enterprise Edition: Great for
- When you have multiple departments that all need different signatures
- If you have certain custom requirements that cannot be met using standard functionality
- If you have identified one or other functions shipping with Enterprise that you need
- If you are interested in utilising the Local Banner functionality
Enterprise Edition contains all the functionality of Outlook Edition, so if you wish to deploy EXE or MSI signatures to customers, then you can still cover these guys with Enterprise Edition
Consider Platinum Edition if:
- You have identified platinum functionality you need (eg SCCM integration)
- You like the look of our ‘Cloud Banner’ functionality’
Platinum Edition: Makes Every Email Sell Your Story!
As I mentioned above, the only difference from an Outlook Signature perspective with our Platinum Edition and Enterprise Editions, is the inclusion of the additional ‘Campaign Banner’ functionality of ‘Cloud Banners’.
In short, Cloud Banners give Marketing departments the ability to manage email signature campaign banner images completely outside of their company IT systems. So where with Local Banners, Marketing would have to upload images files and links to a network share, with Cloud Banners, they can log into our portal and control from there.
Being a portal-based solution Cloud Banners can be configured to track views and clicks too, which is useful to test and track the effectiveness of your email banner ads.
You can read more about our Campaign Banner solution on a blog written here.
The More You Learn, The More You Like!
I hope I have given you a good overview of our three Outlook Signature solutions, and this will make the task of deciding which of them is going to best fit your requirements.
My final word, which I have previously explained on this blog, is that with Automation Studio, it’s just as much about learning what you don’t know that can be done, verses simply just want you think you need.
It’s a mantra of mine that with regards to Automation Studio, it really is a case of ‘The more you learn, the more you like!’
It’s not always right to chuck your users in GPO Jail for everything….
(..and why the best Administrators usher them in calmly, and leave the cell door open)
It’s tough being an I.T. Systems Admin. On the one hand, you need to ensure that you assemble some form of order from the chaos that unfolds daily, but on the other, you don’t want to come across as the Dirty Harry of ‘GPO-PD’:
“Sandra in accounts…take your hands off the keyboard, step away from your computer and assume the position!”
When I think back to my own heady days as an I.T. Manager – I can easily remember the most badly received ‘policy’ that I decided to spring on my unwitting users one morning. Using Group Policy I decided that the entire company was going to have my choice of desktop wallpaper, and as we were a computer manufacturer – how about a nice picture of a computer? One that I designed, of course. Which won an award. Yes, perhaps it was a just little self-promotional and my ego was a little oversized, but in my opinion, this was so much better for your desktop than a photo of Kylie Minogue in a t shirt.
But I was soon to discover, apparently not!
And so there was an office revolt, a humiliating climb-down and before you could say ‘I could be so lucky’, Kylie was again emblazoned across the desktops in corporate sales.
And so how refreshing was it, when Nathan Cunningham, IT systems analyst, emailed in a request asking if it was possible to use Automation Studio to change the desktop wallpaper of his users. But he wanted this to happen…. only once.
Only once? Now fancy that. What a great idea.
Here is an IT administrator, I thought, that fully understands how to wield ‘soft power’ in I.T. Yes you change everyone’s desktop wall paper, but folks, if you don’t like it, go ahead and change it to something else. And because users know that they can change it if they want to… most of them probably won’t.
So then – how do we roll this out?
Out of the box Automation Studio does let you set desktop wallpaper through the GUI, but doing it this way, it’s a set change for everyone and will be ‘enforced’. However as with many things, Automation Studio really comes into its own when you start playing with custom scripts. So to achieve Nathans requirement, all that was needed was the addition of a single line of custom script:
If UserOnce Wallpaper Then SetWallPaper WallPaper.jpg
And that’s it. As long as the file ‘Wallpaper.jpg’ is in your FastTracks /fshbin, you’re done.
So the point of this blog entry is, the ‘UserOnce’ and associate ‘UserOnceASecond/Minute/Hour/Day/Week/Month’ commands are a great illustration of how simple, yet smart Automation Studio commands can help you run not just tighter IT…
….but nicer IT too!
Five reasons why running advertising creatives on your email signatures is a great idea:
- Market your organisations products and services on every email your entire organisation sends out
- Automatically keep your existing customers up to date on your latest offers
- Empower marketing to create and manage campaign creatives outside of I.T.
- Use as free A/B ad testing platform, use ad tracking data to gauge ad performance
- Cost per click (CPC) = ZERO!
Do you like the idea of free advertising?
Surely everyone would answer this question with a resounding ‘YES’ however most would ask a follow up question of ‘What’s the catch?’. Well there is none. Whilst marketing departments might plough many thousands of pounds into Google Ads or LinkedIn campaigns, it’s quite possible they overlooked a premium advertising space that is right under their noses and completely free to use. We are talking of course, about the area of white space that sits underneath your company email signatures.
Make every email sell your story!
With Automation Studio Outlook Signatures, you automatically improve the quality of your organisations email signatures (delivering a more consistent, coordinated and professional impression on your customers). With our campaign banner functionality, you get to strap a virtual sandwich board on to every single member of your organisation. The entire workforce would then (without having to actually ‘do’ anything) dutifully spread whatever wonderfully crafted messaging your marketing guys come up with.
If you have 50 people emailing in your company, then you have 50 people advertising your services that were not doing so before. Most of their emails are to clients, so that’s great to get new offers / reinforcement. There’s also a ‘halo effect’ in ‘non customer’ contact, so staff emailing suppliers, family and friends, the vet, school, who knows – everyone gets the message.
The key here is we feel *passionately* that every email that leaves an organisation has to not only ‘look’ the part first, but also – what’s wrong with it also ‘selling the part’ too? After all – it’s company email – it’s a completely untapped resource with huge opportunities.
Choose your banners: Local or Cloud?
There are two features within Automation Studio which enable a ‘Banner Ad’ like functionality: Local Banners, and Cloud Banners.
Included in Automation Studio Enterprise Edition, Local Banners are essentially ‘placement’ areas for images within signatures, and these banner images are taken from ‘locally’ inside your business, perhaps on a network share. So you set the placement area up in our Outlook Signature designer, tell it where the source for the image(s) from and that’s it.
With multiple signature templates for different teams, you would now be able to assign different banner sources, and therefore different banner images to different teams. When more than one banner image exists in a directory, the image is shuffled when the user logs in.
Updating a banner image, or batch of images in a set of local Banners is very easy. All that needs to be done is to physically change the images out on the network share, there is no need to touch any of your Outlook Signature configuration. As such, images could theoretically be batch created and therefore automatically updated, if that was what you wanted to do.
The big difference with Local Banners vs Campaign Banners, is that as these images exist on your premises, images and the use of them are not ‘tracked ‘so you get no metrics back from users clicking on them. If you created some special links for your network banners, then you could at least glean some click metrics that way.
To set up Local Banners:
Step 1: Open your email signature template and select where you would like to place your banner
Step 2: Click the ‘Campaign Banner’ icon (top right) to bring up the banner type selection screen. Click ‘Local Banner’
Step 3: Paste in the network share / resource where you banner images reside. After you paste in, your banner images will appear in a preview window below. If you have multiple images, use the arrows to shuffle through them to preview all banner images you have loaded in.
Step 4: That’s it – your local banner(s) are now all set. Whoever has this signature template assigned will see the banner appear to all their outgoing email the next time they log in. Every time they login after the banner image will shuffle if multiple banners were used.
Automation Studio Platinum Edition ships with Local Banner functionality, but also includes the more advanced variant, Cloud Banners.
Cloud Banners work quite differently from Local Banners, in that the campaign images themselves are uploaded to a portal which we run. Because these images are ‘centrally stored’ it’s now possible to collect campaign metrics such as impressions, clicks and more information such as IP address, country etc.
Having the banner images loaded in to a portal means that it’s much easier for Marketing Departments to manage banners, and they can do so from anywhere. There is no need to update images on a local network share as would be required for Local Banners.
To set up Cloud Banners:
Step 1: Load your campaign images into the Cloud Banner portal. Make a note of the ‘Campaign ID’ provided’ (not visible in this screen shot).
Step 2: After clicking the Campaign Banner icon in Outlook Signature Designer, click ‘Cloud Banners’ option
Step 3: Enter the 12 Digit Campaign ID that was generated in step 1, you will then see your banner preview appear, just like with Local Banners, you can use the arrows to shuffle through your Cloud Banners to preview them
Step 4: Your Cloud Banner placeholder is now complete, and shows your unique campaign ID.
How the completed signature / banner combination looks when sent with Outlook
Suggestion: Keep your Outlook Signature banner ads bright, interesting and informative!
So now we have empowered you with the ability to leverage Outlook as an extremely cost effective advertising platform, it’s important not to go completely mad, and start hard selling ads over email.
We are using a ‘personal communication’ space to transfer messaging, so it’s important that images you use for Outlook banners, convey a ‘softer’ message, less pushy, more interesting and informative. If you don’t have the in house marketing skills to do this, we would certainly recommend employing the services of a professional marketing agency to take this task on – it will result in much better engagement.
Is OneDrive Driving You Nuttier Than Beorn’s Honey Nut Cake?
As master of your I.T. domain, just as you relax having thwarted the army of USB drive wielding hordes from Finance, all of a sudden, the Witch-king of Angmar sticks his head round your door with a request for Office 365 and One Drive For Business drive mapping. For everyone. Orcs included.
Being a forward thinking I.T. professional, you’ve embraced the cloud as the low cost and scaleable storage resource it is, and let’s face it, that extra server storage for the development Hobbits, that’s just not happening. However, before your pack the entire company off into the murky depths of Microsoft’s ‘Middle Earth’ in the cloud, there is a problem. Legacy apps. Legacy Data. Active Directory authentication. Printers. Laptops. And the stuff the boss doesn’t let you see, and told you it must in no circumstances leave the premises because he must be able to physically touch it.
The result is a one-way ticket to a place we call ‘Neither-Nor-Dor’ – the harsh and inhospitable land of cloud compromise. You still retain the benefits (and challenges) of keeping key assets on premise in order to run the business, however for cloud storage, users need to log in to MS O365 OneDrive For Business on their PCs. Worse still, some have SharePoint storage accounts they collaborate with, so these need to be set up too.
FastTrack Automation Studio: Taking The Sting Out Of Mapping Microsoft Cloud Storage
If the thought of organising all of this makes you yearn for Shelob to jump down and give you one of her silky cuddles, fear not, brave one! Automation Studio now equips you with a blue glowing ‘Sting’ of your own to slice your way right through the w’ork-load.
Introducing Automation Studio’s SharePoint and OneDrive For Business Active Directory GUI Mapping!
Welcome To OneDor!
Automation Studio’s functionality here is positively elven in both ingenuity and beauty:
Step 1: Go ahead and create a drive mapping in the Automation Studio Logon Script Wizard just like you would for any normal server drive mapping. Simply click on the ‘Add SharePoint’ or ‘Add OneDrive’ button the right.
Step 2a: For SharePoint – select the desired drive letter, SharePoint URL and the name of the drive you want to display in your users File Explorer.
Step2b: For OneDrive For Business, again simply set the drive letter, the tenant name, and the name of the drive.
Step 3: Set the condition(s) – so who gets the drive.
Step 4: That’s it – you’re done. Next time the user logs in, they’ll need to authenticate with MS Online just the once, and after that – they’ll have their One Drive well and truly – ‘On the map’.
Return Of The King (That’s you – to the peace and quiet of your favourite website)
Let’s be realistic here. Yes your stay in ‘NeitherNorDor’ may last longer than planned, but at least with FastTrack Automation Studio at your side, it will help restore more enough the illusion of normality, perhaps even tranquillity. Meaning you can get back to ‘real’ work.
Or put another way: The Great Eagles of Arda? No need.
If you have a little more time, check out our other blog ‘The More You Learn The More You Like‘ for some more OneDrive and MS SharePoint tricks!
Version 6 of Admin By Request brings with it a rather ‘tasty’ new functionality which enables ‘per app’ elevations using the traditional ‘run as administrator’ method which most users are familiar with. So with the launch of ‘run as’ functionality, we thought it would be a good time to dish up a brief re-cap of all three elevations methods available in Admin By Request, and cover the best situation to use them in.
Elevation Via Whitelisting
Admin By Request comes with sophisticated approval workflows built in, which enable portal administrators to process each elevation request based on a ‘reason’ and to then decide on whether or not to approve it.
But what if you have a known application, perhaps legacy, that some staff need to use all the time? You don’t want to have to ‘workflow’ these requests, but at the same time you don’t want there to be a Local Admin ‘free buffet’ either.
This is the ideal scenario for application white-listing.
To set up an application for Whitelist:
- Log in to the portal and navigate to ‘Settings > Whitelist’
- Select ‘new’ to create a new Whitelist entry
- Enter the location of the file (program files, Windows directory, any, or custom) and then the file name.
- On the Whitelist setting is changed it might take a few hours for settings to be taken up by clients.
Any user can now run this program without having to gain full local admin rights to their system.
For more granular control, you can deploy a sub setting and create additional Whitelist entries for those users in that sub setting – so if you need to Whitelist an application for engineering, you would add this only to the engineering sub setting Whitelist, so only that department could auto elevate it.
TIP: Learning Mode automatically detects elevations and enables one click adding to Whitelists.
Run As Administrator Elevation
(Above) If a user / group has ‘Run As Admin’ mode enabled, they can request elevation simply by right clicking on the application in question and selecting the ‘Run as administrator’ icon from the properties.
New in Admin By Request 6 is the ability to perform ‘per app’ elevations. The main benefit of this is, like whitelisting, you are giving the user the ability to elevate just a single application, rather than granting elevated access to the entire system. Another benefit of the new ‘Run As Admin’ mode is that it works the exact the same way as users likely got apps to run with Admin Elevation before, so there is minimal need to ‘re-educate’ users in how to get elevated rights when running apps.
Unlike whitelisting, ‘Run As’ elevations can be configured to require the user to:
- Fill out a ‘reason’ for the elevation
- Require manual approval to run the application elevated
You have the option to assign different users / groups of staff different combinations of these options, with the use of our sub settings functionality.
So when you need to manage the granting of elevation ‘per application’ and not the entire system, the ‘Run As Administrator’ method is the right choice.
Full Session Elevation
(Above) In order to obtain ‘Full Session’ elevation (again only if enabled for the user/group), right clicking on the green ‘Admin By Request’ icon in the tray invokes the ‘Request administrator access’ option from where the user can start the full session elevation workflow.
Sort of self-explanatory, full session elevation provides exactly that, in that any user given full session elevation gets full local admin rights on their system.
Full session elevation mode is ideal for the following situations:
- Developer using a lot of elevated applications
- Elevation access to ‘system’ resources such as drivers, printers etc
- Someone that needs to have their elevation only for a specific amount of time
As with ‘Run As’ mode, everything in the elevation session is audited, so you will get to see the reason why the person needs the elevation, anything installed, uninstalled or run.
Some extra protections were added to Full Session elevation mode in version 6, such as the ability to block the elevation of any system files (CMD.EXE etc) whilst running elevated, and the ability to ‘force terminate’ any elevated processes once the timer has run down.
No Elevation, Elevation!
(Above) if you have excluded a user from Admin By Request in order to deny them the ability to request elevations, it is still possible to perform an ad-hoc elevation with a single use PIN. The end user (or IT support person working on PC) would enter PIN 1 into the portal, and use this to generate PIN 2.
Technically there are FOUR ways to get elevation in Admin By Request, the forth way is not ‘user self initiated’ and so should be treated separately.
Let’s say you deploy Admin By Request to your entire organisation of say 1,000 staff, however you only want to give 600 people the ability to use Admin By Request to elevate as and when they want. To do this you set up a master ‘Global Scope’ in the portal settings. This scope defines who is able to run Admin By Request in order to either auto elevate or request elevation. Anyone not in this scope, can’t use Admin By Request to elevate unilaterally.
However, a very nice feature, new in version 6, is that even if a user is out of the Admin By Request user scope, it is still possible to obtain elevation, via a special single use challenge / response PIN code. This code is ONLY be obtained from IT / portal administrator.
So if a user brings their laptop into your IT department and you know this user is out of Admin By Request user scope, and they need elevation ‘in profile’, all is not lost. You can easily generate a PIN and start an elevated session, hopefully while that user pops out to buy you a plate of prawn sushi – served three ways!
You replaced their Simpsons desktop wallpaper with corporate messaging. You blocked them from checking Kim Kardashians Facebook page. Candy Crush got… crushed.
Being the IT professional in charge of your organisations desktop security, your policies are about as popular as an unexpected Windows 10 update. That said, there is a general begrudging acceptance that your dictatorial edicts are probably sensible and for the good of the company. After all, you are merely following Management guidelines: For staff computing practice, productivity trumps personality every time. Right?
After putting it off for years, the task of revoking and properly managing Local Admin rights company wide can be delayed no longer. Failure to complete would almost certainly trigger an embarrassing ‘non-conformity’ in your next security framework audit, resulting in an embarrassing, and expensive, reassessment.
So what’s the hold up?
Well perhaps it’s the negative consequences of revoking Local Admin rights. These are easy to predict. Developers, Designers, Sales & Support will all be up in arms, forming an unlikely union of mass protest. Before you know it, they’ll all be wearing yellow vests to work.
Local Admin right is not a human right!
The problem for you is that this time, you find yourself in unfamiliar territory: the wrong side of the productivity argument.
Without Local Admin rights, staff simply can’t do many of the simple and safe things they need to do, when they need to do them. Install printer drivers at home, set up VPN software late at night from a hotel room, or even install an online meeting software plugin.
To do any of these things would now require immediate (and likely always urgent) involvement from you or your IT staff. The result is an operational drag on the workforce and worse, constant disruption for your already stretched (and likely even more unpopular) IT department.
Such a traumatic arrangement would therefore not last long. Staff would go behind your back to complain to your superiors. Top management would be sympathetic to your intentions but without cold hard facts to add to an executive risk assessment, you’d likely lose the argument, and with that, a chunk of your authority too.
Staff 1 : Geeks 0.
Admin By Request: Rights revocation done RIGHT
Admin By Request is a Privilege Management Solution that is easy to deploy, even easier to use, and requires the tiniest of local system resources to run. However the ingenious functionality is not limited to the technical capabilities we have built into the product. At FastTrack Software, we understand that deployment of the best product in class might not result in a successful implementation, if the ‘socio-political’ aspect of rights removal are not carefully planned.
And so, with Admin By Request, we deliberately put a great deal of thought in to designing our solution to enable IT Departments to perform the ‘humane disposal’ of Local Admin rights.
What does that really mean? It means you get to complete your project, without being reported to the United Nations on a humans rights violation!
Set phasers to stun! (actually, more like ‘none’ than stun)
After downloading the free trial and confirming that Admin By Request does everything you need, you order your subscription, and immediately push the tiny 3MB client MSI out to all staff. Come the morning, you adopt the posture of ‘Doctor Doom’ and observe (with an evil grin) as the mass Local Admin cull begins. Right?
Well, actually … wrong!
The key to a successful Local Admin Rights removal project depends on three factors:
Learning mode (AKA ‘Stealth mode!’)
Rather than an initiate an immediate an humiliating revocation of all Local Admin rights, we recommend a softer approach.
Set up your Admin By Request portal with minimal restrictions for all (no authorisation required) and enable ‘Learning Mode’ which disables the rights revocation ability. Users are simply shown the new and super easy way to get Local Admin rights, either using ‘Run As Administrator’ mode or ‘full session’ local admin. They won’t mind, because it’s easy, and they still get admin. Happy days!
Unknown to them, as the name suggests, Learning Mode is quietly logging every single thing that is getting elevated.
Complaint avoidance by stealth
You may be all seeing and all knowing, but it’s just possible that there are some obscure (but important) applications which certain departments need to run as admin for jobs to be done, that you are not aware of. Learning Mode will show these up in the ‘Learning Mode Collection’, enabling you to consider them for white-listing. When it comes to finally revoke rights, all white-listed apps will get automatic elevation. This means no cause for complaint, no loss of productivity, and no egg on face for you.
Evidence of risk / compliance breach
For me, as an ex IT Manager, this is the killer. At the end of your Learning Mode period, you would not only have identified the use of ‘safe approved apps’ for white-listing, but also bad apps, and perhaps some unintentional bad practice too. Accidental elevation of email clients and web browsers, perhaps.
Before you remove rights, you submit this long list of misdemeanours to your superiors who will no doubt recoil in horror and ask you to do something about it. Learning Mode comes off, you tighten things right up. Now any complaints to senior management will receive short thrift. Victory is yours!
Now I know what you are thinking. You mentioned stealth, evidence and flexibility. What’s flexible about this, it sounds down right sneaky and pretty brutal right!?
Bear with me…..
Flexibility in.. delegation
Admin By Request has an extremely powerful ability to granularise settings in to ‘sub setting’ groups.
You would start everyone off at most strict, and as each department head comes to you begging for leniency, you can be gracious and offer compromise. However on one condition: That THEY, the departmental heads themselves, take the responsibility of handling the approvals and denials for their own teams.
This is a win-win for both. Departmental heads get more control, independence and responsibility, whilst IT are no longer burdened with the day to day processing of – let’s face it – generally trivial requests for every day trusted tasks.
Final thought: Forget the human aspect of rights management at your peril!
The takeaway message I would like to leave you with here is this.
Admin By Request not only solves your Local Admin problem, but with our Learning Mode feature, it presents you with a method to achieve this with the minimum of emotional trauma for you, your management, and your staff.
Yes we are all human and we all have rights. Just not Local Admin!
If you are ‘scoping out’ a Local Admin rights management solution, Admin By Request hits the bullseye!