IT Consulting Nightmare

I have a customer that runs a business with 18 employees. Each employee has at least one computer, and several have a “work” and a “home” computer. There are also 6 servers. The entire firm runs on a Windows domain and has Windows-based computers.

Servers:
2 are running Windows 2000 Server SP4 fully up to date (1 BES, 1 File/Print Server/Domain Controller)
2 are desktop systems that have been converted to run Server 2003 Standard SP2 (1 Domain Controller/Backup system,
1 is running XP Pro SP2 on a single 18GB SCSI HD
1 is running Windows 2003 Standard SP2 64 bit edition

Desktops:
Anything from a 2.4GHz Celeron with 512MB RAM to a 2.2GHz Core 2 Quad with 6GB RAM. The operating systems include:
XP Home Edition SP2
XP Home Edition SP3
XP Pro Edition SP2
XP Pro Edition SP3
Vista Home Basic 32bit
Vista Home Premium 32bit
Vista Home Premium 32bit SP1
Vista Home Premium 64bit SP1
Vista Business 32bit SP1
Vista Ultimate 32bit
Vista Ultimate 64bit
Vista Ultimate 32bit SP1
Vista Ultimate 64bit SP1

I know what you’re thinking, and it’s true: not all of the computers are on the domain. We all (in the IT world) know what this means: that Group Policies are not enforced. Without enforced group policies, users have full control over their systems and are not forced to update Windows with patches. And when I was forcing the domain-connected systems to download and install important patches, I was told that people complained because the computer was reminding them to reboot throughout the day and it was “annoying”. I then had to change it to install at 5PM instead of 9AM.

I also noticed that every user is listed as a local administrator. Even on the domain-connected computers. I was told they had it done this way because some of their software required it. I asked if they had tried using either folder permissions or the Power Users group, and they stared at me as if I had lobsters crawling out of my ears.

Most of the systems do not have the same password set for the local administrator account. This means that nobody knows the local passwords in case the domain is unavailable.

This environment has Exchange 2007 that was upgraded from Exchange 2000 and 2003. Exchange is in Standard Version – which means that the store can handle 40GB worth of data. Many of these users have 2 to 6GB worth of emails. Obviously they don’t like archiving. They have another 8 or 9GB worth of room before *someone* has to make a secondary store and move users to that new store.

The systems run Symantec AV version 10.2 (10.1.5 for non-Vista machines). The “home” users rarely, if ever, get updates to Symantec because they DO NOT stay connected long enough to get the forced updates.

They have a firewall, but do not use it as such because it’s “too limiting”. There is no content filtering and no threat protection.

Recently their backup LTO3 tape drive failed. And by recent, I really mean 2 months ago. They now back up on-site to an external HD. This HD never leaves the server room and can only hold 4 previous days’ worth of stuff.

I offered some advice to them on upgrading their antivirus to Eset’s Nod32. It is $15 cheaper per license than Symantec’s offerings and, in my opinion, a much better product for catching “bad things”. I even went out of my way and received a free 90-day trial with 30 licenses and the server package. I then set it up for them. But before I could push an installer out, one of the big-wigs downloaded the trial from the ESET website and installed it. His complaints:

It’s too intrusive. I want an antivirus that just sits in the background and does its thing. I don’t want to know if it found any infections or that it is getting updates or that it isn’t getting updates. Symantec just sits there. I like that.
It put a ‘scanned by eset advertisement’ on the bottom of every email. And there’s no way to remove it once it’s there. I don’t want to have ads in my emails. It should leave them alone.
When it finds an infection and lets me know, I can’t get it to leave the file alone. It keeps finding it over and over and over again.
It keeps popping up saying the program or virus definitions have been updated. And since it’s not in a Microsoft bubble I can’t just click on it to make it go away.

I mentioned that if he had waited and the product had been pushed from the FULLY CONFIGURED server, almost none of his issues would have been there. I’ll concede that the “leave this file alone” habits of Nod are, uh, not as good as I hoped. But all the other “problems” are complete retardation.

He paid my company over $140 to switch his Linksys router from WPA2-TKIP to WPA2-AES because he read that someone somewhere had “hacked into WPA2 TKIP”. It took us a long time because he couldn’t remember the password to the router, so everything had to be reset.

The company recently upgraded from a T1 to Comcast Business Cable. Kudos to Comcast – the speed difference is huge, and the price difference… well, they pay a lot less. However, they required the use of their current firewall/VPN device hardware. This box was EOL (End of Life) back in 2005. It’s old. The latency, when pinging 4.2.2.2, jumped from 10ms to 65ms just from this box. DNS requests went from 10ms up to a whopping 240ms. Ouch.

His primary switch stack has the default admin/password login. In fact, pretty much everything has the default password left on it.

Almost every printer, of which there are 8 different models/brands, has problems with Vista.

Each system requires the use of Corel’s WordPerfect suite. Each system also requires the use of Microsoft Outlook. On the file server reside all the installers for the required software; however, there are also plenty of keygen applications. That means that virtually none of the software on hand is legit.

The Everyone group had read/write/modify access to the entire fileserver’s c$ share. I fixed that issue and no one even complained.

The previous consulting firm liked to browse the internet while “working” on projects at this company. They would browse using Internet Explorer on a server system. At least they used the same server each time to make it easier to clean up the downloaded malware/downloader trojans.

Every non-domain-joined computer has a hosts file full of “servername [ip address]” information. This leads to problems when the user takes the same machine home, as mail.domain points to an internal IP address.

Several users complain about the slowness of their systems. One, in particular, has a Centrino 1.6GHz with 1GB RAM 30GB HD laptop running Vista Ultimate SP1. This user said he disabled Symantec and it seems to have made the computer run faster, but now he occasionally gets popup advertising while browsing websites.

I wrote up a script to send a daily report on the size of users’ mailboxes on Exchange to one of the big-wigs. He complained later that he didn’t want so many emails sent from Exchange to him and that he only wanted it sent once a week. It now sends every Wednesday morning.
