Remote administration of windows clients?

Started by dinuanzz, Apr 06, 2023, 12:07 AM

Previous topic - Next topic

dinuanzzTopic starter

We have a network consisting of approximately 600 Windows machines that operate without a domain and lack any form of automation. All tasks are performed manually, which presents numerous challenges. Additionally, the absence of a domain means the lack of SCCM and similar tools, primarily due to cost-saving policies.

Given this context, the question arises: which tools can assist in administering and automating software updates and installations, managing local accounts, and overall configuration management for a significant number of Windows machines?

While I am aware of chef, puppet, and Ansible, it seems that these solutions are primarily designed for Unix-based systems, and may not be the ideal fit for our Windows environment. It would be beneficial to explore alternative tools or approaches tailored specifically for Windows administration and automation.


The responsibility of managing the IT department falls on the head, but it's important to remember that the funds for this work come from the business itself, as they are the ones paying your salary (which is, in essence, why you are employed there).

Contrary to other suggestions, I would not recommend focusing on implementing key infrastructure components such as a domain controller (regardless of whether it's on Linux or Windows) or any form of centralized server on the PCs (as purchasing one might not be feasible). However, taking on the task of setting up, configuring, and eventually fixing these components will enhance your professional growth and add value to your skillset. It will also provide you with opportunities to escape this arduous situation in the future.

For immediate solutions:
- Install a remote control agent on each machine to reduce the need for constant physical movement between them.
- Standardize software and its installation methods (even if it means utilizing simple command scripts) to eliminate the time wasted on navigating through repetitive installation wizards.
- Overall, find ways to minimize unnecessary tasks and dedicate more time towards self-education and making qualitative improvements to the current situation, rather than just quantitative adjustments.


The only aspect of Active Directory (AD) that has been relatively well-implemented is the centralized administration of user accounts. However, everything else lacks efficiency. As a network administrator overseeing around 6500 Windows PCs without a domain, I am familiar with the challenges this unique network environment presents. Unlike typical office setups, the computers in our network are not primarily used by live users but rather for specific software functions that run continuously. Consequently, there are no issues regarding user database storage and maintenance.

To streamline operations, we rely on Powershell Remoting for all tasks. Daily computer statistics are collected and consolidated into a central database. We have also implemented WSUS to centralize updates, and KES is deployed with its own version of group policies, managed by other team members. Initially, we experimented with Zabbix for monitoring and management, but ultimately found Powershell to be more convenient and efficient for our needs. Additionally, Ansible can be used to interact with Windows machines through Powershell Remoting.

In short, I highly recommend becoming proficient in Powershell, if you haven't already. A good starting point would be writing a script to remotely activate Powershell Remoting on all the computers using Psеxec :)


It is important to communicate to your superiors that in order to effectively support the current infrastructure, additional personnel need to be hired. Consider the cost-effectiveness: would it be more cost-efficient to employ a specialist who can handle manual tasks and constantly move between PCs, or to invest in automation and server installation for AD, SCCM, and other necessary tools?

While Puppet can function adequately on Windows, its configuration process can be challenging and somewhat tricky, especially when dealing with a large software inventory. It's not uncommon to encounter unexpected issues or obstacles, based on my personal experience. On the flip side, mastering Puppet can open doors to opportunities in higher-paying positions at other organizations.

Adding from my perspective, it's crucial to evaluate the long-term benefits of automation and centralized management solutions. By investing time and resources into setting up robust systems, you can enhance efficiency, reduce manual labor, and ultimately improve the overall productivity of the IT department.


For a Windows environment without a domain, there are several tools and approaches you can consider for administering and automating tasks such as software updates, installations, managing local accounts, and configuration management. Here are a few options to explore:

1. PowerShell: PowerShell is a powerful scripting language developed by Microsoft specifically for Windows administration. With PowerShell, you can write scripts to automate various tasks, including software updates, installations, and user management. It has extensive support for managing Windows components and can integrate with other tools and technologies.

2. Chocolatey: Chocolatey is a package manager for Windows that allows you to easily install, upgrade, and manage software packages from a command-line interface. It provides a vast repository of software packages and can be used to automate software installations and updates on multiple machines simultaneously.

3. Boxstarter: Boxstarter is a tool built on top of Chocolatey that simplifies the process of setting up new Windows machines. It enables you to script and automate the installation of software, apply configurations, and perform system updates. Boxstarter also supports creating repeatable installation scripts for multiple machines.

4. PDQ Deploy: PDQ Deploy is a software deployment tool designed for Windows environments. It allows you to remotely push software installations and updates to multiple machines at once. PDQ Deploy comes with a library of pre-packaged software deployments and supports custom deployments as well.

5. Batch Scripts and Group Policy: Although not as sophisticated as some of the other options mentioned, batch scripts can still be effective for automating certain tasks in a Windows environment. You can use batch scripts and Windows Group Policy to deploy software, manage local accounts, and enforce configuration settings across multiple machines.

It's worth mentioning that while tools like Chef, Puppet, and Ansible have a stronger emphasis on Unix-based systems, they can still be used to manage Windows machines to some extent. However, if you prefer a more Windows-centric approach, exploring the options mentioned above should provide you with a good starting point for administering and automating your Windows environment without a domain.

Here are a few more tools and approaches you can consider for Windows administration and automation in your environment:

1. Microsoft Endpoint Configuration Manager (formerly SCCM): Although you mentioned cost-saving policies as a barrier to using SCCM, it's worth exploring if it aligns with your organization's needs and budget. SCCM offers comprehensive capabilities for software deployment, patch management, and configuration management in Windows environments.

2. Windows PowerShell Desired State Configuration (DSC): DSC is a PowerShell extension that enables you to define the desired state of Windows machines using declarative configuration files. It can be used to ensure consistency in configurations, manage software installations, and enforce compliance across multiple machines.

3. Microsoft Intune: Intune is a cloud-based service that allows you to manage and secure Windows devices remotely. It provides several features for software deployment, patch management, and configuration management. Intune can be particularly useful if your machines are mobile or remote, as it allows centralized management without requiring domain connectivity.

4. GPO (Group Policy Objects): Group Policy is a powerful feature in Windows that enables centralized management and configuration of machines in a Windows Active Directory domain. While you mentioned not having a domain, you might still be able to leverage GPO for managing some aspects of configuration and security settings on individual machines.

5. Windows Admin Center: Windows Admin Center is a browser-based management tool for Windows servers and Windows 10 desktops. It provides a graphical interface for performing various administrative tasks, including software updates, configuration changes, and user management. Windows Admin Center can also integrate with PowerShell, allowing for script automation.

Few more tools and approaches you can consider for Windows administration and automation in your environment:

1. BatchPatch: BatchPatch is a software patch management tool designed specifically for Windows. It allows you to remotely install updates, patches, and software deployments across multiple machines simultaneously. BatchPatch also provides scheduling, automation, and reporting capabilities.

2. Microsoft Windows Admin Center (formerly Project Honolulu): Windows Admin Center is a locally deployed, browser-based tool for managing Windows servers, clusters, and hyper-converged infrastructure. It provides a unified interface for various administrative tasks, including software management, user and group management, and configuration settings.

3. Advanced Installer: Advanced Installer is a Windows installer authoring tool that simplifies the creation and deployment of MSI packages. It offers features for packaging applications, customizing installation options, and distributing software updates. Advanced Installer also supports automation through command-line parameters and scripting.

4. Ivanti Patch Management: Ivanti Patch Management is a comprehensive patching solution specifically designed for Windows environments. It offers automated patch scanning, testing, and deployment capabilities. Ivanti Patch Management integrates with popular vulnerability assessment tools and provides reporting and compliance features.

5. Goverlan Reach: Goverlan Reach is a remote IT support and systems management software. It allows you to remotely manage and support Windows machines, perform software deployments and updates, and manage local accounts. Goverlan Reach also offers features like remote control, scripting, and reporting.