Deploying patches to client machines via GP


Dr Zoidberg

We have a mixture of client PCs at work. 2k and XP machines are around 45%
each with 10% being old 98 laptops.

Installation of software isn't much of a problem as that's rarely upgraded,
but I would like to make deployment of patches and service packs much
simpler.
If I were to just use the default domain policy to assign them to PCs then
I'd be trying to install XP service packs on 2k machines and so on and that
could cause no end of problems.

What I think would be the best way of doing this would be to create two new
OUs in Active Directory called XP and 2K and put the client PCs in the
respective OU according to operating system installed.
Then I can create a new GPO for each OU and deploy software and patches
accordingly.

With only 40 or so client machines at present it's just about feasible to go
round them and install patches manually but I'd rather spend a bit longer
setting up an automated system now in preparation for when new machines get
added.

Can anyone see any problems with what I have in mind, or a better solution?

--
Alex

"I laugh in the face of danger"

"Then I hide until it goes away"

www.drzoidberg.co.uk
 
An alternative that saves you having to alter your OU configuration (which
you may want to adjust other ways for other reasons) is to create separate
security groups for your XP/2k/98 boxen. Then use the security groups to
deny the Apply Policy permission to boxes that should not receive the given
patch -- i.e. make a GPO that patches XP (and deny the 2k and 98 security
group the apply policy permission), make a GPO to patch 2k (deny XP, 98) and
one to patch 98 (deny XP, 2k). You can now apply all 3 GPOs to every OU and
be assured that each computer will receive the appropriate patch.

Let me know if that's unclear.
\\ MadDHatteR
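
A model of the filtering described in the post above, as an added example that is not part of the original thread: it evaluates the Apply Group Policy permission with explicit Deny entries and audits a constructed inventory for machines that would receive no patch GPO or more than one. The group, GPO and computer names are assumptions made for the illustration.

```python
# Added illustration of GPO security filtering; every name here is constructed.

ALL_OS_GROUPS = {"XP-Computers", "2K-Computers", "98-Computers"}


def make_patch_gpos():
    """One patch GPO per OS; each denies Apply to the other two OS groups."""
    gpos = {}
    for target in sorted(ALL_OS_GROUPS):
        gpos["Patch-" + target] = {
            # Default ACE on a new GPO: Authenticated Users may read and apply.
            "allow_apply": {"Authenticated Users"},
            "deny_apply": ALL_OS_GROUPS - {target},
        }
    return gpos


def applied_gpos(member_of, gpos):
    """Return the GPOs a computer processes. An explicit Deny beats any Allow."""
    groups = set(member_of) | {"Authenticated Users"}
    result = []
    for name, acl in sorted(gpos.items()):
        if groups & acl["deny_apply"]:
            continue
        if groups & acl["allow_apply"]:
            result.append(name)
    return result


def audit(computers, gpos):
    """Flag computers that would receive zero or several patch GPOs."""
    applied = {h: applied_gpos(m, gpos) for h, m in computers.items()}
    return {h: got for h, got in applied.items() if len(got) != 1}


# Constructed inventory: PC-03 was never added to a group, PC-04 is in two.
COMPUTERS = {
    "PC-01": ["XP-Computers"],
    "PC-02": ["2K-Computers"],
    "PC-03": [],
    "PC-04": ["XP-Computers", "2K-Computers"],
}

if __name__ == "__main__":
    for host, got in audit(COMPUTERS, make_patch_gpos()).items():
        print(host, "->", got or "no patch GPO")
```

In this model a machine that was never placed in a group matches no Deny entry and picks up all three patch GPOs, while a machine in two groups is denied everywhere and gets none, so group membership is worth auditing before the GPOs are linked.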
 
Microsoft don't recommend using Group Policy to apply software patches,
chief problem being the lack of msi files for them. Service Packs are a
different matter and these can be installed with a GPO as per these guides:

http://support.microsoft.com/?id=260301
http://support.microsoft.com/?id=278503
http://support.microsoft.com/?id=269732

For patches and hotfixes you have 4 realistic choices. SMS with the SUS
feature pack (for enterprises only), a standalone SUS server (for midsize
companies), plain old Windows Update (for small offices only) or a 3rd party
tool like hfnetchk pro. Of these choices, SUS stands out as it is free but
if you have budget to spare hfnetchk pro is much easier to set up and use.
 
Simon said:
Microsoft don't recommend using Group Policy to apply software
patches, chief problem being the lack of msi files for them. Service
Packs are a different matter and these can be installed with a GPO as
per these guides:

http://support.microsoft.com/?id=260301
http://support.microsoft.com/?id=278503
http://support.microsoft.com/?id=269732

For patches and hotfixes you have 4 realistic choices. SMS with the
SUS feature pack (for enterprises only), a standalone SUS server (for
midsize companies), plain old Windows Update (for small offices only)
or a 3rd party tool like hfnetchk pro. Of these choices, SUS stands
out as it is free but if you have budget to spare hfnetchk pro is
much easier to set up and use.

At present we have the machines set to use Windows Update as that was the
quickest way to bring them up to date.
Before I started there was no common standard so some machines were updated
regularly, others had no service packs at all.

SMS isn't really an option, but I'll give SUS a look and see how easy it is
to get going.
My wages constitute the entire budget for this project, so paying for third
party software would not be possible I'm afraid.

Thanks for the advice.

--
Alex

"I laugh in the face of danger"

"Then I hide until it goes away"

www.drzoidberg.co.uk
 