Title: Message
Good thoughts.
 
1. I have tested the attribute to greater than 2048 ascii characters. I should have mentioned this in the original post. That should be a considerable number of hotfixes. I have gone back and forth in my head on dropping the prefix letters since no one will be googling AD to do the search... It does make sense that way someone doesn't have to try and figure out if the fix was a KB or a Q when setting up the search "operatingsystemhotfix=*;824146;*".
 
2. This would assume that the person running the update has permission to modify the attribute, which wouldn't be correct in some secure installations, such as ours. Hotfix would have to force the update to go through the computer's localsystem account. Yes, the computer itself has more rights in our directory than the person who is an admin on the computer in most every case, and most people don't have an idea that localsystem could be more powerful than a local admin....
 
3. Bah, you skipped the part about let's not debate how this is done. This makes my head hurt... Though I think it looks at the registry as well as does something else, because it does know if a hotfix hasn't been properly applied because, say, it needs a reboot to be completed. Long term my goal would be to have something native in the code to do the checks, but I also want to release a V1 that does something, and then make it better... Sound familiar? I'll try to leave out the buffer overflows though. :op
 
  joe
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, September 12, 2003 9:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operating SystemHotFix

In general, I like the concept. A few thoughts.
 
First - what's the size limit of the attribute? Some Win2k systems have required upwards of 30 patches, if not more, between service packs - which is 30x9 +1 = 271 bytes. So if that's a 255 char limit, you're going to overflow it. If that's the limit, what about storing as hex and dropping the leading KB or Q number?
 
Second - I'd suggest a push for hotfix.exe to be modified to append whatever appropriate value is decided upon for the first issue to that attrib. That strikes me as fairly simple, assuming permissions on that attribute are logical. Obviously this would require some buy-in from the team at Microsoft, but it's there and usable, so it should be used.
 
Third - Where does QFECheck get its information? It can't scan the drives - it is WAY too fast for that. I'm guessing it's stored in the registry (I know most hotfixes are stored there by default). I'd think that might be a faster and more trustworthy scheme than scraping the output of QFECheck.
 
If I ever get out from under my current workload (the end is definitely in sight) I'd be willing to chip in and help with that.
Roger

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, September 12, 2003 8:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

Howdy!
 
As you may or may not know there is an attribute in Active Directory tied to computer objects called operatingSystemHotFix (Operating-System-Hotfix).
 
As you may or may not know MS does not currently use this attribute though they do use operatingSystem and operatingSystemServicePack.
 
Has anyone heard from anyone at MS of any intent whatsoever to use that attribute other than "yeah, we will use it some day"? For instance, any timeline bounded by a year, or a possible structure of the attribute when it is used?
 
Unfortunately that attribute is a single value 2.5.5.12 (insensitive unicode string) when it should probably have been a multivalue. Oh well...
 
Anyway, if no one has heard of any definitive plans to use this (and anyone who has followed any of my posts here and in other places knows how much I want them to use that attribute), I am going to propose a format for the attribute so I can write something that will populate it, and if I get input, others might also find the joeware that I write useful as well.
 
Of course this brings up the whole issue of patch management and the ever-present questions about how you really know if a hotfix is loaded or not on a machine (i.e. has it been overwritten and regressed or superseded or whatever). I have gone around and around with MS PSS on this issue enough and don't want to rehash it here right now. So my basic method of gathering, for good or bad, at least initially would be based on qfecheck. Basically take the hotfixes from there that say current on system.
 
Ok so now say we have the list of hotfixes we want to be placed in the AD attribute. What should the format be? To start the debate if any exists I would propose the format of hotfix semicolon delimited list with a leading and trailing semicolon for the whole string.
 
The hotfixes would be normalized to all uppercase.
 
Sort order would be ascending binary sort.
 
OK so basically the attribute would look something like:
 
 
No hotfixes
<null> Blank Nada
 
1 hotfix
;KB824146;
 
Multiple hotfixes
;KB282010;KB817778;KB820291;KB821253;KB821557;KB823559;KB823980;KB824105;KB824146;Q282784;Q323255;Q324720;Q327979;Q328310;Q329048;Q329115;Q329170;Q329390;Q329441;Q329834;Q331953;Q810565;Q810577;Q810833;Q811493;Q811630;Q814033;Q814995;Q815021;Q817287;Q817606;Q819696;
 
 
For best searching the attribute should be set up with a tuple index (it isn't indexed at all right now).
 
I visualize a simple basic application that could be run as a background service that functionally runs a qfecheck (and initially may actually just spawn qfecheck and scrape the output) and then formats the data and writes it. Whether on a run-once-or-whenever basis or as a background service on some period or after reboots. The application would have to be run with an id that has access to write the attribute for the specific computer; if run on the computer itself as a service this would be fine as local system.
 
Thoughts?
 
 
  joe
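The format proposed in the post above, as an added example that is not part of the thread or of any joeware tool: a small Python helper that builds the attribute value (uppercase, ascending binary sort, leading and trailing semicolons), parses it back, and produces the delimiter-bounded search filter. It assumes the 2048-character limit mentioned in the reply and that duplicate ids collapse to one entry.

```python
# Added example for the proposed operatingSystemHotFix format; not code from
# the thread or from joeware. Assumes the 2048-character limit reported in
# the thread and that duplicate hotfix ids should collapse to one entry.
from typing import List

MAX_ATTR_CHARS = 2048  # assumption: limit the attribute was tested to


def format_hotfix_attribute(hotfixes: List[str]) -> str:
    """Build ';KB1;KB2;...;': uppercase, ascending binary sort, bounded by ';'."""
    cleaned = {h.strip().upper() for h in hotfixes if h.strip()}
    if not cleaned:
        return ""  # no hotfixes: attribute stays blank (null)
    for h in cleaned:
        if ";" in h:
            raise ValueError(f"hotfix id contains the delimiter: {h!r}")
    # Identifiers are ASCII, so code-point order equals byte order ('K' < 'Q').
    value = ";" + ";".join(sorted(cleaned)) + ";"
    if len(value) > MAX_ATTR_CHARS:
        raise ValueError(f"value is {len(value)} chars, limit {MAX_ATTR_CHARS}")
    return value


def parse_hotfix_attribute(value: str) -> List[str]:
    """Inverse of format_hotfix_attribute; an empty value means no hotfixes."""
    if not value:
        return []
    if not (value.startswith(";") and value.endswith(";")):
        raise ValueError("value must start and end with ';'")
    return [h for h in value.split(";") if h]


def attribute_lists_hotfix(value: str, hotfix: str) -> bool:
    """Substring test bounded by ';' so KB824146 does not match KB8241460."""
    return f";{hotfix.strip().upper()};" in value


def _ldap_escape(s: str) -> str:
    """RFC 4515 escaping of the characters that are special in a filter value."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in s)


def hotfix_search_filter(hotfix: str) -> str:
    """LDAP filter for 'computers reporting this hotfix', as in the thread."""
    return f"(operatingSystemHotFix=*;{_ldap_escape(hotfix.strip().upper())};*)"
```

The bounding semicolons are what make the `*;KB824146;*` search exact; without them a substring search would also match any longer id that starts with the same digits.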
