The problem is all the companies with these stringent change control processes have been, to speak proverbially, bitten squarely in the ass by a lack of change control. I work for the polar opposite - a company where no change control exists and where the head of IT makes changes, often in the middle of the full working day, for no good operational reason that result in loss of service on other, related systems. I have also worked at companies with very strict change processes and know which one I prefer, if I had to choose an extreme. My boss decided to perform an upgrade to Active Directory 2008 not long ago and WebSense has not functioned properly since, which is annoying when 25% of my users are now browsing the net unfiltered. He upgraded our AppSense server to 2008 and then I spent a week putting it back onto a 2003 system because he hadn't done any testing. I shudder to think what will happen when he turns his upgrade-addicted eyes onto our Exchange 2007 infrastructure.
Of course, I am sure people would say "just leave", but we are in the middle of a testing economic time and I have a wife recovering from an operation and two hungry babies to feed. I'd rather work somewhere where change control was a happy medium, but IMHO, tighter than a gnat's ass beats the cowboy approach every time. Apologies for taking the topic off on a tangent :-) 2009/8/31 David Lum <david....@nwea.org> > Sounds like they’re trying hard not to be around very long if they are so > near sighted. Do they change the oil but not the filter on their cars too? > > > > Seems a simple matter of “my time at xx/hr = ThisMuch, vs this product + > install/setup/hardware = ThatMuch. Do ThisMuch x three months and compare to > ThatMuch spead over three months… > > > > Seriously, the last job I had I LEFT because they had similar asinine > thinking (can’t reboot a hung server unless you have it in Change Review > Board meeting and yes, you must attend the 1.5hr long meeting. 1.5HRS for a > hung system , hellloooo!!) . A company not thinking sensibly is a company I > will not work for. > > > > Dave > > > > *From:* tony patton [mailto:tony.pat...@quinn-insurance.com] > *Sent:* Monday, August 31, 2009 8:08 AM > *To:* NT System Admin Issues > *Subject:* Re: [On-Topic] Patching with PSEXEC > > > > What I mean by no control is two-fold: > 1. I don't have any say over most of the policies, only a subset; > 2. We have to go through a long-winded change management process to do any > changes to GPOs. > > The things that run at start-up include software installs, reg-settings, > short-cut creation, some redundant, some could be better moved to staging > ou's. > > The main issue is due to the majority of PC's being about 5 years old with > 512mb ram, sometimes if they went any slower they'd be going backwards. > They're still only ordering them in with 1gb rather than spend a little > extra to get 2gb, it'll end up costing more in the long term, but they only > care about now. > > Not confusing start-up with logon, that's a whole other issue for another > time. > > Regards > > Tony Patton > Desktop Operations Cavan > Ext 8078 > Direct Dial 049 435 2878 > email: tony.pat...@quinn-insurance.com > > From: > > Jonathan Link <jonathan.l...@gmail.com> > > To: > > "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com> > > Date: > > 31/08/2009 15:30 > > Subject: > > Re: [On-Topic] Patching with PSEXEC > > > ------------------------------ > > > > > Out of curiosity, what exactly is running at machine startup (and why can't > you control it)? Or are you confusing startup with logon? Startup and > logon are two distinct events, despite their close timing. > > > > On Mon, Aug 31, 2009 at 10:18 AM, tony patton < > tony.pat...@quinn-insurance.com> wrote: > The reasoning for not using GPO's is the amount of things that are already > running on machine startup, no control over this. > > Machine shutdown GPO is an option. > > -sc, the reason I mentioned logging, or lack thereof, is that we're pushing > for a proper patch management/deployment system, there is supposedly a > project kicking off over the next few months for this. I can log by > scripting it, that's not a problem, but we don't want a PSEXEC deployment > solution to do everything we need. > We only need it in the interim, we don't want it as a long term solution. > > To use PSEXEC long-term would be a full-time job, and we have enough to do > at the minute. > > Regards > > Tony Patton > Desktop Operations Cavan > Ext 8078 > Direct Dial 049 435 2878 > email: tony.pat...@quinn-insurance.com > > From: > > "Sam Cayze" <sam.ca...@rollouts.com> > > To: > > "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com> > > Date: > > 31/08/2009 13:35 > > Subject: > > RE: [On-Topic] Patching with PSEXEC > > > ------------------------------ > > > > > > +1 > > I just use psexec for the random one-off tasks. > > Sam > ------------------------------ > > *From:* Kennedy, Jim > [mailto:kennedy...@elyriaschools.org<kennedy...@elyriaschools.org> > ] * > Sent:* Monday, August 31, 2009 6:57 AM > * > To:* NT System Admin Issues > * > Subject:* RE: [On-Topic] Patching with PSEXEC > > > Ok, I am going off in a completely different direction. I did not see the > part where you talked to others about PSEXEC so I don’t know why you are > going in that direction. > > Why not just script it to the machines via GPO. If it is a machine policy > the install/update will run with elevated privs so you will not have any > trouble. You can get a run down on almost any app at this site, as far as > what switches and what package to use to get them deployed. > * > *http://www.appdeploy.com/ > > Your script can log the ip/machine name as it deploys….. > > > *From:* tony patton > [mailto:tony.pat...@quinn-insurance.com<tony.pat...@quinn-insurance.com>] > * > Sent:* Monday, August 31, 2009 5:59 AM* > To:* NT System Admin Issues > * > Subject:* [On-Topic] Patching with PSEXEC > > Hey all, > > Following on from IE8 doesn't work thread, management here wants start > using PSEXEC to patch applications. > > I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, > flash, firefox and UltraVNC, fine for running scripts and such, just not > sure about patching. > > Logging is a whole other thing, personally, I don't want to be able to log > which machines were successful, failed or not on > as there would be no incentive to get a proper patching solution. > I can wrap a batch file around it to re-direct output to a file, so the > possibility of logging is there. > > What are the pitfalls that any of you that use this approach have come > across? > > Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted > to work out the command for Flash but this does it, saved me a bit of work > :-) > > Slightly off-topic, don't know why anyone would want to leave this list, > keeps me sane most days. > > Sorry if this is a bit all over the place, 11am and been here before 7 :-( > All information greatly appreciated. > > Regards > > Tony Patton > Desktop Operations Cavan > Ext 8078 > Direct Dial 049 435 2878 > email: tony.pat...@quinn-insurance.com > ==================================================================== * > *http://www.quinn-insurance.com > > > > > > > -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." http://raythestray.blogspot.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
