RE: Change control (was RE: [On-Topic] Patching with PSEXEC)

2009-09-01 Thread Erik Goldoff
  I used to work with/for a guy who thought it was expedient and
efficient to put out an 85% completed system into production, and *then*
tweak it.
( He was the Application Dev Manager while I was responsible for
infrastructure )
So partway into the game, his 15% updates required infrastructure or system
changes that were NOT on-the-fly updates, or he'd push out a change that
flooded the vpns with chatty, inefficient message queueing, and my team and
I were expect to solve ALL the problems and support the app without causing
any downtime
 
Actually, the guy was 85% brilliant in some of his ideas and did the company
very well for years, it was the 15% not that, well, ..

Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

  _  

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Monday, August 31, 2009 3:59 PM
To: NT System Admin Issues
Subject: Re: Change control (was RE: [On-Topic] Patching with PSEXEC)


I've worked for a number of outsourcing companies and the change control is
always very tight. It's the only way they can do it, but I admit it is
completely inflexible for the client - particularly those that retain IT
staff who now have to watch their systems managed by others who don't
understand the particular intricacies of the business or the infrastructure.

You are right about good change control being right in the middle of the
change control spectrum. Can't say I've ever found a company that managed to
strike the balance exactly right though.

The reason my boss gets away with his cowboy approach is because he is
prepared to sit there for 36 hours+ trying to get it working. I, on the
other hand, am not. He bodges solutions together and then expects me to
sanitize them and make them supportable.I love his approach though - he
breaks something, then sends an email out to let users know that it is
broken, and then puts the fastest fix in place he can find - usually
reverting to where he started. He once deleted a snapshot I took before I'd
finished testing, and made me completely unable to roll back my changes. He
never seems to face any repercussions because our users (who are probably
used to things packing up during the day) are happy as long as they get
informed as to what's busted. Things would be much smoother if I could run
them my way, but that's unlikely to happen because he is popular amongst the
golf-playing directorship (ain't it always the same?) I, on the other hand,
prefer boxing to golf and have an unfortunate habit of calling a spade a
spade, which seems to preclude me from breaking into the management "click".
Ho-hum. Still - it's only ten minutes drive from home :-)




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Change control (was RE: [On-Topic] Patching with PSEXEC)

2009-09-01 Thread Chris Orovet
Hmm do we work for the same company?

 

Regards,

 

Chris Orovet  





 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Monday, August 31, 2009 3:59 PM
To: NT System Admin Issues
Subject: Re: Change control (was RE: [On-Topic] Patching with PSEXEC)

 

I've worked for a number of outsourcing companies and the change control
is always very tight. It's the only way they can do it, but I admit it
is completely inflexible for the client - particularly those that retain
IT staff who now have to watch their systems managed by others who don't
understand the particular intricacies of the business or the
infrastructure.

You are right about good change control being right in the middle of the
change control spectrum. Can't say I've ever found a company that
managed to strike the balance exactly right though.

The reason my boss gets away with his cowboy approach is because he is
prepared to sit there for 36 hours+ trying to get it working. I, on the
other hand, am not. He bodges solutions together and then expects me to
sanitize them and make them supportable.I love his approach though - he
breaks something, then sends an email out to let users know that it is
broken, and then puts the fastest fix in place he can find - usually
reverting to where he started. He once deleted a snapshot I took before
I'd finished testing, and made me completely unable to roll back my
changes. He never seems to face any repercussions because our users (who
are probably used to things packing up during the day) are happy as long
as they get informed as to what's busted. Things would be much smoother
if I could run them my way, but that's unlikely to happen because he is
popular amongst the golf-playing directorship (ain't it always the
same?) I, on the other hand, prefer boxing to golf and have an
unfortunate habit of calling a spade a spade, which seems to preclude me
from breaking into the management "click". Ho-hum. Still - it's only ten
minutes drive from home :-)

2009/8/31 David Lum 

I totally understand the need for change control, but there certainly
are efficient ways to implement it. %DAYJOB% has good change control,
%FORMERDAYJOB% didn't.  To put names to it, I used to work for Textron
and they had good change control. After being there 10 years they
outsourced *some* of the IT infrastructure (the support portion, not the
programmers) to CSC and CSC's change control was insane.

 

I do realize leaving in these economic times is tougher, but it wouldn't
stop me from looking

 

Does your boss not face any repercussions from deploying w/out testing?
I would use them as an opportunity to either work with him or go above
him with a plan on "this is how we should handle change, xxx problems
happened because we had no process and ExampleA and ExampleB problems
would have been prevented, here's how"

 

Dave

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Monday, August 31, 2009 12:09 PM
To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC

 

The problem is all the companies with these stringent change control
processes have been, to speak proverbially, bitten squarely in the ass
by a lack of change control. I work for the polar opposite - a company
where no change control exists and where the head of IT makes changes,
often in the middle of the full working day, for no good operational
reason that result in loss of service on other, related systems. I have
also worked at companies with very strict change processes and know
which one I prefer, if I had to choose an extreme. My boss decided to
perform an upgrade to Active Directory 2008 not long ago and WebSense
has not functioned properly since, which is annoying when 25% of my
users are now browsing the net unfiltered. He upgraded our AppSense
server to 2008 and then I spent a week putting it back onto a 2003
system because he hadn't done any testing. I shudder to think what will
happen when he turns his upgrade-addicted eyes onto our Exchange 2007
infrastructure.

Of course, I am sure people would say "just leave", but we are in the
middle of a testing economic time and I have a wife recovering from an
operation and two hungry babies to feed. I'd rather work somewhere where
change control was a happy medium, but IMHO, tighter than a gnat's ass
beats the cowboy approach every time.

Apologies for taking the topic off on a tangent :-)

2009/8/31 David Lum 

Sounds like they're trying hard not to be around very long if they are
so near sighted. Do they change the oil but not the filter on their cars
too?

 

Seems a simple matter of "my time at xx/hr = ThisMuch, vs this product +
install/setup/hardware = ThatMuch. Do ThisMuch x three months and
compare to ThatMuch spead over three months...

 

Seriously, the last job I had I LEFT because they had similar asinine
thinking (can't reboot a hung 

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Brian Desmond
I have patched tens of thousands of boxes with psexec. My current patching 
script I use is a VBScript which I launch from psexec. Works great. Logging is 
built-in to the scripts...

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Monday, August 31, 2009 4:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC

Hey all,

Following on from IE8 doesn't work thread, management here wants start using 
PSEXEC to patch applications.

I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, 
flash, firefox and UltraVNC, fine for running scripts and such, just not sure 
about patching.

Logging is a whole other thing, personally, I don't want to be able to log 
which machines were successful, failed or not on
as there would be no incentive to get a proper patching solution.
I can wrap a batch file around it to re-direct output to a file, so the 
possibility of logging is there.

What are the pitfalls that any of you that use this approach have come across?

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted to 
work out the command for Flash but this does it, saved me a bit of work :-)

Slightly off-topic, don't know why anyone would want to leave this list, keeps 
me sane most days.

Sorry if this is a bit all over the place, 11am and been here before 7 :-(
All information greatly appreciated.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com<mailto:tony.pat...@quinn-insurance.com>



http://www.quinn-insurance.com



This e-mail is intended only for the addressee named above. The contents

should not be copied nor disclosed to any other person. Any views or

opinions expressed are solely those of the sender and

do not necessarily represent those of QUINN-Insurance, unless otherwise

specifically stated . As internet communications are not secure,

QUINN-Insurance is not responsible for the contents of this message nor

responsible for any change made to this message after it was sent by the

original sender. Although virus scanning is used on all inbound and

outbound e-mail, we advise you to carry out your own virus check before

opening any attachment. We cannot accept liability for any damage sustained

as a result of any software viruses.







QUINN-Life Direct Limited is regulated by the Financial Regulator.

QUINN-Insurance Limited is regulated by the Financial Regulator and

regulated by the Financial Services Authority for the conduct of UK

business.







QUINN-Life Direct Limited is registered in Ireland, registration number

292374 and is a private company limited by shares.

QUINN-Insurance Limited is registered in Ireland, registration number

240768 and is a private company limited by shares.

Both companies have their head office at Dublin Road, Cavan, Co. Cavan.





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Re: Change control (was RE: [On-Topic] Patching with PSEXEC)

2009-08-31 Thread Jon Harris
Arguing with the boss or pointing out their mistakes only makes for a bad
work environment which can lead to you losing your job or him making your
work life H%%%. At this point in time your answer shows great understanding
for the basic fact that 1) the boss is always right, and 2) if the boss is
wrong refer to 1).

Jon

On Mon, Aug 31, 2009 at 3:58 PM, James Rankin  wrote:

> I've worked for a number of outsourcing companies and the change control is
> always very tight. It's the only way they can do it, but I admit it is
> completely inflexible for the client - particularly those that retain IT
> staff who now have to watch their systems managed by others who don't
> understand the particular intricacies of the business or the infrastructure.
>
> You are right about good change control being right in the middle of the
> change control spectrum. Can't say I've ever found a company that managed to
> strike the balance exactly right though.
>
> The reason my boss gets away with his cowboy approach is because he is
> prepared to sit there for 36 hours+ trying to get it working. I, on the
> other hand, am not. He bodges solutions together and then expects me to
> sanitize them and make them supportable.I love his approach though - he
> breaks something, then sends an email out to let users know that it is
> broken, and then puts the fastest fix in place he can find - usually
> reverting to where he started. He once deleted a snapshot I took before I'd
> finished testing, and made me completely unable to roll back my changes. He
> never seems to face any repercussions because our users (who are probably
> used to things packing up during the day) are happy as long as they get
> informed as to what's busted. Things would be much smoother if I could run
> them my way, but that's unlikely to happen because he is popular amongst the
> golf-playing directorship (ain't it always the same?) I, on the other hand,
> prefer boxing to golf and have an unfortunate habit of calling a spade a
> spade, which seems to preclude me from breaking into the management "click".
> Ho-hum. Still - it's only ten minutes drive from home :-)
>
>
> 2009/8/31 David Lum 
>
>>  I totally understand the need for change control, but there certainly
>> are efficient ways to implement it. %DAYJOB% has good change control,
>> %FORMERDAYJOB% didn’t.  To put names to it, I used to work for Textron and
>> they had good change control. After being there 10 years they outsourced *
>> *some** of the IT infrastructure (the support portion, not the
>> programmers) to CSC and CSC’s change control was insane.
>>
>>
>>
>> I do realize leaving in these economic times is tougher, but it wouldn’t
>> stop me from looking….
>>
>>
>>
>> Does your boss not face any repercussions from deploying w/out testing? I
>> would use them as an opportunity to either work with him or go above him
>> with a plan on “this is how we should handle change, xxx problems happened
>> because we had no process and ExampleA and ExampleB problems would have been
>> prevented, here’s how….”
>>
>>
>>
>> Dave
>>
>>
>>
>> *From:* James Rankin [mailto:kz2...@googlemail.com]
>> *Sent:* Monday, August 31, 2009 12:09 PM
>> *To:* NT System Admin Issues
>> *Subject:* Re: [On-Topic] Patching with PSEXEC
>>
>>
>>
>> The problem is all the companies with these stringent change control
>> processes have been, to speak proverbially, bitten squarely in the ass by a
>> lack of change control. I work for the polar opposite - a company where no
>> change control exists and where the head of IT makes changes, often in the
>> middle of the full working day, for no good operational reason that result
>> in loss of service on other, related systems. I have also worked at
>> companies with very strict change processes and know which one I prefer, if
>> I had to choose an extreme. My boss decided to perform an upgrade to Active
>> Directory 2008 not long ago and WebSense has not functioned properly since,
>> which is annoying when 25% of my users are now browsing the net unfiltered.
>> He upgraded our AppSense server to 2008 and then I spent a week putting it
>> back onto a 2003 system because he hadn't done any testing. I shudder to
>> think what will happen when he turns his upgrade-addicted eyes onto our
>> Exchange 2007 infrastructure.
>>
>> Of course, I am sure people would say "just leave", but we are in the
>> middle of a testing economic time and I have a wife recovering from an
>> operation and two hungry babies to feed. I'd rathe

Re: Change control (was RE: [On-Topic] Patching with PSEXEC)

2009-08-31 Thread James Rankin
I've worked for a number of outsourcing companies and the change control is
always very tight. It's the only way they can do it, but I admit it is
completely inflexible for the client - particularly those that retain IT
staff who now have to watch their systems managed by others who don't
understand the particular intricacies of the business or the infrastructure.

You are right about good change control being right in the middle of the
change control spectrum. Can't say I've ever found a company that managed to
strike the balance exactly right though.

The reason my boss gets away with his cowboy approach is because he is
prepared to sit there for 36 hours+ trying to get it working. I, on the
other hand, am not. He bodges solutions together and then expects me to
sanitize them and make them supportable.I love his approach though - he
breaks something, then sends an email out to let users know that it is
broken, and then puts the fastest fix in place he can find - usually
reverting to where he started. He once deleted a snapshot I took before I'd
finished testing, and made me completely unable to roll back my changes. He
never seems to face any repercussions because our users (who are probably
used to things packing up during the day) are happy as long as they get
informed as to what's busted. Things would be much smoother if I could run
them my way, but that's unlikely to happen because he is popular amongst the
golf-playing directorship (ain't it always the same?) I, on the other hand,
prefer boxing to golf and have an unfortunate habit of calling a spade a
spade, which seems to preclude me from breaking into the management "click".
Ho-hum. Still - it's only ten minutes drive from home :-)

2009/8/31 David Lum 

>  I totally understand the need for change control, but there certainly are
> efficient ways to implement it. %DAYJOB% has good change control,
> %FORMERDAYJOB% didn’t.  To put names to it, I used to work for Textron and
> they had good change control. After being there 10 years they outsourced *
> *some** of the IT infrastructure (the support portion, not the
> programmers) to CSC and CSC’s change control was insane.
>
>
>
> I do realize leaving in these economic times is tougher, but it wouldn’t
> stop me from looking….
>
>
>
> Does your boss not face any repercussions from deploying w/out testing? I
> would use them as an opportunity to either work with him or go above him
> with a plan on “this is how we should handle change, xxx problems happened
> because we had no process and ExampleA and ExampleB problems would have been
> prevented, here’s how….”
>
>
>
> Dave
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Monday, August 31, 2009 12:09 PM
> *To:* NT System Admin Issues
> *Subject:* Re: [On-Topic] Patching with PSEXEC
>
>
>
> The problem is all the companies with these stringent change control
> processes have been, to speak proverbially, bitten squarely in the ass by a
> lack of change control. I work for the polar opposite - a company where no
> change control exists and where the head of IT makes changes, often in the
> middle of the full working day, for no good operational reason that result
> in loss of service on other, related systems. I have also worked at
> companies with very strict change processes and know which one I prefer, if
> I had to choose an extreme. My boss decided to perform an upgrade to Active
> Directory 2008 not long ago and WebSense has not functioned properly since,
> which is annoying when 25% of my users are now browsing the net unfiltered.
> He upgraded our AppSense server to 2008 and then I spent a week putting it
> back onto a 2003 system because he hadn't done any testing. I shudder to
> think what will happen when he turns his upgrade-addicted eyes onto our
> Exchange 2007 infrastructure.
>
> Of course, I am sure people would say "just leave", but we are in the
> middle of a testing economic time and I have a wife recovering from an
> operation and two hungry babies to feed. I'd rather work somewhere where
> change control was a happy medium, but IMHO, tighter than a gnat's ass beats
> the cowboy approach every time.
>
> Apologies for taking the topic off on a tangent :-)
>
> 2009/8/31 David Lum 
>
> Sounds like they’re trying hard not to be around very long if they are so
> near sighted. Do they change the oil but not the filter on their cars too?
>
>
>
> Seems a simple matter of “my time at xx/hr = ThisMuch, vs this product +
> install/setup/hardware = ThatMuch. Do ThisMuch x three months and compare to
> ThatMuch spead over three months…
>
>
>
> Seriously, the last job I had I LEFT because they had similar asinine
> thinking (can’t re

Change control (was RE: [On-Topic] Patching with PSEXEC)

2009-08-31 Thread David Lum
I totally understand the need for change control, but there certainly are 
efficient ways to implement it. %DAYJOB% has good change control, 
%FORMERDAYJOB% didn't.  To put names to it, I used to work for Textron and they 
had good change control. After being there 10 years they outsourced *some* of 
the IT infrastructure (the support portion, not the programmers) to CSC and 
CSC's change control was insane.

I do realize leaving in these economic times is tougher, but it wouldn't stop 
me from looking

Does your boss not face any repercussions from deploying w/out testing? I would 
use them as an opportunity to either work with him or go above him with a plan 
on "this is how we should handle change, xxx problems happened because we had 
no process and ExampleA and ExampleB problems would have been prevented, here's 
how"

Dave

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, August 31, 2009 12:09 PM
To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC

The problem is all the companies with these stringent change control processes 
have been, to speak proverbially, bitten squarely in the ass by a lack of 
change control. I work for the polar opposite - a company where no change 
control exists and where the head of IT makes changes, often in the middle of 
the full working day, for no good operational reason that result in loss of 
service on other, related systems. I have also worked at companies with very 
strict change processes and know which one I prefer, if I had to choose an 
extreme. My boss decided to perform an upgrade to Active Directory 2008 not 
long ago and WebSense has not functioned properly since, which is annoying when 
25% of my users are now browsing the net unfiltered. He upgraded our AppSense 
server to 2008 and then I spent a week putting it back onto a 2003 system 
because he hadn't done any testing. I shudder to think what will happen when he 
turns his upgrade-addicted eyes onto our Exchange 2007 infrastructure.

Of course, I am sure people would say "just leave", but we are in the middle of 
a testing economic time and I have a wife recovering from an operation and two 
hungry babies to feed. I'd rather work somewhere where change control was a 
happy medium, but IMHO, tighter than a gnat's ass beats the cowboy approach 
every time.

Apologies for taking the topic off on a tangent :-)
2009/8/31 David Lum mailto:david@nwea.org>>

Sounds like they're trying hard not to be around very long if they are so near 
sighted. Do they change the oil but not the filter on their cars too?



Seems a simple matter of "my time at xx/hr = ThisMuch, vs this product + 
install/setup/hardware = ThatMuch. Do ThisMuch x three months and compare to 
ThatMuch spead over three months...



Seriously, the last job I had I LEFT because they had similar asinine thinking 
(can't reboot a hung server unless you have it in Change Review Board meeting 
and yes, you must attend the 1.5hr long meeting. 1.5HRS for a hung system , 
helll!!) . A company not thinking sensibly is a company I will not work for.



Dave



From: tony patton 
[mailto:tony.pat...@quinn-insurance.com<mailto:tony.pat...@quinn-insurance.com>]
Sent: Monday, August 31, 2009 8:08 AM

To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC



What I mean by no control is two-fold:
1. I don't have any say over most of the policies, only a subset;
2. We have to go through a long-winded change management process to do any 
changes to GPOs.

The things that run at start-up include software installs, reg-settings, 
short-cut creation, some redundant, some could be better moved to staging ou's.

The main issue is due to the majority of PC's being about 5 years old with 
512mb ram, sometimes if they went any slower they'd be going backwards.
They're still only ordering them in with 1gb rather than spend a little extra 
to get 2gb, it'll end up costing more in the long term, but they only care 
about now.

Not confusing start-up with logon, that's a whole other issue for another time.
Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com<mailto:tony.pat...@quinn-insurance.com>


From:


Jonathan Link mailto:jonathan.l...@gmail.com>>


To:


"NT System Admin Issues" 
mailto:ntsysadmin@lyris.sunbelt-software.com>>



Date:


31/08/2009 15:30


Subject:


Re: [On-Topic] Patching with PSEXEC








Out of curiosity, what exactly is running at machine startup (and why can't you 
control it)?  Or are you confusing startup with logon?  Startup and logon are 
two distinct events, despite their close timing.



On Mon, Aug 31, 2009 at 10:18 AM, tony patton 
mailto:tony.pat...@quinn-insurance.com>> wrote:
The reasoning for not using GPO&#x

Re: [On-Topic] Patching with PSEXEC

2009-08-31 Thread James Rankin
The problem is all the companies with these stringent change control
processes have been, to speak proverbially, bitten squarely in the ass by a
lack of change control. I work for the polar opposite - a company where no
change control exists and where the head of IT makes changes, often in the
middle of the full working day, for no good operational reason that result
in loss of service on other, related systems. I have also worked at
companies with very strict change processes and know which one I prefer, if
I had to choose an extreme. My boss decided to perform an upgrade to Active
Directory 2008 not long ago and WebSense has not functioned properly since,
which is annoying when 25% of my users are now browsing the net unfiltered.
He upgraded our AppSense server to 2008 and then I spent a week putting it
back onto a 2003 system because he hadn't done any testing. I shudder to
think what will happen when he turns his upgrade-addicted eyes onto our
Exchange 2007 infrastructure.

Of course, I am sure people would say "just leave", but we are in the middle
of a testing economic time and I have a wife recovering from an operation
and two hungry babies to feed. I'd rather work somewhere where change
control was a happy medium, but IMHO, tighter than a gnat's ass beats the
cowboy approach every time.

Apologies for taking the topic off on a tangent :-)

2009/8/31 David Lum 

>  Sounds like they’re trying hard not to be around very long if they are so
> near sighted. Do they change the oil but not the filter on their cars too?
>
>
>
> Seems a simple matter of “my time at xx/hr = ThisMuch, vs this product +
> install/setup/hardware = ThatMuch. Do ThisMuch x three months and compare to
> ThatMuch spead over three months…
>
>
>
> Seriously, the last job I had I LEFT because they had similar asinine
> thinking (can’t reboot a hung server unless you have it in Change Review
> Board meeting and yes, you must attend the 1.5hr long meeting. 1.5HRS for a
> hung system , helll!!) . A company not thinking sensibly is a company I
> will not work for.
>
>
>
> Dave
>
>
>
> *From:* tony patton [mailto:tony.pat...@quinn-insurance.com]
> *Sent:* Monday, August 31, 2009 8:08 AM
> *To:* NT System Admin Issues
> *Subject:* Re: [On-Topic] Patching with PSEXEC
>
>
>
> What I mean by no control is two-fold:
> 1. I don't have any say over most of the policies, only a subset;
> 2. We have to go through a long-winded change management process to do any
> changes to GPOs.
>
> The things that run at start-up include software installs, reg-settings,
> short-cut creation, some redundant, some could be better moved to staging
> ou's.
>
> The main issue is due to the majority of PC's being about 5 years old with
> 512mb ram, sometimes if they went any slower they'd be going backwards.
> They're still only ordering them in with 1gb rather than spend a little
> extra to get 2gb, it'll end up costing more in the long term, but they only
> care about now.
>
> Not confusing start-up with logon, that's a whole other issue for another
> time.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: tony.pat...@quinn-insurance.com
>
>   From:
>
> Jonathan Link 
>
> To:
>
> "NT System Admin Issues" 
>
> Date:
>
> 31/08/2009 15:30
>
> Subject:
>
> Re: [On-Topic] Patching with PSEXEC
>
>
>  --
>
>
>
>
> Out of curiosity, what exactly is running at machine startup (and why can't
> you control it)?  Or are you confusing startup with logon?  Startup and
> logon are two distinct events, despite their close timing.
>
>
>
> On Mon, Aug 31, 2009 at 10:18 AM, tony patton <
> tony.pat...@quinn-insurance.com> wrote:
> The reasoning for not using GPO's is the amount of things that are already
> running on machine startup, no control over this.
>
> Machine shutdown GPO is an option.
>
> -sc, the reason I mentioned logging, or lack thereof, is that we're pushing
> for a proper patch management/deployment system, there is supposedly a
> project kicking off over the next few months for this.  I can log by
> scripting it, that's not a problem, but we don't want a PSEXEC deployment
> solution to do everything we need.
> We only need it in the interim, we don't want it as a long term solution.
>
> To use PSEXEC long-term would be a full-time job, and we have enough to do
> at the minute.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: tony.pat...@quinn-insurance.com
>
> From:
>
> "Sam Cayze" 
>
&g

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread David Lum
Sounds like they're trying hard not to be around very long if they are so near 
sighted. Do they change the oil but not the filter on their cars too?

Seems a simple matter of "my time at xx/hr = ThisMuch, vs this product + 
install/setup/hardware = ThatMuch. Do ThisMuch x three months and compare to 
ThatMuch spead over three months...

Seriously, the last job I had I LEFT because they had similar asinine thinking 
(can't reboot a hung server unless you have it in Change Review Board meeting 
and yes, you must attend the 1.5hr long meeting. 1.5HRS for a hung system , 
helll!!) . A company not thinking sensibly is a company I will not work for.

Dave

From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Monday, August 31, 2009 8:08 AM
To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC

What I mean by no control is two-fold:
1. I don't have any say over most of the policies, only a subset;
2. We have to go through a long-winded change management process to do any 
changes to GPOs.

The things that run at start-up include software installs, reg-settings, 
short-cut creation, some redundant, some could be better moved to staging ou's.

The main issue is due to the majority of PC's being about 5 years old with 
512mb ram, sometimes if they went any slower they'd be going backwards.
They're still only ordering them in with 1gb rather than spend a little extra 
to get 2gb, it'll end up costing more in the long term, but they only care 
about now.

Not confusing start-up with logon, that's a whole other issue for another time.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

From:

Jonathan Link 

To:

"NT System Admin Issues" 

Date:

31/08/2009 15:30

Subject:

Re: [On-Topic] Patching with PSEXEC






Out of curiosity, what exactly is running at machine startup (and why can't you 
control it)?  Or are you confusing startup with logon?  Startup and logon are 
two distinct events, despite their close timing.



On Mon, Aug 31, 2009 at 10:18 AM, tony patton 
mailto:tony.pat...@quinn-insurance.com>> wrote:
The reasoning for not using GPO's is the amount of things that are already 
running on machine startup, no control over this.

Machine shutdown GPO is an option.

-sc, the reason I mentioned logging, or lack thereof, is that we're pushing for 
a proper patch management/deployment system, there is supposedly a project 
kicking off over the next few months for this.  I can log by scripting it, 
that's not a problem, but we don't want a PSEXEC deployment solution to do 
everything we need.
We only need it in the interim, we don't want it as a long term solution.

To use PSEXEC long-term would be a full-time job, and we have enough to do at 
the minute.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com<mailto:tony.pat...@quinn-insurance.com>
From:

"Sam Cayze" 

To:

"NT System Admin Issues" 
mailto:ntsysadmin@lyris.sunbelt-software.com>>

Date:

31/08/2009 13:35

Subject:

RE: [On-Topic] Patching with PSEXEC







+1

I just use psexec for the random one-off tasks.

Sam

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org
]
Sent: Monday, August 31, 2009 6:57 AM

To: NT System Admin Issues

Subject: RE: [On-Topic] Patching with PSEXEC


Ok, I am going off in a completely different direction. I did not see the part 
where you talked to others about PSEXEC so I don't know why you are going in 
that direction.

Why not just script it to the machines via GPO. If it is a machine policy the 
install/update will run with elevated privs so you will not have any trouble. 
You can get a run down on almost any app at this site, as far as what switches 
and what package to use to get them deployed.

http://www.appdeploy.com/

Your script can log the ip/machine name as it deploys.


From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC

Hey all,

Following on from IE8 doesn't work thread, management here wants start using 
PSEXEC to patch applications.

I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, 
flash, firefox and UltraVNC, fine for running scripts and such, just not sure 
about patching.

Logging is a whole other thing, personally, I don't want to be able to log 
which machines were successful, failed or not on
as there would be no incentive to get a proper patching solution.
I can wrap a batch file around it to re-direct output to a file, so the 
possibility of logging is there.

What are the pitfalls that any of you that use this approach have come across?

Als

Re: [On-Topic] Patching with PSEXEC

2009-08-31 Thread James Rankin
Quite correcton our psexec-utilizing batch script patching routines, we
managed to write in a passable amount of error handling, but reporting had
to be written as a separate utility.

2009/8/31 Steven M. Caesare 

>  Indeed.
>
>
>
> However, one shouldn’t overlook the value of logging, reporting, error
> handling, etc…
>
>
>
> It’s a significant challenge.
>
>
>
> -sc
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Monday, August 31, 2009 11:32 AM
> *To:* NT System Admin Issues
> *Subject:* Re: [On-Topic] Patching with PSEXEC
>
>
>
> Ah yes. Read threads fully before responding, one must.
>
> GPO would be the way to go then - although I tend to use the Citrix
> Application Packager when the fit takes me, although obviously the fact that
> I run a Citrix farm kinda helps me out there. You can also do third-party
> kit through VMWare Update Manager (Shavlik for VirtualCenter essentially)
> and SCCM, but those have all the cost implications we all know about. Psexec
> comes in quite handy once you've packaged applications up to install
> quietly, if you can - or identified all the necessary switches. Adobe's
> customisation tool is quite good for building customised installers (one of
> the few things Adobe seems to do well)
>
> 2009/8/31 Steven M. Caesare 
>
> I agree on the “it becomes a full time job part”.
>
>
>
> However, he specifically mention non-MS apps… and WSUS won’t do that.
>
>
>
> -sc
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Monday, August 31, 2009 9:49 AM
>
>
> *To:* NT System Admin Issues
>
> *Subject:* Re: [On-Topic] Patching with PSEXEC
>
>
>
> We used to use a batch script using psexec to patch 500 Windows NT Server
> systems because management wouldn't pay for anything. We had to do the OS,
> Internet Explorer (all versions), Adobe, Office, all the other stuff. We
> started off using a text file full of data being parsed for the relevant
> systems so that we'd know what to install on each system as they were
> discovered. Someone (me) ended up working on this data file and the script
> almost full time, spending hours after every patch release working out where
> the files were updated, how to test if it applied, which systems needed it,
> and how to work the logic into the batch script to make sure it didn't go
> where it didn't. And this is in the pre-64-bit and virtualisation days. I
> can't imagine how complex it would be now.
>
> Most sensible accounts at this time paid for UpdateExpert or HfNetChk. When
> MS released WSUS, we all breathed a collective sigh of relief and went back
> to other day-to-day admin tasks. We, as others probably do, only use psexec
> for one-off tasks now. Patching is far too complex a beast for it, unless
> you like having to spend all your time what MS will do for you for nothing.
>
> 2009/8/31 tony patton 
>
> Hey all,
>
> Following on from IE8 doesn't work thread, management here wants start
> using PSEXEC to patch applications.
>
> I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader,
> flash, firefox and UltraVNC, fine for running scripts and such, just not
> sure about patching.
>
> Logging is a whole other thing, personally, I don't want to be able to log
> which machines were successful, failed or not on
> as there would be no incentive to get a proper patching solution.
> I can wrap a batch file around it to re-direct output to a file, so the
> possibility of logging is there.
>
> What are the pitfalls that any of you that use this approach have come
> across?
>
> Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted
> to work out the command for Flash but this does it, saved me a bit of work
> :-)
>
> Slightly off-topic, don't know why anyone would want to leave this list,
> keeps me sane most days.
>
> Sorry if this is a bit all over the place, 11am and been here before 7 :-(
> All information greatly appreciated.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: tony.pat...@quinn-insurance.com
>
> 
>
> http://www.quinn-insurance.com
>
>
>
> This e-mail is intended only for the addressee named above. The contents
>
> should not be copied nor disclosed to any other person. Any views or
>
> opinions expressed are solely those of the sender and
>
> do not necessarily represent those of QUINN-Insurance, unless otherwise
>
> specifically stated . As interne

Re: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Jon Harris
Ah, now it makes a lot more sense.  Yeah WSUS could do patching of other
stuff (well is it is suppose to anyway but...) I would look at something
from Shavlik or Eeye for what you really want to do.  Patching without the
necessary proof is just time spent running in place.  Good luck staying out
of the hole someone is digging for you.

Jon

On Mon, Aug 31, 2009 at 11:48 AM, tony patton <
tony.pat...@quinn-insurance.com> wrote:

> Forget to say in the original email, we use WSUS for the Microsoft stuff,
> but have nothing for anything else.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: tony.pat...@quinn-insurance.com
>
>
>   From: Jon Harris  To: "NT System Admin Issues" <
> ntsysadmin@lyris.sunbelt-software.com>
>  Date: 31/08/2009 16:37
>  Subject: Re: [On-Topic] Patching with PSEXEC
>
> --
>
>
>
> Okay I will bite on this, why no WSUS?  I am directing this to the OP now.
> It is relativity free, it does require a license for a machine but it will
> run on a desktop (not very well but it will run).  Server licenses are not
> cheap but with that many machines you should be able to get one license and
> not break the bank.  It does not need a real fast or beefy machine to run
> it.
>
> Jon
>
> On Mon, Aug 31, 2009 at 11:08 AM, tony patton <*
> tony.pat...@quinn-insurance.com* > wrote:
> What I mean by no control is two-fold:
> 1. I don't have any say over most of the policies, only a subset;
> 2. We have to go through a long-winded change management process to do any
> changes to GPOs.
>
> The things that run at start-up include software installs, reg-settings,
> short-cut creation, some redundant, some could be better moved to staging
> ou's.
>
> The main issue is due to the majority of PC's being about 5 years old with
> 512mb ram, sometimes if they went any slower they'd be going backwards.
> They're still only ordering them in with 1gb rather than spend a little
> extra to get 2gb, it'll end up costing more in the long term, but they only
> care about now.
>
> Not confusing start-up with logon, that's a whole other issue for another
> time.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: *tony.pat...@quinn-insurance.com* 
>
>   From: Jonathan Link <*jonathan.l...@gmail.com* 
> >  To: "NT System Admin Issues" 
> > <*ntsysad...@lyris.sunbelt-software.com*
> >  Date: 31/08/2009 15:30  Subject: Re: [On-Topic] Patching with PSEXEC
>
> --
>
>
>
>
> Out of curiosity, what exactly is running at machine startup (and why can't
> you control it)?  Or are you confusing startup with logon?  Startup and
> logon are two distinct events, despite their close timing.
>
>
>
> On Mon, Aug 31, 2009 at 10:18 AM, tony patton <*
> tony.pat...@quinn-insurance.com* > wrote:
>
> The reasoning for not using GPO's is the amount of things that are already
> running on machine startup, no control over this.
>
> Machine shutdown GPO is an option.
>
> -sc, the reason I mentioned logging, or lack thereof, is that we're pushing
> for a proper patch management/deployment system, there is supposedly a
> project kicking off over the next few months for this.  I can log by
> scripting it, that's not a problem, but we don't want a PSEXEC deployment
> solution to do everything we need.
> We only need it in the interim, we don't want it as a long term solution.
>
> To use PSEXEC long-term would be a full-time job, and we have enough to do
> at the minute.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: *tony.pat...@quinn-insurance.com* 
>   From: "Sam Cayze"   To: "NT System Admin Issues"
> <*ntsysad...@lyris.sunbelt-software.com*
> >  Date: 31/08/2009 13:35  Subject: RE: [On-Topic] Patching with PSEXEC
>
>
> --
>
>
>
>
> +1
>
> I just use psexec for the random one-off tasks.
>
> Sam
>
> --
> *From:* Kennedy, Jim 
> [*mailto:kennedy...@elyriaschools.org*
> ] *
> Sent:* Monday, August 31, 2009 6:57 AM *
>
> To:* NT System Admin Issues *
>
> Subject:* RE: [On-Topic] Patching with PSEXEC
>
>
> Ok, I am going off in a completely different direction. I did not see the
> part where you talked to others about PSEXEC so I don’t know why you are
> going in that direction.
>
> Why not just script it to the machines via GPO. If it is a machine policy

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Steven M. Caesare
Indeed.

 

However, one shouldn't overlook the value of logging, reporting, error
handling, etc...

 

It's a significant challenge.

 

-sc

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Monday, August 31, 2009 11:32 AM
To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC

 

Ah yes. Read threads fully before responding, one must.

GPO would be the way to go then - although I tend to use the Citrix
Application Packager when the fit takes me, although obviously the fact
that I run a Citrix farm kinda helps me out there. You can also do
third-party kit through VMWare Update Manager (Shavlik for VirtualCenter
essentially) and SCCM, but those have all the cost implications we all
know about. Psexec comes in quite handy once you've packaged
applications up to install quietly, if you can - or identified all the
necessary switches. Adobe's customisation tool is quite good for
building customised installers (one of the few things Adobe seems to do
well)

2009/8/31 Steven M. Caesare 

I agree on the "it becomes a full time job part".

 

However, he specifically mention non-MS apps... and WSUS won't do that.

 

-sc

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Monday, August 31, 2009 9:49 AM


To: NT System Admin Issues

Subject: Re: [On-Topic] Patching with PSEXEC

 

We used to use a batch script using psexec to patch 500 Windows NT
Server systems because management wouldn't pay for anything. We had to
do the OS, Internet Explorer (all versions), Adobe, Office, all the
other stuff. We started off using a text file full of data being parsed
for the relevant systems so that we'd know what to install on each
system as they were discovered. Someone (me) ended up working on this
data file and the script almost full time, spending hours after every
patch release working out where the files were updated, how to test if
it applied, which systems needed it, and how to work the logic into the
batch script to make sure it didn't go where it didn't. And this is in
the pre-64-bit and virtualisation days. I can't imagine how complex it
would be now.

Most sensible accounts at this time paid for UpdateExpert or HfNetChk.
When MS released WSUS, we all breathed a collective sigh of relief and
went back to other day-to-day admin tasks. We, as others probably do,
only use psexec for one-off tasks now. Patching is far too complex a
beast for it, unless you like having to spend all your time what MS will
do for you for nothing.

2009/8/31 tony patton 

Hey all, 

Following on from IE8 doesn't work thread, management here wants start
using PSEXEC to patch applications. 

I'm a bit hesitant to use it for patching 2800 desktops for Adobe
reader, flash, firefox and UltraVNC, fine for running scripts and such,
just not sure about patching. 

Logging is a whole other thing, personally, I don't want to be able to
log which machines were successful, failed or not on 
as there would be no incentive to get a proper patching solution. 
I can wrap a batch file around it to re-direct output to a file, so the
possibility of logging is there. 

What are the pitfalls that any of you that use this approach have come
across? 

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't
attempted to work out the command for Flash but this does it, saved me a
bit of work :-) 

Slightly off-topic, don't know why anyone would want to leave this list,
keeps me sane most days. 

Sorry if this is a bit all over the place, 11am and been here before 7
:-( 
All information greatly appreciated. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com


http://www.quinn-insurance.com
 
This e-mail is intended only for the addressee named above. The contents
should not be copied nor disclosed to any other person. Any views or
opinions expressed are solely those of the sender and
do not necessarily represent those of QUINN-Insurance, unless otherwise
specifically stated . As internet communications are not secure,
QUINN-Insurance is not responsible for the contents of this message nor
responsible for any change made to this message after it was sent by the
original sender. Although virus scanning is used on all inbound and
outbound e-mail, we advise you to carry out your own virus check before
opening any attachment. We cannot accept liability for any damage
sustained
as a result of any software viruses.
 

 
QUINN-Life Direct Limited is regulated by the Financial Regulator.
QUINN-Insurance Limited is regulated by the Financial Regulator and
regulated by the Financial Services Authority for the conduct of UK
business.
 

 
QUINN-Life Direct Limited is registe

Re: [On-Topic] Patching with PSEXEC

2009-08-31 Thread tony patton
Forget to say in the original email, we use WSUS for the Microsoft stuff, 
but have nothing for anything else.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com



From:
Jon Harris 
To:
"NT System Admin Issues" 
Date:
31/08/2009 16:37
Subject:
Re: [On-Topic] Patching with PSEXEC



Okay I will bite on this, why no WSUS?  I am directing this to the OP 
now.  It is relativity free, it does require a license for a machine but 
it will run on a desktop (not very well but it will run).  Server licenses 
are not cheap but with that many machines you should be able to get one 
license and not break the bank.  It does not need a real fast or beefy 
machine to run it.
 
Jon

On Mon, Aug 31, 2009 at 11:08 AM, tony patton <
tony.pat...@quinn-insurance.com> wrote:
What I mean by no control is two-fold: 
1. I don't have any say over most of the policies, only a subset; 
2. We have to go through a long-winded change management process to do any 
changes to GPOs. 

The things that run at start-up include software installs, reg-settings, 
short-cut creation, some redundant, some could be better moved to staging 
ou's. 

The main issue is due to the majority of PC's being about 5 years old with 
512mb ram, sometimes if they went any slower they'd be going backwards. 
They're still only ordering them in with 1gb rather than spend a little 
extra to get 2gb, it'll end up costing more in the long term, but they 
only care about now. 

Not confusing start-up with logon, that's a whole other issue for another 
time. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 


From: 
Jonathan Link  
To: 
"NT System Admin Issues"  
Date: 
31/08/2009 15:30 
Subject: 
Re: [On-Topic] Patching with PSEXEC





Out of curiosity, what exactly is running at machine startup (and why 
can't you control it)?  Or are you confusing startup with logon?  Startup 
and logon are two distinct events, despite their close timing. 


  
On Mon, Aug 31, 2009 at 10:18 AM, tony patton <
tony.pat...@quinn-insurance.com> wrote: 
The reasoning for not using GPO's is the amount of things that are already 
running on machine startup, no control over this. 

Machine shutdown GPO is an option. 

-sc, the reason I mentioned logging, or lack thereof, is that we're 
pushing for a proper patch management/deployment system, there is 
supposedly a project kicking off over the next few months for this.  I can 
log by scripting it, that's not a problem, but we don't want a PSEXEC 
deployment solution to do everything we need. 
We only need it in the interim, we don't want it as a long term solution. 

To use PSEXEC long-term would be a full-time job, and we have enough to do 
at the minute. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 

From: 
"Sam Cayze"  
To: 
"NT System Admin Issues"  
Date: 
31/08/2009 13:35 
Subject: 
RE: [On-Topic] Patching with PSEXEC






+1 
  
I just use psexec for the random one-off tasks. 
  
Sam 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org 
] 
Sent: Monday, August 31, 2009 6:57 AM 

To: NT System Admin Issues 

Subject: RE: [On-Topic] Patching with PSEXEC 


Ok, I am going off in a completely different direction. I did not see the 
part where you talked to others about PSEXEC so I don?t know why you are 
going in that direction. 
  
Why not just script it to the machines via GPO. If it is a machine policy 
the install/update will run with elevated privs so you will not have any 
trouble. You can get a run down on almost any app at this site, as far as 
what switches and what package to use to get them deployed. 
  
http://www.appdeploy.com/ 
  
Your script can log the ip/machine name as it deploys?.. 
  
  
From: tony patton [mailto:tony.pat...@quinn-insurance.com] 
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC 
  
Hey all, 

Following on from IE8 doesn't work thread, management here wants start 
using PSEXEC to patch applications. 

I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, 
flash, firefox and UltraVNC, fine for running scripts and such, just not 
sure about patching. 

Logging is a whole other thing, personally, I don't want to be able to log 
which machines were successful, failed or not on 
as there would be no incentive to get a proper patching solution. 
I can wrap a batch file around it to re-direct output to a file, so the 
possibility of logging is there. 

What are the pitfalls that any of you that use this approach have come 
across? 

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't 
attempted to work out the command for Flash but this does it, saved me a 
bit of w

Re: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Jon Harris
Okay I will bite on this, why no WSUS?  I am directing this to the OP now.
It is relativity free, it does require a license for a machine but it will
run on a desktop (not very well but it will run).  Server licenses are not
cheap but with that many machines you should be able to get one license and
not break the bank.  It does not need a real fast or beefy machine to run
it.

Jon

On Mon, Aug 31, 2009 at 11:08 AM, tony patton <
tony.pat...@quinn-insurance.com> wrote:

> What I mean by no control is two-fold:
> 1. I don't have any say over most of the policies, only a subset;
> 2. We have to go through a long-winded change management process to do any
> changes to GPOs.
>
> The things that run at start-up include software installs, reg-settings,
> short-cut creation, some redundant, some could be better moved to staging
> ou's.
>
> The main issue is due to the majority of PC's being about 5 years old with
> 512mb ram, sometimes if they went any slower they'd be going backwards.
> They're still only ordering them in with 1gb rather than spend a little
> extra to get 2gb, it'll end up costing more in the long term, but they only
> care about now.
>
> Not confusing start-up with logon, that's a whole other issue for another
> time.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: tony.pat...@quinn-insurance.com
>
>
>   From: Jonathan Link  To: "NT System Admin
> Issues" 
>  Date: 31/08/2009 15:30 Subject: Re: [On-Topic] Patching with PSEXEC
> --
>
>
>
> Out of curiosity, what exactly is running at machine startup (and why can't
> you control it)?  Or are you confusing startup with logon?  Startup and
> logon are two distinct events, despite their close timing.
>
>
>
>  On Mon, Aug 31, 2009 at 10:18 AM, tony patton <*
> tony.pat...@quinn-insurance.com* > wrote:
> The reasoning for not using GPO's is the amount of things that are already
> running on machine startup, no control over this.
>
> Machine shutdown GPO is an option.
>
> -sc, the reason I mentioned logging, or lack thereof, is that we're pushing
> for a proper patch management/deployment system, there is supposedly a
> project kicking off over the next few months for this.  I can log by
> scripting it, that's not a problem, but we don't want a PSEXEC deployment
> solution to do everything we need.
> We only need it in the interim, we don't want it as a long term solution.
>
> To use PSEXEC long-term would be a full-time job, and we have enough to do
> at the minute.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: *tony.pat...@quinn-insurance.com* 
>
>   From: "Sam Cayze"   To: "NT System Admin Issues"
> <*ntsysad...@lyris.sunbelt-software.com*
> >  Date: 31/08/2009 13:35  Subject: RE: [On-Topic] Patching with PSEXEC
>
> ------
>
>
>
>
> +1
>
> I just use psexec for the random one-off tasks.
>
> Sam
>
> --
> *From:* Kennedy, Jim 
> [*mailto:kennedy...@elyriaschools.org*
> ] *
> Sent:* Monday, August 31, 2009 6:57 AM
> *
> To:* NT System Admin Issues
> *
> Subject:* RE: [On-Topic] Patching with PSEXEC
>
>
> Ok, I am going off in a completely different direction. I did not see the
> part where you talked to others about PSEXEC so I don’t know why you are
> going in that direction.
>
> Why not just script it to the machines via GPO. If it is a machine policy
> the install/update will run with elevated privs so you will not have any
> trouble. You can get a run down on almost any app at this site, as far as
> what switches and what package to use to get them deployed.
>   *
> **http://www.appdeploy.com/* <http://www.appdeploy.com/>
>
> Your script can log the ip/machine name as it deploys…..
>
>
> *From:* tony patton 
> [*mailto:tony.pat...@quinn-insurance.com*]
> *
> Sent:* Monday, August 31, 2009 5:59 AM*
> To:* NT System Admin Issues*
> Subject:* [On-Topic] Patching with PSEXEC
>
> Hey all,
>
> Following on from IE8 doesn't work thread, management here wants start
> using PSEXEC to patch applications.
>
> I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader,
> flash, firefox and UltraVNC, fine for running scripts and such, just not
> sure about patching.
>
> Logging is a whole other thing, personally, I don't want to be able to log
> which machines were successful, failed or not on
> as there would be no incentive to get a proper patching solution.

Re: [On-Topic] Patching with PSEXEC

2009-08-31 Thread James Rankin
Ah yes. Read threads fully before responding, one must.

GPO would be the way to go then - although I tend to use the Citrix
Application Packager when the fit takes me, although obviously the fact that
I run a Citrix farm kinda helps me out there. You can also do third-party
kit through VMWare Update Manager (Shavlik for VirtualCenter essentially)
and SCCM, but those have all the cost implications we all know about. Psexec
comes in quite handy once you've packaged applications up to install
quietly, if you can - or identified all the necessary switches. Adobe's
customisation tool is quite good for building customised installers (one of
the few things Adobe seems to do well)

2009/8/31 Steven M. Caesare 

>  I agree on the “it becomes a full time job part”.
>
>
>
> However, he specifically mention non-MS apps… and WSUS won’t do that.
>
>
>
> -sc
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Monday, August 31, 2009 9:49 AM
> *To:* NT System Admin Issues
> *Subject:* Re: [On-Topic] Patching with PSEXEC
>
>
>
> We used to use a batch script using psexec to patch 500 Windows NT Server
> systems because management wouldn't pay for anything. We had to do the OS,
> Internet Explorer (all versions), Adobe, Office, all the other stuff. We
> started off using a text file full of data being parsed for the relevant
> systems so that we'd know what to install on each system as they were
> discovered. Someone (me) ended up working on this data file and the script
> almost full time, spending hours after every patch release working out where
> the files were updated, how to test if it applied, which systems needed it,
> and how to work the logic into the batch script to make sure it didn't go
> where it didn't. And this is in the pre-64-bit and virtualisation days. I
> can't imagine how complex it would be now.
>
> Most sensible accounts at this time paid for UpdateExpert or HfNetChk. When
> MS released WSUS, we all breathed a collective sigh of relief and went back
> to other day-to-day admin tasks. We, as others probably do, only use psexec
> for one-off tasks now. Patching is far too complex a beast for it, unless
> you like having to spend all your time what MS will do for you for nothing.
>
> 2009/8/31 tony patton 
>
> Hey all,
>
> Following on from IE8 doesn't work thread, management here wants start
> using PSEXEC to patch applications.
>
> I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader,
> flash, firefox and UltraVNC, fine for running scripts and such, just not
> sure about patching.
>
> Logging is a whole other thing, personally, I don't want to be able to log
> which machines were successful, failed or not on
> as there would be no incentive to get a proper patching solution.
> I can wrap a batch file around it to re-direct output to a file, so the
> possibility of logging is there.
>
> What are the pitfalls that any of you that use this approach have come
> across?
>
> Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted
> to work out the command for Flash but this does it, saved me a bit of work
> :-)
>
> Slightly off-topic, don't know why anyone would want to leave this list,
> keeps me sane most days.
>
> Sorry if this is a bit all over the place, 11am and been here before 7 :-(
> All information greatly appreciated.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: tony.pat...@quinn-insurance.com
>
> 
>
> http://www.quinn-insurance.com
>
>
>
> This e-mail is intended only for the addressee named above. The contents
>
> should not be copied nor disclosed to any other person. Any views or
>
> opinions expressed are solely those of the sender and
>
> do not necessarily represent those of QUINN-Insurance, unless otherwise
>
> specifically stated . As internet communications are not secure,
>
> QUINN-Insurance is not responsible for the contents of this message nor
>
> responsible for any change made to this message after it was sent by the
>
> original sender. Although virus scanning is used on all inbound and
>
> outbound e-mail, we advise you to carry out your own virus check before
>
> opening any attachment. We cannot accept liability for any damage sustained
>
> as a result of any software viruses.
>
>
>
> 
>
>
>
> QUINN-Life Direct Limited is regulated by the Financial Regulator.
>
> QUINN-Insurance Limited is regulated by the Financial Regulator and
>

Re: [On-Topic] Patching with PSEXEC

2009-08-31 Thread tony patton
What I mean by no control is two-fold:
1. I don't have any say over most of the policies, only a subset;
2. We have to go through a long-winded change management process to do any 
changes to GPOs.

The things that run at start-up include software installs, reg-settings, 
short-cut creation, some redundant, some could be better moved to staging 
ou's.

The main issue is due to the majority of PC's being about 5 years old with 
512mb ram, sometimes if they went any slower they'd be going backwards.
They're still only ordering them in with 1gb rather than spend a little 
extra to get 2gb, it'll end up costing more in the long term, but they 
only care about now.

Not confusing start-up with logon, that's a whole other issue for another 
time.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com



From:
Jonathan Link 
To:
"NT System Admin Issues" 
Date:
31/08/2009 15:30
Subject:
Re: [On-Topic] Patching with PSEXEC



Out of curiosity, what exactly is running at machine startup (and why 
can't you control it)?  Or are you confusing startup with logon?  Startup 
and logon are two distinct events, despite their close timing.


 
On Mon, Aug 31, 2009 at 10:18 AM, tony patton <
tony.pat...@quinn-insurance.com> wrote:
The reasoning for not using GPO's is the amount of things that are already 
running on machine startup, no control over this. 

Machine shutdown GPO is an option. 

-sc, the reason I mentioned logging, or lack thereof, is that we're 
pushing for a proper patch management/deployment system, there is 
supposedly a project kicking off over the next few months for this.  I can 
log by scripting it, that's not a problem, but we don't want a PSEXEC 
deployment solution to do everything we need. 
We only need it in the interim, we don't want it as a long term solution. 

To use PSEXEC long-term would be a full-time job, and we have enough to do 
at the minute. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 


From: 
"Sam Cayze"  
To: 
"NT System Admin Issues"  
Date: 
31/08/2009 13:35 
Subject: 
RE: [On-Topic] Patching with PSEXEC





+1 
  
I just use psexec for the random one-off tasks. 
  
Sam 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org
] 
Sent: Monday, August 31, 2009 6:57 AM 

To: NT System Admin Issues

Subject: RE: [On-Topic] Patching with PSEXEC


Ok, I am going off in a completely different direction. I did not see the 
part where you talked to others about PSEXEC so I don?t know why you are 
going in that direction. 
  
Why not just script it to the machines via GPO. If it is a machine policy 
the install/update will run with elevated privs so you will not have any 
trouble. You can get a run down on almost any app at this site, as far as 
what switches and what package to use to get them deployed. 
  
http://www.appdeploy.com/ 
  
Your script can log the ip/machine name as it deploys?.. 
  
  
From: tony patton [mailto:tony.pat...@quinn-insurance.com] 
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC 
  
Hey all, 

Following on from IE8 doesn't work thread, management here wants start 
using PSEXEC to patch applications. 

I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, 
flash, firefox and UltraVNC, fine for running scripts and such, just not 
sure about patching. 

Logging is a whole other thing, personally, I don't want to be able to log 
which machines were successful, failed or not on 
as there would be no incentive to get a proper patching solution. 
I can wrap a batch file around it to re-direct output to a file, so the 
possibility of logging is there. 

What are the pitfalls that any of you that use this approach have come 
across? 

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't 
attempted to work out the command for Flash but this does it, saved me a 
bit of work :-) 

Slightly off-topic, don't know why anyone would want to leave this list, 
keeps me sane most days. 

Sorry if this is a bit all over the place, 11am and been here before 7 :-( 

All information greatly appreciated. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 
 
http://www.quinn-insurance.com 
  
This e-mail is intended only for the addressee named above. The contents 
should not be copied nor disclosed to any other person. Any views or 
opinions expressed are solely those of the sender and 
do not necessarily represent those of QUINN-Insurance, unless otherwise 
specifically stated . As internet communications are not secure, 
QUINN-Insurance is not responsible for the contents of this message nor 
res

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread tony patton
It is in your sig, and it stood out from the rest of the rubbish i typed 
:-)

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com



From:
"Steven M. Caesare" 
To:
"NT System Admin Issues" 
Date:
31/08/2009 15:57
Subject:
RE: [On-Topic] Patching with PSEXEC



Gotcha. And agreed? it would be a full time.. and still not give you the 
features a true patch management system should.
 
-sc
 
(and the dash isn?t part of my initials?.  ;-)
From: tony patton [mailto:tony.pat...@quinn-insurance.com] 
Sent: Monday, August 31, 2009 10:18 AM
To: NT System Admin Issues
Subject: RE: [On-Topic] Patching with PSEXEC
 
The reasoning for not using GPO's is the amount of things that are already 
running on machine startup, no control over this. 

Machine shutdown GPO is an option. 

-sc, the reason I mentioned logging, or lack thereof, is that we're 
pushing for a proper patch management/deployment system, there is 
supposedly a project kicking off over the next few months for this.  I can 
log by scripting it, that's not a problem, but we don't want a PSEXEC 
deployment solution to do everything we need. 
We only need it in the interim, we don't want it as a long term solution. 

To use PSEXEC long-term would be a full-time job, and we have enough to do 
at the minute. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 


From: 
"Sam Cayze"  
To: 
"NT System Admin Issues"  
Date: 
31/08/2009 13:35 
Subject: 
RE: [On-Topic] Patching with PSEXEC
 




+1 
  
I just use psexec for the random one-off tasks. 
  
Sam 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Monday, August 31, 2009 6:57 AM
To: NT System Admin Issues
Subject: RE: [On-Topic] Patching with PSEXEC

Ok, I am going off in a completely different direction. I did not see the 
part where you talked to others about PSEXEC so I don?t know why you are 
going in that direction. 
  
Why not just script it to the machines via GPO. If it is a machine policy 
the install/update will run with elevated privs so you will not have any 
trouble. You can get a run down on almost any app at this site, as far as 
what switches and what package to use to get them deployed. 
  
http://www.appdeploy.com/ 
  
Your script can log the ip/machine name as it deploys?.. 
  
  
From: tony patton [mailto:tony.pat...@quinn-insurance.com] 
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC 
  
Hey all, 

Following on from IE8 doesn't work thread, management here wants start 
using PSEXEC to patch applications. 

I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, 
flash, firefox and UltraVNC, fine for running scripts and such, just not 
sure about patching. 

Logging is a whole other thing, personally, I don't want to be able to log 
which machines were successful, failed or not on 
as there would be no incentive to get a proper patching solution. 
I can wrap a batch file around it to re-direct output to a file, so the 
possibility of logging is there. 

What are the pitfalls that any of you that use this approach have come 
across? 

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't 
attempted to work out the command for Flash but this does it, saved me a 
bit of work :-) 

Slightly off-topic, don't know why anyone would want to leave this list, 
keeps me sane most days. 

Sorry if this is a bit all over the place, 11am and been here before 7 :-( 

All information greatly appreciated. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 
 
http://www.quinn-insurance.com 
  
This e-mail is intended only for the addressee named above. The contents 
should not be copied nor disclosed to any other person. Any views or 
opinions expressed are solely those of the sender and 
do not necessarily represent those of QUINN-Insurance, unless otherwise 
specifically stated . As internet communications are not secure, 
QUINN-Insurance is not responsible for the contents of this message nor 
responsible for any change made to this message after it was sent by the 
original sender. Although virus scanning is used on all inbound and 
outbound e-mail, we advise you to carry out your own virus check before 
opening any attachment. We cannot accept liability for any damage 
sustained 
as a result of any software viruses. 
  
 
  
QUINN-Life Direct Limited is regulated by the Financial Regulator. 
QUINN-Insurance Limited is regulated by the Financial Regulator and 
regulated by the Financial Services Authority for the conduct of UK 
business. 
  
=

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Steven M. Caesare
Gotcha. And agreed... it would be a full time.. and still not give you
the features a true patch management system should.

 

-sc

 

(and the dash isn't part of my initials  ;-)

From: tony patton [mailto:tony.pat...@quinn-insurance.com] 
Sent: Monday, August 31, 2009 10:18 AM
To: NT System Admin Issues
Subject: RE: [On-Topic] Patching with PSEXEC

 

The reasoning for not using GPO's is the amount of things that are
already running on machine startup, no control over this. 

Machine shutdown GPO is an option. 

-sc, the reason I mentioned logging, or lack thereof, is that we're
pushing for a proper patch management/deployment system, there is
supposedly a project kicking off over the next few months for this.  I
can log by scripting it, that's not a problem, but we don't want a
PSEXEC deployment solution to do everything we need. 
We only need it in the interim, we don't want it as a long term
solution. 

To use PSEXEC long-term would be a full-time job, and we have enough to
do at the minute. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 



From: 

"Sam Cayze"  

To: 

"NT System Admin Issues"  

Date: 

31/08/2009 13:35 

Subject: 

RE: [On-Topic] Patching with PSEXEC

 






+1 
  
I just use psexec for the random one-off tasks. 
  
Sam 



From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org
<mailto:kennedy...@elyriaschools.org> ] 
Sent: Monday, August 31, 2009 6:57 AM
To: NT System Admin Issues
Subject: RE: [On-Topic] Patching with PSEXEC

Ok, I am going off in a completely different direction. I did not see
the part where you talked to others about PSEXEC so I don't know why you
are going in that direction. 
  
Why not just script it to the machines via GPO. If it is a machine
policy the install/update will run with elevated privs so you will not
have any trouble. You can get a run down on almost any app at this site,
as far as what switches and what package to use to get them deployed. 
  
http://www.appdeploy.com/ <http://www.appdeploy.com/>  
  
Your script can log the ip/machine name as it deploys. 
  
  
From: tony patton [mailto:tony.pat...@quinn-insurance.com
<mailto:tony.pat...@quinn-insurance.com> ] 
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC 
  
Hey all, 

Following on from IE8 doesn't work thread, management here wants start
using PSEXEC to patch applications. 

I'm a bit hesitant to use it for patching 2800 desktops for Adobe
reader, flash, firefox and UltraVNC, fine for running scripts and such,
just not sure about patching. 

Logging is a whole other thing, personally, I don't want to be able to
log which machines were successful, failed or not on 
as there would be no incentive to get a proper patching solution. 
I can wrap a batch file around it to re-direct output to a file, so the
possibility of logging is there. 

What are the pitfalls that any of you that use this approach have come
across? 

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't
attempted to work out the command for Flash but this does it, saved me a
bit of work :-) 

Slightly off-topic, don't know why anyone would want to leave this list,
keeps me sane most days. 

Sorry if this is a bit all over the place, 11am and been here before 7
:-( 
All information greatly appreciated. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 
 
http://www.quinn-insurance.com <http://www.quinn-insurance.com/>  
  
This e-mail is intended only for the addressee named above. The contents

should not be copied nor disclosed to any other person. Any views or 
opinions expressed are solely those of the sender and 
do not necessarily represent those of QUINN-Insurance, unless otherwise 
specifically stated . As internet communications are not secure, 
QUINN-Insurance is not responsible for the contents of this message nor 
responsible for any change made to this message after it was sent by the

original sender. Although virus scanning is used on all inbound and 
outbound e-mail, we advise you to carry out your own virus check before 
opening any attachment. We cannot accept liability for any damage
sustained 
as a result of any software viruses. 
  
 
  
QUINN-Life Direct Limited is regulated by the Financial Regulator. 
QUINN-Insurance Limited is regulated by the Financial Regulator and 
regulated by the Financial Services Authority for the conduct of UK 
business. 
  
 
  
QUINN-Life Direct Limited is registered in Ireland, registrat

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Steven M. Caesare
I agree on the "it becomes a full time job part".

 

However, he specifically mention non-MS apps... and WSUS won't do that.

 

-sc

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Monday, August 31, 2009 9:49 AM
To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC

 

We used to use a batch script using psexec to patch 500 Windows NT
Server systems because management wouldn't pay for anything. We had to
do the OS, Internet Explorer (all versions), Adobe, Office, all the
other stuff. We started off using a text file full of data being parsed
for the relevant systems so that we'd know what to install on each
system as they were discovered. Someone (me) ended up working on this
data file and the script almost full time, spending hours after every
patch release working out where the files were updated, how to test if
it applied, which systems needed it, and how to work the logic into the
batch script to make sure it didn't go where it didn't. And this is in
the pre-64-bit and virtualisation days. I can't imagine how complex it
would be now.

Most sensible accounts at this time paid for UpdateExpert or HfNetChk.
When MS released WSUS, we all breathed a collective sigh of relief and
went back to other day-to-day admin tasks. We, as others probably do,
only use psexec for one-off tasks now. Patching is far too complex a
beast for it, unless you like having to spend all your time what MS will
do for you for nothing.

2009/8/31 tony patton 

Hey all, 

Following on from IE8 doesn't work thread, management here wants start
using PSEXEC to patch applications. 

I'm a bit hesitant to use it for patching 2800 desktops for Adobe
reader, flash, firefox and UltraVNC, fine for running scripts and such,
just not sure about patching. 

Logging is a whole other thing, personally, I don't want to be able to
log which machines were successful, failed or not on 
as there would be no incentive to get a proper patching solution. 
I can wrap a batch file around it to re-direct output to a file, so the
possibility of logging is there. 

What are the pitfalls that any of you that use this approach have come
across? 

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't
attempted to work out the command for Flash but this does it, saved me a
bit of work :-) 

Slightly off-topic, don't know why anyone would want to leave this list,
keeps me sane most days. 

Sorry if this is a bit all over the place, 11am and been here before 7
:-( 
All information greatly appreciated. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com


http://www.quinn-insurance.com
 
This e-mail is intended only for the addressee named above. The contents
should not be copied nor disclosed to any other person. Any views or
opinions expressed are solely those of the sender and
do not necessarily represent those of QUINN-Insurance, unless otherwise
specifically stated . As internet communications are not secure,
QUINN-Insurance is not responsible for the contents of this message nor
responsible for any change made to this message after it was sent by the
original sender. Although virus scanning is used on all inbound and
outbound e-mail, we advise you to carry out your own virus check before
opening any attachment. We cannot accept liability for any damage
sustained
as a result of any software viruses.
 

 
QUINN-Life Direct Limited is regulated by the Financial Regulator.
QUINN-Insurance Limited is regulated by the Financial Regulator and
regulated by the Financial Services Authority for the conduct of UK
business.
 

 
QUINN-Life Direct Limited is registered in Ireland, registration number
292374 and is a private company limited by shares.
QUINN-Insurance Limited is registered in Ireland, registration number
240768 and is a private company limited by shares.
Both companies have their head office at Dublin Road, Cavan, Co. Cavan.

 

 




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

http://raythestray.blogspot.com

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Re: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Jonathan Link
Out of curiosity, what exactly is running at machine startup (and why can't
you control it)?  Or are you confusing startup with logon?  Startup and
logon are two distinct events, despite their close timing.



On Mon, Aug 31, 2009 at 10:18 AM, tony patton <
tony.pat...@quinn-insurance.com> wrote:

> The reasoning for not using GPO's is the amount of things that are already
> running on machine startup, no control over this.
>
> Machine shutdown GPO is an option.
>
> -sc, the reason I mentioned logging, or lack thereof, is that we're pushing
> for a proper patch management/deployment system, there is supposedly a
> project kicking off over the next few months for this.  I can log by
> scripting it, that's not a problem, but we don't want a PSEXEC deployment
> solution to do everything we need.
> We only need it in the interim, we don't want it as a long term solution.
>
> To use PSEXEC long-term would be a full-time job, and we have enough to do
> at the minute.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: tony.pat...@quinn-insurance.com
>
>
>   From: "Sam Cayze"  To: "NT System Admin Issues"
>  Date: 31/08/2009 13:35 Subject: RE:
> [On-Topic] Patching with PSEXEC
> --
>
>
>
> +1
>
> I just use psexec for the random one-off tasks.
>
> Sam
>
> ------
> *From:* Kennedy, Jim 
> [mailto:kennedy...@elyriaschools.org
> ] *
> Sent:* Monday, August 31, 2009 6:57 AM *
> To:* NT System Admin Issues
> *
> Subject:* RE: [On-Topic] Patching with PSEXEC
>
>
> Ok, I am going off in a completely different direction. I did not see the
> part where you talked to others about PSEXEC so I don’t know why you are
> going in that direction.
>
> Why not just script it to the machines via GPO. If it is a machine policy
> the install/update will run with elevated privs so you will not have any
> trouble. You can get a run down on almost any app at this site, as far as
> what switches and what package to use to get them deployed.
>
> *http://www.appdeploy.com/* <http://www.appdeploy.com/>
>
> Your script can log the ip/machine name as it deploys…..
>
>
> *From:* tony patton 
> [mailto:tony.pat...@quinn-insurance.com]
> *
> Sent:* Monday, August 31, 2009 5:59 AM*
> To:* NT System Admin Issues*
> Subject:* [On-Topic] Patching with PSEXEC
>
>  Hey all,
>
> Following on from IE8 doesn't work thread, management here wants start
> using PSEXEC to patch applications.
>
> I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader,
> flash, firefox and UltraVNC, fine for running scripts and such, just not
> sure about patching.
>
> Logging is a whole other thing, personally, I don't want to be able to log
> which machines were successful, failed or not on
> as there would be no incentive to get a proper patching solution.
> I can wrap a batch file around it to re-direct output to a file, so the
> possibility of logging is there.
>
> What are the pitfalls that any of you that use this approach have come
> across?
>
> Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted
> to work out the command for Flash but this does it, saved me a bit of work
> :-)
>
> Slightly off-topic, don't know why anyone would want to leave this list,
> keeps me sane most days.
>
> Sorry if this is a bit all over the place, 11am and been here before 7 :-(
> All information greatly appreciated.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: tony.pat...@quinn-insurance.com
> 
> http://www.quinn-insurance.com
>
> This e-mail is intended only for the addressee named above. The contents
> should not be copied nor disclosed to any other person. Any views or
> opinions expressed are solely those of the sender and
> do not necessarily represent those of QUINN-Insurance, unless otherwise
> specifically stated . As internet communications are not secure,
> QUINN-Insurance is not responsible for the contents of this message nor
> responsible for any change made to this message after it was sent by the
> original sender. Although virus scanning is used on all inbound and
> outbound e-mail, we advise you to carry out your own virus check before
> opening any attachment. We cannot accept liability for any damage sustained
> as a result of any software viruses.
>
> 
>
> QUINN-Life Direct Limited is regula

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread tony patton
The reasoning for not using GPO's is the amount of things that are already 
running on machine startup, no control over this.

Machine shutdown GPO is an option.

-sc, the reason I mentioned logging, or lack thereof, is that we're 
pushing for a proper patch management/deployment system, there is 
supposedly a project kicking off over the next few months for this.  I can 
log by scripting it, that's not a problem, but we don't want a PSEXEC 
deployment solution to do everything we need.
We only need it in the interim, we don't want it as a long term solution.

To use PSEXEC long-term would be a full-time job, and we have enough to do 
at the minute.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com



From:
"Sam Cayze" 
To:
"NT System Admin Issues" 
Date:
31/08/2009 13:35
Subject:
RE: [On-Topic] Patching with PSEXEC



+1
 
I just use psexec for the random one-off tasks.
 
Sam

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Monday, August 31, 2009 6:57 AM
To: NT System Admin Issues
Subject: RE: [On-Topic] Patching with PSEXEC

Ok, I am going off in a completely different direction. I did not see the 
part where you talked to others about PSEXEC so I don?t know why you are 
going in that direction.
 
Why not just script it to the machines via GPO. If it is a machine policy 
the install/update will run with elevated privs so you will not have any 
trouble. You can get a run down on almost any app at this site, as far as 
what switches and what package to use to get them deployed.
 
http://www.appdeploy.com/
 
Your script can log the ip/machine name as it deploys?..
 
 
From: tony patton [mailto:tony.pat...@quinn-insurance.com] 
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC
 
Hey all, 

Following on from IE8 doesn't work thread, management here wants start 
using PSEXEC to patch applications. 

I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, 
flash, firefox and UltraVNC, fine for running scripts and such, just not 
sure about patching. 

Logging is a whole other thing, personally, I don't want to be able to log 
which machines were successful, failed or not on 
as there would be no incentive to get a proper patching solution. 
I can wrap a batch file around it to re-direct output to a file, so the 
possibility of logging is there. 

What are the pitfalls that any of you that use this approach have come 
across? 

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't 
attempted to work out the command for Flash but this does it, saved me a 
bit of work :-) 

Slightly off-topic, don't know why anyone would want to leave this list, 
keeps me sane most days. 

Sorry if this is a bit all over the place, 11am and been here before 7 :-( 

All information greatly appreciated. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

http://www.quinn-insurance.com
 
This e-mail is intended only for the addressee named above. The contents
should not be copied nor disclosed to any other person. Any views or
opinions expressed are solely those of the sender and
do not necessarily represent those of QUINN-Insurance, unless otherwise
specifically stated . As internet communications are not secure,
QUINN-Insurance is not responsible for the contents of this message nor
responsible for any change made to this message after it was sent by the
original sender. Although virus scanning is used on all inbound and
outbound e-mail, we advise you to carry out your own virus check before
opening any attachment. We cannot accept liability for any damage 
sustained
as a result of any software viruses.
 

 
QUINN-Life Direct Limited is regulated by the Financial Regulator.
QUINN-Insurance Limited is regulated by the Financial Regulator and
regulated by the Financial Services Authority for the conduct of UK
business.
 

 
QUINN-Life Direct Limited is registered in Ireland, registration number
292374 and is a private company limited by shares.
QUINN-Insurance Limited is registered in Ireland, registration number
240768 and is a private company limited by shares.
Both companies have their head office at Dublin Road, Cavan, Co. Cavan.
 
 
 
 
 
 

http://www.quinn-insurance.com

This e-mail is intended only for the addressee named above. The contents
should not be copied nor disclosed to any other person. Any views or
opinions expressed are solely those of the sender and
do not necessarily represent those of QUINN-Insurance, unless otherwise
specifically stat

Re: [On-Topic] Patching with PSEXEC

2009-08-31 Thread James Rankin
We used to use a batch script using psexec to patch 500 Windows NT Server
systems because management wouldn't pay for anything. We had to do the OS,
Internet Explorer (all versions), Adobe, Office, all the other stuff. We
started off using a text file full of data being parsed for the relevant
systems so that we'd know what to install on each system as they were
discovered. Someone (me) ended up working on this data file and the script
almost full time, spending hours after every patch release working out where
the files were updated, how to test if it applied, which systems needed it,
and how to work the logic into the batch script to make sure it didn't go
where it didn't. And this is in the pre-64-bit and virtualisation days. I
can't imagine how complex it would be now.

Most sensible accounts at this time paid for UpdateExpert or HfNetChk. When
MS released WSUS, we all breathed a collective sigh of relief and went back
to other day-to-day admin tasks. We, as others probably do, only use psexec
for one-off tasks now. Patching is far too complex a beast for it, unless
you like having to spend all your time what MS will do for you for nothing.

2009/8/31 tony patton 

> Hey all,
>
> Following on from IE8 doesn't work thread, management here wants start
> using PSEXEC to patch applications.
>
> I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader,
> flash, firefox and UltraVNC, fine for running scripts and such, just not
> sure about patching.
>
> Logging is a whole other thing, personally, I don't want to be able to log
> which machines were successful, failed or not on
> as there would be no incentive to get a proper patching solution.
> I can wrap a batch file around it to re-direct output to a file, so the
> possibility of logging is there.
>
> What are the pitfalls that any of you that use this approach have come
> across?
>
> Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted
> to work out the command for Flash but this does it, saved me a bit of work
> :-)
>
> Slightly off-topic, don't know why anyone would want to leave this list,
> keeps me sane most days.
>
> Sorry if this is a bit all over the place, 11am and been here before 7 :-(
> All information greatly appreciated.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: tony.pat...@quinn-insurance.com
>
> http://www.quinn-insurance.com
>
> This e-mail is intended only for the addressee named above. The contents
> should not be copied nor disclosed to any other person. Any views or
> opinions expressed are solely those of the sender and
> do not necessarily represent those of QUINN-Insurance, unless otherwise
> specifically stated . As internet communications are not secure,
> QUINN-Insurance is not responsible for the contents of this message nor
> responsible for any change made to this message after it was sent by the
> original sender. Although virus scanning is used on all inbound and
> outbound e-mail, we advise you to carry out your own virus check before
> opening any attachment. We cannot accept liability for any damage sustained
> as a result of any software viruses.
>
> 
>
> QUINN-Life Direct Limited is regulated by the Financial Regulator.
> QUINN-Insurance Limited is regulated by the Financial Regulator and
> regulated by the Financial Services Authority for the conduct of UK
> business.
>
> 
>
> QUINN-Life Direct Limited is registered in Ireland, registration number
> 292374 and is a private company limited by shares.
> QUINN-Insurance Limited is registered in Ireland, registration number
> 240768 and is a private company limited by shares.
> Both companies have their head office at Dublin Road, Cavan, Co. Cavan.
>
>
>
>
>
>


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

http://raythestray.blogspot.com

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Steven M. Caesare
You don't want logging? Did you mean that? I'd suggest it's critical.

 

I'd say that trying "roll your own" methods for patch management on 2800
desktops is going to be pretty tough to manage, unless you have a VERY
locked down and cookie-cutter infrastructure.

 

-sc

 

From: tony patton [mailto:tony.pat...@quinn-insurance.com] 
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC

 

Hey all, 

Following on from IE8 doesn't work thread, management here wants start
using PSEXEC to patch applications. 

I'm a bit hesitant to use it for patching 2800 desktops for Adobe
reader, flash, firefox and UltraVNC, fine for running scripts and such,
just not sure about patching. 

Logging is a whole other thing, personally, I don't want to be able to
log which machines were successful, failed or not on 
as there would be no incentive to get a proper patching solution. 
I can wrap a batch file around it to re-direct output to a file, so the
possibility of logging is there. 

What are the pitfalls that any of you that use this approach have come
across? 

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't
attempted to work out the command for Flash but this does it, saved me a
bit of work :-) 

Slightly off-topic, don't know why anyone would want to leave this list,
keeps me sane most days. 

Sorry if this is a bit all over the place, 11am and been here before 7
:-( 
All information greatly appreciated. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com


http://www.quinn-insurance.com
 
This e-mail is intended only for the addressee named above. The contents
should not be copied nor disclosed to any other person. Any views or
opinions expressed are solely those of the sender and
do not necessarily represent those of QUINN-Insurance, unless otherwise
specifically stated . As internet communications are not secure,
QUINN-Insurance is not responsible for the contents of this message nor
responsible for any change made to this message after it was sent by the
original sender. Although virus scanning is used on all inbound and
outbound e-mail, we advise you to carry out your own virus check before
opening any attachment. We cannot accept liability for any damage
sustained
as a result of any software viruses.
 

 
QUINN-Life Direct Limited is regulated by the Financial Regulator.
QUINN-Insurance Limited is regulated by the Financial Regulator and
regulated by the Financial Services Authority for the conduct of UK
business.
 

 
QUINN-Life Direct Limited is registered in Ireland, registration number
292374 and is a private company limited by shares.
QUINN-Insurance Limited is registered in Ireland, registration number
240768 and is a private company limited by shares.
Both companies have their head office at Dublin Road, Cavan, Co. Cavan.

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Sam Cayze
+1
 
I just use psexec for the random one-off tasks.
 
Sam



From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Monday, August 31, 2009 6:57 AM
To: NT System Admin Issues
Subject: RE: [On-Topic] Patching with PSEXEC



Ok, I am going off in a completely different direction. I did not see
the part where you talked to others about PSEXEC so I don't know why you
are going in that direction.

 

Why not just script it to the machines via GPO. If it is a machine
policy the install/update will run with elevated privs so you will not
have any trouble. You can get a run down on almost any app at this site,
as far as what switches and what package to use to get them deployed.

 

http://www.appdeploy.com/

 

Your script can log the ip/machine name as it deploys.

 

 

From: tony patton [mailto:tony.pat...@quinn-insurance.com] 
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC

 

Hey all, 

Following on from IE8 doesn't work thread, management here wants start
using PSEXEC to patch applications. 

I'm a bit hesitant to use it for patching 2800 desktops for Adobe
reader, flash, firefox and UltraVNC, fine for running scripts and such,
just not sure about patching. 

Logging is a whole other thing, personally, I don't want to be able to
log which machines were successful, failed or not on 
as there would be no incentive to get a proper patching solution. 
I can wrap a batch file around it to re-direct output to a file, so the
possibility of logging is there. 

What are the pitfalls that any of you that use this approach have come
across? 

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't
attempted to work out the command for Flash but this does it, saved me a
bit of work :-) 

Slightly off-topic, don't know why anyone would want to leave this list,
keeps me sane most days. 

Sorry if this is a bit all over the place, 11am and been here before 7
:-( 
All information greatly appreciated. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com


http://www.quinn-insurance.com
 
This e-mail is intended only for the addressee named above. The contents
should not be copied nor disclosed to any other person. Any views or
opinions expressed are solely those of the sender and
do not necessarily represent those of QUINN-Insurance, unless otherwise
specifically stated . As internet communications are not secure,
QUINN-Insurance is not responsible for the contents of this message nor
responsible for any change made to this message after it was sent by the
original sender. Although virus scanning is used on all inbound and
outbound e-mail, we advise you to carry out your own virus check before
opening any attachment. We cannot accept liability for any damage
sustained
as a result of any software viruses.
 

 
QUINN-Life Direct Limited is regulated by the Financial Regulator.
QUINN-Insurance Limited is regulated by the Financial Regulator and
regulated by the Financial Services Authority for the conduct of UK
business.
 

 
QUINN-Life Direct Limited is registered in Ireland, registration number
292374 and is a private company limited by shares.
QUINN-Insurance Limited is registered in Ireland, registration number
240768 and is a private company limited by shares.
Both companies have their head office at Dublin Road, Cavan, Co. Cavan.

 

 

 

 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: [On-Topic] Patching with PSEXEC

2009-08-31 Thread Kennedy, Jim
Ok, I am going off in a completely different direction. I did not see the part 
where you talked to others about PSEXEC so I don't know why you are going in 
that direction.

Why not just script it to the machines via GPO. If it is a machine policy the 
install/update will run with elevated privs so you will not have any trouble. 
You can get a run down on almost any app at this site, as far as what switches 
and what package to use to get them deployed.

http://www.appdeploy.com/

Your script can log the ip/machine name as it deploys.


From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC

Hey all,

Following on from IE8 doesn't work thread, management here wants start using 
PSEXEC to patch applications.

I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, 
flash, firefox and UltraVNC, fine for running scripts and such, just not sure 
about patching.

Logging is a whole other thing, personally, I don't want to be able to log 
which machines were successful, failed or not on
as there would be no incentive to get a proper patching solution.
I can wrap a batch file around it to re-direct output to a file, so the 
possibility of logging is there.

What are the pitfalls that any of you that use this approach have come across?

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted to 
work out the command for Flash but this does it, saved me a bit of work :-)

Slightly off-topic, don't know why anyone would want to leave this list, keeps 
me sane most days.

Sorry if this is a bit all over the place, 11am and been here before 7 :-(
All information greatly appreciated.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com



http://www.quinn-insurance.com



This e-mail is intended only for the addressee named above. The contents

should not be copied nor disclosed to any other person. Any views or

opinions expressed are solely those of the sender and

do not necessarily represent those of QUINN-Insurance, unless otherwise

specifically stated . As internet communications are not secure,

QUINN-Insurance is not responsible for the contents of this message nor

responsible for any change made to this message after it was sent by the

original sender. Although virus scanning is used on all inbound and

outbound e-mail, we advise you to carry out your own virus check before

opening any attachment. We cannot accept liability for any damage sustained

as a result of any software viruses.







QUINN-Life Direct Limited is regulated by the Financial Regulator.

QUINN-Insurance Limited is regulated by the Financial Regulator and

regulated by the Financial Services Authority for the conduct of UK

business.







QUINN-Life Direct Limited is registered in Ireland, registration number

292374 and is a private company limited by shares.

QUINN-Insurance Limited is registered in Ireland, registration number

240768 and is a private company limited by shares.

Both companies have their head office at Dublin Road, Cavan, Co. Cavan.





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

[On-Topic] Patching with PSEXEC

2009-08-31 Thread tony patton
Hey all,

Following on from IE8 doesn't work thread, management here wants start 
using PSEXEC to patch applications.

I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, 
flash, firefox and UltraVNC, fine for running scripts and such, just not 
sure about patching.

Logging is a whole other thing, personally, I don't want to be able to log 
which machines were successful, failed or not on
as there would be no incentive to get a proper patching solution.
I can wrap a batch file around it to re-direct output to a file, so the 
possibility of logging is there.

What are the pitfalls that any of you that use this approach have come 
across?

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't 
attempted to work out the command for Flash but this does it, saved me a 
bit of work :-)

Slightly off-topic, don't know why anyone would want to leave this list, 
keeps me sane most days.

Sorry if this is a bit all over the place, 11am and been here before 7 :-(
All information greatly appreciated.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

http://www.quinn-insurance.com

This e-mail is intended only for the addressee named above. The contents
should not be copied nor disclosed to any other person. Any views or
opinions expressed are solely those of the sender and
do not necessarily represent those of QUINN-Insurance, unless otherwise
specifically stated . As internet communications are not secure,
QUINN-Insurance is not responsible for the contents of this message nor
responsible for any change made to this message after it was sent by the
original sender. Although virus scanning is used on all inbound and
outbound e-mail, we advise you to carry out your own virus check before
opening any attachment. We cannot accept liability for any damage sustained
as a result of any software viruses.



QUINN-Life Direct Limited is regulated by the Financial Regulator.
QUINN-Insurance Limited is regulated by the Financial Regulator and
regulated by the Financial Services Authority for the conduct of UK
business.



QUINN-Life Direct Limited is registered in Ireland, registration number
292374 and is a private company limited by shares.
QUINN-Insurance Limited is registered in Ireland, registration number
240768 and is a private company limited by shares.
Both companies have their head office at Dublin Road, Cavan, Co. Cavan.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~