RE: Change control (was RE: [On-Topic] Patching with PSEXEC)
Hmm do we work for the same company?

Regards,
Chris Orovet

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, August 31, 2009 3:59 PM
To: NT System Admin Issues
Subject: Re: Change control (was RE: [On-Topic] Patching with PSEXEC)

I've worked for a number of outsourcing companies and the change control is always very tight. It's the only way they can do it, but I admit it is completely inflexible for the client - particularly those that retain IT staff who now have to watch their systems managed by others who don't understand the particular intricacies of the business or the infrastructure.

You are right about good change control being right in the middle of the change control spectrum. Can't say I've ever found a company that managed to strike the balance exactly right though.

The reason my boss gets away with his cowboy approach is because he is prepared to sit there for 36 hours+ trying to get it working. I, on the other hand, am not. He bodges solutions together and then expects me to sanitize them and make them supportable. I love his approach though - he breaks something, then sends an email out to let users know that it is broken, and then puts the fastest fix in place he can find - usually reverting to where he started. He once deleted a snapshot I took before I'd finished testing, and made me completely unable to roll back my changes. He never seems to face any repercussions because our users (who are probably used to things packing up during the day) are happy as long as they get informed as to what's busted.

Things would be much smoother if I could run them my way, but that's unlikely to happen because he is popular amongst the golf-playing directorship (ain't it always the same?) I, on the other hand, prefer boxing to golf and have an unfortunate habit of calling a spade a spade, which seems to preclude me from breaking into the management clique. Ho-hum.

Still - it's only ten minutes drive from home :-)

2009/8/31 David Lum david@nwea.org

I totally understand the need for change control, but there certainly are efficient ways to implement it. %DAYJOB% has good change control, %FORMERDAYJOB% didn't. To put names to it, I used to work for Textron and they had good change control. After being there 10 years they outsourced *some* of the IT infrastructure (the support portion, not the programmers) to CSC and CSC's change control was insane.

I do realize leaving in these economic times is tougher, but it wouldn't stop me from looking.

Does your boss not face any repercussions from deploying w/out testing? I would use them as an opportunity to either work with him or go above him with a plan on this is how we should handle change, xxx problems happened because we had no process and ExampleA and ExampleB problems would have been prevented, here's how

Dave

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, August 31, 2009 12:09 PM
To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC

The problem is all the companies with these stringent change control processes have been, to speak proverbially, bitten squarely in the ass by a lack of change control.

I work for the polar opposite - a company where no change control exists and where the head of IT makes changes, often in the middle of the full working day, for no good operational reason that result in loss of service on other, related systems. I have also worked at companies with very strict change processes and know which one I prefer, if I had to choose an extreme.

My boss decided to perform an upgrade to Active Directory 2008 not long ago and WebSense has not functioned properly since, which is annoying when 25% of my users are now browsing the net unfiltered. He upgraded our AppSense server to 2008 and then I spent a week putting it back onto a 2003 system because he hadn't done any testing. I shudder to think what will happen when he turns his upgrade-addicted eyes onto our Exchange 2007 infrastructure.

Of course, I am sure people would say just leave, but we are in the middle of a testing economic time and I have a wife recovering from an operation and two hungry babies to feed. I'd rather work somewhere where change control was a happy medium, but IMHO, tighter than a gnat's ass beats the cowboy approach every time.

Apologies for taking the topic off on a tangent :-)

2009/8/31 David Lum david@nwea.org

Sounds like they're trying hard not to be around very long if they are so near sighted. Do they change the oil but not the filter on their cars too? Seems a simple matter of my time at xx/hr = ThisMuch, vs this product + install/setup/hardware = ThatMuch. Do ThisMuch x three months and compare to ThatMuch spread over three months...

Seriously, the last job I had I LEFT because they had similar asinine thinking (can't reboot a hung server unless you have it in Change Review Board meeting and yes, you must attend the 1.5hr long meeting
RE: Change control (was RE: [On-Topic] Patching with PSEXEC)
deja vu

I used to work with/for a guy who thought it was expedient and efficient to put out an 85% completed system into production, and *then* tweak it. (He was the Application Dev Manager while I was responsible for infrastructure) So partway into the game, his 15% updates required infrastructure or system changes that were NOT on-the-fly updates, or he'd push out a change that flooded the vpns with chatty, inefficient message queueing, and my team and I were expected to solve ALL the problems and support the app without causing any downtime.

Actually, the guy was 85% brilliant in some of his ideas and did the company very well for years, it was the 15% not that, well, ..

Erik Goldoff
IT Consultant
Systems, Networks, Security

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: [On-Topic] Patching with PSEXEC
Ok, I am going off in a completely different direction. I did not see the part where you talked to others about PSEXEC so I don't know why you are going in that direction.

Why not just script it to the machines via GPO. If it is a machine policy the install/update will run with elevated privs so you will not have any trouble. You can get a run down on almost any app at this site, as far as what switches and what package to use to get them deployed.

http://www.appdeploy.com/

Your script can log the ip/machine name as it deploys.

From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC

Hey all,

Following on from IE8 doesn't work thread, management here wants to start using PSEXEC to patch applications.

I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, flash, firefox and UltraVNC, fine for running scripts and such, just not sure about patching.

Logging is a whole other thing, personally, I don't want to be able to log which machines were successful, failed or not on as there would be no incentive to get a proper patching solution. I can wrap a batch file around it to re-direct output to a file, so the possibility of logging is there.

What are the pitfalls that any of you that use this approach have come across?

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted to work out the command for Flash but this does it, saved me a bit of work :-)

Slightly off-topic, don't know why anyone would want to leave this list, keeps me sane most days.

Sorry if this is a bit all over the place, 11am and been here before 7 :-(

All information greatly appreciated.

Regards
Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

http://www.quinn-insurance.com

This e-mail is intended only for the addressee named above. The contents should not be copied nor disclosed to any other person. Any views or opinions expressed are solely those of the sender and do not necessarily represent those of QUINN-Insurance, unless otherwise specifically stated. As internet communications are not secure, QUINN-Insurance is not responsible for the contents of this message nor responsible for any change made to this message after it was sent by the original sender. Although virus scanning is used on all inbound and outbound e-mail, we advise you to carry out your own virus check before opening any attachment. We cannot accept liability for any damage sustained as a result of any software viruses.

QUINN-Life Direct Limited is regulated by the Financial Regulator. QUINN-Insurance Limited is regulated by the Financial Regulator and regulated by the Financial Services Authority for the conduct of UK business. QUINN-Life Direct Limited is registered in Ireland, registration number 292374 and is a private company limited by shares. QUINN-Insurance Limited is registered in Ireland, registration number 240768 and is a private company limited by shares. Both companies have their head office at Dublin Road, Cavan, Co. Cavan.
RE: [On-Topic] Patching with PSEXEC
+1 I just use psexec for the random one-off tasks.

Sam
RE: [On-Topic] Patching with PSEXEC
You don't want logging? Did you mean that? I'd suggest it's critical.

I'd say that trying to roll your own methods for patch management on 2800 desktops is going to be pretty tough to manage, unless you have a VERY locked down and cookie-cutter infrastructure.

-sc
Re: [On-Topic] Patching with PSEXEC
We used to use a batch script using psexec to patch 500 Windows NT Server systems because management wouldn't pay for anything. We had to do the OS, Internet Explorer (all versions), Adobe, Office, all the other stuff. We started off using a text file full of data being parsed for the relevant systems so that we'd know what to install on each system as they were discovered.

Someone (me) ended up working on this data file and the script almost full time, spending hours after every patch release working out where the files were updated, how to test if it applied, which systems needed it, and how to work the logic into the batch script to make sure it didn't go where it didn't. And this is in the pre-64-bit and virtualisation days. I can't imagine how complex it would be now.

Most sensible accounts at this time paid for UpdateExpert or HfNetChk. When MS released WSUS, we all breathed a collective sigh of relief and went back to other day-to-day admin tasks.

We, as others probably do, only use psexec for one-off tasks now. Patching is far too complex a beast for it, unless you like having to spend all your time doing what MS will do for you for nothing.

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

http://raythestray.blogspot.com
RE: [On-Topic] Patching with PSEXEC
The reasoning for not using GPO's is the amount of things that are already running on machine startup, no control over this. Machine shutdown GPO is an option.

-sc, the reason I mentioned logging, or lack thereof, is that we're pushing for a proper patch management/deployment system, there is supposedly a project kicking off over the next few months for this. I can log by scripting it, that's not a problem, but we don't want a PSEXEC deployment solution to do everything we need.

We only need it in the interim, we don't want it as a long term solution. To use PSEXEC long-term would be a full-time job, and we have enough to do at the minute.

Regards
Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com
Re: [On-Topic] Patching with PSEXEC
Out of curiosity, what exactly is running at machine startup (and why can't you control it)? Or are you confusing startup with logon? Startup and logon are two distinct events, despite their close timing.
RE: [On-Topic] Patching with PSEXEC
I agree on the "it becomes a full time job part". However, he specifically mentioned non-MS apps... and WSUS won't do that.

-sc

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, August 31, 2009 9:49 AM
To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC

We used to use a batch script using psexec to patch 500 Windows NT Server systems because management wouldn't pay for anything. We had to do the OS, Internet Explorer (all versions), Adobe, Office, all the other stuff. We started off using a text file full of data being parsed for the relevant systems so that we'd know what to install on each system as they were discovered. Someone (me) ended up working on this data file and the script almost full time, spending hours after every patch release working out where the files were updated, how to test if it applied, which systems needed it, and how to work the logic into the batch script to make sure it didn't go where it didn't. And this is in the pre-64-bit and virtualisation days. I can't imagine how complex it would be now.

Most sensible accounts at this time paid for UpdateExpert or HfNetChk. When MS released WSUS, we all breathed a collective sigh of relief and went back to other day-to-day admin tasks. We, as others probably do, only use psexec for one-off tasks now. Patching is far too complex a beast for it, unless you like having to spend all your time doing what MS will do for you for nothing.

2009/8/31 tony patton tony.pat...@quinn-insurance.com

Hey all,

Following on from IE8 doesn't work thread, management here wants to start using PSEXEC to patch applications. I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, flash, firefox and UltraVNC, fine for running scripts and such, just not sure about patching.

Logging is a whole other thing, personally, I don't want to be able to log which machines were successful, failed or not on as there would be no incentive to get a proper patching solution. I can wrap a batch file around it to re-direct output to a file, so the possibility of logging is there.

What are the pitfalls that any of you that use this approach have come across?

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted to work out the command for Flash but this does it, saved me a bit of work :-)

Slightly off-topic, don't know why anyone would want to leave this list, keeps me sane most days. Sorry if this is a bit all over the place, 11am and been here before 7 :-(

All information greatly appreciated.

Regards
Tony Patton
Desktop Operations
Cavan Ext 8078 Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com
http://www.quinn-insurance.com

This e-mail is intended only for the addressee named above. The contents should not be copied nor disclosed to any other person. Any views or opinions expressed are solely those of the sender and do not necessarily represent those of QUINN-Insurance, unless otherwise specifically stated. As internet communications are not secure, QUINN-Insurance is not responsible for the contents of this message nor responsible for any change made to this message after it was sent by the original sender. Although virus scanning is used on all inbound and outbound e-mail, we advise you to carry out your own virus check before opening any attachment. We cannot accept liability for any damage sustained as a result of any software viruses. QUINN-Life Direct Limited is regulated by the Financial Regulator. QUINN-Insurance Limited is regulated by the Financial Regulator and regulated by the Financial Services Authority for the conduct of UK business. QUINN-Life Direct Limited is registered in Ireland, registration number 292374 and is a private company limited by shares. QUINN-Insurance Limited is registered in Ireland, registration number 240768 and is a private company limited by shares. Both companies have their head office at Dublin Road, Cavan, Co. Cavan.
-- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question. http://raythestray.blogspot.com
RE: [On-Topic] Patching with PSEXEC
Gotcha. And agreed... it would be a full time.. and still not give you the features a true patch management system should.

-sc (and the dash isn't part of my initials ;-)

From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Monday, August 31, 2009 10:18 AM
To: NT System Admin Issues
Subject: RE: [On-Topic] Patching with PSEXEC

The reasoning for not using GPO's is the amount of things that are already running on machine startup, no control over this. Machine shutdown GPO is an option.

-sc, the reason I mentioned logging, or lack thereof, is that we're pushing for a proper patch management/deployment system, there is supposedly a project kicking off over the next few months for this. I can log by scripting it, that's not a problem, but we don't want a PSEXEC deployment solution to do everything we need. We only need it in the interim, we don't want it as a long term solution.

To use PSEXEC long-term would be a full-time job, and we have enough to do at the minute.

Regards
Tony Patton
Desktop Operations
Cavan Ext 8078 Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

From: Sam Cayze sam.ca...@rollouts.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 31/08/2009 13:35
Subject: RE: [On-Topic] Patching with PSEXEC

+1 I just use psexec for the random one-off tasks.

Sam

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Monday, August 31, 2009 6:57 AM
To: NT System Admin Issues
Subject: RE: [On-Topic] Patching with PSEXEC

Ok, I am going off in a completely different direction. I did not see the part where you talked to others about PSEXEC so I don't know why you are going in that direction.

Why not just script it to the machines via GPO. If it is a machine policy the install/update will run with elevated privs so you will not have any trouble. You can get a run down on almost any app at this site, as far as what switches and what package to use to get them deployed.
http://www.appdeploy.com/

Your script can log the ip/machine name as it deploys.
RE: [On-Topic] Patching with PSEXEC
It is in your sig, and it stood out from the rest of the rubbish I typed :-)

Regards
Tony Patton
Desktop Operations
Cavan Ext 8078 Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com
Re: [On-Topic] Patching with PSEXEC
What I mean by no control is two-fold:

1. I don't have any say over most of the policies, only a subset;
2. We have to go through a long-winded change management process to do any changes to GPOs.

The things that run at start-up include software installs, reg-settings, short-cut creation, some redundant, some could be better moved to staging ou's. The main issue is due to the majority of PC's being about 5 years old with 512mb ram, sometimes if they went any slower they'd be going backwards. They're still only ordering them in with 1gb rather than spend a little extra to get 2gb, it'll end up costing more in the long term, but they only care about now.

Not confusing start-up with logon, that's a whole other issue for another time.

Regards
Tony Patton
Desktop Operations
Cavan Ext 8078 Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

From: Jonathan Link jonathan.l...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 31/08/2009 15:30
Subject: Re: [On-Topic] Patching with PSEXEC

Out of curiosity, what exactly is running at machine startup (and why can't you control it)? Or are you confusing startup with logon? Startup and logon are two distinct events, despite their close timing.
Re: [On-Topic] Patching with PSEXEC
Ah yes. Read threads fully before responding, one must.

GPO would be the way to go then - although I tend to use the Citrix Application Packager when the fit takes me, although obviously the fact that I run a Citrix farm kinda helps me out there. You can also do third-party kit through VMWare Update Manager (Shavlik for VirtualCenter essentially) and SCCM, but those have all the cost implications we all know about.

Psexec comes in quite handy once you've packaged applications up to install quietly, if you can - or identified all the necessary switches. Adobe's customisation tool is quite good for building customised installers (one of the few things Adobe seems to do well)
Re: [On-Topic] Patching with PSEXEC
Okay I will bite on this, why no WSUS? I am directing this to the OP now. It is relatively free, it does require a license for a machine but it will run on a desktop (not very well but it will run). Server licenses are not cheap but with that many machines you should be able to get one license and not break the bank. It does not need a real fast or beefy machine to run it.

Jon
Re: [On-Topic] Patching with PSEXEC
Forgot to say in the original email, we use WSUS for the Microsoft stuff, but have nothing for anything else.

Regards
Tony Patton
Desktop Operations
Cavan Ext 8078 Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com
RE: [On-Topic] Patching with PSEXEC
Indeed. However, one shouldn't overlook the value of logging, reporting, error handling, etc... It's a significant challenge.

-sc

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, August 31, 2009 11:32 AM
To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC

Ah yes. Read threads fully before responding, one must. GPO would be the way to go then - although I tend to use the Citrix Application Packager when the fit takes me, although obviously the fact that I run a Citrix farm kinda helps me out there. You can also do third-party kit through VMWare Update Manager (Shavlik for VirtualCenter essentially) and SCCM, but those have all the cost implications we all know about.

Psexec comes in quite handy once you've packaged applications up to install quietly, if you can - or identified all the necessary switches. Adobe's customisation tool is quite good for building customised installers (one of the few things Adobe seems to do well)

2009/8/31 Steven M. Caesare scaes...@caesare.com

I agree on the "it becomes a full time job part". However, he specifically mentioned non-MS apps... and WSUS won't do that.

-sc

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, August 31, 2009 9:49 AM
To: NT System Admin Issues
Subject: Re: [On-Topic] Patching with PSEXEC

We used to use a batch script using psexec to patch 500 Windows NT Server systems because management wouldn't pay for anything. We had to do the OS, Internet Explorer (all versions), Adobe, Office, all the other stuff. We started off using a text file full of data being parsed for the relevant systems so that we'd know what to install on each system as they were discovered. Someone (me) ended up working on this data file and the script almost full time, spending hours after every patch release working out where the files were updated, how to test if it applied, which systems needed it, and how to work the logic into the batch script to make sure it didn't go where it didn't.

And this is in the pre-64-bit and virtualisation days. I can't imagine how complex it would be now. Most sensible accounts at this time paid for UpdateExpert or HfNetChk. When MS released WSUS, we all breathed a collective sigh of relief and went back to other day-to-day admin tasks.

We, as others probably do, only use psexec for one-off tasks now. Patching is far too complex a beast for it, unless you like having to spend all your time doing what MS will do for you for nothing.

2009/8/31 tony patton tony.pat...@quinn-insurance.com

Hey all,

Following on from IE8 doesn't work thread, management here wants to start using PSEXEC to patch applications. I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, flash, firefox and UltraVNC, fine for running scripts and such, just not sure about patching.

Logging is a whole other thing, personally, I don't want to be able to log which machines were successful, failed or not on as there would be no incentive to get a proper patching solution. I can wrap a batch file around it to re-direct output to a file, so the possibility of logging is there.

What are the pitfalls that any of you that use this approach have come across?

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted to work out the command for Flash but this does it, saved me a bit of work :-)

Slightly off-topic, don't know why anyone would want to leave this list, keeps me sane most days.

Sorry if this is a bit all over the place, 11am and been here before 7 :-(

All information greatly appreciated.

Regards
Tony Patton
Desktop Operations
Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com
http://www.quinn-insurance.com
Re: [On-Topic] Patching with PSEXEC
Ah, now it makes a lot more sense. Yeah WSUS could do patching of other stuff (well it is supposed to anyway but...) I would look at something from Shavlik or eEye for what you really want to do. Patching without the necessary proof is just time spent running in place. Good luck staying out of the hole someone is digging for you.

Jon

On Mon, Aug 31, 2009 at 11:48 AM, tony patton tony.pat...@quinn-insurance.com wrote:

Forgot to say in the original email, we use WSUS for the Microsoft stuff, but have nothing for anything else.

Regards
Tony Patton

From: Jon Harris jk.har...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 31/08/2009 16:37
Subject: Re: [On-Topic] Patching with PSEXEC

Okay I will bite on this, why no WSUS? I am directing this to the OP now. It is relatively free, it does require a license for a machine but it will run on a desktop (not very well but it will run). Server licenses are not cheap but with that many machines you should be able to get one license and not break the bank. It does not need a real fast or beefy machine to run it.

Jon

On Mon, Aug 31, 2009 at 11:08 AM, tony patton tony.pat...@quinn-insurance.com wrote:

What I mean by no control is two-fold:
1. I don't have any say over most of the policies, only a subset;
2. We have to go through a long-winded change management process to do any changes to GPOs.

The things that run at start-up include software installs, reg-settings, short-cut creation, some redundant, some could be better moved to staging ou's.

The main issue is due to the majority of PC's being about 5 years old with 512mb ram, sometimes if they went any slower they'd be going backwards. They're still only ordering them in with 1gb rather than spend a little extra to get 2gb, it'll end up costing more in the long term, but they only care about now.

Not confusing start-up with logon, that's a whole other issue for another time.

Regards
Tony Patton

From: Jonathan Link jonathan.l...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 31/08/2009 15:30
Subject: Re: [On-Topic] Patching with PSEXEC

Out of curiosity, what exactly is running at machine startup (and why can't you control it)? Or are you confusing startup with logon? Startup and logon are two distinct events, despite their close timing.

On Mon, Aug 31, 2009 at 10:18 AM, tony patton tony.pat...@quinn-insurance.com wrote:

The reasoning for not using GPO's is the amount of things that are already running on machine startup, no control over this. Machine shutdown GPO is an option.

-sc, the reason I mentioned logging, or lack thereof, is that we're pushing for a proper patch management/deployment system, there is supposedly a project kicking off over the next few months for this. I can log by scripting it, that's not a problem, but we don't want a PSEXEC deployment solution to do everything we need. We only need it in the interim, we don't want it as a long term solution.

To use PSEXEC long-term would be a full-time job, and we have enough to do at the minute.

Regards
Tony Patton

From: Sam Cayze sam.ca...@rollouts.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 31/08/2009 13:35
Subject: RE: [On-Topic] Patching with PSEXEC

+1 I just use psexec for the random one-off tasks.

Sam

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Monday, August 31, 2009 6:57 AM
To: NT System Admin Issues
Subject: RE: [On-Topic] Patching with PSEXEC

Ok, I am going off in a completely different direction. I did not see the part where you talked to others about PSEXEC so I don't know why you are going in that direction.

Why not just script it to the machines via GPO. If it is a machine policy the install/update will run with elevated privs so you will not have any trouble. You can get a run down on almost any app at this site, as far as what switches and what package to use to get them deployed.

http://www.appdeploy.com/

Your script can log the ip/machine name as it deploys.....

From: tony patton [mailto:tony.pat...@quinn-insurance.com
Re: [On-Topic] Patching with PSEXEC
Quite correct - on our psexec-utilizing batch script patching routines, we managed to write in a passable amount of error handling, but reporting had to be written as a separate utility.
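The logging wrapper this thread keeps returning to (which machines succeeded, failed or were not on), sketched in PowerShell as an added example that is not from any poster on the list. The host list, installer path, silent switch and log file name are placeholders to be replaced with your own.

```powershell
# Added example, not from the thread. All default values below are placeholders.
param(
    [string]$HostList        = '.\hosts.txt',            # placeholder: one machine name per line
    [string]$Installer       = '.\app-update.exe',       # placeholder: local installer, copied out by psexec -c
    [string[]]$InstallerArgs = @('/quiet'),              # placeholder: the package's own silent switch(es)
    [string]$LogFile         = '.\psexec-patch-log.csv',
    [string]$PsExec          = 'psexec.exe'
)

# Map an exit code to a status. 3010 and 1641 are the Windows Installer
# "success, reboot required" and "success, reboot initiated" codes; other
# installers may use their own conventions.
function Get-PatchStatus {
    param([int]$ExitCode)
    switch ($ExitCode) {
        0       { 'Success' }
        3010    { 'SuccessRebootRequired' }
        1641    { 'SuccessRebootInitiated' }
        default { 'Failed' }
    }
}

function Invoke-PatchHost {
    param([string]$Computer)

    $result = [pscustomobject]@{
        Time     = (Get-Date).ToString('s')
        Computer = $Computer
        Status   = 'Offline'
        ExitCode = $null
        Detail   = ''
    }

    # "Not on": record the machine and move on. This is an ICMP check, so a
    # host that blocks ping is also logged as Offline.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        return $result
    }

    # No -u/-p here: the run uses the operator's own admin logon, so no
    # password is ever placed on a command line.
    # -s  run the installer as SYSTEM on the target
    # -c  copy the installer to the target, -f overwrite an older copy
    # -n  give up after 15 seconds if the connection cannot be made
    $psexecArgs = @("\\$Computer", '-accepteula', '-s', '-n', '15',
                    '-c', '-f', $Installer) + $InstallerArgs
    $output = & $PsExec @psexecArgs 2>&1

    # PsExec hands back the remote process's exit code, but a non-zero code
    # can also come from PsExec itself (access denied, connection failure),
    # so the last line of output is kept next to it for triage.
    $result.ExitCode = $LASTEXITCODE
    $result.Status   = Get-PatchStatus -ExitCode $LASTEXITCODE
    $result.Detail   = $output |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ } |
        Select-Object -Last 1
    return $result
}

$results = Get-Content $HostList |
    Where-Object { $_.Trim() } |
    ForEach-Object { Invoke-PatchHost -Computer $_.Trim() }

# One row per machine per run; -Append keeps history across runs.
$results | Export-Csv -Path $LogFile -NoTypeInformation -Append

# Per-status totals: the "reporting" half that the thread says tends to end
# up as a separate utility.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

An exit code of 0 is only the installer's own claim of success; confirming the installed version on the target is a separate check.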
RE: [On-Topic] Patching with PSEXEC
Sounds like they're trying hard not to be around very long if they are so near sighted. Do they change the oil but not the filter on their cars too? Seems a simple matter of my time at xx/hr = ThisMuch, vs this product + install/setup/hardware = ThatMuch. Do ThisMuch x three months and compare to ThatMuch spread over three months...

Seriously, the last job I had I LEFT because they had similar asinine thinking (can't reboot a hung server unless you have it in Change Review Board meeting and yes, you must attend the 1.5hr long meeting. 1.5HRS for a hung system, helll!!). A company not thinking sensibly is a company I will not work for.

Dave
From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Monday, August 31, 2009 5:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC

Hey all,

Following on from IE8 doesn't work thread, management here wants to start using PSEXEC to patch applications. I'm a bit hesitant to use it for patching 2800 desktops for Adobe reader, flash, firefox and UltraVNC, fine for running scripts and such, just not sure about patching.

Logging is a whole other thing, personally, I don't want to be able to log which machines were successful, failed or not on as there would be no incentive to get a proper patching solution. I can wrap a batch file around it to re-direct output to a file, so the possibility of logging is there.

What are the pitfalls that any of you that use this approach have come across?

Also thanks
Re: [On-Topic] Patching with PSEXEC
The problem is all the companies with these stringent change control processes have been, to speak proverbially, bitten squarely in the ass by a lack of change control. I work for the polar opposite - a company where no change control exists and where the head of IT makes changes, often in the middle of the full working day, for no good operational reason that result in loss of service on other, related systems. I have also worked at companies with very strict change processes and know which one I prefer, if I had to choose an extreme.

My boss decided to perform an upgrade to Active Directory 2008 not long ago and WebSense has not functioned properly since, which is annoying when 25% of my users are now browsing the net unfiltered. He upgraded our AppSense server to 2008 and then I spent a week putting it back onto a 2003 system because he hadn't done any testing. I shudder to think what will happen when he turns his upgrade-addicted eyes onto our Exchange 2007 infrastructure.

Of course, I am sure people would say just leave, but we are in the middle of a testing economic time and I have a wife recovering from an operation and two hungry babies to feed. I'd rather work somewhere where change control was a happy medium, but IMHO, tighter than a gnat's ass beats the cowboy approach every time.

Apologies for taking the topic off on a tangent :-)
Change control (was RE: [On-Topic] Patching with PSEXEC)
I totally understand the need for change control, but there certainly are efficient ways to implement it. %DAYJOB% has good change control, %FORMERDAYJOB% didn't. To put names to it, I used to work for Textron and they had good change control. After being there 10 years they outsourced *some* of the IT infrastructure (the support portion, not the programmers) to CSC and CSC's change control was insane. I do realize leaving in these economic times is tougher, but it wouldn't stop me from looking....

Does your boss not face any repercussions from deploying w/out testing? I would use them as an opportunity to either work with him or go above him with a plan on "this is how we should handle change, xxx problems happened because we had no process and ExampleA and ExampleB problems would have been prevented, here's how...."

Dave
Re: Change control (was RE: [On-Topic] Patching with PSEXEC)
I've worked for a number of outsourcing companies and the change control is always very tight. It's the only way they can do it, but I admit it is completely inflexible for the client - particularly those that retain IT staff who now have to watch their systems managed by others who don't understand the particular intricacies of the business or the infrastructure. You are right about good change control being right in the middle of the change control spectrum. Can't say I've ever found a company that managed to strike the balance exactly right though.

The reason my boss gets away with his cowboy approach is because he is prepared to sit there for 36 hours+ trying to get it working. I, on the other hand, am not. He bodges solutions together and then expects me to sanitize them and make them supportable. I love his approach though - he breaks something, then sends an email out to let users know that it is broken, and then puts the fastest fix in place he can find - usually reverting to where he started. He once deleted a snapshot I took before I'd finished testing, and made me completely unable to roll back my changes.

He never seems to face any repercussions because our users (who are probably used to things packing up during the day) are happy as long as they get informed as to what's busted. Things would be much smoother if I could run them my way, but that's unlikely to happen because he is popular amongst the golf-playing directorship (ain't it always the same?) I, on the other hand, prefer boxing to golf and have an unfortunate habit of calling a spade a spade, which seems to preclude me from breaking into the management clique. Ho-hum.

Still - it's only ten minutes drive from home :-)
Re: Change control (was RE: [On-Topic] Patching with PSEXEC)
Arguing with the boss or pointing out their mistakes only makes for a bad work environment which can lead to you losing your job or him making your work life H%%%. At this point in time your answer shows great understanding for the basic fact that 1) the boss is always right, and 2) if the boss is wrong refer to 1). Jon On Mon, Aug 31, 2009 at 3:58 PM, James Rankin kz2...@googlemail.com wrote: I've worked for a number of outsourcing companies and the change control is always very tight. It's the only way they can do it, but I admit it is completely inflexible for the client - particularly those that retain IT staff who now have to watch their systems managed by others who don't understand the particular intricacies of the business or the infrastructure. You are right about good change control being right in the middle of the change control spectrum. Can't say I've ever found a company that managed to strike the balance exactly right though. The reason my boss gets away with his cowboy approach is because he is prepared to sit there for 36 hours+ trying to get it working. I, on the other hand, am not. He bodges solutions together and then expects me to sanitize them and make them supportable.I love his approach though - he breaks something, then sends an email out to let users know that it is broken, and then puts the fastest fix in place he can find - usually reverting to where he started. He once deleted a snapshot I took before I'd finished testing, and made me completely unable to roll back my changes. He never seems to face any repercussions because our users (who are probably used to things packing up during the day) are happy as long as they get informed as to what's busted. Things would be much smoother if I could run them my way, but that's unlikely to happen because he is popular amongst the golf-playing directorship (ain't it always the same?) 
I, on the other hand, prefer boxing to golf and have an unfortunate habit of calling a spade a spade, which seems to preclude me from breaking into the management clique. Ho-hum. Still - it's only ten minutes drive from home :-)

2009/8/31 David Lum david@nwea.org

I totally understand the need for change control, but there certainly are efficient ways to implement it. %DAYJOB% has good change control, %FORMERDAYJOB% didn’t. To put names to it, I used to work for Textron and they had good change control. After being there 10 years they outsourced *some* of the IT infrastructure (the support portion, not the programmers) to CSC and CSC’s change control was insane. I do realize leaving in these economic times is tougher, but it wouldn’t stop me from looking….

Does your boss not face any repercussions from deploying w/out testing? I would use them as an opportunity to either work with him or go above him with a plan on “this is how we should handle change, xxx problems happened because we had no process and ExampleA and ExampleB problems would have been prevented, here’s how….”

Dave

*From:* James Rankin [mailto:kz2...@googlemail.com]
*Sent:* Monday, August 31, 2009 12:09 PM
*To:* NT System Admin Issues
*Subject:* Re: [On-Topic] Patching with PSEXEC

The problem is all the companies with these stringent change control processes have been, to speak proverbially, bitten squarely in the ass by a lack of change control. I work for the polar opposite - a company where no change control exists and where the head of IT makes changes, often in the middle of the full working day, for no good operational reason that result in loss of service on other, related systems. I have also worked at companies with very strict change processes and know which one I prefer, if I had to choose an extreme.
My boss decided to perform an upgrade to Active Directory 2008 not long ago and WebSense has not functioned properly since, which is annoying when 25% of my users are now browsing the net unfiltered. He upgraded our AppSense server to 2008 and then I spent a week putting it back onto a 2003 system because he hadn't done any testing. I shudder to think what will happen when he turns his upgrade-addicted eyes onto our Exchange 2007 infrastructure.

Of course, I am sure people would say just leave, but we are in the middle of a testing economic time and I have a wife recovering from an operation and two hungry babies to feed. I'd rather work somewhere where change control was a happy medium, but IMHO, tighter than a gnat's ass beats the cowboy approach every time. Apologies for taking the topic off on a tangent :-)

2009/8/31 David Lum david@nwea.org

Sounds like they’re trying hard not to be around very long if they are so near sighted. Do they change the oil but not the filter on their cars too? Seems a simple matter of “my time at xx/hr = ThisMuch, vs this product + install/setup/hardware = ThatMuch. Do ThisMuch x three months and compare to ThatMuch spread over three months
RE: [On-Topic] Patching with PSEXEC
I have patched tens of thousands of boxes with psexec. My current patching script I use is a VBScript which I launch from psexec. Works great. Logging is built-in to the scripts...

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Monday, August 31, 2009 4:59 AM
To: NT System Admin Issues
Subject: [On-Topic] Patching with PSEXEC

Hey all,

Following on from IE8 doesn't work thread, management here wants to start using PSEXEC to patch applications. I'm a bit hesitant to use it for patching 2800 desktops for Adobe Reader, Flash, Firefox and UltraVNC, fine for running scripts and such, just not sure about patching.

Logging is a whole other thing, personally, I don't want to be able to log which machines were successful, failed or not on as there would be no incentive to get a proper patching solution. I can wrap a batch file around it to re-direct output to a file, so the possibility of logging is there.

What are the pitfalls that any of you that use this approach have come across?

Also thanks to Sam Cayze for the PSEXEC command for Adobe, hadn't attempted to work out the command for Flash but this does it, saved me a bit of work :-)

Slightly off-topic, don't know why anyone would want to leave this list, keeps me sane most days. Sorry if this is a bit all over the place, 11am and been here before 7 :-(

All information greatly appreciated.

Regards
Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com
http://www.quinn-insurance.com