Automated Software Rollouts

[Tim Bazzinett 0]

A question came up for one of our clients dealing with how to simplify the rolling out of software. This client, a manager of a car dealership with around 70 PC's is wanting something that is as simple as taking a mouse, clicking on a software package icon, then highlighting a few computers and dropping and dragging the software icon to those PC's, allowing software to install. This goes for all and any software packages. Sounds easy, but we all know it is never like that.

 

The network is a win2000 AD domain. Win2000 server, 70 some win2000 professional client PC's. Two administrative users, everyone has just standard user privileges (meaning, no software installs allowed. After all, they are car dealers who want nothing more than to have gator, comet cursor, and all sorts of **** ).

 

So, is there any software similar to this that will allow an ease of software rollout from a centralized distribution point. The most PC savvy at the dealership is still blown away by an MMC console, meaning, this software has to geared to a someone with little PC experience. There is really no on-staff network admin, just one person who has played around with a PC in her spare time.

 

I know of two possible solutions, Microsoft SMS and Ghost Enterprise. Ghost requires the use of snapshots, before and after a software install. My client has already purchased Ghost on her own. But this method is far too intimi[censored] for her to try to learn. She wants something much easier to use. Also, myself, I have never worked with SMS server to suggest that as a purchase.

 

Any good suggestions?

[clutch 1]

I use SMS 2.0 right now, and it is quite intimi[censored] as well. However, it will let you install just about anything as long as it can be scripting (passing command line args normally). MSIs are pretty easy to push with it as well, but nowhere *near* as easy as AD is. However, AD will only handle MSI files for pushes, so that might not cover everything you are looking for. SMS also handles many other inventory and asset control functions as well, but all of this may be overkill anyway. The next version is supposed to be more user friendly, but I don't think that helps you now...

 

[DosFreak 2]

What kind of software are you looking at for deployments?

Do ALL pc's need ALL of this software?

How easy is it to install this software?

 

 

Okay, SMS is WAY overkill in this situation. It's also not at the level that you are looking for. It is getting better however and Microsoft it still up[censored] it. In fact the SMS Value Pack should be out pretty soon which is supposed to integrate further with their SUS (Software Update Service) program.

 

In fact I recommend you do this:

1. Install and implement Microsoft SUS

(The way this works is that you install a Server Side Component on a Windows 2000 IIS Server Non-Domain Controller, this program will synchronize with the Microsoft Windows Update Server and download all Update for Windows 2000/XP Systems.

The next step is a client side which simply needs to be run on all clients (the installation program does not have to be configured) After the client is installed on all computers then use Group Policy to push out the proper Update settings for all Clients)

 

This program ONLY pushes out Security Updates for now.

 

2. Buy the programs from Shavlik Technologies.

(These programs include Account Inspector/Password Inspector/Baseline Security Analyzer/Hotfix Scanner

Account Inspector is handy. Not as informative as the freeware tool Dumpsec but Account Inspector is better for the WGM or for management types and it just concerns ACCOUNT information.

Password Inspector in my opinion is a piece of junk. It just checks that your passwords are compliant with whatever policy that you have for them. It doesn't crack passwords. So ignore this program abd buy L0phtcrack 4 (LC4)

 

Baseline Security Analyzer - Same as the Microsoft Baseline Security Analyzer except these are the guys who made the prog. Also this version can upload results to an SQL server and includes other handy-dandy options. (EXCELLENT TOOL...especially for the people who you have describe)

 

Hotfix Checker- More advanced than the Security Analyzer and probably not for the people you described. Doesn't include hints on how to configure your system like Security Analyzer does but it's more configurable and easier to for scanning purposes.

 

3. Buy LC4. L0phtcrack 4 is THE password cracker. Every network should have it.

 

4. Learn Group Policy. Through it you can do lots of neat stuff and it's exactly what your looking for. Buy an .MSI program from Installshield and teach them how to use it or learn how to use the simpler programs based off Installshield Technology that come on your Windows 2000 CD's. I recommend buying the Install Shield Stuff.

 

 

As far as I know there's no program that will say:

 

Load up a GUI that lists all computers in your domain.

Prompt for setup program executable and has you run through the program options and install.

Complies the installation information into a file and compiles the package.

Prompt you to deploy.

 

You CAN do this with SMS but it's not as simple as I just described. It's one of those yes it is easy and no it isn't easy kind of things. For instance, once you compile the package you THEN have 2 options for deployment. 2 Queries. 1 query for ALL clients who do not have the programd and 1 Query for All clients who DO have the program. To create these queries you also have to know what executables or registry entries to check for to verify that the program did/did not install on the client computer. The second option is to use .MIF's which when pushed to ALL clients will gather the information automagically and report it back to you, BUT you still have to create the Queries! hehehe.

 

Queries can be as simple as you need them to be or they can be highly advanced scripting languages. Considering that you look like you want to deploy lots of programs with the most easy of use....I recoemmend you stay away from SMS and look for a better solution. I seem to recall there being other solutions that SMS for deployment but I can't recall what they were, I think Group Policy is what you want tho. It's already on your network....you just need to figure out how to use it and how to teach it to your admins.

[Tim Bazzinett 0]

Thanks for the replies up above. I did read up on something on group policies this afternoon. Might have to dig further. Hopefully, with the hectic schedule I have to maintain, I can get a few hours to study up on this. Thanks!!

[Four and Twenty 0]

Quote:

1. Install and implement Microsoft SUS

where do you get SUS
and why can't i run it on my domain controller?
The only 2 servers on my network are pdc and bdc
i am not going to be psyched about setting up another comp just for updates but i might do that i have an old celeron that i was going make into a game server maybe i could get it to do alot more than that

[DosFreak 2]

Don't feel too far behind. The Final ver was realeased on Friday.

 

After I set it up on my network and was about to post it to NT Compatible I noticed it was already on the Front Page.....for about 2 secs. We really need either a sorting/ranking system and a commentary system for the front page because this little gem just flashed right on by.

 

http://www.microsoft.com/windows2000/windowsupdate/sus/

 

Read ALL of the documentation before you begin.

 

Also this works just fine on non-AD domains. It's just a ***** to setup compared to an AD domain. (Okay, not that bad) I just haven't figured out how to push the clients settings out via SMS yet.

[clutch 1]

I read about the betas of this in my newsletters, but it's nice to see that it's finally out. As for using SMS, I wrote that it was pretty much overkill (which it is), but AD would be *exactly* what he is looking for if the software uses MSI files (or someone is willing to repackage them into MSIs). I use AD to push out office via group policies, and it is very simple to assign any object and/or container a group policy; it just has to be defined in AD (which is simple) and then you bind the policy to it (which is just as simple).

[futuretech 0]

They could use AD and push some software with ZAP files.The clients have to have rights to access add remove programs, and install programs.

The ZAP files are not hard to write, and can only be published not assigned.(use drop down list and selectZAW files instead of .msi)

[clutch 1]

Quote:

The clients have to have rights to access add remove programs, and *install* programs.

Seems like letting users have the right to install programs would begin to defeat the purpose of half the security functionality of the OS. This is especially true since one of the intended goals was:

Quote:

Clipped from TBazzinett's post
The network is a win2000 AD domain. Win2000 server, 70 some win2000 professional client PC's. Two administrative users, everyone has just standard user privileges (meaning, no software installs allowed. After all, they are car dealers who want nothing more than to have gator, comet cursor, and all sorts of **** ).

And if they could install the apps, you could probably execute most apps silently with switches, right?

[dcxman 0]

Ever think of Citrix? Works wonders for me. Interface isn't too bad either.

 

Hope that helps.