[Dredd]

I work for a company on active directory. We need to get some of the clients up to date with service pack 3 for Windows 2000. It will be a royal pain to go around to 20 computers and install the sp3 and the other windows updates. Is there a easy and "simple" way to deploy these over the network and not disrupt the users too much? Thanks,

-Damon

[DS3Circuit]

If you are using a Domain security context

1. Place the computers that need to be updated in their specific OU

2. Extract SP3 onto a server share that has the correct permissions for those to access it. Read access is enough

3. Create a GP for that OU and create a GPO that has (for computers) a software installation that maps to the update.msi that is located once you extract all the service pack ... you can use winzip for this.

4.Once the Group Policy is in place, have your users reboot their machines, and upon startup the MSI for Service Pack 3 will come down, install on their machines, reboot again, and thats it.

5. There is a place to check in the policy to "not uninstall the software" when "management falls out of scope", otherwise when you move the computers to another OU, Service Pack 3 will uninstall itself.

HTH

[Astatine]

Do the users login under the regular account? And does their account need local admin rights?

[DS3Circuit]

Login normally

Assigned MSIs run under the context of machine level security. They are installed before a user ever logins.

[Astatine]

Just got a couple more questions about this, DS3Circuit...

1. Can the PCs be allocated to the same organizational unit as people? (ie. you have a unit called "headoffice" with all the people and PCs there)

2. Have you used this approach for any other type of installations such as Office? Is it effective?

[DS3Circuit]

Sure thing

In response to 1 = Sure, you only deploy service packs to computers anyways, just disable the GPO portion that is for User configurations (a faster load of the GPO) ... in a side note, for managerial and logical administration, I put them in separate OUs, but thats just me.

IN response to 2 = Same deal with office, but you can also specify it by machine AND user. Create an MST (configuration file) using the Office Resource Kit to custom your install. Also, this one can be either assigned or published. Personally, its how we do it on my networks.

HTH

[Astatine]

Would Software Update Services (SUS) work in a similar configuration? I've currently got a test group policy applied to just the IT staff logins, but of course, we need local administrator access to use it (which we do have). Obviously, if the updates are applied regardless of the login name, that'd be great.

[DS3Circuit]

SUS doesnt work with Service Pack Deployment

Only Hotfixes

[Astatine]

Quote:

SUS doesnt work with Service Pack Deployment

Only Hotfixes

No, I mean, at the moment, I have a group policy setup to do automatic updates from the SUS server. The policy is applied on users. What I was trying to ask was, could I apply the policy directly to the machines (in a similar fashion to how the policy on the machines is used to install SP3/Office 2000, etc) and still have it work?

[DS3Circuit]

Though I havent played with SUS recently, I believe it can be applied to machines as well as users. I should read their ADM file.

Try it out on a test machine

[Astatine]

Quote:

Though I havent played with SUS recently, I believe it can be applied to machines as well as users. I should read their ADM file.

Try it out on a test machine

Just a followup on this - I created an organisational unit last night and assigned a policy to do the SUS updating and moved a test machine into the unit. The user reported it downloaded 80megs of stuff and then asked to reboot. All done. Logs on the SUS server confirmed the updating and when visiting the Windows Update site manually, there was no critical updates that needed installing.