I need some advice on using WSUS. I tried using it but we had XP, Vista 32/64b, 7 32/64b, and 2003 so there was just a huge amount of files in the list to sort through and I lost patience with it. My remote office requested it and they only have about 15 computers instead of my 150 and they are all Windows 7 64b. I'm going through the installation now but it's the selecting of the updates that I find a bit confusing.
How do I go about choosing which updates to approve and reject? I'm planning on only doing the Windows ones, no drivers or anything. The last time I played around with WSUS I had something like 35,000 updates listed and it never got smaller as I rejected or approved.
Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
Turns out this helpdesk position is more like a generalized IT support on a small team, so instead of just mindlessly cycling tickets, I get to mess up servers and stick my fingers in sockets and break exchange!
I went from my first job as the IT person for 15 people and about 20 computers where I sat around most days and documented things to someone who creates tickets while testing software for network equipment to my current job which is basically the first job +160 employees and I'm way more busy.
If this is your driving question, there is little in the way of hard, fast rules about approvals. Stick to only the OS's you have in play, and only Windows/Office and maybe ubiquitous software like Silverlight that most users are going to either install themselves or bitch about the fact that they can't.
If you're talking just workstations, auto-approvals are your friend. Go to Options in the left hand pane of the MCC and then Automatic Approvals should be about 5th down the list in the right hand pane. For workstations only, auto-approve all critical and security updates.
Don't auto approve a goddamn thing for a server. Don't approve any major OS/Application Update Rollups or Service packs. You want to be installing those by hand for the most part.
At the outset, yes there is going to be an utterly obscene amount of updates. Even Windows 7 is 3 years old already.
I'm not even bothering including the server in WSUS so I'm not worried about that part. I've set auto approve for the workstations that I have separated in AD with a GPO set for updates. I also set WSUS to use GPO to group the computers, only problem I see so far is that the Update Services is not separating them like they are in AD.
edit: Figured it out, forgot to set the group membership in the GPO, should be seeing my groups once the policies update.
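One way to script the approval policy from the posts above (critical and security updates for a workstation group only, nothing automatic for servers). This is an added example, not code from the thread; it assumes the UpdateServices module on Windows Server 2012 or later, and the group name `Workstations` is hypothetical.

```powershell
# Added example; not from the thread. Assumes the UpdateServices module
# (WSUS role on Windows Server 2012 or later) and an elevated session on
# the WSUS server. 'Workstations' is a hypothetical computer group name.
param(
    [string]$WorkstationGroup = 'Workstations',
    [switch]$Apply      # without -Apply, approvals are only previewed
)

Import-Module UpdateServices
$wsus = Get-WsusServer

# 1. Audit: list enabled automatic approval rules that reach beyond the
#    workstation group. An empty group list is treated as unscoped here
#    (assumption), so it is flagged as well.
$ruleFindings = foreach ($rule in $wsus.GetInstallApprovalRules()) {
    if (-not $rule.Enabled) { continue }
    $groups = @($rule.GetComputerTargetGroups() | ForEach-Object { $_.Name })
    $extra  = @($groups | Where-Object { $_ -ne $WorkstationGroup })
    if ($groups.Count -eq 0 -or $extra.Count -gt 0) {
        [pscustomobject]@{
            Rule   = $rule.Name
            Groups = if ($groups.Count) { $groups -join ', ' } else { '(none listed)' }
        }
    }
}

# 2. Approve: needed critical and security updates, workstation group only.
#    Service packs and update rollups are separate classifications, so they
#    are never selected here and stay a manual decision.
$approved = foreach ($class in 'Critical', 'Security') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class `
                   -Approval Unapproved -Status FailedOrNeeded |
        Where-Object { -not $_.Update.IsSuperseded } |
        ForEach-Object {
            Approve-WsusUpdate -Update $_ -Action Install `
                -TargetGroupName $WorkstationGroup -WhatIf:(-not $Apply)
            $_.Update.Title
        }
}

# 3. Summary object for review or logging.
[pscustomobject]@{
    RulesNeedingReview = $ruleFindings
    UpdatesTouched     = $approved
    Applied            = [bool]$Apply
}
```

Run it without `-Apply` first to see which updates would be approved and which auto-approval rules still cover groups other than the workstations.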
Is this where we tell stories about the wacky stuff our users pull? Oh goodie!
I do field support for "agents" of my company who are located all around the U.S. in their small work-from-home offices. Even though these computers are bought by the agents, they are locked down systems that are encrypted and have extra policy management software running in the background. They are intimately attached to the systems here at Home Office. One such agent thought she would hire her 16 year old son to be her "IT person" for her computer. The idea was the son would get "hands on" experience working with mom's company computer, and she would no longer have to call us for support. He told me she wanted me to get her son "up to speed" on how our systems worked, and handed the phone to him.
"Hey there", I said.
"Hi", the kid said... waaay too enthusiastically.
"You want to be the 'IT Guy'?"
"Yup!" he answered, "So let's start at the top. What's the administrator password?"
I was so surprised by the question I laughed out loud on the headset.
Like, I didn't mean to guffaw over the phone, but it was one of those hearty belly-laughs reserved only for Santa.
"I was being serious", he said sheepishly.
"So was I!" I answered back. "First of all, you are not going to get an administrator password because there's no administrator account on the system."
"I noticed, so under my mom's login, I made a local account, but I couldn't even find the 'Administrators group' to add myself to."
"That's because we remove it from all the field machines."
"So I'm stuck with just a limited account?"
"Actually no", I corrected. "When you reboot, the computer is going to delete your local account. They are only allowed if they can authenticate against our Active Directory and have cached credentials."
The kid sounded heartbroken... "So how do I log in?"
"You don't"
He was kind of quiet for a while. "So what can I do?" he asked.
"Well, you can help your mom hook up a printer, or maybe troubleshoot the internet going in. You are not getting access to the computer, and in fact you are not authorized to use it."
He thanked me and hung up. I kind of felt bad for him. He was about to get fired from his first "IT job" he ever had.
I mean, I know his heart was in the right place, but lots of agents don't realize how locked down the systems are. Between the transparent encryption and Single Sign On, it behaves almost like a home system (by design). However, the agents will always trip across something that causes them to realize that we control the horizontal. One such story was when we discovered that an Office update that we pushed wound up corrupting Windows if they had Publisher installed. (Our Office suite does not come with Publisher, and we strongly discourage installing Office products for this very reason.) When this issue was discovered, we decided to use one of our software management programs to scan all the field systems to see who had Publisher installed. When we found one, we sent the user an email saying they needed to uninstall Publisher so that our Office patch could go through. Failure to do so would result in the system being locked down until support could go in and uninstall it so we could update Office manually.
Oh boy we got some irritated agents not liking the idea that we scanned their systems and then telling them they can't run their expensive software they just bought. They will always try and pull the "I bought this computer" argument when they think we are being too intrusive. I have to let them know that if they want to use the system as a personal computer, they are more than welcome to use the computer branded system recovery disk and turn it into a home system. However, when they do that they will lose all their data, and will only have a recycle bin and Internet Explorer. (No more Office!). *and* they will no longer be able to connect to Corp.
I kind of wish the field systems were configured like the ones here, but I have to go through 7 logins (one with an authenticator) to start my work day and, admittedly, it's kind of a pain in the ass.
Heard this over the PA system just now "Will so and so please pick up a call on some number" and I think to myself.... that guy doesn't work here anymore. I call up the reception desk and tell him he's been gone for a month, "Well that was embarrassing".
What if you're locked in a cube and have no direct access to a window so you don't know what the weather is outside? I mean come on at least allow for a little human decency
It's called using your browser to go to www.weather.com if you want to know what it's like outside your cell.
Sorry for the delayed post; I was out of commission for the last 2 weeks and am getting caught up.
While I agree that being insensitive is an issue, so is being oversensitive.
Blocked 'outside life' related.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
I'd be a little wary about using auto-approve. There were issues in the past where an update was auto-approved and it turned out to be a crap patch. While yeah you can later set the update to be declined and then approved for uninstall, it's still a pain in the ass.
Someone here posted, maybe, a month or so back about a replacement for the Cisco ASA firewall/router devices. Does anyone have that link? I stupidly forgot to bookmark it like a dumbie.
@aiserou do you know how that license fee works? Do you need that fee for the hardware or is that if you want to use their cloud based setup/deploy stuff?
I don't have one myself. I saw them brought up in the same conversation you did and have been trying to justify the costs since. As far as I can tell though, yea, you need to have a license for it to work at all.
Okay, well those are just separate systems. It's not like one continuous chain of logins.
I've got 7 or 8 that I need to get into by default on any given day plus about 30 more that crop up. Fortunately a lot of them use built in AD authentication or are covered by our SSO app.
I don't need a ton of bells and whistles, and the price is pretty good since I'd only need maybe 1 or 2 licenses.
My wife uses it. I've never heard her say much wildly positive or negative about it. It pretty much provides vanilla remote support, from all I've seen or heard. Not the best or worst.
Since starting this job a month and a bit ago, the amount of passwords I'm having to memorise is getting silly already. (VPN password + 10-15 different server passwords + firewall passwords) x 10 or so clients that I'm working on. Plus passwords to get on machines that you have to use to connect to said VPNs, plus passwords to the VMs running on the machines you have to remote onto to get onto the VPNs, plus passwords for test servers. I am running out of head space for actual things.
Do we have a central store for all these? Hell no. Find it in a randomly named text file in the labyrinthine setup of file servers. Maybe.
Corp systems don't use SSO because I can change roles and require different identities at different times. They all auth against the same AD, for the most part.
That does look pretty slick, but the lack of NetOp support is a dealbreaker, and how well does it handle remote sessions within remote sessions? Like, VNC into a machine -> Open up a VM -> Connect that VM to a VPN -> NetOP Into the system that I actually want to do something on.
And I'm not sure I get your question? Whatever you can do in VNC, it can do too since it's launching VNC in the background.
Has anyone here ever done AD with mixed Windows and Linux systems? Engineering is on Linux and the rest of the company is on Windows, and IT is slowly making the move to cut off everything that isn't tied to AD (and refusing to help us, which is not necessarily surprising or unwarranted but still frustrating nonetheless).
So far I see Likewise Open (or whatever it's called now) as the best free option without needing to do too much voodoo magic, but if anyone else has any recommendations...
I kinda prefer Terminals, which is like Remote Desktop Manager on steroids, with native support for VNC, SSH, screen cap auto export to Flickr, built in ping, trace, DNS lookup, whois, Terminal Services admin console, can wake on LAN other machines. It can connect to your damn vCenter server and do VM console sessions too. It's pretty fucking awesome.
Also if you just need to remember a lot of passwords, look into KeePass. Not only does it store them in an encrypted, centralized, searchable database with a nice GUI and room for notes, you can actually train it to auto-type usernames and passwords into the appropriate windows for you, and copy/paste the passwords without ever seeing them in clear text.
Teach me :P . We've got a cert issue at work that I've been trying to fix on and off for the better part of 2 weeks.
Did that, then changed the virtual host for port 80 to use rewrite and force people to https
Job..get
Pig...In...Shit
These are the BEST jobs, seriously.
That's so sad.
What the fuck.
I bet they don't have to worry about fucking weatherbug.
So, they've got that going for them.
That's exactly it, thanks.
#1 System Login
#2 VPN Login (with authenticator)
#3 Virtual Machine Login
#4 Ticket System Login
#5 CRM login
#6 Time Tracker login
#7 Remote desktop login
Yea, it's kind of annoying.
Unless you are talking about the agents. They have it easy.
That plays a HUGE role into whatever I decide to buy or support/install.
https://docs.meraki.com/display/kb/Meraki+Licensing+FAQ
Sounds like you need this: http://remotedesktopmanager.com/
I see NetOp support here: http://remotedesktopmanager.com/Home/AddOn