#151536 - 2005-11-16 04:37 PM
Re: Automagic Windows patching
sixdoubleo
Starting to like KiXtart
Registered: 2004-02-06
Posts: 118
Loc: California, US
Quote:
But in your case though, it seems like internal policies should be revised rather than building custom, hard-to-maintain solutions to go around the problem instead of solving it.
Well, rewind to 2003...at the time not much was available. SUS 1.0 had just come out and it was hardly a solution. 1.2 promised a few fixes and never delivered. Therefore I scripted a solution.
Quote:
First of all, why can non-controlled PCs be added to the domain at all? If anyone has these credentials in your domain, patching will do nothing for security in your domain anyhow.
Secondly, how do you handle installations? Aren't there standard images, for example? Have you considered image-based installations using RIS or similar solutions, for example?
We use ghost images for our base OS. These are updated about every 3-6 months to contain the latest patches. All software is packaged and pushed down through GPO.
However, we're in a somewhat distributed environment and for various political reasons we have staff who can add machines to the domain within their delegated OU. They also sometimes perform manual software installs on their own machines. I know this is a problem, but it's one of those political battles that is beyond my control.
Therefore, as soon as you boot up in the domain, we scan/patch the machine.
On top of that we have about 300 laptops out in the field for months at a time. Then they come back to the office for 1 day to update assignments, and they're back out again. So for that 8 hours they're on the network they need to be patched...so we scan/patch them before they even log in, via the startup script.
Again, I am aware that a scripted solution is not ideal....but when the products out there don't address the needs you have, that's when you turn to scripting. My scripts only required one major code change...that was the switchover from HFNETCHK to MBSACLI...about 8 hours of my time. Look at the major upgrades you would have incurred if you had gone SUS 1.0, SUS 1.2, WUS (whatever happened with that?) and now WSUS.
Nonetheless I am looking to replace the scripted solution, and it seems WSUS+Client script is the way to go.