On 15/01/14 22:54, Simon Waters wrote:
> Had you down as the kind of person to install WSUS when a second
> computer arrives on the network, given your "nothing changes without
> me authorising it" approach to system admin.
>
> What's the alternative you'd suggest for smaller networks? of Windows
> machines. Say the 0 to 50 desktops range.
>
> Microsoft say set a group policy to use Windows Update, which is
> probably sound advice for a small domain, with just regular boring
> desktops for Word-processing and Email, and little other
> infrastructure to break.
>
> Somewhere an admin is sticking Windows update monitoring into Nagios
> and cursing the vagaries of Powershell and Windows admin rights, but
> that is probably fine for the odd server inflicted on us by history,
> in a tightly controlled environment, where we just need the odd bit
> of Microsoft server software to work, and Nagios or similar is a
> given for the Linux or Unix side of things. We'll know it needs
> patching, we'll do it manually, and test, and roll-out in a really
> small deployment (of Windows anyway). Even here WSUS is looking like
> it might have some benefits.
>
> I'm definitely not a Windows admin, so curious where folks go here,
> and how well it works.
>
> Microsoft seem to see the third party software update thing, as well
> as some improved management, as a revenue stream, which is perhaps
> where Linux distros went wrong, if Debian had a penny for every
> package I'd updated from their mirrors....
>

Ha, I do have WSUS running here at home actually, but then I have more computer resources than a lot of small shops do, and more instances (especially counting the VM herds). But I do mostly work here and all my testing, learning and experimenting with new stuff is done at home so I've got one of almost everything to hand that I might run into at work.

For a smaller shop of 0-50 machines WSUS is still useful, especially if it's one of the local ones you guys sometimes mention that are on terrible internet connections - just the bandwidth savings alone would be useful. It's easy to set up and use, I'd say it mostly depends on whether you already have the existing hardware and licensing stuff in place, i.e., you won't have to spend any more money on it. So if you've already got a couple of 2008/2012 Windows Server boxes in place that aren't working very hard or doing much, might as well turn it on!

Otherwise, it depends on the era of your Windows stuff - if it's creakier, like Vista/XP + Server 2003 then yeah, group policies set from the PDC. Super modern (all 2012/r2 and 8/8.1) then it's PowerShell scripts all the way. In between or mixed, and you'll end up using both.

The other critical factor is how managed your environment is - if it's a small shop with only a handful of non-idiotic, relatively skilled Windows users they can usually be trusted with Admin or at least elevation rights and to not install crap/interfere with the update process. In almost all bigger environments though, by necessity you're going to be exercising much tighter control and in many places, updates have to be tested against custom images first to check for breakage *before* they're rolled out to the network at large.

I'm used to the bigger/more controlled environments personally so have nearly always used WSUS as a matter of course. It's as much about locking out user interference and ensuring ongoing patch checking as anything else.

How dearly I wish that Nagios ran properly on Windows... I've tried and used lots of things that are a start (like NSClient) but it's all just crap compared to Nagios on *nix. As per usual, I end up having to do most of this stuff natively with WMI + PowerShell. I also wish that just writing bash scripts for Windows was a proper option, and whilst I'm at it, I'd like a pony too.

Regards

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq