Domain Administrators help please Options

[Genders]

Hi,

After some help from more experienced / senior domain administrators.

How do you handle your third party application updates?

I have WSUS sorted and working well.

Though I know from checking my domain I have a lot of clients out there with Fire Fox, Adobe Reader, Flash Player, Java, Chrome, 7 Zip / Win Rar, etc...that all need updating and managing or removing.
We get updates from out external support vendor when a major Windows issue comes around and it gets patched by WSUS.

But what about all the third party application updates?

Thanks

GENDERS

[mudg3]

Lol they aren't supported. There is what is apart of the SOE and then BL. Users can update them selves. Things like Java and adobe reader we just package up and push out via SCCM.

[Jeruselem]

Those software have their own updating systems, no need to worry.

[elvenwhore]

We have a standard image with the tested and approved SOE and updates to things like Java are, as mudg3 said, packaged and pushed out via SCCM. If it's not on the SOE, we don't support it and we don't manage it, users have to do this themselves if they want to go down this road.

[Mordenakhnen]

If you find you can trust a little app called Ninite (www.ninite.com) then you should be able to deal with the small apps that it knows about via the small download you get from there.
If you are unfamiliar with it, you select from a fairly decent list of apps on their site and download a small program that when run checks for any installed versions and updates/installs as necessary,
taking into account x86/x64 of both OS and the apps (and it leaves out any crap such as third-party toolbars). To update, you simply run the same little program whenever you see fit to check.
The only issue I have had was Yahoo Messenger breaking once on some machines but not others, a manual download & install did the same so it wasn't Ninites fault.
I have no idea how quickly they react to new versions of the supported software, I don't update that often.

This post has been edited by Mordenakhnen: May 4 2012, 09:32 PM

[xnatex]

we use managesoft, it works well with group policy and its easy to push out updates from your core to the DC's in the child domains.

http://www.flexerasoftware.com/managesoft.htm

[gunny]

we use managesoft, it works well with group policy and its easy to push out updates from your core to the DC's in the child domains.

http://www.flexerasoftware.com/managesoft.htm

Check Ninite Pro www.ninite.com as a easy way to manage 3rd party app updating

[xnatex]

as much as i would love to change our updating program we look after about 50 or so domains with this managesoft dug deep into our system :(

[Genders]

Thanks for the suggestions. I've just got back from holiday.

I know the majority of the applications have a self updating ability. But from my audit I've found that they are all out of date. It's a big risk, more so then Windows Updates. I'll have a look at the suggestions and work from there.

I'd prefer more control over the clients then what I / we as IT currently have. You'll freak at this but every user on my domain has local admin rights to their computer and the Administrator password for ever client is the same. Old legacy issue...

[fatal_boot]

Those software have their own updating systems, no need to worry.

No no no. I repackage/rescript apps to turn auto updates OFF. Need consistant versioning for deployment. You don't want users using different versions of software without testing and approval. Standardisation!

We use SCCM.

Also, you can use SCUP catalogs. Reference:
http://blogs.adobe.com/adobereader/2011/02...-x-is-here.html

[xnatex]

I'd prefer more control over the clients then what I / we as IT currently have. You'll freak at this but every user on my domain has local admin rights to their computer and the Administrator password for ever client is the same. Old legacy issue...

Thats really keen, is the domain admins group nested in the local SAM administrators group?
How big is your network?
are you very comfortable in making group policies? you should load up vmware and create a test domain and try copying current user permissions and try to lock it down with group policy. You are at quite a high risk if there is a major system compromise (i.e. a disgrunteled user)

[mudg3]

I'd prefer more control over the clients then what I / we as IT currently have. You'll freak at this but every user on my domain has local admin rights to their computer and the Administrator password for ever client is the same. Old legacy issue...

Find a new job, Users do not get local admin unless they are out in the field. It causes more issues then its worth.

[SquallStrife]

In a nice ideal world, users dont need local admin on their machines.

In the horrible real world of sloppy vendor software, it's a cruel reality.

[Jeruselem]

I'd love not to give users local admin but you try running PLC software in non-admin mode.

[DonutKing]

I manage a domain of about 100 PC's.
You don't need SCCM or anything fancy to do this.

Most of the software you listed in the OP is available as an MSI. So all you need to do is download the MSI or extract it from the installer, then open your group policy management console, and assign it to Software Installation under Computer Configuration. It will automatically install the software when the system next boots. Make sure you store the MSI on a file share where computer objects have at least read permissions.

If you want to customize the MSI to get rid of desktop shortcuts or autorun registry entries (like java auto updater for example) you can download InstEd for free and make a transform, then delete the records in the MSI you don't want.
You can make basic MSI's for free using a program called Advanced Installer (more complex MSI's require a licence).

If you absolutely cannot make it work with an MSI you can just script it. If you are using Vista or win 7, or have XP with the Group Policy Client side extensions installed, then you can actually use Group Policy Preferences to create a new scheduled task on domain computers. Write a script to run the install, then use the scheduled task to run this script on computer startup, with highest privileges. If you save credentials in the scheduled task it is apparently possible to retrieve the password from the group policy objects on the domain controller (although it takes quite a bit of effort) so you shouldn't use a domain admin account for this, instead just use an account with admin rights to the PC and no rights to the domain.

I prefer to use MSI's whenever possible though. This is how I manage all our software. As for Microsoft updates we just use WSUS for that.