5

I have an AD domain and I don't want my users to have admin privileges on their local computer. I have WSUS for Windows updates and stuff but what about Firefox, Flash and other third party program updates? Isn't there a better solution than to go to everyone's computer and give them my username/password so that the update will actually go through?

blsub6
  • Please see this [related question](http://serverfault.com/questions/158483/managing-self-updating-windows-software-in-gpo-deployed-packages/174791) about deploying updates. There are myriad ways to handle this. – jscott Oct 28 '10 at 17:43
  • Another related question: http://serverfault.com/questions/145527/how-do-large-companies-handle-software-updates-for-users-without-administrative-r – Evan Anderson Oct 28 '10 at 17:58

4 Answers

3

> but what about Firefox, Flash and other third party program updates?

It is called update hell. Seriously.

> Isn't there a better solution than to go to everyone's computer and give them my username/password so that the update will actually go through?

SCOM etc. can roll out install packages to selected computers that run with admin privileges and update the systems.

You could run logon scripts with admin privileges trying to do the same. With Acrobat we roll out new versions via AD when they arrive.

I seriously hope the Windows Update mechanism (which WSUS piggybacks on) gets opened to third parties at one point. The pressure will be terrific to actually have them get their act together and USE IT.

TomTom
  • +1 For wishing WSUS gets third-party-app plugins, or the ilk. That would make my life *much* easier. – jscott Oct 28 '10 at 17:44
  • 1
    @jscott: WSUS has support for third-party apps. Microsoft doesn't expose the functionality in their "for free" tools. System Center Updates Publisher allows you to deploy third-party updates, as do the for-pay tools from Eminent Software (eminentware.com). The API is called "local publishing". There's a nice thread about some attempts to write a tool to publish updates here: http://social.technet.microsoft.com/Forums/en/winserverwsus/thread/f7dd5052-60d2-4f44-bc3e-bacdbb9165e7 and code at https://sourceforge.net/projects/localupdatepubl – Evan Anderson Oct 28 '10 at 17:57
  • Sadly that does not solve the problem. What we need is Windows Update to be OPEN so that the PRODUCERS of the software can publish their stuff. No more "check 10 companies" only "run windowsupdate". – TomTom Oct 28 '10 at 18:01
  • @Evan Thanks. Guess I dream of some msi/msp/msu-based-update-utopia where the Adobes, the Apples and the Oracles of the Window-software-world publish their updates in some Grand Unified Windows Updater format that I can click-and-load into WSUS/SCCM and fire away at clients without so much messing around. I will follow up on your provided links. – jscott Oct 28 '10 at 18:03
  • 2
    @TomTom: I'm no Microsoft apologist, but I'd argue that openness isn't the problem in this case. It amazes me that third-party developers think that not using Windows Installer is somehow "adding value". If third-parties would just follow Microsoft's published best-practices for installation then this would all be much, much easier. When your product ships with a NullSoft, custom EXE, or other non-MSI, installer, you're not doing a service to the sysadmins who have to install and support your product. I don't know why software companies can't understand that. – Evan Anderson Oct 28 '10 at 18:06
  • 3
    The Adobe Flash installer is a great example. Here's a company that makes perfectly usable MSI's for Acrobat and Reader, but their heads are firmly up their asses re: Flash, which is just a big "Custom Action" to run the EXE-based installer (which is problematic). The company already has developers who are, clearly, familiar with developing MSIs but they can't use them for Flash! Idiocy. Having a satisfactory installation experience is the first step to a good experience with your software. Why wouldn't you want the install to be reliable and manageable? >sigh – Evan Anderson Oct 28 '10 at 18:09
  • @Evan, the other problem is that everyone uses Flash and Reader, etc. So there's no way to get around NOT using it. But you're right. The other thing that annoys me about Flash in particular is having to load it twice, once for IE and once again for Firefox.... – Holocryptic Oct 28 '10 at 18:22
2

The hard part is figuring out how to perform unattended installs / uninstalls / patches for each and every 3rd party app. Frameworks like Active Directory Group Policy, wpkg, etc, solve the easy part of the problem-- running code on the client computers.

You "pay the piper" one way or another. Either you subscribe to a service (KACE, etc) that has people who do the hard work of packaging up third-party updates and maintaining a framework to detect when they're needed and install them or you build the infrastructure yourself.

Personally I get a lot of mileage out of repackaging software as MSIs and using Software Installation Policy to uninstall old versions and install new ones. When I have to, I write startup scripts to perform unattended installations of updates. This isn't really sysadmin work-- it's more "installation developer work", but since so many third-party software companies can't get their act together and just use Windows Installer I'm often forced to be an installation developer for their products.

You can get some gratis help from online communities like AppDeploy.com (now owned by Dell via KACE) or the community surrounding wpkg. You're just leveraging the work that others have done to research the software.

It just comes down to what's cheaper-- your time or somebody else's.

As an aside: This would all be so much easier if developers would just use Windows Installer. All the documentation is freely available from Microsoft and there are a myriad of commercial and free/open source tools to get you started. I'm not even a professional developer and I can turn out MSI's using the open source WiX toolset very quickly. Whining that your installation is complex (and thus requires a custom EXE-based SETUP) isn't a valid argument since you can incorporate custom code into MSI-based installations and, ultimately, you'd have to write that code for your custom EXE-based SETUP anyway.

Evan Anderson
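
A startup script of the kind the answer above describes, as an added example that is not part of the original post. It assumes PowerShell 4.0 or later and a Group Policy computer startup script (which runs as Local System); the product name, version, share path and hash are hypothetical placeholders.

```powershell
# Computer startup script: runs as Local System, so users never need admin rights
# or an administrator's password. All values below are hypothetical placeholders.
$ProductName   = 'Example Reader'                  # DisplayName prefix to look for
$TargetVersion = [version]'2.0.0'                  # version the MSI installs
$MsiPath       = '\\fileserver.example\deploy$\ExampleReader-2.0.0.msi'
$ExpectedHash  = '<SHA256-OF-APPROVED-MSI>'        # pin the package you tested
$LogPath       = "$env:SystemRoot\Temp\ExampleReader-install.log"

function Get-InstalledVersion([string]$Name) {
    # Check both the native and the 32-bit-on-64-bit uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$Name*" -and $_.DisplayVersion } |
        ForEach-Object { try { [version]$_.DisplayVersion } catch { } } |
        Sort-Object -Descending | Select-Object -First 1
}

# Skip the install when the machine is already at or above the target version.
$installed = Get-InstalledVersion $ProductName
if ($installed -and $installed -ge $TargetVersion) { exit 0 }

# The script runs with full privileges, so refuse anything but the approved package.
# An unreachable file yields no hash and is treated as a mismatch.
$actual = (Get-FileHash -Path $MsiPath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($actual -ne $ExpectedHash) {
    Add-Content -Path $LogPath -Value "$(Get-Date -Format o) hash mismatch for $MsiPath, not installing"
    exit 1
}

# /qn = no UI, /norestart = never reboot on our own, /l*v = verbose log.
$msiArgs = "/i `"$MsiPath`" /qn /norestart /l*v `"$LogPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required; anything else is a failure.
if ($proc.ExitCode -in 0, 3010) { exit 0 } else { exit $proc.ExitCode }
```

Because every machine executes this as Local System, both the script and the deployment share should be writable by administrators only and read-only for everyone else.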
1

Check out Shavlik. It works pretty good for us.

CarloBaldini
0

Have a look at wpkg. It can operate beside WSUS if you want to deal with these 3rd party apps.

Other than that CFEngine already supports Windows and both Puppet and Chef are working on Windows support. So solid multi-platform solutions are coming.

3dinfluence
  • That doesn't address the work that needs to be done, though, figuring out how to perform unattended installations and uninstallations for each and every 3rd party app. That's the hard part. Frameworks to perform the installs / uninstalls (Active Directory Group Policy, wpkg, etc) are the easy part. – Evan Anderson Oct 28 '10 at 18:01
  • Yeah no solution comes without some time investment. But I've found that once you're on top of the learning curve managing the frameworks to do what you want isn't too much work. It's easy to find information on how to install most common 3rd party apps with any of these. But the pay off for investing the time in these sorts of tools increases with the number of computers you're managing. – 3dinfluence Oct 28 '10 at 18:11