Login Deployment Lockdown
Hello All,
Long time lurker, first time poster. I have always found my anwsers without having to create an account! Thank You. However I seem to have run into an issue that I am either not searching the proper term or I am crazy.
I would like to start deploying applications on a weekley schedual rather than just deploying at will (How we have been doing) some of our deployments get pretty intense with multiple pieces installing to have a single effect.
What I would like to be able to do is lock down a machine at login (AD 2003, Windows XP SP2/3) so that the applciation can install and reboot (if need be) before the user can gain access to the OS. My packages are being deployed using SMS 2003 SP3 and would like to be able to only use AD or SMS to make this possinble rather than adding another piece to the puzzel that is packaging and deployment. Is that possible? :)
Thanks Again.
Long time lurker, first time poster. I have always found my anwsers without having to create an account! Thank You. However I seem to have run into an issue that I am either not searching the proper term or I am crazy.
I would like to start deploying applications on a weekley schedual rather than just deploying at will (How we have been doing) some of our deployments get pretty intense with multiple pieces installing to have a single effect.
What I would like to be able to do is lock down a machine at login (AD 2003, Windows XP SP2/3) so that the applciation can install and reboot (if need be) before the user can gain access to the OS. My packages are being deployed using SMS 2003 SP3 and would like to be able to only use AD or SMS to make this possinble rather than adding another piece to the puzzel that is packaging and deployment. Is that possible? :)
Thanks Again.
0 Comments
[ + ] Show comments
Answers (7)
Please log in to answer
Posted by:
anonymous_9363
15 years ago
Group Policy machine-based installs will do exactly what you want, in terms of installing before the user has access to the workstation. Scheduling...not sure, as my current client is the first place I have encountered GP deployments and here we deploy at will.
Doesn't SMS do the above already, though?
Doesn't SMS do the above already, though?
Posted by:
Drpwne
15 years ago
ORIGINAL: VBScab
Group Policy machine-based installs will do exactly what you want, in terms of installing before the user has access to the workstation. Scheduling...not sure, as my current client is the first place I have encountered GP deployments and here we deploy at will.
Doesn't SMS do the above already, though?
Indeed on the Group Policy... Just with SMS we gain all of the management and monitoring tools.
However that is the crap shoot, My team packages the application another advertises and deploys with SMS, I am being told that SMS cannot do this but honestly do not think that is a true statement especially when you can lock down with less than SMS.
Posted by:
anonymous_9363
15 years ago
ORIGINAL: DrpwneIt's always been my understanding that one of SMS's features is the ability to do push installs to workstations.
I am being told that SMS cannot do this but honestly do not think that is a true statement
Is anyone able to enlighten us one way or the other?
Posted by:
dunnpy
15 years ago
Drpwne,
With SMS you can schedule advertisements for specific times/dates.
So you could create a recurring advert for every 1st Monday of the month - for example - so that you populate the collections throughout the month, but they only get actioned on the 1st Monday.
From within the advertisement you can specify that it will run at 'login' or 'logoff' or as 'soon as possible' - I've never used the 'at login' option, but imagine that it wouldn't prevent the machine from being used during the installation.
The only thing I can't help you with is the locking of a machine and reboot before the user gets control of the machine.
OnCommand's CCM (now Symantec I think, but called something else) had the facility to log into the machine, run an installation, reboot, log in again to check nothing else was due, and then log off and return control back to the user - we migrated from that system years ago because it interrupted users whilst they were working.
One of the 'benefits' of SMS is that it handles deployments silently and in the background with minimal interference to the end user.
I'm sure there must be some util out there you could use, I imagine it would be leveraging something either with autoadminlogon, intercepting the logon gina or replacing the shell with something other than explorer.exe.
The other option would be to schedule for a night-time deployment, and force a reboot from SMS. There is a 3rd- party add-in for SMS (SMS Companion) that utilises Wake On Lan.
That's the best my brain can do at this time on a friday [:D]
Hope it helps,
Dunnpy
With SMS you can schedule advertisements for specific times/dates.
So you could create a recurring advert for every 1st Monday of the month - for example - so that you populate the collections throughout the month, but they only get actioned on the 1st Monday.
From within the advertisement you can specify that it will run at 'login' or 'logoff' or as 'soon as possible' - I've never used the 'at login' option, but imagine that it wouldn't prevent the machine from being used during the installation.
The only thing I can't help you with is the locking of a machine and reboot before the user gets control of the machine.
OnCommand's CCM (now Symantec I think, but called something else) had the facility to log into the machine, run an installation, reboot, log in again to check nothing else was due, and then log off and return control back to the user - we migrated from that system years ago because it interrupted users whilst they were working.
One of the 'benefits' of SMS is that it handles deployments silently and in the background with minimal interference to the end user.
I'm sure there must be some util out there you could use, I imagine it would be leveraging something either with autoadminlogon, intercepting the logon gina or replacing the shell with something other than explorer.exe.
The other option would be to schedule for a night-time deployment, and force a reboot from SMS. There is a 3rd- party add-in for SMS (SMS Companion) that utilises Wake On Lan.
That's the best my brain can do at this time on a friday [:D]
Hope it helps,
Dunnpy
Posted by:
turbokitty
15 years ago
SMS can't do a logged-off install? That seems surprising to me. Every other tool I've used can do that.
Posted by:
Drpwne
15 years ago
Thanks dunnpy,
The schedualing we are good with and we have used Wake on LAN as well. My real issue is the install at logon issue. Sorry I should have been a little more detailed in my design explination .
My company has about 3000 employees 90% of which are laptop users so essentially the machine may not be in the office once the advertisement goes out so we also use caching for some apps.
Turbokitty, SMS will do a logged-off install. Essentially a machine just has to be attached to the network and turned on, Wake on LAN can fixed the turned off issue too.
My main issue is wanted to lock the machine down at login as the app installs. [:)]
The schedualing we are good with and we have used Wake on LAN as well. My real issue is the install at logon issue. Sorry I should have been a little more detailed in my design explination .
My company has about 3000 employees 90% of which are laptop users so essentially the machine may not be in the office once the advertisement goes out so we also use caching for some apps.
Turbokitty, SMS will do a logged-off install. Essentially a machine just has to be attached to the network and turned on, Wake on LAN can fixed the turned off issue too.
My main issue is wanted to lock the machine down at login as the app installs. [:)]
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.