5 Replies Latest reply on Sep 12, 2017 2:24 PM by bdwest

    How do I allow server admins to install patches at their discretion?

    bdwest Apprentice

      I need to set up patching so when an admin logs into their server, they can kick off the installation of patches at a time that they know it's safe to do so, and reboot the system.  Is the best way to do this to put a task into the Portal Manager/Workspaces?  I'm not seeing any other standardized way within LDMS/IEM to do this.  I know that I could create a batch file with a command line to feed vulscan the right parameters to install certain patches, and have an admin run that batch file.  But I'd like to keep everything within the LDMS/IEM ecosystem, and not just hack something together freestyle.

      Thanks for your help as I continue to get up to speed.

        • 1. Re: How do I allow server admins to install patches at their discretion?
          Motaz ITSMMVPGroup

          I had a similar case a couple of days ago, and what I did was set up some scopes for the admins and grant these admins permissions to see their servers only. So we just installed the LDMS console on their machines, and using their Domain Accounts they were able to access it and see their servers ONLY.

          • 2. Re: How do I allow server admins to install patches at their discretion?
            phoffmann SupportEmployee

            Yarp - pretty much the above is the thing.

            The key here is "make cunning use of scopes".

            (And don't give 'em LDMS Admin rights - just the rights they need).

            • 3. Re: How do I allow server admins to install patches at their discretion?
              bdwest Apprentice

              Thanks for the suggestion.  I can see how that would be appropriate in some scenarios.  In this case, the servers I'm thinking of are handled by SMEs who are not IT folk.  I'd rather not have to install consoles on their systems.

              What they're used to is a popup from the system tray when they log in.  But if I tell them to check Workspaces when they log in, I think that would work.  Am I misunderstanding Portal Manager/Workspaces?  Is there a reason why that wouldn't work to come closer to what they've done in the past?

              • 4. Re: How do I allow server admins to install patches at their discretion?
                phoffmann SupportEmployee

                Hmm - OK ... opinions about servers being "admined" by people who don't know anything about IT aside (and the bad luck of a situation) ... let's see what we can do about a lowest common denominator factor.

                So ... have you considered enabling Autofix ... you could have a link in the SWD-portal that essentially just runs vulscan (with or without UI) - and with Autofix, it'll pull down everything you want fixed. You can even specify Autofix by scope, so that "Bob Bobson's" set of patches doesn't interfere with "Bill Billington's" set of servers.

                That aside, you may just trawl around the web / write a simple toast-message thing (I believe it should be possible to write it in PowerShell) to let people know that "patches are ready". Though since this requires people logging ON to those servers, I'd perhaps recommend sending an e-mail instead (can be automated), which essentially says, "Hey, {name}, Servers A, B and C have patches outstanding. Please click on the thing to have it do the patching & reboot at a convenient time. Love - your admin" or something (maybe not quite those words, but you see where I'm going).

                That leaves people with the illusion of control and much of this stuff could be automated potentially either via Rollout projects and/or Process Manager, depending on how complicated you want things to be, leaving YOU to get on with actual work.

                How's that?

                • 5. Re: How do I allow server admins to install patches at their discretion?
                  bdwest Apprentice

                  I ended up creating a scan task like others I've made, but I just changed the Portal Settings from "Run automatically" to "Recommended".  I showed the target users how to find this in the Workspaces area, and how to start it at a time that made sense for them.  It displayed a UI for them to track the progress, and let me customize the reboot time.  Basically, it met the requirements for what I was looking for.

                  Thanks for the other ideas you offered.