How Not to Do OS Deployment

As you may have seen in the news recently The Commonwealth Bank of Australia got themselves into a bit of a mess by deploying a OSD task sequence to far more clients than expected. You would be surprised how often I hear about this happening at companies when I am out on site. What if (maybe they were anyway) CommBank were using ConfigMgr 2012? How could this disaster have being prevented?

First of all, this could happen to anyone, even the most experienced administrators. It was most probably simple human error, it happens sometimes people don’t notice and sometimes people do. This time obviously a lot of people noticed.

When you see this happen the biggest problem is getting someone to own up, for obvious reasons. However in ConfigMgr 2012 administrative actions in the console are audited and can be reported on much easier than before. It doesn’t end at that though, as part of the new role-based administration you can also scope objects using the Set Security Scopes option which you can see on many objects in the console.

These two methods could help you identify who the culprit was and even prevent it from happening. Why is that? Well the security scopes mean that if you do not have access to objects which are scoped out or you do not have a role to perform actions on those objects then you simply won’t see these objects. This works great especially in this example where you potentially do not want your desktop guys touching your servers, possibly visa-versa as well.

With this method in place, you cannot deploy task sequences, applications or packages to collections which you don’t have access to. Simple, but we can take it a little further as well. The fact that the task sequence just seemed to run indicates that we are looking at a mandatory PXE advertisement, this isn’t generally a good idea (for the reasons this post is about). You can specify a password on PXE advertisements so they may boot up but don’t run until you put in a password. You could also look at making the deployment optional (or non-mandatory/available).

Obviously these last two points were available in ConfigMgr 2007, fingers crossed CommBank are back up and running (says a lot for making sure your backups work) in no time at all.

Advertisements

Tags: , , , ,

About Martyn

Martyn is one of the Senior Cloud Architects and DevOps Team Leader at one of the worlds leading Cloud Transformation Specialists Inframon. Martyn is responsible for the architecture of some of the largest Azure deployments in EMEA and is a advisor to a many businesses on their strategies. Martyn is a regular speaker at Microsoft events and community events on Azure and DevOps, giving his insight to a growing number of audiences.

Trackbacks / Pingbacks

  1. Promotion of Objects Part 1 - Martyn Coupland - January 14, 2014
  2. Promotion of Objects Part 1 | All Things ConfigMgr - February 6, 2013

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: