How Not to Do OS Deployment
As you may have seen in the news recently The Commonwealth Bank of Australia got themselves into a bit of a mess by deploying a OSD task sequence to far more clients than expected. You would be surprised how often I hear about this happening at companies when I am out on site. What if (maybe they were anyway) CommBank were using ConfigMgr 2012? How could this disaster have being prevented?
First of all, this could happen to anyone, even the most experienced administrators. It was most probably simple human error, it happens sometimes people don’t notice and sometimes people do. This time obviously a lot of people noticed.
When you see this happen the biggest problem is getting someone to own up, for obvious reasons. However in ConfigMgr 2012 administrative actions in the console are audited and can be reported on much easier than before. It doesn’t end at that though, as part of the new role-based administration you can also scope objects using the Set Security Scopes option which you can see on many objects in the console.
These two methods could help you identify who the culprit was and even prevent it from happening. Why is that? Well the security scopes mean that if you do not have access to objects which are scoped out or you do not have a role to perform actions on those objects then you simply won’t see these objects. This works great especially in this example where you potentially do not want your desktop guys touching your servers, possibly visa-versa as well.
With this method in place, you cannot deploy task sequences, applications or packages to collections which you don’t have access to. Simple, but we can take it a little further as well. The fact that the task sequence just seemed to run indicates that we are looking at a mandatory PXE advertisement, this isn’t generally a good idea (for the reasons this post is about). You can specify a password on PXE advertisements so they may boot up but don’t run until you put in a password. You could also look at making the deployment optional (or non-mandatory/available).
Obviously these last two points were available in ConfigMgr 2007, fingers crossed CommBank are back up and running (says a lot for making sure your backups work) in no time at all.