Month: January 2012

Automating Windows Updates via Group Policy

A little bit of background information for this one. In the company I work for, we tend to patch everything, it’s a fine practice but when it comes to Windows Servers which we have close to 80 of, all of them are currently being updated by hand.

Now, other than being tedious and annoying it’s a pretty large overhead and consumes quite some time… never mind those which needed to be done outside of office hours.

So, my solution?

Well, the new year had come, I could see the horrific patch day Tuesday on the horizon (second Tuesday of every month) and decided to stamp my foot down.

First thing first, decide a time when this can happen, I opted for 3-5am where there are no Back-Up jobs going on, it’s outside of AV scans etc. This is now called the Update Window

Secondly, split a domain of servers up into groups based on different things, what ESX host they were on, what services run from them etc. One thing I kept in mind was to reduce any potential strain on our VM setups (Our hosts are a little crowded!) during the machine start ups the machines were distributed evenly between the two security groups.

Next thing was to construct the group policies and as a picture speaks a thousand words, here’s mine


Once this GPO is published and applied the only other step is to exclude your 2 security groups (Romeo & Juliet in this case) from the default/predefined WSUS GPO’s

And that’s about it! 85% of our internal servers are currently auto-updating every Friday (You never know Microsoft and those damn extra hotfixes!)

TL;DR Make 2 security groups, exclude these from default WSUS GPO’s… copy the GPO above, publish, apply and enjoy.

Free Windows Software Deployment – PDQDeploy

Now, this was one of the first issues I ran into during my foray of being a SysAdmin.

We were a small shop, about 80 desktops and most if not all software deployment was done by hand. This meant we had lots of outdated software and a sizeable overhead when an end user would request an updated to X,Y,Z.

Now, as a somewhat of a start up and being new in my role, I wasn’t one to quickly recommend the most expensive solution. Instead, I decided to give PDQDeploy a whirl. It proved a decent hit.

And why not? It ticked every box we needed

  • Simple software deployment
  • Can be scheduled
  • Post-deployment reports

And still to this day for pushing out Firefox, Java, Shockwave, Reader, Flash (Damn you!), iTunes updates and other small little programs.

When this is tied hand in hand with a Secunia mailing list it’ll give you a pretty good head start on when systems will need to be patched.

So if you’ve been tasked with restructuring your software deployment process or just looking to reduce some workload, I’d suggest you give PDQDeploy a whirl.

Damn… This reads like a sales post.

Configuring Tumblr With A Hover Domain

So, you’ve just migrated from GoDaddy or you’re starting your shiny blog as part of the new year (Like Myself!) and you’re trying to get your Hover domain linking to your Tumblr.

Well, let me give you a helping hand as from what I could see there were no guides to it!

Firstly, you need to read up what Tumblr reckon to all of this;

Alrighty, well that seems pretty clear-cut. Now to set it up.

  • Head on over to Hover and log in and click the domain you wish to point to your Tumblr.
  • From here, select the DNS tab
  • Now, here you want to make some A Records. To do this, select Add New
  • Under Local host Enter Tumblr select A Record and enter the IP of 
  • You’ll also want to map and * in the exact same manner

You should end up with 5 DNS records in total for your domain, 2 will be the default mail ones that were created and the other 3 should be Tumblr, @ and * A Records mapped to Tumblr’s IP which is

Now, these changes can take up to 72 hours to propagate. In the meantime you can set up Tumblr so once everything has configured it should work. To do this simply follow the following;

Now log in to Tumblr, click the name of your blog at the top of the Dashboard, and clickSettings. Check off “Use a custom domain name”, and enter your custom domain (ie. “”). Click “Save Changes”,

And that’s that. You should have your custom domain redirecting to your blog ^^

Using PortQry to Test Firewall Rules

Firstly, what is PortQry?

Well, it’s a little program which can be used via command line or through a GUI to test specific ports on an IP.

You can obtain it here.

Now how can it be useful?

Sure, you can use Telnet [Port#] to the same effect (Kind of) but this little program can be scripted to allow you to test rules on both software and hardware firewalls.

I originally used it to module test rules on our Cisco ASA5510, since then I’ve moved on to a more advanced script which I’ll share.

So a little explanation, this script will allow you to enter a server name or IP to test again, you then specify the port and it’ll test that port against the specified IP with some TCP traffic.

Again, this can be built on but there is a more robust Powershell script which I’ll post at a later date for this purpose.

Either way, a cool little program.

Scripting AVG 2012 Removal

So, we’re recently upgrading to Kaspersky from AVG in our environment and came across a stumbling block of where Kaspersky wasn’t removing AVG clients from machines that we deployed to.

After fiddling around with deploying the AVG removal tool I decided to put together this little Powershell/Batch script to remove from selected machines remotely.

This will remove AVG without user interaction and won’t reboot the machine. I’ve found this pretty handy considering the AVG Admin Console appears to lack the uninstall feature.

So simply fire up a Powershell/CMD prompt hammer that in and away you go.