Designated administration

(imported topic written by SystemAdmin)


I have an interesting problem and a suggestion of a solution but need some feedback and/or assistance.

We have several servers in our domain, administered across a couple of different IT Business Groups in our organization. Patch management is handled by one Dept - i.e. mine.

The problem we are having is managing patches across the multiple servers of varying functionality. It's always a juggling game with MS and production servers. You want to make sure that the systems are patched so that you are not vulnerable on the one hand, but applying some patches can “break” or inhibit certain functionality in working production servers.

At this stage we have had a few production servers that have been a part of a fixlet patch “run” that have had this issue (i.e. I have done a patch “run” of multiple fixlets, and one has caused an issue with a server. “Which” one can also be part of the fun/problem).

The best solution I can come up with at the moment is to “lock” the computer from receiving any further patches - but this then means it receives NO patches at all. The type of servers I am talking about are outside my scope of expertise (i.e. my role is in applications, and these are SQL, Payroll or Finance servers).

My plan at this time is to implement a system where we assign additional administrators to the BES console. Then we need to lock these user accounts so they are able to fully administer the servers that are relevant and crucial to their business operation (e.g. the Development Dept looks after their own Development servers and patches them according to what they require). The remaining servers and all desktops would still be administered by my Dept (and, if possible, locked so the other Depts are not able to administer them).

Is this possible in the BES console?

Is it easy to do? And how would I go about it?

Further, how do other Businesses deal with the same situation?

(As we are a medium-size company, surely bigger companies have other and better ways of dealing with this…)

Any help would be greatly appreciated.



(imported comment written by nritchie91)

Hey Mark,

This is easily overcome and is a standard feature within BigFix. I’m assuming at this point that you’ve used the “BigFix Administration Tool” to set up your users with the correct admin rights.

So assuming you have, once inside the BigFix console you can navigate to the “Console Operators” tab and you should see a list of the available operators and whether they are Master operators or not.

To delegate access rights you simply right-click on an operator and select “assign user management rights”. What you now see is a window where you can add computers to be managed by that operator. How you delegate what they can manage is up to you; you basically have 3 choices:

  1. Choose an AD group

  2. Choose Computers from a particular “retrieved property”

  3. Choose a Manual or Automatic group that you may have created

The nice thing is that you can have as many different groups from all 3 options as you like, and you can also drill down and down and so on to decide what that operator can manage. When that operator now logs into their console, they will only be able to see and administer computers as per what you have assigned to them.

Have a search around the forum, I’m sure there are a few topics about this.


(imported comment written by StacyLee)

We use a combination of all 3 options mentioned.

We have 3 site admins who can see everything and send out patches to all systems in 5-7 days after MS releases their patches. We have 100+ Console Operators that we delegate rights to based on a retrieved property (custom registry entry written at the time of install). These COs can either push patches before we do or lock their machines, then unlock them till they are ready to receive our patches.

If your AD OU structure is organized so it's clear which machines you want to patch and not want to patch, then you can create an automatic group based on these OUs, add them to an Automatic Group, and when you push out patches only target this group. (If all your machines are under one OU then you can probably just patch by OU.) If you have another group (BF automatic group or OU) for the machines you don’t want to patch, then you could specify this in your constraints when patching and save your settings just to make sure you don’t patch those machines.