This tip was submitted to the SearchWin2000 Tip Exchange by member Joe Keegan. Let other users know how useful it is by rating the tip below.
To date, Microsoft has released enough security hotfixes to make your head spin. While the task of applying them can be daunting, they are a necessity if you want to run your Windows environment securely.
There are four or five ABSOLUTELY NECESSARY post Service Pack 2 hotfixes that you should apply to your Windows 2000 servers. This is an easy task if you have only a few servers in your Windows environment. However, multiply these hotfixes by 30 or 40 servers, and it's very easy to get lost. If, in the chaos of applying these hotfixes, you miss one, it could be your job on the line.
Luckily, Microsoft made these hotfixes very easy to apply with a batch file. While scripting the install would make the process much easier, you still would have to log on to each server to run the script...
To make this process MUCH easier and almost automatic, you can create a group policy object (GPO) to do the work for you. Instructions:
Create the batch file
(assumes your domain is named MyDomain.com):
1. Download the appropriate post SP2 hotfixes. (As of 4/23/2002, I personally recommend Win2k SRP1, Q314147, Q313829, Q311967, Q319733.) Create a directory called "hotfixes" under your domain name in the "sysvol" folder of any domain controller (WINDIRSYSVOLMyDomain.comHOTFIXES,)
2. Create the following batch file and name it: "srp1.bat" (created for SRP1)
Now save this file in the same place you put the hotfixes. (What this script does is check for the existence of file "srp1.txt" in the WINNT directory. If it exists, the patch has already been applied and no action is taken. If it DOESN'T exist, it writes the file and applies the patch.)
Creating the GPO (to do the job)
1. Create a new OU called something like SERVERS at the root of AD.
2. Move all of your server objects into this container, EXCEPT for domain controllers (They are in a container of their own already, and have special GPO's that apply only to them. DO NOT move your DCs!)
3. Right click the SERVERS container, and click PROPERTIES. Go to the GPO tab, click NEW, and name your policy a friendly name (i.e. HOTFIX Install GPO). Finally, click EDIT.
4. Expand Computer Configuration --> Windows Settings --> Scripts, and double-click STARTUP.
5. Click ADD, and type the following in the window that comes up:
Click OK, then close the Group Policy window.
Now every server that resides in the "SERVERS" OU will automatically run this batch file (thus installing the hotfix) at bootup. So, even if you add new servers, just putting them into this OU will cause all hotfixes to be applied.
The above script can be changed to apply ANY hotfix at startup by creating the same batch file and changing the filename fields. (Don't forget to tell the GPO to run the other scripts that you create.)
This was first published in May 2002