Newbie : How to insulate Servers from Workstations in same hierarchy

Hello All,

Our single SCCM 2007 (SP2 R3) hierarchy is operated by 2 vendors for Servers and Workstations respectively.

About once or twice a year someone from the Workstation team performs an incorrect software/patch deployment that accidentally hits our servers.

I have read in other threads that creating a new hierarchy for servers is not recommended - it's not cost-effective and special configurations are required, especially as regards overlapping boundaries.

The post by Sherry was instructive but I don't think it will help solve the most common type of error we experience, i.e. someone creates/modifies a workstation collection query incorrectly that ends up including servers.

https://social.technet.microsoft.com/forums/systemcenter/en-US/819cf1df-52d1-4335-8697-acd5df68da7b/multiple-sccm-2007-hierarchies-in-same-ad-domain

I was wondering if someone could kindly suggest creative techniques to mitigate this risk. Thanks.

E.g. we can monitor to ensure that all workstations packages are specifically updated with "This program can only run on specified Client Platforms".

August 24th, 2015 7:32am

This is not a simple task in CM07; however, this is an easy task in CM12. If you can, moving to CM12 would be the best option for this.
August 24th, 2015 8:03am

Thanks for advice. We do plan to move to CM12 but that would be sometime next year I guess.

For now, the issue we face most commonly, is that someone from the Workstation team accidentally modifies a Collection query that ends up including some servers or even 'All Systems'.

Are there some ways to mitigate this scenario? Please help. Thanks.

I was thinking of ensuring that all workstations packages are specifically updated with "This program can only run on specified Client Platforms" as a line of defence.

Are there better ways?

August 25th, 2015 6:03am

Are there some ways to mitigate this scenario? Please help. Thanks.

I was thinking of ensuring that all workstations packages are specifically updated with "This program can only run on specified Client Platforms" as a line of defence.

Are there better ways?

Honestly, it would be a nightmare to set up and maintain in CM07.

In a nutshell, you need to remove the WS team's right to Edit/Add anything.

Setting the Client platform works but only if someone sets it that way. If anyone forgets then you are no farther ahead.

If it is a big issue then I would use this as a big reason to start moving forward with CM12 and RBA now instead of waiting until later.

August 25th, 2015 9:39am
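
One way to monitor for the failure discussed in this thread (a workstation collection query that ends up including servers), as an added example that is not part of any post above: a script for a scheduled task that queries the CM07 SMS Provider and reports every advertisement whose target collection contains a machine with a server OS. The site server name, site code and the list of server-team collection IDs are placeholders you must set.

```powershell
# Added example: flag advertisements whose target collection contains servers.
# Placeholders (assumptions): site server name, site code, server-team collection IDs.
param(
    [string]   $SiteServer        = 'SITESERVER',
    [string]   $SiteCode          = 'XXX',
    [string[]] $ServerCollections = @('XXX00001')  # collections the server team owns
)

$wmi = @{ ComputerName = $SiteServer; Namespace = "root\sms\site_$SiteCode" }

# Discovery records whose OS string marks them as servers,
# e.g. "Microsoft Windows NT Server 6.1".
$serverIds = @{}
Get-WmiObject @wmi -Query ("SELECT ResourceID, Name FROM SMS_R_System " +
        "WHERE OperatingSystemNameandVersion LIKE '%Server%'") |
    ForEach-Object { $serverIds[[string]$_.ResourceID] = $_.Name }

# Check each advertisement that does not target a server-team collection.
$findings = foreach ($ad in Get-WmiObject @wmi -Class SMS_Advertisement) {
    if ($ServerCollections -contains $ad.CollectionID) { continue }

    $members = Get-WmiObject @wmi -Query ("SELECT ResourceID FROM SMS_FullCollectionMembership " +
        "WHERE CollectionID = '$($ad.CollectionID)'")
    $hits = @($members | Where-Object { $serverIds.ContainsKey([string]$_.ResourceID) })

    if ($hits.Count -gt 0) {
        New-Object PSObject -Property @{
            AdvertisementID = $ad.AdvertisementID
            Advertisement   = $ad.AdvertisementName
            CollectionID    = $ad.CollectionID
            ServerCount     = $hits.Count
            Servers         = ($hits | ForEach-Object { $serverIds[[string]$_.ResourceID] }) -join ', '
        }
    }
}

$findings | Sort-Object ServerCount -Descending | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit lets a scheduled task raise an alert
```

This covers software distribution advertisements and direct collection membership only; it detects a bad collection query after the membership has been evaluated and does not replace restricting who can edit collections.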
