If you are using a Domain security context
 
1. Place the computers that need to be updated in their specific OU
 
2. Extract SP3 onto a server share that has the correct permissions for those to access it. Read access is enough
 
3. Create a GP for that OU and create a GPO that has (for computers) a software installation that maps to the update.msi that is located once you extract all the service pack ... you can use winzip for this.
 
4.Once the Group Policy is in place, have your users reboot their machines, and upon startup the MSI for Service Pack 3 will come down, install on their machines, reboot again, and thats it.
 
5. There is a place to check in the policy to "not uninstall the software" when "management falls out of scope", otherwise when you move the computers to another OU, Service Pack 3 will uninstall itself.
 
HTH

Do the users login under the regular account? And does their account need local admin rights?

Login normally
 
Assigned MSIs run under the context of machine level security. They are installed before a user ever logins.

Just got a couple more questions about this, DS3Circuit...
 
1. Can the PCs be allocated to the same organizational unit as people? (ie. you have a unit called "headoffice" with all the people and PCs there)
 
2. Have you used this approach for any other type of installations such as Office? Is it effective?

Sure thing
 
In response to 1 = Sure, you only deploy service packs to computers anyways, just disable the GPO portion that is for User configurations (a faster load of the GPO) ... in a side note, for managerial and logical administration, I put them in separate OUs, but thats just me.
 
IN response to 2 = Same deal with office, but you can also specify it by machine AND user. Create an MST (configuration file) using the Office Resource Kit to custom your install. Also, this one can be either assigned or published. Personally, its how we do it on my networks.
 
HTH

Would Software Update Services (SUS) work in a similar configuration? I've currently got a test group policy applied to just the IT staff logins, but of course, we need local administrator access to use it (which we do have). Obviously, if the updates are applied regardless of the login name, that'd be great.

SUS doesnt work with Service Pack Deployment
 
Only Hotfixes

Quote:SUS doesnt work with Service Pack Deployment

Only Hotfixes
No, I mean, at the moment, I have a group policy setup to do automatic updates from the SUS server. The policy is applied on users. What I was trying to ask was, could I apply the policy directly to the machines (in a similar fashion to how the policy on the machines is used to install SP3/Office 2000, etc) and still have it work?

Though I havent played with SUS recently, I believe it can be applied to machines as well as users. I should read their ADM file.
 
Try it out on a test machine

Quote:Though I havent played with SUS recently, I believe it can be applied to machines as well as users. I should read their ADM file.

Try it out on a test machine
Just a followup on this - I created an organisational unit last night and assigned a policy to do the SUS up[censored] and moved a test machine into the unit. The user reported it downloaded 80megs of stuff and then asked to reboot. All done. Logs on the SUS server confirmed the up[censored] and when visiting the Windows Update site manually, there was no critical updates that needed installing.