Re: GPO Filtering and WSUS
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 22 Feb 2007 00:18:48 -0700
"Qafyg" <Qafyg@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3AFF6778-5FF3-4505-B230-A7FD4033AF82@xxxxxxxxxxxxxxxx
This is my current OU Design:
Enterprise Users and Computers
--Brand1
--Brand2
----City1
----City2
------Users
------Computers
Management
--Groups
--Misc
Servers
--Type1
--Type2
--Type3
Restricted Management
--Users (Domain admins)
--Groups
Domain Controllers
It works very well for delegation. The problem I have is filtering GPOs.
For example, I'm setting up WSUS and I want to have a production group and a
test group for patch approval. Of course, in my test group, I want to use
computers from all over the organization to test compatibility with as much
software as possible.
Would the best way to do that be to:
Create GPO1_WSUS_Test
Remove Read to authenticated Users
Add Read to SecurityGroup_WSUS_Test
Create GPO2_WSUS_Production
Deny Read to SecurityGroup_WSUS_Test
Apply both GPOs to the top-level OU Enterprise Users and Computers.
Is this how people set up test groups in WSUS? Or is there a more simple
solution?
Any input is appreciated. Thanks!

I use something similar, except the baseline WSUS settings (production)
are carried in base GPO for (in your case) Enterprise Users and Computers.
Then, linked to same OU at higher priority is override GPO, such as your
security group filtered GPO1_WSUS_Test that uses WSUS settings to
have computers in the filtering group subscribe with a different WSUS
computer-group string. Result is all machines use production WSUS
computer-group and settings, unless machine is subject to application
of the higher priority GPO1_WSUS_Test GPO's WSUS settings due to
machine's membership in SecurityGroup_WSUS_Test group.
(no deny usage involved)
Roger
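
The layered approach described in the reply above (baseline GPO plus a security-filtered override GPO linked at higher priority to the same OU), sketched with the GroupPolicy PowerShell module as an added example that is not part of the original thread. The domain DN, WSUS URL, the base GPO name `GPO_WSUS_Base` and the target-group strings `Production` and `Test` are assumptions; leaving Authenticated Users with Read on the override GPO is a choice made here.

```powershell
# Added example (not from the thread). Needs the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

# Assumed values: domain DN, WSUS URL, base GPO name, target-group strings.
$ou      = 'OU=Enterprise Users and Computers,DC=example,DC=com'
$wsusUrl = 'http://wsus.example.com:8530'
$baseGpo = 'GPO_WSUS_Base'             # hypothetical name for the baseline GPO
$testGpo = 'GPO1_WSUS_Test'            # name from the thread
$testGrp = 'SecurityGroup_WSUS_Test'   # name from the thread; holds computer accounts
$wuKey   = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

# Client-side targeting: the string the client reports to WSUS as its computer group.
function Set-WsusTargetGroup([string]$Gpo, [string]$Group) {
    Set-GPRegistryValue -Name $Gpo -Key $wuKey -ValueName TargetGroupEnabled -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $wuKey -ValueName TargetGroup -Type String -Value $Group | Out-Null
}

# 1. Baseline GPO: WSUS server plus the production target group, applies to everyone.
New-GPO -Name $baseGpo | Out-Null
Set-GPRegistryValue -Name $baseGpo -Key $wuKey -ValueName WUServer -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $baseGpo -Key $wuKey -ValueName WUStatusServer -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $baseGpo -Key "$wuKey\AU" -ValueName UseWUServer -Type DWord -Value 1 | Out-Null
Set-WsusTargetGroup -Gpo $baseGpo -Group 'Production'

# 2. Override GPO: carries only the different target-group string.
New-GPO -Name $testGpo | Out-Null
Set-WsusTargetGroup -Gpo $testGpo -Group 'Test'

# 3. Security filtering without any deny ACE: the test group gets Apply,
#    Authenticated Users is reduced from Apply to Read.
Set-GPPermission -Name $testGpo -TargetName $testGrp -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $testGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link both to the same OU; link order 1 has the highest precedence and wins.
New-GPLink -Name $baseGpo -Target $ou | Out-Null
New-GPLink -Name $testGpo -Target $ou -Order 1 | Out-Null

# 5. Check the resulting link order and the ACL on the override GPO.
(Get-GPInheritance -Target $ou).GpoLinks | Format-Table Order, DisplayName, Enabled
Get-GPPermission -Name $testGpo -All |
    Format-Table @{n='Trustee'; e={$_.Trustee.Name}}, Permission
```

A computer picks up new group membership only after a restart, so a machine added to SecurityGroup_WSUS_Test keeps reporting the production target group until then. The WSUS server must be set to assign computers through Group Policy or registry settings, and the computer groups named in the target-group strings must already exist on it.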