Group Policy exclusion - not working right...

Hello -

I have SUS running in our AD. I've configured SUS correctly so far, and
clients are getting their updates successfully.

I have one problem, however - the main servers are getting these updates,
even though I do not want them to. I want to patch them manually.

Here's what I did to exclude them, but it's not working - can anyone tell me
why?

I created a security group and put all the server machines in it. I called
it "No SUS".
I went to the properties of the current GP that uses SUS and added "No SUS"
to it with implicit Deny rights on "Apply Group Policy".

What did I do wrong?

Thanks,
J
ralonso Commented:
It looks absolutely fine.
Can you also try denying the "Read" permission?

I also use SUS but what I do is that I keep servers in one OU and workstations in a different one (only workstations apply that policy)

(and a different one for remote machines, and another for laptops)

If you need to apply a number of policies to both servers and workstations, you only need to add the link to the GPO and modify the policy only once (if need be).

Hope that works for you.
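
A check, added here and not taken from the thread, that walks the three things that usually decide whether a Deny on "Apply Group Policy" like the one above takes effect: the Deny entry itself, computer (rather than user) membership of the group, and whether each server has actually picked up its new group membership. It assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules; 'SUS Policy' is a placeholder for the GPO name, and 'No SUS' is the poster's own group.

```powershell
# Added audit script, not code from the thread. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules and a GPO-administrator account. 'SUS Policy' is a
# placeholder for the GPO name; 'No SUS' is the poster's exclusion group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'SUS Policy'   # placeholder: the GPO carrying the SUS settings
$DenyGroup = 'No SUS'       # the security group of servers to exclude

# 1. List every security-filtering entry on the GPO, Deny entries included.
#    The exclusion only works when "Apply Group Policy" (GpoApply) is denied
#    to the group; the Allow entry for Authenticated Users is what would
#    otherwise let the servers apply it.
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                       Permission, Denied, Inherited | Format-Table -AutoSize
$denyAce = $perms | Where-Object {
    $_.Trustee.Name -eq $DenyGroup -and $_.Permission -eq 'GpoApply' -and $_.Denied
}
if (-not $denyAce) {
    Write-Warning "'$DenyGroup' has no Deny entry for Apply Group Policy on '$GpoName'."
}

# 2. SUS settings live under Computer Configuration, so the computer accounts,
#    not user accounts, must be the members of the deny group.
$members = Get-ADGroupMember -Identity $DenyGroup -Recursive
$nonComputers = @($members | Where-Object { $_.objectClass -ne 'computer' })
if ($nonComputers.Count -gt 0) {
    Write-Warning "Non-computer members of '$DenyGroup': $($nonComputers.Name -join ', ')"
}

# 3. Pull each server's resultant set of policy and confirm the GPO was rejected
#    by security filtering. A computer only carries new group memberships in its
#    Kerberos ticket after a reboot, so a server added to the group today may
#    keep applying the GPO until it restarts.
foreach ($pc in ($members | Where-Object { $_.objectClass -eq 'computer' })) {
    $tmp = Join-Path $env:TEMP "rsop-$($pc.Name).xml"
    Get-GPResultantSetOfPolicy -Computer $pc.Name -ReportType Xml -Path $tmp | Out-Null
    [xml]$rsop = Get-Content -Path $tmp
    $gpo = $rsop.Rsop.ComputerResults.GPO | Where-Object { $_.Name -eq $GpoName }
    if ($null -eq $gpo) {
        "$($pc.Name): '$GpoName' is not in scope at all (check the GPO link / OU)"
    } elseif ($gpo.AccessDenied -eq 'true') {
        "$($pc.Name): OK, '$GpoName' is filtered out by the Deny entry"
    } else {
        "$($pc.Name): still applies '$GpoName' - reboot it or re-check group membership"
    }
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}
```

Run it from a management workstation with RSAT after adding the servers to the group; the RSOP step needs remote WMI access to each server.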
zeroiq01 (Author) Commented:
Thanks for the comment.

Let me follow up on this:

If I remove my servers from the built-in "Domain Controllers" OU, will I break any of their functions? I intend to put them in a "Server" OU, and maybe do as you suggest and make one for laptops, too.

Let me know - thanks
J
jdeclue Commented:
Leave the Domain Controllers in the OU. Remove the SUS GPO from the ROOT domain. You should never apply policy to the root. Then create a new group policy and a new OU for your workstations and for your servers. Do not put Group Policy on the Computers container either. When you want the group policy on the machines, move them to the appropriate container.

J
ralonso Commented:
jdeclue is absolutely right.

I leave my DCs in the default (they are applying the Default Domain Controllers Policy).

In my AD structure I have created a whole new hierarchy where I define stuff like
Domain
  Domain Controllers
  myOrganisation
      - Main Site
              - Users
              - Computers
                      - Laptops
      - Second Site (linked via VPN and with no DC's)
              - Users
              - Computers
                      - Laptops

Policies like SUS, or deployment of software like MS Office and patches (which I used before for service packs), I apply only in the main site (as you can imagine, I don't want SUS to apply patches automatically to servers or to machines on a slow link).

Similar things apply to laptops. Surely you don't want your CEO waiting 20 minutes in front of influential people for his laptop to boot up, just because you are deploying Office 2003 SP1.

(yes, we are a small organisation and we can't afford SMS)

Policies are very useful but sometimes a bit tricky; as long as you don't mess about with the domain policy or the domain controllers one, you should be fine.

Another good practice is to create many different policies.
e.g. for my main site OU I have a number of policies: Office 2003 deployment, IE Settings, SUS, ...

Each one of them has only a few settings related to the name. That way if something is not right, it's quite easy to troubleshoot.
jdeclue Commented:
Just a quick update, as I really didn't answer it in my email.

If you take the domain controllers out of the Domain Controllers container, you will break your entire AD infrastructure. The Domain Controllers must remain in the default Domain Controllers OU; this is where the Default Domain Controllers Group Policy is applied.

When an AD root is created there are two default Group Policies, Default Domain Policy and Default Domain Controllers Policy. If you make changes to the Default Domain Policy, the changes will apply to everything in your network, including the Domain Controllers. Below that policy is the Default Domain Controllers Policy; it is on the Domain Controllers OU. The defaults are required for proper operation of the Domain Controllers. You should never put a workstation or server into the container; when you install a DC it will be in the container by default.

With that said, all Group Policy you create should never be placed at the root, and you should not typically make changes to either of the Default Policies.

J
YourReference Commented:
Did you add the computer account of the terminal server to the security properties of the GPO being created for the loopback?

To do this, follow these steps:
1. Select the GPO that is created for the loopback, and then click Properties.
2. Click the Security tab, and then click Add.
3. In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
4. Click the computer account from the Group or user names box.
5. In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
6. Click OK two times to close and save the policy settings.

Another note:
When it is possible, Terminal Services should be installed on member servers instead of on domain controllers because the users need Log on Locally user rights.

When the Log on Locally right is assigned to domain controllers, it is assigned to every domain controller in the domain because of the shared Active Directory database.

By default, member servers are granted Log on Locally user rights in the Local Security Policy when Terminal Services is installed in Application Server mode.
YourReference Commented:
copy/paste error