Solved

Group Policy exclusion - not working right...

Posted on 2004-08-19 | 7 comments | 800 views | Last modified: 2012-05-05
Hello -

I have SUS running in our AD. I've configured SUS correctly so far, and
clients are getting their updates successfully.

I have one problem, however - the main servers are getting these updates,
even though I do not want them to. I want to patch them manually.

Here's what I did to exclude them, but it's not working - can anyone tell me
why?

I created a security group and put all the server machines in it. I called
it "No SUS".
I went to the properties of the current GP that uses SUS and added "No SUS"
to it with implicit Deny rights on "Apply Group Policy".

What did I do wrong?

Thanks,
J
Question by:zeroiq01
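The asker's approach (a security group carrying a Deny "Apply Group Policy" ACE on the SUS GPO) only works when three things line up: the Deny ACE is really on the GPO, the server's computer account is in the group, and the server has rebuilt its token since being added (computer accounts pick up new group memberships at reboot). The following PowerShell audit is an added example, not code from the thread, and assumes the RSAT GroupPolicy and ActiveDirectory modules, RPC access to the target servers, and placeholder names "SUS Policy" and "No SUS" for the asker's GPO and group:

```powershell
# Added example: audit why a Deny "Apply Group Policy" filter may not be taking effect.
# Assumes the RSAT GroupPolicy/ActiveDirectory modules and a domain admin session.
# 'SUS Policy' and 'No SUS' are placeholders for the asker's GPO and security group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoDenyFilter {
    param(
        [Parameter(Mandatory)] [string]   $GpoName,       # GPO carrying the SUS settings
        [Parameter(Mandatory)] [string]   $DenyGroup,     # group that must NOT apply it
        [Parameter(Mandatory)] [string[]] $ComputerName   # servers expected to be excluded
    )

    # 1. Is there an explicit Deny ACE on "Apply Group Policy" for the group?
    #    Get-GPPermission reports Deny entries with Denied = True.
    $denyAce = Get-GPPermission -Name $GpoName -All | Where-Object {
        $_.Denied -and $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -eq $DenyGroup
    }

    # 2. Which computer accounts are (directly or via nesting) in the group?
    #    A computer's sAMAccountName ends in '$'.
    $members = Get-ADGroupMember -Identity $DenyGroup -Recursive |
        Select-Object -ExpandProperty SamAccountName

    foreach ($computer in $ComputerName) {
        $inGroup = $members -contains "$computer`$"

        # 3. What does the machine itself say? In the gpresult summary the GPO name
        #    appears under "Applied Group Policy Objects" or under the filtered-out
        #    list followed by a "Filtering: Denied (Security)" line.
        $rsop    = & gpresult.exe /S $computer /SCOPE COMPUTER /R 2>&1 |
                       ForEach-Object { $_.ToString() }
        $trimmed = $rsop | ForEach-Object { $_.Trim() }
        $idx     = [array]::IndexOf($trimmed, $GpoName)
        if ($idx -lt 0) {
            $status = 'not in scope'
        } elseif ($idx + 1 -lt $trimmed.Count -and $trimmed[$idx + 1] -match '^Filtering:\s*(.+)$') {
            $status = $Matches[1].Trim()          # e.g. 'Denied (Security)'
        } else {
            $status = 'applied'
        }

        # Turn the three facts into the action an admin should take next.
        if (-not $denyAce)                                   { $hint = 'Deny ACE missing on GPO' }
        elseif (-not $inGroup)                               { $hint = 'computer is not in the deny group' }
        elseif ($status -eq 'applied')                       { $hint = 'membership is in place but the token is stale: reboot the computer' }
        else                                                 { $hint = 'filter is effective' }

        [pscustomobject]@{
            Computer       = $computer
            DenyAcePresent = [bool]$denyAce
            InDenyGroup    = $inGroup
            GpresultState  = $status
            Hint           = $hint
        }
    }
}

# Usage (placeholder server names):
Test-GpoDenyFilter -GpoName 'SUS Policy' -DenyGroup 'No SUS' -ComputerName 'SRV01', 'SRV02' |
    Format-Table -AutoSize
```

The gpresult parsing relies on the English summary layout, so treat the `GpresultState` column as a hint and confirm with `gpresult /R` on the server when in doubt. Only the first two checks need the GPO and AD data; the third is the one that catches the common case where everything is configured correctly but the server has not rebooted since joining the group.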
7 Comments
 
LVL 5

Expert Comment

by:ralonso
ID: 11843501
it looks absolutely fine.
can you also try to deny rights on the "Read" permission?

I also use SUS but what I do is that I keep servers in one OU and workstations in a different one (only workstations apply that policy)

(and a different one for remote machines, and another for laptops)

If you need to apply a number of policies to both servers and workstations, you only need to add the link to the GPO and modify the policy only once (if need be).

hope that works for you.
0
 

Author Comment

by:zeroiq01
ID: 11845201
Thanks for the comment.

Let me follow up on this:

If I remove my servers from the built in "Domain Controllers" OU, will I break any of their functions? I intend to put them in a "Server" OU, and maybe do as you suggest and make one for laptops, too.

Let me know - thanks
J
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11846469
Leave the Domain Controllers in the OU. Remove the SUS GPO from the ROOT domain. You should never apply policy to the root. Then create a new group policy and a new OU for your workstations and for your servers. Do not put Group Policy on the Computers container either. When you want the group policy on the machines, move them to the appropriate container.

J
0

 
LVL 5

Accepted Solution

by: ralonso (earned 200 total points)
ID: 11847228
jdeclue is absolutely right

I leave my DC's in the default (they are applying the Default Domain Controllers Policy)

In my AD structure I have created a whole new hierarchy where I define stuff like
Domain
  Domain Controllers
  myOrganisation
      - Main Site
              - Users
              - Computers
                      - Laptops
      - Second Site (linked via VPN and with no DC's)
              - Users
              - Computers
                      - Laptops

Policies like SUS, or deployment of software (before I used for service packs) like MS Office and patches I apply only in the main site (as you can imagine I don't want SUS to apply patches automatically for servers or machines with a slow link)

Similar things apply to laptops. Surely you don't want your CEO waiting 20 minutes in front of influential people for his laptop to boot up, just because you are deploying Office 2003 SP1.

(yes, we are a small organisation and we can't afford SMS)

Policies are very useful but sometimes a bit tricky, but as long as you don't mess about with the domain policy or the domain controllers one, you should be fine.

Another good practice is to create many different policies.
i.e. for my main site OU I have a number of policies: Office 2003 deployment, IE Settings, SUS, ...

Each one of them has only a few settings related to the name. That way if something is not right, it's quite easy to troubleshoot.
0
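The OU layout in the accepted answer, combined with jdeclue's rule of never linking custom GPOs at the domain root, is the structural alternative to security-filter denies: machines that should not get SUS simply live in an OU the GPO is not linked to. The script below is an added example, not the poster's own configuration; it builds the hierarchy from the post (extended with a "Servers" OU for the asker's member servers), links a placeholder "SUS Policy" GPO to the main-site Computers OU only, moves servers into the Servers OU while refusing to touch anything in Domain Controllers, and reports any non-default GPO still linked at the root. It assumes the RSAT GroupPolicy and ActiveDirectory modules.

```powershell
# Added example (not from the thread): OU hierarchy + GPO linking instead of Deny filtering.
# Assumes RSAT GroupPolicy/ActiveDirectory modules. 'SUS Policy' and the server names
# are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

function New-OuPath {
    # Creates each OU along 'myOrganisation/Main Site/Computers' if missing and
    # returns the distinguished name of the last element.
    param([Parameter(Mandatory)] [string] $Path)
    $parent = $domainDn
    foreach ($name in ($Path -split '/')) {
        $dn = "OU=$name,$parent"
        if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
            New-ADOrganizationalUnit -Name $name -Path $parent `
                -ProtectedFromAccidentalDeletion $true | Out-Null
        }
        $parent = $dn
    }
    return $parent
}

# The tree from the accepted answer, plus a Servers OU (jdeclue's suggestion).
$layout = @(
    'myOrganisation/Main Site/Users',
    'myOrganisation/Main Site/Computers',
    'myOrganisation/Main Site/Computers/Laptops',
    'myOrganisation/Main Site/Servers',
    'myOrganisation/Second Site/Users',
    'myOrganisation/Second Site/Computers',
    'myOrganisation/Second Site/Computers/Laptops'
)
$ou = @{}
foreach ($p in $layout) { $ou[$p] = New-OuPath -Path $p }

# Link SUS only to the main-site workstation OU. Child OUs (Laptops) inherit the link,
# so anything that must not receive it needs its own non-descendant OU, as Servers has.
$target = $ou['myOrganisation/Main Site/Computers']
if (-not ((Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq 'SUS Policy')) {
    New-GPLink -Name 'SUS Policy' -Target $target -LinkEnabled Yes | Out-Null
}

# Move member servers out of the default Computers container into Servers.
# Domain controllers stay where they are: the Default Domain Controllers Policy
# is linked to that OU and moving a DC out of it breaks the domain.
foreach ($name in 'SRV01', 'SRV02') {
    $c = Get-ADComputer -Identity $name
    if ($c.DistinguishedName -like "*,OU=Domain Controllers,$domainDn") {
        Write-Warning "$name is a domain controller; not moving it"
        continue
    }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $ou['myOrganisation/Main Site/Servers']
}

function Get-NonDefaultRootLinks {
    # Anything other than the Default Domain Policy linked at the root applies to every
    # object in the domain, DCs included; jdeclue's advice is that this list stays empty.
    (Get-GPInheritance -Target $domainDn).GpoLinks |
        Where-Object { $_.DisplayName -ne 'Default Domain Policy' } |
        Select-Object DisplayName, Enabled, Enforced
}

$rootLinks = Get-NonDefaultRootLinks
if ($rootLinks) {
    Write-Warning 'Custom GPOs are still linked at the domain root:'
    $rootLinks | Format-Table -AutoSize
}
```

Run it once to create the structure; New-OuPath is idempotent, so re-running after adding OUs to `$layout` is safe. The root-link report is the part worth scheduling: it catches the exact misconfiguration the asker started from, a SUS GPO linked where domain controllers and member servers cannot avoid it.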
 
LVL 9

Expert Comment

by:jdeclue
ID: 11851982
Just a quick update, as I really didn't answer it in my email.

If you take the domain controllers out of the Domain Controllers container, you will break your entire AD infrastructure. The Domain Controllers must remain in the default Domain Controllers OU, this is where the Default Domain Controllers Group Policy is applied.

When an AD root is created there are two default Group Policies, Default Domain Policy and Default Domain Controllers Policy. If you make changes to the Default Domain Policy, the changes will apply to everything in your network, including the Domain Controllers. Below that policy is the Default Domain Controllers Policy, it is on the Domain Controllers OU. The defaults are required for proper operation of the Domain Controllers. You should never put a workstation or server into the container, when you install a DC it will be in the container by default.

With that said, all Group Policy you create should never be placed at the root, and you should not typically make changes to either of the Default Policies.

J
0
 
LVL 7

Expert Comment

by:YourReference
ID: 21689509
Did you add the computer account of the terminal server to the security properties of the GPO being created for the loopback?

To do this, follow these steps:
1. Select the GPO that is created for the loopback, and then click Properties.
2. Click the Security tab, and then click Add.
3. In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
4. Click the computer account from the Group or user names box.
5. In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
6. Click OK two times to close and save the policy settings.

Another note:
When it is possible, Terminal Services should be installed on member servers instead of on domain controllers because the users need Log on Locally user rights.

When the Log on Locally right is assigned to domain controllers, it is assigned to every domain controller in the domain because of the shared Active Directory database.

By default, member servers are granted Log on Locally user rights in the Local Security Policy when Terminal Services is installed in Application Server mode.
0
 
LVL 7

Expert Comment

by:YourReference
ID: 21689512
copy/paste error
0
