Group Policy exclusion - not working right...

Posted on 2004-08-19
Last Modified: 2012-05-05
Hello -

I have SUS running in our AD. I've configured SUS correctly so far, and
clients are getting their updates successfully.

I have one problem, however - the main servers are getting these updates,
even though I do not want them to. I want to patch them manually.

Here's what I did to exclude them, but it's not working - can anyone tell me
why?

I created a security group and put all the server machines in it. I called
it "No SUS".
I went to the properties of the current GP that uses SUS and added "No SUS"
to it with implicit Deny rights on "Apply Group Policy".

What did I do wrong?

Thanks,
J
Question by: zeroiq01

7 Comments
 
LVL 5

Expert Comment

by:ralonso
ID: 11843501
It looks absolutely fine.
Can you also try denying the "Read" permission?

I also use SUS, but what I do is keep servers in one OU and workstations in a different one (only workstations apply that policy).

(And a different one for remote machines, and another for laptops.)

If you need to apply a number of policies to both servers and workstations, you only need to add the link to the GPO and modify the policy only once (if need be).

hope that works for you.
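As an added example, not part of the thread, this is how the security filtering the question describes can be inspected and set from PowerShell with the GroupPolicy and ActiveDirectory modules (RSAT, Windows Server 2008 R2 or later; the thread itself predates these cmdlets, and the same steps are done in GPMC on the GPO's Delegation tab, Advanced). The GPO name "SUS" is an assumption; the group name "No SUS" is taken from the question. Set-GPPermission can only author Allow entries, so the explicit Deny on "Apply Group Policy" is written to the GPO's ACL directly; the block can optionally add a Deny on Read as ralonso suggests.

```powershell
# Added example (not from the original thread). Assumptions: GPO named "SUS",
# RSAT GroupPolicy + ActiveDirectory modules, run as a Group Policy admin.
Import-Module GroupPolicy, ActiveDirectory

$GpoName     = 'SUS'      # assumed name of the GPO that configures SUS
$GroupName   = 'No SUS'   # group from the question
$DenyReadToo = $false     # set $true to also deny Read, as ralonso suggested

$gpo    = Get-GPO -Name $GpoName
$domain = Get-ADDomain
$group  = Get-ADGroup -Identity $GroupName

# 1. Show the GPO's current security filtering (Authenticated Users normally has
#    Read + Apply; a Deny row for the group is what we want to see at the end).
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object Trustee, TrusteeType, Permission, Denied, Inherited |
    Format-Table -AutoSize

# 2. Write an explicit Deny for the "Apply Group Policy" extended right.
#    Apply-Group-Policy is the control access right with this well-known GUID.
$ApplyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"
$acl   = Get-Acl -Path "AD:\$gpoDn"

$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyGuid)
$acl.AddAccessRule($denyApply)

if ($DenyReadToo) {
    $denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($denyRead)
}

Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# 3. Confirm the Deny entry is now on the GPO.
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Trustee.Name -eq $GroupName } |
    Format-Table Trustee, Permission, Denied -AutoSize
```

Two checks worth doing after this. First, a computer's group memberships are carried in its logon token, so a server that was just added to "No SUS" does not see the Deny until it has been rebooted (or its computer account re-authenticates); on the server, `gpresult /r /scope computer` should then list the SUS GPO under "The following GPOs were not applied because they were filtered out" with the reason "Denied (Security)". Second, because the ACL was written to the AD side of the GPO only, GPMC will report the GPO's permissions as inconsistent with the SYSVOL copy and offer to repair them; accept that, or set the Deny through the GPMC Delegation tab instead so both sides are updated together.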

Author Comment

by:zeroiq01
ID: 11845201
Thanks for the comment.

Let me follow up on this:

If I remove my servers from the built in "Domain Controllers" OU, will I break any of their functions? I intend to put them in a "Server" OU, and maybe do as you suggest and make one for laptops, too.

Let me know - thanks
J
LVL 9

Expert Comment

by:jdeclue
ID: 11846469
Leave the Domain Controllers in the OU. Remove the SUS GPO from the ROOT domain. You should never apply policy to the root. Then create a new group policy and a new OU for your workstations and for your servers. Do not put Group Policy on the Computers container either. When you want the group policy on the machines, move them to the appropriate container.

J
 
LVL 5

Accepted Solution

by: ralonso (earned 200 total points)
ID: 11847228
jdeclue is absolutely right.

I leave my DCs in the default (they are applying the Default Domain Controllers Policy).

In my AD structure I have created a whole new hierarchy where I define stuff like
Domain
  Domain Controllers
  myOrganisation
      - Main Site
              - Users
              - Computers
                      - Laptops
      - Second Site (linked via VPN and with no DC's)
              - Users
              - Computers
                      - Laptops

Policies like SUS, or deployment of software (which I used before for service packs) like MS Office and patches, I apply only in the main site (as you can imagine, I don't want SUS to apply patches automatically to servers or to machines over a slow link).

Similar things apply to laptops. Surely you don't want your CEO waiting 20 minutes in front of influential people for his laptop to boot up, just because you are deploying Office 2003 SP1.

(Yes, we are a small organisation and we can't afford SMS.)

Policies are very useful but sometimes a bit tricky; as long as you don't mess about with the domain policy or the domain controllers one, you should be fine.

Another good practice is to create many different policies.
I.e. for my main site OU I have a number of policies: Office 2003 deployment, IE Settings, SUS, ...

Each one of them has only a few settings related to its name. That way, if something is not right, it's quite easy to troubleshoot.
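As an added example that is not part of the thread, this block builds the OU layout ralonso describes, applies jdeclue's advice (unlink the SUS GPO from the domain root, leave the Domain Controllers OU alone, move machines out of the default Computers container into OUs and link the policy there), and adds a Servers OU so servers can be patched by hand. It uses the RSAT GroupPolicy and ActiveDirectory modules; the OU names follow ralonso's diagram, while the GPO name "SUS" and the "Servers" OU are assumptions.

```powershell
# Added example (not from the original thread). Assumptions: GPO named "SUS",
# RSAT GroupPolicy + ActiveDirectory modules, run as a domain/GPO admin.
Import-Module GroupPolicy, ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$GpoName  = 'SUS'   # assumed name of the GPO that configures SUS

# 1. OU hierarchy, parents before children. "OU=Domain Controllers" is not touched:
#    DCs must stay there so the Default Domain Controllers Policy keeps applying.
$ouPaths = @(
    'OU=myOrganisation',
    'OU=Main Site,OU=myOrganisation',
    'OU=Users,OU=Main Site,OU=myOrganisation',
    'OU=Computers,OU=Main Site,OU=myOrganisation',
    'OU=Laptops,OU=Computers,OU=Main Site,OU=myOrganisation',
    'OU=Servers,OU=Main Site,OU=myOrganisation',        # assumption: added for manual patching
    'OU=Second Site,OU=myOrganisation',
    'OU=Users,OU=Second Site,OU=myOrganisation',
    'OU=Computers,OU=Second Site,OU=myOrganisation',
    'OU=Laptops,OU=Computers,OU=Second Site,OU=myOrganisation'
)
foreach ($rdnPath in $ouPaths) {
    $dn = "$rdnPath,$domainDn"
    if (-not [adsi]::Exists("LDAP://$dn")) {
        $name   = (($rdnPath -split ',')[0]) -replace '^OU='
        $parent = ($rdnPath -split ',', 2)[1]
        $path   = if ($parent) { "$parent,$domainDn" } else { $domainDn }
        New-ADOrganizationalUnit -Name $name -Path $path -ProtectedFromAccidentalDeletion $true
    }
}

$wsOu     = "OU=Computers,OU=Main Site,OU=myOrganisation,$domainDn"
$serverOu = "OU=Servers,OU=Main Site,OU=myOrganisation,$domainDn"

# 2. Unlink the SUS GPO from the domain root and link it to the Main Site
#    workstation OU only. Second Site (slow link) and Servers never see it.
#    Note: Laptops sits under Computers and will inherit the link.
$gpo = Get-GPO -Name $GpoName
if ((Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }) {
    Remove-GPLink -Name $GpoName -Target $domainDn | Out-Null
}
if (-not ((Get-GPInheritance -Target $wsOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Name $GpoName -Target $wsOu -LinkEnabled Yes | Out-Null
}

# 3. Move machines out of the default Computers container (which cannot carry
#    GPO links). Servers go to the Servers OU, everything else to the workstation
#    OU. Domain controllers are never in CN=Computers, but primaryGroupID 516
#    (Domain Controllers) is checked anyway so one can never be moved by mistake.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -SearchScope OneLevel `
               -Properties OperatingSystem, PrimaryGroupID |
    Where-Object { $_.PrimaryGroupID -ne 516 } |
    ForEach-Object {
        $target = if ($_.OperatingSystem -like '*Server*') { $serverOu } else { $wsOu }
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $target
    }

# 4. Verify: the workstation OU should list SUS, the Servers OU should not.
foreach ($ou in $wsOu, $serverOu) {
    $linked = (Get-GPInheritance -Target $ou).InheritedGpoLinks | Select-Object -ExpandProperty DisplayName
    '{0} -> {1}' -f $ou, ($linked -join ', ')
}
```

Moved computers pick up the new scope at their next policy refresh (or after `gpupdate /force` on the machine); `gpresult /r /scope computer` on a server in the Servers OU should no longer list the SUS GPO at all, which is a cleaner result than a security-filter Deny because there is nothing to keep in sync when servers are added later.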
LVL 9

Expert Comment

by:jdeclue
ID: 11851982
Just a quick update, as I really didn't answer it in my email.

If you take the domain controllers out of the Domain Controllers container, you will break your entire AD infrastructure. The Domain Controllers must remain in the default Domain Controllers OU; this is where the Default Domain Controllers Group Policy is applied.

When an AD root is created there are two default Group Policies, Default Domain Policy and Default Domain Controllers Policy. If you make changes to the Default Domain Policy, the changes will apply to everything in your network, including the Domain Controllers. Below that policy is the Default Domain Controllers Policy; it is on the Domain Controllers OU. The defaults are required for proper operation of the Domain Controllers. You should never put a workstation or server into the container; when you install a DC it will be in the container by default.

With that said, no Group Policy you create should ever be placed at the root, and you should not typically make changes to either of the Default Policies.

J
LVL 7

Expert Comment

by:YourReference
ID: 21689509
Did you add the computer account of the terminal server to the security properties of the GPO being created for the loopback?

To do this, follow these steps:
1. Select the GPO that is created for the loopback, and then click Properties.
2. Click the Security tab, and then click Add.
3. In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
4. Click the computer account from the Group or user names box.
5. In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
6. Click OK two times to close and save the policy settings.

Another note:
When it is possible, Terminal Services should be installed on member servers instead of on domain controllers because the users need Log on Locally user rights.

When the Log on Locally right is assigned to domain controllers, it is assigned to every domain controller in the domain because of the shared Active Directory database.

By default, member servers are granted Log on Locally user rights in the Local Security Policy when Terminal Services is installed in Application Server mode.
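The six GUI steps above, plus the loopback setting they presuppose, as an added example that is not part of the thread, done with the RSAT GroupPolicy and ActiveDirectory modules. The GPO name "TS Loopback" and the computer name "TS01" are assumptions; Set-GPPermission is used here because only Allow entries (Read and Apply Group Policy) are needed.

```powershell
# Added example (not from the original thread). Assumptions: loopback GPO named
# "TS Loopback", terminal server computer account "TS01", RSAT modules present.
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'TS Loopback'   # assumed
$TsName  = 'TS01'          # assumed terminal server name

# OU that holds the terminal server (its DN with the leading CN= part removed).
$TsOu = (Get-ADComputer -Identity $TsName).DistinguishedName -replace '^CN=[^,]+,'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Loopback processing is a Computer Configuration setting:
# UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Steps 1-6 of the post: give the terminal server's computer account
# Read + Apply Group Policy (GpoApply grants both).
Set-GPPermission -Name $GpoName -TargetName $TsName -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null

# Keep Authenticated Users at Read only, so the loopback GPO is applied by the
# terminal server alone and not by every other computer under the same OU.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Loopback is a computer setting, so the GPO must be linked where the computer
# object lives, not where the users are.
if (-not ((Get-GPInheritance -Target $TsOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null
}

# Show the resulting security filtering.
Get-GPPermission -Name $GpoName -All |
    Format-Table Trustee, TrusteeType, Permission, Denied -AutoSize
```

After a reboot of the terminal server (so its computer token reflects the change), `gpresult /r /scope computer` on it should list the GPO under applied policies, and a user session on it should show the loopback-supplied user settings in `gpresult /r /scope user`.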
LVL 7

Expert Comment

by:YourReference
ID: 21689512
copy/paste error