Group Policy exclusion - not working right...

Posted on 2004-08-19
Last Modified: 2012-05-05
Hello -

I have SUS running in our AD. I've configured SUS correctly so far, and
clients are getting their updates successfully.

I have one problem, however - the main servers are getting these updates,
even though I do not want them to. I want to patch them manually.

Here's what I did to exclude them, but it's not working - can anyone tell me

I created a security group and put all the server machines in it. I called
it "No SUS".
I went to the properties of the current GP that uses SUS and added "No SUS"
to it with implicit Deny rights on "Apply Group Policy".

What did I do wrong?

Question by:zeroiq01
  • 2
  • 2
  • 2
  • +1

Expert Comment

ID: 11843501
it looks like absolutely fine.
can you try to deny also rights on the "Read" permission?

I also use SUS but what I do is that I keep servers in one OU and workstations in a different one (only workstations apply that policy)

(and a different one for remote machines, and another for laptops)

If you need to apply a number of policies to both servers and workstations, you only need to add the link to the GPO and modify the policy only once (if need be).

hope that works for you.

Author Comment

ID: 11845201
Thanks for the comment.

Let me follow up on this:

If I remove my servers from the built in "Domain Controllers" OU, will I break any of their functions? I intend to put them in a "Server" OU, and maybe do as you suggest and make one for laptops, too.

Let me know - thanks

Expert Comment

ID: 11846469
Leave the Domain Controllers in the OU. Remove the SUS GPO from the ROOT domain. You should never apply policy to the root. Then create a new group policy and a new OU for your workstations and for you Servers. Do not put Group Policy on the Computers container either. When you want the group policy on the machines, move them to the appropriate container.

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)


Accepted Solution

ralonso earned 200 total points
ID: 11847228
jdeclue is absolutely right

I leave my DC's in the default (they are applying the Default Domain Controllers Policy)

In my AD structure I have created a whole new hierarchy where I define stuff like
  Domain Controllers
      - Main Site
              - Users
              - Computers
                      - Laptops
      - Second Site (linked via VPN and with no DC's)
              - Users
              - Computers
                      - Laptops

Policies like SUS, or deployment of software (before I used for service packs) like MS Office and patches I apply only in the main site (as you can imagine I don't want SUS to apply patches automatically for servers or machines with a slow link)

Similar things apply to laptops. Surely you don't want your CEO waiting 20 minutes in front of influential people for his laptop to boot up, just because you are deploying Office 2003 SP1

(yes, we are a small organisation and we can't afford SMS)

Policies are very useful but sometimes a bit tricky, but as long as you don't mess about with the domain policy or the domain controllers one, you should be fine.

Another good practice is to create many different policies.
i.e. for my main site OU I have a number of polices: Office 2003 deployment, IE Settings, SUS, ...

Each one of them has only a few settings related to the name. That way if something is not right, it's quite easy to troubleshoot.

Expert Comment

ID: 11851982
Just a quick update, as I really didn't answer it in my email.

If you take the domain controllers out ot the Domain Controllers container, you will break you entire AD infrastructure. The Domain Controllers must remain in the default Domain Controllers OU, this is where the Default Domain Controllers Group Policy is applied.

When a AD root is created there are two default Group Policies, Default Domain Policy and Default Domain Controllers Policy. If you make changes to the Default Domain Policy, the changes will apply to everthing in you network, including the Domain Controllers. Below that policy is the Default Domain Controllers Policy, it is on the Domain Controllers OU. The defaults are required for proper operation of the Domain Controllers. You should never put a workstation or server into the container, when you install a DC it will be in the container by default.

With that said, all Group Policy you create should never be placed at the root, and you should not typically make changes to either of the Default Policies.


Expert Comment

ID: 21689509
Did you add the computer account of the terminal server to the security properties of the GPO being created for the loopback.?

To do this, follow these steps:
1. Select the GPO that is created for the loopback, and then click Properties.
2. Click the Security tab, and then click Add.
3. In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
4. Click the computer account from the Group or user names box.
5. In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
6. Click OK two times to close and save the policy settings.

Another note:
When it is possible, Terminal Services should be installed on member servers instead of on domain controllers because the users need Log on Locally user rights.

When the Log on Locally right is assigned to domain controllers, it is assigned to every domain controller in the domain because of the shared Active Directory database.

By default, member servers are granted Log on Locally user rights in the Local Security Policy when Terminal Services is installed in Application Server mode.

Expert Comment

ID: 21689512
copy/paste error

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit If you want to manage em…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question