

Group Policy exclusion - not working right...

Posted on 2004-08-19
Medium Priority
Last Modified: 2012-05-05
Hello -

I have SUS running in our AD. I've configured SUS correctly so far, and
clients are getting their updates successfully.

I have one problem, however - the main servers are getting these updates,
even though I do not want them to. I want to patch them manually.

Here's what I did to exclude them, but it's not working - can anyone tell me

I created a security group and put all the server machines in it. I called
it "No SUS".
I went to the properties of the current GP that uses SUS and added "No SUS"
to it with implicit Deny rights on "Apply Group Policy".

What did I do wrong?

Question by:zeroiq01

Expert Comment

ID: 11843501
It looks absolutely fine.
Can you also try denying the "Read" permission?

I also use SUS but what I do is that I keep servers in one OU and workstations in a different one (only workstations apply that policy)

(and a different one for remote machines, and another for laptops)

If you need to apply a number of policies to both servers and workstations, you only need to add the link to the GPO and modify the policy only once (if need be).

hope that works for you.

Author Comment

ID: 11845201
Thanks for the comment.

Let me follow up on this:

If I remove my servers from the built in "Domain Controllers" OU, will I break any of their functions? I intend to put them in a "Server" OU, and maybe do as you suggest and make one for laptops, too.

Let me know - thanks

Expert Comment

ID: 11846469
Leave the Domain Controllers in the OU. Remove the SUS GPO from the ROOT domain. You should never apply policy to the root. Then create a new group policy and a new OU for your workstations and for your servers. Do not put Group Policy on the Computers container either. When you want the group policy on the machines, move them to the appropriate container.


Accepted Solution

ralonso earned 800 total points
ID: 11847228
jdeclue is absolutely right

I leave my DC's in the default (they are applying the Default Domain Controllers Policy)

In my AD structure I have created a whole new hierarchy where I define stuff like
  Domain Controllers
      - Main Site
              - Users
              - Computers
                      - Laptops
      - Second Site (linked via VPN and with no DC's)
              - Users
              - Computers
                      - Laptops

Policies like SUS, or deployment of software (which I used earlier for service packs) like MS Office and patches, I apply only in the main site (as you can imagine, I don't want SUS to apply patches automatically for servers or machines with a slow link).

Similar things apply to laptops. Surely you don't want your CEO waiting 20 minutes in front of influential people for his laptop to boot up, just because you are deploying Office 2003 SP1

(yes, we are a small organisation and we can't afford SMS)

Policies are very useful but sometimes a bit tricky, but as long as you don't mess about with the domain policy or the domain controllers one, you should be fine.

Another good practice is to create many different policies.
i.e. for my main site OU I have a number of policies: Office 2003 deployment, IE Settings, SUS, ...

Each one of them has only a few settings related to the name. That way if something is not right, it's quite easy to troubleshoot.
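The OU-based approach jdeclue and ralonso describe (unlink the SUS GPO from the domain root, create separate OUs for workstations and servers, link the GPO only where it should apply, and move machines rather than filter them) can be scripted and, more usefully, verified. The following is an added example, not code from anyone in this thread, and it uses the GroupPolicy and ActiveDirectory PowerShell modules, which did not exist in 2004 and need RSAT on a modern Windows box. The GPO name "SUS Policy" and the OU names "Servers" and "Workstations" are placeholders.

```powershell
# Added example (not from the thread): move SUS targeting from the domain root
# to a Workstations OU and leave the built-in Domain Controllers OU untouched.
# Placeholders: GPO "SUS Policy", OUs "Servers" and "Workstations".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example
$gpoName   = 'SUS Policy'                          # placeholder GPO name
$serversOu = "OU=Servers,$domainDn"
$wsOu      = "OU=Workstations,$domainDn"

# 1. Create the two OUs if they are missing. Nothing here touches the
#    Domain Controllers OU or the Default Domain (Controllers) Policy.
foreach ($ou in @('Servers', 'Workstations')) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" `
                  -SearchBase $domainDn -SearchScope OneLevel
    if (-not $exists) { New-ADOrganizationalUnit -Name $ou -Path $domainDn }
}

# 2. Unlink the SUS GPO from the domain root if it is linked there.
$rootLinks = (Get-GPInheritance -Target $domainDn).GpoLinks
if ($rootLinks | Where-Object { $_.DisplayName -eq $gpoName }) {
    Remove-GPLink -Name $gpoName -Target $domainDn | Out-Null
}

# 3. Link it to the Workstations OU only.
$wsLinks = (Get-GPInheritance -Target $wsOu).GpoLinks
if (-not ($wsLinks | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $wsOu -LinkEnabled Yes | Out-Null
}

# 4. Move member servers (not DCs, which never live in CN=Computers) out of
#    the default Computers container into the Servers OU. The OS-name match
#    is an assumption; adjust the filter to your naming scheme if needed.
$computersContainer = "CN=Computers,$domainDn"
Get-ADComputer -SearchBase $computersContainer -SearchScope OneLevel `
               -Filter * -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -like '*Server*' } |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $serversOu }

# 5. Verify: list every site, domain or OU the SUS GPO is still linked to.
#    After this script the only line should be the Workstations OU.
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
$report.GPO.LinksTo | ForEach-Object {
    '{0}  (Enabled={1})' -f $_.SOMPath, $_.Enabled
}
```

Step 5 is the check worth keeping around: a GPO linked both at the root and at an OU still reaches the servers through the root link, so list the links rather than trusting the OU move alone. Moved computers pick up the new OU's policy at the next policy refresh (or `gpupdate /target:computer /force` on the machine).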

Expert Comment

ID: 11851982
Just a quick update, as I really didn't answer it in my email.

If you take the domain controllers out of the Domain Controllers container, you will break your entire AD infrastructure. The Domain Controllers must remain in the default Domain Controllers OU; this is where the Default Domain Controllers Group Policy is applied.

When an AD root is created there are two default Group Policies, Default Domain Policy and Default Domain Controllers Policy. If you make changes to the Default Domain Policy, the changes will apply to everything in your network, including the Domain Controllers. Below that policy is the Default Domain Controllers Policy; it is on the Domain Controllers OU. The defaults are required for proper operation of the Domain Controllers. You should never put a workstation or server into the container; when you install a DC it will be in the container by default.

With that said, all Group Policy you create should never be placed at the root, and you should not typically make changes to either of the Default Policies.


Expert Comment

ID: 21689509
Did you add the computer account of the terminal server to the security properties of the GPO being created for the loopback?

To do this, follow these steps:
1. Select the GPO that is created for the loopback, and then click Properties.
2. Click the Security tab, and then click Add.
3. In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
4. Click the computer account from the Group or user names box.
5. In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
6. Click OK two times to close and save the policy settings.

Another note:
When it is possible, Terminal Services should be installed on member servers instead of on domain controllers because the users need Log on Locally user rights.

When the Log on Locally right is assigned to domain controllers, it is assigned to every domain controller in the domain because of the shared Active Directory database.

By default, member servers are granted Log on Locally user rights in the Local Security Policy when Terminal Services is installed in Application Server mode.
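The six GUI steps above set Read and Apply Group Policy on a GPO for one computer account; the original question is the mirror image (a Deny on Apply Group Policy for a "No SUS" group that did not seem to take effect). Both cases come down to reading and setting the GPO's security filtering, so the following added example does that from PowerShell. It is not code from anyone in this thread; it needs the GroupPolicy module (RSAT), and the GPO name "Loopback TS Policy", the computer "TS01" and the group "No SUS" are placeholders. Whether the computer trustee must be given with or without the trailing `$` is an assumption to check against the audit output in your own domain.

```powershell
# Added example (not from the thread): audit a GPO's security filtering,
# then grant one computer account Read + Apply Group Policy.
# Placeholders: GPO "Loopback TS Policy", computer "TS01", group "No SUS".
Import-Module GroupPolicy

function Get-GpoApplyAudit {
    # One row per ACE on the GPO: who it is, what level (GpoRead, GpoApply,
    # GpoEdit, ...), and whether the entry is an Allow or a Deny.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All | ForEach-Object {
        [pscustomobject]@{
            Trustee    = $_.Trustee.Name
            Type       = $_.TrusteeType
            Permission = $_.Permission
            Denied     = $_.Denied
            Inherited  = $_.Inherited
        }
    }
}

function Test-GpoDeniedFor {
    # True when the named trustee has a Deny entry covering Apply Group Policy,
    # i.e. the exclusion the question's "No SUS" group was meant to achieve.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$TrusteeName
    )
    $rows = Get-GpoApplyAudit -GpoName $GpoName |
        Where-Object { $_.Trustee -eq $TrusteeName -and $_.Denied -and
                       $_.Permission -eq 'GpoApply' }
    return [bool]$rows
}

$gpoName = 'Loopback TS Policy'   # placeholder

# Show the current filtering so a stray Deny (or a missing Apply) is visible.
Get-GpoApplyAudit -GpoName $gpoName | Format-Table -AutoSize

# Steps 3-6 from the comment above, scripted: GpoApply grants Read as well.
# Trustee name form ("TS01" vs "TS01$") is an assumption; compare with the audit.
Set-GPPermission -Name $gpoName -TargetName 'TS01' -TargetType Computer `
                 -PermissionLevel GpoApply | Out-Null

# Confirm the new entry landed.
Get-GpoApplyAudit -GpoName $gpoName | Where-Object { $_.Trustee -like 'TS01*' }

# For the original poster's scenario: is the exclusion group actually denied?
"No SUS denied Apply on '$gpoName': $(Test-GpoDeniedFor -GpoName $gpoName -TrusteeName 'No SUS')"
```

Two checks go with this. First, a computer's group memberships are read when the machine starts and builds its token, so after adding a server to "No SUS" the Deny only takes effect once that server has rebooted; `gpresult /scope computer /v` run on the server then lists the GPO under "Filtering: Denied (Security)" if the exclusion is working. Second, as the first reply notes, denying Read as well as Apply Group Policy is the usual belt-and-braces form of the exclusion, and the audit above shows both entries with `Denied = True`.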

Expert Comment

ID: 21689512
copy/paste error
