Deploying SUS

What is the best way to set up SUS for 300 clients?

We have a mix of 2000 and XP Pro clients, and 90% of our users are NOT local admins on their machines. I am looking for a way to set up the clients so auto updates are enabled and pulling from the SUS server.


Asked by: Justin Durrant (Sr. Engineer - Windows Server/Virtualization)

Lee W, MVP (Technology and Business Process Advisor) commented:

SUS works best with Group Policies.  Install SUS on a server.  Then read over this easy, graphical explanation of what to do next.

Basically it summarizes setting up the GPO settings and the possibly needed .adm file.

Then you put the GPO on an OU - or if you want to be bold, the whole site or domain.  (I recommend starting slow by making a GPO for testing and trying it out on a few machines so you can see how it's working.  Then move it to domain or site level.)

Zaheer Iqbal (Technical Assurance & Implementation) commented:
The documentation on SUS is actually rather good. What's important in your case is that you need to import the wuau.adm file that you can download from the MS SUS site as well into the group policy editor and configure the clients to point to your internal SUS server for the updates. That's the obvious part.
The not so obvious part is that only one of the scheduling options will install the updates completely automatically, the others require an administrator to log on and approve of the updates. The setting you're looking for is number 4, Download automatically and install according to this schedule (or similar, not using an English version).

Justin Durrant (Sr. Engineer - Windows Server/Virtualization), author, commented:
We are still on an NT domain.

Lee W, MVP (Technology and Business Process Advisor) commented:
Ah... then I see your problem.  GPOs really are the best way of doing it but you need a 2000 domain.  

I would recommend, especially if you're not the decision maker in these matters, that you use this as part of an argument to move to a 2000 or 2003 domain.  Aside from the fact that Microsoft has essentially stopped supporting NT, an AD domain would make this MUCH easier.

That said, try reading over this site:

You can use the information there to preconfigure your Windows client registries so that they know where the server is and how often to update/etc.  As for getting these settings on the client, you should be able to script them using PSEXEC (freeware utility - part of PSTOOLS).  The script would be a single file that goes through a list of computer names and remotely runs the registry update.  If you aren't familiar with PSTOOLS you can run the tool with a /? for an explanation of how to use it.  And if you need, I can write the script for you.

You can still deploy the SUS settings with a regular NT4 system policy. Open the wuau.adm in notepad, save it again as ANSI (the file comes in Unicode format, which the NT4 poledit can't handle). Then import it into poledit, and adjust your ntconfig.pol file accordingly. The one major problem with an NT4 domain and system policies is that you can't group computers, so you'll either have to use SUS on all of your machines by configuring the Default Computer object, or you'll have to add a computer into ntconfig.pol for every machine you want to deploy it on. There's a third possibility as well, though; that involves disabling the system policies or redirecting them to another .pol file on machines you don't want the SUS policies to apply.

Guide to MS Windows NT 4.0 Profiles and Policies

This applies to XP as well:
Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups

Justin Durrant (Sr. Engineer - Windows Server/Virtualization), author, commented:
Thanks guys.. will the wuau.reg work with 2000 and XP machines? Will any client reboots be required?

Justin Durrant (Sr. Engineer - Windows Server/Virtualization), author, commented:
Ok.. I am trying to call the reg file from a network location, and I get:

C:\>psexec -s \\S_east \\svfile\ittools\wuau.reg

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals -

PsExec could not start \\svfile\ittools\wuau.reg on S_east:
Access is denied.

any ideas?

Lee W, MVP (Technology and Business Process Advisor) commented:
My apologies - I didn't mean to abandon the question the way I did:

In regards to your second to last comment, the wuau.reg file should work with both systems, but I believe a reboot will be required on the client.

The PSEXEC issue appears to be security related.  Make sure you are logged in to the computer you're executing the command from as a domain admin.  Alternately, specify a user and password with psexec - for more info run PSEXEC /?.
Question has a verified solution.
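
The scripted rollout discussed in this thread, written out as an added example (it is not code posted by any participant). It stages wuau.reg on each client through the admin$ share and has PsExec start regedit.exe on that local copy, so the remote LocalSystem process never has to read a network share and is never asked to "execute" a .reg file. The list file name computers.txt and the log file failed.txt are assumptions.

```batch
@echo off
rem Added example, not from the thread: push wuau.reg to every client in a list.
rem Assumptions: run while logged on with an account that is a local admin on
rem the clients; computers.txt (hypothetical name, one computer per line) and
rem wuau.reg sit in the current directory; psexec.exe is on the PATH.
rem No -u/-p is used, so no password appears on the command line.
setlocal
if not exist wuau.reg (echo wuau.reg not found & exit /b 1)
if not exist computers.txt (echo computers.txt not found & exit /b 1)

for /f "usebackq tokens=1" %%c in ("computers.txt") do call :push %%c
echo Done. Machines that need attention are listed in failed.txt, if any.
endlocal
goto :eof

:push
set PC=%1
rem Stage the file on the client itself: admin$ maps to its Windows directory.
copy /y wuau.reg "\\%PC%\admin$\wuau.reg" >nul 2>&1
if errorlevel 1 goto :fail
rem Run regedit.exe (a real executable) as LocalSystem against the local copy.
rem The doubled percent signs make the client, not this machine, expand
rem SystemRoot (typically C:\WINNT on 2000 and C:\WINDOWS on XP).
psexec \\%PC% -s cmd /c start /wait regedit /s "%%SystemRoot%%\wuau.reg"
if errorlevel 1 goto :fail
del "\\%PC%\admin$\wuau.reg"
echo %PC%: imported
goto :eof

:fail
echo %PC%: FAILED, check that it is online and that you are an admin on it
>>failed.txt echo %PC%
goto :eof
```

Run it against two or three test machines first and confirm the Automatic Updates settings on them before feeding it the full list.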
