
Using SUS With 2 Group Policies

In addition to our DC/SUS Win2K3 server, we now have a separate server on the network. We now have to create 2 separate GPOs: One for workstations and another for servers for auto restart purposes. Can you advise on how we did this?

1. Created 2 separate OUs (SUS-Workstations & SUS-Servers)
2. Within each OU, created a security group (each named SUS-Workstations & SUS-Servers)
3. For each security group, added the appropriate computer
4. Created new GPOs called SUS-Workstation & SUS-Server
5. In each GPO, applied a security filter. Example: For the SUS-Servers GPO, added the SUS-Servers security group
6. Updated GPO security group permissions to read/write
7. Linked & enabled both GPOs to the domain

What's odd is at first after several restarts, nothing worked on the clients or servers. Then I added the 'Authenticated Users' group to the security filter along with read/write permissions, and it worked. BUT only for the SUS-Servers area. Is this a required group to filter out?

Also, why aren't the workstations getting affected? Everything else is consistent.

Thanks
Asked by leeym

2 Solutions
 
luv2smileCommented:
Well first, you can't apply group policy directly to a security group. If I understand you correctly....in say the workstation OU...you have a security group, not the actual computer objects? If so...this is why it doesn't work.

Also,

Where is your first DC located in AD? Best practice is to not move the DC object out of the Domain Controllers container (its default location).

What is the second server...a member or a DC?

I'm still trying to figure out why you now need 2 policies just because you get a new server. The servers should be separated from workstations in AD so workstation policy shouldn't affect servers at all.
 
luv2smileCommented:
Also, when you set up the policy, did you force a policy refresh? If not then this is probably why it didn't work at first and then did.....it takes up to 90 minutes for the policy to update on its own.

I'd like to have a better picture of your AD structure in order to help you further...I'm not exactly sure where your computer/server objects are located
 
leeymAuthor Commented:
All good questions. The reason for splitting out into 2 policies is because the SUS/DC server is the first server on the network, and the second server is for Exchange. Both are on Win2K3. Now if one policy applies to both, then servers will be forced to restart in the middle of the day which isn't good. We'd like to manage this manually, but still have it managed via policy. Hope this makes sense.

If you have another workaround, I'd love to hear your feedback.

As for the policy refresh, I performed gpupdate /force on all boxes to no avail. Sounds like I'm missing something. Again, your feedback is welcome. What's odd is that in the configuration described above, only the servers are affected by the policy, and not the workstations. Again, the only difference b/w the policies is the members of each security group.

Lastly, all computer objects are located in the AD U&C default location (computers folder). Thoughts?
 
luv2smileCommented:
"Now if one policy applies to both"

Well if you have your AD design setup properly, you shouldn't have one policy applying to both workstations and servers and you shouldn't need two policies.

You should have a policy that applies only to your workstations to accomplish what you want. This policy shouldn't apply to your servers so no need to create another policy for your servers.

You can take care of this issue with your AD structure instead of applying 2 different policies.

I always like to move my computer objects out of their default computer container. This location is a container and NOT an OU...so you can't apply policy to it.

Plus it helps me in management if my computers are organized into OUs...it creates better organization.

So maybe have an OU for workstations (move your workstation objects into this OU) and you'd apply the workstation policy (I assume this is a computer setting and not a user setting?) to this OU.

Your domain controller shouldn't be in any other OU...it should remain in its default domain controllers location. As long as it is there, it won't receive any policy applied to any other OU besides the default domain policy.

If your second server is a member server (not a DC) then you can just create an OU for it maybe called "member servers" and move its computer object into that OU.
 
Dan_JBCommented:
Hi leeym,

Similar to you we have 3 policies here: DCs, member servers and workstations. Using security groups to filter however will not work. This can only be done with user policies. SUS policies are computer policies which is why you are having problems. I would recommend applying a GPO to each OU that your computer objects are in. If necessary, separate servers into one OU and workstations into another OU. Apply a GPO to each OU rather than at the Domain level. This should work without any issues.

Dan
 
leeymAuthor Commented:
luv2smile: What's the process to apply a workstation-based policy to an OU?

Dan_JB: What's the process to apply a GPO to each OU that my computer objects are in??

I think your requests are the same, correct?

BTW, both computer AND user settings apply in the GPO
 
leeymAuthor Commented:
OK Guys,

I figured out your requests, and now have 2 separate OUs (server & workstations), each linked to their respective server or workstation-based GPO. However, for some reason, after restarting and re-logging in, the machines aren't being affected. Only the DC itself is getting updated.

Quick question: Must any 'Security Filters' be applied here? If so, which ones, and should any 'Advanced Settings' be changed? Thanks

 
luv2smileCommented:
Have you changed the default security filtering? Authenticated users should be there by default and they should have read and apply rights.......this is how they get the policy.

"BTW, both computer AND user settings apply in the GPO"

The user settings won't apply if the users are not in the OU.....(unless you set up something called loopback processing).
 
Dan_JBCommented:
Depending on what the clients have received from SUS in the past they may not receive updates until the update time is reached. You can use GPRESULT /SCOPE Computer /Z from a command prompt to check if the policy has applied (/? will give you all the options). You can check the status of SUS on the client by looking at these two log files in the Windows folder: "Windows Update.log" and "WindowsUpdate.log". Error "...autoupdatedrivers/getmanifest.asp (Error 0x80190194)" is normal since SUS cannot currently distribute driver updates.

Dan
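The checks Dan_JB and luv2smile describe above (security filtering with Read and Apply, gpresult on the computer scope, and whether the Automatic Updates settings actually reached the box) can be run as one script. This is an added example, not code from the thread; it assumes a domain-joined Windows host with the RSAT GroupPolicy module, an elevated prompt, and uses the thread's GPO name SUS-Servers as a default.

```powershell
# Added example (not from the thread): verify that a SUS/WSUS GPO can reach a
# computer and that its Automatic Updates settings actually landed on the host.
# Assumes a domain-joined Windows host, the RSAT GroupPolicy module (step 1),
# and an elevated prompt. GPO name is taken from the thread; adjust as needed.
param([string]$GpoName = 'SUS-Servers')

# 1. Security filtering. A computer receives a GPO only if a group it belongs to
#    holds BOTH Read and Apply Group Policy. Authenticated Users (the default)
#    includes computer accounts; a group containing only computer objects also
#    works, but the objects must still sit in an OU the GPO is linked to, since
#    the default CN=Computers container cannot have a GPO linked to it.
Import-Module GroupPolicy -ErrorAction Stop
$perms = Get-GPPermission -Name $GpoName -All
$apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' }
if (-not $apply) {
    Write-Warning "$GpoName grants 'Apply Group Policy' to nobody; no computer will receive it."
} else {
    $apply | ForEach-Object { "Apply granted to: $($_.Trustee.Name) ($($_.Trustee.SidType))" }
}

# 2. Did the computer side of the GPO apply to this host? The verbose RSoP
#    lists applied GPOs and, separately, GPOs filtered out with the reason.
$rsop = gpresult /scope computer /z 2>&1 | Out-String
if ($rsop -match [regex]::Escape($GpoName)) {
    "gpresult mentions $GpoName; check whether it is listed as applied or as filtered out."
} else {
    Write-Warning "$GpoName is absent from the computer RSoP: check the OU link and group membership."
}

# 3. The Automatic Updates policy values an SUS GPO writes. Missing key means
#    no update policy applied at all; present values show the restart schedule.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
if (Test-Path $au) {
    Get-ItemProperty $wu | Select-Object WUServer, WUStatusServer
    Get-ItemProperty $au | Select-Object AUOptions, ScheduledInstallDay,
        ScheduledInstallTime, NoAutoRebootWithLoggedOnUsers, NoAutoUpdate
} else {
    Write-Warning 'No AU policy key present: the update GPO has not been applied to this computer.'
}
```

Run it on one of the workstations that is not picking up the policy; step 2 tells you whether the GPO is being filtered out and why, and step 3 confirms whether any SUS settings arrived.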
 
Dan_JBCommented:
In the absence of any response from leeym I think we provided enough info to determine the cause.

Thanks,
Dan_JB