Solved

Using SUS With 2 Group Policies

Posted on 2005-03-30
Last Modified: 2010-04-18
In addition to our DC/SUS Win2K3 server, we now have a separate server on the network. We now have to create 2 separate GPOs: One for workstations and another for servers for auto restart purposes. Can you advise on how we did this?

1. Created 2 separate OUs (SUS-Workstations & SUS-Servers)
2. Within each OU, created a security group (each named SUS-Workstations & SUS-Servers)
3. For each security group, added the appropriate computer
4. Created new GPOs called SUS-Workstation & SUS-Server
5. In each GPO, applied a security filter. Example: For the SUS-Servers GPO, added the SUS-Servers security group
6. Updated GPO security group permissions to read/write
7. Linked & enabled both GPOs to the domain

What's odd is at first after several restarts, nothing worked on the clients or servers. Then I added the 'Authenticated Users' group to the security filter along with read/write permissions, and it worked. BUT only for the SUS-Servers area. Is this a required group to filter out?

Also, why aren't the workstations getting affected? Everything else is consistent.

Thanks
Question by:leeym
13 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 13664563
Well first, you can't apply group policy directly to a security group. If I understand you correctly....in say the workstation OU...you have a security group, not the actual computer objects? If so...this is why it doesn't work.

Also,

Where is your first DC located in AD? Best practice is to not move the DC object out of the Domain Controllers container (its default location).

What is the second server...a member or a DC?

I'm still trying to figure out why you now need 2 policies just because you get a new server. The servers should be separated from workstations in AD so workstation policy shouldn't affect servers at all.
 
LVL 18

Expert Comment

by:luv2smile
ID: 13664618
Also, when you set up the policy, did you force a policy refresh? If not then this is probably why it didn't work at first and then did.....it takes up to 90 minutes for the policy to update on its own.

I'd like to have a better picture of your AD structure in order to help you further...I'm not exactly sure where your computer/server objects are located
 

Author Comment

by:leeym
ID: 13665094
All good questions. The reason for splitting out into 2 policies is because the SUS/DC server is the first server on the network, and the second server is for Exchange. Both are on Win2K3. Now if one policy applies to both, then servers will be forced to restart in the middle of the day which isn't good. We'd like to manage this manually, but still have it managed via policy. Hope this makes sense.

If you have another workaround, I'd love to hear your feedback.

As for the policy refresh, I performed gpupdate /force on all boxes to no avail. Sounds like I'm missing something. Again, your feedback is welcome. What's odd is that in the configuration described above, only the servers are affected by the policy, and not the workstations. Again, the only difference b/w the policies is the members of each security group.

Lastly, all computer objects are located in the AD U&C default location (computers folder). Thoughts?
 
LVL 18

Accepted Solution

by:
luv2smile earned 252 total points
ID: 13665796
"Now if one policy applies to both"

Well if you have your AD design setup properly, you shouldn't have one policy applying to both workstations and servers and you shouldn't need two policies.

You should have a policy that applies only to your workstations to accomplish what you want. This policy shouldn't apply to your servers so no need to create another policy for your servers.

You can take care of this issue with your AD structure instead of applying 2 different policies.

I always like to move my computer objects out of their default computer container. This location is a container and NOT an OU...so you can't apply policy to it.

Plus it helps me in management if my computers are organized into OUs...it creates better organization.

So maybe have an OU for workstations (move your workstation objects into this OU) and you'd apply the workstation policy (I assume this is a computer setting and not a user setting?) to this OU.

Your domain controller shouldn't be in any other OU...it should remain in its default domain controllers location. As long as it is there, it won't receive any policy applied to any other OU besides the default domain policy.

If your second server is a member server (not a DC) then you can just create an OU for it maybe called "member servers" and move its computer object into that OU.
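As an added example (not code from the thread), the restructuring luv2smile describes, scripted in PowerShell with the RSAT ActiveDirectory and GroupPolicy modules; these modules did not exist in 2005, but every step maps one-to-one onto Active Directory Users and Computers and the GPMC. It also folds in the filtering point from steps 5 and 6 of the question: security filtering needs Read plus Apply Group Policy, and Read/Write alone does not deliver a GPO. The OU names, GPO names, the domain and the SUS URL are assumptions.

```powershell
# Added example, not from the original thread: deliver SUS/Automatic Updates
# settings by OU instead of by security-group filtering on domain-linked GPOs.
# Needs the RSAT ActiveDirectory and GroupPolicy modules and an account that
# can create OUs and GPOs. OU names, GPO names and the SUS URL are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn    = (Get-ADDomain).DistinguishedName
$computersCn = "CN=Computers,$domainDn"            # default container; a GPO cannot be linked here
$susServer   = "http://sus.corp.example.com"        # assumed SUS/WSUS URL (http://host, no trailing slash)

# 1. One OU per class of machine. Domain controllers stay in the built-in
#    "Domain Controllers" OU and are deliberately not moved.
foreach ($ouName in @("Workstations", "Member Servers")) {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -SearchScope OneLevel
    if (-not $exists) { New-ADOrganizationalUnit -Name $ouName -Path $domainDn }
}
$wsOu  = "OU=Workstations,$domainDn"
$srvOu = "OU=Member Servers,$domainDn"

# 2. Move computer objects out of CN=Computers, splitting on the OS attribute.
#    Anything already outside that container (including DCs) is untouched.
Get-ADComputer -SearchBase $computersCn -SearchScope OneLevel -Filter * -Properties OperatingSystem |
    ForEach-Object {
        $target = if ($_.OperatingSystem -like "*Server*") { $srvOu } else { $wsOu }
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $target
    }

# 3. One GPO per OU. Both point at the same SUS server and differ only in how
#    installs and reboots are handled. The registry values are the ones the
#    "Configure Automatic Updates" and "Specify intranet Microsoft update
#    service location" policies write.
$wuKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$plan = @{
    "SUS-Workstations"  = @{ Ou = $wsOu;  AUOptions = 4; NoAutoReboot = 0 }  # 4 = download and install on schedule
    "SUS-MemberServers" = @{ Ou = $srvOu; AUOptions = 3; NoAutoReboot = 1 }  # 3 = download, then wait for an admin to install
}
foreach ($gpoName in $plan.Keys) {
    $cfg = $plan[$gpoName]
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }

    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName "WUServer"       -Type String -Value $susServer | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName "WUStatusServer" -Type String -Value $susServer | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName "UseWUServer"  -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName "NoAutoUpdate" -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName "AUOptions"    -Type DWord -Value $cfg.AUOptions | Out-Null
    # NoAutoRebootWithLoggedOnUsers only matters when AUOptions is 4; with 3 nothing installs unattended anyway.
    Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName "NoAutoRebootWithLoggedOnUsers" -Type DWord -Value $cfg.NoAutoReboot | Out-Null

    # 4. Link to the OU only, never to the domain root, so a server can never
    #    fall under the workstation policy (the original setup linked both GPOs
    #    at the domain and relied on filtering to keep them apart).
    $linked = (Get-GPInheritance -Target $cfg.Ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) { New-GPLink -Name $gpoName -Target $cfg.Ou -LinkEnabled Yes | Out-Null }

    # 5. Security filtering: keep the default "Authenticated Users" entry with
    #    Read + Apply Group Policy. Computer accounts are members of Authenticated
    #    Users; a group given only Read/Write (no Apply) never receives the GPO.
    $auth = Get-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -ErrorAction SilentlyContinue
    if (-not $auth -or $auth.Permission -ne "GpoApply") {
        Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoApply | Out-Null
    }
}

# Clients pick the new policy up at the next background refresh (up to 90
# minutes plus a random offset) or immediately with: gpupdate /target:computer /force
```

Moving the computer objects is the step that matters most: a GPO linked at the domain still applies to everything under CN=Computers, which is why the domain-linked GPOs in the original setup reached the DC, and linking at the OU level is what lets the two policies stay apart without any group filtering at all.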
 
LVL 4

Expert Comment

by:Dan_JB
ID: 13665817
Hi leeym,

Similar to you we have 3 policies here: DCs, member servers and workstations. Using security groups to filter however will not work. This can only be done with user policies. SUS policies are computer policies which is why you are having problems. I would recommend applying a GPO to each OU that your computer objects are in. If necessary, separate servers into one OU and workstations into another OU. Apply a GPO to each OU rather than at the Domain level. This should work without any issues.

Dan
 

Author Comment

by:leeym
ID: 13666885
luv2smile: What's the process to apply a workstation-based policy to an OU?

Dan_JB: What's the process to apply a GPO to each OU that my computer objects are in??

I think your requests are the same, correct?

BTW, both computer AND user settings apply in the GPO
 

Author Comment

by:leeym
ID: 13667429
OK Guys,

I figured out your requests, and now have 2 separate OUs (servers & workstations), each linked to their respective server- or workstation-based GPO. However, for some reason, after restarting and re-logging in, the machines aren't being affected. Only the DC itself is getting updated.

Quick question: Must any 'Security Filters' be applied here? If so, which ones, and should any 'Advanced Settings' be changed? Thanks
 
LVL 18

Expert Comment

by:luv2smile
ID: 13671200
Have you changed the default security filtering? Authenticated users should be there by default and they should have read and apply rights.......this is how they get the policy.

"BTW, both computer AND user settings apply in the GPO"

The user settings won't apply if the users are not in the OU.....(unless you setup something called loopback processing).
 
LVL 4

Assisted Solution

by:Dan_JB
Dan_JB earned 248 total points
ID: 13671448
Depending on what the clients have received from SUS in the past they may not receive updates until the update time is reached. You can use GPRESULT /SCOPE Computer /Z from a command prompt to check if the policy has applied (/? will give you all the options). You can check the status of SUS on the client by looking at these two log files in the Windows folder: "Windows Update.log" and "WindowsUpdate.log". Error "...autoupdatedrivers/getmanifest.asp (Error 0x80190194)" is normal since SUS cannot currently distribute driver updates.

Dan
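As an added example (not from Dan_JB's post), the checks he lists scripted in PowerShell for the client side: parse the "Applied Group Policy Objects" list from gpresult, read the policy registry values that the SUS settings write, and skim WindowsUpdate.log for errors other than the expected getmanifest one. The GPO name and SUS URL are assumptions, and the gpresult output layout the parser relies on is stated in its comment.

```powershell
# Added example, not from the original thread: confirm on a client that the
# SUS policy actually reached it. Run in an elevated PowerShell on the
# workstation or member server. The expected GPO name and SUS URL are assumptions.

function Get-AppliedComputerGpos {
    # gpresult /scope computer /z prints an "Applied Group Policy Objects"
    # section: a header line, a dashed underline, then one GPO name per line
    # up to the first blank line. The parse below assumes that layout.
    $lines = & gpresult.exe /scope computer /z 2>&1
    $names = @()
    $inSection = $false
    foreach ($line in $lines) {
        $text = "$line".Trim()
        if ($text -match '^Applied Group Policy Objects') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($text -match '^-+$') { continue }
        if ($text -eq '') { break }
        $names += $text
    }
    return $names
}

function Get-AutomaticUpdatesPolicy {
    # Policy-delivered Automatic Updates settings land under the Policies hive.
    # If the key is missing, no GPO has written it: not linked, filtered out,
    # or the machine sits in a container the GPO is not linked to.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $base)) { return $null }
    $wu = Get-ItemProperty -Path $base
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer                      = $wu.WUServer
        UseWUServer                   = $au.UseWUServer
        AUOptions                     = $au.AUOptions
        ScheduledInstallTime          = $au.ScheduledInstallTime
        NoAutoRebootWithLoggedOnUsers = $au.NoAutoRebootWithLoggedOnUsers
    }
}

$expectedGpo    = 'SUS-Workstations'              # assumed GPO name
$expectedServer = 'http://sus.corp.example.com'   # assumed SUS URL

$applied = Get-AppliedComputerGpos
if ($applied -contains $expectedGpo) {
    "OK: $expectedGpo is in the applied list"
} else {
    "MISSING: $expectedGpo not applied. Applied GPOs: $($applied -join ', ')"
    "Check the computer object's OU (not CN=Computers), the GPO link, and that Authenticated Users still has Apply Group Policy."
}

$policy = Get-AutomaticUpdatesPolicy
if ($null -eq $policy) {
    "No WindowsUpdate policy key present: the client is still talking to Windows Update, not SUS."
} elseif ($policy.WUServer -ne $expectedServer -or $policy.UseWUServer -ne 1) {
    "WRONG SERVER: WUServer=$($policy.WUServer) UseWUServer=$($policy.UseWUServer)"
} else {
    "OK: pointed at $($policy.WUServer), AUOptions=$($policy.AUOptions), NoAutoReboot=$($policy.NoAutoRebootWithLoggedOnUsers)"
}

# Recent client-side errors, ignoring the expected driver-manifest 0x80190194
# noise mentioned above. On Windows 10 and later this file is only a stub;
# regenerate it with Get-WindowsUpdateLog first.
$log = Join-Path $env:windir 'WindowsUpdate.log'
if (Test-Path $log) {
    Get-Content $log -Tail 300 |
        Where-Object { $_ -match '0x8[0-9A-Fa-f]{7}' -and $_ -notmatch 'getmanifest' } |
        Select-Object -Last 10
}
```

If the GPO shows as applied but the registry key is absent, the link is fine and the settings inside the GPO are the problem (for example configured under User Configuration, which a computer object never processes); if the GPO is not in the applied list at all, look at the "filtered out" section of the same gpresult output, which names the reason (Security, Empty, Disabled) for each GPO it skipped.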
 
LVL 4

Expert Comment

by:Dan_JB
ID: 15710305
In the absence of any response from leeym I think we provided enough info to determine the cause.

Thanks,
Dan_JB