Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

WSUS Group Policy question

Posted on 2006-10-24
20
855 Views
Last Modified: 2008-05-30
I have 15 member servers that are updated via group policy from a remote WSUS server. Three of these servers are application servers and have recently had issues due to a Microsoft critical update. I would like to exclude these from receiving updates from WSUS for the moment. What’s the best way? Do I create a new OU move them and change the GP or is there another way? Id prefer to keep them in the same OU as other policies are applied via GP
0
Comment
Question by:boomerbostock
  • 7
  • 4
  • 3
  • +5
20 Comments
 
LVL 1

Expert Comment

by:rmilliard
ID: 17801317
Yes,
- I think you have to make a new OU. Make this OU direct under the current OU. This way the servers will inherit the policies of the OU above.
- Move the servers inquestion to this OU
- Make a new GPO policy and link it to the newly created OU.
- Open the newly created GPO and goto the WSUS policies and disable all WSUS settings. This will override all WSUS settings defined in the policy that is linked to
  the above OU.
- Go to WSUS make a new computer group that is based on the newly created OU

Thats it. When you're don testing just move the servers back to the original OU.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17801839
Why not just leave them where they are and change the Windows Update Service from Automatic to Disabled?

Vic
0
 

Expert Comment

by:blablup
ID: 17801892
If your WSUS sets the group of the Computers automatically by gp you have to do it like rmilliard descript, if not, you can create a new group on the WSUS and put the Server into that group.

Another possibility is to deactivate the update Service on the servers you don't want to update.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 25

Accepted Solution

by:
Ron Malmstead earned 500 total points
ID: 17802923
When you approve updates, you approve them for a group of computers in WSUS.
You need to create another group in WSUS.  Then move all of the servers into that group.  Updates are not approved for the new group therefore servers in that group won't be downloading them.

I created 3 groups in WSUS....Client Workstations, Servers, No Updates.   I actually had to do this, because we have Cisco VOIP servers that are not supposed to get windows updates ever....only Cisco approved updates.

good luck
0
 
LVL 38

Expert Comment

by:younghv
ID: 17802978
I must be missing something here.

If you 'DISABLE' the wuauserv service on those 3 servers - the Update Service will not run - unless you have a GPO (applied) to turn on that service.

Why create extra work when all you have to do is turn it off?


Vic
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17803198
Vic, I thought you were a security man! You do not want to disable the update service on any windows box.


As mentioned above create a new group within WSUS and apply/disable the problematic updates to that group, configure it to not auto install (install post-test). I wouldnt fully disable them as Vic stated, yet if you dont want them recieving any updates (not advised) then proceed as he stated.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17803398
bigjimbo - ya busted me.

The only reason I know about it is that we disable our Exchange 2003 (Exchange Admin does it personally) and a couple of the Servers over on the Finance/Personnel side.

They run some custom-built apps that take special treatment to make sure updates don't break them (I hate those friggin servers).

I do "scan" them for vulnerabilities once a week and bust their humps if they don't have the latest patches.

I resisted putting them in their own little 'special' OU because it is simpler this way (and I don't like them).


Vic
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17804797
No worries, just bustin your balls.

But NO PRODUCTION server should ever have auto-install. I'm a bit anal when it comes to updates, (99% of my network is Windows..wonder why) But all of my production servers are split up depending on their "job". I also have a seperate WSUS servers for those critical systems, and one for workstations. I break workstations up according to mobile, or dt. While servers are broken up into web, application, database ect.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17804877
Roger, over.
Did I see your name on the CISSP list that came out today?

Regarding servers - you're right.
Our 'Applications' servers all have specific admins assigned as 'Owners'.
They are the 'Go-To' guys (or gals) who are charged with the server maintenance and making sure they pass the scans I do.

Vic
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17805170
CISSP? Sadly I dont have the time to study for that (finishing undergrad up this semester as well as just started my masters). Did I mention I work full time at my current job, as well as a part-time unpaid internship, and have been taking a full load at school (3 under, 1 graduate). AND...throw a girlfriend and hobbies in there.


Any one have a solution on how to aquire 36 hour days? I can award as many points as needed!

0
 
LVL 4

Expert Comment

by:expexchuser
ID: 17806227
Umm, I wouldn't do anything in AD!  

This can be entirely handled from within the WSUS mgmt interface, and was designed to help admins pick and choose.  Just go to the computers section and click "create a computer group" from the left.  Label it "Application Servers" and it will appear on the lower left.  Then go to the group that currently holds the servers you want to control and highlight them.  Then choose "move the selected computer" from your options on the left.

Now that the servers are in their own group, when you roll out new updates, set the approval for that group to "detect only."
0
 
LVL 4

Expert Comment

by:Beldoran
ID: 17808919
You could go to the policy that contains the WSUS settings and add the 3 servers with deny rights. This way they would not get the policy settings until you removed those security changes.

On the 3 server machines then ensure that the updates are set to manual not automatic.

Dirty but simple.
0
 
LVL 10

Expert Comment

by:Phadke_hemant
ID: 17809716
yes I think making changes in WSUS is the best way and not to disturb local policies/ settings on servers
0
 
LVL 4

Expert Comment

by:expexchuser
ID: 17812096
No active directory or group policy changes should be made for this!  See my comment 3 posts up.  This is what you need to do.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17812182
expexchuser,
You're right - you were the first with that comment.
That other "poster" has been running around all over the board this morning repeating other people's suggestions.
Maybe he thinks nobody will notice and he'll sneak a few points that way.

Vic
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 17812497
JUST PUT THE SERVERS IN A DIFFERENT GROUP IN WSUS !   it's really that simple.
Just create a new group and move them.

THEN...you can still track their updates in WSUS, and you don't need to make any changes to group policy or the servers...

The solution is literally like 4 mouse clicks ...
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 17812525
PS:  If you do what I said....the servers will still show in WSUS, but they won't ever get any updates unless you approve them for the group they are in.

trust me....this is the best/easiest solution.
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17816095
Vic, were you referring to me?
0
 
LVL 38

Expert Comment

by:younghv
ID: 17816181
Hell no!
You actually know what you're talking about.
This was some newbie copying earlier posts (in the same string) and pasting them in his own post.

Vic
0
 
LVL 38

Expert Comment

by:younghv
ID: 17816189
bigjimbo813,
My email address is in my 'Profile' if you want to drop me a note.
Vic
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question