Solved

WSUS Group Policy question

Posted on 2006-10-24
857 Views
Last Modified: 2008-05-30
I have 15 member servers that are updated via group policy from a remote WSUS server. Three of these servers are application servers and have recently had issues due to a Microsoft critical update. I would like to exclude these from receiving updates from WSUS for the moment. What’s the best way? Do I create a new OU, move them and change the GP, or is there another way? I'd prefer to keep them in the same OU as other policies are applied via GP.
Question by:boomerbostock
20 Comments
 
LVL 1

Expert Comment

by:rmilliard
ID: 17801317
Yes,
- I think you have to make a new OU. Make this OU directly under the current OU. This way the servers will inherit the policies of the OU above.
- Move the servers in question to this OU.
- Make a new GPO and link it to the newly created OU.
- Open the newly created GPO, go to the WSUS policies and disable all WSUS settings. This will override all WSUS settings defined in the policy that is linked to the OU above.
- Go to WSUS and make a new computer group that is based on the newly created OU.

That's it. When you're done testing, just move the servers back to the original OU.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17801839
Why not just leave them where they are and change the Windows Update Service from Automatic to Disabled?

Vic
0
 

Expert Comment

by:blablup
ID: 17801892
If your WSUS sets the group of the computers automatically by GP, you have to do it like rmilliard described; if not, you can create a new group on the WSUS and put the servers into that group.

Another possibility is to deactivate the update Service on the servers you don't want to update.
0
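The distinction blablup draws (group assigned by Group Policy, i.e. client-side targeting, versus group assigned in the console) decides which of the two approaches in this thread will actually work. The PowerShell below is an added example, not code from the thread or from any poster: it reads the Windows Update policy keys that a WSUS GPO writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate on each server, plus the wuauserv service start mode that Vic's suggestion would change, and reports which case you are in. The server names are placeholders, and it assumes the Remote Registry service is reachable and you are a local admin on each target. Whether a TargetGroup value is honoured also depends on the targeting option set on the WSUS server itself; the script only reports what the client-side policy says.

```powershell
# Added example (not from the original thread). Reports, per server, whether
# the WSUS computer group is dictated by Group Policy (client-side targeting)
# or can be changed in the WSUS console, and what the Automatic Updates and
# wuauserv settings are. Server names below are assumed placeholders.

function Get-WsusClientPolicy {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    $wuPath = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPath = "$wuPath\AU"

    foreach ($c in $ComputerName) {
        # Remote Registry: assumes the service is running and you are admin on $c.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $c)
        $wu = $hklm.OpenSubKey($wuPath)
        $au = $hklm.OpenSubKey($auPath)

        # A missing key means no WSUS policy reaches this machine at all.
        $wuServer      = if ($wu) { $wu.GetValue('WUServer') }
        $targetEnabled = if ($wu) { $wu.GetValue('TargetGroupEnabled') }
        $targetGroup   = if ($wu) { $wu.GetValue('TargetGroup') }
        $noAutoUpdate  = if ($au) { $au.GetValue('NoAutoUpdate') }
        $auOptions     = if ($au) { $au.GetValue('AUOptions') }

        # Service start mode and state via WMI (works on old hosts without PS 5).
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $c -Filter "Name='wuauserv'"

        # Client-side targeting: the group name comes from policy, so moving the
        # computer in the WSUS console is undone at the next detection cycle.
        $mode = if ($targetEnabled -eq 1 -and $targetGroup) {
            "client-side targeting: group '$targetGroup' is set by policy; console moves will not stick"
        } elseif ($wuServer) {
            'server-side targeting: group can be changed in the WSUS console'
        } else {
            'no WSUS policy: machine is not pointed at a WSUS server'
        }

        $auDesc = switch ($auOptions) {
            2       { 'notify before download' }
            3       { 'auto download, notify before install' }
            4       { 'auto download and schedule install' }
            5       { 'local admin chooses' }
            default { $auOptions }
        }

        [pscustomobject]@{
            Computer     = $c
            WUServer     = $wuServer
            TargetMode   = $mode
            NoAutoUpdate = $noAutoUpdate      # 1 = Automatic Updates disabled by policy
            AUOptions    = $auDesc
            ServiceStart = $svc.StartMode     # 'Auto', 'Manual' or 'Disabled'
            ServiceState = $svc.State
        }
        $hklm.Close()
    }
}

# Usage: the three application servers from the question (names assumed).
Get-WsusClientPolicy -ComputerName 'APP01', 'APP02', 'APP03' | Format-List
```

If TargetMode reports client-side targeting, the group has to be changed in the GPO (or with the new OU rmilliard describes); otherwise the group can be changed in the console with no AD changes. A ServiceStart of Disabled is what Vic's approach looks like from the outside, and it is worth flagging in any scan of these hosts.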
 
LVL 25

Accepted Solution

by:
Ron Malmstead earned 500 total points
ID: 17802923
When you approve updates, you approve them for a group of computers in WSUS.
You need to create another group in WSUS.  Then move all of the servers into that group.  Updates are not approved for the new group therefore servers in that group won't be downloading them.

I created 3 groups in WSUS....Client Workstations, Servers, No Updates.   I actually had to do this, because we have Cisco VOIP servers that are not supposed to get windows updates ever....only Cisco approved updates.

good luck
0
 
LVL 38

Expert Comment

by:younghv
ID: 17802978
I must be missing something here.

If you 'DISABLE' the wuauserv service on those 3 servers - the Update Service will not run - unless you have a GPO (applied) to turn on that service.

Why create extra work when all you have to do is turn it off?


Vic
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17803198
Vic, I thought you were a security man! You do not want to disable the update service on any windows box.


As mentioned above, create a new group within WSUS and apply/disable the problematic updates to that group, configure it to not auto install (install post-test). I wouldn't fully disable them as Vic stated, yet if you don't want them receiving any updates (not advised) then proceed as he stated.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17803398
bigjimbo - ya busted me.

The only reason I know about it is that we disable our Exchange 2003 (Exchange Admin does it personally) and a couple of the Servers over on the Finance/Personnel side.

They run some custom-built apps that take special treatment to make sure updates don't break them (I hate those friggin servers).

I do "scan" them for vulnerabilities once a week and bust their humps if they don't have the latest patches.

I resisted putting them in their own little 'special' OU because it is simpler this way (and I don't like them).


Vic
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17804797
No worries, just bustin your balls.

But NO PRODUCTION server should ever have auto-install. I'm a bit anal when it comes to updates (99% of my network is Windows... wonder why). But all of my production servers are split up depending on their "job". I also have separate WSUS servers for those critical systems, and one for workstations. I break workstations up according to mobile or dt, while servers are broken up into web, application, database etc.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17804877
Roger, over.
Did I see your name on the CISSP list that came out today?

Regarding servers - you're right.
Our 'Applications' servers all have specific admins assigned as 'Owners'.
They are the 'Go-To' guys (or gals) who are charged with the server maintenance and making sure they pass the scans I do.

Vic
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17805170
CISSP? Sadly I don't have the time to study for that (finishing undergrad up this semester as well as just started my masters). Did I mention I work full time at my current job, as well as a part-time unpaid internship, and have been taking a full load at school (3 under, 1 graduate). AND... throw a girlfriend and hobbies in there.


Anyone have a solution on how to acquire 36 hour days? I can award as many points as needed!

0
 
LVL 4

Expert Comment

by:expexchuser
ID: 17806227
Umm, I wouldn't do anything in AD!  

This can be entirely handled from within the WSUS mgmt interface, and was designed to help admins pick and choose.  Just go to the computers section and click "create a computer group" from the left.  Label it "Application Servers" and it will appear on the lower left.  Then go to the group that currently holds the servers you want to control and highlight them.  Then choose "move the selected computer" from your options on the left.

Now that the servers are in their own group, when you roll out new updates, set the approval for that group to "detect only."
0
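The accepted answer and expexchuser's click-through above describe the same procedure: a new WSUS computer group, the three servers moved into it, and no approvals for that group. The script below is an added example, not code from the thread or from any poster; it does the same thing through the WSUS administration .NET API (Microsoft.UpdateServices.Administration, installed with the WSUS console) so it can be repeated and audited. The group name, server FQDNs and the WSUS server name and port are placeholders, and it assumes server-side targeting (see the client policy check earlier in the thread). One caveat the answers gloss over: an update approved for the built-in "All Computers" group applies to every machine, including a freshly created group, so step 3 looks for such approvals and records an explicit NotApproved for the new group.

```powershell
# Added example (not from the original thread). Creates a WSUS computer group,
# moves the three application servers into it, and makes sure nothing is
# approved for that group. Names, FQDNs and the server/port are placeholders.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Run on the WSUS server itself; for a remote WSUS use the overload
# GetUpdateServer('wsus01', $false, 8530) with (name, useSsl, port).
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$groupName = 'Application Servers'                                   # assumed
$servers   = 'APP01.corp.example', 'APP02.corp.example', 'APP03.corp.example'  # assumed

# 1. Create the group if it does not exist yet (same as "create a computer group"
#    in the console).
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

# 2. Move the servers: add them to the new group and remove them from every
#    other custom group. Built-in groups are managed by WSUS itself.
$builtIn = 'All Computers', 'Unassigned Computers'
foreach ($target in $wsus.GetComputerTargets()) {
    if ($servers -notcontains $target.FullDomainName) { continue }
    foreach ($old in $target.GetComputerTargetGroups()) {
        if ($builtIn -notcontains $old.Name -and $old.Name -ne $groupName) {
            $old.RemoveComputerTarget($target)
        }
    }
    $group.AddComputerTarget($target)
    Write-Host "Moved $($target.FullDomainName) into '$groupName'"
}

# 3. Caveat: approvals made against "All Computers" cover every group, including
#    the new one. Override any such Install approval with an explicit NotApproved
#    for this group so its members really receive nothing until you approve it.
$allComputers = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'All Computers' }
$install      = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$notApproved  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved

# GetUpdates() walks the whole catalogue, so this step can take a while.
foreach ($update in $wsus.GetUpdates()) {
    $inherited = $update.GetUpdateApprovals($allComputers) |
                 Where-Object { $_.Action -eq $install }
    if ($inherited) {
        Write-Host "Overriding inherited approval for '$($update.Title)' in '$groupName'"
        $update.Approve($notApproved, $group) | Out-Null
    }
}

# 4. Verify: the group should now list exactly the three servers.
$group.GetComputerTargets() | Select-Object FullDomainName, LastReportedStatusTime
```

Because the servers stay in WSUS, they keep reporting, so you can still see which updates they are missing while nothing is installed; when the problematic update has been tested, approve it for this group only, rather than moving the servers back.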
 
LVL 4

Expert Comment

by:Beldoran
ID: 17808919
You could go to the policy that contains the WSUS settings and add the 3 servers with deny rights. This way they would not get the policy settings until you removed those security changes.

On the 3 server machines then ensure that the updates are set to manual not automatic.

Dirty but simple.
0
 
LVL 10

Expert Comment

by:Phadke_hemant
ID: 17809716
Yes, I think making changes in WSUS is the best way and not disturbing local policies/settings on servers.
0
 
LVL 4

Expert Comment

by:expexchuser
ID: 17812096
No active directory or group policy changes should be made for this!  See my comment 3 posts up.  This is what you need to do.
0
 
LVL 38

Expert Comment

by:younghv
ID: 17812182
expexchuser,
You're right - you were the first with that comment.
That other "poster" has been running around all over the board this morning repeating other people's suggestions.
Maybe he thinks nobody will notice and he'll sneak a few points that way.

Vic
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 17812497
JUST PUT THE SERVERS IN A DIFFERENT GROUP IN WSUS !   it's really that simple.
Just create a new group and move them.

THEN...you can still track their updates in WSUS, and you don't need to make any changes to group policy or the servers...

The solution is literally like 4 mouse clicks ...
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 17812525
PS:  If you do what I said....the servers will still show in WSUS, but they won't ever get any updates unless you approve them for the group they are in.

trust me....this is the best/easiest solution.
0
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 17816095
Vic, were you referring to me?
0
 
LVL 38

Expert Comment

by:younghv
ID: 17816181
Hell no!
You actually know what you're talking about.
This was some newbie copying earlier posts (in the same string) and pasting them in his own post.

Vic
0
 
LVL 38

Expert Comment

by:younghv
ID: 17816189
bigjimbo813,
My email address is in my 'Profile' if you want to drop me a note.
Vic
0
