Solved

WSUS Group Policy question

Posted on 2006-10-24
20
846 Views
Last Modified: 2008-05-30
I have 15 member servers that are updated via group policy from a remote WSUS server. Three of these servers are application servers and have recently had issues due to a Microsoft critical update. I would like to exclude these from receiving updates from WSUS for the moment. What’s the best way? Do I create a new OU move them and change the GP or is there another way? Id prefer to keep them in the same OU as other policies are applied via GP
0
Comment
Question by:boomerbostock
  • 7
  • 4
  • 3
  • +5
20 Comments
 
LVL 1

Expert Comment

by:rmilliard
Comment Utility
Yes,
- I think you have to make a new OU. Make this OU direct under the current OU. This way the servers will inherit the policies of the OU above.
- Move the servers inquestion to this OU
- Make a new GPO policy and link it to the newly created OU.
- Open the newly created GPO and goto the WSUS policies and disable all WSUS settings. This will override all WSUS settings defined in the policy that is linked to
  the above OU.
- Go to WSUS make a new computer group that is based on the newly created OU

Thats it. When you're don testing just move the servers back to the original OU.
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
Why not just leave them where they are and change the Windows Update Service from Automatic to Disabled?

Vic
0
 

Expert Comment

by:blablup
Comment Utility
If your WSUS sets the group of the Computers automatically by gp you have to do it like rmilliard descript, if not, you can create a new group on the WSUS and put the Server into that group.

Another possibility is to deactivate the update Service on the servers you don't want to update.
0
 
LVL 25

Accepted Solution

by:
Ron M earned 500 total points
Comment Utility
When you approve updates, you approve them for a group of computers in WSUS.
You need to create another group in WSUS.  Then move all of the servers into that group.  Updates are not approved for the new group therefore servers in that group won't be downloading them.

I created 3 groups in WSUS....Client Workstations, Servers, No Updates.   I actually had to do this, because we have Cisco VOIP servers that are not supposed to get windows updates ever....only Cisco approved updates.

good luck
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
I must be missing something here.

If you 'DISABLE' the wuauserv service on those 3 servers - the Update Service will not run - unless you have a GPO (applied) to turn on that service.

Why create extra work when all you have to do is turn it off?


Vic
0
 
LVL 9

Expert Comment

by:bigjimbo813
Comment Utility
Vic, I thought you were a security man! You do not want to disable the update service on any windows box.


As mentioned above create a new group within WSUS and apply/disable the problematic updates to that group, configure it to not auto install (install post-test). I wouldnt fully disable them as Vic stated, yet if you dont want them recieving any updates (not advised) then proceed as he stated.
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
bigjimbo - ya busted me.

The only reason I know about it is that we disable our Exchange 2003 (Exchange Admin does it personally) and a couple of the Servers over on the Finance/Personnel side.

They run some custom-built apps that take special treatment to make sure updates don't break them (I hate those friggin servers).

I do "scan" them for vulnerabilities once a week and bust their humps if they don't have the latest patches.

I resisted putting them in their own little 'special' OU because it is simpler this way (and I don't like them).


Vic
0
 
LVL 9

Expert Comment

by:bigjimbo813
Comment Utility
No worries, just bustin your balls.

But NO PRODUCTION server should ever have auto-install. I'm a bit anal when it comes to updates, (99% of my network is Windows..wonder why) But all of my production servers are split up depending on their "job". I also have a seperate WSUS servers for those critical systems, and one for workstations. I break workstations up according to mobile, or dt. While servers are broken up into web, application, database ect.
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
Roger, over.
Did I see your name on the CISSP list that came out today?

Regarding servers - you're right.
Our 'Applications' servers all have specific admins assigned as 'Owners'.
They are the 'Go-To' guys (or gals) who are charged with the server maintenance and making sure they pass the scans I do.

Vic
0
 
LVL 9

Expert Comment

by:bigjimbo813
Comment Utility
CISSP? Sadly I dont have the time to study for that (finishing undergrad up this semester as well as just started my masters). Did I mention I work full time at my current job, as well as a part-time unpaid internship, and have been taking a full load at school (3 under, 1 graduate). AND...throw a girlfriend and hobbies in there.


Any one have a solution on how to aquire 36 hour days? I can award as many points as needed!

0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 4

Expert Comment

by:expexchuser
Comment Utility
Umm, I wouldn't do anything in AD!  

This can be entirely handled from within the WSUS mgmt interface, and was designed to help admins pick and choose.  Just go to the computers section and click "create a computer group" from the left.  Label it "Application Servers" and it will appear on the lower left.  Then go to the group that currently holds the servers you want to control and highlight them.  Then choose "move the selected computer" from your options on the left.

Now that the servers are in their own group, when you roll out new updates, set the approval for that group to "detect only."
0
 
LVL 4

Expert Comment

by:Beldoran
Comment Utility
You could go to the policy that contains the WSUS settings and add the 3 servers with deny rights. This way they would not get the policy settings until you removed those security changes.

On the 3 server machines then ensure that the updates are set to manual not automatic.

Dirty but simple.
0
 
LVL 10

Expert Comment

by:Phadke_hemant
Comment Utility
yes I think making changes in WSUS is the best way and not to disturb local policies/ settings on servers
0
 
LVL 4

Expert Comment

by:expexchuser
Comment Utility
No active directory or group policy changes should be made for this!  See my comment 3 posts up.  This is what you need to do.
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
expexchuser,
You're right - you were the first with that comment.
That other "poster" has been running around all over the board this morning repeating other people's suggestions.
Maybe he thinks nobody will notice and he'll sneak a few points that way.

Vic
0
 
LVL 25

Expert Comment

by:Ron M
Comment Utility
JUST PUT THE SERVERS IN A DIFFERENT GROUP IN WSUS !   it's really that simple.
Just create a new group and move them.

THEN...you can still track their updates in WSUS, and you don't need to make any changes to group policy or the servers...

The solution is literally like 4 mouse clicks ...
0
 
LVL 25

Expert Comment

by:Ron M
Comment Utility
PS:  If you do what I said....the servers will still show in WSUS, but they won't ever get any updates unless you approve them for the group they are in.

trust me....this is the best/easiest solution.
0
 
LVL 9

Expert Comment

by:bigjimbo813
Comment Utility
Vic, were you referring to me?
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
Hell no!
You actually know what you're talking about.
This was some newbie copying earlier posts (in the same string) and pasting them in his own post.

Vic
0
 
LVL 38

Expert Comment

by:younghv
Comment Utility
bigjimbo813,
My email address is in my 'Profile' if you want to drop me a note.
Vic
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now