Excluding certain systems from automatic updates block

I have a w2k3 domain with group policy in place and have chosen to totally disable automatic updates on all systems. (We push tested patches with ZENworks, for now.) I have 2 systems that I would like to either allow automatic updates on or allow the user to run the automatic updates for testing purposes.

All domain users are local admins.

How can this be achieved?

Smak
talkinsmakAsked:
 
victornegriCommented:
So you want to be able to allow systems to go to Windows Updates but you've disabled all access to Windows Update from the domain level and don't want to block that policy? You need to budge in some way in order to make this change.

One suggestion: If you apply another GPO to the OU closer to the user, it will overwrite the settings from the domain policy. That is, if you don't have No Override enabled on the domain policy. If that is the case, you will have to disable No Override (and make sure there are no Block Inheritances anywhere).

Another option: Don't block access to Windows Updates using GPOs but instead from the firewall and allow access from certain clients to Windows Update from there.
 
inbarasanCommented:
Dear talkinsmak,
Whichever system you want to update, you can go to update.microsoft.com and update those patches it requires.

Cheers!
 
talkinsmakAuthor Commented:
I have blocked ALL access to Windows Update, including accessing the web page.
 
inbarasanCommented:
You may put these systems in a different OU and not apply this GPO policy.
 
talkinsmakAuthor Commented:
GPO is applied at the domain level.  It flows down from there.  
 
inbarasanCommented:
I believe that you may use Block Inheritance so that it doesn't apply the GPO on that OU.
 
talkinsmakAuthor Commented:
Will not block inheritance with a domain policy.
 
Francis_BelandCommented:
Since the GPO is only for Computer Configuration, you can put all Computers in an OU and create a GPO with the Windows Update blocked instead of having a Domain Policy. You then put the 2 machines you need in another OU and you can test Automatic Updates. Note that you probably need to link the Block Windows Update to the Domain Controller OU also.
Question has a verified solution.
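
The precedence rules the comments above turn on (closest link wins, No Override, Block Inheritance), as an added Python example that is not code from any participant in this thread. It is a simplified model: the GPO and OU names are constructed, and local and site policy, link order within a container, security filtering and loopback are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                    # constructed GPO name
    settings: dict
    enforced: bool = False      # "No Override" in the Windows 2003 tools

@dataclass
class Container:
    name: str                   # domain or OU (constructed names)
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant(path):
    """path: containers from the domain down to the computer's OU.
    Returns {setting: (value, winning GPO)}."""
    # Block Inheritance drops non-enforced links from every container above it.
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    result = {}
    # Normal links apply top-down, so the link closest to the computer wins.
    for c in path[start:]:
        for link in c.links:
            if not link.enforced:
                for key, value in link.settings.items():
                    result[key] = (value, link.gpo)
    # Enforced links ignore Block Inheritance; the highest container wins.
    for c in reversed(path):
        for link in c.links:
            if link.enforced:
                for key, value in link.settings.items():
                    result[key] = (value, link.gpo)
    return result

def scenario(domain_enforced=False, ou_override=False, ou_blocks=False):
    # Domain-linked GPO disables Automatic Updates; the two test PCs sit in an OU.
    block = Link("Disable-AU", {"AutomaticUpdates": "Disabled"}, domain_enforced)
    domain = Container("domain", [block])
    ou = Container("TestPCs", block_inheritance=ou_blocks)
    if ou_override:
        ou.links.append(Link("Allow-AU", {"AutomaticUpdates": "Enabled"}))
    return resultant([domain, ou]).get("AutomaticUpdates", ("Not configured", None))[0]

if __name__ == "__main__":
    print("OU GPO, domain link not enforced:", scenario(ou_override=True))
    print("OU GPO, domain link enforced:   ", scenario(True, ou_override=True))
    print("Block Inheritance, not enforced:", scenario(ou_blocks=True))
```

The check to make before choosing any of these options is whether the domain link has No Override set, since that is the one condition under which neither an OU-level GPO nor Block Inheritance changes the result.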