We are running a mixed Windows 2000/2003 network. DCs are Windows 2003, clients are Windows XP SP2. We have about 100 users here, and at the moment there is a flat AD structure. The Default Domain Policy is in place for all machines.
We are implementing WSUS to control automatic updates to the machines, and also looking at redesigning the AD structure by implementing OUs for Departments.
In the WSUS literature, it states that 'MS does not recommend editing the Default Domain or Default Domain Controller GPO's to add WSUS settings'. So, what we're going to do is apply WSUS related settings to the OUs beneath the general users or computer group.
I have a few questions -
i) When MS state not to edit the Default Domain GPO, do they mean not to edit the one that already exists with WSUS settings, but it's ok to create a new Default Domain policy and apply WSUS settings to that?
ii) Assuming we weren't going to go with (i), is there any way to apply WSUS settings to the machines users use, rather than computers?
iii) If the Default Domain Policy has no configuration for something, but a GPO that is applied to an OU has, which one takes precedence?