Windows Update Group Policy for DC and SBS Servers

Posted on 2008-10-02
Last Modified: 2012-05-05

I am trying to confirm that what I am doing is correct and if not to ask for some direction.

The default domain policy says that all systems are to update windows and install automatically. This includes the DC and servers. I don't want this for obvious reasons. I want to be able to download but wait for manual installation on the DC and Servers.

To set this up, I did a Block Inheritance at the Domain Controllers and SBSServers OU's and configured their respective poilicies accordingly.
Is this correct?

Thanks in advance.
Question by:cepolly
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 70

Assisted Solution

KCTS earned 100 total points
ID: 22626056
If you do this it will Block ALL policies except those applied directly to the OUs in question - if that what you want then its fine.

Author Comment

ID: 22626080
Yes it is. We don't have too many policies that we have implemented.

However, you bring up a good point.
Are there policies inherent to SBS 2003 that I may be blocking inadvertantly?

LVL 18

Assisted Solution

sk_raja_raja earned 400 total points
ID: 22626173
when i have this same issue,

1.Block inheritance on the DC and server OU and this will block all the policies
2.Create a new policy for updates and link to the DC ans erver OU's
3.Then again link the other policies you need to apply to these ou's

I would suggest linking the GP's is the best way to do this.

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

LVL 18

Assisted Solution

sk_raja_raja earned 400 total points
ID: 22626199
in simple you can link the GP's anywhere in the OU...even if you specify block inheritance and say for example it is going to block GP1 and GP2.... then still you can link the GP2 on the same ou and this policy will be applied.

Other workaround you can try is,create a new update policy with settings and link it to the dc and server ou and the enforce the newly create policy....this will work only if your parent policy from top is not enforced.....

Author Comment

ID: 22626346
Looks like the linking was the problem. As soon as I removed the linkage, the policies took.

Now if I relink, will I lose the settings that I want? Will the newly link GPO take precedence?
LVL 18

Accepted Solution

sk_raja_raja earned 400 total points
ID: 22626407
i dont understand your query..can you be more clear.

just relink the policy and dont enforce
link the newly link gpo and enforce it

hence the settings on the new gp will take precedence....

Author Comment

ID: 22626441
You didn't understand what I said exactly but you answered it. :-)

I understand. Thanks for the help.


Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor ( Top Charts is a view in which you can set seve…

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question