How to perform Windows update by departments rather than company in one go via the update server?

Hi,

We have just created a Windows update server on one of our server so as to reduce the internet traffic once when Windows Update Patches available.  The Windows Update server is installed in a server which run under an OS of Windows server 2003 while our client PCs are consist of Windows 2000 Professional (sp4) and Windows XP Professional (sp2).  In my company, we have Active Directory (AD) and have quite a no. of Group Policies and we would like to use this to help us to deploy this batch update process.

Since we have around 200 client PCs and we found that it is impossible to deploy the patch to all the PCs in one go as this will affect our internal network traffic a lot (even at night when our EOD is in processing).  As a result, I have the following questions that need your advise.

1)  How can I make changes to AD and/or group policies so that we have no need to go to each client PC to alter their group policies and can deploy this company wide Windows update process?
2)  Even point one above can be implement, we would like to make the Windows update on a department basis rather than on company basis.  For example, perform Windows update on ONE department per day (or per 2 hours) once when Windows updates are available from Microsoft.

Kindly please help.

** I have not that much knowledge on AD & group policies, please be specific or I will get loss, thx **

Cheers
Stanley
StanleyLMWAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RubenvdLindenCommented:
You can schedule when to install the patches, but you can't schedule when to download them.
http://support.microsoft.com/kb/328010

If you have a proxy server whichs integrates with AD, you might be able to allow access to your WSUS server at specific time intervals for each department.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ThorSG1Commented:
You can easily break up your computers in Group Policy.  You will want to update/create a policy specific to only your department.  Under Computer Configuration/Administrative Templates/Windows Components/Windows Update.
You want to change Enable client-side targeting.  You can then Create a group name you want to associate with that department.  Example: Accounting
If you want to set the schedule: Enable Configure Automatic Updates.  You can specify what interval you want to apply to this department.

In WSUS you will need to create the group name from above exactly was you created it above.  Example: Accounting
Be aware that this will take time to populate once it is place.  The reasons are each computer has to download the latest GPO that you just applied and then it has to contact the WSUS server.  You can test some computers by doing from a cmd prompt: gpupdate /force  - this will require a reboot.
0
Joseph DalyCommented:
WSUS is definitely your best option for what you want to accomplish. AS was mentioned above ^^^ WSUS gives you the ability to assign computers to update groups based on group policy. Once these users are populated in the WSUS console you have the option to download and deploy patches any way you would like. You can send updates to all machines, individual groups, etc.  Since you control what patches are authorized for release you are in control. There is also an option in the WSUS console to allow certain types of updates to be automatically installed without your interaction.

Another good thing about using WSUS is that it gives you the option to test and the decide which patches YOU want to realease to your clients. Unlike windows updates which just downloads all updates. I will not release any updates to my production environment without testing thoroughly.

WSUS takes a little bit of time to configure depending on how granular you want your groups to be but the extra contol and ease of deployment offered makes it well worth it.

0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

ThorSG1Commented:
Here is a technet article on setting up groups in WSUS.

http://technet.microsoft.com/en-us/library/cc720433.aspx
0
ThorSG1Commented:
Have you had any luck with setting up the groups in AD and WSUS?
0
StanleyLMWAuthor Commented:
Though a bit late to reply, but I need to certify it to be fully worked and so need time. Thx a lot.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.