Solved

How to perform Windows update by departments rather than company in one go via the update server?

Posted on 2008-10-16
Last Modified: 2010-04-21
Hi,

We have just created a Windows update server on one of our servers so as to reduce the internet traffic when Windows Update patches become available.  The Windows Update server is installed on a server which runs Windows Server 2003, while our client PCs consist of Windows 2000 Professional (SP4) and Windows XP Professional (SP2).  In my company, we have Active Directory (AD) and quite a number of Group Policies, and we would like to use this to help us deploy this batch update process.

Since we have around 200 client PCs, we found that it is impossible to deploy the patches to all the PCs in one go, as this will affect our internal network traffic a lot (even at night when our EOD is processing).  As a result, I have the following questions that need your advice.

1)  How can I make changes to AD and/or group policies so that we have no need to go to each client PC to alter their group policies and can deploy this company-wide Windows update process?
2)  Even if point one above can be implemented, we would like to run Windows update on a department basis rather than on a company basis.  For example, perform Windows update on ONE department per day (or per 2 hours) once Windows updates are available from Microsoft.

Kindly please help.

** I do not have that much knowledge of AD & group policies, please be specific or I will get lost, thx **

Cheers
Stanley
0
Question by:StanleyLMW
6 Comments
 
LVL 12

Accepted Solution

by:
RubenvdLinden earned 250 total points
ID: 22738829
You can schedule when to install the patches, but you can't schedule when to download them.
http://support.microsoft.com/kb/328010

If you have a proxy server which integrates with AD, you might be able to allow access to your WSUS server at specific time intervals for each department.
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22740326
You can easily break up your computers in Group Policy.  You will want to update/create a policy specific to only your department, under Computer Configuration/Administrative Templates/Windows Components/Windows Update.
You want to change Enable client-side targeting.  You can then create a group name you want to associate with that department.  Example: Accounting
If you want to set the schedule: enable Configure Automatic Updates.  You can specify what interval you want to apply to this department.

In WSUS you will need to create the group name exactly as you created it above.  Example: Accounting
Be aware that this will take time to populate once it is in place.  The reason is that each computer has to download the latest GPO that you just applied, and then it has to contact the WSUS server.  You can test some computers by running from a cmd prompt: gpupdate /force  - this will require a reboot.
0
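
A check to run on a client after the policy refresh described in the post above, as an added example that is not part of the original thread: it reads the registry values that the Windows Update policy settings write and reports whether the computer is targeted at the expected WSUS group and when it will install. The function name `Get-WsusClientPolicy` and the default group `Accounting` (the post's example) are illustrative, and it assumes PowerShell is installed on the client.

```powershell
# Added example (not from the thread). Reads the policy values that the
# "Windows Update" Group Policy settings write into the client's registry.
function Get-WsusClientPolicy {
    # Hypothetical default: the example group name used in the post
    param([string]$ExpectedGroup = 'Accounting')

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    if (-not (Test-Path $wuKey)) {
        throw 'No Windows Update policy key: the GPO has not reached this computer yet.'
    }
    $wu = Get-ItemProperty -Path $wuKey
    $au = $null
    if (Test-Path $auKey) { $au = Get-ItemProperty -Path $auKey }

    # ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday
    $days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
    $schedule = 'not scheduled'
    # AUOptions 4 = download automatically and install on the schedule
    if ($au -and $au.AUOptions -eq 4 -and $null -ne $au.ScheduledInstallDay) {
        $schedule = '{0} at {1:00}:00' -f $days[$au.ScheduledInstallDay], $au.ScheduledInstallTime
    }

    # Client-side targeting must be enabled AND name the expected group
    $targeted = ($wu.TargetGroupEnabled -eq 1) -and ($wu.TargetGroup -eq $ExpectedGroup)
    # The AU subkey may be absent if Configure Automatic Updates is not set
    $usesWsus = ($null -ne $au) -and ($au.UseWUServer -eq 1)

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        WsusServer      = $wu.WUServer
        UsesWsus        = $usesWsus
        TargetGroup     = $wu.TargetGroup
        GroupMatches    = $targeted
        InstallSchedule = $schedule
    }
}

Get-WsusClientPolicy -ExpectedGroup 'Accounting' | Format-List
```

`GroupMatches` is False when the policy has not applied yet or the group name in the GPO differs from the expected one; the same name must also exist as a computer group in WSUS, as the post says.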
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 22764213
WSUS is definitely your best option for what you want to accomplish. As was mentioned above, WSUS gives you the ability to assign computers to update groups based on group policy. Once these users are populated in the WSUS console you have the option to download and deploy patches any way you would like. You can send updates to all machines, individual groups, etc.  Since you control what patches are authorized for release you are in control. There is also an option in the WSUS console to allow certain types of updates to be automatically installed without your interaction.

Another good thing about using WSUS is that it gives you the option to test and then decide which patches YOU want to release to your clients, unlike Windows Update, which just downloads all updates. I will not release any updates to my production environment without testing thoroughly.

WSUS takes a little bit of time to configure depending on how granular you want your groups to be, but the extra control and ease of deployment offered makes it well worth it.

0
 
LVL 4

Assisted Solution

by:ThorSG1
ThorSG1 earned 250 total points
ID: 22800910
Here is a technet article on setting up groups in WSUS.

http://technet.microsoft.com/en-us/library/cc720433.aspx
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22907610
Have you had any luck with setting up the groups in AD and WSUS?
0
 

Author Closing Comment

by:StanleyLMW
ID: 31507031
Though a bit late to reply, I need to certify it to be fully working and so need time. Thx a lot.
0
