Solved

How to perform Windows update by departments rather than company in one go via the update server?

Posted on 2008-10-16
6
224 Views
Last Modified: 2010-04-21
Hi,

We have just created a Windows update server on one of our servers so as to reduce internet traffic when Windows Update patches become available.  The Windows Update server is installed on a server which runs Windows Server 2003, while our client PCs consist of Windows 2000 Professional (SP4) and Windows XP Professional (SP2).  In my company, we have Active Directory (AD) and quite a number of Group Policies, and we would like to use these to help us deploy this batch update process.

We have around 200 client PCs, and we found that it is impossible to deploy the patches to all the PCs in one go, as this will affect our internal network traffic a lot (even at night, when our EOD is processing).  As a result, I have the following questions that need your advice.

1)  How can I make changes to AD and/or group policies so that we have no need to go to each client PC to alter their group policies and can deploy this company-wide Windows update process?
2)  Even if point one above can be implemented, we would like to perform the Windows update on a department basis rather than on a company basis.  For example, perform Windows update on ONE department per day (or per 2 hours) once Windows updates are available from Microsoft.

Kindly please help.

** I do not have that much knowledge of AD & group policies, please be specific or I will get lost, thx **

Cheers
Stanley
0
Comment
Question by:StanleyLMW
6 Comments
 
LVL 12

Accepted Solution

by:
RubenvdLinden earned 250 total points
ID: 22738829
You can schedule when to install the patches, but you can't schedule when to download them.
http://support.microsoft.com/kb/328010

If you have a proxy server which integrates with AD, you might be able to allow access to your WSUS server at specific time intervals for each department.
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22740326
You can easily break up your computers in Group Policy.  You will want to update/create a policy specific to only your department, under Computer Configuration/Administrative Templates/Windows Components/Windows Update.
You want to change Enable client-side targeting.  You can then create a group name you want to associate with that department.  Example: Accounting
If you want to set the schedule: Enable Configure Automatic Updates.  You can specify what interval you want to apply to this department.

In WSUS you will need to create the group name from above exactly as you created it above.  Example: Accounting
Be aware that this will take time to populate once it is in place.  The reason is that each computer has to download the latest GPO that you just applied and then it has to contact the WSUS server.  You can test some computers by running from a cmd prompt: gpupdate /force  - this will require a reboot.
0
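
The settings named in the comment above can be checked on a client once the GPO has applied. This is an added example, not part of the original thread: it compares the policy values a client received with a per-department rollout plan and the WSUS group names. The "Sales" department, the schedule values and the function name Test-WsusTargeting are assumptions for illustration.

```powershell
# Added example. Value names are the ones the Windows Update policy settings write under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (TargetGroup*) and its AU subkey.
# "Sales", the schedule values and the function name are assumptions for illustration.

# Hypothetical plan, one department per night.
# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday. ScheduledInstallTime: hour 0-23.
$Plan = @{
    'Accounting' = @{ Day = 2; Hour = 22 }   # Monday 22:00
    'Sales'      = @{ Day = 3; Hour = 22 }   # Tuesday 22:00
}

function Test-WsusTargeting {
    param(
        [hashtable]$Policy,       # policy values as read from the client
        [string[]]$WsusGroups,    # computer group names that exist on the WSUS server
        [hashtable]$Plan          # department name -> expected install day and hour
    )
    $issues = @()
    if ($Policy.TargetGroupEnabled -ne 1) { $issues += 'Client-side targeting is not enabled' }
    if ($Policy.UseWUServer -ne 1)        { $issues += 'Client is not using the WSUS server' }
    $group = $Policy.TargetGroup
    if ($WsusGroups -notcontains $group) {
        $issues += "No WSUS computer group is named '$group'"
    }
    # The scheduled day and time only apply with AUOptions 4 (auto download, scheduled install).
    if ($Policy.AUOptions -ne 4) { $issues += 'AUOptions is not 4, so the install schedule does not apply' }
    if ($group -and $Plan.ContainsKey($group)) {
        $want = $Plan[$group]
        if ($Policy.ScheduledInstallDay -ne $want.Day -or $Policy.ScheduledInstallTime -ne $want.Hour) {
            $issues += "Schedule differs from the plan for '$group'"
        }
    } else {
        $issues += "Group '$group' is not in the rollout plan"
    }
    return $issues
}

# On a live client, fill the hashtable from:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
# Constructed sample: the group name is misspelled in the GPO.
$sample = @{ TargetGroupEnabled = 1; TargetGroup = 'Acounting'; UseWUServer = 1
             AUOptions = 4; ScheduledInstallDay = 2; ScheduledInstallTime = 22 }
$found = Test-WsusTargeting -Policy $sample -WsusGroups 'Accounting', 'Sales' -Plan $Plan
if ($found) { $found } else { 'Policy matches the plan' }
```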
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 22764213
WSUS is definitely your best option for what you want to accomplish. As was mentioned above, WSUS gives you the ability to assign computers to update groups based on group policy. Once these users are populated in the WSUS console you have the option to download and deploy patches any way you would like. You can send updates to all machines, individual groups, etc.  Since you control what patches are authorized for release you are in control. There is also an option in the WSUS console to allow certain types of updates to be automatically installed without your interaction.

Another good thing about using WSUS is that it gives you the option to test and then decide which patches YOU want to release to your clients, unlike Windows Update, which just downloads all updates. I will not release any updates to my production environment without testing thoroughly.

WSUS takes a little bit of time to configure depending on how granular you want your groups to be, but the extra control and ease of deployment offered make it well worth it.

0
 
LVL 4

Assisted Solution

by:ThorSG1
ThorSG1 earned 250 total points
ID: 22800910
Here is a technet article on setting up groups in WSUS.

http://technet.microsoft.com/en-us/library/cc720433.aspx
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22907610
Have you had any luck with setting up the groups in AD and WSUS?
0
 

Author Closing Comment

by:StanleyLMW
ID: 31507031
Though a bit late to reply, I needed to certify that it fully worked and so needed time. Thx a lot.
0
