Solved

How to perform Windows update by departments rather than company in one go via the update server?

Posted on 2008-10-16
Last Modified: 2010-04-21
Hi,

We have just created a Windows update server on one of our servers so as to reduce the internet traffic once Windows Update patches are available.  The Windows Update server is installed on a server which runs Windows Server 2003, while our client PCs consist of Windows 2000 Professional (SP4) and Windows XP Professional (SP2).  In my company, we have Active Directory (AD) and quite a number of Group Policies, and we would like to use this to help us deploy this batch update process.

Since we have around 200 client PCs, we found that it is impossible to deploy the patch to all the PCs in one go as this will affect our internal network traffic a lot (even at night when our EOD is processing).  As a result, I have the following questions that need your advice.

1)  How can I make changes to AD and/or group policies so that we have no need to go to each client PC to alter their group policies and can deploy this company-wide Windows update process?
2)  Even if point one above can be implemented, we would like to perform the Windows update on a department basis rather than on a company basis.  For example, perform Windows update on ONE department per day (or per 2 hours) once Windows updates are available from Microsoft.

Kindly please help.

** I do not have that much knowledge of AD & group policies, so please be specific or I will get lost, thx **

Cheers
Stanley
Question by:StanleyLMW
6 Comments
 
LVL 12

Accepted Solution

by:
RubenvdLinden earned 1000 total points
ID: 22738829
You can schedule when to install the patches, but you can't schedule when to download them.
http://support.microsoft.com/kb/328010

If you have a proxy server which integrates with AD, you might be able to allow access to your WSUS server at specific time intervals for each department.
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22740326
You can easily break up your computers in Group Policy.  You will want to update/create a policy specific to only your department, under Computer Configuration/Administrative Templates/Windows Components/Windows Update.
You want to change "Enable client-side targeting".  You can then create a group name you want to associate with that department.  Example: Accounting
If you want to set the schedule: enable "Configure Automatic Updates".  You can specify what interval you want to apply to this department.

In WSUS you will need to create the group name exactly as you created it above.  Example: Accounting
Be aware that this will take time to populate once it is in place.  The reason is that each computer has to download the latest GPO that you just applied and then it has to contact the WSUS server.  You can test some computers by running from a cmd prompt: gpupdate /force  - this will require a reboot.
0
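To confirm on a test client that the department policy described above has actually applied, the following added example (not part of the original answer) reads the registry values that the "Enable client-side targeting", "Specify intranet Microsoft update service location" and "Configure Automatic Updates" settings write. The group name, WSUS URL and schedule are sample values, and the script assumes PowerShell is installed on the client.

```powershell
# Added example: check that the department's Windows Update GPO has applied on this PC.
# Every expected value below is a sample/placeholder; substitute your own.
$expected = @{
    TargetGroup          = 'Accounting'                 # must match the WSUS group name exactly
    WUServer             = 'http://wsus.example.local'  # placeholder WSUS URL
    AUOptions            = 4   # 4 = auto download and schedule the install
    ScheduledInstallDay  = 2   # 0 = every day, 1 = Sunday ... 7 = Saturday
    ScheduledInstallTime = 3   # hour of day, 0-23
}

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent (policy not applied yet).
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Each entry: registry key, value name, expected data.
$checks = @(
    @($wuKey, 'TargetGroupEnabled',   1),
    @($wuKey, 'TargetGroup',          $expected.TargetGroup),
    @($wuKey, 'WUServer',             $expected.WUServer),
    @($wuKey, 'WUStatusServer',       $expected.WUServer),
    @($auKey, 'UseWUServer',          1),
    @($auKey, 'AUOptions',            $expected.AUOptions),
    @($auKey, 'ScheduledInstallDay',  $expected.ScheduledInstallDay),
    @($auKey, 'ScheduledInstallTime', $expected.ScheduledInstallTime)
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c[0] $c[1]
    New-Object PSObject -Property @{
        Setting  = $c[1]
        Expected = $c[2]
        Actual   = $actual
        Ok       = ($null -ne $actual -and "$actual" -eq "$($c[2])")
    }
}

$results | Select-Object Setting, Expected, Actual, Ok | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Policy missing or different from the expected department settings.'
}
```

A mismatch on TargetGroup is the one to look at first: the client then reports to WSUS under a different group than the one the department's approvals are made for.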
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 22764213
WSUS is definitely your best option for what you want to accomplish. As was mentioned above ^^^ WSUS gives you the ability to assign computers to update groups based on group policy. Once these users are populated in the WSUS console you have the option to download and deploy patches any way you would like. You can send updates to all machines, individual groups, etc.  Since you control what patches are authorized for release you are in control. There is also an option in the WSUS console to allow certain types of updates to be automatically installed without your interaction.

Another good thing about using WSUS is that it gives you the option to test and then decide which patches YOU want to release to your clients, unlike Windows Update, which just downloads all updates. I will not release any updates to my production environment without testing thoroughly.

WSUS takes a little bit of time to configure depending on how granular you want your groups to be, but the extra control and ease of deployment offered makes it well worth it.

0

 
LVL 4

Assisted Solution

by:ThorSG1
ThorSG1 earned 1000 total points
ID: 22800910
Here is a TechNet article on setting up groups in WSUS.

http://technet.microsoft.com/en-us/library/cc720433.aspx
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22907610
Have you had any luck with setting up the groups in AD and WSUS?
0
 

Author Closing Comment

by:StanleyLMW
ID: 31507031
Though a bit late to reply, but I need to certify it to be fully worked and so need time. Thx a lot.
0
