Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

WSUS applied Updates to all groups!

Posted on 2014-04-09
15
Medium Priority
?
262 Views
Last Modified: 2016-02-21
I have just recently configure and installed WSUS on my network. created two groups, Test group and all other PCs. I only approved some updates to the Test-group but later people were calling me and telling me that their PCs are asking them to restart because of the windows update. how this happen?

further more I have created two domain policy for each group in order for PC to join in to the right computer group I have created and that has been working just fine.

please review the images attached.
WSUS-Server.JPG
DC.JPG
0
Comment
Question by:911-SOS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
  • 4
15 Comments
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39989322
Hi,

Please Enable  the below group policy.

wsus1
0
 

Author Comment

by:911-SOS
ID: 39989346
sure, i'll check back with you.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39989354
To determine why it applied the wrong settings to the test-group: I think I would start by generating a RSOP for a user and test-group computer, to confirm it assigns the correct group policy updates settings.
Check out the "Group Policy Results" item on the left of the Group Policy screen to do this test.
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:911-SOS
ID: 39989472
reply to Guru:

before I enable that policy I wanted to ask you, if I enable it would it automatically restart the PC? if it does I don't want it then.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39989490
Hi,

see the policy name "No auto restart with logged on user for scheduled automatic update installation ".

if you will enable it will not reboot your system.

if not then as the default behaviour it will reboot the system.
0
 

Author Comment

by:911-SOS
ID: 39989502
reply to Korbus:

please see attached image if that is what you mean.
RegistrySettings.JPG
0
 

Author Comment

by:911-SOS
ID: 39989535
reply to Santosh Gupta:

Hi,

thank you for that. but even your information was valuable but I think I need to change the update time to night time instead of in the morning and I would the PC to restart so by the time users will come to work their PCs are ready to use.

I'm trying to eliminate any user interaction with updating processes.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39989563
So you leave your PC running in night. if so then ok to set it in night.

if not then you should go with enabling "No auto restart with logged on user for scheduled automatic update installation ".
0
 

Author Comment

by:911-SOS
ID: 39989598
Yeah the PCs are running at night.
0
 

Author Comment

by:911-SOS
ID: 39990051
any ideas guys?....
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39990241
Ok,

That will be good, change settings as per below.

1. No auto-restart for scheduled Automatic Update installation options - Disabled
2. Change Schedule install time -  3:00
3. Delay Restart for scheduled installations- Enabled

http://technet.microsoft.com/en-us/library/cc512630.aspx
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39990456
Looked at that screenshot (registrySettings.jpg):  no, that's not what I meant.

In the group policy window you initially posted (DC.jpg), there is an item in the left pane called: group policy results.
You can use that applet to confirm which group policy settings will be applied to a particular computer & user combination.  This is one of the primary tools I use to determine why group policy isn't working out as expected.
0
 

Author Comment

by:911-SOS
ID: 39991582
reply to Korbus:

thank you for your reply, please find the results on attached image. I couldn't really understand it, maybe you can help make sense out of the Applied GPOs.

1- I have choose one of the PCs which suppose to be in Workstations group. meaning the updates that I approve to test-group shouldn't apply to workstations group until I decide.

2- I have made two different WSUS policy. one called WSUS Update policy for Test PCs which I have linked it to TestWorkStations OU ( you can see it in the image as well) and the second is WSUS Update Policy which it linked to Workstations OU. why there are two of WSUS Update policy and one WSUS Update Policy for Test PCs and a Default Domain Policy added to this computer? I can undrestand the default one

I only need the WSUS Update Policy to be effected to the Workstations OU. should I remove the ones from the top of the domain so it wouldn't effect my OUs?

thank you.
GPResults.JPG
0
 
LVL 10

Accepted Solution

by:
Korbus earned 800 total points
ID: 39997593
Sorry about the delay in reply.  I saw your screen shot:  take a look at the settings tab.
This tab will take all the settings, from all Group Policies applied to this user/computer combination, and show you which ones will be put into effect.  You can then "play around" with your OU's and GPO bindings, and rerun this report until the results out correct.

Yes, I think you will want to create a separate OU for the WSUS update policy you want to apply to machines that are NOT in the Workstations OU. (And remove it from the default domain policy, as you said.)  Note: there may be a better way to do this, and have settings from one of the Update GPs to override the default domain GP-  but honestly, I'm not really sure on how to do this.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40008983
So you got your policies applying properly now 911?
Did that RSOP page help figure it out?
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question