Solved

WSUS applied Updates to all groups!

Posted on 2014-04-09
15
260 Views
Last Modified: 2016-02-21
I have just recently configure and installed WSUS on my network. created two groups, Test group and all other PCs. I only approved some updates to the Test-group but later people were calling me and telling me that their PCs are asking them to restart because of the windows update. how this happen?

further more I have created two domain policy for each group in order for PC to join in to the right computer group I have created and that has been working just fine.

please review the images attached.
WSUS-Server.JPG
DC.JPG
0
Comment
Question by:911-SOS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
  • 4
15 Comments
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39989322
Hi,

Please Enable  the below group policy.

wsus1
0
 

Author Comment

by:911-SOS
ID: 39989346
sure, i'll check back with you.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39989354
To determine why it applied the wrong settings to the test-group: I think I would start by generating a RSOP for a user and test-group computer, to confirm it assigns the correct group policy updates settings.
Check out the "Group Policy Results" item on the left of the Group Policy screen to do this test.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:911-SOS
ID: 39989472
reply to Guru:

before I enable that policy I wanted to ask you, if I enable it would it automatically restart the PC? if it does I don't want it then.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39989490
Hi,

see the policy name "No auto restart with logged on user for scheduled automatic update installation ".

if you will enable it will not reboot your system.

if not then as the default behaviour it will reboot the system.
0
 

Author Comment

by:911-SOS
ID: 39989502
reply to Korbus:

please see attached image if that is what you mean.
RegistrySettings.JPG
0
 

Author Comment

by:911-SOS
ID: 39989535
reply to Santosh Gupta:

Hi,

thank you for that. but even your information was valuable but I think I need to change the update time to night time instead of in the morning and I would the PC to restart so by the time users will come to work their PCs are ready to use.

I'm trying to eliminate any user interaction with updating processes.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39989563
So you leave your PC running in night. if so then ok to set it in night.

if not then you should go with enabling "No auto restart with logged on user for scheduled automatic update installation ".
0
 

Author Comment

by:911-SOS
ID: 39989598
Yeah the PCs are running at night.
0
 

Author Comment

by:911-SOS
ID: 39990051
any ideas guys?....
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39990241
Ok,

That will be good, change settings as per below.

1. No auto-restart for scheduled Automatic Update installation options - Disabled
2. Change Schedule install time -  3:00
3. Delay Restart for scheduled installations- Enabled

http://technet.microsoft.com/en-us/library/cc512630.aspx
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39990456
Looked at that screenshot (registrySettings.jpg):  no, that's not what I meant.

In the group policy window you initially posted (DC.jpg), there is an item in the left pane called: group policy results.
You can use that applet to confirm which group policy settings will be applied to a particular computer & user combination.  This is one of the primary tools I use to determine why group policy isn't working out as expected.
0
 

Author Comment

by:911-SOS
ID: 39991582
reply to Korbus:

thank you for your reply, please find the results on attached image. I couldn't really understand it, maybe you can help make sense out of the Applied GPOs.

1- I have choose one of the PCs which suppose to be in Workstations group. meaning the updates that I approve to test-group shouldn't apply to workstations group until I decide.

2- I have made two different WSUS policy. one called WSUS Update policy for Test PCs which I have linked it to TestWorkStations OU ( you can see it in the image as well) and the second is WSUS Update Policy which it linked to Workstations OU. why there are two of WSUS Update policy and one WSUS Update Policy for Test PCs and a Default Domain Policy added to this computer? I can undrestand the default one

I only need the WSUS Update Policy to be effected to the Workstations OU. should I remove the ones from the top of the domain so it wouldn't effect my OUs?

thank you.
GPResults.JPG
0
 
LVL 10

Accepted Solution

by:
Korbus earned 400 total points
ID: 39997593
Sorry about the delay in reply.  I saw your screen shot:  take a look at the settings tab.
This tab will take all the settings, from all Group Policies applied to this user/computer combination, and show you which ones will be put into effect.  You can then "play around" with your OU's and GPO bindings, and rerun this report until the results out correct.

Yes, I think you will want to create a separate OU for the WSUS update policy you want to apply to machines that are NOT in the Workstations OU. (And remove it from the default domain policy, as you said.)  Note: there may be a better way to do this, and have settings from one of the Update GPs to override the default domain GP-  but honestly, I'm not really sure on how to do this.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40008983
So you got your policies applying properly now 911?
Did that RSOP page help figure it out?
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question