Solved

WSUS applied Updates to all groups!

Posted on 2014-04-09
15
256 Views
Last Modified: 2016-02-21
I have just recently configure and installed WSUS on my network. created two groups, Test group and all other PCs. I only approved some updates to the Test-group but later people were calling me and telling me that their PCs are asking them to restart because of the windows update. how this happen?

further more I have created two domain policy for each group in order for PC to join in to the right computer group I have created and that has been working just fine.

please review the images attached.
WSUS-Server.JPG
DC.JPG
0
Comment
Question by:911-SOS
  • 7
  • 4
  • 4
15 Comments
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39989322
Hi,

Please Enable  the below group policy.

wsus1
0
 

Author Comment

by:911-SOS
ID: 39989346
sure, i'll check back with you.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39989354
To determine why it applied the wrong settings to the test-group: I think I would start by generating a RSOP for a user and test-group computer, to confirm it assigns the correct group policy updates settings.
Check out the "Group Policy Results" item on the left of the Group Policy screen to do this test.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 

Author Comment

by:911-SOS
ID: 39989472
reply to Guru:

before I enable that policy I wanted to ask you, if I enable it would it automatically restart the PC? if it does I don't want it then.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39989490
Hi,

see the policy name "No auto restart with logged on user for scheduled automatic update installation ".

if you will enable it will not reboot your system.

if not then as the default behaviour it will reboot the system.
0
 

Author Comment

by:911-SOS
ID: 39989502
reply to Korbus:

please see attached image if that is what you mean.
RegistrySettings.JPG
0
 

Author Comment

by:911-SOS
ID: 39989535
reply to Santosh Gupta:

Hi,

thank you for that. but even your information was valuable but I think I need to change the update time to night time instead of in the morning and I would the PC to restart so by the time users will come to work their PCs are ready to use.

I'm trying to eliminate any user interaction with updating processes.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39989563
So you leave your PC running in night. if so then ok to set it in night.

if not then you should go with enabling "No auto restart with logged on user for scheduled automatic update installation ".
0
 

Author Comment

by:911-SOS
ID: 39989598
Yeah the PCs are running at night.
0
 

Author Comment

by:911-SOS
ID: 39990051
any ideas guys?....
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39990241
Ok,

That will be good, change settings as per below.

1. No auto-restart for scheduled Automatic Update installation options - Disabled
2. Change Schedule install time -  3:00
3. Delay Restart for scheduled installations- Enabled

http://technet.microsoft.com/en-us/library/cc512630.aspx
0
 
LVL 10

Expert Comment

by:Korbus
ID: 39990456
Looked at that screenshot (registrySettings.jpg):  no, that's not what I meant.

In the group policy window you initially posted (DC.jpg), there is an item in the left pane called: group policy results.
You can use that applet to confirm which group policy settings will be applied to a particular computer & user combination.  This is one of the primary tools I use to determine why group policy isn't working out as expected.
0
 

Author Comment

by:911-SOS
ID: 39991582
reply to Korbus:

thank you for your reply, please find the results on attached image. I couldn't really understand it, maybe you can help make sense out of the Applied GPOs.

1- I have choose one of the PCs which suppose to be in Workstations group. meaning the updates that I approve to test-group shouldn't apply to workstations group until I decide.

2- I have made two different WSUS policy. one called WSUS Update policy for Test PCs which I have linked it to TestWorkStations OU ( you can see it in the image as well) and the second is WSUS Update Policy which it linked to Workstations OU. why there are two of WSUS Update policy and one WSUS Update Policy for Test PCs and a Default Domain Policy added to this computer? I can undrestand the default one

I only need the WSUS Update Policy to be effected to the Workstations OU. should I remove the ones from the top of the domain so it wouldn't effect my OUs?

thank you.
GPResults.JPG
0
 
LVL 10

Accepted Solution

by:
Korbus earned 400 total points
ID: 39997593
Sorry about the delay in reply.  I saw your screen shot:  take a look at the settings tab.
This tab will take all the settings, from all Group Policies applied to this user/computer combination, and show you which ones will be put into effect.  You can then "play around" with your OU's and GPO bindings, and rerun this report until the results out correct.

Yes, I think you will want to create a separate OU for the WSUS update policy you want to apply to machines that are NOT in the Workstations OU. (And remove it from the default domain policy, as you said.)  Note: there may be a better way to do this, and have settings from one of the Update GPs to override the default domain GP-  but honestly, I'm not really sure on how to do this.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40008983
So you got your policies applying properly now 911?
Did that RSOP page help figure it out?
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question