Solved

WSUS applied Updates to all groups!

Posted on 2014-04-09
Last Modified: 2016-02-21
I have just recently configured and installed WSUS on my network. I created two groups, Test group and all other PCs. I only approved some updates for the Test-group, but later people were calling me and telling me that their PCs were asking them to restart because of the Windows update. How did this happen?

Furthermore, I have created two domain policies, one for each group, in order for the PCs to join the right computer group I have created, and that has been working just fine.

Please review the images attached.
WSUS-Server.JPG
DC.JPG
Question by:911-SOS
15 Comments
 
LVL 13

Expert Comment

by:Santosh Gupta
Hi,

Please enable the below group policy.

wsus1
 

Author Comment

by:911-SOS
Sure, I'll check back with you.
 
LVL 10

Expert Comment

by:Korbus
To determine why it applied the wrong settings to the test-group: I think I would start by generating an RSOP for a user and test-group computer, to confirm it assigns the correct group policy update settings.
Check out the "Group Policy Results" item on the left of the Group Policy screen to do this test.
 

Author Comment

by:911-SOS
Reply to Guru:

Before I enable that policy I wanted to ask you: if I enable it, would it automatically restart the PC? If it does, I don't want it then.
 
LVL 13

Expert Comment

by:Santosh Gupta
Hi,

See the policy named "No auto restart with logged on user for scheduled automatic update installation".

If you enable it, it will not reboot your system.

If not, then as the default behaviour it will reboot the system.
 

Author Comment

by:911-SOS
Reply to Korbus:

Please see the attached image, if that is what you mean.
RegistrySettings.JPG
 

Author Comment

by:911-SOS
Reply to Santosh Gupta:

Hi,

Thank you for that. Your information was valuable, but I think I need to change the update time to night time instead of in the morning, and I would like the PC to restart so that by the time users come to work their PCs are ready to use.

I'm trying to eliminate any user interaction with the updating process.
 
LVL 13

Expert Comment

by:Santosh Gupta
So you leave your PCs running at night. If so, then it is OK to set it at night.

If not, then you should go with enabling "No auto restart with logged on user for scheduled automatic update installation".
 

Author Comment

by:911-SOS
Yeah, the PCs are running at night.
 

Author Comment

by:911-SOS
Any ideas, guys?....
 
LVL 13

Expert Comment

by:Santosh Gupta
Ok,

That will be good; change the settings as per below.

1. No auto-restart for scheduled Automatic Update installation options - Disabled
2. Change Schedule install time - 3:00
3. Delay Restart for scheduled installations - Enabled

http://technet.microsoft.com/en-us/library/cc512630.aspx
 
LVL 10

Expert Comment

by:Korbus
Looked at that screenshot (registrySettings.jpg): no, that's not what I meant.

In the group policy window you initially posted (DC.jpg), there is an item in the left pane called: group policy results.
You can use that applet to confirm which group policy settings will be applied to a particular computer & user combination. This is one of the primary tools I use to determine why group policy isn't working out as expected.
 

Author Comment

by:911-SOS
Reply to Korbus:

Thank you for your reply. Please find the results in the attached image. I couldn't really understand it; maybe you can help make sense of the Applied GPOs.

1- I have chosen one of the PCs which is supposed to be in the Workstations group, meaning the updates that I approve for the test-group shouldn't apply to the Workstations group until I decide.

2- I have made two different WSUS policies. One is called WSUS Update policy for Test PCs, which I have linked to the TestWorkStations OU (you can see it in the image as well), and the second is WSUS Update Policy, which is linked to the Workstations OU. Why are there two WSUS Update Policy entries, one WSUS Update Policy for Test PCs, and a Default Domain Policy applied to this computer? I can understand the default one.

I only need the WSUS Update Policy to take effect on the Workstations OU. Should I remove the ones from the top of the domain so they wouldn't affect my OUs?

Thank you.
GPResults.JPG
 
LVL 10

Accepted Solution

by:
Korbus earned 400 total points
Sorry about the delay in reply. I saw your screen shot: take a look at the settings tab.
This tab will take all the settings, from all Group Policies applied to this user/computer combination, and show you which ones will be put into effect. You can then "play around" with your OUs and GPO bindings, and rerun this report until the results come out correct.

Yes, I think you will want to create a separate OU for the WSUS update policy you want to apply to machines that are NOT in the Workstations OU. (And remove it from the default domain policy, as you said.) Note: there may be a better way to do this, and have settings from one of the Update GPs override the default domain GP, but honestly, I'm not really sure how to do this.
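A complementary check to the Group Policy Results report described above, added here as an example (not code posted by anyone in the thread): run on a workstation, it reads the registry values that the Windows Update policies write and flags a client-side target group that differs from the one you expect. The function name and its `-ExpectedGroup` parameter are hypothetical; `Workstations` is the group name from the question.

```powershell
# Added example: run on the workstation under investigation (PowerShell 3.0+).
function Get-EffectiveWsusPolicy {
    param(
        # Hypothetical parameter: the WSUS computer group this PC should be in.
        [Parameter(Mandatory = $true)][string]$ExpectedGroup
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    if (-not (Test-Path $wuKey)) {
        Write-Warning 'No Windows Update policy key found: no WSUS GPO has applied here.'
        return
    }
    $wu = Get-ItemProperty -Path $wuKey
    $au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

    # TargetGroup may list several groups separated by semicolons.
    $groups = @("$($wu.TargetGroup)" -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })

    if ($wu.TargetGroupEnabled -ne 1) {
        Write-Warning 'Client-side targeting is not enabled by policy on this computer.'
    }
    elseif ($groups -notcontains $ExpectedGroup) {
        Write-Warning "Target group is '$($groups -join ';')', expected '$ExpectedGroup'."
    }

    [pscustomobject]@{
        Computer                      = $env:COMPUTERNAME
        WUServer                      = $wu.WUServer
        TargetGroupEnabled            = $wu.TargetGroupEnabled
        TargetGroup                   = $groups -join ';'
        AUOptions                     = $au.AUOptions             # 4 = download and schedule install
        ScheduledInstallTime          = $au.ScheduledInstallTime  # hour of day, 0-23
        NoAutoRebootWithLoggedOnUsers = $au.NoAutoRebootWithLoggedOnUsers
        RebootWarningTimeoutEnabled   = $au.RebootWarningTimeoutEnabled
        RebootWarningTimeout          = $au.RebootWarningTimeout  # minutes
    }
}

# 'Workstations' is the group name used in the question.
Get-EffectiveWsusPolicy -ExpectedGroup 'Workstations' | Format-List

# The GPOs that delivered these values are listed by the built-in gpresult tool:
gpresult /r /scope computer
```

The WSUS server only honours `TargetGroup` when its Computers option is set to "Use Group Policy or registry settings on computers"; otherwise group membership is assigned in the WSUS console.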
 
LVL 10

Expert Comment

by:Korbus
So you got your policies applying properly now, 911?
Did that RSOP page help figure it out?
