cwstad2
asked on
WSUS best practice for deployment
Hi Guys, we have limited OUs in our environment and will not be extending this. Therefore, is it possible, and is it best practice, to apply the computers to security groups and attach this to a GPO?
thanks
ASKER
Hi Brad, it's a mix: 2003, XP, Win7 and 2008.
And again, Security Filtering would be the way to go. WMI is more for if you need to target an OU with a GPO but only want Operating System X (where x is the operating system you want to focus on) and not Operating System Y to get the settings.
For what you need, simply add your computers to the groups they need to be in, then apply the GPO to the OU you want, and use Security Filtering to apply or deny whatever you like.
For reference: http://www.techrepublic.com/blog/the-enterprise-cloud/group-policy-object-filtering-by-security-group/
and
http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
ASKER
Thanks. Is it complicated to set up? I'm relatively new to this and WMI.
Not at all. Matter of fact, that first link I posted should get you down the right path and I'd be glad to help you in any way possible.
ASKER
Thanks Brad, this is a new deployment and I would appreciate any expert assistance.
This is a simple, but good, place from Microsoft to start: http://technet.microsoft.com/en-us/library/cc752992.aspx
The great thing about security filtering is it is perfectly fit for the problem you described where you only have a certain number of OUs and you can't create more or you can't do a lot of changing things around because it allows you to apply a Group Policy Object to an OU/Container but not have it apply to everything in that container. That's where having your computers/users in the right security groups really helps.
ASKER
Hi Brad, would I be able to attach the GPO to an OU, add the security group to the GPO but have the computer in a different OU?
ASKER
Thanks Brad, that's clarified it for me. So essentially, if I have all the computers in one OU and would like 4 different settings to be applied, I would have to attach all the GPOs to that single OU.
Yes, or just simply attach the GPO to the entire domain and in the Security Filtering section only apply it to those 4 computers.
ASKER
I would like 4 different install and reboot times. About 100 desktops. Thanks for your help I really appreciate it.
No problem my friend, any time.
ASKER
One last thing, do you use a reboot script for your clients and servers?
I don't personally, but I'm sure there are many who do.
Also, just so you're aware too, there isn't any problem with this question, but I did request Administrative Assistance so we could actually mark the answer as my comment (ID: 40008780) instead of the one you marked. More for reference than anything, so that if someone else sees this question they know exactly what finally worked.
Glad we could get you a solution, hope to see you around here again soon.
ASKER
Thanks, have a nice weekend.
http://technet.microsoft.com/en-us/library/cc754488(v=ws.10).aspx
(it's for 2008, but still applies to 2012)
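The setup discussed in this thread (all computers in one OU, four GPOs linked to it, each scoped to one security group by Security Filtering), as an added example that is not part of the original thread. It assumes the GroupPolicy module from RSAT on Server 2012 or later and security groups that already exist; the OU path, WSUS URL, group names and install hours are hypothetical placeholders.

```powershell
# Added example; every name, path, URL and hour below is a hypothetical placeholder.
Import-Module GroupPolicy

$TargetOU = 'OU=Workstations,DC=example,DC=local'   # assumed: the single OU holding all computers
$WsusUrl  = 'http://wsus.example.local:8530'        # assumed: internal WSUS server
$WUKey    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

# One existing security group per maintenance window -> scheduled install hour (0-23).
$Windows = [ordered]@{
    'WSUS-Window-A' = 1
    'WSUS-Window-B' = 3
    'WSUS-Window-C' = 20
    'WSUS-Window-D' = 23
}

foreach ($group in $Windows.Keys) {
    $gpoName = "WSUS - $group"
    New-GPO -Name $gpoName -Comment "WSUS schedule for members of $group" | Out-Null

    # Windows Update policy values: point clients at WSUS, auto-download and schedule install.
    $values = @(
        @{ Key = $WUKey;      Name = 'WUServer';             Type = 'String'; Value = $WsusUrl }
        @{ Key = $WUKey;      Name = 'WUStatusServer';       Type = 'String'; Value = $WsusUrl }
        @{ Key = "$WUKey\AU"; Name = 'UseWUServer';          Type = 'DWord';  Value = 1 }
        @{ Key = "$WUKey\AU"; Name = 'NoAutoUpdate';         Type = 'DWord';  Value = 0 }
        @{ Key = "$WUKey\AU"; Name = 'AUOptions';            Type = 'DWord';  Value = 4 }  # 4 = schedule install
        @{ Key = "$WUKey\AU"; Name = 'ScheduledInstallDay';  Type = 'DWord';  Value = 0 }  # 0 = every day
        @{ Key = "$WUKey\AU"; Name = 'ScheduledInstallTime'; Type = 'DWord';  Value = $Windows[$group] }
    )
    foreach ($v in $values) {
        Set-GPRegistryValue -Name $gpoName -Key $v.Key -ValueName $v.Name `
            -Type $v.Type -Value $v.Value | Out-Null
    }

    # Security Filtering: only members of the group get Apply.
    Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Downgrade Authenticated Users from Apply to Read instead of removing it:
    # computers must still be able to read the GPO or it will not be processed.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Link to the OU that actually contains the computer accounts.
    New-GPLink -Name $gpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

    # Review the resulting ACL before relying on it.
    Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
}
```

A computer picks up a new group membership only after it restarts, so a machine added to one of the groups will not receive its GPO until then; `gpresult /r /scope computer` on the client shows which GPOs were applied or filtered out.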