Solved

WSUS best practice for deployment

Posted on 2014-04-17
17
396 Views
Last Modified: 2014-04-20
Hi Guys, we have limited OU's in our environment and will not be extending this. Therefore would is it possible, and is it best practice to apply the computers to security groups and attach this to a GPO?

thanks
0
Comment
Question by:cwstad2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 8
17 Comments
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 40007266
Therefore would is it possible, and is it best practice to apply the computers to security groups and attach this to a GPO?
It's not best practice, but it isn't looked down on either.  What I would do instead of what you're thinking is to use Security Filtering, and WMI Filtering.  Check this out:

http://technet.microsoft.com/en-us/library/cc754488(v=ws.10).aspx
(it's for 2008, but still applies to 2012)
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40007404
hi brad it's a mix 2003 XP Win7 and 2008
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 40007521
And again, Security Filtering would be the way to go.  WMI is more for if you need to target an OU with a GPO but only want Operating System X (where x is the operating system you want to focus on) and not Operating System Y to get the settings.

For what you need, simply add your computers to the groups they need to be in, then apply the GPO to the OU you want, and use Security Filtering to apply or deny whatever you like.

For reference:  http://www.techrepublic.com/blog/the-enterprise-cloud/group-policy-object-filtering-by-security-group/
and
http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 15

Author Comment

by:cwstad2
ID: 40007695
Thanks Is it complicated to set up. I'm relatively new to this and wmi
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 40007723
Not at all.  Matter of fact, that first link I posted should get you down the right path and I'd be glad to help you in any way possible.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40007877
Thanks Brad this is a new deployment and would appreciate any expert assistance
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 40007889
This is a simple, but good, place from Microsoft to start:  http://technet.microsoft.com/en-us/library/cc752992.aspx

The great thing about security filtering is it is perfectly fit for the problem you described where you only have a certain number of OUs and you can't create more or you can't do a lot of changing things around because it allows you to apply a Group Policy Object to an OU/Container but not have it apply to everything in that container.  That's where having your computers/users in the right security groups really helps.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40008444
Hi Brad, would i be able to attach the GPO to an OU, add the security group to the GPO but have the Computer in a differnt OU?
0
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 500 total points
ID: 40008780
You have to have the users/computers either in the OU where the GPO is applied, or have it applied to the whole domain.  Reference:  http://serverfault.com/questions/178183/group-policy-not-being-applied-unless-user-is-in-ou

If that doesn't make sense here is a screenshot to illustrate where you would put the OU.
gpo
What you would do is create a security group for the computers you want to have your settings applied to and add the computers to it, then you attach/link the GPO to the entire domain at the top of the list (from screenshot above), after that, you would use Security Filtering and only add the Computer Security Group you created to apply it to as described in this link:  http://www.edugeek.net/forums/windows/112614-apply-group-policy-ou-but-exclude-certain-computers.html

If that doesn't make sense let me know and I can elaborate more, but I'm quite certain if you follow those steps you'll see what I mean.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40008791
Thanks Brad, thats clarified it for me. So essentailly if i have all the computers in one OU and would like 4 different setting to be applied, i would have to attach all the GPO's to that single OU
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 40008795
Yes, or just simply attach the GPO to the entire domain and in the Security Filtering section only apply it to those 4 computers.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40008802
I would like 4 different install and reboot times. About 100 desktops. Thanks for your help  I really appreciate it.
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 40008805
No problem my friend, any time.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40008868
One last thing, do you use a reboot script for your clients and servers?
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 40008884
I don't personally, but I'm sure there are many who do.
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 40008897
Also, just so you're aware too there isn't any problem with this question but I did request Administrative Assitance so we could actually mark the answer as my comment (ID: 40008780) instead of the one you marked.  More for reference than anything so that if someone else sees this question they know exactly what finally worked.

Glad we could get you a solution, hope to see you around here again soon.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40008899
Thanks have a nice weekend
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to Have Macro Files Automatically "Edit" 5 48
Microsoft DNS on Windows Server 2012 R2 10 62
windows Server 2003 in 2017 10 74
Run Server 2012 on PowerEdge 2950 13 32
The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question