cmp119 asked:

Active Directory Group Policy Enable Client Auto Updates

I have an AD domain that contains two DCs (Windows 2003 & Windows 2012).  The W2K3 holds all the FSMO roles.  Almost all of our domain users are normal users without local admin rights.  Right now all computers do not automatically apply updates.  When I log on to each computer as an administrator I can manually download and install updates.

I would like each workstation computer to automatically check for updates nightly @ 3am, and apply all the updates as needed.  I would like to do this via a GPO, but I do not know exactly how to accomplish this.  Meaning I only want this applied to Windows 7 computers and not member servers or domain controllers.  

When I open Group Policy Management on the Windows 2012 DC, I can see the local domain (xxx.local), and then I can see linked group policy objects and see the Default Domain Policy, and then right-click to edit it.  I am reluctant to update the Windows Update setting at the Default Domain Policy level, fearing it will apply these settings to member servers and maybe even DCs.  I simply want to implement a Windows Update policy for workstations (which are all Windows 7 PCs), so that updates are checked and installed and the machines even rebooted on a nightly basis.  This way I will not need to periodically log onto each computer and apply updates manually.  I would also like for regular users to be able to install updates without making them local administrators, but I am not sure if that's a possibility.
ASKER CERTIFIED SOLUTION
Cliff Galiher

This solution is only available to members.
cmp119

ASKER

The weird thing is that in Active Directory Users and Computers I can see OUs by the name of Computers, Users, and Domain Controllers, but when opening Group Policy Management I do not see these OUs under the domain container.  I was thinking of leaving all the PCs in the Computers container and creating a new OU named Servers to move all member servers, etc.  Since the Computers container doesn't show in GP Management, that plan was shot.

I would like to know if I could create a new OU called PCs or Workstations and move all workstation computers to this new OU, and hope it will appear as a container in the GP Management console.  I would leave all the existing servers in the Computers container, leaving GP alone since Windows Update settings are not configured.  I really do not like messing around with GP, so I feel it's best asking trivial questions since I want it done right the first time.   Thanks.
cmp119

ASKER

One more thing referencing GP Windows Update settings.  If enabled, will it also update IE as well?  I have several workstations where they need to use older versions of IE, specifically versions 9 and 10.  I simply hid these updates to avoid updating their browsers.  Will enabling auto updates also force IE version updates as well?  I think the answer is yes, but maybe you may know different or of another solution.  I really am not a fan of WSUS and am trying to avoid going this route.
Those are default containers. They are *not* OUs. Containers and OUs are different object types and have different properties in Active Directory. And you cannot link group policies to containers.
IE is updated by default on Win7. Microsoft makes an IE blocker utility that prevents IE version upgrades temporarily.
cmp119

ASKER

I see!  However, I believe the domain policy flows down to these containers and policy settings propagate as well. If that is the case then I will go ahead with my plan on creating an OU for workstations and editing the GPO for it as described earlier.  I will leave the servers in the Computers container since the default domain policy propagates down, etc.  Let me know if that's the best approach.  Thanks again.
"Best" is subjective, but yes that is an option.
Instead, use WMI filtering.
Namespace:
root\CIMv2
Query:
select * from Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")

This selects all desktops.
cmp119

ASKER

Great advice, guys.  Sorry for the delay in responding.
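
The plan settled on in this thread (a dedicated workstation OU with its own Windows Update GPO, servers left in the default Computers container), sketched in PowerShell as an added example that is not code from any of the posters. The OU name, the GPO name and the use of the ActiveDirectory and GroupPolicy modules on the Windows 2012 DC are assumptions; the move step runs with -WhatIf, so nothing is relocated until that switch is removed.

```powershell
# Added example. Names marked "assumed" do not come from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domain  = Get-ADDomain
$ouName  = 'Workstations'                    # assumed OU name
$gpoName = 'Workstations - Windows Update'   # assumed GPO name
$ouDN    = "OU=$ouName,$($domain.DistinguishedName)"

# 1. Create the OU if it is missing. A GPO can be linked to an OU,
#    but not to the default CN=Computers container.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 2. Create a separate GPO instead of editing the Default Domain Policy.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# 3. Automatic Updates policy values: install every night at 03:00.
$auKey  = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$values = @{
    NoAutoUpdate         = 0   # automatic updates enabled
    AUOptions            = 4   # download automatically, install on schedule
    ScheduledInstallDay  = 0   # 0 = every day
    ScheduledInstallTime = 3   # hour of day, local time
}
foreach ($name in $values.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName $name `
        -Type DWord -Value $values[$name] | Out-Null
}

# 4. Link the GPO to the workstation OU only, and only once.
$links = (Get-GPInheritance -Target $ouDN).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDN | Out-Null
}

# 5. Preview moving Windows 7 machines out of the default container.
Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' `
        -SearchBase $domain.ComputersContainer |
    Move-ADObject -TargetPath $ouDN -WhatIf

# 6. List what currently sits in the OU and will receive the policy.
Get-ADComputer -Filter * -SearchBase $ouDN -Properties OperatingSystem |
    Select-Object Name, OperatingSystem
```

The WMI filter quoted earlier in the thread can be attached to this same GPO in Group Policy Management as a second guard, so a server moved into the OU by mistake still does not pick up the schedule.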