I have an AD domain that contains two DCs (Windows 2003 & Windows 2012). The W2K3 DC holds all the FSMO roles. Almost all of our domain users are normal users without local admin rights. Right now, none of the computers apply updates automatically. When I log on to each computer as an administrator, I can manually download and install updates.
I would like each workstation computer to automatically check for updates nightly at 3am and apply all the updates as needed. I would like to do this via a GPO, but I do not know exactly how to accomplish this. Specifically, I only want this applied to Windows 7 computers and not to member servers or domain controllers.
When I open Group Policy Management on the Windows 2012 DC, I can see the local domain (xxx.local), and then I can see the linked Group Policy Objects, including the Default Domain Policy, which I can right-click to edit. I am reluctant to update the Windows Update settings at the Default Domain Policy level, fearing it will apply these settings to member servers and maybe even DCs. I simply want to implement a Windows Update policy for workstations (which are all Windows 7 PCs), so that updates are checked and installed, and the machines even rebooted, on a nightly basis. This way I will not need to periodically log on to each computer and apply updates manually. I would also like regular users to be able to install updates without making them local administrators, but I am not sure if that's a possibility.