Solved

Active Directory Group Policy Enable Client Auto Updates

Posted on 2014-08-12
Last Modified: 2014-08-22
I have an AD domain that contains two DCs (Windows 2003 & Windows 2012). The W2K3 holds all the FSMO roles. Almost all of our domain users are normal users without local admin rights. Right now all computers do not automatically apply updates. When I log on to each computer as an administrator I can manually download and install updates.

I would like each workstation computer to automatically check for updates nightly @ 3am, and apply all the updates as needed.  I would like to do this via a GPO, but I do not know exactly how to accomplish this.  Meaning I only want this applied to Windows 7 computers and not member servers or domain controllers.  

When I open Group Policy Management on the Windows 2012 DC, I can see the local domain (xxx.local), and then I can see linked group policy objects and see the Default Domain Policy, and then right-click to edit it. I am reluctant to update the Windows Update setting at the Default Domain Policy level, fearing it will apply these settings to member servers and maybe even DCs. I simply want to implement a Windows Update policy for workstations (which are all Windows 7 PCs), so that updates are checked and installed and the machines even rebooted on a nightly basis. This way I will not need to periodically log on to each computer and apply updates manually. I would also like for regular users to be able to install updates without making them local administrators, but I am not sure if that's a possibility.
0
Comment
Question by:cmp119
10 Comments
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 1000 total points
ID: 40257110
Indeed, do *NOT* edit the default domain policy. (for anything, not just this.)

If all of your workstations are nested in an OU separate from your DCs and servers then this is trivially easy. Just create a new group policy, change the Windows Update settings to what you want, and link it to that OU. The machines will apply the settings. And yes, there are settings to auto-install and reboot. No problem.

If you don't have your machines organized in nice OUs, you can create a new group policy and then create a WMI filter that will make sure the group policy only gets applied to machines that match the filter. There are several examples on the internet on how to filter by specific OS and specific version. This can let you target your Win7 machines and exclude your servers. It is slightly less easy than a linked OU, but will do the job. Link the group policy to the domain, set the WMI filter, then change the settings.
0
 
LVL 3

Assisted Solution

by:Waseem Khan
Waseem Khan earned 1000 total points
ID: 40257131
0
 

Author Comment

by:cmp119
ID: 40257174
The weird thing is in Active Directory Users and Computers I can see OUs by the name of Computers, Users, and Domain Controllers, but when opening Group Policy Management I do not see these OUs under the domain container. I was thinking of leaving all the PCs in the Computers container and creating a new OU named Servers to move all member servers, etc. Since the Computers container doesn't show in GP Management, that plan was shot.

I would like to know if I could create a new OU called PCs or Workstations and move all workstation computers to this new OU, and hope it will appear as a container in GP Management console. I would leave all the existing servers in the Computers container, leaving GP alone since Windows Update settings are not configured. I really do not like messing around with GP, so I feel it's best asking trivial questions since I want it done right the first time. Thanks.
0
 

Author Comment

by:cmp119
ID: 40257181
One more thing referencing GP Windows Updates settings. If enabled, will it also update IE as well? I have several workstations where they need to use older versions of IE, specifically versions 9 and 10. I simply hid these updates to avoid updating their browsers. Will enabling auto updates also force IE version updates as well? I think the answer is yes, but maybe you may know different or of another solution. I really am not a fan of WSUS and am trying to avoid going this route.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40257184
Those are default containers. They are *not* OUs. Containers and OUs are different object types and have different properties in Active Directory. And you cannot link group policies to containers.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40257187
IE is updated by default on Win7. Microsoft makes an IE blocker utility that prevents IE version upgrades temporarily.
0
 

Author Comment

by:cmp119
ID: 40257193
I see!  However, I believe the domain policy flows down to these containers and policy settings propagate as well. If that is the case then I will go ahead with my plan on creating an OU for workstations and editing the GPO for it as described earlier.  I will leave the servers in the Computers container since the default domain policy propagates down, etc.  Let me know if that's the best approach.  Thanks again.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40257198
"Best" is subjective, but yes that is an option.
0
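
The plan settled on in this thread (a dedicated workstation OU with its own Windows Update GPO, leaving the Default Domain Policy alone), sketched in PowerShell as an added example that is not code from any poster. The OU name `Workstations` and the GPO name are assumptions, `DC=xxx,DC=local` stands in for the masked domain, and the script assumes the ActiveDirectory and GroupPolicy modules on the 2012 DC.

```powershell
# Added example: the OU name, GPO name and domain DN below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=xxx,DC=local'                  # placeholder for the page's xxx.local
$ouName   = 'Workstations'                     # hypothetical OU name
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Workstations - Windows Update'    # hypothetical GPO name

# 1. Create a real OU. GPOs cannot be linked to the default CN=Computers container.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
          -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Move only Windows 7 computer accounts; servers stay in CN=Computers.
Get-ADComputer -SearchBase "CN=Computers,$domainDn" `
               -Filter "OperatingSystem -like 'Windows 7*'" |
    Move-ADObject -TargetPath $ouDn

# 3. Create the GPO and write the "Configure Automatic Updates" policy values.
$auKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$values = @{
    NoAutoUpdate         = 0   # automatic updates enabled
    AUOptions            = 4   # auto download and schedule the install
    ScheduledInstallDay  = 0   # 0 = every day
    ScheduledInstallTime = 3   # 03:00 local time
}
New-GPO -Name $gpoName | Out-Null
foreach ($name in $values.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName $name `
        -Type DWord -Value $values[$name] | Out-Null
}

# 4. Link the GPO to the workstation OU only, never to the domain root.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# 5. Read the values back to confirm what the GPO will deliver.
Get-GPRegistryValue -Name $gpoName -Key $auKey
```

With `AUOptions` set to 4 the scheduled install is performed by the Windows Update service itself, so users do not need local administrator rights for it to run.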
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40257322
Instead use WMI filtering.
Namespace: root\CIMv2
Query:
select * from Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")

This selects all desktops
0
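
A way to check what a WMI filter will match before attaching it to a GPO, as an added example that is not part of the original posts. It runs the query from the post above next to a narrower variant (an assumption added here) that restricts the match to Windows 7 by version number, and it uses `Get-WmiObject`, which is available in the Windows PowerShell that ships with Windows 7.

```powershell
# Added example: run locally on a machine the GPO should (or should not) reach.
# ProductType values: 1 = workstation, 2 = domain controller, 3 = member server.
$filters = @(
    @{ Name  = 'All desktops (query from the post)'
       Query = 'select * from Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")' },
    # Version 6.1 is shared by Windows 7 and Server 2008 R2, so ProductType is still needed.
    @{ Name  = 'Windows 7 workstations only (added variant)'
       Query = 'select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"' }
)

# Show the properties the filters are evaluated against.
$os = Get-WmiObject -Namespace 'root\CIMv2' -Class Win32_OperatingSystem
"{0}  Version={1}  ProductType={2}" -f $os.Caption, $os.Version, $os.ProductType

foreach ($f in $filters) {
    # A GPO WMI filter passes when its query returns at least one object.
    $hit = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $f.Query).Count -gt 0
    New-Object PSObject -Property @{ Filter = $f.Name; GpoApplies = $hit }
}
```

On a Windows 8 or later client the first filter still reports `GpoApplies = True` while the second reports `False`, which matters if the policy is meant for Windows 7 machines only.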
 

Author Closing Comment

by:cmp119
ID: 40279388
Great advice guys.  Sorry for the delay on responding.
0
