RyanIrish asked:
How to prevent WSUS from taking control of servers

Hello experts,

I'm trying to prevent WSUS from controlling updates on my other servers.  I continually delete the machines from WSUS, and then remove the registry entry on the machines I want to control myself.  Eventually, the servers end up back under the control of WSUS.  Is there any way to keep WSUS from taking update control from these servers?
ASKER CERTIFIED SOLUTION
Adam Brown
RyanIrish (ASKER):
Got it...thank you for the prompt response and assistance!
Here's how it's worked best for my environment:

1. Create a GPO that points all the PCs and other servers in your environment to the WSUS server. (Here's a link to the Microsoft Technet site explaining in greater detail and discussing which settings to configure: https://technet.microsoft.com/en-us/library/cc708574(v=ws.10).aspx)

2. Create a new OU (i.e., Servers) and place the servers you want to make "exempt" from WSUS in it.

3. Block inheritance of the new GPO to the new OU you created.

Hope this works for you. Let me know if this works or if you have questions.
Thanks, mctigue.

We already have the GPO created, so that part is out of the way. I also have an OU containing just our servers.

I don't know how to block the inheritance of the GPO to any OU or computer. I tried to add the OU under delegation in GPO management, but I don't see any options to deny or block.

Strike that, I don't have an OU created, I have a group created...not sure of the difference.
OUs are Organizational Units. They are meant to organize and separate computers and users for easier management. Computers and Users can only be in one OU at any time.

Groups are admittedly similar, but are meant for controlling permission to resources. Users and Computers can be in as many groups as needed.

GPOs are linked to OUs, and the "permission" to apply the linked GPOs is limited with groups. By default, the "Apply" permission is granted to the Authenticated Users group on the GPO, which includes all users and computers in the domain. So when you link a GPO to an OU, all objects in the OU will apply the settings based on whether the setting is for computers or users. Computers will apply Computer Settings, users will apply User Settings. If you don't want all the objects that exist in the OU to apply the policy, you can remove the Authenticated Users group from the security filtering and add another group to it that has fewer objects in it. For instance, if you want a policy to apply to only domain controllers in the domain, you would add the Domain Controllers group to the security filtering of the GPO. If you do that, it doesn't matter how many OUs the GPO is linked to or how many computers are in those OUs: if the computers are not members of the Domain Controllers group, they won't be able to apply the policy.

Does that make more sense?
Thanks, Adam!  That does clear some of the fog in my brain...  I'll create a group of only the machines I want controlled by WSUS and replace 'authenticated users' with that group.
RyanIrish,

To block inheritance, open Group Policy Management. Then expand the domain forest in the left pane until you locate the OU you want. Finish with a right click on the OU and choose Block Inheritance (see attached screenshot). Additionally, you can also link a GPO to an OU through this menu list as well.

[Attachment: GPO-Management.PNG]
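Both approaches discussed in this thread, security filtering on the WSUS GPO (Adam's answer) and blocking inheritance on the servers OU (mctigue's answer), scripted with the GroupPolicy module, as an added example that is not part of any post here. The GPO name, the group name and the OU distinguished name are assumed placeholders; run it from a machine with RSAT / GPMC installed.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

$GpoName   = 'WSUS Client Settings'                 # assumed: name of the WSUS GPO
$GroupName = 'WSUS-Managed-Computers'               # assumed: AD group holding the computer
                                                    #          accounts that should stay on WSUS
$ServersOU = 'OU=Servers,DC=example,DC=local'       # assumed: OU of the servers to exempt

function Show-ApplyFiltering {
    # Lists who currently has the Apply permission on the GPO
    # (out of the box this is Authenticated Users, i.e. every computer and user).
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

'Apply permission before the change:'
Show-ApplyFiltering -Name $GpoName

# Approach 1 (security filtering): give Apply to the chosen group only.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# Lower Authenticated Users to Read instead of removing it entirely. Since
# MS16-072 (KB3163622) the computer account retrieves user and computer GPOs,
# so a GPO that Authenticated Users (or Domain Computers) can no longer read is
# not processed at all; dropping Read is the usual reason a filtered GPO
# silently stops applying to the machines it was meant for.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

'Apply permission after the change:'
Show-ApplyFiltering -Name $GpoName

# Approach 2 (block inheritance): stop GPOs linked above the servers OU from
# flowing down to it. Note that a GPO link marked Enforced still wins over a
# block, so check the WSUS GPO link is not enforced.
Set-GPInheritance -Target $ServersOU -IsBlocked Yes
Get-GPInheritance -Target $ServersOU | Select-Object Path, GpoInheritanceBlocked

# On an exempted server, confirm the WSUS policy no longer applies after
# a refresh: gpupdate /force, then gpresult /r /scope:computer
```

Computers only pick up the changed filtering after their next policy refresh, so the registry entries the question mentions (the WSUS server settings under the WindowsUpdate policy key) disappear once the GPO is no longer applied, rather than immediately.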