Solved

Group Policy - W2k8 R2 Server > How To Setup Windows Updates

Posted on 2016-10-25
Last Modified: 2016-10-25
Overview:
Network, 25 users, Win 7 Pro on desktops, Win 2K8 R2 Server as the Domain Controller, AD, etc...

Need Help With:
I am trying to set up Group Policy to manage the Windows updates on both servers and the desktops.
I would like the desktops to update every day at 3:00 a.m.
I would like the server to update only on Sunday morning at 3:00 a.m.
I would like to avoid modifying the default domain policy.
(Currently I am just trying to get the desktop policy to work; I will work on the server policy after that.)

What has been done so far:
In AD create a security group called = WinUpdateComputers

In AD create an OU called = WinUpdateDesktops

In AD move the WinUpdateComputers into the WinUpdateDesktops OU

Close AD

Open GP Management

Find OU called WinUpdateDesktops

Right Click -> Create and Link GP Here

Select policy configurations > Computer Config > Policies > Administrative Templates > Windows Components > Windows Updates

Select the Configure Updates Policy > Set it to use the schedule, select 0 for every day, set time as 3 a.m.

Close the policy screen

Select the policy you created. Find Security Filtering (bottom of right window)

Add the security group WinUpdateComputers

Run gpupdate /force

Reboot one of the desktops to test.

Problem:
The policy does not seem to be applying to the desktop computers properly.

Comments:
All users are local admins on their computers.
Question by:tech911
8 Comments
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41858481
0
 
LVL 3

Author Comment

by:tech911
ID: 41858794
Thank you.
I had reviewed that before, does not seem to help.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 41858844
> In AD move the WinUpdateComputers into the WinUpdateDesktops OU

Did you move the actual computer objects into the OU, or just the security group? If you only moved the security group, that's not going to work; the computers themselves must be in the OU for the GPO to apply to them.
0

 
LVL 3

Assisted Solution

by:tech911
tech911 earned 0 total points
ID: 41858911
I only moved the security group.

So you can't apply a GP to a GROUP that is in an OU; you can only apply the GP to OBJECTS (computers or users) that are in the OU, not a group. Is that correct? I just want to make sure I understand this.


Follow up Question:

If I move the computers out of the Computers OU and into WinUpdateDesktops OU, will that prevent the default domain policies being applied? Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to?

Please confirm/comment. Thank you.
0
 
LVL 26

Accepted Solution

by:DrDave242
DrDave242 earned 500 total points
ID: 41858931
> So you can't apply a GP to a GROUP that is in an OU; you can only apply the GP to OBJECTS (computers or users) that are in the OU, not a group. Is that correct? I just want to make sure I understand this.

That's correct.

> If I move the computers out of the Computers OU and into WinUpdateDesktops OU, will that prevent the default domain policies being applied? Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to?

The default domain policy will still be applied, unless you've configured the OU to block inheritance (which you generally don't want to do). If there are any settings in the OU-specific policy that conflict with settings in the default domain policy, the OU-specific settings will take precedence - unless the default policy has the "Enforced" option enabled.
0
 
LVL 3

Assisted Solution

by:tech911
tech911 earned 0 total points
ID: 41858940
So to drill down a bit deeper...

Do I still need the security group?  

It seems like I do... so that I can set it up in the security filtering section of the policy... Or am I totally missing it and something else should be in the Security Filtering section?
0
 
LVL 26

Assisted Solution

by:DrDave242
DrDave242 earned 500 total points
ID: 41858950
You don't need the security group if all of the machines in the OU will have the policy applied to them. If you want only some of the machines in the OU to have the policy applied, then you can use Security Filtering (and the group) to control which ones will and which ones won't.
0
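
The scoping rules from the answers above (computer objects must be in the linked OU, domain-level GPOs are still inherited, and Security Filtering only narrows the set), as an added PowerShell check that is not part of the original thread. The group and OU names come from the question; the GPO name and the OU sitting directly under the domain root are assumptions.

```powershell
# Added example: run on a machine with the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'WinUpdateComputers'       # security group from the question
$OuName    = 'WinUpdateDesktops'        # OU from the question
$GpoName   = 'Desktop Windows Update'   # hypothetical: the GPO name is not given in the thread
# Assumption: the OU sits directly under the domain root.
$OuDn = "OU=$OuName," + (Get-ADDomain).DistinguishedName

# 1. A GPO link reaches only computer objects located under the OU.
#    Group membership alone does not bring a computer into scope.
$report = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Computer = $_.name
            InOu     = ($_.distinguishedName -like "*,$OuDn")
            DN       = $_.distinguishedName
        }
    }
$report | Format-Table Computer, InOu, DN -AutoSize

# 2. Preview the move for computers still outside the OU; remove -WhatIf to apply.
$report | Where-Object { -not $_.InOu } |
    ForEach-Object { Move-ADObject -Identity $_.DN -TargetPath $OuDn -WhatIf }

# 3. Links that apply to the OU, direct and inherited (e.g. Default Domain Policy),
#    in precedence order, plus the OU's block-inheritance flag.
$som = Get-GPInheritance -Target $OuDn
"Block inheritance on OU: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 4. Security filtering: trustees holding Apply on the GPO.
#    With every computer in the OU in scope, the default 'Authenticated Users' is enough;
#    list a group here only to limit the GPO to a subset of the OU.
#    (Get-GPPermissions is the 2008 R2 name; later versions keep it as an alias.)
Get-GPPermissions -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

# 5. On a desktop, after gpupdate /force and a reboot, confirm the result:
#    gpresult /r /scope computer
```
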
 
LVL 3

Author Closing Comment

by:tech911
ID: 41859102
You are the Dr...  Nice job, everything you explained makes perfect sense.

Thank you,

Chris
0
