Group Policy - W2k8 R2 Server > How To Setup Windows Updates

Overview:
Network, 25 users, Win 7 Pro on desktops, Win 2K8 R2 Server as the Domain Controller, AD, etc...

Need Help With:
I am trying to set up Group Policy to manage the Windows updates on both servers and the desktops.
I would like the desktops to update every day at 3:00 a.m.
I would like the server to update only on Sunday morning at 3:00 a.m.
I would like to avoid modifying the default domain policy.
(Currently I am just trying to get the desktop policy to work; I will work on the server policy after that.)

What has been done so far:
In AD create a security group called = WinUpdateComputers

In AD create an OU called = WinUpdateDesktops

In AD move the WinUpdateComputers into the WinUpdateDesktops OU

Close AD

Open GP Management

Find OU called WinUpdateDesktops

Right Click -> Create and Link GP Here

Select policy configurations > Computer Config > Policies > Administrative Templates > Windows Components > Windows Updates

Select the Configure Updates Policy > Set it to use the schedule, select 0 for every day, set time as 3 a.m.

Close the policy screen

Select the policy you created. Find Security Filtering (bottom of right window)

Add the security group WinUpdateComputers

Run gpupdate /force

Reboot one of the desktops to test.

Problem:
The policy does not seem to be applying to the desktop computers properly.

Comments:
All users are local admins on their computers.
tech911 Asked:
 
DrDave242 Commented:
"So you can't apply a GP to a GROUP that is in an OU; you can only apply the GP to OBJECTS (computers or users) that are in the OU, not a group. Is that correct? I just want to make sure I understand this."

That's correct.

"If I move the computers out of the Computers OU and into the WinUpdateDesktops OU, will that prevent the default domain policies from being applied? Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to?"

The default domain policy will still be applied, unless you've configured the OU to block inheritance (which you generally don't want to do). If there are any settings in the OU-specific policy that conflict with settings in the default domain policy, the OU-specific settings will take precedence - unless the default policy has the "Enforced" option enabled.
 
Niten Kumar, Principal Systems Administrator, Commented:
 
tech911 (Author) Commented:
Thank you.
I had reviewed that before, does not seem to help.
 
DrDave242 Commented:
"In AD move the WinUpdateComputers into the WinUpdateDesktops OU"

Did you move the actual computer objects into the OU, or just the security group? If you only moved the security group, that's not going to work; the computers themselves must be in the OU for the GPO to apply to them.
 
tech911 (Author) Commented:
I only moved the security group.

So you can't apply a GP to a GROUP that is in an OU; you can only apply the GP to OBJECTS (computers or users) that are in the OU, not a group. Is that correct? I just want to make sure I understand this.


Follow up Question:

If I move the computers out of the Computers OU and into the WinUpdateDesktops OU, will that prevent the default domain policies from being applied? Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to?

Please confirm/comment. Thank you.
 
tech911 (Author) Commented:
So to drill down a bit deeper...

Do I still need the security group?  

It seems like I do...so that I can set it up in the security filtering section of the policy... Or am I totally missing it and something else should be in the Security filtering section.
 
DrDave242 Commented:
You don't need the security group if all of the machines in the OU will have the policy applied to them. If you want only some of the machines in the OU to have the policy applied, then you can use Security Filtering (and the group) to control which ones will and which ones won't.
 
tech911 (Author) Commented:
You are the Dr...  Nice job, everything you explained makes perfect sense.

Thank you,

Chris
Question has a verified solution.
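
The scoping rules worked out in this thread, as a small Python model: a GPO follows the location of the computer object rather than of a group, the domain-level policy still applies, the OU link wins conflicts unless the higher link is Enforced, and Security Filtering narrows the set. This is an added example, not part of the original thread; the domain example.local, the GPO name "Desktop Updates" and the Default Domain Policy value are constructed, and link order within one container is simplified to list order.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    # Security Filtering: principals holding Read + Apply Group Policy.
    apply_to: frozenset = frozenset({"Authenticated Users"})

@dataclass
class Link:
    gpo: GPO
    enforced: bool = False

@dataclass
class Container:  # a domain or OU that GPOs can be linked to
    dn: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant_settings(computer_dn, computer_groups, containers):
    """Return {setting: (value, winning GPO name)} for one computer object."""
    # Scope follows the location of the computer object itself; the OU that
    # holds a group the computer belongs to plays no part.
    path = sorted((c for c in containers
                   if computer_dn.lower().endswith("," + c.dn.lower())),
                  key=lambda c: len(c.dn))  # domain first, deepest OU last
    normal, enforced = [], []
    for c in path:
        if c.block_inheritance:
            normal.clear()  # drops non-enforced GPOs linked higher up
        for link in c.links:
            if link.gpo.apply_to & computer_groups:  # passes Security Filtering
                (enforced if link.enforced else normal).append(link.gpo)
    result = {}
    # Later writers win: normal links run domain -> OU, then enforced links
    # run OU -> domain so the highest enforced link has the final word.
    for gpo in normal + enforced[::-1]:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

# Constructed sample data (assumed domain; Default Domain Policy value is made up).
DOMAIN_DN = "DC=example,DC=local"
OU_DN = "OU=WinUpdateDesktops," + DOMAIN_DN
default_gpo = GPO("Default Domain Policy", {"ScheduledInstallDay": 1})
desktop_gpo = GPO("Desktop Updates", {"ScheduledInstallDay": 0, "ScheduledInstallTime": 3},
                  frozenset({"WinUpdateComputers"}))
domain = Container(DOMAIN_DN, [Link(default_gpo)])
ou = Container(OU_DN, [Link(desktop_gpo)])
member = {"Authenticated Users", "WinUpdateComputers"}
```

Calling `resultant_settings("CN=PC01,CN=Computers," + DOMAIN_DN, member, [domain, ou])` reproduces the original setup: the computer is a member of the group, but only the domain-level GPO reaches it because the computer object is not in the OU.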