Solved

Group Policy - W2k8 R2 Server > How To Setup Windows Updates

Posted on 2016-10-25
8
27 Views
Last Modified: 2016-10-25
Overview:
Network, 25 users, Win 7 Pro on desktops, Win 2K8 R2 Server as the Domain Controller, AD, etc...

Need Help With:
I am trying to set up Group Policy to manage the windows updates on both servers and the desktops.
I would like the the desktops to update everyday at 3:00 a.m.
I would like the server to update only on Sunday morning at 3:00 a.m.
I would like to avoid modifying the default domain policy.
( Currently I am just trying to get the desktop policy to work, I will work on the server policy after that)

What has been done so far:
In AD create a security group called = WinUpdateComputers

In AD create an OU called = WinUpdateDesktops

In AD move the WinUpdateComputers into the WinUpdateDesktops OU

Close AD

Open GP Management

Find OU called WinUpdateDesktops

Right Click - >  Create and Link GP Here

Select policy configurations > Computer Config > Policyies > Administrative Templates > Windows Components > Windows Updates

Select the Configure Updates Policy > Set it to use the schedule, Select 0 for everyday, set time as 3 a.m.

Close the policy screen

Select the policy you created Find Security Filtering (Bottom of Right Window)

Add the security group WinUpdateComputers

Run gpupdate /force

Reboot one of the desktops to test.

Problem:
The policy does not seem to be applying to the desktop computers properly.

Comments:
All users are local admins on their computers.
SVA-GP1-SS.jpg
0
Comment
Question by:tech911
  • 4
  • 3
8 Comments
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41858481
0
 
LVL 3

Author Comment

by:tech911
ID: 41858794
Thank you.
I had reviewed that before, does not seem to help.
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 41858844
In AD move the WinUpdateComputers into the WinUpdateDesktops OU

Did you move the actual computer objects into the OU, or just the security group? If you only moved the security group, that's not going to work; the computers themselves must be in the OU for the GPO to apply to them.
0
 
LVL 3

Assisted Solution

by:tech911
tech911 earned 0 total points
ID: 41858911
I only moved the security group.

So you can't apply a GP to a GROUP that is in an OU, you can only apply the GP only to OBJECTS (computers or users) that are in the OU, not a group, is that correct, I just want to make sure I understand this.


Follow up Question:

IF I move the computers out of the Computers OU and into WinUpdateDesktops OU will that prevent the default domain policies being applied?  Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to.

Please confirm/comment..Thank you
0
 
LVL 25

Accepted Solution

by:
DrDave242 earned 500 total points
ID: 41858931
So you can't apply a GP to a GROUP that is in an OU, you can only apply the GP only to OBJECTS (computers or users) that are in the OU, not a group, is that correct, I just want to make sure I understand this.

That's correct.

IF I move the computers out of the Computers OU and into WinUpdateDesktops OU will that prevent the default domain policies being applied?  Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to.

The default domain policy will still be applied, unless you've configured the OU to block inheritance (which you generally don't want to do). If there are any settings in the OU-specific policy that conflict with settings in the default domain policy, the OU-specific settings will take precedence - unless the default policy has the "Enforced" option enabled.
0
 
LVL 3

Assisted Solution

by:tech911
tech911 earned 0 total points
ID: 41858940
So to drill down a bit deeper...

Do I still need the security group?  

It seems like I do...so that I can set it up in the security filtering section of the policy... Or am I totally missing it and something else should be in the Security filtering section.
0
 
LVL 25

Assisted Solution

by:DrDave242
DrDave242 earned 500 total points
ID: 41858950
You don't need the security group if all of the machines in the OU will have the policy applied to them. If you want only some of the machines in the OU to have the policy applied, then you can use Security Filtering (and the group) to control which ones will and which ones won't.
0
 
LVL 3

Author Closing Comment

by:tech911
ID: 41859102
You are the Dr...  Nice job, everything you explained makes perfect sense.

Thank you,

Chris
0

Join & Write a Comment

Resolve DNS query failed errors for Exchange
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now