Solved

Group Policy - W2k8 R2 Server > How To Setup Windows Updates

Posted on 2016-10-25
Last Modified: 2016-10-25
Overview:
Network, 25 users, Win 7 Pro on desktops, Win 2K8 R2 Server as the Domain Controller, AD, etc...

Need Help With:
I am trying to set up Group Policy to manage the Windows updates on both servers and the desktops.
I would like the desktops to update every day at 3:00 a.m.
I would like the server to update only on Sunday morning at 3:00 a.m.
I would like to avoid modifying the default domain policy.
(Currently I am just trying to get the desktop policy to work; I will work on the server policy after that.)

What has been done so far:
In AD create a security group called = WinUpdateComputers

In AD create an OU called = WinUpdateDesktops

In AD move the WinUpdateComputers into the WinUpdateDesktops OU

Close AD

Open GP Management

Find OU called WinUpdateDesktops

Right Click -> Create and Link GP Here

Select policy configurations > Computer Config > Policies > Administrative Templates > Windows Components > Windows Updates

Select the Configure Updates Policy > Set it to use the schedule, select 0 for every day, set time as 3 a.m.

Close the policy screen

Select the policy you created. Find Security Filtering (bottom of right window)

Add the security group WinUpdateComputers

Run gpupdate /force

Reboot one of the desktops to test.

Problem:
The policy does not seem to be applying to the desktop computers properly.

Comments:
All users are local admins on their computers.
Question by:tech911
8 Comments
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41858481
0
 
LVL 3

Author Comment

by:tech911
ID: 41858794
Thank you.
I had reviewed that before, does not seem to help.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 41858844
"In AD move the WinUpdateComputers into the WinUpdateDesktops OU"

Did you move the actual computer objects into the OU, or just the security group? If you only moved the security group, that's not going to work; the computers themselves must be in the OU for the GPO to apply to them.
0
 
LVL 3

Assisted Solution

by:tech911
tech911 earned 0 total points
ID: 41858911
I only moved the security group.

So you can't apply a GP to a GROUP that is in an OU; you can only apply the GP to OBJECTS (computers or users) that are in the OU, not a group. Is that correct? I just want to make sure I understand this.


Follow up Question:

IF I move the computers out of the Computers OU and into WinUpdateDesktops OU will that prevent the default domain policies being applied?  Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to.

Please confirm/comment..Thank you
0
 
LVL 26

Accepted Solution

by:DrDave242
DrDave242 earned 500 total points
ID: 41858931
"So you can't apply a GP to a GROUP that is in an OU; you can only apply the GP to OBJECTS (computers or users) that are in the OU, not a group. Is that correct? I just want to make sure I understand this."

That's correct.

"IF I move the computers out of the Computers OU and into WinUpdateDesktops OU will that prevent the default domain policies being applied? Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to."

The default domain policy will still be applied, unless you've configured the OU to block inheritance (which you generally don't want to do). If there are any settings in the OU-specific policy that conflict with settings in the default domain policy, the OU-specific settings will take precedence - unless the default policy has the "Enforced" option enabled.
0
 
LVL 3

Assisted Solution

by:tech911
tech911 earned 0 total points
ID: 41858940
So to drill down a bit deeper...

Do I still need the security group?  

It seems like I do...so that I can set it up in the security filtering section of the policy... Or am I totally missing it and something else should be in the Security filtering section.
0
 
LVL 26

Assisted Solution

by:DrDave242
DrDave242 earned 500 total points
ID: 41858950
You don't need the security group if all of the machines in the OU will have the policy applied to them. If you want only some of the machines in the OU to have the policy applied, then you can use Security Filtering (and the group) to control which ones will and which ones won't.
0
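
The checks discussed in this thread, scripted in PowerShell as an added example that is not part of the original posts: dry-run moving the group's computer objects into the OU, list the GPO inheritance and security filtering, then confirm the schedule on a desktop. The domain DN `DC=example,DC=local`, the GPO name `Desktop Windows Updates` and the computer name `DESKTOP01` are placeholders; the OU and group names are the ones from the question.

```powershell
# Added example. Steps 1-3 run on the domain controller (Server 2008 R2), elevated.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Placeholders (assumptions): domain DN and GPO name. OU/group names are from the question.
$domainDn = 'DC=example,DC=local'
$ouDn     = "OU=WinUpdateDesktops,$domainDn"
$gpoName  = 'Desktop Windows Updates'
$group    = 'WinUpdateComputers'

# 1. A GPO linked to an OU only reaches computer/user objects located in that OU.
#    Dry-run the move of every computer in the group; remove -WhatIf to apply it.
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object {
        if ($_.distinguishedName -notlike "*,$ouDn") {
            Move-ADObject -Identity $_.distinguishedName -TargetPath $ouDn -WhatIf
        }
    }

# 2. Show what the OU inherits. The Default Domain Policy should still be listed
#    unless inheritance is blocked; an Enforced link wins over the OU-level GPO.
$inh = Get-GPInheritance -Target $ouDn
"Block inheritance on OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 3. Security filtering: only trustees holding GpoApply receive the policy.
#    If every machine in the OU should get it, the extra group is not required.
Get-GPPermissions -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 4. On a desktop (placeholder DESKTOP01), after gpupdate /force and a reboot:
#    the GPO should appear under applied computer policies, and the registry
#    should carry the schedule (AUOptions 4 = scheduled install,
#    ScheduledInstallDay 0 = every day, ScheduledInstallTime 3 = 03:00).
gpresult /r /scope computer
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' |
    Select-Object AUOptions, ScheduledInstallDay, ScheduledInstallTime
```

If the GPO shows up under denied GPOs in the `gpresult` output, the reason given there (for example security filtering) indicates which of the first three checks to revisit.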
 
LVL 3

Author Closing Comment

by:tech911
ID: 41859102
You are the Dr...  Nice job, everything you explained makes perfect sense.

Thank you,

Chris
0
