Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Group Policy - W2k8 R2 Server > How To Setup Windows Updates

Posted on 2016-10-25
8
Medium Priority
?
59 Views
Last Modified: 2016-10-25
Overview:
Network, 25 users, Win 7 Pro on desktops, Win 2K8 R2 Server as the Domain Controller, AD, etc...

Need Help With:
I am trying to set up Group Policy to manage the windows updates on both servers and the desktops.
I would like the the desktops to update everyday at 3:00 a.m.
I would like the server to update only on Sunday morning at 3:00 a.m.
I would like to avoid modifying the default domain policy.
( Currently I am just trying to get the desktop policy to work, I will work on the server policy after that)

What has been done so far:
In AD create a security group called = WinUpdateComputers

In AD create an OU called = WinUpdateDesktops

In AD move the WinUpdateComputers into the WinUpdateDesktops OU

Close AD

Open GP Management

Find OU called WinUpdateDesktops

Right Click - >  Create and Link GP Here

Select policy configurations > Computer Config > Policyies > Administrative Templates > Windows Components > Windows Updates

Select the Configure Updates Policy > Set it to use the schedule, Select 0 for everyday, set time as 3 a.m.

Close the policy screen

Select the policy you created Find Security Filtering (Bottom of Right Window)

Add the security group WinUpdateComputers

Run gpupdate /force

Reboot one of the desktops to test.

Problem:
The policy does not seem to be applying to the desktop computers properly.

Comments:
All users are local admins on their computers.
SVA-GP1-SS.jpg
0
Comment
Question by:tech911
  • 4
  • 3
8 Comments
 
LVL 7

Expert Comment

by:Niten Kumar
ID: 41858481
0
 
LVL 3

Author Comment

by:tech911
ID: 41858794
Thank you.
I had reviewed that before, does not seem to help.
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 41858844
In AD move the WinUpdateComputers into the WinUpdateDesktops OU

Did you move the actual computer objects into the OU, or just the security group? If you only moved the security group, that's not going to work; the computers themselves must be in the OU for the GPO to apply to them.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 3

Assisted Solution

by:tech911
tech911 earned 0 total points
ID: 41858911
I only moved the security group.

So you can't apply a GP to a GROUP that is in an OU, you can only apply the GP only to OBJECTS (computers or users) that are in the OU, not a group, is that correct, I just want to make sure I understand this.


Follow up Question:

IF I move the computers out of the Computers OU and into WinUpdateDesktops OU will that prevent the default domain policies being applied?  Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to.

Please confirm/comment..Thank you
0
 
LVL 27

Accepted Solution

by:
DrDave242 earned 2000 total points
ID: 41858931
So you can't apply a GP to a GROUP that is in an OU, you can only apply the GP only to OBJECTS (computers or users) that are in the OU, not a group, is that correct, I just want to make sure I understand this.

That's correct.

IF I move the computers out of the Computers OU and into WinUpdateDesktops OU will that prevent the default domain policies being applied?  Or will the default domain policy be applied first, then the policy specific to the OU that the computers have been moved to.

The default domain policy will still be applied, unless you've configured the OU to block inheritance (which you generally don't want to do). If there are any settings in the OU-specific policy that conflict with settings in the default domain policy, the OU-specific settings will take precedence - unless the default policy has the "Enforced" option enabled.
0
 
LVL 3

Assisted Solution

by:tech911
tech911 earned 0 total points
ID: 41858940
So to drill down a bit deeper...

Do I still need the security group?  

It seems like I do...so that I can set it up in the security filtering section of the policy... Or am I totally missing it and something else should be in the Security filtering section.
0
 
LVL 27

Assisted Solution

by:DrDave242
DrDave242 earned 2000 total points
ID: 41858950
You don't need the security group if all of the machines in the OU will have the policy applied to them. If you want only some of the machines in the OU to have the policy applied, then you can use Security Filtering (and the group) to control which ones will and which ones won't.
0
 
LVL 3

Author Closing Comment

by:tech911
ID: 41859102
You are the Dr...  Nice job, everything you explained makes perfect sense.

Thank you,

Chris
0

Featured Post

Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question