Capture all domain computers in AD by applying a WSUS GPO along with the default domain policy under the domain at the top of the Group Policy structure?

king daddy
In order to capture all computers in the domain on the new WSUS server, should I place a WSUS GPO just under the domain (like with the default domain policy)? Would that be a bad idea?

To note, I found 145 servers in AD using powershell with only 8 of them being disabled. Since yesterday, 45 have shown up on WSUS but they are in specific OUs where I linked the WSUS GPO. The other servers are in the Computers container and Domain Controllers OU (12 DCs). So, I am about 90 off between AD and WSUS (after I link the WSUS GPO to the Domain Controllers OU).


It's not a good idea to link a GPO at the domain level because it can have unpredictable results.  For example, if the servers you're trying to manage are in their own OU(s), inheritance may be blocked so that the domain-level policy wouldn't be applied. OTOH, the policy might be applied to OUs containing computers that you don't want to have using that policy.

The ideal situation is to link the WSUS policy to the specific OUs that contain the machines you want to manage.  Do you know what OUs in AD contain all of the servers you're trying to manage?  You really need to have that information in order to apply the policy correctly and in an easily managed way.  

Alternatively, you can use a Security Group to apply the policy instead of doing it by OU membership.  It just depends on how your AD is organized.  In order to do it using a Security Group, you have to be able to find the individual servers in AD and add them to the Security group you've created (i.e., "Server WSUS Group").
kevinhsieh, Network Engineer

I link GPOs to the top of the domain, and then I also link them to any OU where inheritance is blocked.

IMHO, yes, you should link the GPO to the domain root. Also link it to any OU where inheritance is blocked but where you want the GPO to apply.

As a reminder, don't modify the default domain policy. I don't think that you did, but we should all be clear that it's bad practice to do so.

Leaving computers in the Computers container is not good practice. Move them to an OU.
Brian Murphy, Senior Information Technology Consultant

A few dependency questions:

Do you have multiple operating systems that require patching?  

Is WSUS configured to apply these policies to the different OSes represented (Computer Groups), so that you can perform future patches, approve those patches per operating system, and schedule the patching and reboots accordingly to match change management window(s)?

If so, can like-OS servers be moved to separate OUs with different update policies? This comes in handy if you don't want to apply blanket updates and reboot all servers at the same time when that doesn't correspond to some outage window.

Are all the servers located on the same physical LAN?  If you have separate sites, might need separate WSUS Servers.

Thanks Hypercat and kevinhsieh for replying. First, to be clear, I did not modify the default policy. I created WSUS - Servers and WSUS - Workstations policies. Also, I am kinda glad I didn't see these replies until after I did what I did (below) as the two different viewpoints would have made it more challenging to decide (though, I lean toward Hypercat's input - sorry kevinhsieh :-))

I ended up running a PowerShell script to find the servers' DNs from AD and piped that to a CSV. I then did a Find in Excel and looked for "CN=Computers" so I could determine which servers were in the Computers container. I went to AD and moved them to pre-existing Server OUs that already have the WSUS - Servers GPO. Though, there were only 25 servers in the Computers container. Unfortunately, this still leaves 53 servers unaccounted for (at least until I look at that CSV for the OUs where these servers reside).


Damn, Brian, you're killing me. One site is NV, one is TX. I do not have separate policies per OS and I have a mix of 08, 12, and 16 (though 08 will be going away over the next couple of months). I did create one WSUS group named Servers with subgroups named for each location (the servers' names are based on their location). When I set up the WSUS - Servers policy, I put the group name (Servers) in the client-side targeting setting, but none of them went there by default (I did have WSUS set up before the GPO), so I just monitored and as they came in I manually moved them. I could likely redesign AD with OUs based on OS, or at least child OUs based on OS. I will need to think about that as well as how to go about reconfiguring WSUS and the GPO afterward.

I was also planning on a downstream WSUS server at the other site (TX) for those but just started this entire thing last Friday.

This is brand new and can be tweaked / done over if needed.

Thanks for the input
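The reconciliation the asker describes above (pull every server's DN from AD, find the ones sitting in CN=Computers, then work out which OUs the remaining servers live in) can be done in one script rather than via CSV and Excel. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, and, when run on the WSUS server, the UpdateServices module so the AD list can be compared with what WSUS has actually seen. The server name `wsus01`, port 8530 and the target OU are placeholders.

```powershell
# Added example (not from the original thread): reconcile AD server objects against WSUS.
# Assumptions: ActiveDirectory module present; UpdateServices module present if run on the
# WSUS server. 'wsus01', 8530 and the target OU below are placeholder values.
param(
    [string]$WsusServer = 'wsus01',
    [int]$WsusPort      = 8530,
    [string]$CsvPath    = "$env:TEMP\ad-vs-wsus.csv",
    [string]$TargetOu   = 'OU=Servers,DC=example,DC=com'   # assumption: where moved servers go
)

Import-Module ActiveDirectory

# 1. Every enabled server-class computer object, with the container or OU that holds it.
$adServers = Get-ADComputer -Filter { OperatingSystem -like '*Server*' -and Enabled -eq $true } `
                            -Properties OperatingSystem, LastLogonDate |
    ForEach-Object {
        [pscustomobject]@{
            Name                 = $_.Name
            FQDN                 = "$($_.DNSHostName)".ToLower()
            OS                   = $_.OperatingSystem
            LastLogonDate        = $_.LastLogonDate
            # Everything after the leading "CN=<name>," is the parent container/OU.
            ParentPath           = ($_.DistinguishedName -split ',', 2)[1]
            # CN=Computers is a container, not an OU: no GPO can be linked to it.
            InComputersContainer = $_.DistinguishedName -match '^CN=[^,]+,CN=Computers,DC='
            IsDomainController   = $_.DistinguishedName -match ',OU=Domain Controllers,DC='
        }
    }

# 2. Computers that have actually checked in with WSUS, keyed by the FQDN WSUS records.
$seenByWsus = @{}
if (Get-Module -ListAvailable -Name UpdateServices) {
    $wsus = Get-WsusServer -Name $WsusServer -PortNumber $WsusPort
    Get-WsusComputer -UpdateServer $wsus | ForEach-Object {
        $seenByWsus[$_.FullDomainName.ToLower()] = $_.LastReportedStatusTime
    }
} else {
    Write-Warning 'UpdateServices module not found; WSUS comparison skipped (run on the WSUS server).'
}

# 3. Join the two views and export the full picture.
$report = $adServers | ForEach-Object {
    $_ | Add-Member -NotePropertyName ReportsToWsus -NotePropertyValue $seenByWsus.ContainsKey($_.FQDN) -PassThru |
         Add-Member -NotePropertyName LastReportedToWsus -NotePropertyValue $seenByWsus[$_.FQDN] -PassThru
}
$report | Export-Csv -Path $CsvPath -NoTypeInformation

$missing = @($report | Where-Object { -not $_.ReportsToWsus })
'AD servers: {0}   reporting to WSUS: {1}   missing: {2}' -f $report.Count, ($report.Count - $missing.Count), $missing.Count

# Which containers/OUs hold the servers WSUS has never seen? That is the list of places
# still needing the GPO link (or a move out of CN=Computers).
"`n== Servers not reporting to WSUS, grouped by parent container/OU =="
$missing | Group-Object ParentPath | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"`n== Servers still in CN=Computers (move these into a server OU) =="
$report | Where-Object InComputersContainer | Format-Table Name, OS, LastLogonDate -AutoSize

# 4. Dry run of the move; remove -WhatIf once the target OU is right.
$report | Where-Object InComputersContainer | ForEach-Object {
    Get-ADComputer -Identity $_.Name | Move-ADObject -TargetPath $TargetOu -WhatIf
}
```

The grouping by parent path is the useful part: the 53 servers that were "unaccounted for" in the post above are exactly the rows with `ReportsToWsus` false, and the group output names the OUs that still need a GPO link (or have inheritance blocked).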
kevinhsieh, Network Engineer
I have 1 WSUS server that handles 3 states. You don't need more than 1 server if you have enough bandwidth.

I do security filtering for applying different GPO if needed for install/reboot timing, or different client side targeting groups.

A group of servers gets patched any day updates become available. Normal servers get patched once a week, with some scheduled staggering managed via GPO.

GPO can also be applied via WMI filtering, so no need to create OU or security group based on OS.
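The pattern kevinhsieh describes (one link at the domain root, extra links wherever inheritance is blocked, security filtering to pick which servers get which install/reboot timing, and WMI filters to select by OS instead of creating OUs or groups) looks like this in PowerShell. This is an added example, not the poster's own script; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the GPO name, security group name and OU paths are placeholders. WMI filters cannot be created with the GroupPolicy cmdlets, so the block only lists the WQL to paste into GPMC and tests which filter a given host would match.

```powershell
# Added example (not from the original thread). Assumptions: GroupPolicy and ActiveDirectory
# modules; 'WSUS - Servers - Weekly' and 'WSUS-Servers-Weekly' are placeholder names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$gpoName  = 'WSUS - Servers - Weekly'    # assumption: placeholder GPO name
$group    = 'WSUS-Servers-Weekly'        # assumption: placeholder security group for this timing

# 1. Create the GPO (if needed) and link it once, at the domain root.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Security filtering: only members of $group get Apply. Authenticated Users must keep Read
#    (since MS16-072 the computer reads the GPO in its own context), so it is downgraded from
#    Apply to Read with -Replace rather than removed.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security | Out-Null
}
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. A root link stops at any OU with "Block Inheritance"; link there too, as the post says.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $inh = Get-GPInheritance -Target $_.DistinguishedName
    if ($inh.GpoInheritanceBlocked -and ($inh.GpoLinks.DisplayName -notcontains $gpoName)) {
        New-GPLink -Name $gpoName -Target $_.DistinguishedName -LinkEnabled Yes | Out-Null
        "Linked '$gpoName' to $($_.DistinguishedName) (inheritance blocked there)"
    }
}

# 4. WMI filters select by OS without new OUs or groups. Paste the WQL into GPMC > WMI Filters
#    and attach one per GPO. ProductType: 1 = workstation, 2 = domain controller, 3 = member
#    server. 2016 and 2019 both report Version 10.0, so 2016 is pinned by BuildNumber.
$wmiFilters = [ordered]@{
    'Server 2008'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType <> 1'
    'Server 2008 R2' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> 1'
    'Server 2012'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType <> 1'
    'Server 2012 R2' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType <> 1'
    'Server 2016'    = 'SELECT * FROM Win32_OperatingSystem WHERE BuildNumber = "14393" AND ProductType <> 1'
}

# Evaluate each filter against a host the same way the client would, via CIM (local by default,
# WinRM for a remote name), so a filter can be checked before it is attached to a GPO.
function Test-WmiFilter {
    param([string]$ComputerName = $env:COMPUTERNAME)
    foreach ($f in $wmiFilters.GetEnumerator()) {
        $hit = Get-CimInstance -ComputerName $ComputerName -Query $f.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{ Computer = $ComputerName; Filter = $f.Key; Matches = [bool]$hit }
    }
}
Test-WmiFilter | Format-Table -AutoSize
```

Run `Test-WmiFilter` against one representative server of each OS before attaching the filters; exactly one row per host should read `Matches: True`. A filter that matches nothing silently stops the GPO from applying, which looks the same in the WSUS console as a missing link.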
Brian Murphy, Senior Information Technology Consultant
Well, there is more than one way to accomplish this but just keeping it simple...

You're going to need to create those "Collections" in WSUS for each OS. That is essentially your Computer Group name. When you move the computers into the OU in AD, turn on Enforce relative to the WSUS policy; only then will you see them populate under the WSUS console (assuming no typos in the targeted name).

Then you can actually apply only patches relative to those Operating Systems and configure your patch and reboot schedules.

If you want to straddle those reboots, then you're going to need multiple policies per OU, but you can use AD groups, add the computers, and then apply permissions only to those groups relative to applying that GPO. Now you can properly schedule the updates and reboots and have the correct updates applied to the correct OS.

You can review all the settings that should be set here: 

My comment regarding the client side targeting and name matching, here:

Regarding remote sites and WSUS Replica? Here:
And if your users are "sensitive" to bandwidth issues, I recommend a replica.

Hope this helps.
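Brian's "assuming no typos in the targeted name" caveat is where client-side targeting most often fails, and the asker's servers landing in Unassigned Computers is the usual symptom. The following added example (not from the thread) checks, from the WSUS server, what WSUS policy each client actually received and whether its TargetGroup matches a group that exists in WSUS. It assumes the UpdateServices module, WinRM access to the clients, and that the WSUS option "Use Group Policy or registry settings on computers" is selected; `wsus01`, port 8530 and the host names are placeholders.

```powershell
# Added example (not from the original thread): verify client-side targeting end to end.
# Assumptions: run on the WSUS server (UpdateServices module), WinRM to the clients, and the
# WSUS console set to "Use Group Policy or registry settings on computers".
# 'wsus01', 8530 and the computer names are placeholder values.
param(
    [string[]]$ComputerName = @('srv-nv-01', 'srv-tx-01'),   # assumption: placeholder hosts
    [string]$WsusServer = 'wsus01',
    [int]$WsusPort      = 8530
)

# Group names WSUS actually knows. Client-side targeting is a plain string match against these,
# so spelling and punctuation in the GPO must agree exactly.
$wsus        = Get-WsusServer -Name $WsusServer -PortNumber $WsusPort
$knownGroups = $wsus.GetComputerTargetGroups() | ForEach-Object Name

# The WSUS GPO lands in these two registry keys on the client; read the effective values.
$policy = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        WUServer           = $wu.WUServer
        TargetGroup        = $wu.TargetGroup
        TargetGroupEnabled = [bool]$wu.TargetGroupEnabled
        UseWUServer        = [bool]$au.UseWUServer
        AUOptions          = $au.AUOptions             # 3 = download and notify, 4 = auto install on schedule
        ScheduledDay       = $au.ScheduledInstallDay   # 0 = every day, 1 = Sunday ... 7 = Saturday
        ScheduledHour      = $au.ScheduledInstallTime  # 0-23
    }
}

# Flag the conditions that keep a server out of its intended WSUS group.
$policy | ForEach-Object {
    $problems = @()
    if (-not $_.WUServer)           { $problems += 'no WUServer: WSUS GPO not applied (check link, inheritance, gpresult /r)' }
    if (-not $_.UseWUServer)        { $problems += 'UseWUServer=0: client still uses Windows Update' }
    if (-not $_.TargetGroupEnabled) { $problems += 'client-side targeting disabled in policy' }
    elseif ($_.TargetGroup -notin $knownGroups) { $problems += "TargetGroup '$($_.TargetGroup)' does not exist in WSUS (typo?)" }
    $_ | Add-Member -NotePropertyName Problems -NotePropertyValue ($problems -join '; ') -PassThru
} | Format-Table Computer, WUServer, TargetGroup, AUOptions, ScheduledDay, ScheduledHour, Problems -Wrap

# Force a fresh check-in so the console reflects the policy instead of waiting for the
# detection cycle. On 2008/2012 'wuauclt /resetauthorization /detectnow' also re-evaluates
# the group; the COM call below works on 2008 through 2016.
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
}
```

A row with a valid `WUServer` but a `Problems` entry about the TargetGroup is the typo case Brian mentions: the client is reporting to WSUS, but to Unassigned Computers, which is why the asker saw servers arrive and had to move them by hand.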
King Daddy - I think Brian has covered it all in terms of the details of organizing and managing the different OS's and OU's.


Thanks everyone. I am going to go over Brian's links and proceed accordingly. We don't have bandwidth issues so may try one WSUS then add one if needed.
