
Capture all domain computers in AD by applying a WSUS GPO along with the default domain policy under the domain at the top of the Group Policy structure?

Last Modified: 2019-01-16
In order to capture all computers in the domain on the new WSUS server, should I place a WSUS GPO just under the domain (like with the default domain policy)? Would that be a bad idea?

To note, I found 145 servers in AD using powershell with only 8 of them being disabled. Since yesterday, 45 have shown up on WSUS but they are in specific OUs where I linked the WSUS GPO. The other servers are in the Computers container and Domain Controllers OU (12 DCs). So, I am about 90 off between AD and WSUS (after I link the WSUS GPO to the Domain Controllers OU).

Thanks.

Hypercat (Deb), President
CERTIFIED EXPERT
Commented:
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
I link the GPO to the top of the domain, and then I also link it to any OU where inheritance is blocked.

IMHO, yes, you should link the GPO to the domain root. Also link it to any OU where inheritance is blocked but where you want the GPO to apply.

As a reminder, don't modify the default domain policy. I don't think that you did, but we should all be clear that it's bad practice to do so.

Leaving computers in the Computers container is not good practice. Move them to an OU.
Brian Murphy, Senior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
A few dependency questions:

Do you have multiple operating systems that require patching?

Is WSUS configured to apply these policies to the different OSes represented (Computer Groups)? That lets you perform future patches, approve those patches per operating system, and schedule the patching and reboots to match change management window(s).

If so, can like-OS servers be moved to separate OUs with separate update policies? This comes in handy if you don't want to apply blanket updates and reboot all servers at the same time when that doesn't correspond to an outage window.

Are all the servers located on the same physical LAN? If you have separate sites, you might need separate WSUS servers.

Author

Commented:
Thanks Hypercat and kevinhsieh for replying. First, to be clear, I did not modify the default policy. I created WSUS - Servers and WSUS - Workstations policies. Also, I am kinda glad I didn't see these replies until after I did what I did (below) as the two different viewpoints would have made it more challenging to decide (though, I lean toward Hypercat's input - sorry kevinhsieh :-))

I ended up running a PowerShell script to find the servers' DNs from AD and piped that to a CSV. I then did a Find in Excel and looked for "CN=Computers" so I could determine which servers were in the Computers container. I went to AD and moved them to pre-existing Server OUs that already have the WSUS - Servers GPO. Though, there were only 25 servers in the Computers container. Unfortunately, this still leaves 53 servers unaccounted for (at least until I look at that CSV for the OUs where these servers reside).
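An added example, not the author's script or anything from the thread, that does the same AD-to-WSUS reconciliation in PowerShell instead of by hand in Excel: it flags computers still in the default Computers container (where no GPO can be linked), lists enabled AD computers that have never reported to WSUS, and finishes with the OUs that have Block Inheritance set, which is the case kevinhsieh's answer says needs an explicit link. It assumes the RSAT ActiveDirectory and GroupPolicy modules plus the UpdateServices module; the WSUS server name and port are placeholders.

```powershell
# Added example, not the author's script: reconcile enabled AD computer
# objects with WSUS registrations and show where the unregistered ones sit.
# Assumes RSAT (ActiveDirectory, GroupPolicy) and the UpdateServices module.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module UpdateServices

$wsusHost = 'WSUS01'   # placeholder: your WSUS server name
$wsusPort = 8530       # default HTTP port; 8531 if WSUS uses SSL

# Enabled computer objects only; disabled ones never check in anyway.
$adComputers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties DNSHostName, OperatingSystem, LastLogonDate

# Every client that has reported to WSUS, keyed by FQDN for a case-insensitive join.
$wsus = Get-WsusServer -Name $wsusHost -PortNumber $wsusPort
$seenByWsus = @{}
foreach ($c in (Get-WsusComputer -UpdateServer $wsus)) {
    $seenByWsus[$c.FullDomainName.ToLower()] = $c.LastReportedStatusTime
}

$report = foreach ($ad in $adComputers) {
    $fqdn   = if ($ad.DNSHostName) { $ad.DNSHostName.ToLower() } else { $ad.Name.ToLower() }
    # Parent of the object DN: "CN=Computers,DC=..." or "OU=Servers,DC=..."
    $parent = $ad.DistinguishedName -replace '^CN=[^,]+,', ''
    [pscustomobject]@{
        Name                 = $ad.Name
        OS                   = $ad.OperatingSystem
        Parent               = $parent
        InComputersContainer = $parent -like 'CN=Computers,*'   # no GPO can be linked here
        LastLogonDate        = $ad.LastLogonDate
        ReportedToWsus       = $seenByWsus.ContainsKey($fqdn)
        LastWsusReport       = $seenByWsus[$fqdn]
    }
}

# The gap the author was chasing: enabled in AD but never reported to WSUS.
$report | Where-Object { -not $_.ReportedToWsus } |
    Sort-Object Parent, Name |
    Export-Csv -Path .\ad-not-in-wsus.csv -NoTypeInformation

# OUs with Block Inheritance set: a domain-root link will not reach these,
# so the WSUS GPO has to be linked on each of them explicitly.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object GpoInheritanceBlocked |
    Select-Object Path, @{ n = 'LinkedGpos'; e = { ($_.GpoLinks | ForEach-Object DisplayName) -join '; ' } }
```

Computers whose DNSHostName is empty are matched on the bare name, so a stale or missing DNS suffix in AD will show up as "not reported" even if the box is in WSUS; check those rows against the WSUS console before moving anything.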

Author

Commented:
Damn, Brian, you're killing me. One site is in NV, one is in TX. I do not have separate policies per OS, and I have a mix of 08, 12, and 16 (though 08 will be going away over the next couple of months). I did create one WSUS group named Servers with subgroups named for each location (the servers' names are based on their location). When I set up the WSUS - Server policy, I put the group name (Servers) in the client-side targeting setting, but none of them went there by default (I did have WSUS set up before the GPO), so I just monitored and, as they came in, I manually moved them. I could likely redesign AD with OUs based on OS, or at least child OUs based on OS. I will need to think about that, as well as how to go about reconfiguring WSUS and the GPO afterward.

I was also planning on a downstream WSUS server at the other site (TX) for those but just started this entire thing last Friday.

This is brand new and can be tweaked / done over if needed.

Thanks for the input
kevinhsieh, Network Engineer
CERTIFIED EXPERT
Commented:
Brian Murphy, Senior Information Technology Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Hypercat (Deb), President
CERTIFIED EXPERT

Commented:
King Daddy - I think Brian has covered it all in terms of the details of organizing and managing the different OSes and OUs.

Author

Commented:
Thanks everyone. I am going to go over Brian's links and proceed accordingly. We don't have bandwidth issues, so I may try one WSUS server and then add one if needed.