king daddy asked:

Capture all domain computers in AD by applying a WSUS GPO along with the default domain policy under the domain at the top of the Group Policy structure?

In order to capture all computers in the domain on the new WSUS server, should I place a WSUS GPO just under the domain (like with the default domain policy)? Would that be a bad idea?

To note, I found 145 servers in AD using powershell with only 8 of them being disabled. Since yesterday, 45 have shown up on WSUS but they are in specific OUs where I linked the WSUS GPO. The other servers are in the Computers container and Domain Controllers OU (12 DCs). So, I am about 90 off between AD and WSUS (after I link the WSUS GPO to the Domain Controllers OU).

Thanks.
Tags: Microsoft Server OS, WSUS, Active Directory

Last Comment: king daddy, 8/22/2022 - Mon
SOLUTION
Hypercat (Deb)

kevinhsieh

I link GPOs to the top of the domain, and then I also link them to any OU where inheritance is blocked.

IMHO, yes, you should link the GPO to the domain root. Also link it to any OU where inheritance is blocked but where you want the GPO to apply.

As a reminder, don't modify the default domain policy. I don't think that you did, but we should all be clear that it's bad practice to do so.

Leaving computers in the Computers container is not good practice. Move them to an OU.
Brian Murphy

A few dependency questions:

Do you have multiple operating systems that require patching?

Is WSUS configured to apply these policies to the different OSes represented (Computer Groups), so that you can perform future patches, approve those patches per operating system, and schedule the patching and reboots to match your change management window(s)?

If so, can like-OS servers be moved to separate OUs with different update policies? This comes in handy if you don't want to apply blanket updates and reboot all servers at the same time when that doesn't correspond to an outage window.

Are all the servers located on the same physical LAN? If you have separate sites, you might need separate WSUS servers.
king daddy

ASKER
Thanks Hypercat and kevinhsieh for replying. First, to be clear, I did not modify the default policy. I created WSUS - Servers and WSUS - Workstations policies. Also, I am kinda glad I didn't see these replies until after I did what I did (below) as the two different viewpoints would have made it more challenging to decide (though, I lean toward Hypercat's input - sorry kevinhsieh :-))

I ended up running a PowerShell script to find the servers' DNs from AD and piped that to a CSV. I then did a Find in Excel and looked for "CN=Computers" so I could determine which servers were in the Computers container. I went to AD and moved them to pre-existing Server OUs that already have the WSUS - Servers GPO. Though, there were only 25 servers in the Computers container. Unfortunately, this still leaves 53 servers unaccounted for (at least until I look at that CSV for the OUs where these servers reside).
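As an added check (not code from the thread or from any poster), the PowerShell below does what the export-to-CSV-and-search-in-Excel step did and also covers kevinhsieh's point about OUs with blocked inheritance: it groups enabled servers by parent container and flags any container where a domain-root-linked WSUS GPO would not reach them. The GPO name "WSUS - Servers" is taken from the thread; filtering on OperatingSystem to find servers is an assumption, and the RSAT ActiveDirectory and GroupPolicy modules are required.

```powershell
# Added example: report, per parent container, how many enabled servers sit there
# and whether the WSUS GPO actually reaches that container.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'WSUS - Servers'   # GPO name as used in the thread

# Assumption: "server" means an enabled computer whose OS name contains "Server".
$servers = Get-ADComputer -Filter "Enabled -eq 'True' -and OperatingSystem -like '*Server*'" `
                          -Properties OperatingSystem, DistinguishedName

# Parent container = the DN with the leading "CN=<computername>," removed.
$byContainer = $servers | Group-Object { $_.DistinguishedName -replace '^CN=[^,]+,', '' }

foreach ($group in ($byContainer | Sort-Object Count -Descending)) {
    $container = $group.Name
    $note = @()

    if ($container -match '^CN=Computers,') {
        # The default Computers container is not an OU: no GPO can be linked to it.
        $note += 'default Computers container (no GPO link possible; move to an OU)'
    }
    else {
        $inh = Get-GPInheritance -Target $container
        if ($inh.GpoInheritanceBlocked) {
            $note += 'inheritance BLOCKED (needs a direct link)'
        }
        # InheritedGpoLinks lists GPOs linked here or inherited from parents.
        if (-not ($inh.InheritedGpoLinks | Where-Object DisplayName -eq $gpoName)) {
            $note += "'$gpoName' not applied to this container"
        }
    }

    [pscustomobject]@{
        Container = $container
        Servers   = $group.Count
        Status    = if ($note) { $note -join '; ' } else { 'OK' }
    }
}
```

Any row whose Status is not OK is a candidate for the "missing" servers, without having to search the CSV by hand.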
king daddy

ASKER
Damn, Brian, you're killing me. One site is NV, one is TX. I do not have separate policies per OS, and I have a mix of 08, 12, and 16 (though 08 will be going away over the next couple of months). I did create one WSUS group named Servers with subgroups named for each location (the servers' names are based on their location). When I set up the WSUS - Servers policy, I put the group name (Servers) in the client-side targeting setting, but none of them went there by default (I did have WSUS set up before the GPO), so I just monitored and, as they came in, I manually moved them. I could likely redesign AD with OUs based on OS, or at least child OUs based on OS. I will need to think about that as well as how to go about reconfiguring WSUS and GPO afterwards.

I was also planning on a downstream WSUS server at the other site (TX) for those but just started this entire thing last Friday.

This is brand new and can be tweaked / done over if needed.

Thanks for the input
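Added example, not code from the thread: run this on one of the servers to read the Windows Update policy values the GPO actually delivered and compare them with the WSUS server and client-side target group you configured. The WSUS URL is a placeholder; "Servers" is the group name from the thread.

```powershell
# Added example: verify the effective WSUS policy on this machine.
$expectedServer = 'http://wsus01.example.local:8530'   # placeholder, replace with your WSUS URL
$expectedGroup  = 'Servers'                             # client-side targeting group from the thread

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $policy)) {
    Write-Warning 'No WindowsUpdate policy key: the WSUS GPO has not applied here (check gpresult /r).'
    return
}
$wu = Get-ItemProperty -Path $policy
$au = Get-ItemProperty -Path "$policy\AU" -ErrorAction SilentlyContinue

[pscustomobject]@{
    WUServer           = $wu.WUServer
    ServerMatches      = ($wu.WUServer -eq $expectedServer)
    UseWUServer        = [bool]$au.UseWUServer          # 1 = use the WSUS server above
    TargetGroupEnabled = [bool]$wu.TargetGroupEnabled   # 1 = client-side targeting on
    TargetGroup        = $wu.TargetGroup
    GroupMatches       = ($wu.TargetGroupEnabled -eq 1 -and $wu.TargetGroup -eq $expectedGroup)
}
```

Client-side targeting only places a computer in the named group if the WSUS console (Options > Computers) is set to use Group Policy or registry settings on computers; otherwise new clients land in Unassigned Computers even when GroupMatches is true.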
SOLUTION
kevinhsieh
ASKER CERTIFIED SOLUTION
Hypercat (Deb)

King Daddy - I think Brian has covered it all in terms of the details of organizing and managing the different OS's and OU's.
king daddy

ASKER
Thanks everyone. I am going to go over Brian's links and proceed accordingly. We don't have bandwidth issues so may try one WSUS then add one if needed.