WSUS question Regarding A second Policy

Wong

I have one WSUS policy, in the same location as the default GPO policy. I have all my clients reporting to my WSUS and they are receiving updates etc. Is it possible for me to create a second WSUS GPO in a different OU, e.g. Sales? In this GPO I want them to update and install at 1am. These clients are already connected/reporting status to the WSUS and are receiving updates.

I have tried to block inheritance on the OU (test OU) itself, as I thought it would then take the GPO within that OU as the default WSUS policy. The test PC that I have set up does not restart/install updates at the scheduled time; is this because of the previous settings it has from the previous policy?

Is there a way I can set up another WSUS GPO where I can specify which computers get updated at a certain time?

I have had no luck browsing Microsoft forums :?

Thanks in advance for any help
 
Hey Wong,

Sure you can (have as many GPOs linked to as many WSUS groups as you want).
The key is having multiple WSUS groups inside WSUS.
Normally guys just use the one single default group in WSUS, but this gets a little tricky if you want multiple GPOs, because each GPO wants to look at its own unique WSUS group.

Just create more WSUS computer groups and move the computer accounts from one WSUS group to another (within the WSUS console).

GPO 1
wsus server = server1
wsus group = desktops7
with settings XYZ

GPO 2
wsus server = server1
wsus group = desktopsXP
with settings ABC

GPO 3
wsus server = server1
wsus group = servers
with settings EFG

Using this method you can add the computers you want to the specific group and then create a GPO for each of the WSUS groups, each GPO having its own unique settings.
FI: servers, desktops7, desktopsXP, noautorebootXP, etc.

I have quite a number of WSUS groups, each with its own GPO:
one for each machine type, and again one for each WSUS server (per region).


If you find an old Group Policy is still being enforced on a client PC (happens when you make lots of changes), go into the client registry and delete the WSUS keys.
Reboot the PC and run the command line "gpupdate /force".
This will force the client to re-negotiate and apply the new policy.

And there are a number of WSUS command-line tools you can use on the client PCs to troubleshoot:


wuauclt.exe /TestWSUSServer (tests the connection with the WSUS server)
wuauclt.exe /configlist (lists all WSUS settings being used by the client - a VERY handy tool)
wuauclt.exe /detectnow (shows WSUS server name, number of updates on server, # of required updates)
wuauclt.exe /configlist (lists the Windows Update automatic update client configuration)
wuauclt.exe /installAUclient (re-installs the automatic update client from the WSUS server)
wuauclt.exe /installAUclientFromMicrosoft (re-installs the automatic update client from MS Update)
wuauclt.exe /downloadnow (initiates an immediate download of any required updates using BITS)
wuauclt.exe /downloadnowfast (initiates an immediate download of any required updates using HTTP)


best of luck,
:-)
 
oh yes, regarding WSUS policy inheritance:

Rather link each WSUS GPO directly to its respective OU, i.e. don't inherit WSUS policies from the root OU.

If you place a WSUS GPO in the root OU (and have it cascade down to all child OUs) then it gets tricky if you have a complex directory and/or if you want to have multiple WSUS groups.
Only place GPOs in the root OU that specify things like proxy settings, antivirus server settings, IE home page & security settings, etc.

e.g.: only inherit settings that you definitely want to have cascaded down to all machines.
 
Thanks for the help bubba. I have moved the WSUS GPO from the root OU to specific OUs; just need to test the scheduled update GPO. Which specific registry settings do I need to delete? Or do I need to delete the following path: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate? Also I'm not 100% sure what you mean when you say you can link a GPO to a specific WSUS group (just need to clear up so I understand :D):
GPO 1
wsus server = server1
wsus group = desktops7
with settings XYZ

That WSUS group consists of computers from Active Directory Computers? So in the GPO it refers to the computer names, and not the group in the WSUS console that you create?
 
Creating new WSUS groups

This is a good explanation of why you want to create WSUS groups.
http://technet.microsoft.com/en-us/library/cc708451(WS.10).aspx

and this one shows you how (for WSUS 3.0 SP2): http://technet.microsoft.com/en-us/library/dd939860(WS.10).aspx



The registry key (on clients) to look for is: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate


There are two popular (quick) methods of testing new WSUS settings on clients:

a) just delete the above key and reboot
(check your WSUS console to see if the client computer status has changed (new updates etc))

b) go to a command prompt on the client PC and type "gpupdate /force"
This forces the client to check for updated GPOs and execute them.
(check your WSUS console to see if the client computer status has changed (new updates etc))


** remember not to test new WSUS settings on your live environment.
:-)
Just create a test OU in AD and dump a PC or two into it.
Assign the test GPO to the test OU and run your tests.
When all is well assign the GPO to the OU's that contain your live/production machines.

PS:
to test I just VNC onto the test client PC and delete the above key and then do a "gpupdate /force" - remember to check Event Viewer, it'll tell you if the policy was loaded successfully.
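An added example (not code from the thread or from either poster) that goes with the registry/gpupdate testing steps above: after "gpupdate /force", read back the WindowsUpdate policy key on the test client so you can see which WSUS server, target group and install schedule the new GPO actually delivered. It assumes the policy key named above and the documented Windows Update policy value names; $expectedServer is a placeholder to replace with your own WSUS URL.

```powershell
# Added example (not from the thread): show the WSUS policy a client has actually received,
# so a new GPO can be verified on the test OU before it goes near production machines.
# Run in an elevated PowerShell on the test client after "gpupdate /force".
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # key named in the thread
$au   = Join-Path $base 'AU'                                         # Automatic Updates subkey

if (-not (Test-Path $base)) {
    Write-Warning 'No WSUS policy key present: no WSUS GPO has applied yet (or the key was just deleted).'
    return
}
$wu      = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
$auProps = if (Test-Path $au) { Get-ItemProperty -Path $au -ErrorAction SilentlyContinue } else { $null }

# Documented meanings of AUOptions and ScheduledInstallDay (0 = every day, 1 = Sunday .. 7 = Saturday)
$auMeaning = @{ 2 = 'Notify before download'; 3 = 'Auto download, notify to install'
                4 = 'Auto download and schedule install'; 5 = 'Local admin chooses' }
$days = @('Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')

$report = [ordered]@{
    WUServer             = $wu.WUServer                       # intranet update server (the WSUS URL)
    WUStatusServer       = $wu.WUStatusServer                 # where the client reports status
    ClientSideTargeting  = [bool]$wu.TargetGroupEnabled       # true if the GPO names a WSUS group
    TargetGroup          = $wu.TargetGroup                    # the WSUS console group the GPO points at
    UseWUServer          = [bool]$auProps.UseWUServer         # must be true or WUServer is ignored
    AUOptions            = if ($auProps.AUOptions) { "$($auProps.AUOptions) ($($auMeaning[[int]$auProps.AUOptions]))" } else { 'not set' }
    ScheduledInstallDay  = if ($null -ne $auProps.ScheduledInstallDay)  { $days[[int]$auProps.ScheduledInstallDay] } else { 'not set' }
    ScheduledInstallTime = if ($null -ne $auProps.ScheduledInstallTime) { '{0:00}:00' -f [int]$auProps.ScheduledInstallTime } else { 'not set' }
    NoAutoRebootWithLoggedOnUsers = [bool]$auProps.NoAutoRebootWithLoggedOnUsers
}
[pscustomobject]$report | Format-List

# Sanity checks for the scenario in the thread: the Sales GPO should still point at the
# same WSUS server and schedule the install for 01:00 (AUOptions 4, ScheduledInstallTime 1).
$expectedServer = 'http://server1:8530'   # placeholder: replace with your WSUS URL
if ($wu.WUServer -ne $expectedServer) {
    Write-Warning "WUServer is '$($wu.WUServer)', expected '$expectedServer' - old policy may still be cached."
}
if ([int]$auProps.AUOptions -ne 4 -or [int]$auProps.ScheduledInstallTime -ne 1) {
    Write-Warning 'Scheduled install at 01:00 is not in effect; check the GPO link and the Event Viewer Group Policy log.'
}
```

If the key is missing entirely the client has simply not received any WSUS GPO yet, which is the expected state right after deleting the key and before the next policy refresh.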
 
hehe, I was just making sure which groups you were talking about, i.e. the WSUS console. I am using a TEST OU. I will delete that key and give my other GPO a try. Thanks again for the help bubba.
 
a quick note:
When you approve updates: If you only have one group called "all computers" then WSUS approves any and all updates automatically for that one group (and everything in it).

But when you have multiple WSUS groups and you click on "approve updates", WSUS then prompts you with a selection window listing all your groups; you then have to specify which groups (1 or more) you want the updates to apply to.

= more work
:-)
 