+ Post New Thread
Results 1 to 2 of 2
Enterprise Software Thread, Changing WSUS default domain policy in Technical; Hi Maybe a really silly question A WSUS policy was set on the default domain policy which encompasses servers and ...
  1. #1

    Join Date
    Dec 2011
    Thank Post
    Thanked 45 Times in 33 Posts
    Rep Power

    Changing WSUS default domain policy


    Maybe a really silly question

    A WSUS policy was set on the default domain policy which encompasses servers and workstations(not ideal) the server that this policy points to no longer exists and I have already built a brand new WSUS server ready to roll, main goal as well as updates, is to accomodate Forefront AV auto updates.

    I want to either remove the entry in default domain policy (and create a new GPO with the new WSUS server to apply to PCs - servers i will rather handle manually for updates)

    Or change the existing entry to point to the new WSUS server, however, that does not give me two seperate policies for servers or workstations?

    I'm mindful however, if i remove the existing default domian policy WSUS setting my servers might revert to download updates automatically with interesting consequences!

    Also am I right in saying even if the GPO points the machines to the correct WSUS server it wont apply updates until I assign these machines to a WSUS group and approve updates in the host WSUS server(this would be ideal, i want some control and only want the workstations updated by WSUS for now. Ie Servers can sty in the unassigned group. For example.

    Hope this makes sense but i guess my piority is to get worstations PCs to automatically update forefront definitions from WSUS server for easter, and do windows updates that are approved in seperate WSUS groups. Servers i would rather be manually done for now.

    Any advice ould be appreciated.

  2. #2
    tigerstar's Avatar
    Join Date
    Jun 2009
    Shropshire, UK
    Thank Post
    Thanked 15 Times in 14 Posts
    Rep Power
    Yeah, you're going about it the right way. I would avoid putting anything in the Default Domain Policy that isn't absolutely essential, so a separate GPO for your WSUS settings is the way to go. It gives you more flexibility in future if you want to adjust the settings for different OUs, groups, etc.

    I wouldn't worry too much about the computers going "rogue" if you remove the WSUS settings from the Default Domain Policy - just make a new GPO with your WSUS settings and apply it to the appropriate OUs. Settings in GPOs at the OU level take precedent over the Default Domain Policy, so you'll be able to tell there and then if the computers are looking to the new update source, before you even remove the obsolete settings.

    Anyway, yes, you are (more or less) correct that until you assign managed computers to a group within WSUS and approve updates for those groups, the computers won't download and install updates. You can approve updates for computers within the "Unassigned" group if you want, but using proper groups within WSUS is a more sensible approach.
    Last edited by tigerstar; 26th March 2012 at 05:46 PM.

  3. Thanks to tigerstar from:

    MrWu (26th March 2012)

+ Post New Thread

Similar Threads

  1. Replies: 0
    Last Post: 19th August 2011, 02:41 PM
  2. Windows 2003 - Default Domain Policy - out of the box settings?
    By pantscat in forum Windows Server 2000/2003
    Replies: 0
    Last Post: 12th May 2011, 10:29 AM
  3. Default domain policy
    By irsprint84 in forum Windows Server 2008 R2
    Replies: 4
    Last Post: 14th April 2011, 05:59 PM
  4. Replies: 11
    Last Post: 26th September 2010, 09:45 PM
  5. Default Domain Policy and RIS
    By chazzy2501 in forum Windows Server 2000/2003
    Replies: 2
    Last Post: 5th May 2010, 09:21 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts