26th March 2012, 05:27 PM #1
Changing WSUS default domain policy
Maybe a really silly question
A WSUS policy was set on the default domain policy, which encompasses servers and workstations (not ideal). The server that this policy points to no longer exists and I have already built a brand new WSUS server ready to roll; the main goal, as well as updates, is to accommodate Forefront AV auto updates.
I want to either remove the entry in the default domain policy (and create a new GPO with the new WSUS server to apply to PCs; servers I would rather handle manually for updates),
or change the existing entry to point to the new WSUS server. However, that does not give me two separate policies for servers and workstations?
I'm mindful, however, that if I remove the existing default domain policy WSUS setting, my servers might revert to downloading updates automatically, with interesting consequences!
Also, am I right in saying that even if the GPO points the machines to the correct WSUS server, it won't apply updates until I assign these machines to a WSUS group and approve updates in the host WSUS server? (This would be ideal; I want some control and only want the workstations updated by WSUS for now, i.e. servers can stay in the unassigned group, for example.)
Hope this makes sense, but I guess my priority is to get workstation PCs to automatically update Forefront definitions from the WSUS server for Easter, and do Windows updates that are approved in separate WSUS groups. Servers I would rather be manually done for now.
Any advice would be appreciated.
26th March 2012, 05:39 PM #2
Yeah, you're going about it the right way. I would avoid putting anything in the Default Domain Policy that isn't absolutely essential, so a separate GPO for your WSUS settings is the way to go. It gives you more flexibility in future if you want to adjust the settings for different OUs, groups, etc.
I wouldn't worry too much about the computers going "rogue" if you remove the WSUS settings from the Default Domain Policy - just make a new GPO with your WSUS settings and apply it to the appropriate OUs. Settings in GPOs at the OU level take precedence over the Default Domain Policy, so you'll be able to tell there and then if the computers are looking to the new update source, before you even remove the obsolete settings.
Anyway, yes, you are (more or less) correct that until you assign managed computers to a group within WSUS and approve updates for those groups, the computers won't download and install updates. You can approve updates for computers within the "Unassigned" group if you want, but using proper groups within WSUS is a more sensible approach.
Last edited by tigerstar; 26th March 2012 at 05:46 PM.
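
The approach from the reply above (a separate WSUS GPO linked at the OU level, checked on a client before the old Default Domain Policy entry is removed), as an added example that is not part of the original thread. The GPO name, OU path, server URL and WSUS group name are placeholders; the registry values are the standard Windows Update policy keys.

```powershell
# Added example. Every name below is a placeholder, not a value from the thread.
Import-Module GroupPolicy

$GpoName   = 'WSUS - Workstations'                  # hypothetical GPO name
$TargetOu  = 'OU=Workstations,DC=example,DC=local'  # hypothetical workstation OU
$WsusUrl   = 'http://wsus-new.example.local'        # placeholder for the new WSUS server
$WsusGroup = 'Workstations'                         # hypothetical WSUS computer group
$WuKey     = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

# 1. Dedicated GPO, leaving the Default Domain Policy untouched for now.
New-GPO -Name $GpoName | Out-Null

# 2. Update source and reporting server, plus the switch that makes
#    Automatic Updates use them.
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUServer' -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$WuKey\AU" -ValueName 'UseWUServer' -Type DWord -Value 1 | Out-Null

# 3. Client-side targeting: clients report into a named WSUS group, so
#    approvals can be scoped to workstations only.
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'TargetGroupEnabled' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'TargetGroup' -Type String -Value $WsusGroup | Out-Null

# 4. Link to the workstation OU only; the OU-level link wins over the
#    domain-level setting for computers in that OU.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# 5. Run on a workstation after 'gpupdate /force' to confirm which update
#    source the applied policy points at, before removing the old entry.
function Test-WsusPolicy {
    param([Parameter(Mandatory)][string]$ExpectedUrl)
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer      = $wu.WUServer
        TargetGroup   = $wu.TargetGroup
        UseWUServer   = $au.UseWUServer
        PointsAtNew   = ($wu.WUServer -eq $ExpectedUrl) -and ($au.UseWUServer -eq 1)
    }
}

Test-WsusPolicy -ExpectedUrl $WsusUrl
```

Client-side targeting only takes effect when the WSUS server is set to assign computers through Group Policy; otherwise clients appear under Unassigned Computers regardless of the `TargetGroup` value.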