+ Post New Thread
Results 1 to 8 of 8
Windows Server 2000/2003 Thread, Should I apply GPO with automatic updates settings to a user scope or computer scope? in Technical; I thought I read somewhere that you need to apply a GPO that deals with automatic updates to a group ...
  1. #1

    Join Date
    Mar 2009
    Location
    Chicago
    Posts
    25
    Thank Post
    9
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Should I apply GPO with automatic updates settings to a user scope or computer scope?

    I thought I read somewhere that you need to apply a GPO that deals with automatic updates to a group of computers as opposed to a group of users. Is this true?

    What is the difference in applying it to users as opposed to machines, if any?

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,023
    Thank Post
    887
    Thanked 1,720 Times in 1,486 Posts
    Blog Entries
    12
    Rep Power
    452
    Yes. there are some Windows update settings in the user policy i think. But you want to focus on the Computer Policies because the updates apply to the computer rather than the user.

  3. #3

    Join Date
    Mar 2009
    Location
    Chicago
    Posts
    25
    Thank Post
    9
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I know that in the actual GP settings, I need to go under, 'Computer Settings'. But do I apply that GP to machines or users?

    Cause I know lots of time, I will change other 'Computer Settings', but the GPO still gets applied to Authenticated Users

  4. #4

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,859
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    In which case, sounds like you have some loopback policies set up, and therefore I suggest you read the docs (the MCSA book on GP is probably best) before you play, because it makes things horribly complicated.

    Not in a negative way, just in the sense that loopbacking adds such a complication that you'll probably end up breaking something if you don't learn the theory first.

  5. #5

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,023
    Thank Post
    887
    Thanked 1,720 Times in 1,486 Posts
    Blog Entries
    12
    Rep Power
    452
    Quote Originally Posted by -Jim View Post
    I know that in the actual GP settings, I need to go under, 'Computer Settings'. But do I apply that GP to machines or users?

    Cause I know lots of time, I will change other 'Computer Settings', but the GPO still gets applied to Authenticated Users
    You need to apply it to an OU with computers in it

    As far as i am aware loopback will only apply user polices to the computer not computer policies to the user.

  6. #6

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,859
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    Well not quite, loopback doesn't mean that user policies get applied to computers and so forth. It means that when choosing whether a policy object (that is, an object containing both types of policy) is applied, and if so the user portion is applied to the user and the computer portion to the computer. Wheras in normal operation, the user sections that apply to the user get applied to the user, and the computer sections that apply to the computer get applied to the computer.

    With loopback enabled, user policies can be applied to the user based on a computer's location, and computer policies can be applied to the computer based on a user's location. It's the merging that foxes people, because it makes evaluating policies so much more complex.

  7. Thanks to powdarrmonkey from:

    -Jim (31st March 2009)

  8. #7

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,571 Times in 1,251 Posts
    Rep Power
    340
    Alternatively instead of loopback, create a new OU called "Curriculum" and then sub OUs called "Pupils", "ICT Suite", "Classrooms" etc...

    You can then set policies on each of the OUs (if you wished), remembering the last policy in chain always takes precedence.

    So (for example), configure the WSUS policies on the Curriculum OU and you may want to set it so machines update at 10am everyday. You then may decide however, that for machines in the ICT Suite OU that you'd like them to update at 1pm. Tweaking the policy on this OU, would mean all machines in the ICT Suite update at 1pm, instead of other machines which update at 10am.

    You may also find that organising and creating sub OUs is an easier way of managing networks in AD, especially with lots of locations and slightly varying requirements as I described above.

  9. Thanks to Michael from:

    -Jim (31st March 2009)

  10. #8

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,156
    Thank Post
    116
    Thanked 529 Times in 452 Posts
    Blog Entries
    2
    Rep Power
    124
    Quote Originally Posted by -Jim View Post
    I know that in the actual GP settings, I need to go under, 'Computer Settings'. But do I apply that GP to machines or users?

    Cause I know lots of time, I will change other 'Computer Settings', but the GPO still gets applied to Authenticated Users
    Not sure if you're mixing up a few things here.

    When you create a group policy object you have to link it to somewhere in your active directory. That can be an OU which includes computers or an OU which includes people or an OU which includes both.

    If your GPO is only going to make changes in the "computer" section then it makes sense to link it at a level where you only have computers but it does no harm if you link it right at the top of the domain (you might want to apply automatic updates to everything, for example)

    The other thing you can do with GPOs is say that they are targeted at a specific security group -
    "authenticated users" is a security group which includes every security object which has got a valid password etc. This includes users (ie people!) and computers and this is the group which is normally present on GPOs

    Sometimes you want to apply your GPO to computers which are scattered throughout AD; it seems like a good idea to link it to the top of your domain but actually you don't want this particular GPO processing by domain controllers or other servers. Updates would be a good example of this - you probably want all your workstations updating as soon as possible but servers only get done at 1600 on a Friday etc. One way of doing this is having an "all computers" OU near the top and all the other computers go under this but the other way is to put every computer except servers into an Auto_update_computers group and then instead of targeting "authenticated users" for the GPO you remove that group and add your auto_update_computers group.

  11. Thanks to srochford from:

    -Jim (31st March 2009)

SHARE:
+ Post New Thread

Similar Threads

  1. GPO does not apply on one model of computer
    By netadmin in forum Windows
    Replies: 14
    Last Post: 15th April 2010, 07:45 PM
  2. DHCP Scope
    By KWestos in forum Windows Server 2000/2003
    Replies: 1
    Last Post: 17th March 2009, 10:05 PM
  3. Changing IP scope
    By Oops_my_bad in forum Windows
    Replies: 3
    Last Post: 9th July 2007, 09:27 PM
  4. Changing IP Scope
    By limbo in forum Wireless Networks
    Replies: 6
    Last Post: 23rd January 2007, 05:34 PM
  5. Replies: 8
    Last Post: 9th October 2006, 10:11 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •