WSUS and Group policy

Discussion:

(too old to reply)

Conall

2006-08-03 14:10:02 UTC

Hi,
Background:

I have installed WSUS. We currently use SUS and use G. Policy to advertise
to clients the name of the SUS server and the download/install options and
schedule.

My question is:

When using WSUS to deploy updates do we need to do anything differently in
G. Policy. I am particulary confused as to how WSUS computer groups and G.
Policy relate to one another when targeting clients in WSUS. If we use WSUS
computer groups to target updates do we only need to use the windows update
G. Policy setting that specifies the name of the WSUS server to clients in an
OU.

Thanks in advance

Lawrence Garvin (MVP)

2006-08-03 22:32:08 UTC

Permalink

Post by Conall
When using WSUS to deploy updates do we need to do anything differently in
G. Policy.

Functionally, no. But the WSUS/WUA policy definition contains a number of
new policy settings that can enhance your WSUS experience over SUS.

Post by Conall
I am particulary confused as to how WSUS computer groups and G.
Policy relate to one another when targeting clients in WSUS. If we use WSUS
computer groups to target updates do we only need to use the windows update
G. Policy setting that specifies the name of the WSUS server to clients in an
OU.

Typically OUs and Target Groups have a one-to-one correspondence, but this
is not required. You might have multiple OUs reporting to the same Target
Group, or you could even assign multiple policies to the same OU, using
security filtering, and have a single OU split between more than one target
group.

Targeting comes in two flavors. Server-Side (the default), and Client-Side.
Server-Side targeting gives full control over target group assignment to the
server console operator, but it's a fully manual process. When a client
system registers with the server, the client system will first appear in
"Unassigned Computers". The WSUS Admin must then 'move' the computer from
"Unassigned Computers" to the desired target group, before the client system
will detect approved updates (unless you've approved an update for "All
Computers" or explicitly for the "Unassigned Computers" group).

When using Client-Side targeting, the desired target group name is
configured via Group Policy, and the client system is aware of the intended
target group prior to initiating the detection. The target group must still
be created at the WSUS console, but no further administrative action is
required. The client system will execute the detection, register directly to
the assigned target group, and detect any updates approved for the assigned
target group.

--
Lawrence Garvin, M.S., MVP-Software Distribution
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, everything else is at
http://wsusinfo.onsitechsolutions.com
....

Dave Mills

2006-08-03 22:50:56 UTC

Permalink

WSUS Computer Groups are not related to AD OUs the WSUS groups are simply a
registry setting saying "I am in the xxxx WSUS group". G Policy can be used to
make this registry setting. This the end of the relationship really. Of course
in practice there is a good alignment of WSUS groups with OUs e.g workstation
will tend to be in the same OU and also in the same WSUS group but there will be
exceptions.

For me I have many OUs in AD for computers. I create WSUS GPOs to create the
WSUS Group registry settings, e.g. Workstations, Laptops, Server, DCs. I then
apply these GPOs to whichever OUs are appropriate.

In WSUS I then deploy to Workstation, Server etc.

Post by Conall
Hi,
I have installed WSUS. We currently use SUS and use G. Policy to advertise
to clients the name of the SUS server and the download/install options and
schedule.
When using WSUS to deploy updates do we need to do anything differently in
G. Policy. I am particulary confused as to how WSUS computer groups and G.
Policy relate to one another when targeting clients in WSUS. If we use WSUS
computer groups to target updates do we only need to use the windows update
G. Policy setting that specifies the name of the WSUS server to clients in an
OU.
Thanks in advance

--
Dave Mills
There are 10 type of people, those that understand binary and those that don't.

Bryan

2006-08-14 03:11:01 UTC

Permalink

Hi Dave,

I am quite new to WSUS.

I have an OU called HQ, and under this OU there are several OUs grouped
under their respective dept. name (e.g. Sales, Accounts, IT).

Under the OU named IT, all domain user IDs of IT are present. In my case, I
created GPO linked to IT and specify the WSUS setting. However, it is not
reflected in any of the IT users (all Windows XP SP2 clients) as I inspect
their computer registry.

It is later learned that WSUS GPO setting is only applicable to computer
groups instead of users. Question is where should I create the computer
group? Shoud I create new OU under IT and move all IT computers into it OR
should I just create a new OU under my root domain and move all IT computer s
into it?

Thanks in advance.

Post by Dave Mills
WSUS Computer Groups are not related to AD OUs the WSUS groups are simply a
registry setting saying "I am in the xxxx WSUS group". G Policy can be used to
make this registry setting. This the end of the relationship really. Of course
in practice there is a good alignment of WSUS groups with OUs e.g workstation
will tend to be in the same OU and also in the same WSUS group but there will be
exceptions.
For me I have many OUs in AD for computers. I create WSUS GPOs to create the
WSUS Group registry settings, e.g. Workstations, Laptops, Server, DCs. I then
apply these GPOs to whichever OUs are appropriate.
In WSUS I then deploy to Workstation, Server etc.

--
Dave Mills
There are 10 type of people, those that understand binary and those that don't.