06 September 2012

Overriding GPOs using Organizational Units or Groups


You could specify a GPO to override the WSUS setting and force the Win 8 machines to get their updates directly from Microsoft's servers:
  1. Set up a new Organizational Unit to target with the GPO: create a Windows8 Organizational Unit in Active Directory and move your Win8 machines into it.
  2. Create a new GPO called WSUS Win8 or similar, then under Computer Configuration; Policies; Administrative Templates; Windows Components; Windows Update change:
    • Configure Automatic Updates Properties: Select Enabled and “Auto download and schedule the install”, then set a time to install. Remember to ensure this is after the WSUS server’s update schedule (see above).
    • Specify intranet Microsoft update service location:  Disabled
  3. Remove the link to the new GPO from the domain level (click on the domain then right click the link and delete).
  4. Right click the Windows8 Organizational Unit and 'Link existing GPO', choose WSUS Win8
  5. Use Group Policy Modeling to confirm the outcome matches the settings above.
  6. Force the GPO update on the client:  Gpupdate
  7. Try Windows Update again
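
The same OU-based steps scripted with the RSAT ActiveDirectory and GroupPolicy modules, as an added example that is not part of the original post. Assumptions: the install hour (03:00), the operating system filter, the report path, and that the documented Windows Update policy registry values set here are equivalent to the two settings chosen in step 2.

```powershell
# Added example: run from an admin workstation or DC with RSAT installed.
Import-Module ActiveDirectory, GroupPolicy

$domainDn    = (Get-ADDomain).DistinguishedName
$ouName      = 'Windows8'     # OU name from step 1
$gpoName     = 'WSUS Win8'    # GPO name from step 2
$installHour = 3              # assumption: 03:00, must be after the WSUS schedule
$auKey       = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Step 1: create the OU and move the Win8 computer accounts into it.
# The filter is an assumption; review the list before moving in production.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
Get-ADComputer -Filter "OperatingSystem -like 'Windows 8*'" |
    Move-ADObject -TargetPath $ou.DistinguishedName

# Step 2: create the GPO and write the Windows Update policy values.
New-GPO -Name $gpoName | Out-Null
$values = [ordered]@{
    NoAutoUpdate         = 0             # Configure Automatic Updates: Enabled
    AUOptions            = 4             # Auto download and schedule the install
    ScheduledInstallDay  = 0             # every day
    ScheduledInstallTime = $installHour  # hour of day, 0-23
    UseWUServer          = 0             # do not use the intranet (WSUS) server
}
foreach ($name in $values.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName $name `
        -Type DWord -Value $values[$name] | Out-Null
}

# Steps 3-4: New-GPO creates no links, so there is no domain-level link to
# remove. Link the GPO to the OU only; an OU link is processed after the
# domain-level WSUS GPO and therefore wins for computers in this OU.
New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null

# Step 5 (partial): export the GPO settings for review. Group Policy Modeling
# itself is still run from the GPMC console.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\WSUS-Win8.html"

# Steps 6-7, on a Win8 client: refresh policy, then confirm the effective values.
#   gpupdate /target:computer /force
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' |
#       Select-Object UseWUServer, AUOptions, ScheduledInstallTime
```

On the client, `UseWUServer` reading 0 after the refresh indicates the machine is no longer directed to the WSUS server.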
UPDATE: I found using OUs was too prescriptive, e.g. I couldn't move my domain controllers into a new OU from the Domain Controllers OU, so instead I used Groups to achieve the same result:
  1. In Active Directory Users and Computers, [Domain name], Computers: create two new Groups: Win2008 and Win2012
  2. Add the relevant computers to their respective groups.
  3. Set up the GPOs to apply to the relevant groups: In the Scope remove Authenticated Users and add Domain Users and the Win2008 Group
    NB: Use Domain Users not Authenticated Users as the latter includes all computers.
Use Group Policy Modelling Wizard to check your results. The applied GPOs are listed under: Summary, Computer Configuration Summary, Group Policy Objects, Applied and Denied GPOs.
