WSUS via Group Policy

Status
Not open for further replies.

windowsfan
Jan 26, 2007
I want to push update via WSUS using group policy.
How many different OU should I create?
or
Can I create a GP and link it to policy at domain level? If I do this then how will it affect the network bandwidth? I have 1000 computers all together. This includes off-site locations.
 
I would avoid setting your policy too high up the AD as any problems could affect a lot of PCs. We use WSUS on about 400 desktops and bandwidth isn't really an issue on a LAN. Over slower connections the BITS service should compensate.
 
I would suggest creating security groups and adding machines to the group. I wouldn't link the WSUS policies to OUs, in particular. Rather, perform security filtering targeting the security groups. This way, you can configure "client-side targeting" in WSUS and never need to worry about what policies a machine will get. As long as it is in its respective group, it will receive the desired WSUS policies.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
monsterjta is correct there. I'll just point out that you can also use WSUS client targeting by applying the settings to an OU.
 
Thanks everyone for your input.

Let's say I create 10 security groups and put computers in individual groups. Now what do I do as far as Group Policy is concerned for WSUS? Before, I used to create a group policy and link it to an OU.

I have around 1000 computers in my network. Do I need to create a GP for all 10 groups to push updates on different days and times, or is it OK to push out updates to all 1000 computers at the same time? (I have many off-site locations.)

Thanks again.
 
You would still need to link the policy to an OU, somewhere higher than where your machines reside. The difference is in security filtering. In the GPO scope, remove the Authenticated Users group and add the respective WSUS security group which contains your targeted machines.

You can create as many WSUS policies as you wish, with just as many WSUS security groups containing your machines. One machine can only be a member of a single WSUS policy security group, otherwise there will be issues that may be difficult to troubleshoot.

I would suggest grouping your machines either by role or by whatever stage of testing the releases you want.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
I understand what you mean to say; now I have a good idea of how it works. Let me tell you how my network is and what my plan for the GPO is.

I have one domain in my network with 15 off-site locations connected via 1.5 Mbps to 10 Mbps.

I am going to create 15 groups, one for each site.
I will create a Workstation OU and move all computers to that OU.
The question is how many GPs do I create: one for each site, or just one for all sites?
I think one for each site with 50+ computers, and one for the sites with fewer than 10 computers. Your suggestion?
 
This really does depend on your specific requirements. Workstation or server? File server, application server, Terminal Server, Domain Controller, DNS server, DHCP server? As you can see, there could be a few possibilities as far as which server to target into which group, and at what times they should reboot if necessary.

If you have 2 or more DCs, I would separate the DCs into 2 groups so that they do not all reboot at the same time. Some admins suggest not to reboot a server automatically. I don't think it makes sense NOT to reboot a server automatically. If you don't reboot, the patch essentially is not applied.

Anyway, then you've got your DNS servers. Your primary and secondary servers should probably be in separate groups. As you can see, the main thing here is reboot times. If all your network services go down at the same time, then there could be issues if users are trying to access resources.

In addition to what I've already stated, I like to schedule my reboot times every weekend during non-production, scheduled maintenance times. Before I leave on Friday evening, I generate a report from WSUS with all the servers that will require a patch and reboot. I now know exactly which servers to check Sunday morning. I have it a little easier, as I have a monitoring system in place which alerts me in the event a server doesn't come back up.

Keep in mind any non-MS applications you have running. There could be times when you don't want to release a MS update because it could be incompatible with your 3rd-party application. This is another reason to configure your policies to deploy to a test/dev group before releasing to production. This can be a huge, unfulfilling task.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 
I am not going to push updates to any server; I use Shavlik for servers.
Help me with the question below:
I am going to create 15 groups, one for each site.
I will create a Workstation OU and move all computers to that OU.
The question is how many GPs do I create: one for each site, or just one for all sites?
I think one for each site with 50+ computers, and one for the sites with fewer than 10 computers. Your suggestion?
 
With only knowing you want to push updates to all workstations in your organization, I suppose I would suggest 2 policies. One for your IT staff and one for your users. Apply and reboot the IT staff prior to releasing to users (at least a few days), so that you may "experience" the updates and monitor for possible unusual behavior before releasing onto the rest of the organization. Then, release to all other users.

This would require 2 security groups to add your computers to: one for IT staff computers and one for all other users' computers. Add the corresponding group to the scope of the respective GPO, and link it anywhere above the OUs where your computers reside.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
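Putting together Jonathan's two replies above (security filtering on a WSUS security group instead of per-OU links, and the IT-pilot-then-everyone-else rollout), here is an added PowerShell example; it is not code from the thread or from anyone posting in it. It assumes the RSAT GroupPolicy and ActiveDirectory modules, and the OU, group names and WSUS URL are placeholders.

```powershell
# Added example, not code from the thread. Assumes RSAT GroupPolicy/ActiveDirectory modules
# and placeholder group, OU and WSUS server names that you would replace with your own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function New-WsusPolicy {
    param(
        [Parameter(Mandatory)][string]$GpoName,       # e.g. 'WSUS - IT Pilot'
        [Parameter(Mandatory)][string]$GroupName,     # computer security group that receives it
        [Parameter(Mandatory)][string]$LinkTargetDN,  # OU above the computers (placeholder DN)
        [Parameter(Mandatory)][string]$WsusUrl,       # e.g. 'http://wsus.corp.example:8530'
        [Parameter(Mandatory)][string]$TargetGroup,   # WSUS client-side targeting group
        [ValidateRange(0,7)][int]$InstallDay = 0,     # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0,23)][int]$InstallHour = 3    # scheduled install hour (24h)
    )
    # One machine belongs to exactly one WSUS group; create the group if it does not exist
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security | Out-Null
    }
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }

    # Security filtering: Authenticated Users loses Apply, computers keep Read (needed for
    # policy processing), and only the WSUS group gets Apply, so group membership alone decides.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Computer configuration: point clients at WSUS, enable client-side targeting, schedule installs
    $wu = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
    Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'WUServer' -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'TargetGroupEnabled' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'TargetGroup' -Type String -Value $TargetGroup | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName 'UseWUServer' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName 'AUOptions' -Type DWord -Value 4 | Out-Null  # 4 = auto download, scheduled install
    Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName 'ScheduledInstallDay' -Type DWord -Value $InstallDay | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName 'ScheduledInstallTime' -Type DWord -Value $InstallHour | Out-Null

    # Link above the OU holding the computers; the filtering above limits who applies it
    New-GPLink -Name $GpoName -Target $LinkTargetDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Staged rollout from the thread: IT staff install on Tuesday, everyone else on Saturday
$ou = 'OU=Workstations,DC=corp,DC=example'   # placeholder
$wsus = 'http://wsus.corp.example:8530'      # placeholder
New-WsusPolicy -GpoName 'WSUS - IT Pilot'     -GroupName 'WSUS-IT'    -LinkTargetDN $ou -WsusUrl $wsus -TargetGroup 'IT'           -InstallDay 3
New-WsusPolicy -GpoName 'WSUS - Workstations' -GroupName 'WSUS-Users' -LinkTargetDN $ou -WsusUrl $wsus -TargetGroup 'Workstations' -InstallDay 7
```

The TargetGroup names must also exist as computer groups in the WSUS console with client-side targeting enabled there, and a computer placed in both AD groups would receive both GPOs, which is the troubleshooting problem Jonathan warns about.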
 
Great explanations Jonathan! Figured you should get a star!
 
If I create two security groups, one for IT and one for the rest of the users, and two GPs, one for IT and one for the rest, everything else is clear. But with one group for the whole network with only one GP for WSUS, how is it going to push updates? Do all devices on the network get updates at the same time (besides IT computers)?

Thanks for your help.
 
I'm not quite sure what your last question is.

Again, each policy will apply to a group of computers. There can only be one WSUS policy applied to a computer, hence a computer can only be a part of one WSUS security group.

Unless you want to push all updates out to all computers at the same time every time, then you must create more than one security group and more than one GPO.

If you want to push all updates to all computers at the same time every time, then just create a single GPO and a single WSUS security group.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN
 