WSUS and Group Policies

WSUS and Group Policies



we have to tell the client machines that we don't want them to go to Microsoft Update we want them to go to our wsus server that way we control yes this is approved yes this is approved nope this doesn't approve this one as an approved it could send it out to the various groups so we have to set up group policies to make it so that our wsus clients know that their wsus clients that they're supposed to go the wsus server and then we have a whole bunch of other options available for them as well so I am going to fire off let's see I'm on the domain controller so let's go ahead and fire off our group policy management wizard so we'll fire off group policy management and you want to have documentation some people have group policies just for wsus other companies have just one group policy that way they only have to pull down one and it's all approved and all this other things whatever it takes but what I have is I have a group policy that I've created and I have self documented calling at the Doug GPO so everybody knows that it's mine and I'm going to edit it and the location that we're going to to go through and look at let me go ahead and bring this up and do this real quick there we go so we have two areas and group policies we have computer configuration we have user configuration or settings for both of them but they're kind of the same settings so what I'm going to do is I'm going to go into computer configuration will go into policies will go into administrative templates we will go into Windows components and then all the way down here just about at the bottom so let me slide this down boom boom oh let's let go of my mouse key too soon there we go we have Windows Update so it's not quite exactly at the bottom but it's quite a ways down there so go ahead and open it up and these are all of our nine hundred billion settings the ones that we need to be aware of is we need to specify where the wsus server is located in fact the author over on page 330 went through and told you about this one and what we want to do is we want to figure out the intranet Microsoft Update service location so we'll click on it and we are going to say it is enabled and then we put in the URL to be able to gain access to this will say HTTP colon double forward slash and then I will say London London DC to our chicken toast on toe so dot-com and you can also have a statistic server this statistic server writes down information about what you have and what you've downloaded what you've uploaded it's part of your reporting and again you would you could also just send it to the same machine if both of these are on the same machine otherwise you're you're gonna have to send it to separate machines which is which is perfectly fine so that is the the first one where you'll specify where the wsus server is another one that we have to worry about is joining groups now I as an administrator I could go in the wsus console find all 10,000 machines and figure out what group they belong to or if my active directory structure set up where I have organizational units configured and user accounts configured and they're all inside of there well with an organizational unit I have the ability to go in and I can set up different group policies per oh you pro you per oh you so that means that if you're underneath an organizational unit let's say we have an organization unit for marketing we have an organizational unit for infrastructure servers I have an organizational unit for exchange servers you know where I'm going through and sorting it I can go in and I can apply a different group policy to either point them to a different wsus server or we can use this for client sites Harding so that they know what group to belong to automatically and let me go ahead and show you this so we'll go back into our system here and what we're doing is we have to enable client side targeting and when you do client side targeting you will specify which group you belong to Eng I in gee and you only specify one it's not like you're going to give them a choice where they can pick this one or this one or this one no we are just going to go through and say client side targeting if you're under this group policy you're going to belong to engineering a cool thing about this is is that you can nest organization units so I can have an oh you that says exchange and then underneath this exchange organization gonna have some exchange servers and then I have a special unity server that we're doing but I don't want to receive necessarily the same updates and service packs so I make another oh you underneath there and then I put a group policy on that sub oh you give it a different client-side target and now even though everybody here goes to engineering the ones down here or I'm sorry exchange the ones down here would go to a group called Cisco unity or something like that so you can make himself populate by using a group policy however this does assume you have your Active Directory structure set up to represent how you go through and do administrative control administrative management and once you have all these pieces in place you know where all the machines are then you can enable client side targeting you

Leave a Reply

Your email address will not be published. Required fields are marked *