Windows Vista Tips > Newsgroups > Windows Server > Update Services > WSUS AD GPO Question

WSUS AD GPO Question

 
 
Phil Angus
      12-10-2009
Scenario:

I have my three main groups in the WSUS console so far (I will probably need
to create more ultimately).
Each group is "fed" by a GPO residing in the OU
Example: Workstation_OU - WSUS_Workstations GPO - Workstations WSUS group.
Now, one of the people within the Workstations_OU has a very finicky
machine, for example, the user cannot use IE8 for reasons of incompatibility
with some of the sales ordering sites.
So, when I approve updates for Workstations WSUS group, this machine within
Workstations_OU is going to receive the update.
So the real question is, how do I bypass updates for this machine, or do I
really need to move it to a different OU that isn't using WSUS_Workstations
GPO?

Thanks.


 
Lawrence Garvin [MVP]
      12-11-2009
"Phil Angus" <> wrote in message
news:...

> Now, one of the people within the Workstations_OU has a very finicky
> machine, for example, the user cannot use IE8 for reasons of
> incompatibility with some of the sales ordering sites.


> So, when I approve updates for Workstations WSUS group, this machine
> within Workstations_OU is going to receive the update.


> So the real question is, how do I bypass updates for this machine, or do I
> really need to move it to a different OU that isn't using
> WSUS_Workstations GPO?


The best option in this scenario is one of two variations:

1. Create a SUBgroup of the "Workstations" group, such that all update
approvals are automatically inherited, but set the approval for IE8
explicitly to "Not Approved", and then MOVE this finicky machine (and any
others) into that subgroup. Once their issues with IE8 have been resolved,
they can be returned to the "Workstations" group, and once the subgroup is
empty it can be deleted.

2. Create a special group for IE8 authorized installations and approve IE8
for that group only. ADD computers to this group if they should have IE8
installed. (Remember, with WSUS machines can belong to more than one group.)


Which option you choose probably depends on which option involves more
computers. If only a few have issues, then use option #1, if only a few
actually need the update, then use option #2.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
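Lawrence's option 1 (a subgroup that inherits the parent's approvals but carries an explicit "Not Approved" for IE8, with the problem machine moved into it) can be scripted against the WSUS administration API rather than clicked through in the console. The PowerShell below is an example added by the editor, not code from the thread, from Lawrence, or from Microsoft's documentation. The group names ("Workstations", "Workstations-NoIE8"), the computer name ("finicky-pc.example.internal") and the update title search ("Internet Explorer 8") are assumptions for illustration; the API calls are the real `Microsoft.UpdateServices.Administration` members. It also checks up front that the server is in server-side targeting mode, which is the condition Phil asks about later in the thread: console moves only stick when the GPO is not dictating group membership.

```powershell
# Added example (not from the thread): Lawrence's option 1 via the WSUS administration API.
# Run in an elevated PowerShell on the WSUS server (or a machine with the WSUS console installed).
# Assumed names for illustration: parent group "Workstations", subgroup "Workstations-NoIE8",
# computer "finicky-pc.example.internal", update title "Internet Explorer 8".
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Group membership can only be managed from here under server-side targeting
# ("Use the Update Services console"). Under client-side targeting, the GPO's
# target group name overrides any console move on the client's next check-in.
if ($wsus.GetConfiguration().TargetingMode -ne "Server") {
    throw "Server is in client-side targeting mode; change group membership through the GPO instead."
}

function Get-Group([string]$name) {
    $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $name }
}

$parent = Get-Group "Workstations"
if (-not $parent) { throw "Parent group 'Workstations' not found." }

# Create the subgroup under the parent if it does not exist yet. Approvals made on
# the parent are inherited by the child, so only the exception is set on the child.
$sub = Get-Group "Workstations-NoIE8"
if (-not $sub) { $sub = $wsus.CreateComputerTargetGroup("Workstations-NoIE8", $parent) }

# An explicit "Not Approved" on the child overrides the "Install" inherited from the parent.
# This is deliberately not Decline(): the update stays approved for every other group.
$ie8 = @($wsus.SearchUpdates("Internet Explorer 8") | Where-Object { $_.Title -like "Internet Explorer 8*" })
if ($ie8.Count -eq 0) { throw "No update matching 'Internet Explorer 8' found; check synchronization." }
foreach ($u in $ie8) {
    [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved, $sub)
}

# Move the problem machine into the subgroup. It keeps receiving everything else
# that is approved for "Workstations", because those approvals are inherited.
$pc = $wsus.GetComputerTargetByName("finicky-pc.example.internal")
if (-not $pc) { throw "Computer not found on the WSUS server; has it reported in yet?" }
$sub.AddComputerTarget($pc)

# Verify: list the approval records that apply to the subgroup for each IE8 update.
# Expect Action = NotApproved for the subgroup, while the parent still shows Install.
foreach ($u in $ie8) {
    foreach ($a in $u.GetUpdateApprovals($sub)) {
        "{0} -> {1} : {2}" -f $u.Title, $sub.Name, $a.Action
    }
}
```

Option 2 uses the same calls with the roles reversed: create a group for the IE8-authorized machines, `Approve` IE8 with `UpdateApprovalAction::Install` for that group only, and `AddComputerTarget` each machine that should have it. A computer can sit in several groups under server-side targeting, which is the point Phil queries in the next post.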

 
Phil Angus
      12-14-2009
Thanks Lawrence. You say machines can belong to more than one group, but
surely that is only if I am using local groups to the WSUS server, not
groups whose machines are occupied via group policy?

Cheers,

Phil


Dave Mills
      12-14-2009
On Mon, 14 Dec 2009 18:26:49 -0000, "Phil Angus" <> wrote:

>Thanks Lawrence. You say machines can belong to more than one group, but
>surely that is only if I am using local groups to the WSUS server, not
>groups whose machines are occupied via group policy?


The syntax is being kept a dark secret. You separate the group names in the GPO
with a semi-colon.

Lawrence do you think the Ops Guide should be updated with this info. Maybe you
could get the WSUS team to add a paragraph. There is absolutely nothing on how
to set up multiple groups. There should be at least a sentence and an example.

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
Lawrence Garvin [MVP]
      12-14-2009
"Dave Mills" <> wrote in message
news:...

>>Thanks Lawrence. You say machines can belong to more than one group, but
>>surely that is only if I am using local groups to the WSUS server, not
>>groups whose machines are occupied via group policy?

>
> The syntax is being kept a dark secret. You separate the group names in
> the GPO with a semi-colon.
>
> Lawrence do you think the Ops Guide should be updated with this info.


Arrggghhh... I think the documentation should be updated with a *lot* of
things... ;-)


> Maybe you could get the WSUS team to add a paragraph.


Right after the other dozen things I've asked 'em to fix, most notably the 2
year old API documentation. :-/


> There is absolutely nothing on how
> to set up multiple groups. There should be at least a sentence and an
> example.


Apparently it's considered a "deployment" topic... it's covered in
"Configuring Clients Using Group Policy" in the Deployment Guide.

See the Note in the "Enable client-side targeting" section of
http://technet.microsoft.com/en-us/l...33(WS.10).aspx

====================================================
Enable client-side targeting
This policy enables client computers to add themselves to target computer
groups on the WSUS server, when Automatic Updates is redirected to a WSUS
server.

If the status is set to Enabled, this computer will identify itself as a
member of a particular computer group when it sends information to the WSUS
server, which uses it to determine which updates should be deployed to this
computer. This setting indicates to the WSUS server which group the client
computer should use. You must actually create the group on the WSUS server.

If the status is set to Disabled or Not Configured, no computer group
information will be sent to WSUS.

To enable client-side targeting
In the Group Policy Object Editor, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click Windows
Update.

In the details pane, click Enable client-side targeting.

Click Enabled, and then type the name of the computer group to which you
want to add this computer in the Target group name for this computer box.

Click OK.

Note
If you want to assign a client to more than one computer group, you should
separate the computer group names with a semicolon plus a space: Group1;
Group2.
====================================================


I also added some "Community Content" to
http://technet.microsoft.com/en-us/l...58(WS.10).aspx
with a reference to the Deployment Guide page.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
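The Deployment Guide excerpt above describes the "Enable client-side targeting" setting from the GPO editor's side. On a client, that setting and the WSUS server address land as values under the Windows Update policy registry key, which is where to look when a machine turns up in the wrong group or in "Unassigned Computers". The PowerShell below is an example added by the editor, not from the thread or from Microsoft's documentation: it reads those policy values, splits the target group string on semicolons (accepting both `Group1;Group2` and the documented `Group1; Group2`, which also answers the "space after the semi-colon" question later in the thread), and adds the checks a practitioner would want before trusting the result. The registry paths and value names are the real policy locations; the function name, the splitting logic and the warnings are the editor's.

```powershell
# Added example (not from the thread): audit what the Windows Update GPO actually
# delivered to this client, including the client-side targeting values behind
# "Enable client-side targeting". Run in PowerShell on a domain-joined client.
$policy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au     = Join-Path $policy "AU"

function Get-WsusClientPolicy {
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $au     -ErrorAction SilentlyContinue

    # TargetGroupEnabled = 1 is what "Enabled" on the GPO setting writes.
    $clientSide = ($p.TargetGroupEnabled -eq 1)

    # The GPO stores all target groups as one string. Split on ";" and trim each
    # name so "Group1;Group2" and "Group1; Group2" both yield two clean names.
    $groups = @()
    if ($clientSide -and $p.TargetGroup) {
        $groups = @($p.TargetGroup -split ";" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    $mode = if ($clientSide) { "client-side (GPO decides group membership)" }
            else             { "server-side (WSUS console decides group membership)" }

    [pscustomobject]@{
        WUServer            = $p.WUServer
        WUStatusServer      = $p.WUStatusServer
        UseWUServer         = ($a.UseWUServer -eq 1)
        ClientSideTargeting = $clientSide
        TargetGroups        = $groups
        Mode                = $mode
    }
}

$r = Get-WsusClientPolicy
$r | Format-List

# Checks worth making before acting on the result (editor's additions):
if (-not $r.UseWUServer) {
    Write-Warning "UseWUServer is not 1: this client still reports to Microsoft Update, not to WSUS."
}
if ($r.WUServer -and $r.WUServer -notlike "https://*") {
    Write-Warning "WUServer is plain HTTP; the update channel can be tampered with on the path. Prefer HTTPS."
}
if ($r.ClientSideTargeting -and $r.TargetGroups.Count -eq 0) {
    Write-Warning "Client-side targeting is enabled but TargetGroup is empty: the machine lands in Unassigned Computers."
}
# Every group named here must already exist on the WSUS server; the client does not create them,
# and a name with no matching server group also lands the machine in Unassigned Computers.
$r.TargetGroups | ForEach-Object { "Target group from GPO: '$_'" }

# After changing the GPO, refresh policy and make the client report before checking the console:
#   gpupdate /target:computer /force
#   wuauclt /reportnow
```

Because the script reads the Policies hive rather than the GPO itself, it shows what the machine actually applied, which is the value that matters when a GPO is filtered, overridden by a closer OU, or not yet refreshed.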

 
Dave Mills
      12-15-2009
On Mon, 14 Dec 2009 15:48:46 -0600, "Lawrence Garvin [MVP]"
<> wrote:

>See the Note in the "Enable client-side targeting" section of
>http://technet.microsoft.com/en-us/l...33(WS.10).aspx


Thanks Lawrence. I was not aware of this resource. It is not covered in the
downloadable PDF of the deployment guide at
http://technet.microsoft.com/en-gb/wsus/default.aspx which is where I looked as
this is the main reference to documentation on the WSUS home page.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
Phil Angus
      12-15-2009
Thanks guys for all your help so far. I have to say I am still a little
confused and can't quite get my head around this.

In my example, I enable client side targeting, and within that OU in AD
create a GPO which points the members to two groups:

Workstations;Finicky_Workstations

Now, all members of that OU will occupy both groups? As far as I understand,
once you enable client side targeting and you set WSUS to interact with AD,
you lose the ability to manually move machines from one group to another
(which makes perfect sense).

I can't help feel I am missing something obvious here, but can't quite get
it!

Regards,

Phil

Lawrence Garvin [MVP]
      12-15-2009
"Dave Mills" <> wrote in message
news:...

>>See the Note in the "Enable client-side targeting" section of
>>http://technet.microsoft.com/en-us/l...33(WS.10).aspx

>
> Thanks Lawrence. I was not aware of this resource. It is not covered in
> the
> downloadable PDF of the deployment guide at
> http://technet.microsoft.com/en-gb/wsus/default.aspx which is where I
> looked as
> this is the main reference to documentation on the WSUS home page.


Publishing the documentation as a "living document" in the TechNet Library
was supposed to facilitate more rapid maintenance of such things, so it's
entirely likely that the TechNet documents have updates that are not
contained in the documents published and linked into the download center.

I used to be a die-hard user of offline documentation -- in fact, I griped
when the offline downloads weren't available when the SP2 documentation was
originally published -- but lately I've switched over to the online
documentation -- the ability to hyperlink to specific pages of the document
has helped motivate me immensely as well. I still haven't downloaded the
offline documentation.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
Lawrence Garvin [MVP]
      12-15-2009
"Phil Angus" <> wrote in message
news:...

> In my example, I enable client side targeting, and within that OU in AD
> create a GPO which points the members to two groups:
>
> Workstations;Finicky_Workstations
>
> Now, all members of that OU will occupy both groups?


Correct. (Not sure if it's required, but the docs say there should be a
space after the semi-colon.)

> As far as I understand, once you enable client side targeting and you set
> WSUS to interact with AD, you lose the ability to manually move machines
> from one group to another


Correct.

> I can't help feel I am missing something obvious here, but can't quite get
> it!


What's to get is the complexity that will be involved in assigning computers
to multiple groups if your WSUS group hierarchy gets too complex. This is
the point at which using server-side targeting becomes, once again, a viable
option, as from the console you can assign memberships on a per-computer
basis, rather than having to clog up AD/GPO with a lot of complexity (using
security filtering or WMI filtering) to accomplish the same thing.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
Phil Angus
      12-15-2009
OK, so final question then. If I want manual groups, I take it I still set
the wsus server in a GPO (and assign the GPO to all OUs), and NOT enable
client side targeting. This will then point all machines to the wsus server
via group policy, but they will all be plonked in the group "Unassigned
Computers", and as long as I select "Use the update services console" on the
wsus options, I can then drop computers in to the relevant groups?

One thing that has been slightly confusing (certainly to me) is that I
thought the options in the console were basically; use the update services
console if non AD and use AD if AD environment. I couldn't decide whether
the first option was viable within an AD environment, but you seem to say it
is and in my case probably the best option.

Thanks once again, and I really appreciate your efforts, not only with this
but the countless other threads you reply to, which are a valuable technical
resource :-)


