Group Policy Best Practice for WSUS clients: servers and workstations

Discussion in 'Update Services' started by M. Eteum, Jan 13, 2006.

  1. M. Eteum

    M. Eteum Guest

    I have 2000 or so workstations and 200+ servers. The workstation is either Windows 2000 Professional with SP4 or Windows XP with SP2. And the server is Windows 2000 with SP4 and Windows 2003 Server.

    What would be the best to categorize the workstations in AD and GPO?

    Both workstations and servers, I've created a security groups with the following category:

    AutoUpdateAutoRebootAnytime
    AutoUpdateAutoRebootAfterHour
    AutoUpdateManualReboot

    I'm not really sure if the above is the best practice but I'm willing to hear some advice for the experts.

    Should I categorize by OSes as well?

    Please advise.

    Thanks
     
    M. Eteum, Jan 13, 2006
    #1
    1. Advertisements

  2. You don't mention how many sites these 2000 workstations are spread across,
    but as a starting point, I'd convert those three security groups into
    separate GPOs. The AutoUpdate is kinda redundant, since -everything- is
    going to be AutoUpdate. The "ManualReboot" is, effectively, all of your
    servers (except perhaps a few that aren't affected by when they're restarted
    or whether they actually come back online afterwards). The "AutoReboot
    Anytime/AfterHour" is really something that will be determined by /when/
    updates are installed and /who/ is logged when they install -- but either
    way, is effectively a workstation policy.

    My recommendation would be to create target groups by site and platform for
    workstations (e.g. Site1Win2000, Site2WinXP, Site2Win2000) as they exist
    (don't create groups for combinations that are non-existent and will never
    have members), and by site and/or server function for server. For example,
    I'd have a "DomainControllers" target group. These machines you want to be
    very careful about when you restart them. Another group might be "Exchange"
    and/or "SQLServers". The "FilePrintServers" group, for example, might be
    such that you don't feel risk in autorebooting them.

    The most important key point is considering how you'll manage the computers
    for updating and reporting purposes. Also consider that the more computers
    in a group, the harder it will be to scan through the list, and the longer
    it will take to extract the data to build reports.
     
    Lawrence Garvin \(MVP\), Jan 14, 2006
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.