Separate Group policy and separate OU's for Servers

Discussion in 'Update Services' started by ANDY, Oct 5, 2005.

  1. ANDY

    ANDY Guest

    This is for WSUS updates for Servers.
    I have created separate OU for my Server Group and also this points to
    group in WSUS for getting windows updates.
    In Active directory group policy I have enabled under user configuration the
    option "
    Remove access to use all windows update features" which works fine for all my
    clients on the Network and they cannot see the windows update button.
    But the problem is because of this I cannot update on the Servers and it
    gives me error when I run windows update on servers. I have made sure that
    server OU is not overriding with any other group policy. Please let me know
    what is the best solution.
    ANDY, Oct 5, 2005
    1. Advertisements

  2. Andy, the "Remove access to use all windows update features" is a User
    Configuration policy, and you probably have it configured to apply to all
    users. Perhaps you applied it at the domain level?

    The best way to fix this would be to remove the policy from the domain, and
    apply it only to the OUs that contain /user/ accounts. This should exclude
    your Local Admin and Domain Admin accounts, as they should not be in the
    same OUs that regular user accounts are held.

    Another way to fix this is to use security filtering to /deny/ access to
    this policy to Domain Administrators, which will allow Domain Administrators
    to have full access to AU/WU/MU features.
    Lawrence Garvin, Oct 5, 2005
    1. Advertisements

  3. ANDY

    ANDY Guest

    Hi Lawrence,

    Could you please let me know how would I do only for servers.I created new
    OU for servers and created new policy in Group policy and still it does not
    Also the second method which you are talking abouu i found that article
    in Microsoft and below is the link and I tried that too still did not
    work(security filtering) option.I am not sure why this is so complicated..
    Any other thoughts please let me know
    ANDY, Oct 5, 2005
  4. ANDY

    Asher_N Guest

    Download and use the 'Group Policy managemnent Console' from Microsoft.
    Thaere is an option there to see wich policies are applied to a user on a
    given system. Use that to find out where the "Remove access to use all
    windows update features" is coming from. Edit that policy and under the
    list of users, usually 'Authenticated Users' is set to apply the policy.
    Add a check mark under the 'Deny' comlumn for ther admin group. Deny
    always take precedence over apply.
    Asher_N, Oct 6, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.