I believe you just need to put the 9 AM GPO at the top. Once you get down to the OU level, the settings from the GPO listed at the top will prevail.
Once you add that third GPO, just make sure the non-security-enabled GPO is at the bottom. Any settings from the non-security-enabled one will apply to all the servers in the OU, but not any settings that conflict with the GPOs listed above it (which or course will only apply to the machines in the applicable groups). *From:* listsad...@lists.myitforum.com [mailto: listsad...@lists.myitforum.com] *On Behalf Of *Michael Leone *Sent:* Monday, June 19, 2017 9:43 AM *To:* ntsysadm@lists.myitforum.com *Subject:* [NTSysADM] Q about GPO Security Filtering precendence So I finally got the OK to have some of our servers have their patches automatically installed via GPO. Right now, all applicable servers are in 1 OU. All are members of a specific AD group ("WSUS Members"). There is a GPO on that OU that has these WSUS settings: Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update - Configure Automatic Updates. Value: 2 (Notify for download and notify for install And my WSUS server is set as the intranet MS update service location. So now I want 10 servers (as a pilot group) to reboot Sun at 9AM (I will have a WSUS group that has these 10, and the specific patches to install). So what I want to do is make a new GPO, filtered on a new AD group (with these 10 servers as members), and the new GPO will have these settings: Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update - Always reboot at scheduled time; ENABLED - Automatic Updates detection frequency: ENABLED (2 hours) - Configure automatic updates. Value: 4(auto download and schedule the install - Install during automatic maintenance: DISABLED - Scheduled install day and time: Sunday, 9AM - Turn on recommended updates via Automatic Updates: ENABLED I've been trying some test VMs with a GPO with the above settings, and they seem to be what I want. Here's the question (finally!): On the Servers OU, make a new (second)GPO with the above settings, and set security filtering to the new AD group. So those 10 servers will be get the current GPO settings (just notify), AND get the new GPO settings (install and reboot on Sundays). So which GPO takes precedence? Or are the settings cumulative (I think so) Do I just need to make the new GPO, filtered to the new group? Or do I need to filter on membership in *both* groups ("WSUS Members" and "WSUS 9AM group")? (eventually there will be 3 groups - 9AM, 9:30AM and 10AM - so I can stagger the reboots)