I believe you just need to put the 9 AM GPO at the top. Once you get down
to the OU level, the settings from the GPO listed at the top will prevail.
Once you add that third GPO, just make sure the non-security-enabled GPO is
at the bottom. Any settings from the non-security-enabled one will apply to
all the servers in the OU, but not any settings that conflict with the GPOs
listed above it (which or course will only apply to the machines in the
applicable groups).
*From:* listsad...@lists.myitforum.com [mailto:
listsad...@lists.myitforum.com] *On Behalf Of *Michael Leone
*Sent:* Monday, June 19, 2017 9:43 AM
*To:* ntsysadm@lists.myitforum.com
*Subject:* [NTSysADM] Q about GPO Security Filtering precendence
So I finally got the OK to have some of our servers have their patches
automatically installed via GPO. Right now, all applicable servers are in 1
OU. All are members of a specific AD group ("WSUS Members"). There is a GPO
on that OU that has these WSUS settings:
Computer Configuration/Policies/Administrative Templates/Windows
Components/Windows Update
- Configure Automatic Updates. Value: 2 (Notify for download and notify for
install
And my WSUS server is set as the intranet MS update service location.
So now I want 10 servers (as a pilot group) to reboot Sun at 9AM (I will
have a WSUS group that has these 10, and the specific patches to install).
So what I want to do is make a new GPO, filtered on a new AD group (with
these 10 servers as members), and the new GPO will have these settings:
Computer Configuration/Policies/Administrative Templates/Windows
Components/Windows Update
- Always reboot at scheduled time; ENABLED
- Automatic Updates detection frequency: ENABLED (2 hours)
- Configure automatic updates. Value: 4(auto download and schedule the
install
- Install during automatic maintenance: DISABLED
- Scheduled install day and time: Sunday, 9AM
- Turn on recommended updates via Automatic Updates: ENABLED
I've been trying some test VMs with a GPO with the above settings, and they
seem to be what I want.
Here's the question (finally!):
On the Servers OU, make a new (second)GPO with the above settings, and set
security filtering to the new AD group. So those 10 servers will be get
the current GPO settings (just notify), AND get the new GPO settings
(install and reboot on Sundays).
So which GPO takes precedence? Or are the settings cumulative (I think so)
Do I just need to make the new GPO, filtered to the new group? Or do I need
to filter on membership in *both* groups ("WSUS Members" and "WSUS 9AM
group")?
(eventually there will be 3 groups - 9AM, 9:30AM and 10AM - so I can
stagger the reboots)
