On Mon, Jun 19, 2017 at 10:08 AM, Charles F Sullivan <
charles.sulliva...@bc.edu> wrote:

> I believe you just need to put the 9 AM GPO at the top. Once you get down
> to the OU level, the settings from the GPO listed at the top will prevail.
>

OK ... I'm not sure how to re-arrange the order of GPOs, when there are
multiple GPOs per OU (or when multiple GPOs apply to an OU), but I'll look
into it ...

> Once you add that third GPO, just make sure the non-security-enabled GPO is
> at the bottom. Any settings from the non-security-enabled one will apply to
> all the servers in the OU, but not any settings that conflict with the GPOs
> listed above it (which of course will only apply to the machines in the
> applicable groups).
>


There is no "third" GPO. The OU in question has just 1 GPO (the WSUS
setting to notify), and it is set to not inherit the Default Domain Policy.


Thanks


>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Michael Leone
> *Sent:* Monday, June 19, 2017 9:43 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Q about GPO Security Filtering precendence
>
>
>
> So I finally got the OK to have some of our servers have their patches
> automatically installed via GPO. Right now, all applicable servers are in 1
> OU. All are members of a specific AD group ("WSUS Members"). There is a GPO
> on that OU that has these WSUS settings:
>
>
>
> Computer Configuration/Policies/Administrative Templates/Windows
> Components/Windows Update
>
> - Configure Automatic Updates. Value: 2 (Notify for download and notify
> for install)
>
>
>
> And my WSUS server is set as the intranet MS update service location.
>
>
>
> So now I want 10 servers (as a pilot group) to reboot Sun at 9AM (I will
> have a WSUS group that has these 10, and the specific patches to install).
>
>
>
> So what I want to do is make a new GPO, filtered on a new AD group (with
> these 10 servers as members), and the new GPO will have these settings:
>
>
>
> Computer Configuration/Policies/Administrative Templates/Windows
> Components/Windows Update
>
> - Always reboot at scheduled time; ENABLED
>
> - Automatic Updates detection frequency: ENABLED (2 hours)
>
> - Configure automatic updates. Value: 4 (auto download and schedule the
> install)
>
> - Install during automatic maintenance: DISABLED
>
> - Scheduled install day and time: Sunday, 9AM
>
> - Turn on recommended updates via Automatic Updates: ENABLED
>
>
>
> I've been trying some test VMs with a GPO with the above settings, and
> they seem to be what I want.
>
>
>
> Here's the question (finally!):
>
>
>
> On the Servers OU, make a new (second) GPO with the above settings, and
> set security filtering to the new AD group. So those 10 servers will
> get the current GPO settings (just notify), AND get the new GPO settings
> (install and reboot on Sundays).
>
>
>
> So which GPO takes precedence? Or are the settings cumulative (I think so)
>
>
>
> Do I just need to make the new GPO, filtered to the new group? Or do I
> need to filter on membership in *both* groups ("WSUS Members" and "WSUS 9AM
> group")?
>
>
>
> (eventually there will be 3 groups - 9AM, 9:30AM and 10AM - so I can
> stagger the reboots)
>
>
>
>
>
>
>
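
Added example, not part of the original thread: one way to set the link order and the security filtering discussed above with the GroupPolicy PowerShell module. The OU path and the GPO display name are assumptions; the group name "WSUS 9AM group" is the one used in the thread.

```powershell
# Added example. Assumed values: the OU distinguished name and the GPO display name.
Import-Module GroupPolicy

$ou       = 'OU=Servers,DC=example,DC=com'   # assumed OU path
$pilotGpo = 'WSUS - Install Sunday 9AM'      # assumed name of the new, filtered GPO
$group    = 'WSUS 9AM group'                 # group name from the thread

# Link the pilot GPO to the OU if it is not linked there yet.
$links = (Get-GPInheritance -Target $ou).GpoLinks
if ($links.DisplayName -notcontains $pilotGpo) {
    New-GPLink -Name $pilotGpo -Target $ou -LinkEnabled Yes | Out-Null
}

# Link order 1 is the top of the list in GPMC. It is processed last,
# so its settings win wherever they conflict with GPOs linked below it.
Set-GPLink -Name $pilotGpo -Target $ou -Order 1 | Out-Null

# Security filtering: only members of the pilot group may apply this GPO.
Set-GPPermission -Name $pilotGpo -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Downgrade Authenticated Users from Apply to Read instead of removing it.
# Computer accounts still need Read on the GPO to be able to process it.
Set-GPPermission -Name $pilotGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Review the resulting link order on the OU.
(Get-GPInheritance -Target $ou).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced

# Review who can read and who can apply the pilot GPO.
Get-GPPermission -Name $pilotGpo -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A server picks up a new group membership only after a restart or a refreshed computer Kerberos ticket, so `gpresult /r /scope computer` on a pilot server is the check that the filtered GPO is actually being applied.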
