I'm confused. From searching, I thought that the *last* listed GPO takes precedence.
So wouldn't I want my non-rebooting (notify only) GPO *first*, applying to all "WSUS Members", and my rebooting schedule #1 GPO (applying to "WSUS Members" and the new AD group)? If I had the order the other way (9AM first, then the non-rebooting), wouldn't the non-rebooting GPO override the settings from the GPO above it?

On Mon, Jun 19, 2017 at 10:08 AM, Charles F Sullivan <charles.sulliva...@bc.edu> wrote:

> I believe you just need to put the 9 AM GPO at the top. Once you get down to the OU level, the settings from the GPO listed at the top will prevail.
>
> Once you add that third GPO, just make sure the non-security-enabled GPO is at the bottom. Any settings from the non-security-enabled one will apply to all the servers in the OU, but not any settings that conflict with the GPOs listed above it (which of course will only apply to the machines in the applicable groups).
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Michael Leone
> *Sent:* Monday, June 19, 2017 9:43 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Q about GPO Security Filtering precendence
>
> So I finally got the OK to have some of our servers have their patches automatically installed via GPO. Right now, all applicable servers are in 1 OU. All are members of a specific AD group ("WSUS Members"). There is a GPO on that OU that has these WSUS settings:
>
> Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update
>
> - Configure Automatic Updates. Value: 2 (Notify for download and notify for install)
>
> And my WSUS server is set as the intranet MS update service location.
>
> So now I want 10 servers (as a pilot group) to reboot Sun at 9AM (I will have a WSUS group that has these 10, and the specific patches to install).
>
> So what I want to do is make a new GPO, filtered on a new AD group (with these 10 servers as members), and the new GPO will have these settings:
>
> Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update
>
> - Always reboot at scheduled time: ENABLED
> - Automatic Updates detection frequency: ENABLED (2 hours)
> - Configure automatic updates. Value: 4 (auto download and schedule the install)
> - Install during automatic maintenance: DISABLED
> - Scheduled install day and time: Sunday, 9AM
> - Turn on recommended updates via Automatic Updates: ENABLED
>
> I've been trying some test VMs with a GPO with the above settings, and they seem to be what I want.
>
> Here's the question (finally!):
>
> On the Servers OU, make a new (second) GPO with the above settings, and set security filtering to the new AD group. So those 10 servers will get the current GPO settings (just notify), AND get the new GPO settings (install and reboot on Sundays).
>
> So which GPO takes precedence? Or are the settings cumulative (I think so)
>
> Do I just need to make the new GPO, filtered to the new group? Or do I need to filter on membership in *both* groups ("WSUS Members" and "WSUS 9AM group")?
>
> (eventually there will be 3 groups - 9AM, 9:30AM and 10AM - so I can stagger the reboots)
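
The scenario in this thread, worked through as an added example (not part of either poster's message): a simplified Python model of how two GPO links on one OU resolve for a pilot server and for an ordinary server, under both link orders. It assumes standard GPMC behaviour, where the link at the top of the list (link order 1) is processed last and wins conflicts; the GPO names "WSUS 9AM" and "WSUS Notify" are constructed, and Enforced links, Block Inheritance and WMI filters are not modelled.

```python
from dataclasses import dataclass

@dataclass
class GpoLink:
    name: str          # constructed GPO names
    link_order: int    # as shown in GPMC; 1 is the top of the list
    apply_groups: set  # security filtering: groups with Read + Apply Group Policy
    settings: dict     # Windows Update policy name -> value

def resultant_settings(links, computer_groups):
    """Return ({setting: value}, {setting: winning GPO}) for one computer."""
    result, winner = {}, {}
    # Links are processed from the highest link order number down to 1,
    # so link order 1 is written last and wins any conflicting setting.
    for link in sorted(links, key=lambda l: l.link_order, reverse=True):
        if not (link.apply_groups & computer_groups):
            continue   # filtered out: this GPO is not applied at all
        for key, value in link.settings.items():
            result[key] = value
            winner[key] = link.name
    return result, winner

NOTIFY = {
    "Configure Automatic Updates": "2 - Notify for download and notify for install",
    "Specify intranet Microsoft update service location": "WSUS server",
}
SUNDAY_9AM = {
    "Configure Automatic Updates": "4 - Auto download and schedule the install",
    "Scheduled install day and time": "Sunday 09:00",
    "Always reboot at scheduled time": "Enabled",
}

def build_links(pilot_order, notify_order):
    return [GpoLink("WSUS 9AM", pilot_order, {"WSUS 9AM group"}, SUNDAY_9AM),
            GpoLink("WSUS Notify", notify_order, {"WSUS Members"}, NOTIFY)]

PILOT = {"WSUS Members", "WSUS 9AM group"}   # one of the 10 pilot servers
OTHER = {"WSUS Members"}                     # every other server in the OU

if __name__ == "__main__":
    for label, links in (("9AM GPO at top", build_links(1, 2)),
                         ("notify GPO at top", build_links(2, 1))):
        for who, groups in (("pilot", PILOT), ("other", OTHER)):
            settings, _ = resultant_settings(links, groups)
            print(f"{label:18} {who:6} -> {settings['Configure Automatic Updates']}")
```

On a real pilot server, `gpresult /h report.html` shows the winning GPO for each setting and can be compared against the model's output.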