"So you are saying that members of group 1 (9AM) must be removed from group 4 
(All WSUS Members)."

If you do it my way, you don't need to remove them from 'All WSUS'.  Just make 
sure there is no cross memberships between 9am, 10am and 11am.

By having 'All WSUS' listed as number 4 that will apply to everyone first, but 
then your other three will overwrite that and you are golden.

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael Leone
Sent: Monday, June 19, 2017 12:31 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Q about GPO Security Filtering precendence

On Mon, Jun 19, 2017 at 3:56 PM, Kennedy, Jim <kennedy...@elyriaschools.org> 
wrote:
> Charles and I are saying the same thing, just differently.
>
> When you say this: "(only certain group members get these settings)" I am 
> assuming you mean you have security group filtering on these 3 GPOs.

Yes, correct.

> Are the members of 2, 3 and 4 also members of 'All WSUS Members' in item 1? 
> If yes, they will all end up getting 1.  2, 3 and 4 will be overwritten as 
> item 1 has the highest precedence.

I created the 3 new groups, but have not yet populated them.

> Here is my answer, assuming 2, 3 and 4 have unique membership on the security 
> group filtering.  So members of 2 are NOT members of 3 and 4.  And members of 
> 3 are not members of 2 and 4...and so on.
>
> 1. Install-at-9AM          (only certain group members get these settings)
> 2. Install-at-10AM     (only certain group members get these settings)
> 3. Install-at-11AM       (only certain group members get these settings)
> 4. All WSUS Members, notify only, no download (so they all get this 
> setting, except for the ones who got the setting from above it)
>
> It will process like this:
>
> Everyone will get number 4 first.
>
> Then those that are members of the security group you are using in 3 will get 
> 3.  Then members of security group 2 will get 2. And last members of 1 will 
> get 1.

OK.
So you are saying that members of group 1 (9AM) must be removed from group 4 
(All WSUS Members).
Eventually all servers will (should) be a member of 1, 2 or 3 only (none of 
these a member of 4).

Eventually any server not a member of 1, 2, 3 will be a member of 4 (this will 
eventually become the "fall through" GPO, as a "just in case").

So I need to take those 10 pilot servers, remove them from the "All WSUS 
Members" group (#4), and add them to "9AM" group (#1). And have the GPO order 
as above:

 9AM
10AM
11AM
<current GPO, notify only>
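
The processing order discussed in this thread, as an added example that is not part of any poster's message: it applies the four security-filtered GPOs from the bottom of the link order up, reports which one wins for each server, and flags servers that sit in more than one of the time groups. Server names, memberships and the GPO name 'WSUS-notify-only' are constructed for illustration, and each GPO is treated as setting the same conflicting values.

```powershell
# Constructed sample data: server names and memberships are illustrative only.
$GroupMembers = @{
    'All WSUS Members' = @('SRV01', 'SRV02', 'SRV03', 'SRV04', 'SRV05')
    '9AM'              = @('SRV01', 'SRV02')
    '10AM'             = @('SRV02', 'SRV03')   # SRV02 is deliberately in two time groups
    '11AM'             = @('SRV04')
}

# GPOs in the link order listed in the thread; link order 1 has the highest precedence.
# 'WSUS-notify-only' is a hypothetical name for the current notify-only GPO.
$LinkOrder = @(
    [pscustomobject]@{ Order = 1; Gpo = 'Install-at-9AM';   FilterGroup = '9AM' }
    [pscustomobject]@{ Order = 2; Gpo = 'Install-at-10AM';  FilterGroup = '10AM' }
    [pscustomobject]@{ Order = 3; Gpo = 'Install-at-11AM';  FilterGroup = '11AM' }
    [pscustomobject]@{ Order = 4; Gpo = 'WSUS-notify-only'; FilterGroup = 'All WSUS Members' }
)

function Get-EffectiveGpo {
    param([string]$Computer)
    $winner = $null
    # Process from the bottom of the list up: a GPO applied later overwrites the earlier one.
    foreach ($link in ($LinkOrder | Sort-Object Order -Descending)) {
        # Security filtering: the GPO only applies if the computer is in its filter group.
        if ($GroupMembers[$link.FilterGroup] -contains $Computer) {
            $winner = $link.Gpo
        }
    }
    if ($winner) { $winner } else { '(no WSUS GPO applies)' }
}

function Get-CrossMembership {
    param([string[]]$Groups)
    # Return every computer that appears in more than one of the given groups.
    $pairs = foreach ($g in $Groups) {
        foreach ($c in $GroupMembers[$g]) { [pscustomobject]@{ Computer = $c; Group = $g } }
    }
    $pairs | Group-Object Computer | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Computer = $_.Name
            Groups   = ($_.Group | ForEach-Object { $_.Group }) -join ', '
        }
    }
}

$allServers = $GroupMembers.Values | ForEach-Object { $_ } | Sort-Object -Unique
$allServers | ForEach-Object {
    [pscustomobject]@{ Computer = $_; EffectiveGpo = Get-EffectiveGpo $_ }
} | Format-Table -AutoSize

# Cross membership between the time groups is what the thread warns against.
Get-CrossMembership -Groups '9AM', '10AM', '11AM' | Format-Table -AutoSize
```

With this sample data SRV02 resolves to Install-at-9AM even though it is also in the 10AM group, and SRV05, which is only in 'All WSUS Members', falls through to the notify-only GPO. Against a real domain the membership table would be filled from `Get-ADGroupMember` rather than typed in.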

