On Mon, Jun 19, 2017 at 10:14 AM, Brian Desmond <[email protected]> wrote:
> Precedence is controlled by the order of the links which you can see in
> GPMC. The settings are cumulative but where there’s a conflict the most
> precedent GPO will apply.
>
> Given you have three time windows, I think you’ll need three groups and
> three GPOs.

Ah, yes, of course. My mistake. Of course you're right, eventually I will have 3 GPOs. I'm just so focused on making sure this first group works out, I wasn't thinking ahead.

> Thanks,
>
> Brian Desmond
>
> w – 312.625.1438 | c – 312.731.3132
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Michael Leone
> *Sent:* Monday, June 19, 2017 8:43 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] Q about GPO Security Filtering precendence
>
> So I finally got the OK to have some of our servers have their patches
> automatically installed via GPO. Right now, all applicable servers are in 1
> OU. All are members of a specific AD group ("WSUS Members"). There is a GPO
> on that OU that has these WSUS settings:
>
> Computer Configuration/Policies/Administrative Templates/Windows
> Components/Windows Update
>
> - Configure Automatic Updates. Value: 2 (Notify for download and notify
>   for install)
>
> And my WSUS server is set as the intranet MS update service location.
>
> So now I want 10 servers (as a pilot group) to reboot Sun at 9AM (I will
> have a WSUS group that has these 10, and the specific patches to install).
>
> So what I want to do is make a new GPO, filtered on a new AD group (with
> these 10 servers as members), and the new GPO will have these settings:
>
> Computer Configuration/Policies/Administrative Templates/Windows
> Components/Windows Update
>
> - Always reboot at scheduled time: ENABLED
> - Automatic Updates detection frequency: ENABLED (2 hours)
> - Configure automatic updates. Value: 4 (auto download and schedule the
>   install)
> - Install during automatic maintenance: DISABLED
> - Scheduled install day and time: Sunday, 9AM
> - Turn on recommended updates via Automatic Updates: ENABLED
>
> I've been trying some test VMs with a GPO with the above settings, and
> they seem to be what I want.
>
> Here's the question (finally!):
>
> On the Servers OU, make a new (second) GPO with the above settings, and
> set security filtering to the new AD group. So those 10 servers will
> get the current GPO settings (just notify), AND get the new GPO settings
> (install and reboot on Sundays).
>
> So which GPO takes precedence? Or are the settings cumulative (I think so)
>
> Do I just need to make the new GPO, filtered to the new group? Or do I
> need to filter on membership in *both* groups ("WSUS Members" and "WSUS 9AM
> group")?
>
> (eventually there will be 3 groups - 9AM, 9:30AM and 10AM - so I can
> stagger the reboots)
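The pilot setup discussed in this thread can be scripted with the GroupPolicy PowerShell module. The following is an added example, not something posted by either participant: it creates the second GPO, security-filters it to the pilot group, and links it at the top of the OU's link order so that it wins where it conflicts with the notify-only GPO. The OU distinguished name and the GPO name are assumptions; the group name is the one used in the thread.

```powershell
# Added example. Values marked "assumed" are placeholders, not from the thread.
Import-Module GroupPolicy

$ou      = 'OU=Servers,DC=example,DC=com'   # assumed DN of the Servers OU
$gpoName = 'WSUS - Install Sun 9AM'         # assumed name for the new GPO
$group   = 'WSUS 9AM group'                 # pilot group named in the thread
$auKey   = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

New-GPO -Name $gpoName | Out-Null

# Registry values behind the Windows Update administrative template settings.
# "Install during automatic maintenance" is left out of this example.
$settings = [ordered]@{
    NoAutoUpdate                    = 0   # Configure Automatic Updates: enabled
    AUOptions                       = 4   # auto download and schedule the install
    ScheduledInstallDay             = 1   # 1 = Sunday
    ScheduledInstallTime            = 9   # hour of day, 0-23
    DetectionFrequencyEnabled       = 1
    DetectionFrequency              = 2   # hours
    AlwaysAutoRebootAtScheduledTime = 1
    IncludeRecommendedUpdates       = 1
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}

# Security filtering: only the pilot group gets Read + Apply.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Keep Authenticated Users at Read only, so the GPO stays readable
# but is no longer applied to every computer in the OU.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Link order 1 is the highest precedence among the GPOs linked to this OU.
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Order 1 | Out-Null

# Confirm the resulting order: the new GPO should appear above the notify-only GPO.
(Get-GPInheritance -Target $ou).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled
```

Running `gpresult /r /scope computer` on one of the pilot servers after a policy refresh shows which of the two GPOs was applied and which was filtered out.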

