For this scenario you might consider adding a deny for applying the policy to 
the policies for the other groups.  It's really not necessary as the last 
policy applied will take precedence but would potentially help with 
troubleshooting logic in case a system does end up in more than one group.

1. Install-at-9AM (only certain group members get these settings) - denies 10am and 11am groups
2. Install-at-10AM (only certain group members get these settings) - denies 9am and 11am groups
3. Install-at-11AM (only certain group members get these settings) - denies 9am and 10am groups
4. All WSUS Members, notify only, no download (so they all get this - no denies for the catchall)

In the above scenario, if a server ends up in two or more of the 9am, 10am, and 
11am groups it will end up with the policies from #4 applying.

-Bonnie
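The precedence and deny logic described above, modelled as an added PowerShell example (this is not code from the thread; the GPO names, group names and sample computer memberships are constructed). Link order 1 is processed last and wins, and a deny on "Apply Group Policy" blocks a GPO outright, so a server that lands in two of the time groups falls through to #4:

```powershell
# Added example: simulate GPO link-order precedence plus security filtering.
# GPO names, group names and memberships below are constructed, not real AD data.
$gpos = @(
    [pscustomobject]@{ Order = 1; Name = 'Install-at-9AM';  Apply = @('WSUS-9AM');  Deny = @('WSUS-10AM','WSUS-11AM') }
    [pscustomobject]@{ Order = 2; Name = 'Install-at-10AM'; Apply = @('WSUS-10AM'); Deny = @('WSUS-9AM','WSUS-11AM') }
    [pscustomobject]@{ Order = 3; Name = 'Install-at-11AM'; Apply = @('WSUS-11AM'); Deny = @('WSUS-9AM','WSUS-10AM') }
    [pscustomobject]@{ Order = 4; Name = 'All WSUS Members (notify only)'; Apply = @('All-WSUS'); Deny = @() }
)
$timeGroups = @('WSUS-9AM','WSUS-10AM','WSUS-11AM')

function Get-EffectiveWsusGpo {
    param([string]$Computer, [string[]]$Groups)
    # Process lowest precedence first (highest link-order number), as the thread
    # describes: #4 applies to everyone, then #3, #2 and #1 overwrite it in turn.
    $winner = $null
    foreach ($gpo in ($gpos | Sort-Object Order -Descending)) {
        $allowed = @($gpo.Apply | Where-Object { $Groups -contains $_ }).Count -gt 0
        $denied  = @($gpo.Deny  | Where-Object { $Groups -contains $_ }).Count -gt 0
        # A deny on Apply Group Policy wins over the allow, so the GPO is skipped.
        if ($allowed -and -not $denied) { $winner = $gpo.Name }
    }
    $inTimeGroups = @($Groups | Where-Object { $_ -in $timeGroups })
    [pscustomobject]@{
        Computer        = $Computer
        EffectiveGpo    = $winner
        CrossMembership = ($inTimeGroups.Count -gt 1)   # troubleshooting flag
    }
}

# Constructed sample: every server is in All-WSUS; SRV03 was mistakenly put in
# both the 9AM and 10AM groups, SRV04 was never assigned to a time group.
$sample = @{
    'SRV01' = @('All-WSUS','WSUS-9AM')
    'SRV02' = @('All-WSUS','WSUS-11AM')
    'SRV03' = @('All-WSUS','WSUS-9AM','WSUS-10AM')
    'SRV04' = @('All-WSUS')
}
$sample.GetEnumerator() | Sort-Object Key | ForEach-Object {
    Get-EffectiveWsusGpo -Computer $_.Key -Groups $_.Value
} | Format-Table -AutoSize
```

SRV03 ends up on the catchall GPO with CrossMembership set, which is the case the deny entries make visible when you are reading RSOP output.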

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Michael Leone
Sent: Monday, June 19, 2017 9:58 AM
To: [email protected]
Subject: Re: [NTSysADM] Q about GPO Security Filtering precedence

On Mon, Jun 19, 2017 at 3:56 PM, Kennedy, Jim <[email protected]> 
wrote:
> " So you are saying that members of group 1 (9AM) must be removed from group 
> 4 (All WSUS Members)."
>
> If you do it my way, you don't need to remove them from 'All WSUS'.  Just 
> make sure there is no cross memberships between 9am, 10am and 11am.

No cross membership between 9AM, 10AM, 11AM, no. But I was hoping to have all 
servers in the "All WSUS" group, so that even if I forget to assign a server to 
one of those 3 groups, they will at least get the default patching.

> By having 'All WSUS' listed as number 4 that will apply to everyone first, 
> but then your other three will overwrite that and you are golden.

OK! I will try that out today, and then check the RSOP tomorrow on those 10 
servers at 9AM, and spot-check the others ..


>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Michael Leone
> Sent: Monday, June 19, 2017 12:31 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Q about GPO Security Filtering precedence
>
> On Mon, Jun 19, 2017 at 3:56 PM, Kennedy, Jim <[email protected]> 
> wrote:
>> Charles and I are saying the same thing, just differently.
>>
>> When you say this:  "(only certain group members get these settings)"   I am 
>> assuming you mean you have security group filtering on these 3 GPO's.
>
> Yes, correct.
>
>> Are the members of 2, 3 and 4 also members of 'All WSUS Members' in item 1? 
>> If yes, they will all end up getting 1.  2, 3 and 4 will be overwritten as 
>> item 1 has the highest precedence.
>
> I created the 3 new groups, but have not yet populated them.
>
>> Here is my answer, assuming 2, 3 and 4 have unique membership on the 
>> security group filtering.  So members of 2 are NOT members of 3 and 4.  And 
>> members of 3 are not members of 2 and 4...and so on.
>>
>> 1. Install-at-9AM          (only certain group members get these settings)
>> 2. Install-at-10AM     (only certain group members get these settings)
>> 3. Install-at-11AM       (only certain group members get these settings)
>> 4. All WSUS Members, notify only, no download (so they all get this 
>> setting, except for the ones who got the setting from above it)
>>
>> It will process like this:
>>
>> Everyone will get number 4 first.
>>
>> Then those that are members of the security group you are using in 3 will 
>> get 3.  Then members of security group 2 will get 2. And last members of 1 
>> will get 1.
>
> OK.
> So you are saying that members of group 1 (9AM) must be removed from group 4 
> (All WSUS Members).
> Eventually all servers will (should) be a member of 1, 2 or 3 only (none 
> of these a member of 4).
>
> Eventually any server not a member of 1, 2, 3 will be a member of 4 (this will 
> eventually become the "fall through" GPO, as a "just in case").
>
> So I need to take those 10 pilot servers, remove them from the "All WSUS 
> Members" group (#4), and add them to "9AM" group (#1). And have the GPO order 
> as above:
>
> 9AM
> 10AM
> 11AM
> <current GPO, notify only>
>
>