Group policy problem

We have a group policy set up for WSUS settings; it points Windows Update to the WSUS server, applies the Windows Update settings and prevents users from changing them. We are currently moving to Windows 7 desktops and I am busy creating a new WSUS server. So I wanted to disable the current group policy for the new Windows 7 computers/user testing account. Currently the GPO was set up with Authenticated Users as the security filter, which was applying to the Windows 7 user. So I thought that I could change Authenticated Users for Domain Users and put the Windows 7 users in a new domain users group. But what we found was that the group policy stopped working completely on some machines in the network, and users that logged in the next day had updates that were not from the WSUS. It is almost like the group policy just decided to not work, even though the users in question are in the Domain Users group.

Did I miss a step?
Is this sort of group policy temperamental nature common?
Is it not advisable to use the Authenticated Users group for group policy?

What is the solution to my problem?
 
WSUS settings are computer based, not user based.

'Authenticated Users' includes computer accounts, so by removing it and using a user group you've made it only apply to users, and thus not work.

What you should have done is created a new group with computers in it, not users, and added that to the filter.


#####
I have no formal qualification, just 5 years of experience of this stuff. I'm darn sure this is correct, but feel free to correct me.
 
Have you looked into using WMI filters for this? You can then have a GPO for your clients that are running XP, and a different one for clients that are running Windows 7. You then won't need to be remembering to add computers to certain groups when you rebuild them.
 
I still find GP inconsistent and rubbish.

I have disabled this one GPO that was not in use any longer and did gpupdate /force on all three domains and logged off two of them.

Then I restarted a client and did a gpupdate /force

When I do a gpresult /R it still shows that the disabled GPO is being applied. No matter what I try. Is there something else that I need to do?

I looked into using WMI but it looked like it would be more hassle than just creating groups.
 
Have you looked into using WMI filters for this? You can then have a GPO for your clients that are running XP, and a different one for clients that are running Windows 7. You then won't need to be remembering to add computers to certain groups when you rebuild them.

This. I've used this method for a number of GPOs whilst we migrated to Windows 7, seemed to have the effect I wanted.
 
I could use WMI. The group policy is quite a mess, there are a lot of old unused GPOs that are still active. I just created a group called computers old and put all the old PCs in it. Then I created a group called new computers and put the new ones in it. Then I removed Authenticated Users from the security filter and put the old computers group in it. Is that the incorrect way to do it? For user configuration do you have to use user groups or can you use computer groups?

I guess I am doing it wrong, because it does not work.

OK, I think I have figured out how to use it, never mind.
 
User configs only apply to users (groups, containers or otherwise); computer configs only to computers (groups, containers or otherwise).

Either by groups, containers or WMI, all are acceptable; it depends on your situation which is best to use.

For small deployments containers are generally your first call, with groups for specific exceptions - we have a group of test computers that are standard except for getting the WSUS patches in advance of everyone else.

I'd say WMI filters are most applicable for enterprise deployments, but there is nothing stopping you from using them if needed.
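
The computer-group approach from the replies above, as an added PowerShell example that is not part of any post in the thread. The GPO name and group name are placeholders (assumptions), and it needs the ActiveDirectory and GroupPolicy modules from RSAT:

```powershell
# Added example. GPO and group names are placeholders (assumptions), not from the thread.
# On Server 2008 R2 the permission cmdlets are named Set-GPPermissions / Get-GPPermissions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'WSUS-Old-Server'       # hypothetical name of the existing WSUS GPO
$GroupName = 'WSUS-Old-Computers'    # hypothetical group holding COMPUTER accounts

# 1. Create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. Add computer accounts (here: every machine reporting Windows XP),
#    skipping those that are already members so the script can be re-run.
$current = @(Get-ADGroupMember -Identity $GroupName |
             ForEach-Object { $_.DistinguishedName })
$toAdd   = @(Get-ADComputer -Filter "OperatingSystem -like 'Windows XP*'" |
             Where-Object { $current -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# 3. Security filtering: the computer group gets Read + Apply, while
#    Authenticated Users is reduced to Read, so the GPO stays readable
#    but no longer applies to every account in the domain.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 4. Review the resulting permissions on the GPO.
Get-GPPermission -Name $GpoName -All

# 5. On a client, after a restart (a computer picks up new group membership
#    when it restarts), check the computer side of the result:
#      gpupdate /force
#      gpresult /R /SCOPE COMPUTER
#    The GPO should be listed under "Applied Group Policy Objects".

# WMI-filter alternative mentioned in the thread: this query matches Windows 7
# workstations. Run it on a client to see whether a filter using it would match.
$q = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'
[bool](Get-WmiObject -Query $q)
```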
 