2012 WSUS Install - Machines disappearing from groups but not from WSUS overall

  • Question

  • I have a strange one it seems.

    I'm running Server 2012 with the version of WSUS that's installed through the role. (Version 6.2.9200.16384)

    Our computers target WSUS groups / collections via Group Policy and this is working flawlessly.

    However, for more granular control, we've made a set of extra groups. In order to minimize our administrative overhead, we use a PowerShell script to scan for the members of an Active Directory group, and subsequently tell WSUS to make them a member of the additional WSUS group.

    The script seems to work. As soon as I run it I see computers come in to these WSUS groups, but over the course of the next few hours they start disappearing. But they only disappear from these specific groups and not from the whole WSUS console. In fact, the machines stay in the groups that their GPOs tell them to target, and it's only the additional groups that we put them in that they seem to drop out of.

    Any idea what's going on here?

    Here's the script with some company specific information redacted.

    <# Adds servers that are a member of an AD group to WSUS Computer Groups #>
    $Group = "Silver-Applications"
    $ADGroup = "Silver-Applications"
    ## Script begin
    Import-Module ActiveDirectory
    $Members = Get-ADGroupMember -Identity $ADGroup
    $wsus = Get-WsusServer
    # Resolve the WSUS computer group whose name matches $Group
    $Groups = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Group }
    foreach ($line in $Members) {
        $Name = $line.Name
        # "FQDN" appears to be the poster's placeholder for the redacted domain suffix
        $DNS = $Name + "FQDN"
        Write-Host $DNS
        # Look up the WSUS record for this host and add it to the target group
        $wsuscomputer = Get-WsusComputer -NameIncludes $DNS
        Add-WsusComputer -Computer $wsuscomputer -TargetGroupName $Groups.Name -ErrorAction SilentlyContinue
    }

    Tuesday, July 28, 2015 1:26 PM

All replies

  • In the options section of WSUS you choose how the clients will report to the server, either via GPO/registry or controlled manually by the administrator using the WSUS console by moving computers into containers.

    You seem to want to leverage both methods and I don't believe WSUS will allow that.

    You're adding the computer to a container, but then the GPO will take hold after a while and move it "back", or in this case ensure it resides only in its designated container based on the GPO.

    I also don't believe (regardless of which method you leverage) that you can have the same computer reside in multiple containers.

    What is the driver for all of this anyway?

    • Edited by armin19 Tuesday, July 28, 2015 1:35 PM
    Tuesday, July 28, 2015 1:35 PM
  • WSUS has allowed computers to be members of multiple computers for as long as it's been around, and it is a fundamental basic of WSUS administration. Just to add, this item from the TechNet library does indicate that computers can be part of multiple groups.

    I have a couple of servers that are staying in multiple groups; however, I have a large number that are dropping out over time, only to successfully re-add when I run the script, stay in there for a bit, and then 'fall out'.

    The driver for this is extremely granular script-based update approval. That's the project I was given.

    Tuesday, July 28, 2015 2:52 PM
  • Yeah, you're right about multiple groups, just not sure how it's working for other computers when mixing both server-side and client-side group targeting.
    Tuesday, July 28, 2015 3:03 PM
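
The replies turn on which targeting option WSUS is set to (GPO/registry or console assignment), so a useful check is an audit of which computers have dropped out of the scripted group and which group each client itself requests. The following is an added example, not part of the thread or the poster's script; the function name `Get-WsusGroupDrift`, the sample hostnames and the `Servers-GPO` group are hypothetical, and the commented live section assumes the UpdateServices module on the WSUS server.

```powershell
# Added example, not the poster's script. Reports, for each expected member,
# whether it is still in the scripted WSUS group and which group the client requests.
function Get-WsusGroupDrift {
    param(
        [string[]]$ExpectedNames,   # FQDNs that should be in the group (e.g. from AD)
        [object[]]$WsusComputers,   # records: FullDomainName, Groups, RequestedTargetGroupName
        [string]$GroupName,         # scripted WSUS group to audit
        [string]$TargetingMode      # 'Client' (GPO/registry) or 'Server' (console)
    )
    foreach ($name in $ExpectedNames) {
        $c = $WsusComputers | Where-Object { $_.FullDomainName -eq $name } |
             Select-Object -First 1
        if (-not $c) {
            $state = 'NotInWsus'
        } elseif ($c.Groups -contains $GroupName) {
            $state = 'InGroup'
        } else {
            $state = 'MissingFromGroup'
        }
        [pscustomobject]@{
            Computer       = $name
            State          = $state
            RequestedGroup = if ($c) { $c.RequestedTargetGroupName } else { $null }
            TargetingMode  = $TargetingMode
        }
    }
}

# Constructed sample data (hostnames and the GPO-assigned group are made up).
$sample = @(
    [pscustomobject]@{ FullDomainName = 'app01.example.test'; RequestedTargetGroupName = 'Servers-GPO'
                       Groups = @('All Computers', 'Servers-GPO', 'Silver-Applications') }
    [pscustomobject]@{ FullDomainName = 'app02.example.test'; RequestedTargetGroupName = 'Servers-GPO'
                       Groups = @('All Computers', 'Servers-GPO') }
)
Get-WsusGroupDrift -ExpectedNames 'app01.example.test', 'app02.example.test', 'app03.example.test' `
    -WsusComputers $sample -GroupName 'Silver-Applications' -TargetingMode 'Client' | Format-Table

# Against a live server, build the same inputs from the WSUS API:
# $wsus = Get-WsusServer
# $mode = $wsus.GetConfiguration().TargetingMode      # Client or Server
# $live = $wsus.GetComputerTargets() | ForEach-Object {
#     [pscustomobject]@{ FullDomainName = $_.FullDomainName
#         RequestedTargetGroupName = $_.RequestedTargetGroupName
#         Groups = @($_.GetComputerTargetGroups() | ForEach-Object { $_.Name }) } }
```

Running the audit right after the add script and again a few hours later shows exactly which hosts moved from `InGroup` to `MissingFromGroup`, which the original script's `-ErrorAction SilentlyContinue` would otherwise hide.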