Getting WSUS 3.2 to recognize the OU's in AD which each have their own GPO

  • Question

  • I used to have a standalone WSUS server. In AD, I have PCs in two different OUs: WSUS1 (where most PCs go) and WSUS2 (IT machines that install the updates first and test them out). A year or so ago the WSUS server died.

    I have installed WSUS on a 2008 R2 domain controller instead of as a standalone server. All PCs are "unassigned". How can I get WSUS to recognize those two OUs and categorize them based on those OUs, so I can approve updates for the WSUS2 OU, test them, then approve those updates for the WSUS1 OU like I used to?

    TIA


    Wednesday, December 23, 2015 7:35 PM

Answers

  • The logic behind client-side targeting is that "if the computer resides in the OU where this GPO is linked, then the computer belongs to <WSUS computergroup>".
    The GP will apply this computergroup name into the registry of the computers in this OU.
    The computers will then contact your WSUS, and as part of this configuration, will "announce" themselves as being a member of <WSUS computergroup>.
    The WSUS will then build the list of Approvals for that computergroup, and offer those to the client computer.

    This allows you to simply place computers into the OU you wish, and the WSUS computergroups will be applied automatically by GP.

    [conversely, server-side targeting is the default for WSUS, and this requires you to manage group memberships all at the server]


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Proposed as answer by Steven_Lee0510 Thursday, December 24, 2015 6:27 AM
    • Marked as answer by Steven_Lee0510 Thursday, January 7, 2016 12:06 PM
    Thursday, December 24, 2015 3:16 AM
  • It sounds like you want to use client-side targeting. This is where you create a GPO, configure it with the settings you want, and link that GPO to the OU you want to apply those settings onto.

    You will need to enable client-side targeting at your WSUS server:
    https://technet.microsoft.com/en-us/library/dd939829(v=ws.10).aspx

    For OUname=WSUS1, create a GPO, name the GPO something useful/meaningful to you (maybe: PC-WSUS1), and in that GPO, configure the settings to specify your WUServer, and the computergroup name=PC-WSUS1, and any other settings e.g. when to perform updating day/time etc.

    On your WSUS, create a computergroup with *exactly* the same name you entered into the client-side-targeting setting of the GPO.

    Repeat all this, for OUname=WSUS2 / GPOname=PC-WSUS2 / computergroup=PC-WSUS2, etc.

    Here's a guide, not exactly matching your scenario (his is a lot more complicated), but similar, to help you through:
    http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Thursday, December 24, 2015 3:18 AM
    • Proposed as answer by Steven_Lee0510 Thursday, December 24, 2015 6:27 AM
    • Marked as answer by Steven_Lee0510 Thursday, January 7, 2016 12:06 PM
    Thursday, December 24, 2015 3:11 AM
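
A check to run on a client in one of the OUs, as an added example that is not part of the original thread: it reads the values the GPO writes to the registry and confirms the client will announce the expected computergroup. The function names, the sample server URL and the exact (case- and whitespace-sensitive) comparison are assumptions of this example; the group names are the ones suggested in the answer.

```powershell
# Added example, not from the thread. The registry path and value names are the
# ones the Windows Update policy settings write on the client.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicy {
    # Values are $null when the GPO has not applied to this computer.
    $p = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    @{ WUServer = $p.WUServer; TargetGroup = $p.TargetGroup
       TargetGroupEnabled = $p.TargetGroupEnabled }
}

function Test-WsusTargeting {
    param(
        [Parameter(Mandatory = $true)][string]$ExpectedGroup,
        [hashtable]$Policy = (Get-WsusPolicy)
    )
    $problems = @()
    if (-not $Policy.WUServer) {
        $problems += 'WUServer is not set: the GPO has not applied to this computer'
    }
    if ($Policy.TargetGroupEnabled -ne 1) {
        $problems += 'TargetGroupEnabled is not 1: client-side targeting is not enabled in the GPO'
    }
    # The policy value may list several groups separated by semicolons.
    $groups = @("$($Policy.TargetGroup)" -split ';' | Where-Object { $_ -ne '' })
    # Strict comparison (case and whitespace), following "exactly the same name".
    if ($groups -cnotcontains $ExpectedGroup) {
        $problems += "TargetGroup is '$($Policy.TargetGroup)', expected '$ExpectedGroup'"
    }
    New-Object PSObject -Property @{
        ExpectedGroup = $ExpectedGroup
        Compliant     = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

# Constructed sample with a deliberate mismatch (trailing space in the group name).
$sample = @{ WUServer = 'http://wsus.example.local:8530'   # constructed server URL
             TargetGroup = 'PC-WSUS2 '; TargetGroupEnabled = 1 }
Test-WsusTargeting -ExpectedGroup 'PC-WSUS2' -Policy $sample | Format-List

# On a real client in the WSUS2 OU (reads the registry):
# Test-WsusTargeting -ExpectedGroup 'PC-WSUS2'
```

If the check passes on the client but the computer still appears as unassigned in the WSUS console, confirm that client-side targeting was enabled on the WSUS server and that a computergroup with that name exists there.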
