WSUS dynamic group assignment and updates


  • Hello,

    We have WSUS installed in our organization to manage all our computers.

    Quite a number of computers are regularly being moved from one OU to another due to internal needs, and each OU has its own specificities which are represented in a distinct WSUS approval and patch management policy. To account for that, each OU is associated with one parent WSUS group where all computers are stored. Each OU has its own specific GPO to configure WSUS and the location where the computer object should be positioned in the WSUS group structure.

    We would like our computers, when being changed from one AD OU to another, to automatically follow the same pattern in the WSUS group structure based on the GPOs applied to the new OUs. Unfortunately, our tests showed that once the computer object already exists in WSUS and is positioned in a group, it never changes, whatever the new GPO configuration says.

    Is that a known issue? Isn't there any workaround to that and achieve what we try to do?

    Thanks for your inputs.


    Tuesday, June 05, 2012 8:28 PM


  • Hi,

    > Is that a known issue? Isn't there any workaround to that and achieve what we try to do?

    No. It’s not a known issue.

    Client-side targeting is when you use Group Policy or registry settings to move computers into target groups. There are a number of reasons why computers might not appear in groups when you are using client-side targeting. Use the following information to try to resolve this problem.

    1. Verify that the WSUS console is set to use client-side targeting

    By default, the WSUS server is set to use server-side targeting. If you are using client-side targeting, you need to set an option on the WSUS server. To enable client-side targeting on your WSUS server, click the Use Group Policy or registry settings on client computers option on the Computers Options page.

    2. Verify that target computer group names match groups on the WSUS server

    3. Reset Automatic Update

    If you make a change to group membership by using client-side targeting, you can reset Automatic Update with the wuauclt utility.

    Run command: wuauclt.exe /resetauthorization /detectnow

    For more information, please refer to the following MS articles:

    Manage WSUS Client Computers and Computer Groups
    Issues with Client Computer Groups


    TechNet Community Support

    Wednesday, June 06, 2012 5:45 AM
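
The client-side checks from steps 2 and 3 above can be scripted. The following PowerShell is an added example, not part of the original posts and not a Microsoft script. It reads the Windows Update policy values TargetGroupEnabled and TargetGroup from the registry; the group name in $ExpectedGroups is a constructed placeholder, and the script assumes Group Policy has already refreshed on the client after the OU move.

```powershell
# Added example: verify client-side targeting policy on this computer,
# then reset the WSUS authorization so the new group is reported.
param(
    # Constructed sample value; pass the WSUS group name(s) set in the new OU's GPO.
    [string[]]$ExpectedGroups = @('Example-WSUS-Group')
)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

if (-not (Test-Path $key)) {
    Write-Warning 'No Windows Update policy key found: the WSUS GPO is not applied here.'
    exit 1
}

$policy = Get-ItemProperty -Path $key
Write-Output ("WSUS server in policy : {0}" -f $policy.WUServer)

# TargetGroupEnabled must be 1 or the client reports no target group at all.
if ($policy.TargetGroupEnabled -ne 1) {
    Write-Warning 'Client-side targeting is not enabled in the applied policy.'
    exit 1
}

# TargetGroup can hold several group names separated by semicolons.
$configured = @($policy.TargetGroup -split ';' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ })
Write-Output ("Target group(s) in policy: {0}" -f ($configured -join ', '))

# -notcontains compares case-insensitively; the names must also exist,
# spelled identically, as computer groups on the WSUS server.
$missing = @($ExpectedGroups | Where-Object { $configured -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Expected group(s) not in policy: {0}" -f ($missing -join ', '))
    Write-Warning 'The old GPO may still be applied; not resetting authorization.'
    exit 1
}

# Step 3 from the answer: drop the cached targeting cookie and start a detection
# cycle so the client reports its current group membership to the WSUS server.
& "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
Write-Output 'Authorization reset requested; check the computer group in the WSUS console.'
```

A non-zero exit code means the policy on the client does not yet match the new OU, so the reset in step 3 would only re-report the old group.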