-1

My company migrated from Windows SBS 2003 to 2011 and there are a quite a few redundant group policies. One policy in particular is the "Update Services Client Computer Policy", it looks like the previous admin or from migration a almost identical copy was made of that policy.

I removed the "copy" and now windows updates aren't being applied. The original policy has "Domain Controllers" in the scope with a blue explanation mark over the folder icon while the "copy" policy had the domain name in the scope. How exactly does the Domain Controllers scope work and should it be there?

I also noticed a similar group policy "Update Services Common Setting Policy" has our domain for the scope instead of "Domain Controllers".

Note. Our company only has one domain.

TheCleaner
  • 32,627
  • 26
  • 132
  • 191
payling
  • 235
  • 1
  • 4
  • 16
  • 4
    I think you should read this from start to finish before you do anything else: [Group Policy for Beginners](http://technet.microsoft.com/en-us/library/hh147307(v=ws.10).aspx) – MDMarra Jun 05 '13 at 13:46
  • Thanks , great article. Think I might have a better grasp on how GPOs work... If I understand Organizational Units correctly, the OU "Domain Controllers" points to "Domain Controllers" in AD. Expanding AD Domain Controllers reveals our server computer.... Thus this group policy only applies to my server computer from what I can tell... – payling Jun 05 '13 at 15:24
  • An OU is an AD object. The Domain Controllers OU doesn't point to Domain Controllers in AD, *it is the same thing*. You link Group Policy objects to OUs. – MDMarra Jun 05 '13 at 15:35
  • Gotcha, linking Group Policies to "Domain Controllers" OU will add whatever computers, users, etc. are defined in the AD for that OU. Currently "Domain Controllers" is the only OU linked to Update Services Client Computer Policy. Shouldn't something like sbs computers (which contains all authorized computers on our domain) be also linked to that policy if I want that policy to apply to all computers in our network? – payling Jun 05 '13 at 15:51
  • Yes. Just a minor terminology correction: the group policy is linked to the OU, not the other way around. So yes, you should like the update policy to the OU that your workstations are in if you would link that policy to apply to those workstations. – MDMarra Jun 05 '13 at 16:06
  • Long story short, I removed "Domain Controllers OU" from scope of Update Client Policy and replaced it with SBSComputers. I tested and so far so good, client computers now have a server administered windows update schedules. Thanks a bunch MDMarra, the dialog we had has been very helpful to me. I realize now the question is terrible, not sure if it could be re worded better or if anyone else would find our chat useful? If not, I'll vote to delete. – payling Jun 05 '13 at 17:01
  • It's discouraged to delete content. I'd leave it, I'm sure it will help someone else down the line! – MDMarra Jun 05 '13 at 17:06

1 Answers1

2

It would depend entirely on what you're trying to accomplish, and what's in the GPO (while friendly names are great, lots of terrible administrators put stuff in GPOs that has nothing to do with the name, don't make assumptions about what it does).

Using WSUS on DCs does make sense, same with all the computer in the organization. But only if you have WSUS configured, and want to apply it to those computers.

Chris S
  • 77,945
  • 11
  • 124
  • 216
  • 2
    FWIW, the blue exclamation point typically means that inheritance is blocked at that OU, so that policy probably wasn't actually applying to the DCs. Of course, it's impossible to tell with the way that the question was asked. – MDMarra Jun 05 '13 at 14:23