Our forums are currently in maintenance mode and the ability to post is disabled. We will be back up and running as soon as possible. Thanks for your patience!



How do I exclude servers from WSUS

By ccurry ·
I just installed WSUS on our network, using a GPO on our domain controller to point all of the machines on our network to the WSUS server. I'd like to exclude our servers from the update settings defined in the GPO. Can anyone tell me the most elegant way to exclude a subset of machines on the same domain from the GPO? Do I need to set up a separate GPO and relate it to these machines? Can I disable the acceptance of a GPO on an individual machine? Any help will be very much appreciated.

I'm using Windows Server 2003 (SP2) & WSUS 3.1.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

WSUS and GPO, use different OU's

by Churdoo In reply to How do I exclude servers ...

Did you edit your default domain GPO? If so, one might advise against that.

Generally, you want your Servers in a different OU than your workstations anyway, or at least I do. And if you do have separate OU's, then managing WSUS becomes real easy ... link a newly created GPO with WSUS settings pertinent to workstations to your general workstation OU, and a different GPO pertinent to your desired server WSUS settings to the servers OU. You can't move the Domain Controllers out of the Domain Controllers OU, but you can link your servers GPO also to the Domain Controllers OU.

Collapse -

Moving computers from the default "Computers" OU

by ccurry In reply to WSUS and GPO, use differe ...

Thanks for the quick reply.

I did edit the default domain GPO, but this could easily be undone if it's desirable, as the only changes made so far were under Computer Configuration\Administrative Templates\Windows Components\Windows Update.

Can I move computers to a new "Servers" OU without any unexpected issues? I don't know much about managing OU's.

Currently all servers and workstations are in the default OU, "Computers". The only exceptions are our domain controllers (one primary & 3 backup).

In order to get the desired organizational structure, I would need to nest the "Domain Controllers" OU inside the new "Servers" OU.

What kind of issues can I expect from a reconfiguration like this?

Collapse -

OU -- 812

by Churdoo In reply to Moving computers from the ...

If you're using the default built-in AD OU structure, then chances are you've not implemented anything that would be affected by changing OU membership, therefore the answer is likely "Yes, you can change your workstations OU membership without affecting anything."

No do not touch the built in Domain Controllers OU, nor touch any of the servers listed in there. We'll get back to this later.

And one note -- I don't think you're using Small Business Server, but if you are, or for the benefit of other readers that may come accross this post, don't change the OU structure of SBS.

FOr your case, I suggest the following:
1) Download and install the Group Policy Management Tool (GPMT).
2) Create an OU for "Workstations" and one for "MemberServers" for example. For ease of organization, you can nest these inside of a parent OU called CompanyNameOU (I also create OU's for Users and Groups under my CompanyNameOU).
3) Change your Workstations and Member Servers OU membership accordingly
4) return your Default Domain GPO to its original state
5) With GPMT, create a new GPO linked to your new Workstations OU, adding the desired workstation WSUS settings to this GPO
6) Create a new GPO linked to your new MemberServersOU, adding the desired MemberServers WSUS settings (maybe you want these to install updates only once a week rather than daily for example)
7) if applicable, link the GPO created in Step 6 above, to the built in Domain Controllers OU

last note, in the OU's created above, since you're only implementing settings under Computer Configuration, I will typically disable the User Configuration section of the GPO -- no need to process that section if you know it's empty.

As far as expected issues? None, unless you consider organization and structure, an issue.

Collapse -


by ccurry In reply to OU -- 812

I appreciate the detailed response. I've made these changes and it's had the desired effect. I understand this whole infrastructure better now as well. My next goal is to see which User configurations could be useful for us. Thanks again for your valuable advice and assistance!

Collapse -

Do it at the WSUS admin page

by shasca In reply to Moving computers from the ...

I have a group/s that PC's are in that has one set of approvals, and the servers reside in a seperate group that are set to Detect Only. Log into WSUS, and it will take ten minutes to resolve this


Related Discussions

Related Forums