Newbie - SUS - How to Make Exception for Particular Servers



Ronin
07-09-2005, 10:51 PM
Hi All,

I have just installed a Windows 2003-based SUS SP1 Server.
Using GPO, I want computers within my domain to be configured and pointed to
this SUS Server, except for several application servers, since we just want
to update these application servers quite manually.
Unfortunately all computers within my domain are in the default Computer OU
in AD.
How can I make an exception for these application servers, so that they will not
be configured or use or pointed to the SUS server?
I also don't want to create a special OU for these application servers.
Please Help. Thanks.

Roger Abell
07-09-2005, 10:51 PM
Your best solution is the one you specifically say you do not
want to do - defining an OU structure that fits your admin model.

First, you called the Computers container an OU, which it is not.
It is just a container object and does not have the properties of an
OU, such as being able to have GPOs linked to it.

If you insist on using only GPOs linked at the Domain in order to
do this, then you will need to set the SUS adm policies in a GPO
that uses security group filtering in order to control which machines
in the domain are in that GPO's scope of management. Generally,
I would recommend using OU structuring in favor of security group
filtering - especially since you are not using any OU structure for
machine objects at this time.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Roger Abell
07-09-2005, 10:51 PM
I forgot to mention . . .
WSUS, the successor to SUS, which is in public beta, allows for
definition of machine groups.
and
If you cripple the autoupdate capability on those machines, then
they will not be impacted, as long as they stay crippled, by being
configured as a SUS client. That is, if the Automatic Updates
service is disabled, then even though configured as SUS clients
they will not get SUS'd.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Steven L Umbach
07-09-2005, 10:51 PM
I don't understand the problem with creating more OUs as that is what it
takes to take full advantage of Active Directory and Group Policy. For
instance you could create an OU for the computers that should use the SUS
and then move them into that OU where you would configure the Automatic
Updates client Group Policy. I would consider that the best option to
prevent SUS client settings from not applying to computers not in that OU
[including domain controllers]. Those computers would still inherit all
other Group Policy settings. Another thing you could try is to create a
global group for your application servers and then give that global group
"deny" for apply permission to the Group Policy that is configured for SUS
client. Of course then those computers will not have any computer
configuration applied from that Group Policy. The link below explains more
on filtering of Group Policy and the support tool gpresult can help in
determining what GP is applying to computers and users. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
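An added example, not part of any post in this thread: one way to confirm from saved gpresult output that an application server really is outside the SUS client GPO, and whether that is due to the security-group deny filter or some other reason. The GPO name "SUS Client Policy" and the sample text are constructed for illustration.

```python
# Constructed gpresult computer-settings excerpt for an application server.
# The GPO name "SUS Client Policy" is made up for this example.
APP_SERVER = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        SUS Client Policy
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        Domain Computers
"""

def parse_gpresult(text):
    """Return (applied GPO names, {filtered GPO name: filtering reason})."""
    applied, filtered, section, last = [], {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"} or line == "N/A":
            continue  # skip blanks, dashed rules and empty-list markers
        if line.startswith("Applied Group Policy Objects"):
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.startswith(("The computer is a part of", "USER SETTINGS")):
            section = None  # past the GPO lists
        elif section == "applied":
            applied.append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            filtered[last] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last = line  # a GPO name; its reason follows on the next line
            filtered[last] = ""
    return applied, filtered

def sus_state(text, gpo="SUS Client Policy"):
    """Return 'applied', the filtering reason, or 'not listed' for the GPO."""
    applied, filtered = parse_gpresult(text)
    if gpo in applied:
        return "applied"
    return filtered.get(gpo, "not listed")
```

A result of "Denied (Security)" on an application server means the group filter is doing the exclusion; "applied" means the server is still configured as a SUS client.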

