WSUS 3.0 Question

Discussion in 'MCSE' started by Hollywood0728, Jun 25, 2008.

  1. I have just implemented a WSUS 3.0 server and had a few questions relating to
    Group Policy, more or less. All users are administrators of their own PCs, and
    the GP for the domain is configured to look at the WSUS server for updates.
    I have noticed that all users can edit their own local GP policy. If they
    disable the option in their own local GP, will it affect what the domain GP is
    set to? Also, I notice that my users are able to go to the Windows Update
    website and get updates, like XP SP3, that I didn't approve on the WSUS
    server. Can I disable users from going to the update site? Or is there a
    setting I am missing? I am brand new to WSUS, so be gentle.

    Thanks.
    Hollywood0728, Jun 25, 2008
    #1

  2. Hollywood0728

    John R Guest

    "Hollywood0728" <> wrote in message
    news:...
    > I have just implemented a WSUS 3.0 server and had a few questions relating
    > to Group Policy, more or less. All users are administrators of their own PCs,
    > and the GP for the domain is configured to look at the WSUS server for
    > updates.
    > I have noticed that all users can edit their own local GP policy. If they
    > disable the option in their own local GP, will it affect what the domain GP
    > is set to? Also, I notice that my users are able to go to the Windows Update
    > website and get updates, like XP SP3, that I didn't approve on the WSUS
    > server. Can I disable users from going to the update site? Or is there a
    > setting I am missing? I am brand new to WSUS, so be gentle.
    >
    > Thanks.


    First off, you should not implement WSUS in your default domain policy.
    Since this policy applies to all objects in the domain, including domain
    controllers, this is the wrong place to do it. You should break your
    computer accounts into administrative OUs and implement WSUS there.

    Users updating their own local policies will have to do it every 15 minutes,
    as that is how often group policies refresh. Most users will not have that
    kind of fortitude. You can also disable access to gpedit within another
    group policy.

    You can (I believe) disable access to the windows update site by one of the
    settings for WSUS, but off the top of my head, I forget what setting it is.
    Maybe tomorrow if I have time I'll look it up, or maybe someone else will
    chime in with it.

    John R
    John R, Jun 26, 2008
    #2

  3. "Hollywood0728" <> wrote in message
    news:...
    > I have just implemented a WSUS 3.0 server and had a few questions relating
    > to Group Policy, more or less.


    Luckily for you.. I'm here... but this question is really better addressed
    in microsoft.public.windows.server.update_services, or a group policy
    related forum.

    > All users are administrators of their own PCs, and
    > the GP for the domain is configured to look at the WSUS server for
    > updates.
    > I have noticed that all users can edit their own local GP policy. If they
    > disable the option in their own local GP, will it affect what the domain GP
    > is set to?


    Basic Group Policy 101 question... a good question, and one that (sadly) a
    lot of admins aren't aware of.

    No. LOCAL policy is always superseded by GROUP policy.

    However, that does not prevent a local Administrator from editing the
    registry after boot up. Yet, as a Domain Administrator, you also have the
    choice over how often group policy is refreshed on each system. By default
    it refreshes every 60 minutes +/- 30 minutes (30-90 minutes). So, while a
    local Admin can bypass the settings (for the short term), it's never a
    permanent thing.


    > Also, I notice that my users are able to go to the Windows Update
    > website and get updates, like XP SP3, that I didn't approve on the WSUS
    > server. Can I disable users from going to the update site?


    Yes. In User Configuration\Administrative Templates\Windows
    Components\Windows Update
    you can enable the policy "Remove access to use all Windows Update
    features".

    Note, however, that if you enable this policy, then you will also need to
    use AU Option #4 and =scheduled= installations in order to get those systems
    updated, and the local Admins will not be able to install updates of any
    type, from anywhere (including WSUS!).



    --
    Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
    Senior Data Architect, APQC, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2008)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    Lawrence Garvin, Jun 27, 2008
    #3
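
Because a local administrator can change the policy registry values between Group Policy refreshes, as the post above notes, a periodic check on the client shows when the settings have drifted. The PowerShell below is an added example and not part of the original thread; the registry paths are the standard locations these policies write to, and the WSUS URL and baseline values are constructed placeholders.

```powershell
# Added example: audit the Windows Update policy values on a client.
# Baseline values are constructed; the WSUS URL is a placeholder.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$baseline = @(
    @{ Path = $wu;      Name = 'WUServer';       Value = 'http://wsus.example.local' }
    @{ Path = $wu;      Name = 'WUStatusServer'; Value = 'http://wsus.example.local' }
    @{ Path = "$wu\AU"; Name = 'UseWUServer';    Value = 1 }   # use the intranet server
    @{ Path = "$wu\AU"; Name = 'NoAutoUpdate';   Value = 0 }   # Automatic Updates enabled
    @{ Path = "$wu\AU"; Name = 'AUOptions';      Value = 4 }   # download and schedule install
    # User policy "Remove access to use all Windows Update features".
    # HKCU is the hive of whoever runs the script, so run it in the user's session.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
       Name = 'DisableWindowsUpdateAccess'; Value = 1 }
)

function Test-WsusPolicy {
    param([Parameter(Mandatory)][hashtable[]]$Baseline)
    foreach ($item in $Baseline) {
        # A missing key or value yields $null instead of an error.
        $prop   = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        $actual = $prop.($item.Name)
        $state  = if ($null -eq $actual) { 'Missing' } elseif ($actual -eq $item.Value) { 'OK' } else { 'Drift' }
        [pscustomobject]@{
            Key      = $item.Path
            Name     = $item.Name
            Expected = $item.Value
            Actual   = $actual
            State    = $state
        }
    }
}

$report = Test-WsusPolicy -Baseline $baseline
$report | Format-Table Name, Expected, Actual, State -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent flag the machine.
if ($report | Where-Object { $_.State -ne 'OK' }) {
    Write-Warning 'Windows Update policy differs from baseline; run "gpupdate /force" to reapply domain policy.'
    exit 1
}
```
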
  4. "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    news:...

    > Users updating their own local policies will have to do it every 15
    > minutes,


    They may update every 15 minutes in your network.. but that's not the
    default refresh cycle. :)

    > You can also disable access to gpedit within another group policy.


    But Local policy is still useless. It's REGEDIT.EXE that needs to be
    blocked.

    > You can (I believe) disable access to the windows update site by one of
    > the settings for WSUS, but off the top of my head, I forget what setting
    > it is. Maybe tomorrow if I have time I'll look it up, or maybe someone
    > else will chime in with it.


    Noted elsewhere, but repeated here for convenience. It's in:

    User Configuration\Administrative Templates\Windows Components\Windows
    Update
    and the policy is "Remove access to use all Windows Update features".


    Lawrence Garvin, Jun 27, 2008
    #4
  5. Hollywood0728

    John R Guest

    "Lawrence Garvin" <> wrote in message
    news:...
    > "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    > news:...
    >
    >> Users updating their own local policies will have to do it every 15
    >> minutes,

    >
    > They may update every 15 minutes in your network.. but that's not the
    > default refresh cycle. :)
    >


    DOH! I am confusing GPO refresh with A/D replication, lol.
    Yes, Lawrence is absolutely correct, it is 60 +/- minutes.

    >> You can also disable access to gpedit within another group policy.

    >
    > But Local policy is still useless. It's REGEDIT.EXE that needs to be
    > blocked.
    >


    While we have gone that far for certain users, 99.9% of users are not that
    savvy.

    >> You can (I believe) disable access to the windows update site by one of
    >> the settings for WSUS, but off the top of my head, I forget what setting
    >> it is. Maybe tomorrow if I have time I'll look it up, or maybe someone
    >> else will chime in with it.

    >
    > Noted elsewhere, but repeated here for convenience. It's in:
    >
    > User Configuration\Administrative Templates\Windows Components\Windows
    > Update
    > and the policy is "Remove access to use all Windows Update features".
    >


    Thanks Lawrence.

    John R
    John R, Jun 28, 2008
    #5