WSUS 3.0 Question

Discussion in 'MCSE' started by Hollywood0728, Jun 25, 2008.

  1. I have just implemented a WSUS 3.0 server and had a few questions relating to
    Group Policy, more or less. All users are administrators of their own PCs,
    the GP for the domain is configured to look at the WSUS server for updates.
    I have noticed that all users can edit their own local GP policy. If they
    disable the option in their own local GP, will it affect what the domain GP is
    set to? Also, I notice that my users are able to go to the Windows Update
    website and get updates, like XP SP3, that I didn't approve on the WSUS
    server. Can I disable users from going to the update site? Or is there a
    setting I am missing? I am brand new to WSUS so be gentle.

    Thanks.
     
    Hollywood0728, Jun 25, 2008
    #1

  2. Hollywood0728

    John R Guest

    First off, you should not implement WSUS in your default domain policy.
    Since this policy applies to all objects in the domain, including domain
    controllers, this is the wrong place to do it. You should break your
    computer accounts into administrative OUs and implement WSUS there.

    Users updating their own local policies will have to do it every 15 minutes,
    as that is how often group policies refresh. Most users will not have that
    kind of fortitude. You can also disable access to gpedit within another
    group policy.

    You can (I believe) disable access to the windows update site by one of the
    settings for WSUS, but off the top of my head, I forget what setting it is.
    Maybe tomorrow if I have time I'll look it up, or maybe someone else will
    chime in with it.

    John R
     
    John R, Jun 26, 2008
    #2

  3. Luckily for you.. I'm here... but this question is really better addressed
    in microsoft.public.windows.server.update_services, or a group policy
    related forum.
    Basic Group Policy 101 question... a good question, and one that (sadly) a
    lot of admins aren't aware of.

    No. LOCAL policy is always superseded by GROUP policy.

    However, that does not prevent a local Administrator from editing the
    registry after boot up. Yet, as a Domain Administrator, you also have the
    choice over how often group policy is refreshed on each system. By default
    it refreshes every 60 minutes +/- 30 minutes (30-90 minutes). So, while a
    local Admin can bypass the settings (for the short term), it's never a
    permanent thing.

    Yes. In User Configuration\Administrative Templates\Windows
    Components\Windows Update
    you can enable the policy "Remove access to use all Windows Update
    features".

    Note, however, that if you enable this policy, then you will also need to
    use AU Option #4 and =scheduled= installations in order to get those systems
    updated, and the local Admins will not be able to install updates of any
    type, from anywhere (including WSUS!).



    --
    Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
    Senior Data Architect, APQC, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2008)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin, Jun 27, 2008
    #3
  4. They may update every 15 minutes in your network.. but that's not the
    default refresh cycle. :)
    But Local policy is still useless. It's REGEDIT.EXE that needs to be
    blocked.
    Noted elsewhere, but repeated here for convenience. It's in:

    User Configuration\Administrative Templates\Windows Components\Windows
    Update
    and the policy is "Remove access to use all Windows Update features".


     
    Lawrence Garvin, Jun 27, 2008
    #4
  5. Hollywood0728

    John R Guest

    DOH! I am confusing GPO refresh with A/D replication, lol.
    Yes, Lawrence is absolutely correct, it is 60 +/- minutes.
    While we have gone that far for certain users, 99.9% of users are not that
    savvy.
    Thanks Lawrence.

    John R
     
    John R, Jun 28, 2008
    #5
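
Replies #3 and #4 note that a local Administrator can change the policy-backed registry values between Group Policy refreshes, so a periodic drift check on the client is useful. The following is an added example, not part of the original thread: it compares the Windows Update policy values with the state the thread recommends (WSUS as the update source, AU option 4, Windows Update access removed). The registry value names are the standard ones behind these policies and do not appear in the thread; the WSUS URL is a hypothetical placeholder.

```powershell
# Added example: audit the Windows Update policy values on a WSUS client.
# Assumption: 'http://wsus.example.local' is a placeholder; use your own WSUS URL.
$ExpectedWsus = 'http://wsus.example.local'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-WsusPolicy {
    param([string]$WsusUrl = $ExpectedWsus)
    $wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au   = "$wu\AU"
    # Per-user policy: this reads the hive of the account running the script,
    # so run it in the logged-on user's session (for example from a logon script).
    $user = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

    $checks = @(
        @{ Setting = 'WUServer';                   Path = $wu;   Expected = $WsusUrl },
        @{ Setting = 'WUStatusServer';             Path = $wu;   Expected = $WsusUrl },
        @{ Setting = 'UseWUServer';                Path = $au;   Expected = 1 },
        # 4 = download automatically and install on a schedule (AU option 4).
        @{ Setting = 'AUOptions';                  Path = $au;   Expected = 4 },
        # Backs "Remove access to use all Windows Update features".
        @{ Setting = 'DisableWindowsUpdateAccess'; Path = $user; Expected = 1 }
    )

    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Setting
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

$results = Test-WsusPolicy
$results | Format-Table -AutoSize
# Non-zero exit code lets a scheduled task or monitoring agent flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

Drop the DisableWindowsUpdateAccess check on machines where the "Remove access" policy is deliberately not applied.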