WSUS group assignment

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
We're doing group assignment through Group Policy so that, depending on which group the user/computer is in, they'll be automatically assigned to the correct group in WSUS.

My question is: what if the computer and the user belong to 2 different groups? What happens when someone from accounting logs into a machine from the engineering department? Will that PC get assigned to accounting or engineering?
 

gaidin123

Senior member
May 5, 2000
962
1
0
Why are you determining WSUS policies per user and computer? The WSUS GPOs are Computer policies, so I'd think you would typically determine WSUS policy based on the OU a given group of computers is placed in. Like auto apply criticals for all kiosks/workstations, download and notify for servers or laptops, or something like that...

Gaidin
 

Cooky

We have different OUs based on departments; each has all the users and computers in that department. Then we have different GPOs applied to those OUs/departments.

So are you saying it's based on computers?
 

gaidin123

WSUS only cares about computers. However, you could scope a computer GPO based on the group a user account belongs to, which would be kind of unusual. Once a machine is added into WSUS, it should stay in that group until you delete it or manually move it. I'm really not sure what would happen if a GPO ran that tried to re-add the computer to a different WSUS group.

The main thing is that WSUS only recognizes computers, and you need the computer half of a GPO to add the machine to a WSUS server. If you have your OUs based on department, with all users and computers of a given department in there, then when you link each GPO to each department's OU, the machines will add themselves to the specified WSUS group on the first bootup after getting this policy, before any user logs in.

If you have a user from dept. A log onto a machine in dept. B the machine will be added to the WSUS group specified in the GPO applied to the computer's OU, NOT the user's. The machine in department B will have added itself on bootup before any user logs in.

Gaidin

Edit: I'm not sure if you're doing this already, but it's way easier to figure out what's going on if you keep your User policies and Computer policies separate (i.e., disabling the other half of the GPO). Also, with the GPMC you can run the RSOP (or group policy modeling) wizard to see what the policies would be for a given user who logs on to a given computer, and you can see for sure what will happen.
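
The point made in the post above, that the WSUS group comes from the Computer half of the GPO applied to the computer's OU and not from whoever logs on, can be checked on a machine by reading what that policy wrote under the Windows Update policy key. This is an added PowerShell example, not part of the original posts; the function name `Get-WsusClientTargeting`, its `ExpectedGroup` parameter and the group name `Engineering` are hypothetical.

```powershell
# Added example: report the WSUS client-side targeting settings that the
# Computer half of Group Policy has written on this machine.
function Get-WsusClientTargeting {
    param(
        # Hypothetical parameter: the WSUS group you expect this machine to report.
        [string]$ExpectedGroup,
        # Policy key populated by the Windows Update administrative template.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    if (-not (Test-Path -Path $PolicyKey)) {
        # No Windows Update computer policy has reached this machine at all.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; PolicyPresent = $false
            WUServer = $null; TargetingEnabled = $false
            TargetGroups = @(); MatchesExpected = $false
        }
    }

    $p = Get-ItemProperty -Path $PolicyKey

    # TargetGroupEnabled = 1 means "Enable client-side targeting" is configured.
    $enabled = ($p.TargetGroupEnabled -eq 1)

    # TargetGroup can name several groups separated by semicolons.
    $groups = @()
    if ($enabled -and $p.TargetGroup) {
        $groups = @($p.TargetGroup -split ';' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        PolicyPresent    = $true
        WUServer         = $p.WUServer
        TargetingEnabled = $enabled
        TargetGroups     = $groups
        MatchesExpected  = [bool]($ExpectedGroup -and ($groups -contains $ExpectedGroup))
    }
}

# 'Engineering' is a constructed group name used for illustration.
Get-WsusClientTargeting -ExpectedGroup 'Engineering' | Format-List
```

Because the key lives under HKLM, the output is the same no matter which user is logged on when the function runs.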
 

Rilex

Senior member
Sep 18, 2005
447
0
0
WSUS uses a GUID to determine a machine. So if you "reassigned" it using a GPO, it would simply move the computer to the new group.

WSUS policies are computer-only. It is not possible to specify them on a user basis.
 

Cooky

From what I've read, WSUS is "computer-oriented" based on Group Policy.
This has been proven after I moved some computers around in the Active Directory; most of them would show up in the assigned groups respectively.
However, a few of them, especially servers, would stay in the original assigned groups and wouldn't go anywhere else.
I used the "gpupdate /force" command to refresh the policy and it didn't do a thing.

Originally those servers were in the "IT" OU and now I can't apply the policy to automatically install and reboot any computers in that group because those servers are still there and I don't want them to reboot themselves.

Any ideas why those servers wouldn't move or be removed?