Deploying Updates w/ SUS / GP / OUs

  • Thread starter: David Reed

David Reed

Hi There,

I am relatively new to AD, and am interested in doing the following:

Setting up Organizational Units, by department, so that I can push out MS
Patch updates via Group Policies, and have some of the OUs automatically
install and reboot after the patches are installed, and other OUs NOT
automatically reboot, but just push the updates out and hold until they are
manually rebooted.

The reason for this is that we are also a laboratory, and restarting some
computers while testing is going on will cause significant problems,
including damage to some of our proprietary hardware, which we build
in-house.

Can anyone point me to articles or white papers on how to do what I'd like
to do, or, if this is an impractical approach, offer an alternative?

Best Regards,
David
 
David

You're not the only one interested in this. However,
patches are not provided as .msi files so, as far as I can
tell, cannot be pushed out via group policies. I've tried
various means of using this route, including building my
own msi files, and failed. Windows Update requires that
the user has administrative rights, thus blowing your
security on desktop PCs; I assume SUS is the same. That
leaves SMS - a sledgehammer to crack a nut. Group policies
would be my preferred route, but it's going to take a
concerted haranguing of Microsoft to make this possible.

Ian
 
There is a good PDF along with the SUS 1.0 SP1 download.

Other articles come up with an SUS search on the knowledge
base.

I just installed a SUS and have it close - only hangup is
workstations cannot run update from it - I have server
sync'd and updates approved - just one final piece to get
it 100%

I used group policy to set windows update service on
workstations - there is an MMC snap-in along with SUS SP1
download.
 
I've been going through the post; maybe this is the same
thing I'm trying to do? We have been getting hit hard with
viruses because not all our systems are patched (lots of
remote users). I want one server to grab all the patches
from Microsoft (on an hourly basis if necessary) and then
push it out to the clients. We do not use Active Directory;
all of our Windows 2000 Servers are stand alone. Is it
possible to build another stand alone Windows 2000 Server
that only grabs patches from microsoft.com and pushes them
out to the clients?

Kind regards,

Erick
 
Create a script that will run the patches at machine
startup.
That way the patches will be deployed using the machine
security rather than the user security.
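
The startup-script approach from the reply above, as an added example that is not code from anyone in this thread: a Group Policy machine startup script runs as Local System, so no user needs administrative rights, and a per-OU marker file decides whether the machine may reboot itself. Assumptions: the share `\\fileserver\patches`, the marker file `no-auto-reboot.flag` and the log path are hypothetical, and the patches are `.msu` packages installed with `wusa.exe` on current Windows rather than SUS-era hotfix executables.

```powershell
# Added example: assign as a GPO machine startup script
# (Computer Configuration > Windows Settings > Scripts > Startup).
# Hypothetical names: share path, marker file and log file are assumptions.
$PatchShare = '\\fileserver\patches'   # must be readable by the computer accounts
$LogFile    = "$env:SystemRoot\Temp\patch-startup.log"
# A GPO linked only to the lab OUs would create this file: "install, but never reboot".
$HoldReboot = Test-Path "$env:SystemRoot\no-auto-reboot.flag"

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

if (-not (Test-Path $PatchShare)) {
    # Startup scripts run as the machine account; a share that only users can read fails here.
    Write-Log "Patch share $PatchShare not reachable, nothing installed"
    exit 1
}

$rebootNeeded = $false
foreach ($pkg in Get-ChildItem -Path $PatchShare -Filter *.msu | Sort-Object Name) {
    # /quiet suppresses UI, /norestart leaves the reboot decision to this script
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$($pkg.FullName)`"", '/quiet', '/norestart' -Wait -PassThru
    switch ($proc.ExitCode) {
        0           { Write-Log "$($pkg.Name): installed" }
        3010        { Write-Log "$($pkg.Name): installed, reboot required"; $rebootNeeded = $true }
        2359302     { Write-Log "$($pkg.Name): already installed" }   # 0x00240006
        -2145124329 { Write-Log "$($pkg.Name): not applicable" }      # 0x80240017
        default     { Write-Log "$($pkg.Name): FAILED, exit code $($proc.ExitCode)" }
    }
}

if ($rebootNeeded -and $HoldReboot) {
    Write-Log 'Reboot pending; held for manual restart (lab OU marker present)'
} elseif ($rebootNeeded) {
    Write-Log 'Reboot pending; restarting now'
    Restart-Computer -Force
}
```

Because installation only happens at startup, a lab machine that is mid-test is never touched until someone restarts it, and the log shows which packages are still waiting on a reboot.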
 