Not sure why your clients are not getting the policy, but I would suggest
not having the DC involved in the SUS policy.
Some patches have been known to totally mess up a computer. I would manually
apply the patches on a weekend after doing some testing on a non-production
server. If you don't have a server you can set up just for testing, at least
wait a week and browse these newsgroups to see what problems others are having
with the patch. If they are having tons of problems, you might be able to
get info on how THEY recovered from them before you begin.
If they are not having any problems, doing it on the weekend would still be
the best way to go. Just plan on Murphy's law coming into play.
I would manually patch the live servers on the weekend when I will have time
(and current backups) to recover if the patch hosed the DC.
hth
DDS W 2k MVP MCSE