How to have GPO NOT affect server?

[Pat DiPersia]

I've setup a group policy for my workstations to perform a Windows Update
each day at 4am via our Internal SUS server (Which is also the AD server.)
However, I do NOT want the server to get the policy, but I haven't figured
out a way around this.

I tried to edit the local GPO on the server to bypass the WinUpdate GPO, but
that didn't work. I also tried to use the Deny right on the Apply GPO to
the SERVER computer. That didn't work. The only way I can make it work so
far is to specify all of the workstations in the GPO, but that's a pain
every time we add a computer. Any way to make it effect all computers
EXCEPT the server?

 

[David Reed]

Hi there!

My first suggestion would be to put the Servers in a seperate SERVERS
Organizational Unit (OU) and then have your "desktops" in a "Desktops" OU,
and apply the GPO only to the "Desktops" OU...

David Reed

 

[Pat DiPersia]

Makes sense. Question is, will I have to keep manually moving the
workstations in the new OU as they are populated? Or is there a setting
somewhere to specify what OU they are dropped into upon creation?

 

[David Reed]

I have to say I don't know the answer to that. I've kinda wondered that
myself. But for my own peace of mind, I left it that way (defaulting to
COMPUTERS) and move them manually as I create new systems, just to make sure
they end up where I want them.

But someone else may have a better idea (???)

David Reed

 

[GM]

Create a GPO with the SUS update details in it (in any OU
location that applies to the target machines), create a
security group that includes all the machines you want to
apply the GPO, select the GPO's security tab and remove
the read and apply rights to all the Groups that reflect
machines that you don't want to apply the policy then
ensure that the newly created security group has read and
apply rights. Whilst this is flexible it still makes
sense to group machines togther in an OU as described
elsewhere. This OU grouping should be very easy to apply
GPO's to if an administrative approach to OU structure is
adopted but if a geo-political OU design is used you may
be forced to apply a more complex security group design.