Windows 2000 Server Computer Accounts in Organizational Unit

[cathylb]

I have a Windows 2000 Server SP 4 with about 25 workstations in a
domain - all clients are Win 2000 pro SP4.

I have downloaded and installed SUS on my server. My goal is to have my
server spit out the Windows Updates to my clients.

I realize all my clients have to have Win 2k SP4 to have the
appropriate WU software.

My problem is this:

In creating the Group Policy on my server to force all clients to
download updates automatically, I am trying to create an Organizational
Unit that just contains my domain computers (not my server).

I created the OU for this, but I am unable to add the computer
accounts. Is this because A.D. cannot have the computer accounts listed
twice (both in the Computers folder and in the OU)? Do I have to move
the computer accounts from the Computers folder in A.D. over to my OU.
I created? Will this have any ramifications I should be aware of?

 

[Denis Wong @ Hong Kong]

Hi,

Yes, you should move the computer objects to the OU.

br,
Denis

 

[Shaune]

You are right, users and computers cannot be members of more than one OU.
So, something you might consider doing:

Create a security group called "SUS" or something similar. Apply your SUS
policy (Auto Update Settings) to the entire domain; however, on the GPO link
security settings, only allow the SUS group to apply the policy. Now you
can add computer and user accounts to multiple GPO's without having to worry
so much about the hierarchal structure. Hope that makes sense!

 

[cathylb]

Shaune,

Hmm. I'm sorry - my inexperience with GP is showing, but I don't
understand, so I'll take your suggestions step by step:

I understand about creating a security group.

I understand that I would apply my SUS policy to my already created OU
just for Computer Accounts (all computers except the server).

I don't understand the advantage to allowing only the SUS group to
apply the policy.

I don't understand the part about adding computer and user accounts to
multiple GPO's (does that mean Group Policy Objects?) without have to
worry about hierarchal structure.

I have a very simple domain. Just 25 or so workstations and one Win 2K
server. I am the only I.T. person on staff.

If I just move my computer accounts to the OU I created, would that
work also (as suggested by Denis above)?

Thanks and I apologize for being so obtuse,

Cathy

 

[Shaune]

No problem, Cathy, I realized it was confusing when I wrote it. The simple
answer is yes. Move your computers into the OU as Denis Suggested. My
solution is more of a longer term resolution if you start deploying software
and varying group settings. For instance, I also have a small domain on our
network; it has about 30-35 pc's in it. I have different OU's for location,
departments, desktops, and notebooks etc. I realized that it became hard to
plan out how I would deploy certain settings to certain users while
maintaining a consistent structure. For example, I have an OU for all
desktops and an OU for all notebooks so that I can maintain different policy
settings on each. In order to deploy a package to 2 specific desktops and 1
specific notebook I would have to move them out of the desktop/notebook OU's
and into another OU to single them out for deployment of the package. Using
the "Apply Policy" security setting trick, I would not have to do any of
that. I would simply add them to a new security group, which does not
remove them from the OU.

Ok, as I typed this out I probably stink at explaining it. To solve your
immediate issue, follow Denis's advice! Sorry if I caused more confusion.

 

[cathylb]

Shaune,

OOooooooooh, ding ding ding - I get it now. You know, that will come in
handy for me at some point - I'm printing this out! Thanks to both you
and Denis for your help! Off to set up my SUS! I have another question
about SUS that I will post in another group...

Cathy