0

We are considering implementing WSUS at work. The biggest question is using groups. If a machine is made a member of two different groups, and one group is approved for an update and one is not, will that machine be approved for that update? Most products from Microsoft use the philosophy of 'most restrictive', but I can find no evidence of this in WSUS.

1 Answer

1

WSUS computer groups are not the same as AD groups. In WSUS a computer can only belong to one group at a time. So Group:Computer is 1:M (one-to-many).

This differs from AD where Group:Computer is M:M (Many-to-Many). You can put many computers into a group, and any computer can belong to many groups at any one time.


Caveats:

  • WSUS groups are, despite the above, in a hierarchy. If you approve an update 'up the tree' it will usually inherit to the child groups and end up being approved for all computers underneath. However, this can be controlled in WSUS on a per-update basis, if you wish.

  • It's possible to configure a system such that AD group membership results in WSUS Group Policy application, which then results in a computer being placed into a particular target group. Only 1 WSUS target group will end up being applied and this is determined by the usual group policy inheritance order.

Chris Thorpe
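
To audit how an approval flows down the group hierarchy described in the answer, the following added example (not part of the original answer) walks the WSUS group tree from "All Computers" and reports, per group, whether an update's approval is set explicitly or inherited. It assumes it is run on the WSUS server with the UpdateServices module available, that an approval set on a group takes precedence over the parent's, and that `KB0000000` is a placeholder; the function name `Get-EffectiveApproval` is hypothetical.

```powershell
# Added example: effective approval of one update for every WSUS computer group.
param(
    [string]$Kb = 'KB0000000'   # placeholder: replace with the update to audit
)

Import-Module UpdateServices
$wsus   = Get-WsusServer
$update = $wsus.SearchUpdates($Kb) | Select-Object -First 1
if (-not $update) { throw "No update matching '$Kb' found on this WSUS server." }

function Get-EffectiveApproval {
    param(
        $Group,
        [string]$Inherited = 'NotApproved',  # nothing to inherit above the root
        [int]$Depth = 0
    )

    # Approvals recorded for this group and this update (empty if none).
    # Assumption: an approval set here overrides what the parent passes down.
    $explicit = @($update.GetUpdateApprovals($Group))
    if ($explicit.Count -gt 0) {
        $action = [string]$explicit[0].Action
        $source = 'explicit'
    } else {
        $action = $Inherited
        $source = 'inherited'
    }

    [pscustomobject]@{
        Group  = ('  ' * $Depth) + $Group.Name   # indent shows the tree depth
        Action = $action
        Source = $source
    }

    # Child groups receive this group's effective action as their default.
    foreach ($child in $Group.GetChildTargetGroups()) {
        Get-EffectiveApproval -Group $child -Inherited $action -Depth ($Depth + 1)
    }
}

$allComputers = [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers
$root = $wsus.GetComputerTargetGroup($allComputers)
Get-EffectiveApproval -Group $root | Format-Table -AutoSize
```

Rows marked `inherited` under an approved parent are the groups that receive the update without anyone having approved it for them directly, which is where an unintended rollout usually hides.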