2

I am trying to use group policy with WSUS to prevent stuff like Silverlight from being installed unless it is required. I want computer groups for each of the software (so a computer will end up in multiple targeting groups) and these will be assigned by GPOs.

The problem is the client-side targeting settings from multiple GPOs override instead of merge.

Does anyone know any easy way to achieve this without an exponential explosion of GPOs?

billc.cn
  • 444
  • 5
  • 12

3 Answers

1

As you suspect, there isn't an easy way to achieve this without an exponential explosion of GPOs. Or by manually assigning groups, which probably isn't an option for you, either.

Try looking at your clients from the perspective of roles instead of "what software is installed?" and/or "where is this machine at?" The physical location of the client, after all, probably doesn't matter from the viewpoint of what updates it receives. For example, typically all the accounting workstations have a set of software installed (or could have a standard set) and all the operations workstations have a set of software installed. This becomes two targeting groups in WSUS and updates are applied based on what software you already know is in each group by role.

It'd be great if a merge were possible, but I can't sort out a simple solution to your problem even using WMI filtering.

This isn't a great answer, but I feel like it's better than the two you have here.

Jeremy
  • 129
  • 5
0

Looking at your question I understand you want specific computers to be in multiple WSUS computer groups. If that is the case, you will need one GPO to push multiple computer groups from rather than multiple GPOs to push individual computer groups, otherwise the setting (registry key) gets overwritten.

You can specify multiple computer groups per GPO; they need to be separated by a semicolon. Here's the description I just pulled from the group policy setting:

"If the intranet Microsoft update service supports multiple target groups this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified."

Example:

Workstations;London;London Workstations

Mbond65
  • 166
  • 6
  • Yes, I understand all this, but say I want to distinguish between 10 software suites, then there will be 2^10 = 1024 possible combinations of computer groups. I cannot possibly create so many GPOs. I need a way to encode all these possibilities in one GPO. – billc.cn Jul 06 '14 at 15:51
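Added example, not part of any answer above: one way to combine the role-based grouping from the first answer with the semicolon-separated group list from the second, so the GPO count follows the number of roles rather than the number of software combinations. The role names, group names and the "WSUS Targeting - " GPO name prefix are constructed for illustration; the script assumes the GroupPolicy module (RSAT) and that the named computer groups already exist on the WSUS server.

```powershell
#Requires -Modules GroupPolicy
# Added example: role names, group names and the GPO name prefix are constructed.
# Registry location written by the client-side targeting policy setting.
$WuKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

# One entry per role, listing every WSUS computer group that role belongs to.
$Roles = [ordered]@{
    'Accounting' = @('Workstations', 'Silverlight', 'Office')
    'Operations' = @('Workstations', 'Office')
    'Kiosk'      = @('Workstations')
}

function Get-TargetGroupString {
    param([Parameter(Mandatory)][string[]]$Groups)
    foreach ($g in $Groups) {
        # A semicolon inside a name would silently split it into two groups.
        if ([string]::IsNullOrWhiteSpace($g) -or $g -match ';') {
            throw "Invalid WSUS group name: '$g'"
        }
    }
    # Trim, de-duplicate, and join in the format the policy setting expects.
    ($Groups | ForEach-Object { $_.Trim() } | Select-Object -Unique) -join ';'
}

foreach ($role in $Roles.Keys) {
    $gpoName = "WSUS Targeting - $role"
    $value   = Get-TargetGroupString -Groups $Roles[$role]

    # Create the GPO only if it does not exist yet, so the script can be re-run.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

    # Enable client-side targeting and write the full group list in ONE value,
    # because a second GPO setting TargetGroup would overwrite it, not merge.
    Set-GPRegistryValue -Name $gpoName -Key $WuKey -ValueName 'TargetGroupEnabled' `
        -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $WuKey -ValueName 'TargetGroup' `
        -Type String -Value $value | Out-Null

    # Emit a summary row for review before the GPOs are linked.
    [pscustomobject]@{ Role = $role; Gpo = $gpoName; TargetGroup = $value }
}
```

The script does not link the GPOs; link or filter each one so that a computer receives only one targeting GPO, since a second one would replace the value rather than add to it.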
0

In WSUS: Go to Options > Computers.

Select the option to manually assign groups.

This allows you to manually manage the computer assignment with WSUS.