Friday, January 20, 2012

Windows Updates GPOs divided up

In light of our discussions of implementation for KACE Patching, I have spent today doing some work on the Windows Updates group policies (on the CVUSD domain for now).
There are a couple of items that I would like to draw your attention to:

  1. The Windows Updates group policy items were embedded in the Default Domain policies of the forest root domain (this is bad practice anyway), so I moved those policies over into an individual one called "Windows Updates".
  2. In the process, there were a bunch of other policies which looked like they were left over from eons ago, because they still pointed to some cvusd-do-sus. These have been deleted.
  3. I have taken the time to classify all the computers in the "Computers" OU into their corresponding OUs under each department and/or School.
  4. I have tied in the Windows Update policies to the individual OUs for each department or School.
  5. I have disabled the Windows Update policies on the root of chino.k12.ca.us.

What this means (and this is by design as far as GPOs go):
The original Active Directory provided "Computers" OU will no longer get the "Windows Updates" Policy. I would've implemented it differently, but AD simply doesn't allow the application of GPOs specifically on the Computers OU.
So what I need from you is to make sure to place any computers you join to AD in the corresponding OUs, so that they may get their Windows Updates according to the Windows Updates GPO, until they get configured to get their patching from KACE.

I know this is a bit convoluted, but it had to be done, so that we can be correctly set up to phase in KACE patching without disrupting Windows Updates across the environment.

If you have any questions or concerns, please let me know.
  • This change was made on 01/20/2012 
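
As an added example (not part of the original post or the district's own tooling), the PowerShell below audits the result of the change described above: it lists computer accounts still in the default Computers container and reports, for each OU that directly holds computers, whether an enabled "Windows Updates" link applies. It assumes the RSAT ActiveDirectory and GroupPolicy modules and runs read-only against the current domain.

```powershell
# Added example: find computer accounts that will not receive the
# "Windows Updates" GPO. Read-only; makes no changes to AD or GPOs.
Import-Module ActiveDirectory, GroupPolicy

$gpoName = 'Windows Updates'   # GPO name as given in the post
$domain  = Get-ADDomain        # assumption: run from a machine joined to the domain being audited

# 1. Accounts still in the default container (CN=Computers,...).
#    It is a container, not an OU, so no GPO can be linked to it.
$stranded = Get-ADComputer -Filter * `
    -SearchBase $domain.ComputersContainer -SearchScope OneLevel

Write-Output "Computers left in $($domain.ComputersContainer): $(@($stranded).Count)"
$stranded | Select-Object Name, DistinguishedName

# 2. For each OU that directly contains computer accounts, check whether
#    an enabled link to the GPO is present, directly or through inheritance.
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $count = @(Get-ADComputer -Filter * `
        -SearchBase $ou.DistinguishedName -SearchScope OneLevel).Count
    if ($count -eq 0) { continue }

    $links   = (Get-GPInheritance -Target $ou.DistinguishedName).InheritedGpoLinks
    $applies = @($links | Where-Object {
        $_.DisplayName -eq $gpoName -and $_.Enabled
    }).Count -gt 0

    [pscustomobject]@{
        OU                = $ou.DistinguishedName
        Computers         = $count
        WindowsUpdatesGpo = $applies
    }
}

# OUs holding computers that the GPO does not reach are listed first.
$report | Sort-Object WindowsUpdatesGpo, OU | Format-Table -AutoSize
```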
