SUS

Hi

I had a client in the default OU "Computers" that wasnt getting any updates until i moved it into the correct OU, then i moved it back to the default OU so as not to get any updates for the purpose of making MSI files

It seems that it is still getting updates, is this possible

How can i stop updates getting to the PC

Lee H

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

sprkymrk

I have found that many times more than 1 reboot is necessary for Group Policy to "apply" correctly. You can also manually update some policies on a computer by running gpupdate /force from the run line or cmd prompt. To see if there are policies that need a reboot, use the command gpupdate /force /boot, this will cause the client to automatically reboot if necessary.

Lee H

the question i was asking, the default OU that a client goes into when first joined to the domain has no group policy applied, its only when you move it into an OU that the client gets the group policy

I have done that with a client but now i wish to move it back into the default OU and not get any more updates via the group policy, is there a setting on the client to disable this

Can you help spymark, your usually most helpful

Cheers

Lee H

dtlokee

It would seem you will need to add it to an OU with a group policy set to remove the existing policy, simply moving it to an OU with no policies will leave th existing one in place. When you apply a policy, you have the option to enable the policy (add it) or disable the policy (remove it). I think what you need to do is define a GPO with the policy enabled but hit the radio button to disable the policy so the policy is removed from the computer's registry.

blargoe

Is it really downloading new updates, or is it just the same updates that were downloaded to the computer's hard drive from when the policy was in effect? If the updates are already on your hard drive and then you remove the GPO, the updates are still going to prompt you to install unless you disable updating.

You can easily check which GPOs are actually in effect by running the gpresult command on the computer, it will list all of the user and computer GPOs that are applied and which ones were filtered out.

sprkymrk

dtlokee wrote:

It would seem you will need to add it to an OU with a group policy set to remove the existing policy, simply moving it to an OU with no policies will leave th existing one in place. When you apply a policy, you have the option to enable the policy (add it) or disable the policy (remove it). I think what you need to do is define a GPO with the policy enabled but hit the radio button to disable the policy so the policy is removed from the computer's registry.

Dtlokee is 100% correct. The default OU will have everything set to "Not Defined", so moving them back into it won't change anything that was set in the OU that had policies defined/enabled/disabled.

royal

This is a little off topic, but I'm surprised that nobody has mentioned this yet, but there is no Default OU unless you use something such as the redirusr command. The Computers container is not an OU because it cannot have any Group Policy Objects attached to its container.
You can see this through a simple look at the Distinguished name of the Computers container vs the OU container.
Computers Container = CN=Computers,DC=domain,DC=com
OU Container = OU=OUname,DC=domain,DC=com

Now to the actual point, what others are saying, it's sound information. When you are moved into an OU, GPOs are applied to you. Information is stored in the registry. f you are moved back into the Computers container, this doesn't tell the client to wipe out any registry modifications that previous GPOs applied to you. You essentially have to move it into a different OU that has these settings defined a different way or disabled. I know I'm being redundant as what I have already said others have already explained, but I'm a guy who likes redundancy.

Lee H

Thanks guys you have all been most helpful