Friday, May 30, 2008

WSUS3 automatically grouping computers via Group Policy

Because M$ has such lame documentation in this area, I'll hafta do it myself.

Create your groups in the WSUS console under All Computers; make a Test group while you are at it. Don't waste time moving any PCs yet.
If you haven't upgraded to the Group Policy Management Console (aka GPMC), do it now [link]
Open GPMC (Start, Run, type mmc will do it)
File, Add/Remove Snap-in, click Add
Active Directory Users and Computers, Add, Close, OK... whatever
If you haven't created any OUs (Organizational Units), now would be a good time to do it. We group computers by department. Right click anywhere under your domain name and choose New, Organizational Unit
Right click any OU and choose Properties, Group Policy tab, and click Open
If this is the first time you have opened the new GPMC it'll ask for a domain or whatever
Expand your domain and click on Group Policy Objects
All your existing GPOs will appear in the right pane
Right click on Group Policy Objects (left pane) and choose New
Give your GPO a name; I called mine WSUS + IS Group
Right click on your GPO in the right pane and choose Edit; the editor will open
Since nothing we are going to change applies to Users, right click on the policy name at the very top, choose Properties, and check Disable User Configuration Settings. This makes applying the policy faster; it matters once you have a few dozen of them.
Under Computer Configuration/Administrative Templates/Windows Components/Windows Update
in the right pane find a setting called "Enable client-side targeting" and double click it
Change its configuration to Enabled and under Target Group type the group name you created in the WSUS console (not the OU name or the policy name; they could be different). My group name is "IS". Click OK and close down the GP editor (there is no save button, you're doing this all live; tks M$)
In Group Policy Management right click an OU and choose "Link an existing GPO..." and choose the GPO you just created.


I like to separate my WSUS config into 2 pieces for manageability. The other piece looks like this:

WSUS - Ask Reboot
Computer Configuration/Administrative Templates/Windows Components/Windows Update
Configure Automatic updates = 4, Every day, 00hours
Specify intranet M$ update service...= http://update.mydomain.com
(just call it update and make a dns pointer)
Reschedule Auto = 1
No auto restart = Enabled
Auto Update detect frequency = 4
(expect problems if you go below 3)
Re-prompt = 15min
Enable Power management = Enabled

I created another called WSUS - Force Reboot for some PCs that are used like kiosks.

So now you don't need to make a hundred custom GPOs:
WSUS - Ask Reboot holds my base settings and custom pieces are added on with a "WSUS +" policy.
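To check that the targeting GPO and the WSUS - Ask Reboot GPO actually landed on a client, here is an added PowerShell script (mine, not from the post) that reads the registry values the Windows Update policy template writes and compares them with the settings listed above. It assumes the server name update.mydomain.com and the target group "IS" from this post, and it also flags any WUServer value that does not point at that host, because a client trusting the wrong update server is the thing you most want to notice. Run it as an administrator on a client after gpupdate /force.

```powershell
# Added example: audit a client's effective WSUS policy against the two GPOs above.
# Assumed values from the post: server update.mydomain.com, target group "IS".
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Key = "registry path|value name"; the names are those the Windows Update ADM template writes.
$expected = @{
    "$wuKey|WUServer"                      = 'http://update.mydomain.com'  # Specify intranet update service
    "$wuKey|WUStatusServer"                = 'http://update.mydomain.com'
    "$wuKey|TargetGroupEnabled"            = 1                             # Enable client-side targeting
    "$wuKey|TargetGroup"                   = 'IS'                          # the WSUS group name, not the OU
    "$auKey|UseWUServer"                   = 1
    "$auKey|AUOptions"                     = 4                             # Configure Automatic Updates = 4
    "$auKey|ScheduledInstallDay"           = 0                             # Every day
    "$auKey|ScheduledInstallTime"          = 0                             # 00 hours
    "$auKey|RescheduleWaitTime"            = 1                             # Reschedule Auto = 1
    "$auKey|NoAutoRebootWithLoggedOnUsers" = 1                             # No auto restart = Enabled
    "$auKey|DetectionFrequencyEnabled"     = 1
    "$auKey|DetectionFrequency"            = 4                             # detect frequency = 4 hours
    "$auKey|RebootRelaunchTimeoutEnabled"  = 1
    "$auKey|RebootRelaunchTimeout"         = 15                            # Re-prompt = 15 min
    "$auKey|AUPowerManagement"             = 1                             # Enable Power management
}

function Test-WsusPolicy {
    param([hashtable]$Expected, [string]$ServerPattern)
    $problems = @()
    foreach ($entry in $Expected.GetEnumerator()) {
        $path, $name = $entry.Key -split '\|', 2
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual) {
            $problems += "MISSING  $path\$name (expected $($entry.Value))"
        } elseif ("$actual" -ne "$($entry.Value)") {
            $problems += "MISMATCH $path\$name = $actual (expected $($entry.Value))"
        }
    }
    # The update server URL is the value you least want silently changed: flag anything
    # that does not point at the expected host, whatever the table above says.
    $server = (Get-ItemProperty -Path $wuKey -Name WUServer -ErrorAction SilentlyContinue).WUServer
    if ($server -and ($server -notmatch $ServerPattern)) {
        $problems += "ALERT    WUServer points somewhere unexpected: $server"
    }
    return $problems
}

# Hostname pattern is an assumption matching the post's DNS pointer; adjust for your domain.
$result = @(Test-WsusPolicy -Expected $expected -ServerPattern '^https?://update\.mydomain\.com(:\d+)?/?$')
if ($result.Count -eq 0) { 'WSUS policy matches the expected settings.' } else { $result }
```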

Other pieces of the puzzle:
WSUS' natural enemy is Hibernate; make a .bat file like this:

PowerCfg.bat
rem This changes the Desktop scheme (numerical id 0, "Home/Office Desk") but leaves the Laptop scheme (id 1) as is.
rem Show the current power schemes before changing anything.
POWERCFG.exe /QUERY
rem A hibernated PC never checks in with WSUS, so turn hibernation off.
POWERCFG.exe /HIBERNATE OFF
rem Timeouts are in minutes while on AC power; /NUMERICAL means the scheme is given by its id.
POWERCFG.exe /CHANGE 0 /NUMERICAL /monitor-timeout-ac 13
POWERCFG.exe /CHANGE 0 /NUMERICAL /disk-timeout-ac 23
POWERCFG.exe /CHANGE 0 /NUMERICAL /standby-timeout-ac 43
POWERCFG.exe /CHANGE 0 /NUMERICAL /processor-throttle-ac ADAPTIVE
rem Require a password when the machine resumes from standby.
POWERCFG.exe /GLOBALPOWERFLAG ON /OPTION RESUMEPASSWORD
rem Show the result so you can see the change took.
POWERCFG.exe /QUERY

This will need to be run as administrator; check out lsrunase.


You may want to change the BIOS settings of your workstations to allow Wake-On-LAN;
alternately you may want them to power themselves on at 1am every Monday.
Our HP 57xx series desktops can modify the BIOS from within Windows using HP CMI.

WakeOnLanEnable.bat
rem Enables "S5 Wake on LAN" in the BIOS of an HP desktop using the HP CMI scripts published in the netlogon share.
set svr=dc1.mydomain.com
if not exist c:\util md c:\util
rem /d copies only when the copy on the server is newer.
xcopy /d \\%svr%\netlogon\BiosQuery.wsf c:\util
rem Show the current value of the setting.
cscript \\%svr%\netlogon\BiosQuery.wsf /setting:"S5 Wake on LAN"
rem Change it.
xcopy /d \\%svr%\netlogon\ChangeSetting.wsf c:\util
cscript c:\util\ChangeSetting.wsf /setting:"S5 Wake on LAN" /value:Enable
rem Dump the whole BIOS config to confirm the change.
cscript \\%svr%\netlogon\BiosQuery.wsf
