Question (0 Votes)
DonohueKevinS-7173 asked, DonohueKevinS-7173 commented

GPO for WSUS Precedence and Scope

I'm in an enterprise AD (univ) environment where I control our main OU and sub-OUs, where I apply GPOs. I have a standard WSUS GPO to push auto installs and restarts at night, and then a "no auto restart" WSUS GPO I want to apply to one PC in a particular sub-OU.

I have a standard WSUS GPO that I apply to all sub-OUs that has "4-Auto download and schedule install" -> for "4-Every Wed" at 22:00, and "Every week" enabled. Also the "allow auto update immediate install" is enabled (description states it's for certain updates that neither interrupt Windows services nor restart Windows), and "No auto-restart with logged on users" is disabled. I apply this to all sub-OUs (different groups of PCs).

For the one PC, in a particular sub-OU, that I don't want to "auto install\restart" with updates, I created another GPO with "allow auto updates immediate install" disabled and "3-Auto download and notify for install" with "No auto-restart with logged on users" enabled, and the Scope set via Security Filtering to the particular PC's name and the username of the user who will be logged in overnight (is using both PC name and user incorrect?).

I have this latter "no auto restart" GPO at link order #3 and the former "standard WSUS GPO" at link order #4 for the other PCs in this sub-OU.

As I understand it, GPOs with a smaller precedence number are processed last and take precedence over GPOs with higher numbers, so the no auto restart GPO should take precedence, correct?

The problem is that the PC in question still keeps auto installing updates and restarting, and it does so on Wed mornings at approx 6:30. I don't understand why the precedence of the two GPOs is not applying, and even so, why the seemingly applied standard WSUS GPO installs on Wed morning when it is set as "4-Auto download and schedule install" -> for "4-Every Wed" at 22:00.



Tags: windows-group-policy, windows-server-update-services

Answer (0 Votes)
AJTek-Adam-J-Marshall answered, DonohueKevinS-7173 commented

B is partly correct - but the Authenticated Users entry must be done in the Delegation tab and only given the READ permission.

Remove Authenticated Users from the filter scope and add instead a GROUP, COMPUTER or USER.

If applying a COMPUTER based policy, add AUTHENTICATED USERS or DOMAIN COMPUTERS in the Delegation tab with READ permissions only (but if you only add Domain Computers, admins will still have trouble seeing the GPO; when doing a GPResult /h gpo.htm, however, the computer WILL be able to see its name).

Domain Computers is a subset of Authenticated Users.


Great. Thanks for the Help!

Answer (0 Votes)
AJTek-Adam-J-Marshall answered, DonohueKevinS-7173 commented

Use GPResult to figure out what's going on - it will not only tell you what the resultant policy is, but also which GPO 'wins'.

From an Administrative Command Prompt on an affected client, run the following:
gpresult /h gpo.htm

You can also use gpmc.msc to see - click on an OU, click Group Policy Inheritance tab. The closer the GPO is to #1, the more it will take precedence over others behind it.


Tnx for the response. So you have confirmed my understanding that the precedence of the link order is set correctly.

Still, though, the PC in question is auto updating and restarting. Is it how I applied the Scope of the "no auto-restart" GPO (to the PC name AND the username)? Or does something in the GPO configuration settings I listed look off?
Tnx

Answer (0 Votes)
AJTek-Adam-J-Marshall answered, DonohueKevinS-7173 commented

Are you suffering from the missing Authenticated Users in the Delegation tab of your new GPO? You've removed Authenticated Users from the Scope tab (that's fine), but then you have to add the Authenticated Users group to your Delegation tab with READ permissions.

It has to do with a Windows update released in June 2016 - MS16-072 - https://support.microsoft.com/en-us/kb/3163622

Taken from Emin's blog - https://p0w3rsh3ll.wordpress.com/2016/06/16/fix-gpo-permissions-before-applying-ms16-072/

To quickly display GPO names that don't have the Authenticated Users group, you can do:

PowerShell:

 Get-GPO -All | ForEach-Object {
     # Test if Authenticated Users group have at least read permission on the GPO
     if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
         $_
     }
 } | Select DisplayName

To add back the Authenticated Users group with Read Permissions on the Group Policy Object (GPO), you can do:

PowerShell:

 Get-GPO -All | ForEach-Object {
     if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
         $_ | Set-GPPermission -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Verbose
     }
 }

Now, every GPO has a permission set for the 'Authenticated Users' group; to check what permission is set for this group, you can do:

PowerShell:

 Get-GPO -All | ForEach-Object {
     [PsCustomObject]@{
         DisplayName = $_.DisplayName
         Permission = ($_ | Get-GPPermission -TargetName 'Authenticated Users' -TargetType Group).Permission
     }
 } | Out-GridView -Title 'Authenticated Users permissions'
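Putting the advice from this answer into one script, as an added example that is not from the thread or from Adam's reply: Authenticated Users is kept at READ only (so it shows in the Delegation tab but not under Security Filtering), and only the single computer account is given Apply. The WSUS settings discussed here are Computer Configuration settings, so the filter is on the computer account. The GPO name and computer name are assumed placeholders.

```powershell
# Added example, not part of the original thread. Scopes one GPO to a single
# computer while meeting the post-MS16-072 requirement that the computer account
# can still READ the GPO through Authenticated Users (Read only, no Apply).
Import-Module GroupPolicy

$GpoName      = 'WSUS - No Auto Restart'   # assumed GPO name
$ComputerName = 'LAB-PC01'                 # assumed computer account (no trailing $)

$gpo = Get-GPO -Name $GpoName

# The Security Filtering tab lists trustees that hold Apply. Authenticated Users
# must NOT hold Apply (every computer in the linked OU would get the policy), but
# it must keep Read or clients cannot evaluate the GPO at all. -Replace overwrites
# any existing level (for example GpoApply) with GpoRead instead of adding to it.
$gpo | Set-GPPermission -TargetName 'Authenticated Users' -TargetType Group `
                        -PermissionLevel GpoRead -Replace

# Only the one computer account gets Read + Apply Group Policy.
$gpo | Set-GPPermission -TargetName $ComputerName -TargetType Computer `
                        -PermissionLevel GpoApply

# Verify: Apply should be held by the single computer only; Authenticated Users
# should show GpoRead (present in Delegation, absent from Security Filtering).
$perms = $gpo | Get-GPPermission -All
$perms | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

$applyTo = $perms | Where-Object Permission -eq 'GpoApply' |
    ForEach-Object { $_.Trustee.Name }
if ($applyTo -contains 'Authenticated Users') {
    Write-Warning 'Authenticated Users still holds Apply; the GPO is not limited to the one PC.'
}
if ($applyTo -notcontains $ComputerName) {
    Write-Warning "$ComputerName does not hold Apply; the GPO will not be processed on it."
}
```

After running it, `gpresult /h gpo.htm` on the client should list the GPO under Applied GPOs rather than Denied GPOs.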

Tnx for the info. In fact, I started to compare GPOs, and in the one in question I had deleted the Authenticated Users w/ read rights, as I thought adding just the individual user account and their PC name would be enough. I have now added it back to the GPO in the Filter section (not w/ PowerShell); I'd assume both methods to add it work. I'll have to test it out to make sure that is it.
Tnx!


Btw, adding the Authenticated Users back would include all domain users. To filter the GPO in question to only affect the one particular PC, I have also added the PC name. Should that suffice, or is there a good reason that I should also add the username of the person who may be logged into this PC as well? Or will this possibly cause unintended consequences? Actually, I'm not sure if filtering on the PC and on a username makes sense at all in any situation, but I don't have experience with this.
Tnx.

Answer (0 Votes)
AJTek-Adam-J-Marshall answered, DonohueKevinS-7173 commented

Having READ permission only allows a user to run
gpresult /h gpo.htm
and SEE the name of the GPO that failed to apply. It doesn't apply it during processing; however, it allows the visibility for troubleshooting.
I suggest Authenticated Users, but you can also do just Domain Computers (but you may lose the visibility).


I appreciate your input and help!

I keep reading info about the changes after MS16-072 in regard to filtering and adding the required Authenticated Users and Domain Computers (that have "Read" from Security Filtering permissions), but I am unfortunately still confused.

Again, I'd like to use filtering to apply the no auto-restart GPO to one PC.

Must I
a. add the PC name to the filter section AND also add Domain Computers
b. add the PC name to the filter section AND also Authenticated Users
c. add the PC name to the filter section AND both Authenticated Users and Domain Computers

Which choice is the best and most concise and why?

Tnx!


Answer (0 Votes)
AJTek-Adam-J-Marshall answered, DonohueKevinS-7173 commented

Watch the first video by Dan Holme, starting at time 15:52

https://www.ajtek.ca/guides/role-based-access-security/

I recommend watching the entire video along with the other videos on that page by Dan Holme.


I've watched your video, where you speak of filtering GPOs using groups and also WMI filters. This is not what I am interested in. I did not hear anything else in that video that answers my previous question.

I understand there may be many ways to change this OU/sub-OU configuration, etc., but I am only interested in working with this configuration. I don't want to reinvent the wheel.

Given the changes after MS16-072 in regard to filtering and adding the required Authenticated Users and Domain Computers (that have "Read" from Security Filtering permissions),

Must I
a. add the PC name to the filter section AND also add Domain Computers
b. add the PC name to the filter section AND also Authenticated Users
c. add the PC name to the filter section AND both Authenticated Users and Domain Computers
d. options a, b, c won't work, with an explanation of why and what might work within this specific scenario

Tnx.
