
HOWTO: Using GPO Enforcement and GPO Modeling

We recently had a need to apply one-off GPO settings to all servers in TST to override any other WSUS settings for a one-off forced update of all servers. This seemed like a good time to document this procedure and share it with those learning GPOs in general.

First, let’s understand the WSUS GPO Structure I have put in place:


What we have here are four main WSUS OUs under the SERVERS OU:

· WSUS-Servers-Automatic – those servers that will be automatically patched.

· WSUS-Servers-Manual – those servers that will be manually patched, but still need settings configured to point at the WSUS server, pre-download updates, etc.

· WSUS-Servers-PrimaryAutomatic – used for servers in NLB or clusters where there are two or more servers and they CAN be patched automatically, as long as they are done at alternating times. In our case, I set the Primary for a Saturday operation.

· WSUS-Servers-SecondaryAutomatic – same as above, but used for the Secondary servers, and set to a Sunday operation, leaving a day between for checks and balances.


When we look at the GPO Management Console, you can see that each of the OUs has its corresponding GPO linked. Also, “WSUS-Servers-Manual” is linked to the parent “Servers” OU, so that all servers at a bare minimum get the “Manual” settings that point them at the WSUS server, do reporting, etc. The important thing to note here is that for this one-off event, I have linked “WSUS – Servers – Automatic” to the root of the SERVERS OU and set it as “ENFORCED”. An enforced link wins over any conflicting setting in GPOs linked lower in the OU tree, and it cannot be blocked by “Block Inheritance” on a child OU.
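The same link and enforcement can be set and checked from PowerShell, which is handy when the one-off change has to be scripted and then reverted. The following is an added example, not code from the original post; it assumes the GroupPolicy module (installed with GPMC/RSAT) is available, and the OU distinguished name is a placeholder for your own SERVERS OU.

```powershell
# Added example (not from the original post): link the "WSUS - Servers - Automatic"
# GPO to the SERVERS OU as ENFORCED and verify the link state from PowerShell.
# Assumptions: the GroupPolicy module is installed, and the OU distinguished
# name below is a placeholder for your own SERVERS OU.
Import-Module GroupPolicy

$GpoName   = 'WSUS - Servers - Automatic'
$ServersOu = 'OU=SERVERS,DC=focuscorptest,DC=local'   # placeholder DN, adjust to your domain

# If the GPO is already linked to the OU, just flip the Enforced flag;
# otherwise create the link with Enforced set from the start.
$existing = (Get-GPInheritance -Target $ServersOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }

if ($existing) {
    Set-GPLink -Name $GpoName -Target $ServersOu -Enforced Yes | Out-Null
} else {
    New-GPLink -Name $GpoName -Target $ServersOu -Enforced Yes | Out-Null
}

# List every GPO linked directly to the OU, its link order and whether it is
# enforced. This is the PowerShell equivalent of the padlock icon in GPMC.
(Get-GPInheritance -Target $ServersOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# When the one-off patch run is over, drop the enforcement again (the post does
# this by unchecking ENFORCED in GPMC). Leaving it enforced by accident would
# keep auto-patching every server in the OU tree, including the "Manual" ones.
# Set-GPLink -Name $GpoName -Target $ServersOu -Enforced No
```

Running the listing step before and after the change gives you a record of the link state that you can keep with the change ticket for the one-off event.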


This changes the icon on the link to show a padlock.

To test this operation, what we want to do now is run a Group Policy Modeling Wizard on any user and any server in the OU. We do this by right-clicking on Group Policy Modeling and choosing Group Policy Modeling Wizard:



Choose the DOMAIN you want to run against as well as the DC and click NEXT.


Choose the simulated user container and server container.  In our case, we can use the root of the domain as we want “any user” and we use the root of the SERVERS OU.  Check the box to Skip to the final page… and click NEXT, and then NEXT and then FINISH.


When the modeling wizard completes, we can see the summary. If you expand GROUP POLICY OBJECTS and then APPLIED GPOs, you can see which GPOs were applied. Here we can see that BOTH “WSUS – Servers – Manual” and “WSUS – Servers – Automatic” were applied. This is great and all, but WHICH settings were applied, as they have conflicting settings? Click on the SETTINGS tab…



The important thing here is the “WINNING GPO”. It will TELL you not only which GPO won, but also show you the setting(s) that it applied. So we can confirm that the “WSUS – Servers – Automatic” GPO will apply to all servers in this OU.

If we go back to the GPO link and uncheck ENFORCED, we can come back to the Group Policy Modeling Wizard. Because it was previously run, the query settings are saved, and you can right-click on this model and re-run it against the current configuration – very handy if you have to test specific sets of groupings often.



Here we can see that, at least for servers in the SERVERS OU, the “WSUS – Servers – Manual” GPO will apply. This is normally what we want – the SERVERS OU, unless a server is in one of the sub-OUs, should only be MANUAL, i.e. “3 – Auto Download and Notify for install” – which is exactly what we see.
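The modeling wizard predicts which GPO should win; it does not tell you what a given server actually has right now. As an added example (not from the original post), this script refreshes computer policy on every server under the SERVERS OU and reads back the WSUS client settings from the policy registry key, flagging any server whose AUOptions value differs from the “Manual” value 3 that the post expects. It assumes WinRM is enabled on the servers, the ActiveDirectory module is installed, and the OU distinguished name is a placeholder for your own SERVERS OU.

```powershell
# Added example (not from the original post): confirm the effective WSUS setting
# on the servers themselves after a policy refresh.
# Assumptions: WinRM enabled on the servers, ActiveDirectory module installed,
# and the OU DN below is a placeholder for your own SERVERS OU.
Import-Module ActiveDirectory

$ServersOu = 'OU=SERVERS,DC=focuscorptest,DC=local'   # placeholder DN
$Expected  = 3   # "Auto download and notify for install" = what the Manual GPO sets

# Meaning of the AUOptions value written by the WSUS Group Policy settings.
$AuOptionNames = @{
    2 = 'Notify before download'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

# Every computer object in SERVERS and its sub-OUs (subtree search is the default).
$servers = Get-ADComputer -SearchBase $ServersOu -Filter * |
    Select-Object -ExpandProperty Name

$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    # Refresh computer policy first so we read the current state, not whatever
    # was applied at the last background refresh.
    gpupdate /target:computer /force | Out-Null
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        AUOptions   = $au.AUOptions
        UseWUServer = $au.UseWUServer
        WUServer    = $wu.WUServer
    }
}

foreach ($r in $results) {
    $code = [int]$r.AUOptions   # $null becomes 0, which is "not set by policy"
    $name = if ($AuOptionNames.ContainsKey($code)) { $AuOptionNames[$code] } else { 'not set by policy' }
    [pscustomobject]@{
        Server    = $r.Server
        AUOptions = "$code - $name"
        WUServer  = $r.WUServer
        Matches   = ($code -eq $Expected)
    }
} | Format-Table -AutoSize

# Servers that did not answer at all deserve a look too: a server that is not
# reachable is also a server whose patch state you cannot confirm.
$missing = $servers | Where-Object { $_ -notin $results.Server }
if ($missing) { Write-Warning ("No result from: " + ($missing -join ', ')) }
```

While the enforced “Automatic” link is in place, set `$Expected` to the value that GPO configures (4 for a scheduled install) so the Matches column tells you whether the one-off override actually reached every server.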

So we have a great way to force these settings, one time, to all SERVERS in the SERVERS OU or its sub-OUs. This is a great time saver. But what if we were told that one of the servers should NOT be patched? Now we have a logistical issue.

Right click on the GPO in question, and choose EDIT:


NOTE that in our example, it is STILL set as ENFORCED!

Right-click on the GPO itself (the root node in the editor), not on the COMPUTER or USER configuration, and choose PROPERTIES:


(You’ve probably never thought to right-click on this object :))

Click on the SECURITY tab:


Click on ADD:




Select COMPUTERS and click OK


Enter the name of the SERVER(S) to be DENIED and click CHECK NAMES which will underline the servers and then click OK.


Ensure you’ve selected the SERVER(S), and in the PERMISSIONS list choose APPLY GROUP POLICY and select the DENY option. Press OK.


The WINDOWS SECURITY message is in fact true – DENY takes precedence over ALLOW, including the Allow that the enforced link gives to Authenticated Users. This is what we want, so click YES. Close the GPO you’re editing.

Now let’s return to the GROUP POLICY MODELING and let’s create a new model.  Right click and choose GROUP POLICY MODELING WIZARD:



We’re still going to select the root of the domain for the USER, but for the COMPUTER, instead of a Container (OU), we’re going to select the SPECIFIC computer object. You can use the BROWSE button to do so. Click NEXT after checking the “Skip to the final page” option.


Here you can see:

· Group Policy Modeling clearly shows I’m testing COMPUTER=FSRVTSTDB1 against all users in FOCUSCORPTEST.

· The WSUS-SERVERS-AUTOMATIC GPO linked to the SERVERS OU is in fact still set to ENFORCED – which should make it apply to ALL SERVERS.

· The Winning GPO was NOT “WSUS-SERVERS-AUTOMATIC” – because the security filtering we set on that GPO denies this server the right to apply it.
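Two checks a practitioner would want alongside the modeling result: a list of every Deny entry on the GPO (a stale Deny silently keeps a server out of patching long after the one-off event), and the live Resultant Set of Policy from the excluded server, which shows the GPO as linked but filtered out. This is an added example, not code from the original post; it assumes the GroupPolicy module is installed, uses the computer name FSRVTSTDB1 from the post, and the report path is a placeholder. The XML element names used when reading the report are those of the RSoP XML schema that `Get-GPResultantSetOfPolicy` produces.

```powershell
# Added example (not from the original post): audit Deny entries on the enforced
# GPO, then confirm on the excluded server via RSoP logging mode.
# Assumptions: GroupPolicy module installed; FSRVTSTDB1 is the server from the
# post; the report path is a placeholder.
Import-Module GroupPolicy

$GpoName  = 'WSUS - Servers - Automatic'
$Computer = 'FSRVTSTDB1'
$Report   = Join-Path $env:TEMP "rsop-$Computer.xml"   # placeholder output path

# 1. Security filtering audit: every trustee that is DENIED a permission on the GPO.
#    Each GPPermission object exposes Denied, Permission and Trustee.
Write-Host "Deny entries on '$GpoName':"
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Denied } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'Type';    e = { $_.Trustee.SidType } },
                  Permission, Inheritable |
    Format-Table -AutoSize

# 2. What the server itself reports (logging mode = what actually applied,
#    as opposed to the modeling wizard's planning mode).
Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Xml -Path $Report | Out-Null
[xml]$rsop = Get-Content -Path $Report

# Element names below (Name, Enabled, FilterAllowed, AccessDenied, Link/NoOverride)
# are those of the RSoP XML report; PowerShell's dot notation ignores the namespace.
Write-Host "Computer-side GPOs seen by $Computer:"
$rsop.Rsop.ComputerResults.GPO |
    Select-Object Name, Enabled, FilterAllowed, AccessDenied,
                  @{ n = 'Enforced'; e = { $_.Link.NoOverride } } |
    Format-Table -AutoSize

# The state the post describes is a GPO row that is Enforced = true but
# AccessDenied = true: the Deny on "Apply Group Policy" beats enforcement.
```

Run the first part periodically against every GPO that has ever carried a one-off Deny; the second part is what you hand to whoever asked for the server to be excluded, since it comes from the server rather than from a simulation.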

This seemed like a really good place to show practical examples of:

· GPO Inheritance

· GPO Conflict Detection

· GPO Enforcement

· Group Policy Modeling usage

· Security filtering on GPOs to allow/deny them to be applied.

    · This is also a really good way to set settings for USERS but exclude certain members. Examples could be “All employees, except Managers” or “All employees get these visual settings, except employees requiring visual aids, who can choose their own video settings accordingly”.

Hopefully this helps someone in the future, especially those studying for the 70-680 exam or presently working on GPOs in general.

Categories: GPO, WSUS