Remove machines from WSUS


Solution 1

With WSUS settings at default domain level and no WSUS policy defined on the new OU, the settings you will be getting on these PCs will be the WSUS settings, and this is correct behaviour according to the rules of GPOs. What you need to do is create a new OU in your AD structure, move all your computers to that (aside from DCs, of course), define your WSUS policy on that OU, and then things should work the way you want them to.

Solution 2

I would use the Group Policy Modeling Wizard to determine exactly what policy is being applied to the OU. Also, it sounds like you are linking the Default Domain policy to an OU...you should NOT need to do this (policies flow down through AD and the "closest" policies have highest priority).

Also, remember that policy processing takes some time. You may want to run gpupdate /force on your servers.
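The check both answers describe can also be scripted. The following is an added example, not code from the original posts: it lists every GPO that reaches an OU through links and inheritance and shows which of them carry the WSUS values (WUServer, UseWUServer), then reads what the server itself currently has. The OU distinguished name is a placeholder, and the GroupPolicy module (installed with GPMC/RSAT) is assumed to be available.

```powershell
# Added example. $TargetOU is a placeholder DN (assumption); replace with your own.
Import-Module GroupPolicy

$TargetOU = 'OU=Non WSUS Servers,DC=example,DC=com'
$WuKey    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

function Get-GpoRegValue {
    param([guid]$GpoId, [string]$Key, [string]$ValueName)
    # Get-GPRegistryValue raises an error when the GPO does not configure
    # the value, so an error here means "not configured in this GPO".
    try {
        (Get-GPRegistryValue -Guid $GpoId -Key $Key -ValueName $ValueName -ErrorAction Stop).Value
    } catch {
        '(not configured)'
    }
}

function Get-WsusSettingSource {
    param([Parameter(Mandatory)][string]$Target)
    # InheritedGpoLinks holds every GPO that applies to the container,
    # including ones linked higher up (such as the Default Domain Policy).
    $links = (Get-GPInheritance -Target $Target).InheritedGpoLinks | Sort-Object Order
    foreach ($link in $links) {
        [pscustomobject]@{
            Order       = $link.Order
            Gpo         = $link.DisplayName
            LinkedAt    = $link.Target
            Enabled     = $link.Enabled
            Enforced    = $link.Enforced
            WUServer    = Get-GpoRegValue $link.GpoId $WuKey 'WUServer'
            UseWUServer = Get-GpoRegValue $link.GpoId "$WuKey\AU" 'UseWUServer'
        }
    }
}

function Get-LocalWsusPolicy {
    # Run on the server itself (after gpupdate /force) to see what was applied.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$path\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{ WUServer = $wu.WUServer; UseWUServer = $au.UseWUServer }
}

Get-WsusSettingSource -Target $TargetOU | Format-Table -AutoSize
Get-LocalWsusPolicy
```

Any row that shows a WUServer value is a GPO still pointing machines in that OU at WSUS, even when the GPO linked directly to the OU leaves the setting unconfigured.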


Author: Chris_K


Updated on September 17, 2022

Comments

  • Chris_K
    Chris_K over 1 year

    We're running the latest WSUS server 3.0 sp-something-or-other. Added the admin template to the domain group policy to get everyone into the pool, so to speak.

    Now, for various reasons, I have two servers that I need to remove from the WSUS family. They need to go back to getting their updates from Microsoft.

    I created a new OU ("Non WSUS Servers"). I created a new GPO as a copy of the Default Domain Policy ("non WSUS") and removed that wsus admin template.

    Deleted the 2 servers from WSUS. Yet they keep getting added back in. Clearly I'm missing a step here -- any ideas?


    While writing this, I noticed that my "Non WSUS Servers" OU "Group Policy Inheritance" lists my non WSUS GPO and then the Default Domain policy under it. Is that what's tripping me up?

    (can you tell I'm not a GPO wizard? ;-) )

  • Chris_K
    Chris_K over 14 years
    "Also, it sounds like you are linking the Default Domain policy to an OU...you should NOT need to do this" Well, as soon as I create a new OU it gets "Default Domain Policy" under the Group Policy Inheritance. Are you saying I should Block Inheritance?
  • Chris_K
    Chris_K over 14 years
    OK. Modeling shows me that even though my "non wsus" policy is there, the default GPO with the wsus stuff is there too -- via inheritance. Clearly I'm doing this wrong. Looks like mh's approach (no wsus in the default GPO) is the direction I should be headed.
  • Chris_K
    Chris_K over 14 years
    I believe this is the direction I should be headed. New OU with a new GPO with the wsus template added. Then I should remove the wsus template from my default GPO. Sound about right?
  • Maximus Minimus
    Maximus Minimus over 14 years
    Yup, that's the way! :)
  • Chris_K
    Chris_K over 14 years
    One last question: Since my new OU has a new policy that only has WSUS stuff, do I add that same policy to the Domain Controllers OU as well?
  • Chris_K
    Chris_K over 14 years
    OK, that was a dumb question. Of course I should add that wsus policy. Think I'm all squared away now :-)