Small Business Server 2003 Group Policy and Software Update Services (book excerpt)

Hello everyone – I am Harry Brelsford, publisher of the Advanced Windows Small Business Server 2003 Best Practices book. Periodically I like to post book passages as a virtual book reading – a blast from the past! Today’s topic is GP and SUS. And did you know – this is exactly the type of thing discussed in our annual fall conference, the 7th Annual SMB Nation event (October 2-4, 2009, Las Vegas).

So let’s rock!

Group Policy and Software Update Services

While we are talking about Group Policy, let me mention that you should be using Software Update Services (SUS) to keep your client machines updated with security patches. I only mention it here because it is administered with—you guessed it—a Group Policy. You will need to download SUS, or the yet-to-be-released (as of this writing) Windows Update Services (WUS), at:

SUS Server-Side 

The initial setup is pretty straightforward. Run the setup executable and provide an installation path. Once SUS is installed, you perform administrative tasks using a Web page at the following URL: http://servername/susadmin. You need to configure only a few settings to get the SUS server side operational. Set these under the “Set options” link on the welcome page, as seen in Figure 4-5.

Figure 4-5 

Configure SUS on the Set options page. 






SUS setup will automatically set the proxy option and put in the SBS 2003 server name. Then you must decide where your server will synchronize SUS content from. Some consultants prefer to run a SUS server in their consulting office and have their customers’ SUS servers synchronize from the consultant’s office instead of from Microsoft itself. Bear in mind that a downstream server then trusts whatever the upstream server has approved, so that upstream server has to be protected as carefully as the customer’s own. You can also choose to have SUS automatically approve new versions of Microsoft updates or to ask for approval (which is my personal preference). Another option allows you to keep a copy of the updates locally or have each client machine pull them down from Microsoft. You can greatly reduce your bandwidth demands by keeping a local copy of the updates on your server. Another option allows you to select which languages you would like to support.

If you look closely at Figure 4-5, you will see the Synchronize server link on the left. Here you have the option of a one-time immediate synchronization or configuring a schedule to automatically synchronize. The first synchronization is very time consuming (as of Fall 2004, 239 updates for the English language needed to be downloaded!).

After you synchronize your server, you need to select the Approve updates page and select which updates you want to be applied to the clients. There is no “approve all” button, so you will need to select the desired updates one at a time. I found a rapid way to approve these individual updates: Select the first update you want to approve and then hit Tab, Tab, SpaceBar. Keep repeating, and if you get to an update you don’t want to apply, hit Tab instead of SpaceBar. That is all there is to setting up the server side of SUS!


SUS Client-Side

And now for Group Policy! The SUS client-side configuration is handled through GPOs. If you are running Windows 2000 Service Pack 2 (SP2) or Windows XP without Service Pack 1 (SP1), you will need to download the new SUS client from the Microsoft download URL (default.mspx). If your desktops are more current, you already have the new SUS client. When the SUS server was installed, the Administrative Template was added to allow you to create or edit SUS settings.



To automatically update the client computers with approved updates, follow this procedure:

  1. Log on to SBS 2003 as the administrator.
  2. From the Start menu, launch Server Management.
  3. Expand Advanced Management, Group Policy Management, Forest, Domain, yourdomain.
  4. Right-click on Small Business Server Client Computer and select Edit.

The Group Policy Object Editor will appear.

  5. Expand Computer Configuration, Administrative Templates, Windows Components and select Windows Update.

Four options need to be configured for SUS to automatically update the client computers.

  6. Select Configure Automatic Updates. Check the radio button for Enabled. Select the frequency you would like it to check with your server and select the install time. When satisfied, click Next Setting.
  7. At the next setting, Specify intranet Microsoft update service location, click Enabled. Complete the URL for your SUS server in the form http://Servername. Populate the Update and Statistics server fields with the same URL, since the SBS 2003 server machine will perform all of these roles.
  8. Click Next Setting and configure the client update schedule. The default is five minutes. There is one caveat if your users are running with Local Administrator rights (which Susan Bradley will warn you about in her Security chapter): the updates will not be automatically applied. Instead, the updates will generate a system popup message indicating that updates are available. The user has to click OK to download and install the updates. Until these updates are installed, NO FURTHER UPDATES will install!
  9. Click Next Setting, where you will make a decision about client computer automatic reboots after updates are applied.
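The four Windows Update settings from steps 6 through 9, as an added example that is not from the book: the same registry-based policies the Windows Update template writes, set with the GroupPolicy module (Windows Server 2008 R2 and later, or RSAT), plus an audit function to run on a client afterwards. Assumptions: the GPO name is the SBS 2003 default named above, http://sbsserver is a placeholder for your SUS server URL, and the schedule values (option 4, every day, 03:00) are illustrative.

```powershell
# Added example, not the book's own procedure. Assumes the GPO name used in
# the text and a placeholder server URL; adjust both before running.
Import-Module GroupPolicy

$GpoName  = 'Small Business Server Client Computer'   # SBS 2003 default GPO
$WuServer = 'http://sbsserver'                        # placeholder; SUS only spoke plain HTTP
$WuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey    = "$WuKey\AU"

# Step 6 - Configure Automatic Updates: Enabled, option 4 (auto download and
# schedule the install), every day (0) at 03:00.
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName NoAutoUpdate         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName AUOptions            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName ScheduledInstallDay  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName ScheduledInstallTime -Type DWord -Value 3 | Out-Null

# Step 7 - Specify intranet Microsoft update service location: update server
# and statistics server are the same box, as the text says.
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName UseWUServer    -Type DWord  -Value 1         | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName WUServer       -Type String -Value $WuServer | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName WUStatusServer -Type String -Value $WuServer | Out-Null

# Step 8 - Reschedule Automatic Updates scheduled installations: wait five
# minutes after startup (the default mentioned in the text).
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName RescheduleWaitTimeEnabled -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName RescheduleWaitTime        -Type DWord -Value 5 | Out-Null

# Step 9 - No auto-restart for scheduled Automatic Updates installations:
# Enabled (1) notifies a logged-on user instead of rebooting under them.
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName NoAutoRebootWithLoggedOnUsers -Type DWord -Value 1 | Out-Null

# Audit: run on a client after "gpupdate /force". Reads the keys the GPO
# writes and returns the findings a reviewer would want to see.
function Test-WuClientPolicy {
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $findings = @()
    if (-not $au -or $au.NoAutoUpdate -ne 0) { $findings += 'Automatic Updates is not enabled by policy' }
    if ($au.UseWUServer -ne 1 -or -not $wu.WUServer) {
        $findings += 'Client is not pointed at the intranet update server'
    } elseif ($wu.WUServer -like 'http://*') {
        # Plain HTTP: anyone who can sit between client and server on the LAN
        # can tamper with what the client is told to install. SUS offered
        # nothing better; WSUS can be published over HTTPS and should be.
        $findings += "WUServer $($wu.WUServer) uses plain HTTP"
    }
    if ($au.NoAutoRebootWithLoggedOnUsers -ne 1) { $findings += 'Clients may reboot users mid-session' }
    [pscustomobject]@{
        Server   = $wu.WUServer
        Option   = $au.AUOptions
        Findings = $findings
    }
}

Test-WuClientPolicy
```

The value 1 written for step 9 is the Enabled choice the text goes on to recommend. Whatever the schedule, the audit's HTTP finding is the one worth acting on today: the client installs whatever the server it is pointed at tells it to, so that server, and the path to it, are part of your trusted computing base.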

As much as I would like to tell you to leave this setting disabled, I have found it causes a lot of turmoil with the users to have machines unexpectedly rebooting in the middle of their projects. So it is probably better to enable this option, which effectively disables the automatic reboot. Remember: if you are confused by any of the choices, just use the Explain tab on each policy settings page to get more information.

GPO Exception or Override

As powerful as a GPO can be in the affirmative, an exception GPO can be just as powerful and useful by effectively denying some behavior. I’ll give you an example of an exception or override GPO. One of my clients had his users creating all sorts of local user accounts on the desktops when I arrived as the new SBS consultant. These unmanaged local accounts opened potential security holes in their SBS network (they sit outside the domain’s password policy and auditing). When I pointed this out to the guy in charge, he asked if I could lock down the system so we could control who logged onto which client computer. I created a neat little GPO that forced everyone to log on with a domain account, which prevented local logons. Note that this work was performed in the SBS 2000 timeframe and can’t be exactly replicated in SBS 2003, so kindly accept the above discussion as explanatory in nature.

To create an exception GPO:

  1. Log on to the SBS 2003 server machine as the administrator.
  2. From the Start menu, launch Server Management.
  3. Expand Advanced Management and Group Policy Management.
  4. Expand Forest, Domains, yourdomain, MyBusiness, Users, SBSUsers.
  5. Right-click on the new OU you created earlier in this chapter titled LimitThese.
  6. Select Create and Link a GPO Here and name the new GPO OverRideNoRegeditNoRun.
  7. Right-click on this new GPO and choose Edit from the dropdown list.
  8. Expand User Configuration, Administrative Templates and click Start Menu and Taskbar.
  9. Double-click Remove Run menu from the Start Menu. Select the Disabled radio button and click OK.
  10. Under Administrative Templates, select System.
  11. In the right pane, double-click Don’t run specified Windows applications. Select the Disabled radio button.




  12. Click OK twice and close the Group Policy Editor.
  13. Right-click this newly created GPO and select Enforced.
  14. Under Advanced Management in Server Management, Group Policy Management, Forest, Domains, yourdomain, Group Policy Objects, click the OverRideNoRegeditNoRun GPO.
  15. Click the Scope tab in the right pane.
  16. Under Security Filtering, click Remove to remove Authenticated Users. This is shown in Figure 4-6.

Figure 4-6

Authenticated Users will be removed in the Security Filtering section.

  17. In the Security Filtering section, click Add.
  18. In the Enter the Object name to select field, type Administrators, click Check Names, and then click OK.

You have now created an exception GPO.
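The same exception GPO built and verified from the command line, as an added example that is not from the book: the GroupPolicy module (Windows Server 2008 R2 and later, or RSAT) creates the GPO, links it Enforced to the LimitThese OU, writes the two Disabled settings, and applies the security filtering from steps 13 through 18. Assumptions: the OU path follows the SBS 2003 layout described above, DC=yourdomain,DC=local is a placeholder, and the Domain Computers read permission is a present-day requirement (MS16-072, 2016) that the 2003-era steps predate.

```powershell
# Added example, not the book's own procedure. OU distinguished name and
# domain components are placeholders; adjust before running.
Import-Module GroupPolicy

$GpoName  = 'OverRideNoRegeditNoRun'
$OuDn     = 'OU=LimitThese,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=yourdomain,DC=local'
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Steps 6 and 7: create the GPO and link it, Enforced, to the LimitThese OU.
# Enforced links are processed last, so their values win over the same
# settings Enabled in a GPO linked higher up (that is the "override").
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $OuDn -Enforced Yes | Out-Null

# Steps 8 to 12: both settings Disabled. "Remove Run menu from Start Menu"
# is Explorer\NoRun and "Don't run specified Windows applications" is
# Explorer\DisallowRun; Disabled writes each as 0 (VALUEOFF in the template).
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName NoRun       -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName DisallowRun -Type DWord -Value 0 | Out-Null

# Steps 13 to 18: security filtering. Drop Authenticated Users (-Replace is
# needed to lower an existing permission) and apply to Administrators only.
# Since MS16-072 the computer account, not the user, reads user-side GPOs,
# so Domain Computers must keep Read or the GPO silently stops applying.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Administrators'      -TargetType Group -PermissionLevel GpoApply     | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers'    -TargetType Group -PermissionLevel GpoRead      | Out-Null

# Verify: who is allowed to apply the GPO, and is the link enforced?
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

(Get-GPInheritance -Target $OuDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Select-Object DisplayName, Enforced, Enabled
```

Set-GPPermission only grants Allow entries, so the Deny shortcut in the BEST PRACTICE that follows still has to be set in the GPMC Delegation tab (Advanced button). After the script, log on as a test user inside LimitThese and run gpresult /r to confirm the GPO shows up under Applied Group Policy Objects only for members of Administrators.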




  BEST PRACTICE: If all you want to do is keep a specific GPO from being applied to a user or group, the easiest way is to deny that user or group the Apply Group Policy permission on the GPO itself. Do this on the Security tab of the GPO property sheet, as seen in Figure 4-7.

Figure 4-7

Select Deny for Apply Group Policy as a permission restriction. You will receive a warning message relating to a Deny selection (the warning is that Deny is very powerful).



