What you will find is that the OU design of your organisation will largely mirror your OU Structure.

You might also notice that the names of the target groups are “Workstations ”.

The Workstation prefix is required as you might also want to patch Servers in the same site and therefore due to the unique target group requirement you will need to have a “Workstations Sydney” and “Servers Sydney” group.

Now also take a look at the “Keep the GPO’s name consistent with the OU names” section in my Best Practice: Group Policy Design Guidelines – Part 2 post you can see how the WSUS Target Groups are also very consistent (but not the same) as the OU’s that the computer are located.

The target group on the client is controlled using the “Enable client-side target” group policy setting (more on this later).

If you don’t enable this option you will quickly find that you need to manually categorise even new computer that reports into the WSUS server.

WSUS is also a requirement for the Software Update option in SCCM 2007.

What I hope this post will teach you is how to use Group Policy in your environment to milk the absolute most out of your existing WSUS infrastructure.

One of the first things you should do once you have installed WSUS and performed the first sync is enabled the Group Policy computer group assignment.

This allows the clients that connect to your WSUS server to be automatically configured in the correct targeting group when they connect to the WSUS server.

This is fine if you only have few computers but once you star managing many hundreds or thousands of computers this quickly becomes impractical.

One of the options you can set using Group Policy is called “Specify intranet Microsoft update service location” which allows you to specify the WSUS Server name.

Doing this this is more a discovery process so that you can at least be aware of any un-patched computers on then network that you can then appropriately remediate…

