Announcement

Collapse
No announcement yet.

Multiple WSUS for delegation in the same domain

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Multiple WSUS for delegation in the same domain

    I'm looking at delegating rights to approve patches for workstations separately from servers, and it seems that WSUS3 doesn't have that capability.

    I assume that by installing two totally separate WSUS setups I should find a way to grant access to some people to one server and to some people to the other.

    Is anyone doing this or using other workarounds for delegation? I can't believe this isn't a feature in WSUS...maybe version 4 !

    Thank you
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

  • #2
    Re: Multiple WSUS for delegation in the same domain

    Hi,

    There are two ways I can think of to work around that.
    • Creating a nested WSUS structure with downstream servers

    ...The limitation is that the synch source can be bypassed.

    or..
    • Having two WSUS servers and pointing different clients to different servers
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    Comment


    • #3
      Re: Multiple WSUS for delegation in the same domain

      I need to make things as independant as I can, so I will go with option 2.

      I'm going to have a bunch of WSUS3 servers for workstations, and two or three for servers. Completely separate.

      Now, I'm going to go and test this today but, if I remember correctly the WSUS Admin groups for WSUS are created on the domain...and both setups will be in the same domain.. hmm
      VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

      Comment


      • #4
        Re: Multiple WSUS for delegation in the same domain

        No, it's actually a local group.
        As long as they are installed in different machines it should be ok I think.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR

        Comment


        • #5
          Re: Multiple WSUS for delegation in the same domain

          You're right. I am just too used to see bad setups where WSUS has been installed on a DC I suppose.

          The WSUS Administrators and WSUS Reporters are indeed LOCAL, so it won't be an issue.

          It's only going to be a waste of drive space, windows licenses and RAM on the vmware cluster, but at least I'll be able to give access to desktop update approval to the desktop guys.
          VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

          Comment


          • #6
            Re: Multiple WSUS for delegation in the same domain

            Good luck Gepeto,
            Let us know how you get on and if you hit any probs. I haven't actually tried this in practice myself.

            Cheers
            Caesar's cipher - 3

            ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

            SFX JNRS FC U6 MNGR

            Comment


            • #7
              Re: Multiple WSUS for delegation in the same domain

              Just tested in some VMs and it does seem to work properly.
              What I'll do is create an OU for my "Server WSUS" servers and one for my "Workstation WSUS" servers, both under the same WSUS Servers ou.

              At the top I'll apply whatever GPOs I will use to harden them, and at the bottom, I will use restricted groups to populate the WSUS Admin and reporter local groups with domain local groups.

              I'll let you know how it goes in the real world, but don't expect any news for quite a while, it'll take some time before it gets done for real. (Priorities !)

              Thanks
              VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

              Comment

              Working...
              X