Thursday, April 23, 2009

Working with Group Policy

View, add, or remove the computers to which a Group Policy applies:
1. Open Group Policy Management \ Forest ... \ Domains \ (your domain) \ Group Policy Objects
2. Click the GPO in question
3. In the right pane, look at the "Security Filtering" section and select a group
4. Click Properties \ Members

Allow a standard (non-admin) user to run the Resultant Set of Policy tool (rsop.msc):
Delegate control of RSoP
(related: Use Dsrevoke.exe to undo the changes made by the Delegation of Control Wizard)
or simply add the user to the local Administrators group (?)

Best Practices with Windows Server Update Services
Microsoft recommends that you create a NEW Group Policy object (GPO) that contains only WSUS settings.
Microsoft recommends that you do NOT edit the Default Domain or Default Domain Controller GPOs.

www.petri.co.il/working_with_group_policy.htm

Group Policy is processed in the following order:

Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO

and so on.

GPOs inherited from Active Directory always take precedence over local policy.

Self-note:
Let's say you have configured AU (Automatic Updates) settings using the local gpedit.msc, but your computer is a member of a domain that also has an AU configuration for your computer. The AU settings from the domain will then override your local settings.
You can confirm this by checking the registry entries under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU to see which settings have been applied to the registry (and are in effect).
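
The registry check from the self-note can be scripted. The PowerShell below is an added example, not part of the original post; it assumes the documented Windows Update policy value names (NoAutoUpdate, AUOptions, UseWUServer, WUServer, ScheduledInstallDay, ScheduledInstallTime), and the function names Get-Val and Get-AuPolicy are hypothetical.

```powershell
# Added example: decode the Automatic Updates policy values that are in effect.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Meaning of the AUOptions DWORD.
$auOptions = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically, install on schedule'
    5 = 'Local administrator chooses the setting'
}
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday.
$days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

# Return a registry value, or $null when the policy does not set it.
function Get-Val($obj, $name) {
    $p = $obj.PSObject.Properties[$name]
    if ($p) { $p.Value } else { $null }
}

function Get-AuPolicy {
    if (-not (Test-Path $auKey)) {
        Write-Warning "No AU policy key found: neither local nor domain policy configures AU."
        return
    }
    $au = Get-ItemProperty -Path $auKey
    $wu = Get-ItemProperty -Path $wuKey

    $opt = Get-Val $au 'AUOptions'
    $day = Get-Val $au 'ScheduledInstallDay'
    [pscustomobject]@{
        AutoUpdateDisabled = (Get-Val $au 'NoAutoUpdate') -eq 1
        AUOptions          = if ($null -ne $opt) { "$opt ($($auOptions[[int]$opt]))" }
        UsesWsusServer     = (Get-Val $au 'UseWUServer') -eq 1
        WsusServer         = Get-Val $wu 'WUServer'
        InstallDay         = if ($null -ne $day) { $days[[int]$day] }
        InstallHour        = Get-Val $au 'ScheduledInstallTime'
    }
}

Get-AuPolicy | Format-List

# The key holds only the winning values. To see which GPOs were applied to the
# computer, run this from an elevated prompt:
gpresult /r /scope computer
```

If WsusServer or AUOptions differs from what the WSUS GPO defines, compare the applied GPO list from gpresult with the Security Filtering membership of that GPO.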
