Remove machines from WSUS

group-policy, windows-update, wsus

We're running the latest WSUS server 3.0 sp-something-or-other. We added the admin template to domain group policy to get everyone into the pool, so to speak.

Now, for various reasons, I have two servers that I need to remove from the WSUS family. They need to go back to getting their updates from Microsoft.

I created a new OU ("Non WSUS Servers").
I created a new GPO as a copy of the Default Domain Policy ("non WSUS") and removed that wsus admin template.

Deleted the 2 servers from WSUS. Yet they keep getting added back in. Clearly I'm missing a step here — any ideas?


While writing this, I noticed that my "Non WSUS Servers" OU "Group Policy Inheritance" lists my non WSUS GPO and then the Default Domain policy under it. Is that what's tripping me up?

(can you tell I'm not a GPO wizard? 😉 )

Best Answer

With WSUS settings at default domain level and no WSUS policy defined on the new OU, the settings you will be getting on these PCs will be the WSUS settings, and this is correct behaviour according to the rules of GPOs. What you need to do is create a new OU in your AD structure, move all your computers to that (aside from DCs, of course), define your WSUS policy on that OU, and then things should work the way you want them to.
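The restructuring the answer describes, as an added PowerShell example that is not from the original post or answer. The OU name, the GPO name and the two server names are assumptions, and it assumes the WSUS settings live in a GPO of their own rather than inside the Default Domain Policy.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory and
# GroupPolicy modules, and a GPO named "WSUS Settings" (assumed name) that carries
# the Windows Update admin template settings.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=local
$wsusOuName = 'WSUS Clients'                             # assumed OU name
$wsusOuDn   = "OU=$wsusOuName,$domainDn"
$wsusGpo    = 'WSUS Settings'                            # assumed GPO name
$optOut     = @('SRV-A', 'SRV-B')                        # assumed names of the two servers

# 1. Create the OU that will carry the WSUS policy (skip if it already exists).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$wsusOuName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $wsusOuName -Path $domainDn
}

# 2. Move every computer account except domain controllers and the two opt-out
#    servers into the new OU. DCs stay in their own OU with their own policy.
$dcNames = (Get-ADDomainController -Filter *).Name
Get-ADComputer -Filter * |
    Where-Object { $_.Name -notin $dcNames -and $_.Name -notin $optOut } |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $wsusOuDn }

# 3. Link the WSUS GPO to the new OU and unlink it from the domain root, so
#    machines outside the OU (the two servers) no longer inherit it.
#    If the settings still sit in the Default Domain Policy itself, clear them
#    there instead of unlinking that GPO.
New-GPLink -Name $wsusGpo -Target $wsusOuDn -LinkEnabled Yes
Remove-GPLink -Name $wsusGpo -Target $domainDn

# 4. Verify: after a policy refresh the opt-out servers should report no WSUS
#    values at all, so the Windows Update client falls back to Microsoft Update.
Invoke-Command -ComputerName $optOut -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        WUServer    = (Get-ItemProperty $key -ErrorAction SilentlyContinue).WUServer
        UseWUServer = (Get-ItemProperty "$key\AU" -ErrorAction SilentlyContinue).UseWUServer
    }
}
```

Run it from a domain-joined admin workstation with RSAT installed; an empty WUServer and UseWUServer in the final output is what confirms the two servers have dropped out of the WSUS policy.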