The Official SBS Blog

The official blog for Small Business Server (SBS) support and product group communications.
Search Form
  • Advanced search options...
Tags
SBS Related Links
SBS-Related Links
EPS Team Blogs
Options
Disclaimer
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

How to Manually Create the SBS 2008 and WSUS Group Policies Objects

TechNet Blogs > The Official SBS Blog > How to Manually Create the SBS 2008 and WSUS Group Policies Objects

How to Manually Create the SBS 2008 and WSUS Group Policies Objects

Rate This
3 Sep 2009 6:09 PM
  • Comments 2

[Today's post comes to us courtesy of Ed Walters]

Certain Group Policy Objects (GPOs) are created and configured by default during the installation of SBS 2008. This blog post will cover how to create these GPOs manually in the event that they are missing or have been accidentally deleted without a backup. Note: If one or more of these GPOs are missing as the result of a failed install, you should not follow this procedure. We recommend that you call Microsoft Product Support as other components are likely to be broken. The steps have been broken down into two types of Group Policies:

Update Services Policies:

  • Update Services Client Computers Policy
  • Update Services Common Settings Policy
  • Update Services Server Computers Policy

Windows SBS Policies:

  • Windows SBS Client – Windows Vista Policy
  • Windows SBS Client – Windows XP Policy
  • Windows SBS Client Policy
  • Windows SBS CSE Policy
  • Windows SBS Users Policy
  • Small Business Server Folder Redirection Policy (Optional)

We do not cover the steps to create the Default Domain Controllers Policy or the Default Domain Policy in this post. Either restore these policies from backup or contact Microsoft Product Support Services for assistance.

Create the three Update Services Policies

  1. Open Start > Run and enter gpmc.msc to open the Group Policy Management Console.
  2. Expand Forest: <SBS Forest>\Domains\<SBS Domain>\Group Policy Objects

    image
  3. Right-click the Group Policy Objects key and choose New
  4. Enter Update Services Client Computers Policy as the name
  5. Select OK

    image
    ***The name must be entered exactly as shown, DOUBLE CHECK your spelling before selecting OK
  6. Create the two remaining WSUS policies in this way
  •  
    • Update Services Common Settings Policy
    • Update Services Server Computers Policy

Configure the Update Services Client Computers Policy

  1. Right-click Update Services Client Computers Policy and choose Edit. On the Group Policy Management Editor, open Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
  2. Configure the settings as shown in the report below

image

Configure the Update Services Common Settings Policy

  1. Right-click Update Services Common Settings Policy and choose Edit. On the Group Policy Management Editor, open Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
  2. Configure the settings as shown in the report below

image

Important: The Set the intranet update service for detecting updates and Set the intranet statistics server policies are specific to your server and must be configured with http://<YourServerName>:8530

Note: The above report for this GPO shows the “enabled” and “disabled” policy settings only. Any policy that does not appear in the above report should be set to “Not configured” on your server.

Configure the Update Services Server Computers Policy

  1. Right-click Update Services Server Computers Policy and choose Edit. On the Group Policy Management Editor, open Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
  2. Configure the settings as shown in the report below

image

Configure the scope of the new Update Services Policies

The configuration on the Scope tab for each new Update Services GPO needs to be as follows:

  1. Update Services Client Computers Policy
    • Leave “Links” empty
    • Remove any object under “Security Filtering”
    • Set “WMI Filtering” to <none>
  2. Update Services Server Computers Policy
    • Leave “Links” empty
    • Remove any object under “Security Filtering”
    • Set “WMI Filtering” to <none>
  3. Update Services Common Settings Policy
    • Leave “Links” empty
    • “Authenticated Users” must be listed under “Security Filtering”
    • Set “WMI Filtering” to <none>

Link the new Update Services Policies

  1. In the Group Policy Management Console, right-click on your SBS domain and select Link an Existing GPO

    image
  2. Select the following 3 policies
    • Update Services Client Computer Policy
    • Update Services Common Settings Policy
    • Update Services Server Computer Policy
  3. Click OK

Once the WSUS policies have been updated and applied, Security Filtering on the Client Computers and Server Computers GPOs will begin populating with the machine accounts of your domain joined clients and servers. This is done automatically by SBS every 5 minutes.

Create the Windows SBS Policies

Create the Small Business Server Folder Redirection Policy (Optional):

This is an optional GPO. Follow these steps only if you wish to use folder redirection

  1. On the SBS 2008 Console, select the Shared Folders and Web Sites tab
  2. On the Right hand side, under “Tasks” select Redirect folders for user accounts to the server
  3. Complete the wizard

image

Create the remaining SBS GPOs

These steps will create the following GPOs:

  • Windows SBS Client – Windows Vista Policy
  • Windows SBS Client – Windows XP Policy
  • Windows SBS Client Policy
  • Windows SBS CSE Policy
  • Windows SBS Users Policy
  1. Copy the following file and save it to an easily accessible path, such as c:\windows\temp, on the SBS 2008 server:
    http://cid-d5fe25afb6c3615f.skydrive.live.com/self.aspx/.Public/gpofix.txt
  2. Right-click on the Command Prompt and select Run as Administrator

    image
  3. Run the following command from the Administrator Command prompt, substitute the path to the gpofix.txt file as needed (We recommend that you DO NOT copy & paste the command directly from the blog post):

    “C:\Program Files\Windows Small Business Server\Bin\GPOTask.exe” /config:c:\windows\temp\gpofix.txt
  4. The task will take a few moments to complete, after which it will return to the command prompt


    image
  5. Verify that the GPOs have been created in the Group Policy Management Console
  6. Run and complete the Internet Address Management Wizard from the SBS 2008 Console to complete the configuration.

, , ,
Comments
Comments
  • John
    21 Sep 2009 10:09 AM

    "Once the WSUS policies have been updated and applied, Security Filtering on the Client Computers and Server Computers GPOs will begin populating with the machine accounts of your domain joined clients and servers. This is done automatically by SBS."

    Automatically? Even if we have manually created the GPO and linked them to the domain OU?

    How does the server computer policy know it applies to an object in the SBS Computers - Servers OU (or the client to clients) if they are linked to the domain GPO?

    The instructions on technet are the same as you have here, so I was glad of the opportunity to ask about this.

    Thanks,

    John

  • 22 Sep 2009 10:55 AM

    Hi John,

    The Windows SBS Manager service (DataCollectorSvc) does this for you based on the group membership in WSUS that you have chosen for your machines.  For more info on this, have a look at http://blogs.technet.com/sbs/archive/2009/06/23/update-services-in-sbs-2008.aspx

Page 1 of 1 (2 items)