Rather than creating OU's, you could have created "Security Groups" with the computer accounts in it, remove the "Authenticated users/Apply Policy" permission, and add the "GroupOfComputers/Apply Policy" permission. People tend to create OU's for the wrong reasons... the only real reason to create a new OU is to create an administrative boundary. My opinion, at least... Glenn Sullivan, MCSE+I MCDBA David Clark Company Inc. ________________________________ From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Jensen, Douglas Posted At: Friday, June 04, 2004 2:32 PM Posted To: Windows 2000 Conversation: [windows2000] Re: SV: Re: SUS Subject: [windows2000] Re: SV: Re: SUS I am not sure that is the best way. I tried assigning the SUS Client to computers and got lots of error messages for computers that already had the client because they were SP4 or SP4 saying the install had failed because it did not have SP1 or ?SP2?(not sure about the sp2). So first, I don't think you should use same policy because you will want a bunch of computers in that OU and you probably don't want to group computers based on what service pack it has but more likely on who uses the computer and what their software/security needs are. I ended up trying separate OU's to install the client and then moving them to their proper OU after the client was installed. I did manual installs of SP4 on those clients where the Group Policy install of the client didn't work. I first tried to use Group Policy to install SP4 (which Microsoft does NOT recommend) and found about a 50% success rate there. Now, though, after I have SP4 on all my Win2000 Pro computers, the SUS is working really well. The reporting is less then stellar because the reporting doesn't appear to look at the same list as SUS and may even use different metrics to determine if the patch is installed. Douglas Jensen Douglas.Jensen@xxxxxxxxxxxxx Voice (952) 402-9821 Fax (952) 402-9815 Network Administrator Scott Carver Dakota CAP Agency, Inc. 712 Canterbury Road Shakopee, MN 55379 www.capagency.org -----Original Message----- From: Svein Arild Haugum [mailto:svein@xxxxxxxxxxxxxx] Sent: Friday, June 04, 2004 12:18 PM To: windows2000@xxxxxxxxxxxxx Subject: [windows2000] SV: Re: SUS Only half true. The best way to do is it to assign the SUS klient software to the computers you are going to manage, trough the same AD policy as you configure SUS. (The MSI files are preconfigured and ready for AD deployment. This way a pre-sp3 computer starts up, gets the client and the configuration, and the first download would be the latest servicepack. By doing it like this, you eliminate the need for SP1(XP) and SP3(2000). Mvh Svein Arild -----Opprinnelig melding----- Fra: Phil Smith [mailto:psmith@xxxxxxxxxxxxxx] Sendt: 4. juni 2004 14:14 Til: 'windows2000@xxxxxxxxxxxxx' Emne: [windows2000] Re: SUS Has the policy taken effect on the workstation? You can check by going to the control panel and opening Automatic Updates and seeing if it is grayed out or if you can make modifications to it. If you can modify it then the client has not gotten the policy yet. Win2k clients must have at least SP3 XP clients must have at least SP1 Check this community web page http://www.susserver.com lots of good info for SUS there. -----Original Message----- From: Mark Cook [mailto:mc@xxxxxxxxxx] Sent: Friday, June 04, 2004 7:02 AM To: 'windows2000@xxxxxxxxxxxxx' Subject: [windows2000] SUS Stumbling from bloody RIS to SUS now I'm afraid, life's one big acronym :-) Our SUS seems to have stopped working, or at least part of it. The main SUS server sync's with MS each day no problem, we approve what we want/need to and the Domain Policy is set to apply this to all PC's at 7am. Now here's the strange thing - only some PC's get the updates / others show absolutely no sign of activity in that area - yet all PC's are SP4 Win2K PRO ! The policy is set to tell the clients to locate the SUS server by it's IP address so no resolution issues ? Anyone got any suggestions or seen this before ? Cheers Mark