Setting group policy to enforce automatic updates

This is a quick how-to for setting automatic updates using group policies in Windows Server 2003.

Start off by opening up Active Directory Users and Computers from the server.

Hopefully you have got a specific OU that you want to apply this group policy to. In my case, there are about 100 computers listed under the Computers OU in Active Directory. My servers are located in a different OU, which is just as well, because I don’t want this policy to apply to the servers.

Right click on the OU you want to apply the Group policy to, and select Properties. From this properties page, select the Group Policy tab. If you already have the Group policy managment snap-in installed, you will see something similar to the screenshot below – in this case just click “Open” to continue.

active-directory-gp

The group policy management window will open. Right-click the OU (In my case Computers), and select “Create and link a GPO here”

create-gpo1

Give the new GPO a name. I called mine “Install automatic updates”

gpo-name

Now, under the Linked Group Policy Objects tab, right click the new policy name, and select “Edit”

edit-new-gpo1

Now the Group Policy Object Editor will open. Under Computer Configuration, expand Administrative Templates, then Windows Components, then Windows Update.

automatic-update-gpo-settings

On the right panel, right-click “Configure Automatic Updates” and select “Properties” Set the status to “Enabled” and choose your automatic update setting – I used option 4, which will download and install updates on a schedule, which I set to 17h00 every day.

Click Apply, then OK.

configure-automatic-updates

You can optionally set the settings for the option “Delay restart for scheduled installations” otherwise the PCs will be given a count down timer of 5 minutes once updates are installed to auto restart. The user can delay this if they are logged in, otherwise configure this setting to set the count down timer up to a maximum of 30 minutes. The user can always click restart later anyway.

Close the policy editor, and group policy management down once you have set your various options for automatic updates. The GPO will now be linked to the OU “Computers” and any PC listed in this OU will have this policy applied the next time they login, or group policies are applied.

You can manually enforce policies on a PC by typing the following in command prompt, or the run dialog box :

gpupdate /force

Hope this helps anyone looking to achieve a similar result!

Changing Password policies in Server 2008

I have been using Windows 2008 Server Standard as my operating system of choice at home for quite a few months now, and twice I have had to change my password due to the security policy in place by default. This setting forces you to change your password every 42 days. Anyway, up until now I had been too lazy to disable the policy. So for those of you who don’t know where to do this, here is how.

Go to Start – Run, and type in gpedit.msc

Click OK.

Expand the following branches by clicking the little arrow signs next to each one :

Computer Configuration – Windows Settings – Security Settings – Account Policies – and then finally,  Password Policy

Select Password policy, and on the right hand side list double click (or right click – properties) on “Maximum Password Age”

Change this to setting to 0, and then click OK.

Close the Group Policy editor, and from now on you won’t have that annoying mandatory password change every month or so.

password_policies2