GPO for WSUS Precedence and Scope

Donohue, Kevin S 26 Reputation points

I'm in an enterprise AD (univ) environment where I control our main OU and sub-OUs, where I apply GPOs. I have a standard WSUS GPOs to push auto installs and restarts at night, and then a "no auto restart WSUS GPO I want to apply to one PC in a particular sub OU.

I have a standard WSUS GPO that I apply to all sub GPOs that has "4-Auto download and schedule install" -> for "4-Every Wed" at 22:00, and "Every week" enabled. Also the "allow auto update immediate install" is enabled (description states its for certain updates that neither interrupt windows services nor restart windows), and "No auto-restart with logged on users" disabled. I apply this to all sub OUs (different groups of PCs).

For the one PC, in a particular sub OU, that I don't want to "auto install\restart" with updates, I created another GPO with "allow auto updates immediate install" disabled and "3-Auto download and notify for install" with "No auto-restart with logged on users" enabled and the Scope set via Security Filtering to the particular PCs Name and the Username who will be logged in overnight (is using both PC name and user incorrect?).

I have this latter "no auto restart" GPO as #3 link order and the former "standard WSUS GPO" as #4 link order for the other PCs in this sub OU.

As I understand it, GPOs with a smaller precedence number are processed last and take precedence over GPOs with higher numbers, so the no auto restart GPO should take precedence, correct?

The problem is that the PC in question still keeps auto installing and restarting updates, and it is on Wed mornings at approx 6:30. I don't understand why the precedence is of the two GPOs is not applying, and even so why the seemingly applied standard WSUS GPO installs on Wed morning when it is set as "4-Auto download and schedule install" -> for "4-Every Wed" at 22:00.

A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,920 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,403 questions
0 comments No comments
{count} votes

Accepted answer
  1. Adam J. Marshall 9,041 Reputation points MVP

    B is partly correct - but the Authenticated Users must be done in the Delegation tab and only given the READ permission.

    Remove Authenticated Users from the filter scope, add instead a GROUP or COMPUTER or USER

    If applying a COMPUTER based policy, add AUTHENTICATED USERS or DOMAIN COMPUTERS in the delegation tab with READ permissions only (but if you only add Domain Computers, Admins will still have trouble seeing the GPO, but when doing a GPResult /h gpo.htm - the computer WILL be able to see it's name.)

    Domain Computers is a subset of Authenticated Users.

4 additional answers

Sort by: Most helpful
  1. Adam J. Marshall 9,041 Reputation points MVP

    Use GPResult to figure out what's going on - it will not only tell you what the end result policy is, but also it will tell you which GPO 'wins'

    From an Administrative Command Prompt on an affected client, run the following:
    gpresult /h gpo.htm

    You can also use gpmc.msc to see - click on an OU, click Group Policy Inheritance tab. The closer the GPO is to #1, the more it will take precedence over others behind it.

  2. Adam J. Marshall 9,041 Reputation points MVP

    Are you suffering from the missing Authenticated Users in the delegation tab of your new GPO? You've removed Authenticated Users from the scope tab (that's fine) but then you have to add the Authenticated users group to your Delegation tab with READ permissions....

    It has to do with a Windows Update released in June 2016 - MS16-072 -

    Taken from Emin's blog -

    To quickly display GPO names that don't have the Authenticated Users group, you can do:


    Get-GPO -All | ForEach-Object {
        # Test if Authenticated Users group have at least read permission on the GPO
        if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
    } | Select DisplayName

    To add back the Authenticated Users group with Read Permissions on the Group Policy Object (GPO), you can do:


    Get-GPO -All | ForEach-Object {
        if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
            $_ | Set-GPPermission -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Verbose

    Now, every GPO has a permission set for the 'Authenticated Users' group and to check what permission is set for this group, you can do:

    Get-GPO -All | ForEach-Object {
            DisplayName = $_.DisplayName
            Permission = ($_ | Get-GPPermission -TargetName 'Authenticated Users' -TargetType Group).Permission
    } | Out-GridView -Title 'Authenticated Users permissions'

  3. Adam J. Marshall 9,041 Reputation points MVP

    having READ permission only allows a user to run
    gpresult /h gpo.htm
    and SEE the name of the GPO that failed to apply. It doesn't apply it during processing, however it allows the visibility for troubleshooting.
    I suggest Authenticated Users, but you can also do just Domain Computers (but you may lose the visibility)

  4. Adam J. Marshall 9,041 Reputation points MVP

    Watch the first video by Dan Holme, starting at time 15:52

    I recommend watching the entire video along with the other videos on that page by Dan Holme.