Delegate Administration via Patch Manager

shocko

Guys, I currently maintain 2 WSUS servers:

• 1 server serves desktop OS
• 1 server serves server OS

I have 2 members of the security team managing each (1 manages desktops and 1 manages servers). The reason we have them split is that we wanted to avoid issues where an admin might approve the wrong patches for the desktops/servers. That said, this introduced more admin work as:

• 2 servers to maintain patch
• 2 servers to allocate disk space to (significant as WUSS content on desktops nearly 900 GB currently)

So, if I was to remove WSUS Administrators access to these, would it be possible to do the following:

1. Merge both systems into one WSUS server with desktops and servers grouped into different computer group trees via GPO assigned groups

         

          All Computers

               All Desktops

               All Servers

    

1. Delegate that admin 1 can only approve updates to All Desktops via Patch Manager Interface
2. Delegate that admin 1 can only approve updates to All Servers via Patch Manager Interface

Essentially, I wish to move all admin into Patch Manager with a Strict Delegaiton model

kellytice

That should work, though of course i would recommend you try it out on a test WSUS before consolidating them to make sure it will work for you. 

Basically, if you're in Patch Manager, you can right-click on one of your WSUS Groups (e.g. All Servers) and choose Approval Delegation:

In the example in the screenshot, i just added one group (my domain's Domain Admins security group) but i could have added different security groups and assigned them different permissions for approving to that WSUS group.