4 Replies Latest reply on Jan 29, 2015 1:50 PM by vrfa_it

    Computers getting reassigned to the Unassigned Computer Group

    asanti@sciquest.com

      Hi,

       

      I am new to Patch Manager and have a question.

       

      After assigning computers to groups I come back the next day and find that the computers previously assigned to computer groups have been reassigned back the unassigned computers group. How can I stop this from happening? Is there something I am doing wrong?

       

      Thanks,

        • Re: Computers getting reassigned to the Unassigned Computer Group
          Lawrence Garvin

          This is caused by inconsistencies in the settings for group membership management.

           

          There are two methodologies for assigning group memberships.

           

          The default is "Server-Side Targeting". In this methodology the Options->Computers setting is set to "Use the Update Services console", and NEW computers are automatically placed in the "Unassigned Computers" group until they are assigned to a different group.

           

          The option is "Client-Side Targeting" In this methodology the Options->Computers setting is set to "Use Group Policy...", and Target Group membership is declared in Group Policy. If the declared Target Group exists, the client is placed in that group; if the declared Target Group does not exist, the client is placed in "Unassigned Computers".

           

          One of the complicating factors in this process is that the Patch Manager console does not block the use of "Change Group Membership" when Client-Side Targeting is being used, but the results of that action will be ultimately ignored.

           

          Additional complications arise when the Options->Computers setting is inconsistent with the configuration of the GPO "Enable client-side targeting".

           

          If the GPO is enabled and target groups are assigned via GPO, but Options->Computers was never set to "Use Group Policy..", then the ability to change group memberships in the console is active, but because the client is authoritative for group memberships, anything done at the console to change group memberships will be ultimately ignored when the client checks in the next time. If the Target Group assigned to the client does not exist, then the client will be placed in "Unassigned Computers".

           

          If the GPO is not enabled, and its desired to set target groups via the console, but Options->Computers is set to "Use Group Policy..", then in the native WSUS console, changing group memberships is disabled. In the Patch Manager console, the action will be executed (via the API), but because the WSUS server believes the client is authoritative (because of Options->Computers), the client will be put whereever it says it should be put. But if the client is not actually assigned a group via GPO, then the client will simply be placed in "Unassigned Computers" as well.

           

          So, if your intent is to manage group memerships via the console, then ensure that Options->Computers is set to "Use the Update Services console" and you should *DISABLE* the GPO "Enable client-side targeting".

          If your intent is to assign group memberships via policy, then you cannot use the console. Ensure that Options->Computers is set to "Use Group Policy", that the GPO "Enable client-side targeting" is ENABLED, and that any target groups defined in that GPO actually exist on the WSUS server.

            • Re: Computers getting reassigned to the Unassigned Computer Group
              vrfa_it

              This info is helpful. I have a situation where some but not all of my target groups that exist in the native WSUS console and show under "Computer and Groups"  in the Patch Manager console do not show up when I select "Approve" for Third Party Updates. There is no logical difference between the target groups that show and the ones that don't - they are peer target groups. Why would they show under "Computer and Groups" but not in the "Approve Updates" window?

                • Re: Computers getting reassigned to the Unassigned Computer Group
                  Lawrence Garvin
                  I have a situation where some but not all of my target groups that exist in the native WSUS console and show under "Computer and Groups"  in the Patch Manager console do not show up when I select "Approve" for Third Party Updates.


                  The list of WSUS Target Groups is captured and cached from the Server Node of the Patch Manager console. Normally, when you create WSUS Target Groups from the PM console, an automatic refresh is generated; but if you have created Target Groups from the WSUS console, they will not be. But any groups that appear in the "Computers and Groups" node of the Patch Manager console definitely should also appear in the Approval Dialog.  Try running a "Refresh Update Server" from the WSUS node of the PM console and see if that resolves the issue.


                  If not, please open a ticket with Customer Support so we can take a deeper look at what might be happening.