
Apply Win2k hotfixes via GPOs

Create a group policy object (GPO) to install security hotfixes to multiple servers simultaneously.

This tip was submitted to the SearchWin2000 Tip Exchange by member Joe Keegan.

To date, Microsoft has released enough security hotfixes to make your head spin. While the task of applying them can be daunting, they are a necessity if you want to run your Windows environment securely.

There are four or five ABSOLUTELY NECESSARY post Service Pack 2 hotfixes that you should apply to your Windows 2000 servers. This is an easy task if you have only a few servers in your Windows environment. However, multiply these hotfixes by 30 or 40 servers, and it's very easy to get lost. If, in the chaos of applying these hotfixes, you miss one, it could be your job on the line.

Luckily, Microsoft made these hotfixes very easy to apply with a batch file. While scripting the install would make the process much easier, you still would have to log on to each server to run the script...


To make this process MUCH easier and almost automatic, you can create a group policy object (GPO) to do the work for you. Instructions:

Create the batch file (assumes your domain is named MyDomain.com)

1. Download the appropriate post-SP2 hotfixes. (As of 4/23/2002, I personally recommend Win2k SRP1, Q314147, Q313829, Q311967, Q319733.) Create a directory called "hotfixes" under your domain name in the "sysvol" folder of any domain controller (%WINDIR%\SYSVOL\MyDomain.com\HOTFIXES) and copy all of the hotfixes there. (SYSVOL replication will automatically copy the hotfixes to all DCs, so no single DC being down can prevent the install.)

2. Create the following batch file and name it "srp1.bat" (created for SRP1):

    rem If the marker file already exists, the hotfix has been applied on this box
    if exist "%windir%\srp1.txt" goto NO_ACTION
    rem Write the marker, then run the installer unattended, quiet, and without a reboot
    echo "applied hotfix win2ksp2srp1" > "%windir%\srp1.txt"
    "\\MyDomain.com\sysvol\MyDomain.com\HotFixes\srp1.exe" -u -q -z
    goto END
    :NO_ACTION
    rem patch already applied, no action necessary
    :END

Now save this file in the same place you put the hotfixes. (What this script does is check for the existence of the file "srp1.txt" in the WINNT directory. If it exists, the patch has already been applied and no action is taken. If it DOESN'T exist, it writes the file and applies the patch.)

Creating the GPO (to do the job)

1. Create a new OU called something like SERVERS at the root of AD.

2. Move all of your server objects into this container, EXCEPT for domain controllers. (They are already in a container of their own and have special GPOs that apply only to them. DO NOT move your DCs!)

3. Right-click the SERVERS container and click PROPERTIES. Go to the GPO tab, click NEW, and give your policy a friendly name (e.g. HOTFIX Install GPO). Finally, click EDIT.

4. Expand Computer Configuration --> Windows Settings --> Scripts, and double-click STARTUP.

5. Click ADD, and type the following in the window that comes up:

    \\MyDomain.com\SYSVOL\MyDomain.com\hotfixes\srp1.bat

Click OK, then close the Group Policy window.

Now every server that resides in the "SERVERS" OU will automatically run this batch file (thus installing the hotfix) at bootup. So even when you add new servers, simply putting them into this OU will cause all hotfixes to be applied.

The above script can be changed to apply ANY hotfix at startup by creating the same batch file and changing the filename fields. (Don't forget to tell the GPO to run the other scripts that you create.)
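The following is an added example, not the script from the tip above, that generalizes it to a single startup script covering several hotfixes. It keeps the tip's SYSVOL layout and domain name (MyDomain.com) but changes one thing a practitioner will want: the tip's script writes the marker file before the installer runs, so a failed install is recorded as applied and never retried. Here the marker is written only when the installer exits with 0, failures are logged and retried at the next boot, and the log gives a per-server record to check. The hotfix list, the assumption that each installer was saved as <name>.exe in the HOTFIXES folder, and the log file path are all assumptions for illustration.

```batch
@echo off
rem Added example (not the original tip's script): apply several hotfixes from
rem SYSVOL at startup, writing a marker only after the installer exits 0.
rem Assumes domain MyDomain.com and the HOTFIXES folder from the tip; the
rem installer names (<name>.exe) and the log path are assumptions.
setlocal
set SRC=\\MyDomain.com\SYSVOL\MyDomain.com\HOTFIXES
set LOG=%windir%\hotfix-gpo.log

rem One entry per hotfix; each must exist as %SRC%\<name>.exe
for %%H in (srp1 Q314147 Q313829 Q311967 Q319733) do call :APPLY %%H
goto END

:APPLY
rem Marker present: this hotfix already succeeded on this server
if exist "%windir%\%1.txt" goto :EOF
rem -u unattended, -q quiet, -z do not reboot (same switches as the tip)
"%SRC%\%1.exe" -u -q -z
if errorlevel 1 (
    rem Leave no marker so the install is retried at the next startup
    echo %date% %time% %1 failed with errorlevel %errorlevel% >> "%LOG%"
    goto :EOF
)
echo applied hotfix %1 > "%windir%\%1.txt"
echo %date% %time% %1 applied >> "%LOG%"
goto :EOF

:END
endlocal
```

Point the GPO startup script at this one file instead of one batch file per hotfix; adding a hotfix then means copying the installer into HOTFIXES and adding its name to the for list. Because startup scripts run as LocalSystem, keep the installers in SYSVOL, where only domain administrators can write, rather than on a general-purpose share.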

This was last published in May 2002.
