Problems with policies and GPMC in Win2K3 server

dwielgosz asked
Medium Priority
Last Modified: 2008-11-11
I had a tenuous grip on the ways and means of GPOs on Win2K. We have a very limited number of policies in effect and it seemed to do what I wanted it to do. Several months ago I had the bright idea to install the new GPMC on our new Win2K3 server (DC) and it's actually quite impressive looking. Gradually I began to run into some problems with some users being unable to update their PCs through the Windows Update site so I downloaded the updates and put them into a directory on a NAS and logged into their machines as administrator to run the updates. I get the same message that they do when they try to update, "you do not have permission to update windows". So, I meticulously went through the Domain policy looking for that control and found reference to "Windows Update" but it was not configured. I did the same with the other GPOs as well and found the same thing that I did on the Domain policy..."not configured". I then blocked inheritance of GP for the groups of which the user was a member. Still no appreciable change in the ability, or lack of, to update windows, logged in as the user or as the admin. I guess I'm not very comfortable with the new GPO interface, GPMC, and wish that I had not installed it. I've looked on the MS website for any mention of removing it without having found any mention of removing it and returning to the simple screen that it used to be like on Win2K server. I want to know if anyone has ever removed it and returned to the simple interface and which approach to use to do that. Is it possible to just delete all of the GPOs and start over? I tested the update problem with the user's login. I logged into my PC with his credentials and got the same message that I had gotten on his PC. My PC, when I am logged in, can access and download just about anything so therefore the issue must be with his login credentials.
He is a member of 3 groups, Domain Users -a mail distribution List group - and a security group that has access permissions to a secure NAS. I have moved him into the same group that I'm a member of and his login still cannot update windows. Does anyone have any ideas?

The GPMC SP1 installation is in the Software control panel. If it's not, try re-installing GPMC and then removing it again. If you really want the old interface, you can use another XP Pro without GPMC to do that. Just install the Adminpak.msi from the 2003 server on the client.

Best practices:
- always make backups of Group Policy objects before modifying the contents. GPMC is ideal for that, and it's a great program if you know how to use it.
- Never change the contents of the Default Domain Policy and the Domain Controllers policy, EXCEPT for the password policy which should always be defined at the Domain level.
- use separate Organizational Units for testing purposes and do not change production group policies without *exactly* knowing what it does. So, if you want to know if it's security or policy related, create a copy of the user account you're testing and move that copy to an OU that has no policies applied.

Before using these, read http://technet2.microsoft.com/WindowsServer/en/Library/b9db0ae7-3d25-4e5e-9320-e5db0b0c9f8a1033.mspx

To reset the Domain GPO, type
dcgpofix /target:Domain

To reset the Default DC GPO, type
dcgpofix /target:DC

To reset both the Domain and Default DC GPOs, type
dcgpofix /target:both
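
The backup advice above, applied before a dcgpofix reset, as an added example that is not part of the original answer. It assumes a machine with the GroupPolicy PowerShell module (GPMC on Server 2008 R2 or later, not the Win2K3 tools used in this thread); the C:\GPOBackups path is a placeholder.

```powershell
# Added example: snapshot all GPOs before resetting the default ones.
# Assumption: GroupPolicy module is available and the account can read every GPO.
Import-Module GroupPolicy

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path 'C:\GPOBackups' $stamp        # placeholder backup location
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Back up every GPO in the domain into the timestamped folder.
$backups = Backup-GPO -All -Path $dest -Comment "Before dcgpofix $stamp"

# 2. Save readable reports of the two GPOs that dcgpofix overwrites, so
#    settings such as forced proxy configuration can be recreated afterwards.
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    Get-GPOReport -Name $name -ReportType Html -Path (Join-Path $dest "$name.html")
}

# 3. Refuse to continue if any GPO is missing from the backup set.
$backedUpIds = @($backups | ForEach-Object { $_.GpoId })
$missing = Get-GPO -All | Where-Object { $backedUpIds -notcontains $_.Id }
if ($missing) {
    throw "Not backed up: $($missing.DisplayName -join ', ')"
}

"Backed up $($backups.Count) GPOs to $dest"
# Only now run the reset by hand, for example: dcgpofix /target:Domain
# A single GPO can be brought back later with:
#   Restore-GPO -Name '<GPO name>' -Path $dest
```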


what do you mean by this:

If you really want the old interface, you can use another XP Pro without GPMC to do that

I'm working on a server 2003 DC

I mention it because you say you're not happy with the interface of GPMC, and are not able to uninstall it. So that's an alternative until you are. I've never uninstalled GPMC, by the way.

It's better to solve the issue (whatever it is) on the 2003 DC, but Windows XP Pro SP2 can edit GPOs just fine; you need the AD Users and Computers snap-in for it without GPMC. Your Windows 2000 DC will do as well, but it requires a few updates to get rid of the "string too long - truncated" messages.

Also, the topic is "problems with policies and GPMC" but your question revolves all about running Windows Update as a user. We need to assume all kinds of things here, for example

- that regular users are a local Administrator at the client, because they've always been able to run WU, but not anymore.
- after making changes, you're using AD sites and services or repadmin/replmon to force synchronization, OR wait five minutes before replication is done
- you run gpupdate on the client or reboot it

My advice is: get the default domain policy sorted (= back to default). If that has all kinds of settings it's more difficult to isolate GP issues. See if that solves your Windows Update problem, if it does, build up the policies again carefully (either with or without GPMC, but the tool's a godsend).


Like I said, I've gone through the GPOs, line by line, and don't see anything in them that should be interfering with the ability to update windows. (I just did it again between posts). It is affecting a certain number of workstations, but not all. It definitely is user specific and not PC specific. I have copied users and placed the copied user in the same group that I'm in and tried both logins, mine and theirs, on my workstation with opposite results. I think it is a permissions problem more than I do a GPO problem though, but where would those settings be? I have looked at the Domain Security Policy and the Domain Controller policy without seeing anything either. I will probably end up doing the GPO redo that you posted, however I know better than to try anything drastic late in the day. I've been down that road before. I'll probably try that in the AM as that will give me eight hours to straighten things out afterwards.

You're right there.

If there are any important policies (like Favorites/Links, proxy settings, Office settings, other things users are going to notice) in the default domain policy, prepare them beforehand, nothing happens to other policies than the GPOs being restored.


It's mostly proxy settings(we force users through a proxy) for the web filtering software and a couple of other minor things as well. I'll post a followup on this.

Great, thanks. Take it easy, and good luck.
Top Expert 2005

My guess is that the Administrator's group is not in this policy on the local PC:

Computer Config>Windows Settings>Security Settings>Local Policies>User Rights Assignment ::

>> Manage Auditing and Security Log.


Another aspect of the problem:

on the user's PC he got the error message when he tried running the updates, I then logged on as the administrator(Domain Admin) and I got the same error when I tried running the updates.

I logged onto my PC with his credentials and could not run the updates
I logged onto my PC with admin credentials and was able to run the updates
I logged onto my PC with my credentials and was able to run the updates.
Top Expert 2005

Have you checked that Group Policy element on the local machine?


How do I do that? I can "connect" to that from the DC, can't I?

I just ran a "modeling" of GPO with the user and it gave me a "Resultant Set Of Policy" in which, near the bottom under "User Configuration">"Windows Settings">"Software Restriction Policy" are two items that are listed under "Software Restriction Policy">"Security Levels". They are "Unrestricted" and "Disallowed". It appears as if the "unrestricted" has a default check mark in it.
Top Expert 2005

On the local PC (or from a Remote Desktop Session) run GPEDIT.MSC

Drill down and check that setting.

I'm not saying this is definite, but I've seen it many times - personally.


Thanks for the help. Very helpful answer.