dwielgosz

Problems with policies and GPMC in Win2K3 server

I had a tenuous grip on the ways and means of GPOs on Win2K. We have a very limited number of policies in effect and it seemed to do what I wanted it to do. Several months ago I had the bright idea to install the new GPMC on our new win2K3 server (DC) and it's actually quite impressive looking. Gradually I began to run into some problems with some users being unable to update their PCs through the Windows Update site so I downloaded the updates and put them into a directory on a NAS and logged into their machines as administrator to run the updates. I get the same message that they do when they try to update, "you do not have permission to update windows". So, I meticulously went through the Domain policy looking for that control and found reference to "windows Update" but it was not configured. I did the same with the other GPOs as well and found the same thing that I did on the Domain policy..."not configured". I then blocked inheritance of GP for the groups of which the user was a member. Still no appreciable change in the ability, or lack of, to update windows, logged in as the user or as the admin. I guess I'm not very comfortable with the new GPO interface, GPMC, and wish that I had not installed it. I've looked on the MS website for any mention of removing it without having found any mention of removing it and returning to the simple screen that it used to be like on Win2K server. I want to know if anyone has ever removed it and returned to the simple interface and which approach to use to do that. Is it possible to just delete all of the GPOs and start over? I tested the update problem with the user's login. I logged into my PC with his credentials and got the same message that I had gotten on his PC. My PC, when I am logged in, can access and download just about anything so therefore the issue must be with his login credentials.
He is a member of 3 groups, Domain Users -a mail distribution List group - and a security group that has access permissions to a secure NAS. I have moved him into the same group that I'm a member of and his login still cannot update windows. Does anyone have any ideas?
ASKER CERTIFIED SOLUTION
Rant32

dwielgosz

ASKER

what do you mean by this:

If you really want the old interface, you can use another XP Pro without GPMC to do that

I'm working on a server 2003 DC
I mention it because you say you're not happy with the interface of GPMC, and are not able to uninstall it. So that's an alternative until you are. I've never uninstalled GPMC, by the way.

It's better to solve the issue (whatever it is) on the 2003 DC, but Windows XP Pro SP2 can edit GPO's just fine, you need the AD Users and Computer snap in for it without GPMC. Your Windows 2000 DC will do as well, but it requires a few updates to get rid of the "string too long - truncated" messages.

Also, the topic is "problems with policies and GPMC" but your question revolves all about running Windows Update as a user. We need to assume all kinds of things here, for example

- that regular users are a local Administrator at the client, because they've always been able to run WU, but not anymore.
- after making changes, you're using AD sites and services or repadmin/replmon to force synchronization, OR wait five minutes before replication is done
- you run gpupdate on the client or reboot it

My advice is: get the default domain policy sorted (= back to default). If that has all kinds of settings it's more difficult to isolate GP issues. See if that solves your Windows Update problem, if it does, build up the policies again carefully (either with or without GPMC, but the tool's a godsend).
Like I said, I've gone through the GPOs, line by line and don't see anything in them that should be interfering with the ability to update windows. (I just did it again between posts). It is affecting a certain number of workstations, but not all. It definitely is user specific and not PC specific. I have copied users and placed the copied user in the same group that I'm in and tried both logins, mine and theirs, on my workstation with opposite results. I think it is a permissions problem more than I do a GPO problem though, but where would those settings be? I have looked at the Domain Security Policy and the Domain Controller policy without seeing anything either. I will probably end up doing the GPO redo that you posted, however I know better than to try anything drastic late in the day. I've been down that road before. I'll probably try that in the AM as that will give me eight hours to straighten things out afterwards.
You're right there.

If there are any important policies (like Favorites/Links, proxy settings, Office settings, other things users are going to notice) in the default domain policy, prepare them beforehand, nothing happens to other policies than the GPOs being restored.
It's mostly proxy settings (we force users through a proxy) for the web filtering software and a couple of other minor things as well. I'll post a followup on this.
Great, thanks. Take it easy, and good luck.
Netman66
My guess is that the Administrator's group is not in this policy on the local PC:

Computer Config>Windows Settings>Security Settings>Local Policies>User Rights Assignment ::

>> Manage Auditing and Security Log.


Another aspect of the problem:

on the user's PC he got the error message when he tried running the updates, I then logged on as the administrator(Domain Admin) and I got the same error when I tried running the updates.

I logged onto my PC with his credentials and could not run the updates
I logged onto my PC with admin credentials and was able to run the updates
I logged onto my PC with my credentials and was able to run the updates.
Have you checked that Group Policy element on the local machine?

How do I do that? I can "connect" to that from the DC, can't I?

I just ran a "modeling" of GPO with the user and it gave me a "Resultant Set Of Policy" in which, near the bottom under "User Configuration">"Windows Settings">"Software Restriction Policy" are two items that are listed under "Software Restriction Policy">"Security Levels". They are "Unrestricted" and "Disallowed". It appears as if the "unrestricted" has a default check mark in it.
On the local PC (or from a Remote Desktop Session) run GPEDIT.MSC

Drill down and check that setting.

I'm not saying this is definite, but I've seen it many times - personally.

Thanks for the help. Very helpful answer.
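
The local check suggested in the thread (whether the Administrators group holds "Manage auditing and security log") can also be run against a text export of the machine's user rights, for example one produced with `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The script below is an added example, not part of the original thread; the file name `rights.inf`, the function names and both sample exports are constructed for illustration.

```python
import configparser

# Well-known SID of the built-in Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"
# Privilege constant behind "Manage auditing and security log".
MANAGE_AUDIT_RIGHT = "SeSecurityPrivilege"

# Constructed sample exports (not taken from the thread).
HEALTHY_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Same export, but the right is held only by a made-up domain account SID.
BROKEN_INF = HEALTHY_INF.replace(
    "SeSecurityPrivilege = *S-1-5-32-544",
    "SeSecurityPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105",
)


def load_export(path):
    """Read a secedit export from disk; secedit writes UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def holders(inf_text, right):
    """Return the SIDs or account names that hold a user right."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # privilege names are mixed case; keep them as-is
    parser.read_string(inf_text)
    if not parser.has_option("Privilege Rights", right):
        return []  # right is not assigned to anyone on this machine
    raw = parser.get("Privilege Rights", right)
    # SIDs are written with a leading '*'; entries without it are account names.
    return [entry.strip().lstrip("*") for entry in raw.split(",") if entry.strip()]


def administrators_hold(inf_text, right=MANAGE_AUDIT_RIGHT):
    """True when the built-in Administrators group is listed for the right."""
    return ADMINISTRATORS_SID in holders(inf_text, right)


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_INF), ("broken", BROKEN_INF)):
        print(label, holders(text, MANAGE_AUDIT_RIGHT), administrators_hold(text))
```

For a real machine, pass `load_export("rights.inf")` to `administrators_hold` instead of the constructed samples.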