Solved

"Configure Automatic Updates" group policy setting not taking affect on PC

Posted on 2006-06-16
15
417 Views
Last Modified: 2012-05-05
Using group policy on my Windows 2003 server, I want to set the windows update choice on all desktops/laptops to "Auto download and notify for install"    AND I don't want users to be able to override this setting.

I've enabled it in group policy but it's not getting set on the PC's.

0
Comment
Question by:conoverc73
  • 5
  • 4
  • 3
  • +1
15 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 16920910
Are you using the GPMC?  If so, so go to Group Policy Results and see if the client is getting policy.  You can also do a GPresult on the client machine to see if the policy is getting applied.
0
 

Author Comment

by:conoverc73
ID: 16921818
No, I am not using GPMC, I'm just using the default group policy editor.  Also, I ran the GPresult command and it's not showing a policy for Windows Update.  The only "Applied Group Polciy Objects" that came back was the one I created for the screen saver policy under "User Settings".

Under "Computer Settings" in the GPresult output, only "Applied Group Polciy Objects" is the default domain policy.
0
 
LVL 26

Expert Comment

by:Pber
ID: 16921893
Does the GPresult show the Group Policy Object not applied?  What are the permissions on that GPO you created?  

Are you getting 1030 events in the application log of the client?  
Are you getting 1704 events in the application log of the client?  This would imply that GPO's are applying properly.

Are you rebooting the clients or just having them logon/logoff or doing a GPupdate /force?  If it is a Computer Setting then that policy is only applied at reboot.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:conoverc73
ID: 16922080
See GPresult output below:

Also, I rebooted the client machines and still no good.

I am not seeing 1704 events.

I AM seeing 1030 and 1058 events in the event log on the client.

The following users/groups have permissons to the GPO I created:

Authenticated Users, CREATED OWNER, Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS, SYSTEM.

COMPUTER SETTINGS
------------------
    CN=DL026,OU=Computers,OU=Boston,DC=us,DC=corp,DC=sa
    Last time Group Policy was applied: 6/16/2006 at 1:06:53 PM
    Group Policy was applied from:      usbdcadc.us.corp.sa
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        DL026$
        Domain Computers

0
 
LVL 26

Accepted Solution

by:
Pber earned 125 total points
ID: 16922144
How is the computer time?  Are you having w32time errors in the system log?  

check out these articles:

Group Policy processing does not work and events 1030 and 1058 are logged in the Application log of a domain controller
http://support.microsoft.com/kb/842804/en-us

Group policies are not applied the way you expect; "Event ID 1058" and "Event ID 1030" errors in the application log
http://support.microsoft.com/kb/314494/en-us

 
0
 
LVL 16

Expert Comment

by:craylord
ID: 16923161
You need to add "domain computers" to the permissions group. The computer is not applying it because its member ship of "Domain Computers" is not listed with your applied group.

>The following users/groups have permissons to the GPO I created:
>
>Authenticated Users, CREATED OWNER, Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS, >SYSTEM.

*Domain computers not listed in your posting.
0
 
LVL 26

Expert Comment

by:Pber
ID: 16923212


That should have been covered by Authenticated Users as the machine account would be an authenticated user.  I think he has other issues because of the 1030 and 1058 errors.  
0
 
LVL 16

Expert Comment

by:craylord
ID: 16923353
Authenticated user does not include workstations (in my testing and experience). Hence the word users. These update settings are (should) be applied via GPO to workstations not users. It's the same principle for publishing an application with GPO.

You can clearly see why his workstation is not getting the policy. There is no matching security groups from his applied permission list and the workstations membership list.
0
 
LVL 16

Expert Comment

by:craylord
ID: 16923388
err, nvm! its late and im ready to go home. authenticated users is listed. The same principle still applies from pushing an application out, domain computers should be specified.

As a side note, I would highly recommend creating a new GPO for this, not piggybacking on the existing default domain policy.

Is this test workstation pre-SP1? If it is you will need to create a policy to update the client first.
0
 
LVL 26

Expert Comment

by:Pber
ID: 16923436
Interesting.  I'm not sure what is different.  Everyone of my GPO's that are created via the GPMC all have only the Authenticated Users under the Security Filtering.   When I look at the permissions directly at the policy in the sysvol folder, there is no Domain Computers for any of my policies and I have lots of computer policies and don't seem to have GPO issues.

Even in his GPresult dump it says the computer is in the following group:

  The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users  <------
        DL026$
        Domain Computers


Weird, it's worth a shot.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16924568
Hang on a sec...

Your users will NOT be notified unless they are local Admins to their PCs.

Now, with respect to your Userenv errors - your DNS settings should only point to your DNS server, not the ISP.  Remove all ISP DNS entries from every NIC inside your LAN.  Set your DNS server Forwarder to the ISP.  This is the only place to enter the ISP info.

Let us know.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16924577
Oh, and Authenticated Users contains domain-joined workstation accounts.  I don't think it's a permission issue on the Policy.  There might be SYSVOL permission issues, but rather than mess with them let's illiminate the easy stuff.



0
 

Author Comment

by:conoverc73
ID: 16948332
I created a separete policy just for the windows updates.  This got me to the point that it would at least show up in gpresult.  However, it was showing up as "filter, not applied (empty).

I did some searching on google and came accross an experts exhange article (Q_21412022.html).  After reading this, I realized that I was creating the policy on my Users OU and not the Computers OU.

I re-created the policy on the computers OU and it's now applying.

0
 

Author Comment

by:conoverc73
ID: 16955270
Is this the right way to be applying group policy?

I've got all of my user objects in an OU called "Users" and all of my computer objects in an OU called "Computers".

Is the right thing to create the "windows update" GPO and apply it to the computers OU and create a "screen saver" GPO and apply it to the users OU?

0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 125 total points
ID: 16955450
You could do it that way, sure.

If your "Computers" and "Users" OUs are inside a parent OU then you could put all the settings in one GPO and link it to the parent OU.

Parent  <<link GPO here.
    Users
    Computers

You cannot link GPOs to the default containers (Users, Computers, etc) as they are not OUs.

0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question