"Configure Automatic Updates" group policy setting not taking affect on PC

Using group policy on my Windows 2003 server, I want to set the windows update choice on all desktops/laptops to "Auto download and notify for install" AND I don't want users to be able to override this setting.

I've enabled it in group policy but it's not getting set on the PCs.

conoverc73 Asked:
 
PberSolutions Architect Commented:
How is the computer time?  Are you having w32time errors in the system log?  

check out these articles:

Group Policy processing does not work and events 1030 and 1058 are logged in the Application log of a domain controller
http://support.microsoft.com/kb/842804/en-us

Group policies are not applied the way you expect; "Event ID 1058" and "Event ID 1030" errors in the application log
http://support.microsoft.com/kb/314494/en-us

 
0
 
PberSolutions Architect Commented:
Are you using the GPMC?  If so, go to Group Policy Results and see if the client is getting policy.  You can also do a GPresult on the client machine to see if the policy is getting applied.
0
 
conoverc73 (Author) Commented:
No, I am not using GPMC, I'm just using the default group policy editor.  Also, I ran the GPresult command and it's not showing a policy for Windows Update.  The only "Applied Group Policy Objects" that came back was the one I created for the screen saver policy under "User Settings".

Under "Computer Settings" in the GPresult output, the only "Applied Group Policy Objects" is the default domain policy.
0
 
PberSolutions Architect Commented:
Does the GPresult show the Group Policy Object not applied?  What are the permissions on that GPO you created?  

Are you getting 1030 events in the application log of the client?  
Are you getting 1704 events in the application log of the client?  This would imply that GPOs are applying properly.

Are you rebooting the clients or just having them logon/logoff or doing a GPupdate /force?  If it is a Computer Setting then that policy is only applied at reboot.
0
 
conoverc73 (Author) Commented:
See GPresult output below:

Also, I rebooted the client machines and still no good.

I am not seeing 1704 events.

I AM seeing 1030 and 1058 events in the event log on the client.

The following users/groups have permissions to the GPO I created:

Authenticated Users, CREATED OWNER, Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS, SYSTEM.

COMPUTER SETTINGS
------------------
    CN=DL026,OU=Computers,OU=Boston,DC=us,DC=corp,DC=sa
    Last time Group Policy was applied: 6/16/2006 at 1:06:53 PM
    Group Policy was applied from:      usbdcadc.us.corp.sa
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        DL026$
        Domain Computers

0
 
craylord Commented:
You need to add "domain computers" to the permissions group. The computer is not applying it because its membership of "Domain Computers" is not listed with your applied group.

>The following users/groups have permissions to the GPO I created:
>
>Authenticated Users, CREATED OWNER, Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS, SYSTEM.

*Domain computers not listed in your posting.
0
 
PberSolutions Architect Commented:


That should have been covered by Authenticated Users as the machine account would be an authenticated user.  I think he has other issues because of the 1030 and 1058 errors.  
0
 
craylord Commented:
Authenticated user does not include workstations (in my testing and experience). Hence the word users. These update settings are (should) be applied via GPO to workstations not users. It's the same principle for publishing an application with GPO.

You can clearly see why his workstation is not getting the policy. There are no matching security groups from his applied permission list and the workstation's membership list.
0
 
craylord Commented:
Err, nvm! It's late and I'm ready to go home. Authenticated Users is listed. The same principle still applies from pushing an application out, domain computers should be specified.

As a side note, I would highly recommend creating a new GPO for this, not piggybacking on the existing default domain policy.

Is this test workstation pre-SP1? If it is you will need to create a policy to update the client first.
0
 
PberSolutions Architect Commented:
Interesting.  I'm not sure what is different.  Every one of my GPOs that are created via the GPMC all have only the Authenticated Users under the Security Filtering.   When I look at the permissions directly at the policy in the sysvol folder, there is no Domain Computers for any of my policies and I have lots of computer policies and don't seem to have GPO issues.

Even in his GPresult dump it says the computer is in the following group:

  The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users  <------
        DL026$
        Domain Computers


Weird, it's worth a shot.
0
 
Netman66 Commented:
Hang on a sec...

Your users will NOT be notified unless they are local Admins to their PCs.

Now, with respect to your Userenv errors - your DNS settings should only point to your DNS server, not the ISP.  Remove all ISP DNS entries from every NIC inside your LAN.  Set your DNS server Forwarder to the ISP.  This is the only place to enter the ISP info.

Let us know.
0
 
Netman66 Commented:
Oh, and Authenticated Users contains domain-joined workstation accounts.  I don't think it's a permission issue on the Policy.  There might be SYSVOL permission issues, but rather than mess with them let's eliminate the easy stuff.



0
 
conoverc73 (Author) Commented:
I created a separate policy just for the windows updates.  This got me to the point that it would at least show up in gpresult.  However, it was showing up as "filter, not applied (empty)".

I did some searching on Google and came across an Experts Exchange article (Q_21412022.html).  After reading this, I realized that I was creating the policy on my Users OU and not the Computers OU.

I re-created the policy on the computers OU and it's now applying.

0
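Added example, not part of the original thread: a Python parser for gpresult text of the shape quoted above, with a heuristic check for the pattern the asker hit, where a GPO meant for computers appears only under the user scope as "Not Applied (Empty)". The sample text, the GPO names in it and the status labels are constructed for this example.

```python
# Constructed gpresult excerpt modelled on the output quoted in this thread;
# the GPO names "Screen Saver" and "Windows Update" are made up.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Screen Saver
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Windows Update
            Filtering:  Not Applied (Empty)
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    report, scope, section, last = {}, None, None, None
    # Drop blank lines and the dashed underlines beneath each heading.
    for line in (l.strip() for l in text.splitlines() if l.strip(" -")):
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, section = line.split()[0].lower(), None
            report[scope] = {"applied": [], "filtered": {}}
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.endswith("security groups:"):
            section = None                            # group list, not GPOs
        elif scope and section == "applied":
            report[scope]["applied"].append(line)
        elif scope and section == "filtered" and line.startswith("Filtering:"):
            report[scope]["filtered"][last] = line.split(":", 1)[1].strip()
        elif scope and section == "filtered":
            last = line                               # GPO name; reason follows
    return report

def diagnose(report, gpo, scope="computer"):
    """Heuristic: why is `gpo` in effect, or not, for `scope`?"""
    other = "user" if scope == "computer" else "computer"
    if gpo in report.get(scope, {}).get("applied", []):
        return "applied"
    if "Empty" in report.get(other, {}).get("filtered", {}).get(gpo, ""):
        return "empty-in-other-scope"  # in this thread: linked to the Users OU
    return "not-in-scope"
```

`diagnose(parse_gpresult(SAMPLE), "Windows Update")` returns `"empty-in-other-scope"`, which is the cue to check which OU the GPO is linked to.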
 
conoverc73 (Author) Commented:
Is this the right way to be applying group policy?

I've got all of my user objects in an OU called "Users" and all of my computer objects in an OU called "Computers".

Is it the right thing to create the "windows update" GPO and apply it to the computers OU and create a "screen saver" GPO and apply it to the users OU?

0
 
Netman66 Commented:
You could do it that way, sure.

If your "Computers" and "Users" OUs are inside a parent OU then you could put all the settings in one GPO and link it to the parent OU.

Parent  <<link GPO here.
    Users
    Computers

You cannot link GPOs to the default containers (Users, Computers, etc) as they are not OUs.

0
Question has a verified solution.
