Solved

"Configure Automatic Updates" group policy setting not taking affect on PC

Posted on 2006-06-16
15
435 Views
Last Modified: 2012-05-05
Using group policy on my Windows 2003 server, I want to set the windows update choice on all desktops/laptops to "Auto download and notify for install"    AND I don't want users to be able to override this setting.

I've enabled it in group policy but it's not getting set on the PC's.

0
Comment
Question by:conoverc73
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 3
  • +1
15 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 16920910
Are you using the GPMC?  If so, so go to Group Policy Results and see if the client is getting policy.  You can also do a GPresult on the client machine to see if the policy is getting applied.
0
 

Author Comment

by:conoverc73
ID: 16921818
No, I am not using GPMC, I'm just using the default group policy editor.  Also, I ran the GPresult command and it's not showing a policy for Windows Update.  The only "Applied Group Polciy Objects" that came back was the one I created for the screen saver policy under "User Settings".

Under "Computer Settings" in the GPresult output, only "Applied Group Polciy Objects" is the default domain policy.
0
 
LVL 26

Expert Comment

by:Pber
ID: 16921893
Does the GPresult show the Group Policy Object not applied?  What are the permissions on that GPO you created?  

Are you getting 1030 events in the application log of the client?  
Are you getting 1704 events in the application log of the client?  This would imply that GPO's are applying properly.

Are you rebooting the clients or just having them logon/logoff or doing a GPupdate /force?  If it is a Computer Setting then that policy is only applied at reboot.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:conoverc73
ID: 16922080
See GPresult output below:

Also, I rebooted the client machines and still no good.

I am not seeing 1704 events.

I AM seeing 1030 and 1058 events in the event log on the client.

The following users/groups have permissons to the GPO I created:

Authenticated Users, CREATED OWNER, Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS, SYSTEM.

COMPUTER SETTINGS
------------------
    CN=DL026,OU=Computers,OU=Boston,DC=us,DC=corp,DC=sa
    Last time Group Policy was applied: 6/16/2006 at 1:06:53 PM
    Group Policy was applied from:      usbdcadc.us.corp.sa
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        DL026$
        Domain Computers

0
 
LVL 26

Accepted Solution

by:
Pber earned 125 total points
ID: 16922144
How is the computer time?  Are you having w32time errors in the system log?  

check out these articles:

Group Policy processing does not work and events 1030 and 1058 are logged in the Application log of a domain controller
http://support.microsoft.com/kb/842804/en-us

Group policies are not applied the way you expect; "Event ID 1058" and "Event ID 1030" errors in the application log
http://support.microsoft.com/kb/314494/en-us

 
0
 
LVL 16

Expert Comment

by:craylord
ID: 16923161
You need to add "domain computers" to the permissions group. The computer is not applying it because its member ship of "Domain Computers" is not listed with your applied group.

>The following users/groups have permissons to the GPO I created:
>
>Authenticated Users, CREATED OWNER, Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS, >SYSTEM.

*Domain computers not listed in your posting.
0
 
LVL 26

Expert Comment

by:Pber
ID: 16923212


That should have been covered by Authenticated Users as the machine account would be an authenticated user.  I think he has other issues because of the 1030 and 1058 errors.  
0
 
LVL 16

Expert Comment

by:craylord
ID: 16923353
Authenticated user does not include workstations (in my testing and experience). Hence the word users. These update settings are (should) be applied via GPO to workstations not users. It's the same principle for publishing an application with GPO.

You can clearly see why his workstation is not getting the policy. There is no matching security groups from his applied permission list and the workstations membership list.
0
 
LVL 16

Expert Comment

by:craylord
ID: 16923388
err, nvm! its late and im ready to go home. authenticated users is listed. The same principle still applies from pushing an application out, domain computers should be specified.

As a side note, I would highly recommend creating a new GPO for this, not piggybacking on the existing default domain policy.

Is this test workstation pre-SP1? If it is you will need to create a policy to update the client first.
0
 
LVL 26

Expert Comment

by:Pber
ID: 16923436
Interesting.  I'm not sure what is different.  Everyone of my GPO's that are created via the GPMC all have only the Authenticated Users under the Security Filtering.   When I look at the permissions directly at the policy in the sysvol folder, there is no Domain Computers for any of my policies and I have lots of computer policies and don't seem to have GPO issues.

Even in his GPresult dump it says the computer is in the following group:

  The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users  <------
        DL026$
        Domain Computers


Weird, it's worth a shot.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16924568
Hang on a sec...

Your users will NOT be notified unless they are local Admins to their PCs.

Now, with respect to your Userenv errors - your DNS settings should only point to your DNS server, not the ISP.  Remove all ISP DNS entries from every NIC inside your LAN.  Set your DNS server Forwarder to the ISP.  This is the only place to enter the ISP info.

Let us know.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16924577
Oh, and Authenticated Users contains domain-joined workstation accounts.  I don't think it's a permission issue on the Policy.  There might be SYSVOL permission issues, but rather than mess with them let's illiminate the easy stuff.



0
 

Author Comment

by:conoverc73
ID: 16948332
I created a separete policy just for the windows updates.  This got me to the point that it would at least show up in gpresult.  However, it was showing up as "filter, not applied (empty).

I did some searching on google and came accross an experts exhange article (Q_21412022.html).  After reading this, I realized that I was creating the policy on my Users OU and not the Computers OU.

I re-created the policy on the computers OU and it's now applying.

0
 

Author Comment

by:conoverc73
ID: 16955270
Is this the right way to be applying group policy?

I've got all of my user objects in an OU called "Users" and all of my computer objects in an OU called "Computers".

Is the right thing to create the "windows update" GPO and apply it to the computers OU and create a "screen saver" GPO and apply it to the users OU?

0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 125 total points
ID: 16955450
You could do it that way, sure.

If your "Computers" and "Users" OUs are inside a parent OU then you could put all the settings in one GPO and link it to the parent OU.

Parent  <<link GPO here.
    Users
    Computers

You cannot link GPOs to the default containers (Users, Computers, etc) as they are not OUs.

0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SolarWind and DNS Server 12 107
Auditing domain account logon attempt, failure, lockout 2 192
User wants to log with Username or Email 4 111
Unable to start workstation service 12 438
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question