Solved

"Configure Automatic Updates" group policy setting not taking effect on PC

Posted on 2006-06-16
Last Modified: 2012-05-05
Using group policy on my Windows 2003 server, I want to set the Windows Update choice on all desktops/laptops to "Auto download and notify for install" AND I don't want users to be able to override this setting.

I've enabled it in group policy but it's not getting set on the PCs.

Question by:conoverc73

Expert Comment

by:Pber
Are you using the GPMC?  If so, go to Group Policy Results and see if the client is getting policy.  You can also do a GPresult on the client machine to see if the policy is getting applied.

Author Comment

by:conoverc73
No, I am not using GPMC, I'm just using the default group policy editor.  Also, I ran the GPresult command and it's not showing a policy for Windows Update.  The only "Applied Group Policy Objects" that came back was the one I created for the screen saver policy under "User Settings".

Under "Computer Settings" in the GPresult output, the only "Applied Group Policy Objects" is the default domain policy.

Expert Comment

by:Pber
Does the GPresult show the Group Policy Object not applied?  What are the permissions on that GPO you created?

Are you getting 1030 events in the application log of the client?
Are you getting 1704 events in the application log of the client?  This would imply that GPOs are applying properly.

Are you rebooting the clients or just having them log on/log off or doing a GPupdate /force?  If it is a Computer Setting then that policy is only applied at reboot.

Author Comment

by:conoverc73
See GPresult output below:

Also, I rebooted the client machines and still no good.

I am not seeing 1704 events.

I AM seeing 1030 and 1058 events in the event log on the client.

The following users/groups have permissions to the GPO I created:

Authenticated Users, CREATOR OWNER, Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS, SYSTEM.

COMPUTER SETTINGS
------------------
    CN=DL026,OU=Computers,OU=Boston,DC=us,DC=corp,DC=sa
    Last time Group Policy was applied: 6/16/2006 at 1:06:53 PM
    Group Policy was applied from:      usbdcadc.us.corp.sa
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        DL026$
        Domain Computers

Accepted Solution

by:Pber
Pber earned 125 total points
How is the computer time?  Are you having w32time errors in the system log?  

Check out these articles:

Group Policy processing does not work and events 1030 and 1058 are logged in the Application log of a domain controller
http://support.microsoft.com/kb/842804/en-us

Group policies are not applied the way you expect; "Event ID 1058" and "Event ID 1030" errors in the application log
http://support.microsoft.com/kb/314494/en-us

 
Expert Comment

by:craylord
You need to add "domain computers" to the permissions group. The computer is not applying it because its membership of "Domain Computers" is not listed with your applied group.

>The following users/groups have permissions to the GPO I created:
>
>Authenticated Users, CREATOR OWNER, Domain Admins, Enterprise Admins, ENTERPRISE DOMAIN CONTROLLERS, SYSTEM.

*Domain computers not listed in your posting.

Expert Comment

by:Pber
That should have been covered by Authenticated Users as the machine account would be an authenticated user.  I think he has other issues because of the 1030 and 1058 errors.  

Expert Comment

by:craylord
Authenticated user does not include workstations (in my testing and experience). Hence the word users. These update settings are (should be) applied via GPO to workstations not users. It's the same principle for publishing an application with GPO.

You can clearly see why his workstation is not getting the policy. There are no matching security groups from his applied permission list and the workstation's membership list.

Expert Comment

by:craylord
Err, nvm! It's late and I'm ready to go home. Authenticated Users is listed. The same principle still applies from pushing an application out, domain computers should be specified.

As a side note, I would highly recommend creating a new GPO for this, not piggybacking on the existing default domain policy.

Is this test workstation pre-SP1? If it is you will need to create a policy to update the client first.

Expert Comment

by:Pber
Interesting.  I'm not sure what is different.  Every one of my GPOs that are created via the GPMC all have only the Authenticated Users under the Security Filtering.  When I look at the permissions directly at the policy in the sysvol folder, there is no Domain Computers for any of my policies and I have lots of computer policies and don't seem to have GPO issues.

Even in his GPresult dump it says the computer is in the following group:

  The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users  <------
        DL026$
        Domain Computers


Weird, it's worth a shot.

Expert Comment

by:Netman66
Hang on a sec...

Your users will NOT be notified unless they are local Admins to their PCs.

Now, with respect to your Userenv errors - your DNS settings should only point to your DNS server, not the ISP.  Remove all ISP DNS entries from every NIC inside your LAN.  Set your DNS server Forwarder to the ISP.  This is the only place to enter the ISP info.

Let us know.

Expert Comment

by:Netman66
Oh, and Authenticated Users contains domain-joined workstation accounts.  I don't think it's a permission issue on the Policy.  There might be SYSVOL permission issues, but rather than mess with them let's eliminate the easy stuff.



Author Comment

by:conoverc73
I created a separate policy just for the windows updates.  This got me to the point that it would at least show up in gpresult.  However, it was showing up as "filter, not applied (empty)".

I did some searching on Google and came across an Experts Exchange article (Q_21412022.html).  After reading this, I realized that I was creating the policy on my Users OU and not the Computers OU.

I re-created the policy on the computers OU and it's now applying.

Author Comment

by:conoverc73
Is this the right way to be applying group policy?

I've got all of my user objects in an OU called "Users" and all of my computer objects in an OU called "Computers".

Is it the right thing to create the "windows update" GPO and apply it to the computers OU and create a "screen saver" GPO and apply it to the users OU?

Assisted Solution

by:Netman66
Netman66 earned 125 total points
You could do it that way, sure.

If your "Computers" and "Users" OUs are inside a parent OU then you could put all the settings in one GPO and link it to the parent OU.

Parent  <<link GPO here.
    Users
    Computers

You cannot link GPOs to the default containers (Users, Computers, etc) as they are not OUs.
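
Added example, not part of the original thread: a small parser for the gpresult summary format posted above, reporting per scope whether a GPO was applied, filtered out (with the reason), or not listed at all. The sample text is constructed, "Windows Update Policy" is a hypothetical GPO name, and the parser assumes the space-indented English layout shown in the thread.

```python
import re

# Constructed sample modeled on the gpresult output posted in this thread.
# "Windows Update Policy" is a hypothetical GPO name, not one from the thread.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

USER SETTINGS
--------------
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Windows Update Policy
            Filtering:  Not Applied (Empty)
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    report, cur, mode, last = {}, None, None, None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line or set(line) == {"-"}:
            continue                       # blank lines and dashed underlines
        m = re.fullmatch(r"(COMPUTER|USER) SETTINGS", line)
        if m:                              # a new scope starts
            cur, mode = report.setdefault(m[1], {"applied": [], "filtered": {}}), None
        elif cur is not None and indent <= 4:   # sub-heading selects the list
            mode = ("applied" if line.startswith("Applied Group Policy") else
                    "filtered" if "were not applied" in line else None)
        elif mode == "applied":
            cur["applied"].append(line)
        elif mode == "filtered" and line.startswith("Filtering:"):
            cur["filtered"][last] = line.split(":", 1)[1].strip()
        elif mode == "filtered":
            last = line
            cur["filtered"][last] = "unknown"
    return report

def diagnose(report, gpo, scope):
    s = report.get(scope, {"applied": [], "filtered": {}})
    if gpo in s["applied"]:
        return "applied"
    if gpo in s["filtered"]:
        return "filtered: " + s["filtered"][gpo]
    return "not listed"    # absent: GPO is not linked anywhere this object sits

print({s: diagnose(parse_gpresult(SAMPLE), "Windows Update Policy", s) for s in ("COMPUTER", "USER")})
```

A GPO that is "not listed" under COMPUTER but "Not Applied (Empty)" under USER matches what the asker describes: a policy holding only computer settings that was linked to the OU containing the user objects.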
