TSI-WLV
asked on
WSUS client questions
We have WSUS running on Windows 2000 Server with 2000 Pro and XP Pro clients.
On a couple of the 2000 clients there is no settings in the registry relating to using WSUS. Normally there are 2 settings I look for:
Under HKEY_LOCAL_MACHINE\SOFTWAR E\Policies \Microsoft \Windows\W indowsUpda te there are 2 keys for WUServer and WUStatusServer
and
Under HKEY_LOCAL_MACHINE\SOFTWAR E\Microsof t\Windows\ CurrentVer sion\Windo wsUpdate there are 2 keys for AccountDomainSid and SusClient Id
These 2 computer dont have the WindowsUpdate folders from either registry location.
My second question is that there are a couple of the XP clients that will download the updates but not install them unless its done manually. I am using Group Policy on the DC to have it downolad and install the updates automatically.
On a couple of the 2000 clients there is no settings in the registry relating to using WSUS. Normally there are 2 settings I look for:
Under HKEY_LOCAL_MACHINE\SOFTWAR
and
Under HKEY_LOCAL_MACHINE\SOFTWAR
These 2 computer dont have the WindowsUpdate folders from either registry location.
My second question is that there are a couple of the XP clients that will download the updates but not install them unless its done manually. I am using Group Policy on the DC to have it downolad and install the updates automatically.
meant which GPO settings do you have applied, etc...
ASKER
They are not reporting to the WSUS server. They most likely are cloned and Sysprep was not used. What Ive been doing is checking those registry settings on the cloned computers and making sure that they are pointing to the WSUS server and then deleting the AccountDomainSid and SusClient Id and having it recreated using a script I got from someone else. Its worked fine on the other cloned computers but they had the registry settings to begin with and these 2 dont.
For the XP machines one has local admin (mine) and thats why I figured it was prompting me but I just found out another one does it too. His account is a Power User.
For the GPO settings the are set on the DC and point to our WSUS server and have it set to automatically download and install updates daily. Any settings in particular you want to know about?
For the XP machines one has local admin (mine) and thats why I figured it was prompting me but I just found out another one does it too. His account is a Power User.
For the GPO settings the are set on the DC and point to our WSUS server and have it set to automatically download and install updates daily. Any settings in particular you want to know about?
That was the main setting I was concerned about. But would like to see the other settings as well to determine the issue with the power user. Are you using GPMC to manage the settings? If so, highlight your GPO, click the settings tab, then copy and paste the "Windows Components/Windows Update" section.
On those win2000 clients, what Service Pack is on them?
Also, download the client diagnostic tool via and run it on the problem workstations :
http://www.microsoft.com/windowsserversystem/updateservices/downloads/default.mspx
On those win2000 clients, what Service Pack is on them?
Also, download the client diagnostic tool via and run it on the problem workstations :
http://www.microsoft.com/windowsserversystem/updateservices/downloads/default.mspx
answers to your questions:
make sure the windows 2000 clients have the latest service pack installed, also make sure that windows xp clients have sp1 installed - this should fix both your problems...
make sure the windows 2000 clients have the latest service pack installed, also make sure that windows xp clients have sp1 installed - this should fix both your problems...
ASKER
I installed the GPMC and here is the section for WSUS
Windows Components/Windows Update
Policy Setting
Allow non-administrators to receive update notifications Enabled
Automatic Updates detection frequency Enabled
Check for updates at the following
interval (hours): 22
Policy Setting
Configure Automatic Updates Enabled
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day: 0 - Every day
Scheduled install time: 09:00
Policy Setting
No auto-restart for scheduled Automatic Updates installations Enabled
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://qdc1
Set the intranet statistics server: http://qdc1
(example: http://IntranetUpd01)
The 2000 Clients have SP4.
I cant run the tool until they are off of the comptuers and I dont know when that will be.
Windows Components/Windows Update
Policy Setting
Allow non-administrators to receive update notifications Enabled
Automatic Updates detection frequency Enabled
Check for updates at the following
interval (hours): 22
Policy Setting
Configure Automatic Updates Enabled
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day: 0 - Every day
Scheduled install time: 09:00
Policy Setting
No auto-restart for scheduled Automatic Updates installations Enabled
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://qdc1
Set the intranet statistics server: http://qdc1
(example: http://IntranetUpd01)
The 2000 Clients have SP4.
I cant run the tool until they are off of the comptuers and I dont know when that will be.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
To make the 2000 box receive and install the updates make sure they have the latest service pack..
trippleO7 is on track with NewSID tool. Any time you duplicate a system drive (unless it was prepared with sysprep) I would run NewSID. This will save you many headaches down the road.
ASKER
The 2000 and XP clients have the latest service packs.
Are you sure the NewSid will do the trick if there is no area for the SID to be there in the first place? Normally I would run my script that would delete and recreate the SID and restart the update service etc but there is no section in the registry for this information to go. Therefore there is no old SID info.
Are you sure the NewSid will do the trick if there is no area for the SID to be there in the first place? Normally I would run my script that would delete and recreate the SID and restart the update service etc but there is no section in the registry for this information to go. Therefore there is no old SID info.
You were trying to delete and update the SID in the Windows update part of the registry....this is for Security and SAM accounts, which in turn, will uniquely identify those computers so communication between them and the WSUS server can occur.
From http://www.microsoft.com/technet/sysinternals/Utilities/NewSid.mspx:
How it Works
NewSID starts by reading the existing computer SID. A computer's SID is stored in the Registry's SECURITY hive under SECURITY\SAM\Domains\Accou nt. This key has a value named F and a value named V. The V value is a binary value that has the computer SID embedded within it at the end of its data. NewSID ensures that this SID is in a standard format (3 32-bit subauthorities preceded by three 32-bit authority fields).
Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID.
Three phases to the computer SID replacement follow. In the first phase, the SECURITY and SAM Registry hives are scanned for occurrences of the old computer SID in key values, as well as the names of the keys. When the SID is found in a value it is replaced with the new computer SID, and when the SID is found in a name, the key and its subkeys are copied to a new subkey that has the same name except with the new SID replacing the old.
The final two phases involve updating security descriptors. Registry keys and NTFS files have security associated with them. Security descriptors consist of an entry that identifies which account owns the resource, which group is the primary group owner, an optional list of entries that specify actions permitted by users or groups (known as the Discretionary Access Control List - DACL), and an optional list of entries that specify which actions performed by certain users or groups will generate entries in the system Event Log (System Access Control List - SACL). A user or a group is identified in these security descriptors with their SIDs, and as I stated earlier, local user accounts (other than the built-in accounts such as Administrator, Guest, and so on) have their SIDs made up of the computer SID plus a RID.
The first part of security descriptor updates occurs on all NTFS file system files on the computer. Every security descriptor is scanned for occurrences of the computer SID. When NewSID finds one, it replaces it with the new computer SID.
The second part of security descriptor updates is performed on the Registry. First, NewSID must make sure that it scans all hives, not just those that are loaded. Every user account has a Registry hive that is loaded as HKEY_CURRENT_USER when the user is logged in, but remains on disk in the user's profile directory when they are not. NewSID identifies the locations of all user hive locations by enumerating the HKEY_LOCAL_MACHINE\Softwar e\Microsof t\Windows NT\CurrentVersion\ProfileL ist key, which points at the directories in which they are stored. It then loads them into the Registry using RegLoadKey under HKEY_LOCAL_MACHINE and scans the entire Registry, examining each security descriptor in search of the old computer SID. Updates are performed the same as for files, and when its done NewSID unloads the user hives it loaded. As a final step NewSID scans the HKEY_USERS key, which contains the hive of the currently logged-in user as well as the .Default hive. This is necessary because a hive can't be loaded twice, so the logged-in user hive won't be loaded into HKEY_LOCAL_MACHINE when NewSID is loading other user hives.
Finally, NewSID must update the ProfileList subkeys to refer to the new account SIDs. This step is necessary to have Windows NT correctly associate profiles with the user accounts after the account SIDs are changed to reflect the new computer SID.
NewSID ensures that it can access and modify every file and Registry key in the system by giving itself the following privileges: System, Backup, Restore and Take Ownership.
From http://www.microsoft.com/technet/sysinternals/Utilities/NewSid.mspx:
How it Works
NewSID starts by reading the existing computer SID. A computer's SID is stored in the Registry's SECURITY hive under SECURITY\SAM\Domains\Accou
Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID.
Three phases to the computer SID replacement follow. In the first phase, the SECURITY and SAM Registry hives are scanned for occurrences of the old computer SID in key values, as well as the names of the keys. When the SID is found in a value it is replaced with the new computer SID, and when the SID is found in a name, the key and its subkeys are copied to a new subkey that has the same name except with the new SID replacing the old.
The final two phases involve updating security descriptors. Registry keys and NTFS files have security associated with them. Security descriptors consist of an entry that identifies which account owns the resource, which group is the primary group owner, an optional list of entries that specify actions permitted by users or groups (known as the Discretionary Access Control List - DACL), and an optional list of entries that specify which actions performed by certain users or groups will generate entries in the system Event Log (System Access Control List - SACL). A user or a group is identified in these security descriptors with their SIDs, and as I stated earlier, local user accounts (other than the built-in accounts such as Administrator, Guest, and so on) have their SIDs made up of the computer SID plus a RID.
The first part of security descriptor updates occurs on all NTFS file system files on the computer. Every security descriptor is scanned for occurrences of the computer SID. When NewSID finds one, it replaces it with the new computer SID.
The second part of security descriptor updates is performed on the Registry. First, NewSID must make sure that it scans all hives, not just those that are loaded. Every user account has a Registry hive that is loaded as HKEY_CURRENT_USER when the user is logged in, but remains on disk in the user's profile directory when they are not. NewSID identifies the locations of all user hive locations by enumerating the HKEY_LOCAL_MACHINE\Softwar
Finally, NewSID must update the ProfileList subkeys to refer to the new account SIDs. This step is necessary to have Windows NT correctly associate profiles with the user accounts after the account SIDs are changed to reflect the new computer SID.
NewSID ensures that it can access and modify every file and Registry key in the system by giving itself the following privileges: System, Backup, Restore and Take Ownership.
ASKER
So will this add the Windows Update keys that were missing on these computers?
HKEY_LOCAL_MACHINE\SOFTWAR E\Policies \Microsoft \Windows\W indowsUpda te there are 2 keys for WUServer and WUStatusServer
and
Under HKEY_LOCAL_MACHINE\SOFTWAR E\Microsof t\Windows\ CurrentVer sion\Windo wsUpdate there are 2 keys for AccountDomainSid and SusClient Id
HKEY_LOCAL_MACHINE\SOFTWAR
and
Under HKEY_LOCAL_MACHINE\SOFTWAR
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok, Im going to be able to run all of these checks in a couple of hours so I will report back what I find.
the batch script below is also a combo of registering drivers needed by WSUS. This script also deleted cloned WSUS Sids
rem ***** Fixes problem with client machines not showing up on the server due to imaging method *****
reg delete HKLM\SOFTWARE\Microsoft\Wi ndows\Curr entVersion \WindowsUp date /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Wi ndows\Curr entVersion \WindowsUp date /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Wi ndows\Curr entVersion \WindowsUp date /v SusClientId /f
regsvr32 /s wuapi.dll
regsvr32 /s wups.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wucltui.dll
regsvr32 /s msxml3.dll
regsvr32 /s Mssip32.dll
regsvr32 /s Initpki.dll
NET STOP WUAUSERV
NET STOP BITS
regsvr32 /s cdm.dll
regsvr32 /s bitsprx2.dll
regsvr32 /s bitsprx3.dll
regsvr32 /s iuengine.dll
regsvr32 /s qmgr.dll
regsvr32 /s qmgrprxy.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml2.dll
regsvr32 /s msxml3.dll
regsvr32 /s urlmon.dll
regsvr32 /s wuapi.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wuauserv.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups.dll
regsvr32 /s wuweb.dll
NET START BITS
NET START WUAUSERV
regsvr32 /s softpub.dll
regsvr32 /s initpki.dll
regsvr32 /s mssip32.dll
regsvr32 /s wintrust.dll
regsvr32 /s dssenh.dll
regsvr32 /s rsaenh.dll
regsvr32 /s gpkcsp.dll
regsvr32 /s sccbase.dll
regsvr32 /s slbcsp.dll
regsvr32 /s cryptdlg.dll
regsvr32 /s jscript.dll
wuauclt /resetauthorization /detectnow
rem ***** Fixes problem with client machines not showing up on the server due to imaging method *****
reg delete HKLM\SOFTWARE\Microsoft\Wi
reg delete HKLM\SOFTWARE\Microsoft\Wi
reg delete HKLM\SOFTWARE\Microsoft\Wi
regsvr32 /s wuapi.dll
regsvr32 /s wups.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wucltui.dll
regsvr32 /s msxml3.dll
regsvr32 /s Mssip32.dll
regsvr32 /s Initpki.dll
NET STOP WUAUSERV
NET STOP BITS
regsvr32 /s cdm.dll
regsvr32 /s bitsprx2.dll
regsvr32 /s bitsprx3.dll
regsvr32 /s iuengine.dll
regsvr32 /s qmgr.dll
regsvr32 /s qmgrprxy.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml2.dll
regsvr32 /s msxml3.dll
regsvr32 /s urlmon.dll
regsvr32 /s wuapi.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wuauserv.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups.dll
regsvr32 /s wuweb.dll
NET START BITS
NET START WUAUSERV
regsvr32 /s softpub.dll
regsvr32 /s initpki.dll
regsvr32 /s mssip32.dll
regsvr32 /s wintrust.dll
regsvr32 /s dssenh.dll
regsvr32 /s rsaenh.dll
regsvr32 /s gpkcsp.dll
regsvr32 /s sccbase.dll
regsvr32 /s slbcsp.dll
regsvr32 /s cryptdlg.dll
regsvr32 /s jscript.dll
wuauclt /resetauthorization /detectnow
ASKER
bigjimbo813, I use that script and may have got it from you to begin with.
-------------------------- ---------- ---------- ---------- ---------- ---------- --------
Here is the result from the WSUS Client Diagnostics Tool
Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is running. . . PASS
Wuaueng.dll version 5.8.0.2469. . . . . . . . . . . . . PASS
This version is WSUS 2.0
Checking AU Settings
AU Option is 3 : Notify Prior to Install. . . . . . . . PASS
Option is from Control Panel
Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . . NONE
Winhttp local machine ProxyBypass. . . . . . . NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy. . . . . . . . . . . . . . . . . NONE
User IE ProxyByPass. . . . . . . . . . . . . . NONE
User IE AutoConfig URL Proxy . . . . . . . . . NONE
User IE AutoDetect
AutoDetect not in use
Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL
-------------------------- ---------- ---------- ---------- ---------- ---------- --
I ran NewSid as well but it didnt help. I did have to rejoin the computer to the domain though which I wasnt expecting!
--------------------------
Here is the result from the WSUS Client Diagnostics Tool
Checking Machine State
Checking for admin rights to run tool . . . . . . . . . PASS
Automatic Updates Service is running. . . . . . . . . . PASS
Background Intelligent Transfer Service is running. . . PASS
Wuaueng.dll version 5.8.0.2469. . . . . . . . . . . . . PASS
This version is WSUS 2.0
Checking AU Settings
AU Option is 3 : Notify Prior to Install. . . . . . . . PASS
Option is from Control Panel
Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type
<Direct Connection>
Winhttp local machine Proxy. . . . . . . . . . NONE
Winhttp local machine ProxyBypass. . . . . . . NONE
Checking User IE Proxy settings . . . . . . . . . . . . PASS
User IE Proxy. . . . . . . . . . . . . . . . . NONE
User IE ProxyByPass. . . . . . . . . . . . . . NONE
User IE AutoConfig URL Proxy . . . . . . . . . NONE
User IE AutoDetect
AutoDetect not in use
Checking Connection to WSUS/SUS Server
AU does not have Policy Set
AU does not have Policy Set
UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL
--------------------------
I ran NewSid as well but it didnt help. I did have to rejoin the computer to the domain though which I wasnt expecting!
ASKER
Here is the result from gpresult /s before running NewSid
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\Certi
ficates\6F05ECED792553B71E E9D834DBD1 D28628773D DC
ValueName: Blob
ValueType: REG_BINARY
Value:
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\CRLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\CTLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate
ValueName: ElevateNonAdmins
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate
ValueName: WUServer
ValueType: REG_SZ
Value: http://qdc1
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate
ValueName: WUStatusServer
ValueType: REG_SZ
Value: http://qdc1
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate\AU
ValueName: NoAutoRebootWithLoggedOnUs ers
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate\AU
ValueName: UseWUServer
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate\AU
ValueName: DetectionFrequencyEnabled
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate\AU
ValueName: DetectionFrequency
ValueType: REG_DWORD
Value: 0x00000016
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate\AU
ValueName: NoAutoUpdate
ValueType: REG_DWORD
Value: 0x00000000
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate\AU
ValueName: AUOptions
ValueType: REG_DWORD
Value: 0x00000004
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate\AU
ValueName: ScheduledInstallDay
ValueType: REG_DWORD
Value: 0x00000000
KeyName: Software\Policies\Microsof t\Windows\ WindowsUpd ate\AU
ValueName: ScheduledInstallTime
ValueType: REG_DWORD
Value: 0x0000000d
========================== ========== ========== ========== =======
The computer received "Security" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Policy
Revision Number: 28 (Active Directory) 28 (Sysvol)
Unique Name: {31B2F340-016D-11D2-945F-0 0C04FB984F 9}
Domain Name: EFS-NLSC.COM
Linked to: Domain (DC=efs-nlsc,DC=com)
Run the Security Configuration Editor for more information.
========================== ========== ========== ========== =======
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Policy
Revision Number: 28 (Active Directory) 28 (Sysvol)
Unique Name: {31B2F340-016D-11D2-945F-0 0C04FB984F 9}
Domain Name: efs-nlsc.com
Linked to: Domain (DC=efs-nlsc,DC=com)
Additional information is not available for this type of policy setting.
KeyName: Software\Policies\Microsof
ficates\6F05ECED792553B71E
ValueName: Blob
ValueType: REG_BINARY
Value:
KeyName: Software\Policies\Microsof
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof
ValueName: ElevateNonAdmins
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Policies\Microsof
ValueName: WUServer
ValueType: REG_SZ
Value: http://qdc1
KeyName: Software\Policies\Microsof
ValueName: WUStatusServer
ValueType: REG_SZ
Value: http://qdc1
KeyName: Software\Policies\Microsof
ValueName: NoAutoRebootWithLoggedOnUs
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Policies\Microsof
ValueName: UseWUServer
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Policies\Microsof
ValueName: DetectionFrequencyEnabled
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Policies\Microsof
ValueName: DetectionFrequency
ValueType: REG_DWORD
Value: 0x00000016
KeyName: Software\Policies\Microsof
ValueName: NoAutoUpdate
ValueType: REG_DWORD
Value: 0x00000000
KeyName: Software\Policies\Microsof
ValueName: AUOptions
ValueType: REG_DWORD
Value: 0x00000004
KeyName: Software\Policies\Microsof
ValueName: ScheduledInstallDay
ValueType: REG_DWORD
Value: 0x00000000
KeyName: Software\Policies\Microsof
ValueName: ScheduledInstallTime
ValueType: REG_DWORD
Value: 0x0000000d
==========================
The computer received "Security" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Policy
Revision Number: 28 (Active Directory) 28 (Sysvol)
Unique Name: {31B2F340-016D-11D2-945F-0
Domain Name: EFS-NLSC.COM
Linked to: Domain (DC=efs-nlsc,DC=com)
Run the Security Configuration Editor for more information.
==========================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Default Domain Policy
Revision Number: 28 (Active Directory) 28 (Sysvol)
Unique Name: {31B2F340-016D-11D2-945F-0
Domain Name: efs-nlsc.com
Linked to: Domain (DC=efs-nlsc,DC=com)
Additional information is not available for this type of policy setting.
ASKER
Here is the result from gpresult /s before after NewSid and after forcing a policy update on the DC.
Create global objects
########################## ########## ########## ########## #######
Last time Group Policy was applied: Wednesday, November 29, 2006 at 12:14:43 PM
Group Policy was applied from: qdc1.efs-nlsc.com
========================== ========== ========== ========== =======
The user received "Internet Explorer Branding" settings from these GPOs:
Default Domain Policy
Revision Number: 9 (Active Directory) 9 (Sysvol)
Unique Name: {31B2F340-016D-11D2-945F-0 0C04FB984F 9}
Domain Name: efs-nlsc.com
Linked to: Domain (DC=efs-nlsc,DC=com)
Additional information is not available for this type of policy setting.
########################## ########## ########## ########## #######
Computer Group Policy results for:
Domain Name: EFS-NLSC
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
NT AUTHORITY\Authenticated Users
########################## ########## ########## ########## #######
Last time Group Policy was applied: Wednesday, November 29, 2006 at 12:04:48 PM
Group Policy was applied from: qdc1.efs-nlsc.com
========================== ========== ========== ========== =======
The computer received "Registry" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
The following settings were applied from: Local Group Policy
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS
ValueName: EFSBlob
ValueType: REG_BINARY
Value:
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\Certi
ficates\1B0C91C85D800038B9 F6E1301BCD ED1096653B F3
ValueName: Blob
ValueType: REG_BINARY
Value:
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\CRLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof t\SystemCe rtificates \EFS\CTLs
ValueName:
ValueType: REG_NONE
Value: This key contains no values
========================== ========== ========== ========== =======
The computer received "Security" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Run the Security Configuration Editor for more information.
========================== ========== ========== ========== =======
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Additional information is not available for this type of policy setting.
Create global objects
##########################
Last time Group Policy was applied: Wednesday, November 29, 2006 at 12:14:43 PM
Group Policy was applied from: qdc1.efs-nlsc.com
==========================
The user received "Internet Explorer Branding" settings from these GPOs:
Default Domain Policy
Revision Number: 9 (Active Directory) 9 (Sysvol)
Unique Name: {31B2F340-016D-11D2-945F-0
Domain Name: efs-nlsc.com
Linked to: Domain (DC=efs-nlsc,DC=com)
Additional information is not available for this type of policy setting.
##########################
Computer Group Policy results for:
Domain Name: EFS-NLSC
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
NT AUTHORITY\Authenticated Users
##########################
Last time Group Policy was applied: Wednesday, November 29, 2006 at 12:04:48 PM
Group Policy was applied from: qdc1.efs-nlsc.com
==========================
The computer received "Registry" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
The following settings were applied from: Local Group Policy
KeyName: Software\Policies\Microsof
ValueName: EFSBlob
ValueType: REG_BINARY
Value:
KeyName: Software\Policies\Microsof
ficates\1B0C91C85D800038B9
ValueName: Blob
ValueType: REG_BINARY
Value:
KeyName: Software\Policies\Microsof
ValueName:
ValueType: REG_NONE
Value: This key contains no values
KeyName: Software\Policies\Microsof
ValueName:
ValueType: REG_NONE
Value: This key contains no values
==========================
The computer received "Security" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Run the Security Configuration Editor for more information.
==========================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
Additional information is not available for this type of policy setting.
ASKER
For the registry edit from DenisCooper I put the text into a file and saved it with .reg and tried to import it and here is what I got.
Cannot import XXXX.reg -- The specified file is not a registry script. You can only import registry files.
I was hoping this was the thing that would fix it too!
The only thing I changed in the text was the server name. Should I have changed anything else?
[HKEY_LOCAL_MACHINE\SOFTWA RE\Policie s\Microsof t\Windows\ WindowsUpd ate]
"WUServer"="qdc1"
"WUStatusServer"="qdc1"
[HKEY_LOCAL_MACHINE\SOFTWA RE\Policie s\Microsof t\Windows\ WindowsUpd ate\AU]
"UseWUServer"=dword:000000 01
"RescheduleWaitTime"=dword :00000005
"NoAutoRebootWithLoggedOnU sers"=dwor d:00000000
"NoAutoUpdate"=dword:00000 000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dwor d:00000000
"ScheduledInstallTime"=dwo rd:0000000 4
Cannot import XXXX.reg -- The specified file is not a registry script. You can only import registry files.
I was hoping this was the thing that would fix it too!
The only thing I changed in the text was the server name. Should I have changed anything else?
[HKEY_LOCAL_MACHINE\SOFTWA
"WUServer"="qdc1"
"WUStatusServer"="qdc1"
[HKEY_LOCAL_MACHINE\SOFTWA
"UseWUServer"=dword:000000
"RescheduleWaitTime"=dword
"NoAutoRebootWithLoggedOnU
"NoAutoUpdate"=dword:00000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dwor
"ScheduledInstallTime"=dwo
ASKER
I just looked at my WSUS server and the computer is there! I wonder what happened?
TSI-WLV,
I believe the technical explanation is "FM".
The "M" stands for magic and you can fill in the rest.
This has been a great string of posts and I've already 'cut and pasted' a bunch of it.
Thanks all.
Vic
I believe the technical explanation is "FM".
The "M" stands for magic and you can fill in the rest.
This has been a great string of posts and I've already 'cut and pasted' a bunch of it.
Thanks all.
Vic
glad its working,
another good source of information can be obtained from -> c:\windows\WindowsUpdate.l og (hence no space).
Usually that file will contain all the errors which WSUS is experiencing. If you haven't deleted it you could revert to the log times before the system appeared for an explanation.
Vic,
This site is wonderful isn't it?
another good source of information can be obtained from -> c:\windows\WindowsUpdate.l
Usually that file will contain all the errors which WSUS is experiencing. If you haven't deleted it you could revert to the log times before the system appeared for an explanation.
Vic,
This site is wonderful isn't it?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
you just need to double click the .reg file, it should put it in itself, don't need to import it through regedit....
glad it's all working for you now...
glad it's all working for you now...
This is a great site!
TSI-WLV,
Sorry about the re-adding to the Domain. I typically run the tool prior to the machine having been added to a domain and haven't needed to use it in a loooong time but it is a great tool.
Didn't you say there were a couple machines having this problem? Have they both been cleared up? If the other has not try just removing from Domain and re-joining to see if the problem was just GPO application. If not run NewSid on it as well and see what happens.
Cheers,
Krompton
TSI-WLV,
Sorry about the re-adding to the Domain. I typically run the tool prior to the machine having been added to a domain and haven't needed to use it in a loooong time but it is a great tool.
Didn't you say there were a couple machines having this problem? Have they both been cleared up? If the other has not try just removing from Domain and re-joining to see if the problem was just GPO application. If not run NewSid on it as well and see what happens.
Cheers,
Krompton
The simple fix I use is to drop the box into a Workgroup (NO RE-BOOT),
Re-add to the domain (RE-BOOT).
Then run a time synch.
Create a batch command out of the following lines:
cd\
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
Vic
Re-add to the domain (RE-BOOT).
Then run a time synch.
Create a batch command out of the following lines:
cd\
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
Vic
Good posts people! Nice to see it's working for you TSI-WLV.
ASKER
Someone moved a bunch of computer around so I will have to find the other one and see what happens.
Thanks for all the ideas and tips and Ill dish out some points when I have a chance to figure out how Im going to do it!
Thanks for all the ideas and tips and Ill dish out some points when I have a chance to figure out how Im going to do it!
On those XP machines, depends on your GP Settings, etc, but generally, if the users are administrators of those computers, they get prompted to install the updates rather than it being done in the background. Can you verify what permissions those users have?
Also, could you post what your GPO looks like for the Windows update section?