Group Policy WSUS - Security Filtering tab - workstations missing from list
SBS2003 Premium R2.
I am attempting to turn off Windows Auto updates on a few workstations which are giving me grief. In particular svchost issues. As the recommended solution is to turn off auto updates and perform manually then reset. (the theory being that there are uncompleted updates that cause this particular issue.
At first I could not get the workstations to respond to the existing WSUS Client Computer GP that I modified.
I figured this was because the workstations were not appearing in the security filtering list. Rather I had three entries that all started with a ? ........... Sort of like you get on the security permissions tab when a domain user is not recognised. As such I added the computer names back to the tab. Ran GPupdate on the clients and hey presto I could manually turn the Auto updates off. ( I did this on only one of the workstations as I am performing this remotely after hours).
So this morning I logged back in to complete the process on the other two workstations without success. I open GP and look at the policy in question and note again these same three workstations no longer appear in the Security Filtering tab.
Sure I could add them back again but why is this happening?
All other workstations on the network are displayed in the tab.
I am attempting to turn off Windows Auto updates on a few workstations which are giving me grief. In particular svchost issues. As the recommended solution is to turn off auto updates and perform manually then reset. (the theory being that there are uncompleted updates that cause this particular issue.
At first I could not get the workstations to respond to the existing WSUS Client Computer GP that I modified.
I figured this was because the workstations were not appearing in the security filtering list. Rather I had three entries that all started with a ? ........... Sort of like you get on the security permissions tab when a domain user is not recognised. As such I added the computer names back to the tab. Ran GPupdate on the clients and hey presto I could manually turn the Auto updates off. ( I did this on only one of the workstations as I am performing this remotely after hours).
So this morning I logged back in to complete the process on the other two workstations without success. I open GP and look at the policy in question and note again these same three workstations no longer appear in the Security Filtering tab.
Sure I could add them back again but why is this happening?
All other workstations on the network are displayed in the tab.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Gidday Jeff, as usual thanks for the response. I am working remotely on this client (they are 300km's away) and I think I would be more comfortable performing the above onsite. However this morning I logged into the server, I again checked the GPO SBS Update Services Client Computers and in the Security Tab filter the workstations are again missing. FYI I ONLY use the wizard to join PC's to the domain. I know better than not too. Nor for that matter have I modified the GPO it is the standard GPO as set after installing WSUS. All clients run dynamic IP's and the get their DNS from the SBS server. All other functions, internal website, exchange, security groups work ok. In fact my only issue is that the clients are not listed in the security tab, which of course prevents the standard WSUS GPO from completing.
Note: I am happy using WSUS GPO to manager upate services. Turning it off is only a temporary issue to resolve my svchost error. It is as a result of attempting to fix this error that I came across this.
I am nervous about disconnecting from the domain and rejoining as I don't wish to lose profiles.
Originally this was a workgroup client so when using the original server/connectcomputer I was able to keep the users existing profile.
I also checked the AD OU (I have not modified from original) All workstations are present including the three not present in the WSUS default GPO.
Thanks for your help to date.
Note: I am happy using WSUS GPO to manager upate services. Turning it off is only a temporary issue to resolve my svchost error. It is as a result of attempting to fix this error that I came across this.
I am nervous about disconnecting from the domain and rejoining as I don't wish to lose profiles.
Originally this was a workgroup client so when using the original server/connectcomputer I was able to keep the users existing profile.
I also checked the AD OU (I have not modified from original) All workstations are present including the three not present in the WSUS default GPO.
Thanks for your help to date.
ASKER
Update. I have been able to resolve my original svchost error on the client. Good.
But the WSUS GPO is still worrying me. I have held back making the changes as suggested hoping for more feedback. As I suggested in my last post I have three workstations that do not appear in the security filtering tab despite having manually added them back twice. Server Manager, Client Computers looking at the properties tab of each workstation they appear identical to those that are in the security filtering tab. All workstations are in the same OU (default install).
Its not a pressing issue as all other operational features of the PC's work and as I wont be on site for two weeks would rather wait until then before removing from domain and rejoining. Thanks.
But the WSUS GPO is still worrying me. I have held back making the changes as suggested hoping for more feedback. As I suggested in my last post I have three workstations that do not appear in the security filtering tab despite having manually added them back twice. Server Manager, Client Computers looking at the properties tab of each workstation they appear identical to those that are in the security filtering tab. All workstations are in the same OU (default install).
Its not a pressing issue as all other operational features of the PC's work and as I wont be on site for two weeks would rather wait until then before removing from domain and rejoining. Thanks.
Sorry I didn't get back to you earlier, I've been swamped.
Regarding rejoining the workstations, you should ONLY do this onsite... you will not lose profiles during this procedure, but as a safety precaution you should always back them up. I do this by running XP's file and settings transfer wizard.
However, if you did not join them via connectcomputer to begin with then the items listed in this blog post have not been done: http://sbsurl.com/connect
Although... you from what you are saying, ("Originally this was a workgroup client so when using the original server/connectcomputer I was able to keep the users existing profile") it sounds as if you DID originally use connectcomputer, so there would be no reason to follow the above procedure anyhow.
Regarding your GPO though... do you have a backup of the original before you modified the default? Because modifying it was not really the right thing to do. There is a known issue about client computers not applying the WSUS GPO, and it's covered in the documentation under "troubleshooting":
http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/documentation/4ad3c8c0-f794-4507-af7a-cef10c49c4f5.mspx?mfr=true
Jeff
TechSoEasy
Regarding rejoining the workstations, you should ONLY do this onsite... you will not lose profiles during this procedure, but as a safety precaution you should always back them up. I do this by running XP's file and settings transfer wizard.
However, if you did not join them via connectcomputer to begin with then the items listed in this blog post have not been done: http://sbsurl.com/connect
Although... you from what you are saying, ("Originally this was a workgroup client so when using the original server/connectcomputer I was able to keep the users existing profile") it sounds as if you DID originally use connectcomputer, so there would be no reason to follow the above procedure anyhow.
Regarding your GPO though... do you have a backup of the original before you modified the default? Because modifying it was not really the right thing to do. There is a known issue about client computers not applying the WSUS GPO, and it's covered in the documentation under "troubleshooting":
http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/documentation/4ad3c8c0-f794-4507-af7a-cef10c49c4f5.mspx?mfr=true
Jeff
TechSoEasy
Make sure that you haven't renamed any AD OU, and that all Computers are in the default OU of Domain.local\MyBusiness\Co
Jeff
TechSoEasy