Solved

Omit domain computer from WSUS/AD policy preventing access to windowsupdate.com

Posted on 2007-12-04
5
440 Views
Last Modified: 2010-08-05
I have one user on my network who requires access to windowsupdate.com. Our network policy currently prevents user access to this site as we use WSUS3. This user however does need regular access to windowsupdate.com for testing purposes. I have added the workstation to a ad container with disabled windows update properties and enforced the gpo but the user still cannot access the site? Can anyone offer any advice?
0
Comment
Question by:SimonBrook
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 1

Expert Comment

by:NCSITS
ID: 20410114
Check the order in which the GPO's are being processed. If the policy which disables access to Windows update is being processed AFTER the policy that permits access then the user will be denied access/

You could block inheiritance of GPO's for the container where this particular PC is located, and then apply your policy which allows access
0
 
LVL 1

Author Comment

by:SimonBrook
ID: 20410247
Hi, Thanks for your comment.

The WSUS policy is at the top of the domain tree, unenforced. The policy created/linked for the container in which I have placed his machine has an enforced policy. Therefore I would presume it would take presedence over the previous?
0
 
LVL 1

Accepted Solution

by:
NCSITS earned 100 total points
ID: 20410308
Unfortunately I'm not currently working on a AD system at the moment so I can't confirm your question until I get home. As far as I know , enforcing a policy only means it can;t be blocked, but it doesn't mean it will take precedence over other, non-enforced policies.
If you don't already have it, download the Resultant Set of Policies tool from Microsoft and you will be able to check what setting is being enforced.

Another thought I've had is whether the blocking of access is a user or a computer setting. If it's a user setting then your users account will need to be in the container, not the machine.
0
 
LVL 1

Author Comment

by:SimonBrook
ID: 20410370
Hi There,

It is a computer policy and I have replicated and run gpupdate from the client.

I am downloading the tool now. Thanks.
0
 
LVL 1

Author Comment

by:SimonBrook
ID: 20410521
I have manged to resolve it. I was using the wrong GPO.

I needed to be using the user GPO and the setting titled "Remove links and access to Windows Update". I created a new container for him and policy and set that to disabled. worked a treat. enforced it to make sure it took presendence over the higher GPO disabling access to the site.

thanks for the nudge in the right direction.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Unable to access folder shares on Netapp 1 25
Modifying AD Group Policy Powershell to list unused GPO 5 78
DNS logs 1 32
domain controller shut down question 6 68
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question