Solved

clients not receiving GPO

Posted on 2008-06-18
20
403 Views
Last Modified: 2012-05-05
i Have windows 2003 server sp2 and windows xp sp2 clients.

I have configured GPO to send config for windows updates to clients on my network but for some reason they do not receive it. ( when i go to client gpedit.msc all settings for windows update are "not configured")

but when i change home page on GPO all cients receive updated link after i run gpupdate.

any ideas ?

thanks
0
Comment
Question by:aucklandnz
  • 11
  • 9
20 Comments
 
LVL 21

Expert Comment

by:mcsween
Comment Utility
When you use gpedit.msc you are seeing the local group policy on the client, not the domain policies.

The commands you are looking for associated with domain policies are...

rsop.msc - Resultant Set of Policy (Shows all policies applied to the computer)
gpupdate - updates group policy (command line use /? for usage)
gpresult - shows policies applied but not actual settings (also command line)

Also just an FYI do not edit the "Default Domain Policy" except for the password or audit policy.  This is a MS best practice and a common mistake
0
 
LVL 21

Expert Comment

by:mcsween
Comment Utility
Common reasons policies are not applied...

1. Improper DNS settings (make sure all clients are pointed at a domain controller for DNS)
2. GPO not linked to correct OU (look in gpmc.msc and make sure your policy is applied to the OU your user/computer is in)
3. Improper permissions on GPO (in gpmc.msc click on GPO, delegations tab then advanced button.  Make sure it is apply policy for Authenticated Users is checked...or if using security group filtering make sure your users/computers are in that group and the apply policy is set for that group in the GPO)
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
thanks for that ,

when i run rsop.msc i cannot find windows update policy there
0
 
LVL 21

Expert Comment

by:mcsween
Comment Utility
try gpupdate /force and gpresult and look for the policy name
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
gpresult tells me that my group policy + default damin policy is applied
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
sorry my policy and default domain policy is applied to user setting and only default domain policy to computer settings
0
 
LVL 21

Expert Comment

by:mcsween
Comment Utility
Check your policy to see if the computer settings are disabled.  WSUS is a computer policy.  Also make sure the GPO is linked to the OU with all the Users in it.  If your users are in the default Users container you can move them to their own OU or just link the policy at the domain level
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
all users are in "my company" OU, and my GPO is link to this OU.

how can i check if computer settings are disabled ?  

thanks
0
 
LVL 21

Expert Comment

by:mcsween
Comment Utility
Are the COMPUTER objects in "my company" OU??

if you are using group policy management console (if not google it and dl it from M$) double click on the policy then click on the details tab and make sure it is set to enabled.
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
GPO status is enabled

Computers folder is uder mydomain.local
in my company OU there are only users and two other OU (2 other OU are for two different departments we have)
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
i have moved computer object to my company OU and now rsop shows windows update policy, but not as many policies as on the server ( on the server i have 15 policies and only 5 are shown on client)
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
should i move every computer corresponding to each user to the correct OU ?
0
 
LVL 21

Expert Comment

by:mcsween
Comment Utility
If you make settings under Computer Settings in the GPO the GPO will have to be linked to the OU where the COMPUTER resides.  And Vice versa for the Users.  This is why it is a good idea to separate User and Computer settings.  Also settings you want to apply to everyone and settings you only want to apply to some.
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
how do you separete User and Computer settings?

in my company every user has its own pc so should i move user's computer object  to OU where the user belongs to ?
0
 
LVL 21

Accepted Solution

by:
mcsween earned 500 total points
Comment Utility
Some settings you apply to a GPO apply to users (User Configuration) and some apply to computers (Computer Configuration).

Examples of Computer Settings
WSUS settings, Power settings, Software Installs, Audit Policies, Security Policicies, IE Branding, etc...

Examples of User settings
Homepage, Wallpaper, Screensaver, Software Restrictions, Logon Times, Control Panel Applets Available, Folder Redirection, etc...

Most of these settings should be put in thier own GPO.  If it is a GPO with only user settings, disable the computer settings (as described above) and it will improve processing time.  Vice versa with Computer setting GPOs.  This allows you to manage your policies much better.  For example, you setup a screensaver policy that automatically locks the computer after 10 minutes.  The CEO calls and complains and wants to be removed immediatly.  If this policy was mixed in with all the other ones you would have to deny all other GPOs to the CEO or create a special one just for him.  If this scrensaver policy is its own GPO then you can just apply a deny permission to that user and be done with it.
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
so what you saying is that i shoud have different GPO for each policy eg different for WSUS , different for Power settings etc .... is it right ?
0
 
LVL 21

Expert Comment

by:mcsween
Comment Utility
yes
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
so say i have a GPO for WSUS thn i disable User Settings on this one
0
 
LVL 3

Author Comment

by:aucklandnz
Comment Utility
so in a big environment you can end up with hudreds of GPOs
0
 
LVL 21

Expert Comment

by:mcsween
Comment Utility
Not necessarially have hundreds of GPOs.  You would only say have a couple dozen to set all the policies you really need, then link them to the approperiate OUs.  Remember GPOs can be linked to more than one OU and you can filter with security groups
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now