Solved

clients not receiving GPO

Posted on 2008-06-18
Last Modified: 2012-05-05
I have Windows 2003 Server SP2 and Windows XP SP2 clients.

I have configured a GPO to send config for Windows updates to clients on my network, but for some reason they do not receive it. (When I go to gpedit.msc on a client, all settings for Windows Update are "not configured".)

But when I change the home page in the GPO, all clients receive the updated link after I run gpupdate.

Any ideas?

thanks
0
Question by:aucklandnz
20 Comments
 
LVL 22

Expert Comment

by:mcsween
ID: 21818808
When you use gpedit.msc you are seeing the local group policy on the client, not the domain policies.

The commands you are looking for associated with domain policies are...

rsop.msc - Resultant Set of Policy (Shows all policies applied to the computer)
gpupdate - updates group policy (command line use /? for usage)
gpresult - shows policies applied but not actual settings (also command line)

Also just an FYI do not edit the "Default Domain Policy" except for the password or audit policy.  This is a MS best practice and a common mistake
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21818817
Common reasons policies are not applied...

1. Improper DNS settings (make sure all clients are pointed at a domain controller for DNS)
2. GPO not linked to correct OU (look in gpmc.msc and make sure your policy is applied to the OU your user/computer is in)
3. Improper permissions on GPO (in gpmc.msc click on the GPO, delegations tab, then the advanced button. Make sure apply policy for Authenticated Users is checked...or if using security group filtering make sure your users/computers are in that group and the apply policy is set for that group in the GPO)
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818818
Thanks for that.

When I run rsop.msc I cannot find the Windows Update policy there.
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21818821
try gpupdate /force and gpresult and look for the policy name
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818831
gpresult tells me that my group policy + default domain policy is applied
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818838
Sorry, my policy and the default domain policy are applied to user settings, and only the default domain policy to computer settings.
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21818888
Check your policy to see if the computer settings are disabled.  WSUS is a computer policy.  Also make sure the GPO is linked to the OU with all the Users in it.  If your users are in the default Users container you can move them to their own OU or just link the policy at the domain level
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818906
All users are in the "my company" OU, and my GPO is linked to this OU.

How can I check if computer settings are disabled?

thanks
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21818950
Are the COMPUTER objects in "my company" OU??

If you are using Group Policy Management Console (if not, google it and download it from M$), double click on the policy, then click on the details tab and make sure it is set to enabled.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818962
GPO status is enabled

The Computers folder is under mydomain.local.
In the "my company" OU there are only users and two other OUs (the 2 other OUs are for the two different departments we have).
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818977
I have moved the computer object to the "my company" OU and now rsop shows the Windows Update policy, but not as many policies as on the server (on the server I have 15 policies and only 5 are shown on the client).
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818989
Should I move every computer corresponding to each user to the correct OU?
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21819022
If you make settings under Computer Settings in the GPO, the GPO will have to be linked to the OU where the COMPUTER resides, and vice versa for the Users.  This is why it is a good idea to separate User and Computer settings.  Also settings you want to apply to everyone and settings you only want to apply to some.
0
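The checks discussed in this thread (is the GPO linked where the computer object lives, is its Computer Configuration half enabled, who holds the apply permission) can be run in one pass. This is an added example, not part of the original thread; it assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules, and the function name, computer name and GPO name are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory and GroupPolicy
# RSAT modules on a management host (Get-GPPermission is the Server 2012+ name).
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoComputerScope {            # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$GpoName
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $gpo      = Get-GPO -Name $GpoName

    # Parent of the computer object: the DN after the first unescaped comma.
    $parent = ($computer.DistinguishedName -split '(?<!\\),', 2)[1]

    # Containers such as CN=Computers cannot carry GPO links, so walk up
    # to the nearest OU or the domain root before evaluating links.
    $target = $parent
    while ($target -like 'CN=*') {
        $target = ($target -split '(?<!\\),', 2)[1]
    }

    # Links in effect at that OU/domain, including ones inherited from above.
    $link = (Get-GPInheritance -Target $target).InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }

    # Computer Configuration is skipped when the GPO status disables it.
    $computerHalfOn = [string]$gpo.GpoStatus -notin 'AllSettingsDisabled', 'ComputerSettingsDisabled'

    # Security filtering: trustees holding "Apply group policy" that are not denied.
    $appliesTo = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Computer                = $computer.Name
        ComputerParent          = $parent
        LinksEvaluatedAt        = $target
        GpoLinkedInScope        = [bool]$link
        LinkEnabled             = [bool]($link | Where-Object { $_.Enabled })
        ComputerSettingsEnabled = $computerHalfOn
        ApplyPermissionHeldBy   = $appliesTo -join '; '
    }
}

# Placeholder names; substitute a real computer account and GPO display name.
Test-GpoComputerScope -ComputerName 'PC-042' -GpoName 'WSUS Settings'
```

A computer left in the default Computers container shows `ComputerParent` starting with `CN=Computers` and `GpoLinkedInScope` as False unless the GPO is linked at the domain. Site links and WMI filters are not evaluated here.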
 
LVL 3

Author Comment

by:aucklandnz
ID: 21819048
How do you separate User and Computer settings?

In my company every user has their own PC, so should I move the user's computer object to the OU where the user belongs?
0
 
LVL 22

Accepted Solution

by:
mcsween earned 1500 total points
ID: 21819101
Some settings you apply to a GPO apply to users (User Configuration) and some apply to computers (Computer Configuration).

Examples of Computer Settings
WSUS settings, Power settings, Software Installs, Audit Policies, Security Policies, IE Branding, etc...

Examples of User settings
Homepage, Wallpaper, Screensaver, Software Restrictions, Logon Times, Control Panel Applets Available, Folder Redirection, etc...

Most of these settings should be put in their own GPO.  If it is a GPO with only user settings, disable the computer settings (as described above) and it will improve processing time.  Vice versa with Computer setting GPOs.  This allows you to manage your policies much better.  For example, you set up a screensaver policy that automatically locks the computer after 10 minutes.  The CEO calls and complains and wants to be removed immediately.  If this policy was mixed in with all the other ones you would have to deny all other GPOs to the CEO or create a special one just for him.  If this screensaver policy is its own GPO then you can just apply a deny permission to that user and be done with it.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21819147
So what you are saying is that I should have a different GPO for each policy, e.g. a different one for WSUS, a different one for Power settings, etc. Is that right?
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21819167
yes
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21819169
So say I have a GPO for WSUS, then I disable User Settings on this one.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21819174
So in a big environment you can end up with hundreds of GPOs.
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21819217
Not necessarily hundreds of GPOs.  You would only have, say, a couple dozen to set all the policies you really need, then link them to the appropriate OUs.  Remember GPOs can be linked to more than one OU and you can filter with security groups.
0
