Solved

clients not receiving GPO

Posted on 2008-06-18
20
410 Views
Last Modified: 2012-05-05
i Have windows 2003 server sp2 and windows xp sp2 clients.

I have configured GPO to send config for windows updates to clients on my network but for some reason they do not receive it. ( when i go to client gpedit.msc all settings for windows update are "not configured")

but when i change home page on GPO all cients receive updated link after i run gpupdate.

any ideas ?

thanks
0
Comment
Question by:aucklandnz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 9
20 Comments
 
LVL 22

Expert Comment

by:mcsween
ID: 21818808
When you use gpedit.msc you are seeing the local group policy on the client, not the domain policies.

The commands you are looking for associated with domain policies are...

rsop.msc - Resultant Set of Policy (Shows all policies applied to the computer)
gpupdate - updates group policy (command line use /? for usage)
gpresult - shows policies applied but not actual settings (also command line)

Also just an FYI do not edit the "Default Domain Policy" except for the password or audit policy.  This is a MS best practice and a common mistake
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21818817
Common reasons policies are not applied...

1. Improper DNS settings (make sure all clients are pointed at a domain controller for DNS)
2. GPO not linked to correct OU (look in gpmc.msc and make sure your policy is applied to the OU your user/computer is in)
3. Improper permissions on GPO (in gpmc.msc click on GPO, delegations tab then advanced button.  Make sure it is apply policy for Authenticated Users is checked...or if using security group filtering make sure your users/computers are in that group and the apply policy is set for that group in the GPO)
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818818
thanks for that ,

when i run rsop.msc i cannot find windows update policy there
0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 
LVL 22

Expert Comment

by:mcsween
ID: 21818821
try gpupdate /force and gpresult and look for the policy name
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818831
gpresult tells me that my group policy + default damin policy is applied
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818838
sorry my policy and default domain policy is applied to user setting and only default domain policy to computer settings
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21818888
Check your policy to see if the computer settings are disabled.  WSUS is a computer policy.  Also make sure the GPO is linked to the OU with all the Users in it.  If your users are in the default Users container you can move them to their own OU or just link the policy at the domain level
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818906
all users are in "my company" OU, and my GPO is link to this OU.

how can i check if computer settings are disabled ?  

thanks
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21818950
Are the COMPUTER objects in "my company" OU??

if you are using group policy management console (if not google it and dl it from M$) double click on the policy then click on the details tab and make sure it is set to enabled.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818962
GPO status is enabled

Computers folder is uder mydomain.local
in my company OU there are only users and two other OU (2 other OU are for two different departments we have)
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818977
i have moved computer object to my company OU and now rsop shows windows update policy, but not as many policies as on the server ( on the server i have 15 policies and only 5 are shown on client)
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21818989
should i move every computer corresponding to each user to the correct OU ?
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21819022
If you make settings under Computer Settings in the GPO the GPO will have to be linked to the OU where the COMPUTER resides.  And Vice versa for the Users.  This is why it is a good idea to separate User and Computer settings.  Also settings you want to apply to everyone and settings you only want to apply to some.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21819048
how do you separete User and Computer settings?

in my company every user has its own pc so should i move user's computer object  to OU where the user belongs to ?
0
 
LVL 22

Accepted Solution

by:
mcsween earned 500 total points
ID: 21819101
Some settings you apply to a GPO apply to users (User Configuration) and some apply to computers (Computer Configuration).

Examples of Computer Settings
WSUS settings, Power settings, Software Installs, Audit Policies, Security Policicies, IE Branding, etc...

Examples of User settings
Homepage, Wallpaper, Screensaver, Software Restrictions, Logon Times, Control Panel Applets Available, Folder Redirection, etc...

Most of these settings should be put in thier own GPO.  If it is a GPO with only user settings, disable the computer settings (as described above) and it will improve processing time.  Vice versa with Computer setting GPOs.  This allows you to manage your policies much better.  For example, you setup a screensaver policy that automatically locks the computer after 10 minutes.  The CEO calls and complains and wants to be removed immediatly.  If this policy was mixed in with all the other ones you would have to deny all other GPOs to the CEO or create a special one just for him.  If this scrensaver policy is its own GPO then you can just apply a deny permission to that user and be done with it.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21819147
so what you saying is that i shoud have different GPO for each policy eg different for WSUS , different for Power settings etc .... is it right ?
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21819167
yes
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21819169
so say i have a GPO for WSUS thn i disable User Settings on this one
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21819174
so in a big environment you can end up with hudreds of GPOs
0
 
LVL 22

Expert Comment

by:mcsween
ID: 21819217
Not necessarially have hundreds of GPOs.  You would only say have a couple dozen to set all the policies you really need, then link them to the approperiate OUs.  Remember GPOs can be linked to more than one OU and you can filter with security groups
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Multiple Errors from DCDIAG 2 21
Windows 2012 R2 DFS Replication 12 47
A question on Active Directory LDS 4 26
Changing email address in Exchange 2010 2 7
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question