• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 423
  • Last Modified:

clients not receiving GPO

i Have windows 2003 server sp2 and windows xp sp2 clients.

I have configured GPO to send config for windows updates to clients on my network but for some reason they do not receive it. ( when i go to client gpedit.msc all settings for windows update are "not configured")

but when i change home page on GPO all cients receive updated link after i run gpupdate.

any ideas ?

thanks
0
aucklandnz
Asked:
aucklandnz
  • 11
  • 9
1 Solution
 
mcsweenSr. Network AdministratorCommented:
When you use gpedit.msc you are seeing the local group policy on the client, not the domain policies.

The commands you are looking for associated with domain policies are...

rsop.msc - Resultant Set of Policy (Shows all policies applied to the computer)
gpupdate - updates group policy (command line use /? for usage)
gpresult - shows policies applied but not actual settings (also command line)

Also just an FYI do not edit the "Default Domain Policy" except for the password or audit policy.  This is a MS best practice and a common mistake
0
 
mcsweenSr. Network AdministratorCommented:
Common reasons policies are not applied...

1. Improper DNS settings (make sure all clients are pointed at a domain controller for DNS)
2. GPO not linked to correct OU (look in gpmc.msc and make sure your policy is applied to the OU your user/computer is in)
3. Improper permissions on GPO (in gpmc.msc click on GPO, delegations tab then advanced button.  Make sure it is apply policy for Authenticated Users is checked...or if using security group filtering make sure your users/computers are in that group and the apply policy is set for that group in the GPO)
0
 
aucklandnzAuthor Commented:
thanks for that ,

when i run rsop.msc i cannot find windows update policy there
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
mcsweenSr. Network AdministratorCommented:
try gpupdate /force and gpresult and look for the policy name
0
 
aucklandnzAuthor Commented:
gpresult tells me that my group policy + default damin policy is applied
0
 
aucklandnzAuthor Commented:
sorry my policy and default domain policy is applied to user setting and only default domain policy to computer settings
0
 
mcsweenSr. Network AdministratorCommented:
Check your policy to see if the computer settings are disabled.  WSUS is a computer policy.  Also make sure the GPO is linked to the OU with all the Users in it.  If your users are in the default Users container you can move them to their own OU or just link the policy at the domain level
0
 
aucklandnzAuthor Commented:
all users are in "my company" OU, and my GPO is link to this OU.

how can i check if computer settings are disabled ?  

thanks
0
 
mcsweenSr. Network AdministratorCommented:
Are the COMPUTER objects in "my company" OU??

if you are using group policy management console (if not google it and dl it from M$) double click on the policy then click on the details tab and make sure it is set to enabled.
0
 
aucklandnzAuthor Commented:
GPO status is enabled

Computers folder is uder mydomain.local
in my company OU there are only users and two other OU (2 other OU are for two different departments we have)
0
 
aucklandnzAuthor Commented:
i have moved computer object to my company OU and now rsop shows windows update policy, but not as many policies as on the server ( on the server i have 15 policies and only 5 are shown on client)
0
 
aucklandnzAuthor Commented:
should i move every computer corresponding to each user to the correct OU ?
0
 
mcsweenSr. Network AdministratorCommented:
If you make settings under Computer Settings in the GPO the GPO will have to be linked to the OU where the COMPUTER resides.  And Vice versa for the Users.  This is why it is a good idea to separate User and Computer settings.  Also settings you want to apply to everyone and settings you only want to apply to some.
0
 
aucklandnzAuthor Commented:
how do you separete User and Computer settings?

in my company every user has its own pc so should i move user's computer object  to OU where the user belongs to ?
0
 
mcsweenSr. Network AdministratorCommented:
Some settings you apply to a GPO apply to users (User Configuration) and some apply to computers (Computer Configuration).

Examples of Computer Settings
WSUS settings, Power settings, Software Installs, Audit Policies, Security Policicies, IE Branding, etc...

Examples of User settings
Homepage, Wallpaper, Screensaver, Software Restrictions, Logon Times, Control Panel Applets Available, Folder Redirection, etc...

Most of these settings should be put in thier own GPO.  If it is a GPO with only user settings, disable the computer settings (as described above) and it will improve processing time.  Vice versa with Computer setting GPOs.  This allows you to manage your policies much better.  For example, you setup a screensaver policy that automatically locks the computer after 10 minutes.  The CEO calls and complains and wants to be removed immediatly.  If this policy was mixed in with all the other ones you would have to deny all other GPOs to the CEO or create a special one just for him.  If this scrensaver policy is its own GPO then you can just apply a deny permission to that user and be done with it.
0
 
aucklandnzAuthor Commented:
so what you saying is that i shoud have different GPO for each policy eg different for WSUS , different for Power settings etc .... is it right ?
0
 
mcsweenSr. Network AdministratorCommented:
yes
0
 
aucklandnzAuthor Commented:
so say i have a GPO for WSUS thn i disable User Settings on this one
0
 
aucklandnzAuthor Commented:
so in a big environment you can end up with hudreds of GPOs
0
 
mcsweenSr. Network AdministratorCommented:
Not necessarially have hundreds of GPOs.  You would only say have a couple dozen to set all the policies you really need, then link them to the approperiate OUs.  Remember GPOs can be linked to more than one OU and you can filter with security groups
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 11
  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now