client side targeting WSUS and GPO

I have WSUS SP1 set up on our SBS 2003 SP2 DC.
No computers are appearing and I notice in the GPO that client side targeting is not enabled.
I'm a little baffled by GPOs, so bear with me.
I've created a group under 'Computers' in WSUS.
client side targeting asks you to specify the group name.
Is this the group you created under 'Computers' in WSUS, or the name of the group in GPO ie SBSComputers.
All our PCs except servers are in a group called SBSComputers under MYBusiness in GPO management.
If this is a simple answer, then maybe I've awarded too many points, but I need to sort this and the thread might grow!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

It's the group name you created on the WSUS server and specify in the client-side targetting. You'll get there :o)
group name SBSComputers
Client side targetting SBSComputers
Malli BoppeCommented:
In the group name you need to specify computers. 
jasonbourneciaAuthor Commented:
Hi Guys,
I created a group called EYC in the WSUS update console and this is the name I put in client side targeting.
I did a gpupdate and still nothing has appeared.
Should it be the name of the group in AD i.e. SBScomputers instead?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

NO, it should be like yuou've done.
I assume you've created a GPO , setup the Windows update section, and then applied the GPO to an OU that contains your workstations?
If so, it can take a while to populate. You can accelerate things a bit from the client run wuauclt /detectnow from the run command.
See how that goes
jasonbourneciaAuthor Commented:
Bear with me.
I didn't create the GPO.
I changed the settings in the default domain policy.
I'm a little confused, as the default domain policy already contains the settings as they were i.e. Allow updates to install at 1:00 pm, but it was not pointing at our server, so I enabled it to specify our server.
I did a couple of test in IE which did find the server.
I baffled by GPO generally.
In our default domain policy we have our password policy. but this policy is also under SBS domain password policy.
I assume our default domain policy is being used. I ran rsop.msc as someone suggested and default domain policy is mentioned.
Do I need to create a specific GPO just for WSUS? If I did, exactly where would it go?
Updates already exists under default domain policy though
Ive attached an image of our GPO.
No, you should do changes like that to the default domain policy. Always create a new GPO and test it on an OU. Any settings that are domain wide will filter down unless you specify otherwise. THIS IS GOOD ADVICE as it will affect all your active dirctory structure!
Back to your problem...challenge :o) Lets get this sorted out.
1) Remove settings from the default domain policy for Windows updates and select not configured.
2) Right click Group Policy objects and create new GPO. Call it WSUS.
3) In the GPO you've just created WSUS (it will be visible in Group Policy Objects - right click-edit) navigate to the Windows updates settings you've been doing and input all the necessary settings for your updates, http://servername etc, client side name which is the Group you created in WSUS (SBSComputers).
4) In Group policy management (where the Group Policy Objects container can be found) scroll up and expand your mybusiness>Computers containers/OU's and right click the SBSComputers OU and select Link an Existing GPO
5) A dialogue box will appear and you need to select the GPO your created (WSUS)
You can actually drag GPO to OUs, but the above is a good method.
Also, you will notice in the Group Policy Management console that when you click on an OU it will show you what GPO is applied to that OU. Also if you click a GPO from the Group Policy Objects, it will show you what OUs that GPO is applied to.
6) Run the GPdate /force and you're done.
7) Go to a client and run wuauclt /detectnow from the command prompt.
Let me know how you get on.
That should read, No you should NOT do changes like this in the default domain policy :o)
Your settings in the default domain policy should not be there. Now you are creating GPOs specifically for updates on specific machines, remove the settings. I have different settings for my servers and manually do updates as I don't trust auto updates for servers as they should be tested before they go onto the system.
Also good policy for you to make another OU called TestOUforWSUS and put a machine in it and then apply all updates you want to test, test them on that one machine, and then if fine, Apply the updates to the SBSComputers OU.
If you want any more help, just shout!
jasonbourneciaAuthor Commented:
Quick question.
You say "Right click Group Policy objects"
In group policy Management, do I right click on my domain name and choose "Create and link a GPO here"
Thank you for the clarity
No, expand the domain name and at the bottom, you will see a container called Group Policy Objects. R/click on that.
You can see it on your diagram you posted. second from the bottom.
jasonbourneciaAuthor Commented:
Just let me know when you want me to take a hike!
I did as you say, even rebooted server after gpupdate /force.
Nothing happened.
Just to clarify, the group is called EYC in update services and in client side targeting.
Should it be SBSComputers?
or what else could I look at?
Sorry this is dragging on.
I doesn't matter on the name. As long as you have created a group in WSUS and called the client side the same, it will work.
I've been assuming you;re running XP from the clients. Is this right? Should have asked first! Are they running SP2 firewall enabled?
Have you run the detectnow on the clients? Try a reboot.
Also are these cloned/imaged machines in the OU that you're applying the GPO to? (SBSComputers)
jasonbourneciaAuthor Commented:
Virtually all machines are XP Pro SP3; or at least SP2.
Just went and turned on a client machine and have just checked the server; still no PCs showing under computers in Update services.
Most of these machines were installed from XP CDs, a few are new and so had XP pre installed.
Attached pic; is there somewhere else I could be missing something obvious?
On your diagram, under Enable client side targetting, the target group name should be "EYC" NOT "WSUS". In WSUS console you should have a group called EYC too. The computers will go in there.
Change the WSUS to EYC and then gpupdate /force etc and then do the bit on the client wuauclt /detectnow.
Any problems after that, screenshot your compuers page on the wsus console
jasonbourneciaAuthor Commented:
A slight whoops, I did notice that and changed it, but obviously did not do a gpupdate; still no change though.
I've attached screen shot.
Expand the All computers bit and post a shot. Also posta  shot of the revised GPO settings you did previously.
Also when you right click on the GPO itself in Group Policy management, does it have a tick next to enabled? It should have by default. Please check.
jasonbourneciaAuthor Commented:
There is a tick next to link enabled
Are you sure your wsus server address is right? Test it.
You should be able to ping it using it's I as well.
Also can you post the log from a client it's in C:\windows\Windowsupdate.log
jasonbourneciaAuthor Commented:
I can ping the server name
jasonbourneciaAuthor Commented:
I might need to leave soon and continue this tomorrow if you're okay, I'm sorting out someone's hardware problem; much easier!
FYI Under Options in the Update services interface, under Computers, it is set to use group policy, which I assume is correct if I want computers to populate automatically.
Are you sure the client you're trying is in that SBSComputer OU in grouppolicy?
On the client, type gpresult from a command prompt and post findings
Also have a look at thes eregistry setings to see if they have a value

Post back your findings
Don't use Group policy setting and see how that goes.
jasonbourneciaAuthor Commented:
All clients are in SBSComputer, see file
Attached gpresult
Cant see those reg settings, see attached

You say don't use group policy, in the Options section of Update Services, under Computers, I change it to say Use Update Services Console, Still no computers appear and there is no option to search AD.
jasonbourneciaAuthor Commented:
Just out of interest, you mentioned:
"Also, you will notice in the Group Policy Management console that when you click on an OU it will show you what GPO is applied to that OU. Also if you click a GPO from the Group Policy Objects, it will show you what OUs that GPO is applied to."
In group Policy Management, when I click on eyc.local, just beneath 'Domain' it lists the GPOs on the right.
WSUS is not listed there, but is listed against sbscomputers further down.
Is this normal behaviour, see attached
Yeah that is normal behaviour. When you click the EYC doimain, the GPO's on the right as per your diagram is the GPO's that are applied to the domain ie and any sub OU's. When you click on an OU and any GPO's listed there will only apply that that OU and any sub OU's and will also have the domain GPO's applying to it. Hope that makes sense.
Is you server firewalled? Your clients seem to be getting a WSUS SID so that is good.
I would delete the bottom 2 registry values (not defauklt at the top). and then run wuauclt /detectnow on the client.
Keep the settings as you have them on the WSUS console.
jasonbourneciaAuthor Commented:
ISA 2000 is running on the SBS server
I deleted the bottom two entries and ran wuauclt /detectnow
I changed computers back to use Group policy in WSUS console options section.
Still no change

Is the nic firewalled on the server?
There is something not right.
Can you double check using this short document that you are using Client side targetting on the server.
oh ok. When you click on your domain EYC in the Group policy management and all those GPOs appear on the right as per your diagram, you need to go all through those GPOs and set any Windows Update settings to not configured. It may be that at a higher level, something has been set that is confusing things.
You also NEED to look at the firewall GPO at domain level (Small Business server Firewall GPO ) as that may be stopping things as it seems to be applying firewall settings at domain level!
jasonbourneciaAuthor Commented:
Thanks for persevering.
The NIC is controlled by ISA, but everything else works.
I went through that document and its links and all fine.
I went through all the GPOs on the right, all not configured.
But, under Domain Controllers, the Default Domain Controllers Policy does have some settings in Windows Update.
Even though this is a separate group, shall I wipe them?
jasonbourneciaAuthor Commented:
Is it anything to do with 'Wuau.adm' I read about on the technet site?
How do I know if I have the latest?
Does it matter?
Yes wipe them! You don't need a policy like this at domain level. Run GPupdate /force, reboot your client and run wuauclt /detectnow.
Wuau.adm should be fine if you have SP2 or later which you said you have on your clients.
Oops. Just realised your GPO wityh settings is in the Domain controllers OU. Leave them there.
I assume you installed WSUS using the default port 80 and you didn't change the port?
OK, to ensure it's out the equation, copy the wuau.adm from the WSUS server itself (your SBS 2003 server) Copy the file wuau.adm which is on your server c:\windows\inf and copy it to that location on the client.
Add the adm file on the client. You may need to remove previous adm file first or overwrite. The reinput all your settings again in the GPO. Run the wuauclt /detectnow
jasonbourneciaAuthor Commented:
Whoops back at you, I wiped the Update section from the DC
I didn't install WSUS, but under IIS, the default web site is 80 and WSUS admin is showing as 8530
I copied wuau.adm from server to local machine. I ran wuauclt /detectnow on local machine; nothing.
You mentioned inputting GPO back in; are you talking about the server GPO or WSUS gpo, it is already populated.
jasonbourneciaAuthor Commented:
I notice under Update source under options in Update services, it shows port number 8080 under use a proxy server? Should use proxy server even be there?
Does the new adm file show any extra settings at the top that you didn't have before? Like Do not display "Install updates and shutdown"?
Surpirsed the ADM is already populated. Might be worth removing it. Then adding it again. Go to the WSUS GPO and edit it. Expand Computer config>Right click administrative templates>Add/remove templates>Click wuau>click remove>close. close it all down. Run gpupdate /force.
go back to WSUS GPO and add it again. Expand Computer config>Right click administrative templates>Add/remove templates>Click Add>close. close it all down. Run gpupdate /force again.
The proxy server setting should go to the internet to get it's updates from the MS site so if the server needs to go through the p[roxy server to get to the internet as usual, then that should be fine. Nothin to do with your clients seeing WSUS.
 Also look at this:
Default Web site on Windows SBS 2003 must be modified to enable some WSUS client computers to self-update.
The WSUS server setup process installs two IIS v-roots on the server: SelfUpdate and ClientWebService. Setup also places some files under the home directory of the default Web site (on port 80) that enables client computers to self-update through the default Web site. By default, the default Web site is configured to deny access to any IP address other than localhost or specific subnets attached to the server. This means that client computers that are not on localhost or on those specific subnets cannot self-update. To grant access to these client computers, complete the following steps on the default Web sites SelfUpdate and ClientWebService virtual directory.
To grant access to the client computers to self-update:
1.   In Server Management, expand Advanced Management, expand Internet Information Services, expand Web Sites, expand Default Web Site, right-click the Selfupdate virtual directory, and then select Properties.
2.   Click Directory Security.
3.   Under IP address and domain name restrictions, click Edit, and then click Granted Access.
4.   Click OK, right-click the ClientWebService virtual directory, and then select Properties.
5.   Click Directory Security.
6.   Under IP address and domain name restrictions, click Edit, and then click Granted Access.
found above info here

download and run the wsus diagnostic tool for the client
AND - you will need to add an allow inbound rule for port 80 and port 8530 on ISA 2000.
Post back the diagnostic tool from the client
jasonbourneciaAuthor Commented:
As far as I can tell, the adm's are pretty similar.
Removed and re added wuau.
Did a gpupdate force, but decided not to reboot the server at this time; not sure if that's an issue, did do it yesterday though.
Attached diag tool.
Granted access on the other two; I hope taht doesn't affect our security.
Hesitant about allowing port 80 inbound, as that might open up the default web server?
You can probably tell, I'm rapidly climbing out of my depth.
Where's the diag results?
jasonbourneciaAuthor Commented:
jasonbourneciaAuthor Commented:
I've added these rules to ISA.
I hope they're right, because I'm out of my depth
Looks good I reckon it's a ISA issue port blocking.
In the GPO, where you specify the Intranet update server, type http://yourwsusServerName:8530
gpupdate /force on the server and then gpupdate /force on the client and the wuauclt /detectnow commands.
We'll look at the ISA bits in a minute

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jasonbourneciaAuthor Commented:
Hey! We virtually could be there.
I did as above, but did not reboot server; did log off though.
Rebooted my machine, ran detectnow.
In Update services, in the EYC group two PCs of 3 show; neither is mine though.
I'm going to give it a little while and see what happens; I'll let you know their status.
Cool! It can take a couple of days to populate the database and even then you may have some clients not appearing. It would just be a case of deleting their wsus SIDS as you did earlier in the registry and then running detectnow.
You will be there if some can get through. it's when none are appearing you need to look at it more closely.
You've done well as a few searches I've made on SBS being used for ISa 2000 and WSUS3, most people have given up and upgrdaed to ISA 2004 or moved the WSUS to a dedicated server! time will tell
jasonbourneciaAuthor Commented:
We are there leegclystvale, there are 12 PCs showing in EYC :) :) :)
I've added this comment to increase the points.

jasonbourneciaAuthor Commented:
Absolutely brilliant!
Sometimes leegclystvale, thanks is just not enough.
You were like a dog with a bone, you wouldn't let go; I really appreciate that.
You taught me more about GPOs than I knew, you were patient, clear and informative.
You took me out of my comfort zone with ISA; it is somewhere I needed to go anyway; another 18 months before we change servers.
I can't thank you enough.
Now, about those updates....... :)
I know I'll be asking a new question about those.
Good man! Glad you're sorted. Nothing worse than trying everything and things still not working. Yes and now the updates :o) Thanks
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.