Solved

GPO will not propagate to XP Clients

Posted on 2013-01-24
36
377 Views
Last Modified: 2013-02-28
This is the extension of this:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_28003432.html

So even after I tried "Gpupdate /force /boot" on the workstations, the WS's will not update.

The Server is 2008.
Question by:ElegantSolutions
36 Comments
 
LVL 21

Expert Comment

by:mcsween
ID: 38814661
In Group Policy Management Console did you link the new GPO to the OU with the workstations in it?

At the workstation run gpresult at the command line and look for the section that says which policies should be applying to make sure it is there.

Can you post a screenshot of your GPMC console with all branches expanded on the left?  You can black out the domain name or other sensitive info.
0
 
LVL 2

Expert Comment

by:Adam Anderson
ID: 38814763
Take the machine off the domain, reboot the machine, and re-add it to the domain again.
0
 
LVL 2

Expert Comment

by:CSD-Tech
ID: 38814800
One more question: did you import or have any of your other GPOs from an older server? I have found that 2003 GPOs are not always read correctly by 2008+ servers and may need to be recreated from scratch.
0
 

Author Comment

by:ElegantSolutions
ID: 38814839
Running out the door to another client, but this was a new build to the best of my knowledge, but I inherited the account and therefore did not build it.

Will try the other ideas later today.
0
 
LVL 5

Expert Comment

by:vin_shooter
ID: 38815618
Hi ElegantSolutions,

The default interval for group policy refresh is 90 mins, which is a background process that happens on all the workstations in a domain (for both user and computer policies).

In common, the above setting is pushed through GPO to all workstations in the domain. So most probably the GPO would be linked at domain level, because these settings would be common for all workstations in the domain.

So, check for the list of policies applying to the workstation by executing the command gpresult /v and from the result check the policies which were linked at domain level in GPMC console.

If you want to configure the GPO refresh interval settings manually, use gpedit.msc and navigate as advised below,

Computer Configuration\Administrative Templates\System\Group Policy
User Configuration\Administrative Templates\System\Group Policy

so that GPO would be applied for sure.

After executing the command gpupdate /force, check in the application log for event ID:1704 for successful refresh of GPO; if not, share the alert or event generated in the application log.


Other Possibilities:
Also execute the command set L to get the logon server name, and also check whether there is any time sync issue between the workstation and the domain controller.

Expecting your reply...., :)
0
 

Author Comment

by:ElegantSolutions
ID: 38817289
@  mcsween

I did not setup this server and I do not see the WSs in the console. So, they were probably not linked and I do not know how.
GPOconsole.png
0
 

Author Comment

by:ElegantSolutions
ID: 38817314
@ vin shooter

It appears that when this server was built, GP was installed, but it seems that all settings are "not configured".

I just turned on the refresh interval as shown.
0
 

Author Comment

by:ElegantSolutions
ID: 38817316
Gpedit screen
GpeditScreen.png
0
 

Author Comment

by:ElegantSolutions
ID: 38817345
@ vin shooter

The issue at hand is I am trying to get these old XP stations to use Automatic MS updates.

I have 30 of them and don't want to do this one by one. Other changes need to be applied as well.

Here is a shot from the WS.
GpupdateForce.png
0
 

Author Comment

by:ElegantSolutions
ID: 38817400
GPSettings   Could this be what's wrong?
0
 
LVL 21

Expert Comment

by:mcsween
ID: 38818778
Please open a command prompt at the xp client and run gpresult and post the results.  Also, please post a screenshot of the GPMC console with the left pane expanded (not the policy itself)
0
 

Author Comment

by:ElegantSolutions
ID: 38819346
GPMC image is posted 5 comments above.
0
 
LVL 21

Expert Comment

by:mcsween
ID: 38819540
Did you set this in the default domain policy?  That will work but it's not a good idea to mess with that policy unless changing the domain password policy.  I would create a new GPO to service the Windows Updates (though that will not resolve the issue you are having).

I'm sorry I missed the GPMC console post; can you please post the output you get by running gpresult.exe at a command prompt on the XP client?
0
 
LVL 5

Expert Comment

by:vin_shooter
ID: 38819786
@elegant solutions

Kindly check the below path on any one of the Windows XP workstations to check the exact issue and share the error here,

c:\windows\Windowsupdate.log

Expecting your reply...,
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 38824771
I'm late joining this discussion, but here are some thoughts...

1) Are the XP workstations applying any Group Policies?

2) Have you tried running the following command: gpupdate /v C:\gpresult.txt
(This dumps the currently applied GP settings to a text file, which you can then upload for everyone to review.)

3) Check the following registry locations for any policy-applied WU settings: HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate & HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

4) For the GP that has the required WU settings, did you make sure the correct security permissions are applied? For example, Authenticated Users, which covers users and computers, needs to have Read and Apply GP permissions.


Let me know how you make out with these items.
0
 

Author Comment

by:ElegantSolutions
ID: 38837787
GPresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 1/30/2013 at 7:47:50 PM


RSOP results for CJIM\Administrator on CJIM_D3 : Logging Mode
--------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 CJIM
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\administrator.CJIM
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=CJIM_D3,CN=Computers,DC=CJIM
    Last time Group Policy was applied: 1/30/2013 at 5:55:23 PM
    Group Policy was applied from:      xxxxx_svr_001.CJIM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        CJIM_D3$
        Domain Computers


USER SETTINGS
--------------
    CN=Administrator,OU=System Accounts,DC=CJIM
    Last time Group Policy was applied: 1/30/2013 at 7:45:16 PM
    Group Policy was applied from:      xxxxx_svr_001.CJIM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Vpn Users
        Domain Admins
        Group Policy Creator Owners
        Enterprise Admins
        Schema Admins
        Denied RODC Password Replication Group
0
 

Author Comment

by:ElegantSolutions
ID: 38837799
@ compdigit:

gpupdate /v C:\gpresult.txt  does not work on XP

C:\Documents and Settings\administrator.CJIM>gpupdate /?
Microsoft® Windows® Operating System Group Policy Refresh Utility v5.1
© Microsoft Corporation. All rights reserved.

Description:  Refreshes Group Policies settings.

Syntax:  GPUpdate [/Target:{Computer | User}] [/Force] [/Wait:<value>]
     [/Logoff] [/Boot] [/Sync]

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate &   -- Does not exist

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate = (Default)  (Value not Set)

4) For the GP that has the required WU settings, did you make sure the correct security permissions are applied? For example, Authenticated Users, which covers users and computers, needs to have Read and Apply GP permissions.

I do not know how to do this.


I inherited this account from another consultant and I have no information on what he did other than by looking at the settings you suggest.
0
 
LVL 2

Expert Comment

by:CSD-Tech
ID: 38839763
Considering the fact that you are working with a Server 2008 R2 system and the schema for this is still all the way back to 2000, my first thought would be to recreate the GPO from scratch and verify it against the old one.

Once this is done I would put it on a test OU and verify that it works on machines in the test OU.

If you do not have any 2000 Servers or servers that are older than your 2008 R2, I would consider raising your domain functionality level to 2008 R2. It may seem like nothing, but it could be affecting how some systems are talking to each other.

D
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 38840291
Sorry, I meant to type:    gpresult /v  > c:\gpresults.txt
0
 

Author Comment

by:ElegantSolutions
ID: 38840602
I will recheck.
0
 

Author Comment

by:ElegantSolutions
ID: 38842242
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 1/31/2013 at 9:25:40 PM



RSOP results for CJIM\Administrator on CJIM_D3 : Logging Mode
--------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 CJIM
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:            
Local Profile:               C:\Documents and Settings\administrator.CJIM
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=CJIM_D3,CN=Computers,DC=CJIM
    Last time Group Policy was applied: 1/31/2013 at 8:30:06 PM
    Group Policy was applied from:      svr_001.CJIM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        CJIM_D3$
        Domain Computers
       
    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  CJIM\Vpn Users
                                   
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=Administrator,OU=System Accounts,DC=CJIM
    Last time Group Policy was applied: 1/31/2013 at 9:24:26 PM
    Group Policy was applied from:      svr_001.CJIM
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Vpn Users
        Domain Admins
        Group Policy Creator Owners
        Enterprise Admins
        Schema Admins
        Denied RODC Password Replication Group
       
    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Local Group Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
                State:   Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
0
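Added example, not part of the original thread: a short Python parser for the gpresult /v layout shown in the post above. It reports, per scope, which GPOs were applied and which GPO each setting came from, so a setting that comes from Local Group Policy rather than a domain GPO is easy to spot. The sample text is constructed and trimmed from that layout, and "WSUS Clients" is a hypothetical name for the domain GPO expected to apply.

```python
import re
# Constructed sample, trimmed to the layout of the gpresult /v output posted in the thread.
SAMPLE = r"""
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy
    Resultant Set Of Policies for Computer:
    ----------------------------------------
        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy
    Resultant Set Of Policies for User:
    ------------------------------------
        Administrative Templates
        ------------------------
            GPO: Local Group Policy
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
                State:   Enabled
"""

RULE = re.compile(r"^\s*-{3,}\s*$")  # dashed underline: the line above it is a heading

def parse_gpresult(text):
    """Return {scope: {"applied": [...], "settings": [...]}} for COMPUTER and USER."""
    report, scope, section, entry = {}, None, None, None
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or RULE.match(raw):
            continue
        if i + 1 < len(lines) and RULE.match(lines[i + 1]):  # heading
            section, entry = line, None
            if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
                scope = line.split()[0]
                report[scope] = {"applied": [], "settings": []}
        elif scope and section == "Applied Group Policy Objects":
            report[scope]["applied"].append(line)
        elif scope and line.startswith("GPO:"):  # one entry inside a category
            entry = {"category": section, "gpo": line[4:].strip()}
            report[scope]["settings"].append(entry)
        elif entry is not None and ":" in line:  # Policy:, Setting:, State: ...
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
    return report

def triage(report, expected_gpo):
    """Flag scopes missing expected_gpo and settings that come from local policy."""
    findings = []
    for scope, data in report.items():
        if expected_gpo not in data["applied"]:
            findings.append((scope, "missing-gpo", expected_gpo))
        findings += [(scope, "local-setting", s.get("Setting") or s.get("Policy"))
                     for s in data["settings"] if s["gpo"] == "Local Group Policy"]
    return findings

if __name__ == "__main__":
    # "WSUS Clients" is a hypothetical name for the domain GPO that should apply.
    print(*triage(parse_gpresult(SAMPLE), "WSUS Clients"), sep="\n")
```

To use it on a real client, redirect gpresult /v to a text file on the workstation and pass the file contents to parse_gpresult.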
 
LVL 19

Expert Comment

by:compdigit44
ID: 38844833
1) Are there any errors on the workstation event logs?
2) Have you tried to log into the workstation using another user account to see if the settings take effect?
3) Have you tried to create the same local GP settings on another workstation?
4) What XP Service Pack are your workstations running?
5) Why are you using local GP instead of domain GP?
0
 
LVL 5

Expert Comment

by:vin_shooter
ID: 38846260
Hi,

As you said earlier you're facing issue with MS update to windows XP machine,
Kindly navigate to the below given path in XP workstation and share the results,


c:\windows\Windowsupdate.log

Expecting your reply...,
0
 

Author Comment

by:ElegantSolutions
ID: 38865535
I will try some more of these things tonight after the client office closes.

@ compdigit  -
Yes, I tried other stations, same results.

1) Are there any errors on the workstation event logs?
- Will check the logs tonight.

2) Have you tried to log into the workstation using another user account to see if the settings take effect?
- Yes, 2 different administrator accounts.

3) Have you tried to create the same local GP settings on another workstation?
- Not sure how.

4) What XP Service Pack are your workstations running?
- Machines are SP3 by way of network manual update.


5) Why are you using local GP instead of domain GP?
 - As I said previously, I did not setup this system. If this is wrong please tell me how to change it.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 38871681
Ideally on a domain you want to set up group policy at the domain level and not the local workstation level. The same is true with your Windows Update setup for your clients. Instead of having all of your clients download updates from the internet, you would set up an internal WSUS server which all clients would connect to to pull their updates from. Not only does this save on network bandwidth, but it allows you to control what updates the clients download and install.

http://technet.microsoft.com/en-us/library/cc708519(v=ws.10).aspx
http://www.dummies.com/how-to/content/network-administration-creating-group-policy-objec.html

Now back to your local Windows updates issue.
1) On one of your workstations reset all Windows Updates Local Gp settings to " Not Configured" then reboot.

2) Log in to the workstation and try to manually run Windows Update (are you successful, yes or no?). If not, please send a screenshot of the error message and attach the Windows Update log located in C:\Windows

3) If this does work and you do not want to install a WSUS server, which you should, try setting the following local GP value:

Computer Configuration\Admin Templates\Windows Components\Windows Updates\Configure Automatic Updates
0
 

Author Comment

by:ElegantSolutions
ID: 38874464
Ok, I will try that tomorrow.

1 interesting thing I discovered Friday was that the new Windows 7 machines do not have the issue, they work just fine.
0
 
LVL 5

Expert Comment

by:vin_shooter
ID: 38874692
Can you share the below requested log from both WIN XP & WIN 7 Machine,

c:\windows\Windowsupdate.log
0
 

Author Comment

by:ElegantSolutions
ID: 38894197
Sorry, but I am a 1 man show and have been flooded with calls from other clients. I also have to wait for the evenings to get access to the machines because of office usage.

I will try again tonight.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 38894336
thanks for the update...
0
 

Author Comment

by:ElegantSolutions
ID: 38900209
OK

Not there all the way, but getting close. You both have been steering me in the right direction. What tipped me off was a Windows update site error about a network configuration error that led me to this link:

http://support.microsoft.com/?kbid=326686

User Configuration\Admin Templates\Windows Components\Windows Update\Remove access to use all Windows Update features --- was turned on.

Now I need to figure how to control this setting from the Server GPO.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 38901935
Just edit an existing GPO or create a new one and that disables this setting. Depending on your domain / OU structure you could apply the GPO at the domain or OU level. If you apply it at the OU level make sure the user accounts are in that OU... :-)
0
 

Author Comment

by:ElegantSolutions
ID: 38905386
0
 

Author Comment

by:ElegantSolutions
ID: 38907863
Under GP management, I viewed the current policy and it was disabled, so it appears that the issue is it does not propagate to the workstations. The workstation seems to ignore the server policy and use its own.

If you could suggest a description for the propagation question, I will start a new one and award the current points for this question.
0
 
LVL 19

Accepted Solution

by:
compdigit44 earned 500 total points
ID: 38909728
1) Are the workstations in an OU that is blocked from processing GP? If so, this would appear as a blue exclamation point in GPMC.

2) For the Server GP, what security groups are configured to process the policy? It defaults to Authenticated Users by default.

3) In GPMC, use the modeling wizard and target one of the workstations to see what GPs are processing, to see if the server GP is being overridden somewhere.

4) The XP clients are running the latest CSE extension correct?
http://www.microsoft.com/en-us/download/details.aspx?id=3628

5) Are the workstations able to process any domain-based GP?
0
 

Author Comment

by:ElegantSolutions
ID: 38909988
Catch 22 to #4 because they don't get updates, they probably do not have this.

I will look in to it.
0
 

Author Closing Comment

by:ElegantSolutions
ID: 38940600
Though I still have the second part of the issue to fix, I feel that compdigit44 provided the best suggestions to steer me to this part of the solution.

I appreciate compdigit44's efforts.
0
