Member_2_6492660_1

New GPOs not updating clients

Windows 2003 SP2 DC x 2
Active Directory
Windows 7 Windows 8 Vista Windows 2008 Servers all in the same domain
WSUS 3.0 SP2 runs on Windows 2008 R2 (member server) w/ SQL 2008

Using Group Policy Management Console (GPMC)
Created New Organizational Unit Servers
Created a new GPO Domain Controllers WSUS
Created a new GPO Member Servers WSUS

Created New Organizational Unit Workstations
Created a new GPO  Windows 7 WSUS
Created a new GPO Windows 8 WSUS
Created a new GPO  Windows Vista WSUS

Then edited each of the newly created GPOs and defined all the settings for WSUS

In AD I created the following Security Groups: Member Servers, Windows 7, Windows 8, Windows Vista

Back to the GPO

On the Scope tab under Security Filtering I added the corresponding Security Group to the GPO
Windows Vista WSUS I added Security Group Windows Vista

Did the same for the remaining GPOs

From my Windows 2003 DC I ran gpupdate /force, as I did from my workstations

The WSUS reg settings did not apply.

I found that my Default Domain Policy had WSUS settings. I since disabled all those settings and reran gpupdate /force;
now I get no reg changes.

I use this command to check the reg for WSUS
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

All the entries were empty. Note: the first four below mydomain are GPOs, the others are OUs

My GPMC looks like this
Forest: mydomain
  Domains
      mydomain
         Default Domain Policy
         DNS Suffix
         WSUS ******************* This was removed when I tested my changes now back
         Domain controllers
              Default Domain Controllers Policy
         Microsoft Exchange Security Group
         Servers
             Domain Controllers WSUS
             Member Servers WSUS
         SharepointOU
         Workstations
             Windows 7 WSUS
             Windows 8 WSUS
             Windows Vista WSUS
         Group Policy Objects
           Default Domain Controllers Policy
           Default Domain Policy
           DNS Suffix
           Domain controllers WSUS
           Logon Script
           LogonAsAService
           Member Servers WSUS
           Windows 7 WSUS
           Windows 8 WSUS
           Windows Vista WSUS
           WSUS
         WMI Filters

I reverted back to putting the WSUS GPO at the top level and all but one of the computers on the network got back the original settings. One Vista machine is picking up very old GPO settings; don't know why that is either.

My main concern at this time is to get my GPOs working in my configuration

Other than doing a gpupdate /force or just letting AD update normally, is there something I am missing or something I set up incorrectly?

Any help will be greatly appreciated

Thanks TOM
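
The `reg query` check from the question can be turned into a repeatable test of what a client actually received. The following is an added example, not part of the original post: it parses captured `reg query ... /s` output and flags missing WSUS policy values. The sample output and the server name `wsus01.example.local` are constructed.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# Constructed sample of:
#   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus01.example.local:8530
    WUStatusServer    REG_SZ    http://wsus01.example.local:8530
    TargetGroupEnabled    REG_DWORD    0x1
    TargetGroup    REG_SZ    Windows 7

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x4
"""

# reg.exe prints: 4 spaces, value name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Return {subkey: {value_name: data}} from reg query /s output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, kind, data = m.groups()
            current[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return keys

def wsus_findings(keys):
    """List the WSUS policy values that are missing or inconsistent."""
    wu, au = keys.get(BASE, {}), keys.get(BASE + r"\AU", {})
    findings = [f"{n} not set" for n in ("WUServer", "WUStatusServer") if not wu.get(n)]
    if au.get("UseWUServer") != 1:
        findings.append("AU\\UseWUServer is not 1, so WUServer is ignored")
    if wu.get("TargetGroupEnabled") == 1 and not wu.get("TargetGroup"):
        findings.append("client-side targeting enabled but TargetGroup is empty")
    return findings

if __name__ == "__main__":
    for finding in wsus_findings(parse_reg_query(SAMPLE)):
        print(finding)
```

An empty result means the server reference, `UseWUServer` and targeting values all arrived; running it on output collected before and after `gpupdate /force` shows whether a GPO change reached the client.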
arnold

Using GPMC's group policy results wizard, you need to see how the policy is set and which GPO is the winning one.

Do you use staggered settings?
1 top-level GPO sets the intranet WSUS server reference and only the intranet WSUS server reference.
In a single site, this will be at the top of the domain.
In a multi-site, you would have one at the top of each site if each site has their own local WSUS server that syncs (a replica) of a central WSUS server.

You then at the computer OU level will have the client targeting, install settings (servers download and notify, while workstations will be download and install but do not auto-restart when a user is logged in)....

Based on your posting, if the settings up the chain do not set parameters you hope to control further below, it should work if security/groups of Windows 7 WSUS only applies to Windows 7, the same with the other categories.
You said that you created...

         Servers
             Domain Controllers WSUS
             Member Servers WSUS

If you move domain controllers out of the standard container called Domain Controllers and into "SERVERS/DOMAIN CONTROLLERS WSUS" then the domain controllers will break. Domain controllers NEED to be in the container called Domain Controllers.

A GPO will only apply to computers that are in an OU that has a policy applied to it. So if your domain controllers are in the correct place, having a policy in an OU called "Servers/Domain Controllers" will have no effect.
Member_2_6492660_1

ASKER

Thanks guys for responding

Arnold

Ran Group Policy Modeling. Found that my new GPOs were listed under the Denied GPOs under Group Objects
Reason Denied: Access Denied (Security Filtering)

Any thoughts on this?

Neilsr

I am not planning to move the DC servers out of the Default Domain Controllers OU
I could update the Default Domain Controllers OU with my WSUS info
I would rather use my method of adding another GPO with just my WSUS settings
I prefer not changing the default GPOs
I can if need be
I hope that name did not confuse anyone. I can rename it also to DC WSUS or something

Thoughts
So just create a GPO at the root and put your settings for WSUS in it.  I'm missing something I guess because it really is that simple.

BUT you need to create it in the root and not in some obscure SERVERS/Domain Controllers WSUS  OU
Neilsr

You mean like this

Forest: mydomain
   Domains
       mydomain
          Default Domain Policy
          DNS Suffix
          WSUS ******************* This was removed when I tested my changes now back
          DC WSUS
          Member Servers WSUS
          Windows 7 WSUS
          Windows 8 WSUS
          Windows Vista WSUS


          Domain controllers
               Default Domain Controllers Policy
          Microsoft Exchange Security Group
          Servers   ***********************Delete this
          SharepointOU
          Workstations ******************Delete this            


That what you mean?
Yes, and then target your DCs with one and non-DCs with the other.
Made that change and still not working

Ran Group Policy Modeling again

Denied GPOs: Reason Denied Empty, also Access Denied (Security Filtering). Those I would expect since I do not want those on each individual GPO

But what does empty mean?
Guys

Update

I made the above changes and funny thing, both my DCs grabbed the DC WSUS GPO just like I wanted

Just my other workstations and member servers not getting the proper GPO

Do I have a permission problem here? If so, where do I look?

Thanks
So are BOTH of your GPOs created in the ROOT now?
How have you targeted them at DCs and non-DCs?

Can you paste a screenshot of the GPO targets you have set?

Have you done a GPUPDATE on workstations and they still don't get the GPO?
Yes, all GPOs in Root

Not sure what you mean? How have you targeted them at DCs and non-DCs?
Yes all GPO's in Root

Not sure what you mean?  How have you targeted them at DC's and NON DC's ?

I will post screen shots when I get on site later today

Yes I ran gpupdate /force on all of them
And yes they do not get the GPO

Images will be posted soon
Just creating a GPO will not magically know where it is expected to run, you need to target them somehow at the correct machines.
I think it might be a security issue
I will check the new security groups I created when I get back onsite

Will post after I check them

Reason for thinking this way is the DCs worked and I used the Domain Controllers Security Group in AD that was already created. I need to compare that security group's permissions first.
Checked the security settings on the security groups; they look the same

Here are the screen prints

If I add DC WSUS my two DCs get the correct GPO

When I add Windows 7 WSUS my Windows 7 machines get no GPO settings


Hope the screen prints helps
GPO-Enforced.bmp
GPO-Scope.bmp
GPO-Details.bmp
GPO-Settings.bmp
GPO-Delegation.bmp
ASKER CERTIFIED SOLUTION
arnold

This solution is only available to members.

Guys

Tonight I had to apply many updates to my network computers.

Now some of my computers are picking up bad GPO information

I have searched through each GPO to see where this information is and cannot find it anywhere

All I did was make one change to the Default Domain Policy and I removed all the WSUS settings; they are all disabled.
I ran RSOP on all the computers and some are showing entries from that GPO, Default Domain Policy

On the Computers that are working the GPO name is WSUS for all the Windows update settings
On the ones not working the GPO name is both WSUS and Default Domain Policy

How do I clear this on the bad computers?

I ran gpupdate /force several times, no change

This all started when I tried to get these new GPOs working.
Guys

I created a new question for my last post. I should not have started another question on this one

https://www.experts-exchange.com/questions/28636085/Clients-not-Picking-up-Correct-GPO-Names.html

Take a look

Thanks

Still want to resolve this one too
Arnold

This one is resolved once we fixed the FRS issue

Thanks for all your help