New GPOs not updating clients

Windows 2003 SP2 DC x 2
Active Directory
Windows 7 Windows 8 Vista Windows 2008 Servers all in the same domain
WSUS 3.0 SP2 runs on Windows 2008 R2 (member server) w/ SQL 2008

Using Group Policy Management Console (GPMC)
Created New Organizational Unit Servers
Created a new GPO Domain Controllers WSUS
Created a new GPO Member Servers WSUS

Created New Organizational Unit Workstations
Created a new GPO  Windows 7 WSUS
Created a new GPO Windows 8 WSUS
Created a new GPO  Windows Vista WSUS

Then edited each of the newly created GPO's and defined all the settings for WSUS

In AD I created the following Security Groups Member Servers, Windows 7, Windows 8, Windows Vista,

Back to the GPO

On the Scope tab under Security Filtering I added the corresponding Security Group to the GPO.
For Windows Vista WSUS I added Security Group Windows Vista.

Did the same for the remaining GPOs.

From my windows 2003 DC I ran gpupdate /force as I did from my workstations

The WSUS reg settings did not apply.

I found that my Default Domain Policy had WSUS settings. I since disabled all those settings and reran gpupdate /force;
now I get no reg changes.

I use this command to check the reg for wsus
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

All the entries were empty. Note: the first four below mydomain are GPOs, the others are OUs.

My GPMC looks like this
Forest: mydomain
  Domains
      mydomain
         Default Domain Policy
         DNS Suffix
         WSUS ******************* This was removed when I tested my changes now back
         Domain controllers
              Default Domain Controllers Policy
         Microsoft Exchange Security Group
         Servers
             Domain Controllers WSUS
             Member Servers WSUS
         SharepointOU
         Workstations
             Windows 7 WSUS
             Windows 8 WSUS
             Windows Vista WSUS
         Group Policy Objects
           Default Domain Controllers Policy
           Default Domain Policy
           DNS Suffix
           Domain controllers WSUS
           Logon Script
           LogonAsAService
           Member Servers WSUS
           Windows 7 WSUS
           Windows 8 WSUS
           Windows Vista WSUS
           WSUS
         WMI Filters

I reverted back to putting the WSUS GPO at the top level, and all but one of the computers on the network got back the original settings. One Vista machine is picking up very old GPO settings; I don't know why that is either.

My main concern at this time is to get my GPOs working in my configuration.

Other than doing a gpupdate /force or just letting AD update normally, is there something I am missing or something I set up incorrectly?

Any help will be greatly appreciated

Thanks TOM
Thomas GrassiSystems AdministratorAsked:
arnoldCommented:
Using GPMC's group policy results wizard, you need to see how the policy is set and which GPO is the winning one.

Do you use staggered settings?
1. Top-level GPO sets the intranet WSUS server reference and only the intranet WSUS server reference.
In a single site, this will be at the top of the domain.
In a multi-site, you would have one at the top of each site if each site has their own local WSUS server that syncs (a replica) of a central WSUS server.

You then at the computer OU level will have the client targeting and install settings (servers: download and notify, while workstations will be download and install but do not auto-restart when a user is logged in)....

Based on your posting, if the settings up the chain do not set parameters you hope to control further below, it should work if security/groups of Windows 7 WSUS only applies to Windows 7, the same with the other categories.
Neil RussellTechnical Development LeadCommented:
You said that you created...

         Servers
             Domain Controllers WSUS
             Member Servers WSUS

If you move domain controllers out of the standard container called Domain Controllers and into "SERVERS/DOMAIN CONTROLLERS WSUS" then the domain controllers will break.  Domain controllers NEED to be in the container called Domain Controllers.

A GPO will only apply to computers that are in an OU that has a policy applied to it.  So if your domain controllers are in the correct place, having a policy in an OU called "Servers/Domain Controllers" will have no effect.
Thomas GrassiSystems AdministratorAuthor Commented:
thanks Guys for responding

Arnold

Ran Group Policy Modeling. Found that my new GPOs were listed under the Denied GPOs under Group Objects
Reason Denied Access Denied (Security Filtering)

Any thoughts on this?

Neilsr

I am not planning to move the DC servers out of the Default Domain Controllers OU
I could update the Default Domain Controllers OU with my WSUS info
I would rather use my method of adding another GPO with just my WSUS settings
I prefer not changing the default GPO's
I can if need be
I hope that name did not confuse anyone I can rename it also to DC WSUS or something

Thoughts
Neil RussellTechnical Development LeadCommented:
So just create a GPO at the root and put your settings for WSUS in it.  I'm missing something I guess because it really is that simple.

BUT you need to create it in the root and not in some obscure SERVERS/Domain Controllers WSUS  OU
Thomas GrassiSystems AdministratorAuthor Commented:
Neilsr

You mean like this

Forest: mydomain
   Domains
       mydomain
          Default Domain Policy
          DNS Suffix
          WSUS ******************* This was removed when I tested my changes now back
          DC WSUS
          Member Servers WSUS
          Windows 7 WSUS
          Windows 8 WSUS
          Windows Vista WSUS


          Domain controllers
               Default Domain Controllers Policy
          Microsoft Exchange Security Group
          Servers   ***********************Delete this
          SharepointOU
          Workstations ******************Delete this            


That what you mean?
Neil RussellTechnical Development LeadCommented:
yes and then target your DC's with one and non DC's with the other.
Thomas GrassiSystems AdministratorAuthor Commented:
Made that change and still not working

Ran Group Policy Modeling again

Denied GPO's Reason Denied Empty  also Access Denied Security filtering those I would expect since I do not want those on each individual gpo

But what does empty mean?
Thomas GrassiSystems AdministratorAuthor Commented:
Guys

Update

I made the above changes and funny thing both my DC's grabbed the DC WSUS GPO just like I wanted

Just my other workstations and member servers not getting the proper GPO

Do I have a permission problem here? If so, where do I look?

Thanks
Neil RussellTechnical Development LeadCommented:
So are BOTH of your GPO's created in the ROOT now?
How have you targeted them at DC's and NON DC's ?

Can you paste a screenshot of the GPO targets you have set?

Have you done a GPUPDATE on workstations and they still don't get the GPO?
Thomas GrassiSystems AdministratorAuthor Commented:
Yes all GPO's in Root

Not sure what you mean?  How have you targeted them at DC's and NON DC's ?

I will post screen shots when I get on site later today

Yes I ran gpupdate /force on all of them
And yes they do not get the GPO

Images will be posted soon
Neil RussellTechnical Development LeadCommented:
Just creating a GPO will not magically know where it is expected to run, you need to target them somehow at the correct machines.
Thomas GrassiSystems AdministratorAuthor Commented:
I think it might be a security issue
I will check the new security groups I created when I get back onsite

Will post after I check them

Reason thinking this way is the DC's worked and I used the Domain Controllers Security Group in AD that was already created I need to compare that security groups permissions first.
Thomas GrassiSystems AdministratorAuthor Commented:
Checked the security setting on the security groups they look the same

Here are the screen prints

If I add DC WSUS my two DCs get the correct GPO

When I add Windows 7 WSUS my Windows 7 machines get no GPO settings


Hope the screen prints helps
GPO-Enforced.bmp
GPO-Scope.bmp
GPO-Details.bmp
GPO-Settings.bmp
GPO-Delegation.bmp
arnoldCommented:
Simplest AD Structures:
Forest
  Domains
-  AD Domain name
     GPOs that apply to all (default domain Policy)
     WSUS GPO that only publishes the intranet site and nothing else to all computers.

-      (builtin) Domain Controllers OU
                     GPO Default domain controller Policy
                      DC WSUS GPO Only setting the clienttarget, download and notify for update install, etc.

- OU category where you place servers
               GPO settings on how, when, to what WSUS group/client target WSUS affiliation GPO

and repeat for others.

Security error deals with whether you have a computer based GPO, but applying it in a user OU. Or when you apply to a computer OU, the group you used in security filtering is the wrong type i.e. the definition of the group into which you added all the systems is of the wrong type i.e. not a security group but a distribution.
The denial deals with the computer system you used in your modeling, is not part of the security group that you have in the security filtering of the policy.

To see the current effect of the existing policy, you need to use the group results wizard.  The modeling lets you make changes i.e. you define which user/OU as well as how to process things and get what the consequences will be with this type of change.
The results wizard will display the actual processing of the User/Computer GPOs on the computer/user.
Empty means you applied a computer GPO with user disabled or without parameters but active, to a User OU, or a User GPO with computer disabled or empty to a user GPO.

Each GPO includes settings for both computers and users. If you have a GPO for computer settings only (empty user settings), change the GPO processing to disable user through GPO status (User configuration settings disabled); this way when a user logs in, the system will not try to apply a computer GPO that has no user parameters.
The Same  applies to user GPOs.

These types are often seen when GPOs exclusive to one side are set at the top of the AD domain, ....

Thomas GrassiSystems AdministratorAuthor Commented:
Guys

Tonight I had to apply many updates to my network computers.

Now some of my computers are picking up bad GPO information

I have searched thru each GPO to see where this information is and cannot find it anywhere

All I did was make one change to the Default Domain Policy and I removed all the WSUS settings they are all disabled.
I ran RSOP on all the computers and some are showing entries from that GPO Default Domain Policy

On the Computers that are working the GPO name is WSUS for all the Windows update settings
On the ones not working the GPO name is both WSUS and Default Domain Policy

How do I clear this on the bad computers?

I ran gpupdate /force several times  no change

This all started when I tried to get these new GPOS working.
Thomas GrassiSystems AdministratorAuthor Commented:
Guys

I created a new question for my last post I should not have started another question on this one

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28636085.html

Take a look

Thanks

Still want to resolve this one too
Thomas GrassiSystems AdministratorAuthor Commented:
Arnold

This one is resolved once we fixed the FRS issue

Thanks for all your help
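
The checks this thread went through by hand (who is in each GPO's Security Filtering list, whether a half of the GPO is disabled, and whether every DC holds the same SYSVOL copy, which is what an FRS fault breaks) can be collected in one pass. This is an added example, not code from any poster; it assumes the GroupPolicy PowerShell module that ships with GPMC is available, uses the GPO names posted above, and the function name Get-GpoHealth is hypothetical.

```powershell
# Added example, not from the thread. Run where GPMC is installed.
# On Windows Server 2008 R2 the cmdlet is named Get-GPPermissions.
Import-Module GroupPolicy

# GPO names as posted in the thread
$gpoNames = 'DC WSUS', 'Member Servers WSUS', 'Windows 7 WSUS',
            'Windows 8 WSUS', 'Windows Vista WSUS'

# Query every DC so a copy that has not replicated shows up
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    ForEach-Object { $_.Name }

function Get-GpoHealth {
    param([string[]]$Name, [string[]]$Server)
    foreach ($n in $Name) {
        foreach ($s in $Server) {
            try {
                $gpo = Get-GPO -Name $n -Server $s -ErrorAction Stop
            } catch {
                Write-Warning "GPO '$n' could not be read from $s"
                continue
            }
            # Trustees holding "Apply group policy": the Security Filtering list
            $apply = @(Get-GPPermission -Guid $gpo.Id -All -Server $s |
                Where-Object { $_.Permission -eq 'GpoApply' } |
                ForEach-Object { $_.Trustee.Name })
            New-Object PSObject -Property @{
                GPO       = $n
                DC        = $s
                Status    = $gpo.GpoStatus   # e.g. UserSettingsDisabled
                AppliesTo = $apply -join '; '
                DSVersion = $gpo.Computer.DSVersion
                SysvolVer = $gpo.Computer.SysvolVersion
                # AD and SYSVOL disagree: the file copy on this DC is stale
                OutOfSync = $gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion
            }
        }
    }
}

Get-GpoHealth -Name $gpoNames -Server $dcs |
    Select-Object GPO, DC, Status, AppliesTo, DSVersion, SysvolVer, OutOfSync |
    Format-Table -AutoSize
```

On an affected client, `gpresult /r /scope computer` lists the applied and filtered-out GPOs to compare against this table.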