Member_2_6492660_1
asked on
Client not receiving new GPO
Windows 2003 SP2 DC x2
Windows 7
AD
GPO
recently had this error JRNL_WRAP_ERROR on one domain controller on my DC PDC and we resolved that issue
All replication is working in both directions between my two local domain controllers.
No remote computers or servers here all on local lan
After we fixed the above error I created several new GPO's
All are working except for one.
I created GPOS by computer systems ie Windows 7 WSUS , Windows 8 WSUS, Windows Vista WSUS , Member Servers WSUS.
The Windows 7 WSUS is not working,
My computer abc001 is the only one in this gpo for testing
All other GPO's worked
the only setting in this gpo is for Client side targeting for WSUS same setting as all the other GPO's
I have another GPO named WSUS which has all other WSUS settings defined
That works also
On my Windows 7 computer when I run RSOP I see all the GPO names and WSUS appears but Windows 7 WSUS does not appear.
Checked my event log and do not see any GPO errors just this message
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 3/15/2015 12:07:13 AM
Event ID: 1502
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: comp001.mydomain.com
Description:
The Group Policy settings for the computer were processed successfully. New settings from 5 Group Policy objects were detected and applied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1502</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-03-15T04:07:13.772653000Z" />
<EventRecordID>1938556</EventRecordID>
<Correlation ActivityID="{1A842ACD-9CB8-4D99-844F-A19502FD98B3}" />
<Execution ProcessID="1072" ThreadID="3804" />
<Channel>System</Channel>
<Computer>comp001.mydomain.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">3439</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">2371</Data>
<Data Name="DCName">\\tgcs011.our.network.tgcsnet.com</Data>
<Data Name="NumberOfGroupPolicyObjects">5</Data>
</EventData>
</Event>
ASKER
this is all on the same lan network
You mean run GPMC on the server and run a group policy model for this computer and no user settings
Correct?
Yes, look within AD user and computers to see where this computer is versus the others?
i.e. is it in the computers built-in OU with all other computers or is it in a different OU or in the built-in as the only computer there?
ASKER
I ran the GPMC for my computer
See attached
The report shows that all the GPO names are present
But when I run rsop on that same machine it does not show all the GPO names
Not sure why RSOP is not showing info here
checked registry settings still not set either
The report shows the GPO names are enabled for this computer
Thoughts
Are the settings you want set reflected in the settings in GPMC?
While the policies are reflected, they might not apply.
ASKER
Yes I need those setting
This is a working computer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
TargetGroupEnabled REG_DWORD 0x1
TargetGroup REG_SZ Vista
WUServer REG_SZ http://wsus.our.network.tgcsnet.com
WUStatusServer REG_SZ http://wsus.our.network.tgcsnet.com
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
This is from the Windows 7 computer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://wsus.our.network.tgcsnet.com
WUStatusServer REG_SZ http://wsus.our.network.tgcsnet.com
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
you can see that
TargetGroupEnabled REG_DWORD 0x1
TargetGroup REG_SZ Windows 7
Is missing and on the vista computer it is working
the same type of GPO work on every other computer Windows 8 Windows Vista Windows 2008 Windows 2003
Only my windows 7 is not working
Thoughts
Your multi-homed systems might be the issue. resolve those and see whether that will resolve this.
ASKER
Arnold
I manually entered
TargetGroup and TargetGroupEnabled in my Win 7 Registry for now
I can't see how the multi-homed servers have any effect on this
My DC's are single homed
My Windows 7 is single homed
This is very strange
I created another GPO today to see if that would work No good
NFS is working because both sysvol folders are updating
Another strange thing is the GPMC Report shows all the correct GPO's
Did you get my last post on the Windows 2008 Ping issue?
Thanks
missing gateway on the 10.1.8.17/22 network adapter 4 versus network adapter 3 10.2.8.17/22 with 10.2.8.1.
DFS has both IPs for the target computer.
Was the 10.1.8..x/22 network a typo?
ASKER
Arnold
Do not need gateway on the second nic
My Windows 2003 server with both vlans the second nic does not have a gateway and it works fine
My meraki MX60 SA does all the routing for the vlans
Was the 10.1.8..x/22 network a typo?
yes
10.1.8.x/22 is correct
10.2.8.x/22 is correct
Try ,owing this system to a different OU, to have its cached GPos cleared. Then try bringing it back. Check whether this system is a member of a different group ?
The registry change might be the one preventing the application of the GPO.
ASKER
Arnold,
Try ,owing this system to a different OU, to have its cached GPos cleared. ??? please clarify
Check whether this system is a member of a different group ?
You mean my windows 7 in a different group? if so what group you mean?
Thanks
Does your ad have computer Oys other than the builtin computer?
Look at the properties of the computer within the AD to see which group it is a member of in case of those is denied.
You mentioned that you edited the registry dealing with WSUS update settings to set clienttarget. A GPO often sets parameters on not configured or known defaults; a deviation will prevent the GPO from changing the current already customized settings.
ASKER
Arnold,
I will check that when back on site.
So GPO will not overlay reg settings?
That explains why my NTP GPO is not working
I can remove the settings from the registry as a test to see what happens
Will post results
It will supersede entries added as part of local GPO. Manual changes to registry will remain by the way settings from GPO are set.
ASKER
Arnold
Ok then I will remove them to see what happens.
Leaving to the site in a few be back in a few hours
Thanks for your help
ASKER
Arnold,
I found this
http://stackoverflow.com/questions/1162215/gpo-settings-will-they-overwrite-registry-modifications-on-client-machine
Is this true
I would think it would be the purpose of GPO?
Generally certain registry settings will be changed by GPO, certain ones will not. Folder redirection without a setting to revert will not be reapplied when the account is moved to a different OU with a different storage location, meaning if you manually redirect folders to a separate location, a folder redirect policy will not alter the locally configured redirection.
if the gpo does not assert its changes, something is preventing it.
change the gpo to be enforced to see if that makes a difference.
ASKER
Arnold,
On site now
Does your ad have computer Oys other than the builtin computer?
Look at the properties of the computer within the AD to see which group it is a member of in case of those is denied.
You meant
Does your ad have computer OU other than the builtin computer?
Correct?
My computer is in the folder Computers only
Is a member of Domain Computers NTP Time Settings and Windows 7
The Last two NTP Time Settings and Windows 7 are GPO Names
Compared to my other Windows 8 computer and they are the same Except Windows 8 has Windows 8 GPO Name
For your last post
The NTP Time Settings must be one that do not because none of the computers got my changes.
Just trying to set
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Type REG_SZ NTP
NtpServer REG_SZ 10.2.8.24
To
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Type REG_SZ NTP
NtpServer REG_SZ ntp.our.network.tgcsnet.com
Thoughts
If all your systems are in the built-in computer OU, the GPOs are then added at the top of the domain?
ASKER
Arnold
Yes I believe so.
Take a look at my screen shots
And all of the computers are in the same members of
Remember I have
Security Groups
Member Servers
Windows 7
Windows 8
Windows Vista
builtin-1.png
builtin-dc.png
What about the GPMC display of how the GPOs are applied?
Security groups are used as security filters, they are not the basis on which GPOs are assigned.
GPOs are assigned to OUs and apply based on the security filter.
ASKER
Arnold
I ran the Group Policy Modeling Report on three computers including the one in question here
They all show the correct information all GPO listed under Applied GPO's are correct.
See the attached
TGKW001.htm
TGKW002.htm
TGKW006.htm
Modeling is used to project what will be set if the assumptions/choices are made,
The group policy results wizard reports the current settings as they apply.
I can not currently view the attached.
ASKER
Arnold
How about if I run gpresult /h report.html
Will that help us?
The modeling shows what will be done I get that now thanks
The viewing is related to the system I was using not with your upload.
One thing, IMHO the only thing that should be set in the WSUS GPO is the intranet WSUS server
Everything else should be left to more customizable per ou/OS type, etc.
Client settings should be in the wsus <specific> your wsus 8 sets the mode to download and notify.
In your case, you set everything within the WSUS GPO leaving only the client targeting to the WSUS 8 in one example. Also your WSUS sets the install mode as download and install, it might not alert the non-administrative user that updates are available nor am I sure whether the user will be allowed to shutdown the system and have the updates applied at that time.
As to your NTP, usually the only thing that queries "external" NTP servers is the Master AD. All the other systems synchronize with the DC. (one of your other questions)
WSUS GPO only sets intranet site
WSUS 8 sets client target, install mode (download and install 4) install immediate (I'd recommend the no auto-restart when a logged in user.. prevent the system from restarting after updates are installed in the morning as this can restart while the user is in the middle of an important task.)
Given you are using modeling, it is not including a security filter as configured on your GPO so it is not clear whether those settings could interfere with the application of the GPO.
rerun the results wizard and see how the settings are applied.
gpresult /Scope Computer /V
Text file upload is fine. When you upload the HTML it is "transmitted" as text when download/view is unavailable.
ASKER
Arnold,
Got gpresult /scope computer /v results
1. my computer the problem one missing GPO name Windows 7 WSUS
2. my WinSAT computer has GPO Name Windows Vista WSUS
Tried the command on my Windows 8 computer got Access Denied
Thoughts
Note
I will run this on all others to compare later
None are getting my NTP GPO also
Thoughts?
gpresult.txt
Look at the security filter you use for each GPO, often authenticated_user is used for these types of GPO.
In your case all clients have all GPOs apply windows vista GPO, windows 7 GPO and windows 8 GPO, and you are using the security filtering to differentiate which systems checking using which client target such that each will have two other GPOs as "available" but denied by security filtering.
ASKER
Arnold
Yes most of the GPO's I looked at use authenticated_user for the security filter it adds that by default when you create the new gpo.
My security filters only include the security group Windows 7 GPO Vista GPO and Windows 8 GPO
Yes that is how you can differentiate the client target
Yes they showed all the other GPO's as denied.
The problem is that all other computers on the network are working with the correct GPO
Why just my Windows 7 not picking up the Windows 7 GPO is the big question here.
I can not put authenticated user into Windows 7 GPO then every user will get Windows 7
Could it be the added GPO DNS Suffix that security filter is only by my computer name not a group
Thoughts.
PS the access denied on the Windows 8.1 was I need to run cmd prompt as administrator. Don't know why that is not the default way, but it works now
Double check to make sure your windows 7 is the member of the computer security group that is used as the security filter in the windows 7 GPO.
Is this a system in a site as branchdc1? See whether its position in the AD matches the location where it is.
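The membership check suggested above can also be made from the client's side, using the `gpresult /scope computer /v` output collected earlier in the thread. The following is an added example, not part of the original posts: the sample output is constructed and abbreviated, and the function names and the GPO-to-group mapping (which would be read off the Security Filtering pane in GPMC) are assumptions.

```python
import re

# Section headings as printed by `gpresult /scope computer /v`.
APPLIED = "Applied Group Policy Objects"
FILTERED = "The following GPOs were not applied because they were filtered out"
GROUPS = "The computer is a part of the following security groups"

# Constructed, abbreviated sample in the gpresult /v layout (not the asker's
# real output). It is built so that the filter group is absent from the list.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    CN=TGKW001,CN=Computers,DC=our,DC=network,DC=tgcsnet,DC=com

    Applied Group Policy Objects
    -----------------------------
        WSUS
        DNS Suffix
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Windows 7 WSUS
            Filtering:  Denied (Security)

        Windows 8 WSUS
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\\Administrators
        Everyone
        NT AUTHORITY\\Authenticated Users
        Domain Computers
"""


def split_sections(text):
    """Return {heading: [body lines]} for each heading underlined with dashes.
    Assumes /scope computer, so each heading occurs only once."""
    lines = text.splitlines()
    sections, current = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and nxt and set(nxt) == {"-"}:
            current = line.strip()          # heading line
            sections[current] = []
        elif current is not None and set(line.strip()) != {"-"}:
            sections[current].append(line)  # body line (underline skipped)
    return sections


def filtered_gpos(body):
    """Map GPO name -> filtering reason from the 'filtered out' section."""
    result, name = {}, None
    for line in body:
        s = line.strip()
        if not s:
            continue
        m = re.match(r"Filtering:\s*(.+)", s)
        if m and name:
            result[name] = m.group(1)
        else:
            name = s
    return result


def audit(text, filter_groups):
    """filter_groups: {GPO name: group in its Security Filtering} (assumed
    mapping). Reports how each GPO was handled and whether the computer
    itself lists the filter group among its security groups."""
    sec = split_sections(text)
    applied = [l.strip() for l in sec.get(APPLIED, []) if l.strip()]
    denied = filtered_gpos(sec.get(FILTERED, []))
    # Drop any DOMAIN\ or authority prefix and compare case-insensitively.
    groups = {l.strip().split("\\")[-1].lower()
              for l in sec.get(GROUPS, []) if l.strip()}
    findings = []
    for gpo, group in filter_groups.items():
        if gpo in applied:
            status = "applied"
        elif gpo in denied:
            status = "filtered: " + denied[gpo]
        else:
            status = "not listed by name"
        findings.append({"gpo": gpo, "group": group, "status": status,
                         "computer_reports_group": group.lower() in groups})
    return findings


if __name__ == "__main__":
    mapping = {"Windows 7 WSUS": "Windows 7", "WSUS": "Authenticated Users"}
    for row in audit(SAMPLE, mapping):
        print(row)
```

A GPO shown as `Denied (Security)` with `computer_reports_group` false means the client does not see itself in the filter group, whatever AD Users and Computers shows. A computer account's group list comes from its logon token, which is built at startup, so membership added since the last restart will not appear in it.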
ASKER
Arnold,
First thanks for the continuous support on this most guys drop off issues I appreciate it.
My Windows 7 TGKW001 is in as a member of the security group Windows 7
Windows 7 is added to the Security Filtering of the scope for Windows 7 WSUS
This is all one Forest One Domain I have two Domain Controllers
This is very strange that my Windows 7 computer is the only one that this GPO does not apply to
Unfortunately I only have one Windows 7 computer to test with here. Hoping to have another one soon
My Windows 7 Computer has full administrator rights that I know of.
Can not figure this one out I have been researching also no luck.
At least this is a good learning process.
Hope we can figure this out.
What errors if any are reported in GPMC for the GPO? What if any event logs exist on the client dealing with the application of the GPO?
One option could be to use netdom to rejoin the system into the domain just in case something of this nature is at hand.
Does the windows 7 have registry modification to wsus settings directly rather than using a local policy?
It could be something simple that I have not asked or not asked In a way that would clear things up or point you in the right direction.
GPMC group policy results on this system, what is being reported? Are there any errors indicated?
ASKER
Arnold
In GPMC I ran Group Policy result for my computer
It reported this event only
Event ID: 1704 which is a normal process of Group Policy
Then I looked at this
Applied GPOs
Local Group Policy Local AD (1), Sysvol (1)
LogonAsAService our.network.tgcsnet.com AD (2), Sysvol (2)
DNS Suffix our.network.tgcsnet.com AD (3), Sysvol (3)
Default Domain Policy our.network.tgcsnet.com AD (72), Sysvol (72)
WSUS our.network.tgcsnet.com AD (20), Sysvol (20)
Denied GPOs
Name Link Location Reason Denied
{8DFABD80-E9C3-40D6-801C-C2D3771CB6F3} our.network.tgcsnet.com Inaccessible
{2E15508A-6585-401C-985F-AFF3A49DD25F} our.network.tgcsnet.com Inaccessible
{9B5C0FF6-65A7-47B8-AA90-814FB2862854} our.network.tgcsnet.com Inaccessible
{EEA475AB-8ED4-4E77-8B98-A18744F1CAD7} our.network.tgcsnet.com Inaccessible
{A7F93F2A-14C0-4494-9D67-291779C45144} our.network.tgcsnet.com Inaccessible
{DC299B63-10FF-4E0B-A3ED-428A976DD02B} our.network.tgcsnet.com Inaccessible
8D.... is my NTP GPO
EE.... is my Windows 7 GPO
What does inaccessible mean?
Are we getting somewhere now?
Thoughts
ASKER CERTIFIED SOLUTION
ASKER
Arnold,
Putting the computer account in the security filter worked
did gpupdate /force on the server and my workstation queried the reg and show the target group win7 was added.
So why does the security group Windows 7 WSUS not work? That is what we need because I just want to add to the security group, not update the GPO all the time
All the other security groups work
Well all but Windows 7 WSUS and NTP
Thoughts
Double check the type of group it is , make sure it is a security group type.
ASKER
Arnold
Security Group Global
Same as Windows 8 and Windows Vista
Look on the GPO delegation tab,security tab to see whether the windows 7 group is included there with appropriate rights. Compare is GPO to the windows 8 configuration dealing with access.
ASKER
Arnold
Looked at both they have the same settings across the board
I was researching this and found this on another posting
"if you are applying to a set of computers, you may need to add them to a group and give this group read and apply, as well as authenticated users."
Also this comment
I have 3 choices for the permissions:
Read
Edit Settings
Edit settings, delete or modify security
What kind of group, Domain Local or Global, then security or distribution?
But that does not explain why my other GPO's are working.
Thoughts
ASKER
Arnold,
Thought was researching and came across WMI filtering
select * from Win32_OperatingSystem where (Version like "6.1%" or Version like "6.2%" or Version like "6.3%") and ProductType = "1"
If I use a filter like above then I can use authenticated_users in place of the security group Windows 7
Another task i would not have to do add the new computer to a security group
The above is an example I found
What would you do If I just wanted to select Windows 7 which I believe is "6.1%"
This is all new territory for me
Thanks
There are different ways to manage that.
Not sure why you would want to differentiate in this manner.
Using OUs
Workstations OU Authenticated_users workstations
Workstations TEST OU authenticated_users workstations_test
1 of each type is in this OU windows vista, 7 and windows 8 and windows 8.1)
auto-approval for the workstation test OU for Critical and security updates. to install to this client target
once updates are auto-approved, two-three weeks later if no issues arise (those system need to be regularly used) a manual auto-approve for the same criteria, or manually going in approving each .....
Since you have the options, only you can decide which meet your needs.
you can do OUs with Security Groups with WMI filters.....
Glad I could help.
ASKER
Arnold,
Update
For the NTP GPO that was not working I got a lot further along now.
Created a WMI Filter excluded one Server which is the NTP server
Removed the Security Group NTP and added authenticated_users
ran gpupdate /force and amazing all the computers and servers now have the NTP GPO
The WMI Filter works also because I checked by running the Group Policy Results on GPMC for that server and the NTP GPO was filtered by WMI
All good so far.
So looks like WMI is the way to go instead of using Security Groups
Going to create more WMI filters to check for the OS version.
The only problem I have with the NTP GPO is the registry setting did not change.
And as I posted earlier that the registry changes will change that is the purpose of GPO
I ran this gpresult /scope computer /v
See attached
The NTPSERVER should be ntp.our.netwrok.tgcsnet.com but it shows all kind of strange numbers.
Thoughts?
gpresult-NTP.txt
gpresult /V /Scope Computer does not report human readable values; GPO name and settings name are human readable.
To get the detail/value in human readable form (HTML), you would need to use the /h which is available starting with windows vista or 7 /windows server 2008
see if w32tm /? is available on these systems to see what these systems report as to the NTP server to which they will synchronize.
IMHO, THE only server that should reference a dedicated NTP server is the AD/DC Master all others should synchronize to the AD DC.
ASKER
Arnold,
gpresult /r report.html showed the correct information that's great. WMI filter works super.
ran w32tm /query /verbose showed my GPO settings
Then I figured out why I did not see them in the registry.
I was looking in the wrong place.
All my manual entries of NTP were in this path
hklm\system\currentcontrolset\services\w32time\parameters
The GPO uses this path
hklm\software\policies\Microsoft\w32time\parameters
Thoughts
So you are set?
I have many thoughts, any subject in particular?
ASKER
Arnold
I am hoping so.
Just curious about the reg settings
Will the GPO settings override the other settings?
I believe so. You can confirm through the eventlog look for w32tm and see which system it synchronizes with.
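Added example (not part of the original thread): a check that puts the two registry locations mentioned above side by side and then asks the time service, and the System event log, which source is actually in use. The function name `Get-W32TimeParameters` is an assumption made for illustration; the two key paths are the ones named in the thread.

```powershell
# Added example, not from the thread: compare manually set and GPO-delivered
# W32Time parameters, then confirm what the service is really using.
$keys = @{
    'Manual (service key)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    'Group Policy key'     = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
}

function Get-W32TimeParameters {
    param([string]$Label, [string]$Path)
    $present = Test-Path $Path
    $ntp = $null; $type = $null
    if ($present) {
        $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        $ntp  = $p.NtpServer   # e.g. "host,0x1"
        $type = $p.Type        # NTP, NT5DS, AllSync or NoSync
    }
    New-Object PSObject -Property @{
        Source = $Label; KeyPresent = $present; NtpServer = $ntp; Type = $type
    }
}

# 1. What each registry location says.
$keys.GetEnumerator() |
    ForEach-Object { Get-W32TimeParameters -Label $_.Key -Path $_.Value } |
    Format-Table Source, KeyPresent, NtpServer, Type -AutoSize

# 2. What the running service reports as its current source.
'Source reported by w32tm: ' + ((& w32tm /query /source) -join ' ')

# 3. Most recent "now synchronizing with ..." event (Event ID 35).
$evt = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    Id           = 35
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($evt) {
    '{0}: {1}' -f $evt.TimeCreated, $evt.Message
} else {
    'No Event ID 35 found in the System log.'
}
```

If the source in steps 2 and 3 matches the `NtpServer` value under the Group Policy key rather than the manual one, the GPO setting is the one in effect.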
ASKER
Arnold,
We got it
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 3/19/2015 12:40:00 PM
Event ID: 35
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: TGKW001.our.network.tgcsnet.com
Description:
The time service is now synchronizing the system time with the time source ntp.our.network.tgcsnet.com,0x1 (ntp.m|0x1|0.0.0.0:123->10.2.8.24:123).
That is from my GPO
We are now done
Now on to more WMI Filters
ASKER
Arnold
This worked
Thanks for all your help
Now off to WMI Filtering.
:)
see which policies are being loaded/seen and the DC from which it gets them.
is it in a separate site or part of HQ ?