Search for unique ID in group policy to troubleshoot Group Policy Local Users and Groups warning error in Application Log

Server 2012 R2 Datacenter Edition

I am trying to apply a group policy for WSUS and it is not applying. It is not even showing up as filtered out when I run gpresult /r.

I am finding multiple references in the Application event log on the server that point to a specific unique ID in Group Policy. Does anyone have ideas on how to search in group policy to find the policy that is using that unique ID? The error I received is listed below if anyone has suggestions. I know for certain that is not the ID for the policy that I am trying to apply.

The computer 'Administrator (built-in)' preference item in the 'Security Policy {5FA4798C-D7BA-42DC-BD36-C88C777B2EFA}' Group Policy Object did not apply because its targeting item failed with error code '0x80070035 The network path was not found.' This error was suppressed.
Intelli-SeekerAsked:
RantCanSr. Systems AdministratorCommented:
Have you tried this? It's an oldie, but you can try the same with a read-only LDAP tool like the one from SOFTERRA at

http://www.ldapadministrator.com/download.htm

How To Identify Group Policy Objects in the Active Directory and SYSVOL

https://support.microsoft.com/en-us/kb/216359
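The KB article above walks through finding a GPO by its GUID in AD and SYSVOL by hand. The following is an added example (not from this thread or from Microsoft) that does the same lookup in PowerShell for the GUID quoted in the question, then opens the Local Users and Groups preference file in SYSVOL, since the event says a preference item's targeting filter is what failed. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the account can read SYSVOL.

```powershell
# Added example: resolve a GPO GUID from an event log message to its name,
# its SYSVOL folder, its preference items (with their targeting filters)
# and the places it is linked. Assumes RSAT GroupPolicy + ActiveDirectory.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# GUID copied from the Application log message in the question
$gpoGuid = '5FA4798C-D7BA-42DC-BD36-C88C777B2EFA'

# 1. Resolve the GUID to a friendly name (the event shows only the GUID)
$gpo = Get-GPO -Guid $gpoGuid
"GPO name        : $($gpo.DisplayName)"
"Computer version: AD $($gpo.Computer.DSVersion) / SYSVOL $($gpo.Computer.SysvolVersion)"

# 2. The same object in AD; gPCFileSysPath points at the SYSVOL folder
$container = Get-ADObject -LDAPFilter "(&(objectClass=groupPolicyContainer)(cn={$gpoGuid}))" `
    -Properties displayName, gPCFileSysPath
"SYSVOL path     : $($container.gPCFileSysPath)"

# 3. Local Users and Groups preference items are stored in Groups.xml under
#    Machine\Preferences\Groups; each <User>/<Group> element carries its own
#    item-level targeting under <Filters>. 'Administrator (built-in)' in the
#    error message is one such item.
$groupsXml = Join-Path $container.gPCFileSysPath 'Machine\Preferences\Groups\Groups.xml'
if (Test-Path $groupsXml) {
    [xml]$groups = Get-Content -Path $groupsXml
    foreach ($item in $groups.Groups.ChildNodes) {
        # Local user items are <User>, local group items are <Group>
        if ($item.LocalName -notin 'User', 'Group') { continue }
        $targets = @($item.Filters.ChildNodes | ForEach-Object { $_.LocalName })
        "Preference item : [$($item.LocalName)] $($item.name)  action=$($item.Properties.action)  targeting=$($targets -join ',')"
    }
} else {
    "No Local Users and Groups preference file under $($container.gPCFileSysPath)"
}

# 4. Where is the GPO linked? This tells you which computers evaluate it at all.
[xml]$report = Get-GPOReport -Guid $gpoGuid -ReportType Xml
$report.GPO.LinksTo | ForEach-Object { "Linked at       : $($_.SOMPath) (enabled=$($_.Enabled))" }
```

A targeting filter such as a security-group or LDAP query filter needs a reachable domain controller to evaluate; the "network path was not found" text in the event is about that evaluation, not about the GPO the author is trying to apply, which is why the GUID does not match the WSUS policy.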
h1r0Commented:
Please explain the GPO you are pushing.
Intelli-SeekerAuthor Commented:
The GPO is a computer based policy to push WSUS settings. It tells the workstation all the specifics for Windows Update settings. I have separate policies based on the types of machines and the departments that those are in. For example, I have a policy that is set to patch the domain controllers manually rather than scheduled like some of the other servers.

The policy is under Computer Configuration > Policies > Administrative Templates > Windows Components/Windows Update
RantCanSr. Systems AdministratorCommented:
Sounds like you should have one blanket WSUS policy and then use groups in WSUS to control who gets what updates when.
Intelli-SeekerAuthor Commented:
Within the group policy you can set client side targeting groups. For example, I created a target group in the Windows Components/Windows Update policy called "VM_Hosts_Manual_Install". That name matches what is in the WSUS console. Then I don't have to manually move computers around in the WSUS console. They automatically get put in the correct group based on the group policy.

I have attached a sample screenshot of one of the policies (with the server name removed)
sample-WSUS-policy.jpg
h1r0Commented:
You don't have to manually add computers to groups in wsus. Just enable group policy computer group assignment on wsus and then push enable client side targeting gpo.
h1r0Commented:
Also if you want - you might clear the GPO cache on the affected machines.  http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_22095873.html
Intelli-SeekerAuthor Commented:
h1r0 - I did set up client-side targeting. I put a screenshot in my previous post. The problem is not all the servers are reporting even with the group policy setting and it appears that the policy is not applying.
h1r0Commented:
Did you configure the WSUS server to use group policy computer assignment? It's a radio button in the WSUS console. You then still need to manually create the groups in WSUS, and then when you assign a GPO to an OU all the computers that get that GPO will be assigned to the group in WSUS using the value in the client side targeting field. They must match exactly. Again, if the GPO isn't getting assigned to a node you may want to clear the cache. To check to see if you are getting the GPO run gpresult /r /scope computer
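The server-side half of the check described in the comment above, as an added example that is not part of the thread: run on the WSUS server, it reports whether the targeting mode is set to client-side (the radio button), lists the target groups that exist, and shows which computers have reported into the group name used in the question. It assumes the UpdateServices module that ships with the WSUS role and the port 8530 mentioned later in the thread.

```powershell
# Added example: verify client-side targeting on the WSUS server itself.
# Assumes the UpdateServices module (installed with the WSUS role) and
# WSUS listening on 8530 (the port the author configured).
Import-Module UpdateServices

$wsus   = Get-WsusServer -Name 'localhost' -PortNumber 8530
$config = $wsus.GetConfiguration()

# TargetingMode is 'Server' when membership is set in the console and
# 'Client' when it comes from the GPO value (the radio button in Options)
"Targeting mode : $($config.TargetingMode)"
if ($config.TargetingMode -ne 'Client') {
    Write-Warning 'Client-side targeting is off; the GPO TargetGroup value will be ignored.'
}

# The groups still have to exist on the server, and names are compared exactly
$wsus.GetComputerTargetGroups() |
    Select-Object Name, @{ n = 'Computers'; e = { $_.GetComputerTargets().Count } } |
    Format-Table -AutoSize

# Which computers have checked in with the target-group name from the thread?
$expected = 'VM_Hosts_Manual_Install'
$group = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $expected
if ($null -eq $group) {
    Write-Warning "No target group named '$expected' exists on the server; create it or fix the GPO value."
} else {
    $group.GetComputerTargets() |
        Select-Object FullDomainName, IPAddress, LastReportedStatusTime |
        Format-Table -AutoSize
}
```

A machine that has the GPO but never appears under its group has not been able to report to the server, which separates "policy not applied" from "client cannot reach WSUS".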
Intelli-SeekerAuthor Commented:
The WSUS server is configured to receive assignments through group policy. I ran the gpresult /r /scope computer and the GPO is being applied.

I checked the registry HKLM/Policies/Microsoft/Windows/WindowsUpdate and the target group and WUServer are correct.

I'm going to add a rule in the firewall to allow traffic for the DMZ ports from the servers behind the DMZ to the WSUS server. I'll update if that fixes the issue.
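The client-side check the author describes (registry policy keys plus gpresult), as an added example that is not part of the thread, with a connectivity test on the configured WSUS port added so that a firewall problem shows up separately from a policy problem. It assumes the GPO writes WUServer as a URL with an explicit port (for example http://wsus.example.internal:8530, a placeholder host) and that Test-NetConnection is available, as it is on Server 2012 R2.

```powershell
# Added example: run on a machine that should be patching from WSUS.
# Reads the policy values under the key the author checked, then tests
# whether the WSUS port is reachable from here. Host names are whatever
# the GPO wrote; nothing here is specific to the thread's environment.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey  = Join-Path $policy 'AU'

$wu = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey  -ErrorAction SilentlyContinue

if (-not $wu -or -not $wu.WUServer) {
    Write-Warning 'No WUServer policy value: the WSUS GPO has not applied on this machine.'
    return
}

"WUServer           : $($wu.WUServer)"
"WUStatusServer     : $($wu.WUStatusServer)"
"TargetGroupEnabled : $($wu.TargetGroupEnabled)"
"TargetGroup        : $($wu.TargetGroup)"
"UseWUServer (AU)   : $($au.UseWUServer)"

# Without UseWUServer=1 the agent ignores WUServer and talks to Microsoft Update
if ($au.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1; the client will not use the WSUS server.'
}

# Is the configured port open from this host? A DMZ rule that passes only
# 8530/8531 satisfies this test; domain traffic is a separate requirement.
$uri = [uri]$wu.WUServer
$tnc = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port
"TCP $($uri.Host):$($uri.Port) reachable : $($tnc.TcpTestSucceeded)"

# Which GPOs the computer actually received, using the command from the thread
gpresult /r /scope computer |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10 |
    ForEach-Object { $_.Line; $_.Context.PostContext }
```

If the registry values are right and the port test fails, the policy is doing its job and the block is on the network path; if the port test passes but the machine still never reports, look at what else the agent needs (the later comments in this thread cover that for domain-joined DMZ hosts).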
Intelli-SeekerAuthor Commented:
Here is what I found after creating the rule and running a packet capture. The firewall is blocking the traffic from the DMZ server to the WSUS server when I do not have all ports open. I created a rule that only allows ports 8530 and 8531 (the ports I set up for WSUS). It's trying to communicate on a bunch of other ports and the rule is blocking the traffic. Group policy is set up and applying correctly. The problem is with the firewall blocking the traffic.

Question: Does anyone have a best practice for setting up WSUS over a DMZ? Why is the WSUS server trying to communicate over ports other than the ones I set up for WSUS? Why is the firewall blocking all traffic even though I have a rule set up to allow traffic on those specific ports?
h1r0Commented:
Is the WSUS server joined to the domain?
Intelli-SeekerAuthor Commented:
Yes. The WSUS server is on the domain. All machines on the domain are communicating with it except the ones that are inside the DMZ. I'm sure it is something with the firewall, but as far as I can tell, I have opened up the ports in the firewall that I set during the WSUS install. There must be something I am missing. I don't want to open all ports because that would defeat the purpose of having a DMZ.
h1r0Commented:
Your problem is you don't have all the ports open required for domain communication to function. You want to move the WSUS server to the core network and use a reverse proxy in the DMZ instead (check out MS ARR). You never want a domain joined server in the DMZ because it exposes Active Directory to the WAN and the number of ports that are required is incredible (everything above 1024 practically). This effectively makes your DMZ Swiss cheese and most security policies wouldn't allow it anyway. Check out KB 179442 and just have a nice chuckle over a glass of port while you take a look at this ridiculous document.

Intelli-SeekerAuthor Commented:
Thanks for all your comments. That makes sense. We'll have to work on figuring out the best way to set up the DMZ and will run updates for now without WSUS.