Intelli-Seeker asked:
Search for unique ID in group policy to troubleshoot Group Policy Local Users and Groups warning error in Application Log

Server 2012 R2 Datacenter Edition

I am trying to apply a group policy for WSUS and it is not applying. It is not even showing up as filtered out when I run gpresult /r.

I am finding multiple references in the Application event log on the server that point to a specific unique ID in Group Policy. Does anyone have ideas on how to search in group policy to find the policy that is using that unique ID? The error I received is listed below if anyone has suggestions. I know for certain that is not the ID for the policy that I am trying to apply.

The computer 'Administrator (built-in)' preference item in the 'Security Policy {5FA4798C-D7BA-42DC-BD36-C88C777B2EFA}' Group Policy Object did not apply because its targeting item failed with error code '0x80070035 The network path was not found.' This error was suppressed.
RantCan:

Have you tried this? It's an oldie, but you can try the same with a read-only LDAP tool like the one from SOFTERRA at

http://www.ldapadministrator.com/download.htm

How To Identify Group Policy Objects in the Active Directory and SYSVOL

https://support.microsoft.com/en-us/kb/216359
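The question asks how to find which GPO (or which preference item inside a GPO) a GUID from the Application log belongs to, and the KB article above walks through doing that by hand in AD and SYSVOL. The following PowerShell is an added example, not code from the thread or from Microsoft: it looks the GUID up directly with the GroupPolicy module, then searches every GPO's XML report and the Groups.xml preference files in SYSVOL for the GUID and for the preference item name quoted in the event. It assumes the RSAT GroupPolicy module is installed, that the account can read GPOs and SYSVOL, and that the GUID in the event text is the GPO's ID (which is how the "'Name {GUID}' Group Policy Object" wording is built).

```powershell
# Added example (not from the thread): locate the GPO and the Local Users and Groups
# preference item behind "'Security Policy {GUID}' Group Policy Object" in the event.
# Assumes: GroupPolicy RSAT module present, read access to GPOs and SYSVOL.
Import-Module GroupPolicy

$eventGuid = '5FA4798C-D7BA-42DC-BD36-C88C777B2EFA'   # GUID quoted in the event
$itemName  = 'Administrator \(built-in\)'             # preference item name, regex-escaped
$domain    = $env:USERDNSDOMAIN

# 1. The GUID in the event text is normally the GPO's own ID, so try a direct lookup
#    and print where the GPO is linked (LinksTo section of the XML report).
$gpo = Get-GPO -Guid $eventGuid -Domain $domain -ErrorAction SilentlyContinue
if ($gpo) {
    "GPO '{0}' ({1}), status {2}" -f $gpo.DisplayName, $gpo.Id, $gpo.GpoStatus
    [xml]$report = Get-GPOReport -Guid $eventGuid -Domain $domain -ReportType Xml
    $report.GPO.LinksTo | ForEach-Object {
        "  linked to: {0} (link enabled: {1})" -f $_.SOMPath, $_.Enabled
    }
} else {
    "No GPO has ID $eventGuid; it may be a preference item GUID, searching reports."
}

# 2. Search every GPO's XML report for the GUID and for the preference item name.
#    Preference items carry their own uid attributes, so a GUID that belongs to an
#    item rather than a GPO is found this way.
Get-GPO -All -Domain $domain | ForEach-Object {
    $xml = Get-GPOReport -Guid $_.Id -Domain $domain -ReportType Xml
    if ($xml -match $eventGuid -or $xml -match $itemName) {
        "Match in GPO '{0}' ({1})" -f $_.DisplayName, $_.Id
    }
}

# 3. Same search over the on-disk policy files. Local Users and Groups preference
#    items and their item-level targeting filters live in Groups.xml under
#    \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\Groups\.
$sysvol = "\\$domain\SYSVOL\$domain\Policies"
Get-ChildItem -Path $sysvol -Recurse -Filter Groups.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern $eventGuid, $itemName |
    Select-Object Path, LineNumber, Line
```

Step 3 is the one that shows the targeting filter itself: the Filters element next to the matching Groups.xml entry is what failed with "network path was not found" in the event, so its contents tell you which network resource the targeting check depends on.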
h1r0:

Please explain the GPO you are pushing.
Intelli-Seeker (asker):

The GPO is a computer-based policy to push WSUS settings. It tells the workstation all the specifics for Windows Update settings. I have separate policies based on the types of machines and the departments that those are in. For example, I have a policy that is set to patch the domain controllers manually rather than scheduled like some of the other servers.

The policy is under Computer Configuration > Policies > Administrative Templates > Windows Components/Windows Update

Sounds like you should have one blanket WSUS policy and then use groups in WSUS to control who gets what updates when.

Within the group policy you can set client-side targeting groups. For example, I created a target group in the Windows Components/Windows Update policy called "VM_Hosts_Manual_Install". That name matches what is in the WSUS console. Then I don't have to manually move computers around in the WSUS console. They automatically get put in the correct group based on the group policy.

I have attached a sample screenshot of one of the policies (with the server name removed):
sample-WSUS-policy.jpg

You don't have to manually add computers to groups in WSUS. Just enable group policy computer group assignment on WSUS and then push the enable client-side targeting GPO.

Also if you want, you might clear the GPO cache on the affected machines: https://www.experts-exchange.com/questions/22095873/Delete-Cached-Group-Policy-Settings.html

h1r0 - I did set up client-side targeting. I put a screenshot in my previous post. The problem is not all the servers are reporting even with the group policy setting and it appears that the policy is not applying.

Did you configure the WSUS server to use group policy computer assignment? It's a radio button in the WSUS console. You then still need to manually create the groups in WSUS and then when you assign a GPO to an OU all the computers that get that GPO will be assigned to the group in WSUS using the value in the client-side targeting field. They must match exactly. Again if the GPO isn't getting assigned to a node you may want to clear the cache. To check to see if you are getting the GPO run gpresult /r /scope computer

The WSUS server is configured to receive assignments through group policy. I ran the gpresult /r /scope computer and the GPO is being applied.

I checked the registry HCLM/Policies/Microsoft/Windows/WindowsUpdate and the target group and WUServer are correct.

I'm going to add a rule in the firewall to allow traffic for the DMZ ports from the servers behind the DMZ to the WSUS server. I'll update if that fixes the issue.

Here is what I found after creating the rule and running a packet capture. The firewall is blocking the traffic from the DMZ server to the WSUS server when I do not have all ports open. I created a rule that only allows ports 8530 and 8531 (the ports I set up for WSUS). It's trying to communicate on a bunch of other ports and the rule is blocking the traffic. Group policy is set up and applying correctly. The problem is with the firewall blocking the traffic.

Question: Does anyone have a best practice for setting up WSUS over a DMZ? Why is the WSUS server trying to communicate over ports other than the ones I set up for WSUS? Why is the firewall blocking all traffic even though I have a rule set up to allow traffic on those specific ports?

Is the WSUS server joined to the domain?

Yes. The WSUS server is on the domain. All machines on the domain are communicating with it except the ones that are inside the DMZ. I'm sure it is something with the firewall, but as far as I can tell, I have opened up the ports in the firewall that I set during the WSUS install. There must be something I am missing. I don't want to open all ports because that would defeat the purpose of having a DMZ.
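The asker's checks above (gpresult, the WindowsUpdate policy keys in the registry, and whether the DMZ server can reach the WSUS server on 8530/8531) can be done from one script on the affected client. This PowerShell is an added example, not code from the thread: it reads the policy values the GPO writes, confirms client-side targeting is actually set, and tests TCP reachability of the WSUS host on the port named in WUServer plus 8530 and 8531. It assumes a Windows 8.1 / Server 2012 R2 or newer client (for Test-NetConnection) and the standard policy key path; the port numbers are the ones the thread names.

```powershell
# Added example (not from the thread): verify WSUS client configuration and reachability
# from a server in the DMZ. Assumes Server 2012 R2 or newer (Test-NetConnection).
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $policy -ErrorAction Stop            # fails if the GPO never wrote the key
$au = Get-ItemProperty -Path "$policy\AU" -ErrorAction SilentlyContinue

"WUServer           : $($wu.WUServer)"
"WUStatusServer     : $($wu.WUStatusServer)"
"TargetGroupEnabled : $($wu.TargetGroupEnabled)"
"TargetGroup        : $($wu.TargetGroup)"
"UseWUServer (AU)   : $($au.UseWUServer)"

# Client-side targeting needs both values, and the group name must match the WSUS
# console group exactly (the thread's point about the names matching).
if ($wu.TargetGroupEnabled -ne 1 -or [string]::IsNullOrWhiteSpace($wu.TargetGroup)) {
    Write-Warning 'Client-side targeting is not fully set by policy on this machine.'
}
if ($au.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1; the client will not use the intranet WSUS server.'
}

if ([string]::IsNullOrWhiteSpace($wu.WUServer)) {
    Write-Warning 'WUServer is empty; nothing to test.'
    return
}

# Parse the WSUS URL and test the port it names plus the two ports from the thread.
$uri   = [System.Uri]$wu.WUServer
$ports = @($uri.Port, 8530, 8531) | Select-Object -Unique
foreach ($p in $ports) {
    $r = Test-NetConnection -ComputerName $uri.Host -Port $p -WarningAction SilentlyContinue
    "{0}:{1} TCP reachable: {2}" -f $uri.Host, $p, $r.TcpTestSucceeded
}

# Recent client-side evidence on 2012 R2 (Windows 10 / 2016+ use Get-WindowsUpdateLog).
$log = "$env:windir\WindowsUpdate.log"
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'WSUS server:|Target group:|0x8024' |
        Select-Object -Property Line -Last 10
}
```

A TCP test that succeeds on 8530/8531 while the client still does not report narrows the problem to something other than those two ports, which is the situation the asker's packet capture describes; a failed test on the WUServer port points at the firewall rule itself.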
ASKER CERTIFIED SOLUTION

h1r0:

(solution text is members-only and not shown on this page)

Thanks for all your comments. That makes sense. We'll have to work on figuring out the best way to set up the DMZ and will run updates for now without WSUS.