Compare cert salaries and plan your next career move
Mishra wrote: " have a seperate OU for this account and that is where the gpo is linked to. " You have the computer object in this separate OU? If you only have the user object then it isn't going to apply the WSUS computer settings.
undomiel wrote: Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.
aoe wrote: undomiel wrote: Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts. I moved the computer into the gpo for the wsus update. on the client computer did a gpupdate /force, ran gpresult and the gpo is still not applied. ?????
Mishra wrote: aoe wrote: undomiel wrote: Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts. I moved the computer into the gpo for the wsus update. on the client computer did a gpupdate /force, ran gpresult and the gpo is still not applied. ????? Are you using the GPMC?
Silver Bullet wrote: aoe wrote: undomiel wrote: Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts. I moved the computer into the gpo for the wsus update. on the client computer did a gpupdate /force, ran gpresult and the gpo is still not applied. ????? Did you mean that you moved the computer into the OU?
undomiel wrote: Back to gpupdate topic this: http://technet2.microsoft.com/windowsserver/en/library/6880fef3-76b7-4eb3-b993-fa00799615851033.mspx?mfr=true states that gpupdate refreshes the local policies only. I can also assure you that from real life testing that executing a gpupdate /force on the DC will not force updates out to all the clients. If one wants to update all the clients though without waiting for the standard refresh interval one could use psexec which is at http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx Just a bit of scripting magic combined with psexec or even just a plain text list of the computers combined with psexec and you'll be updating all of your clients easily.
aoe wrote: Why would i put the computer object in the OU. I have all the computer object listed in the "Computers" in active directory users and computers?
sprkymrk wrote: Okay, dumb question - are the computers in question located in the OU to which the GPO is applied? You didn't apply the GPO to the default Computers container, did you?
aoe wrote: I fixed it!!!! and learned some stuff while doing it. So i created a test ou, added a security group to it, assigned the computer and user to the security group, then added the security group to the security filtering on the gpo. thanks for all the advise in here, this is futher helping me prepare for the dreaded 291
Mishra wrote: aoe wrote: I fixed it!!!! and learned some stuff while doing it. So i created a test ou, added a security group to it, assigned the computer and user to the security group, then added the security group to the security filtering on the gpo. thanks for all the advise in here, this is futher helping me prepare for the dreaded 291 It doesn't have to be a part of a security group for it to work. This is pretty important to understand as most environments don't have users and computers in security groups to apply GPOs. "Authenticated Users" should be sufficient as your security filtering for the GPO to apply correctly. If you take the user and computer out of the security group (keep it in the same OU) and remove the security group from your security filtering then it will work fine.
aoe wrote: Ya i jumped to soon, i thought i had it fixed. it was applied but now its not....hmmm and doing what mentioned above does not work, gpresult still does not show it applied.
sprkymrk wrote: Another lesson: GPO's never have and never will apply to security groups. They apply only to either the USER or COMPUTER object in the OU, Site, or Domain. You can filter using ACL's and security groups, but you can never apply a GPO to a Security Group. Honestly I think you are making this more difficult than it needs to be. Try this (and nothing more, nothing less): 1. Create a GPO called WSUS - apply the appropriate settings. 2. Create an OU called Workstations. 3. Apply the WSUS GPO to the Workstations OU. 4. Move a domain computer account to the Workstations OU. 5. Run gpupdate /force /boot on the workstation. Let it restart. 6. Check with gpresult. Let us know if this works. Keep it simple, and we can go from there.
aoe wrote: So what i learned was that i need the computer in the ou that i want computer settings applied to from a gpo. Thanks, and sorry for all the confusion. Something so simple took so long to find a resolution. Thanks for the help! What a great board this is....
nazzeem wrote: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] "WUServer"="http://your-wsus-server" "WUStatusServer"="http://http://your-wsus-server" [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] "UseWUServer"=dword:00000001 These keys must exist in the client machine registry else the pc wil NOT update from WSUS. Just today I updated a machine not belonging to the domain by just adding those registry keys and running the command "wuauclt /detectnow". You will not see anything after running the command. When adding the keys manually, the PC have to be rebooted first. I am installing & configurating WSUS 3.0 with SP1 on one of our clients SBS2003 Servers as we speak. Will let you know how it went.
Compare salaries for top cybersecurity certifications. Free download for TechExams community.
