WSUS 3.0 won't list computers & gpo not being applied?

aoe · February 2008

I have installed WSUS on my dc.
I have configured a gpo to point to the wsus server and applied it to the correct ou.
I then go to the client computer and run gpupdate /force and then gpresult and the WSUS gpo is not being applied?

Any ideas why this is happening? Is there more to it if the gpo is not being applied correctly?
Thanks for the help.

nazzeem · February 2008

aoe wrote:

I have installed WSUS on my dc.
I have configured a gpo to point to the wsus server and applied it to the correct ou.
I then go to the client computer and run gpupdate /force and then gpresult and the WSUS gpo is not being applied?

Any ideas why this is happening? Is there more to it if the gpo is not being applied correctly?
Thanks for the help.

gpupdate /force should be run on the DC to update / enforce the Policy on the clients if I am not mistaken.

aoe · February 2008

nazzeem wrote:

aoe wrote:

I have installed WSUS on my dc.
I have configured a gpo to point to the wsus server and applied it to the correct ou.
I then go to the client computer and run gpupdate /force and then gpresult and the WSUS gpo is not being applied?

Any ideas why this is happening? Is there more to it if the gpo is not being applied correctly?
Thanks for the help.

gpupdate /force should be run on the DC to update / enforce the Policy on the clients if I am not mistaken.

I have done that multiple times, then run gpresult and the policies are not being applied for some reason?

The reason this is a big issue to me is due to what i have heard about the 291 and wsus questions and if i can't assign a computer through gpo, i don't feel like i have a grasp of it?

Thanks for the help.

nazzeem · February 2008

Check whether other policies is applied to the domain computers e.g "strong password policy" etc. If this works then maybe you could try to rejoin the workstation with the domain. I am also studying WSUS for 291. So I might not have a solution for you.

But I what I would do is:

1.) Make sure the workstation is joined properly with the domain, and rejoin it if required.

2.) Check if other policies is applied to the workstation.

3.) Check if these keys exesits in the workstations registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

4.) Run the command "wuauclt /detectnow" from command prompt to force your workstation to search for WSUS servers.

5.) Check the workstations %windir% for the WindowsUpdate.log file and check in it for * WSUS server: <NULL> and * WSUS status server: <NULL>. Check if it points to your WSUS Server.

There are probably other things you can do as well.

sprkymrk · February 2008

nazzeem wrote:

aoe wrote:

I have installed WSUS on my dc.
I have configured a gpo to point to the wsus server and applied it to the correct ou.
I then go to the client computer and run gpupdate /force and then gpresult and the WSUS gpo is not being applied?

Any ideas why this is happening? Is there more to it if the gpo is not being applied correctly?
Thanks for the help.

gpupdate /force should be run on the DC to update / enforce the Policy on the clients if I am not mistaken.

Although I have seen others state this before, I haven't seen it from a KB or other MS source. Can someone show me where MS states that running gpupdate on the DC actually forces an update on clients? To my knowledge, you must run gpupdate on whatever computer you want the updates to take effect. This means you should run gpupdate on the clients individually, not the server.

Someone correct me if I am wrong, with references please.

nazzeem · February 2008

From my experience. When you make changes to a policy, it will not take effect immediatly. When you run gpupdate /force, the policies is applied immediatly to all clients on the domain. This will have the same efect as rebooting the client PC. I do not agree with your statement that the command has to be run on all the client pc`s. Imagine you have one PDC on the domain and 569 workstations. Which admin will run the command on all the workstations. Not me thank you very much.

Please post the correct solution for this issue when you find it. We might learn something for our 70-290 here.

snadam · February 2008

sprkymrk wrote:

Although I have seen others state this before, I haven't seen it from a KB or other MS source. Can someone show me where MS states that running gpupdate on the DC actually forces an update on clients? To my knowledge, you must run gpupdate on whatever computer you want the updates to take effect. This means you should run gpupdate on the clients individually, not the server.

Someone correct me if I am wrong, with references please.

I am also curious...

sprkymrk · February 2008

nazzeem wrote:

From my experience. When you make changes to a policy, it will not take effect immediatly. When you run gpupdate /force, the policies is applied immediatly to all clients on the domain. This will have the same efect as rebooting the client PC. I do not agree with your statement that the command has to be run on all the client pc`s. Imagine you have one PDC on the domain and 569 workstations. Which admin will run the command on all the workstations. Not me thank you very much..

Running gpupdate updates the policy on the computer on which it is run. Group Policy has automatic update intervals (90 minutes +1-30 minutes unless changed) which is why an admin doesn't need to run gpupdate on 569 clients - he just waits for the automatic update interval. The gpupdate command is for special circumstances. If you have a KB article or something I'd appreciate the reference. So far every KB article I have found states that you run gpupdate on the client you are trouble shooting.

nazzeem · February 2008

Running "gpupdate /force" on the domain controller will download the latest Group Policy settings to client computers.

http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgapxb.mspx

Some info on gpupdate with WSUS
http://www.wsus.info/forums/lofiversion/index.php?t7861.html

And heres Google
http://www.google.co.za/search?source=ig&hl=en&rlz=&q=gpupdate+%2Fforce&meta=

nazzeem · February 2008

sprkymrk wrote:

nazzeem wrote:

From my experience. When you make changes to a policy, it will not take effect immediatly. When you run gpupdate /force, the policies is applied immediatly to all clients on the domain. This will have the same efect as rebooting the client PC. I do not agree with your statement that the command has to be run on all the client pc`s. Imagine you have one PDC on the domain and 569 workstations. Which admin will run the command on all the workstations. Not me thank you very much..

Running gpupdate updates the policy on the computer on which it is run. Group Policy has automatic update intervals (90 minutes +1-30 minutes unless changed) which is why an admin doesn't need to run gpupdate on 569 clients - he just waits for the automatic update interval. The gpupdate command is for special circumstances. If you have a KB article or something I'd appreciate the reference. So far every KB article I have found states that you run gpupdate on the client you are trouble shooting.

Sorry for the confusion. This was just from my experience that when I change something in the Domain Default Policy and want it to take effect immediatly, I run the gpupdate /force command. Then I check one or two of the client machines to see if the policy was applied. It normally is and then I assume it was applied to the rest of the client machines as well.

Mishra · February 2008

nazzeem wrote:

Running "gpupdate /force" on the domain controller will download the latest Group Policy settings to client computers.

http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgapxb.mspx

Some info on gpupdate with WSUS
http://www.wsus.info/forums/lofiversion/index.php?t7861.html

And heres Google
http://www.google.co.za/search?source=ig&hl=en&rlz=&q=gpupdate+%2Fforce&meta=

I see "7.

Execute gpupdate /force on the domain controller to download the latest Group Policy settings."

In the first link you provided. Which should mean that they are just asking you to update the group policy settings on the domain controller.

I hope you aren't taking this offensively by the way, I am just curious about this as well.

sprkymrk · February 2008

No problem, I am all for learning something new. Your first link is a bit unclear - read it in it's context of having just made changes to the domain structure itself (adding OU's and such) - it doesn't actually say that it updates the clients. Then in the very next chapter it states that you must run gpupdate on the clients.

I am checking your other links now, thanks.

Mishra · February 2008

To the author of the topic, make sure that your policy as been Link Enabled (by seeing a check mark beside the name).

nazzeem · February 2008

Mishra wrote:

nazzeem wrote:

Running "gpupdate /force" on the domain controller will download the latest Group Policy settings to client computers.

http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgapxb.mspx

Some info on gpupdate with WSUS
http://www.wsus.info/forums/lofiversion/index.php?t7861.html

And heres Google
http://www.google.co.za/search?source=ig&hl=en&rlz=&q=gpupdate+%2Fforce&meta=

I see "7.

Execute gpupdate /force on the domain controller to download the latest Group Policy settings."

In the first link you provided. Which should mean that they are just asking you to update the group policy settings on the domain controller.

I hope you aren't taking this offensively by the way, I am just curious about this as well.

I am here to learn and I need to pass 70-290 first time. So no offence taken.

aoe · February 2008

nazzeem wrote:

Check whether other policies is applied to the domain computers e.g "strong password policy" etc. If this works then maybe you could try to rejoin the workstation with the domain. I am also studying WSUS for 291. So I might not have a solution for you.

But I what I would do is:

1.) Make sure the workstation is joined properly with the domain, and rejoin it if required.

I demoted and then rejoined the domain yesterday and nothing

2.) Check if other policies is applied to the workstation.

The only one showing applied when gpresult is called is Default Domain Policy

3.) Check if these keys exesits in the workstations registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

These keys do not exist.

4.) Run the command "wuauclt /detectnow" from command prompt to force your workstation to search for WSUS servers.

I did that and nothing

5.) Check the workstations %windir% for the WindowsUpdate.log file and check in it for * WSUS server: <NULL> and * WSUS status server: <NULL>. Check if it points to your WSUS Server.

Server is not listed

There are probably other things you can do as well.

Thanks for the replies...

snadam · February 2008

Mishra wrote:

I see "7.

Execute gpupdate /force on the domain controller to download the latest Group Policy settings."

In the first link you provided. Which should mean that they are just asking you to update the group policy settings on the domain controller.

I hope you aren't taking this offensively by the way, I am just curious about this as well.

I also saw that. It clearly states where you run it and what happens...Im really surprised there is very little press on this seeming that its quite a handy piece of time-saving info!

aoe · February 2008

Mishra wrote:

To the author of the topic, make sure that your policy as been Link Enabled (by seeing a check mark beside the name).

Yes link is enabled.
Thanks

sprkymrk · February 2008

A Description of the Group Policy Update Utility

I would think if you could simply execute gpupdate on a DC to initiate updates on all downlevel clients it would say so in the above link. It does not make any mention of such though.

Refresh Group Policy settings with GPUpdate.exe

The gpupdate command refreshes local and Active Directory–based Group Policy settings, including security settings on the computer from where it is run.

Just a couple of many examples I have found. I have still never seen a single article specifically stating that running it on a DC will update clients.

I am still okay with being proven wrong, if someone has a good link.

Mishra · February 2008

aoe wrote:

Mishra wrote:

To the author of the topic, make sure that your policy as been Link Enabled (by seeing a check mark beside the name).

Yes link is enabled.
Thanks

Are you using the GPMC?

A couple of screenshots from the GPMC might help us find a problem quicker if you are willing.

sprkymrk · February 2008

snadam wrote:

Mishra wrote:

I see "7.

Execute gpupdate /force on the domain controller to download the latest Group Policy settings."

In the first link you provided. Which should mean that they are just asking you to update the group policy settings on the domain controller.

I hope you aren't taking this offensively by the way, I am just curious about this as well.

I also saw that. It clearly states where you run it and what happens...Im really surprised there is very little press on this seeming that its quite a handy piece of time-saving info!

I don't think it's clear at all - see my other post.

nazzeem · February 2008

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

These keys must exist in the client machine registry else the pc wil NOT update from WSUS. Just today I updated a machine not belonging to the domain by just adding those registry keys and running the command "wuauclt /detectnow". You will not see anything after running the command. When adding the keys manually, the PC have to be rebooted first.

I am installing & configurating WSUS 3.0 with SP1 on one of our clients SBS2003 Servers as we speak. Will let you know how it went.

aoe · February 2008

nazzeem wrote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

These keys must exist in the client machine registry else the pc wil NOT update from WSUS. Just today I updated a machine not belonging to the domain by just adding those registry keys and running the command "wuauclt /detectnow". You will not see anything after running the command. When adding the keys manually, the PC have to be rebooted first.

I am installing & configurating WSUS 3.0 with SP1 on one of our clients SBS2003 Servers as we speak. Will let you know how it went.

I can try that to see if it fixes the WSUS problem. But then i am left with a problem as to why the GPO settings are not being accepted?

sprkymrk · February 2008

aoe wrote:

nazzeem wrote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

These keys must exist in the client machine registry else the pc wil NOT update from WSUS. Just today I updated a machine not belonging to the domain by just adding those registry keys and running the command "wuauclt /detectnow". You will not see anything after running the command. When adding the keys manually, the PC have to be rebooted first.

I am installing & configurating WSUS 3.0 with SP1 on one of our clients SBS2003 Servers as we speak. Will let you know how it went.

I can try that to see if it fixes the WSUS problem. But then i am left with a problem as to why the GPO settings are not being accepted?

Okay, dumb question - are the computers in question located in the OU to which the GPO is applied? You didn't apply the GPO to the default Computers container, did you?

Can you apply the WSUS settings directly to the Default Domain Policy and see if it works then?

nazzeem · February 2008

aoe wrote:

nazzeem wrote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

These keys must exist in the client machine registry else the pc wil NOT update from WSUS. Just today I updated a machine not belonging to the domain by just adding those registry keys and running the command "wuauclt /detectnow". You will not see anything after running the command. When adding the keys manually, the PC have to be rebooted first.

I am installing & configurating WSUS 3.0 with SP1 on one of our clients SBS2003 Servers as we speak. Will let you know how it went.

I can try that to see if it fixes the WSUS problem. But then i am left with a problem as to why the GPO settings are not being accepted?

Like I said before, check to see if other policies are applied to the workstation? In your Default Domain Policy, change the policy for e.g "Complex Password", do a gpupdate /force on the DC and check the policy is applied to the workstation?

aoe · February 2008

aoe wrote:

nazzeem wrote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

These keys must exist in the client machine registry else the pc wil NOT update from WSUS. Just today I updated a machine not belonging to the domain by just adding those registry keys and running the command "wuauclt /detectnow". You will not see anything after running the command. When adding the keys manually, the PC have to be rebooted first.

I am installing & configurating WSUS 3.0 with SP1 on one of our clients SBS2003 Servers as we speak. Will let you know how it went.

I can try that to see if it fixes the WSUS problem. But then i am left with a problem as to why the GPO settings are not being accepted?

Ok that fixed the WSUS issues. Computer is now listed in unassigned computers. So the issue is why is the gpo not being applied?

aoe · February 2008

sprkymrk wrote:

aoe wrote:

nazzeem wrote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

These keys must exist in the client machine registry else the pc wil NOT update from WSUS. Just today I updated a machine not belonging to the domain by just adding those registry keys and running the command "wuauclt /detectnow". You will not see anything after running the command. When adding the keys manually, the PC have to be rebooted first.

I am installing & configurating WSUS 3.0 with SP1 on one of our clients SBS2003 Servers as we speak. Will let you know how it went.

I can try that to see if it fixes the WSUS problem. But then i am left with a problem as to why the GPO settings are not being accepted?

Okay, dumb question - are the computers in question located in the OU to which the GPO is applied? You didn't apply the GPO to the default Computers container, did you?

Can you apply the WSUS settings directly to the Default Domain Policy and see if it works then?

I have a seperate OU for this account and that is where the gpo is linked to.

I can try doing it to the default domain, is that ok to do?

sprkymrk · February 2008

aoe wrote:

I can try doing it to the default domain, is that ok to do?

It's not considered a "best practice" to modify the default domain policy, but for a minor change like this and for testing it's fine.

aoe · February 2008

i believe i figured it out. I talked to a buddy and he mentioned that the GPO i created and was trying to be applied to a user that had administrative properties.

Is it true that this gpo could not be applied if the user was an administrator?

nazzeem · February 2008

aoe wrote:

i believe i figured it out. I talked to a buddy and he mentioned that the GPO i created and was trying to be applied to a user that had administrative properties.

Is it true that this gpo could not be applied if the user was an administrator?

I dont think so because the WSUS policy is applied on the computer level not user level. So no matter who logs on it will still get updates via WSUS. As per the reg entries which is applied to the Local_Machine and not Current User or Users :

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

undomiel · February 2008

Back to gpupdate topic this: http://technet2.microsoft.com/windowsserver/en/library/6880fef3-76b7-4eb3-b993-fa00799615851033.mspx?mfr=true states that gpupdate refreshes the local policies only. I can also assure you that from real life testing that executing a gpupdate /force on the DC will not force updates out to all the clients. If one wants to update all the clients though without waiting for the standard refresh interval one could use psexec which is at http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Just a bit of scripting magic combined with psexec or even just a plain text list of the computers combined with psexec and you'll be updating all of your clients easily.

As for the GPO not applying I would concur with checking your OU and also any security group filtering going on. Any WMI filters as well if you're applying that. Also check and make sure that nothing is blocking the policy. You can also enable userenv logging and check the logs to see why the policy is not applying. More information on that here: http://technet2.microsoft.com/windowsserver/en/library/0907105e-7856-4c93-b97f-a9a306623af51033.mspx?mfr=true . My experience so far is that it is either a weird security issue or a DNS issue. On a few systems at work here that had 1Gb ethernet cards the network wasn't coming up fast enough so the system would defer applying group policy and then once the user was logged in the computer level policies would not apply. I had to change the timeout values for the computer so that the computer policies would apply. It doesn't sound like you're experiencing the same problem but it could still be something to check into.

aoe · February 2008

nazzeem wrote:

aoe wrote:

i believe i figured it out. I talked to a buddy and he mentioned that the GPO i created and was trying to be applied to a user that had administrative properties.

Is it true that this gpo could not be applied if the user was an administrator?

I dont think so because the WSUS policy is applied on the computer level not user level. So no matter who logs on it will still get updates via WSUS. As per the reg entries which is applied to the Local_Machine and not Current User or Users :

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://your-wsus-server"
"WUStatusServer"="http://http://your-wsus-server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

Ya you know what, now that i think about it you are right. It is at the computer level not the user level. But the user that the gpo is being applied to is a administrator.

There is no wmi filtering involved.
Weird.

WSUS 3.0 won't list computers & gpo not being applied?

Comments