WSUS 3.0 won't list computers & gpo not being applied?

Comments

  • Mishra Member Posts: 2,468
    GPOs are applied to all users who are listed in your security listing (delegation), which is authenticated users by default. So even administrators will receive the policies applied. Only way to disable the GPO is to set the "apply group policy: Deny" security setting (which you might have too).


    "have a separate OU for this account and that is where the gpo is linked to."
    You have the computer object in this separate OU? If you only have the user object then it isn't going to apply the WSUS computer settings.
    My blog http://www.calegp.com

    You may learn something!
  • aoe Member Posts: 32
    Mishra wrote:
    "have a separate OU for this account and that is where the gpo is linked to."
    You have the computer object in this separate OU? If you only have the user object then it isn't going to apply the WSUS computer settings.

    Why would i put the computer object in the OU. I have all the computer object listed in the "Computers" in active directory users and computers?

    I am confused by what you mean.
  • undomiel Member Posts: 2,818
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • aoe Member Posts: 32
    undomiel wrote:
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.

    I moved the computer into the gpo for the wsus update. on the client computer did a gpupdate /force, ran gpresult and the gpo is still not applied.

    ?????
  • Silver Bullet Member Posts: 676
    You would put your computers in separate OUs for various reasons. But, to stay on topic, let's say you want to enable Client-Side targeting for your WSUS server to keep from having to manually sort the computers in the WSUS server. Having the PCs in separate OUs here will allow you to set the Group Policy client side targeting for each computer in that OU. You may have a department that you test updates on after having been tested in your lab. By using client-side targeting with computers in separate OUs, you can simply approve the Updates in WSUS for that group of PCs with minimal effort.

    That is just one example of why you should have OUs for your PCs and not leave them in the default Computers Container.

    gpupdate does have to be run directly from the PC that you are wanting to update new policy changes on if you want them effective immediately.
  • Mishra Member Posts: 2,468
    aoe wrote:
    undomiel wrote:
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.

    I moved the computer into the gpo for the wsus update. on the client computer did a gpupdate /force, ran gpresult and the gpo is still not applied.

    ?????

    Are you using the GPMC?
    My blog http://www.calegp.com

    You may learn something!
  • Silver Bullet Member Posts: 676
    aoe wrote:
    undomiel wrote:
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.

    I moved the computer into the gpo for the wsus update. on the client computer did a gpupdate /force, ran gpresult and the gpo is still not applied.

    ?????

    Did you mean that you moved the computer into the OU?
  • aoe Member Posts: 32
    Mishra wrote:
    aoe wrote:
    undomiel wrote:
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.

    I moved the computer into the gpo for the wsus update. on the client computer did a gpupdate /force, ran gpresult and the gpo is still not applied.

    ?????

    Are you using the GPMC?

    Yes
  • aoe Member Posts: 32
    aoe wrote:
    undomiel wrote:
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.

    I moved the computer into the gpo for the wsus update. on the client computer did a gpupdate /force, ran gpresult and the gpo is still not applied.

    ?????

    Did you mean that you moved the computer into the OU?

    Yes
  • sprkymrk Member Posts: 4,884
    undomiel wrote:
    Back to gpupdate topic this: http://technet2.microsoft.com/windowsserver/en/library/6880fef3-76b7-4eb3-b993-fa00799615851033.mspx?mfr=true states that gpupdate refreshes the local policies only. I can also assure you that from real life testing that executing a gpupdate /force on the DC will not force updates out to all the clients. If one wants to update all the clients though without waiting for the standard refresh interval one could use psexec which is at http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

    Just a bit of scripting magic combined with psexec or even just a plain text list of the computers combined with psexec and you'll be updating all of your clients easily.

    Thank you. That's exactly what I have always done (scripting), and as I stated before - in all the technet/kb articles I have seen, nowhere did it ever mention that running gpupdate on a DC forces updates out to clients. It has also been my experience that it doesn't work, but since every environment has its own variables I wanted to avoid stating that just because it didn't work for me it wouldn't work for anyone. However, that is also why I did request that anyone wanting to prove me wrong show me something official from MS.

    Thanks again for your input. :)
    All things are possible, only believe.
  • sprkymrk Member Posts: 4,884
    aoe wrote:
    Why would i put the computer object in the OU. I have all the computer object listed in the "Computers" in active directory users and computers?

    That's why I asked you earlier:
    sprkymrk wrote:
    Okay, dumb question - are the computers in question located in the OU to which the GPO is applied? You didn't apply the GPO to the default Computers container, did you?

    :)

    Now that you have the computer in the OU in which you applied the GPO, it should work. Have you rebooted since running gpupdate /force? Then run gpresult and let us know. Unless something else is messed up (which could be the case once you've been troubleshooting something long enough, settings tend to get changed along the way and forgotten) it should work.
    All things are possible, only believe.
  • Silver Bullet Member Posts: 676
    While in GPMC, when you click on the OU that you moved the computer to, does the GPO show in the Linked Group Policy Objects tab?
  • aoe Member Posts: 32
    I fixed it!!!! and learned some stuff while doing it.

    So i created a test ou, added a security group to it, assigned the computer and user to the security group, then added the security group to the security filtering on the gpo.

    thanks for all the advice in here, this is further helping me prepare for the dreaded 291 ;)
  • Mishra Member Posts: 2,468
    aoe wrote:
    I fixed it!!!! and learned some stuff while doing it.

    So i created a test ou, added a security group to it, assigned the computer and user to the security group, then added the security group to the security filtering on the gpo.

    thanks for all the advice in here, this is further helping me prepare for the dreaded 291 ;)

    It doesn't have to be a part of a security group for it to work. This is pretty important to understand as most environments don't have users and computers in security groups to apply GPOs.

    "Authenticated Users" should be sufficient as your security filtering for the GPO to apply correctly.

    If you take the user and computer out of the security group (keep it in the same OU) and remove the security group from your security filtering then it will work fine.
    My blog http://www.calegp.com

    You may learn something!
  • aoe Member Posts: 32
    Mishra wrote:
    aoe wrote:
    I fixed it!!!! and learned some stuff while doing it.

    So i created a test ou, added a security group to it, assigned the computer and user to the security group, then added the security group to the security filtering on the gpo.

    thanks for all the advice in here, this is further helping me prepare for the dreaded 291 ;)

    It doesn't have to be a part of a security group for it to work. This is pretty important to understand as most environments don't have users and computers in security groups to apply GPOs.

    "Authenticated Users" should be sufficient as your security filtering for the GPO to apply correctly.

    If you take the user and computer out of the security group (keep it in the same OU) and remove the security group from your security filtering then it will work fine.

    Ya i jumped too soon, i thought i had it fixed. it was applied but now it's not....hmmm

    and doing what mentioned above does not work, gpresult still does not show it applied.
  • snadam Member Posts: 2,234
    as most already pointed out, it's considered a best practice to place the computer accounts from the "Computers" container into an OU; so you can apply GPOs to it. Also, don't forget the LSDOU model also when applying GPOs. Might be stating the obvious here, but it almost sounds like an issue is lying within the AD/GPO setup. I'm basing this on the very little that I have read in this thread, so sorry if it's off base.
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • Mishra Member Posts: 2,468
    aoe wrote:

    Ya i jumped too soon, i thought i had it fixed. it was applied but now it's not....hmmm

    and doing what mentioned above does not work, gpresult still does not show it applied.

    Can you post screen shots of your gpresult and GPMC scope, details, and delegation tabs?
    My blog http://www.calegp.com

    You may learn something!
  • sprkymrk Member Posts: 4,884
    Another lesson:

    GPOs never have and never will apply to security groups. They apply only to either the USER or COMPUTER object in the OU, Site, or Domain.

    You can filter using ACLs and security groups, but you can never apply a GPO to a Security Group.

    Honestly I think you are making this more difficult than it needs to be. Try this (and nothing more, nothing less):

    1. Create a GPO called WSUS - apply the appropriate settings.
    2. Create an OU called Workstations.
    3. Apply the WSUS GPO to the Workstations OU.
    4. Move a domain computer account to the Workstations OU.
    5. Run gpupdate /force /boot on the workstation. Let it restart.
    6. Check with gpresult.

    Let us know if this works. Keep it simple, and we can go from there.
    All things are possible, only believe.
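
sprkymrk's six steps above, scripted as an added example (not code from the thread). It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, which are newer than the tools discussed here; the domain DN and computer name are constructed sample values, and the WSUS URL is the placeholder used elsewhere in the thread.

```powershell
# Added example, not from the thread. Run on a management host with RSAT.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=corp,DC=example'        # constructed sample domain
$computer = 'PC01'                      # constructed sample workstation
$wsusUrl  = 'http://your-wsus-server'   # placeholder used in the thread
$gpoName  = 'WSUS'
$ouDn     = "OU=Workstations,$domainDn"
$wuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1. Create the GPO and set the computer-side WSUS policy values.
New-GPO -Name $gpoName | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUServer' `
    -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUStatusServer' `
    -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName 'UseWUServer' `
    -Type DWord -Value 1 | Out-Null

# 2-4. Create the OU, link the GPO to it, move the computer account into it.
New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDn
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
Get-ADComputer -Identity $computer | Move-ADObject -TargetPath $ouDn

# Checks for the three things this thread tripped over:
# (a) the computer object (not just the user) sits under the linked OU
$dn = (Get-ADComputer -Identity $computer).DistinguishedName
if ($dn -notlike "*,$ouDn") { Write-Warning "$computer is not under $ouDn" }

# (b) the GPO is actually linked and enabled on that OU
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Order

# (c) security filtering: the computer account must be covered by a trustee
#     holding GpoApply (Authenticated Users includes computer accounts)
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5-6. On the workstation itself:
#   gpupdate /force /boot
#   gpresult /r /scope computer
```
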
  • aoe Member Posts: 32
    sprkymrk wrote:
    Another lesson:

    GPOs never have and never will apply to security groups. They apply only to either the USER or COMPUTER object in the OU, Site, or Domain.

    You can filter using ACLs and security groups, but you can never apply a GPO to a Security Group.

    Honestly I think you are making this more difficult than it needs to be. Try this (and nothing more, nothing less):

    1. Create a GPO called WSUS - apply the appropriate settings.
    2. Create an OU called Workstations.
    3. Apply the WSUS GPO to the Workstations OU.
    4. Move a domain computer account to the Workstations OU.
    5. Run gpupdate /force /boot on the workstation. Let it restart.
    6. Check with gpresult.

    Let us know if this works. Keep it simple, and we can go from there.

    whats the saying KISS keep.it.simple.stupid.

    So what i learned was that i need the computer in the ou that i want computer settings applied to from a gpo. Thanks, and sorry for all the confusion. Something so simple took so long to find a resolution.
    Thanks for the help! What a great board this is....
  • ehamouda Member Posts: 1
    You have to enable client-side targeting in your GPO.
    It's the same as the registry editing Nazeem wrote above.
    Let me know if it works.
  • sprkymrk Member Posts: 4,884
    aoe wrote:
    So what i learned was that i need the computer in the ou that i want computer settings applied to from a gpo. Thanks, and sorry for all the confusion. Something so simple took so long to find a resolution.
    Thanks for the help! What a great board this is....


    We're all glad to help. Thanks for posting back. :)
    All things are possible, only believe.
  • cacharo Member Posts: 361
    nazzeem wrote:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http://your-wsus-server"
    "WUStatusServer"="http://your-wsus-server"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "UseWUServer"=dword:00000001

    These keys must exist in the client machine registry else the pc will NOT update from WSUS. Just today I updated a machine not belonging to the domain by just adding those registry keys and running the command "wuauclt /detectnow". You will not see anything after running the command. When adding the keys manually, the PC has to be rebooted first.

    I am installing & configuring WSUS 3.0 with SP1 on one of our clients SBS2003 Servers as we speak. Will let you know how it went.

    What type of entries do these need to be? I seem to be having similar issues and do not see these keys in the registry.
    Treat people as if they were what they ought to be, and you help them become what they are capable of being.
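
A client-side check for the values in the quoted .reg fragment, added here as an example and not posted by anyone in the thread. In .reg syntax a quoted value is a string (REG_SZ) and `dword:` is a REG_DWORD, so the script expects those kinds; the function names are hypothetical.

```powershell
# Added example, not from the thread: run on the client in question.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$expected = @(
    @{ Path = $wu;      Name = 'WUServer';       Kind = 'String' }
    @{ Path = $wu;      Name = 'WUStatusServer'; Kind = 'String' }
    @{ Path = "$wu\AU"; Name = 'UseWUServer';    Kind = 'DWord'  }
)

function Get-WsusPolicyState {
    # Read each expected value with its registry kind, or mark it Missing.
    foreach ($e in $expected) {
        $key     = Get-Item -LiteralPath $e.Path -ErrorAction SilentlyContinue
        $present = $key -and ($key.GetValueNames() -contains $e.Name)
        [pscustomobject]@{
            Name   = $e.Name
            Value  = if ($present) { $key.GetValue($e.Name) } else { $null }
            Kind   = if ($present) { $key.GetValueKind($e.Name).ToString() } else { 'Missing' }
            Wanted = $e.Kind
        }
    }
}

function Test-WsusPolicy {
    $state    = @(Get-WsusPolicyState)
    $problems = @()
    foreach ($s in $state) {
        if ($s.Kind -eq 'Missing') {
            $problems += "$($s.Name) is missing (policy not applied to this computer)"
        } elseif ($s.Kind -ne $s.Wanted) {
            $problems += "$($s.Name) is $($s.Kind), expected $($s.Wanted)"
        } elseif ($s.Wanted -eq 'String' -and
                  $s.Value -notmatch '^https?://[^/:]+(:\d+)?/?$') {
            # Catches typos such as a doubled scheme ("http://http://...").
            $problems += "$($s.Name) is not a plain server URL: $($s.Value)"
        } elseif ($s.Name -eq 'UseWUServer' -and $s.Value -ne 1) {
            $problems += 'UseWUServer is not 1, so WUServer is ignored'
        }
    }
    $state | Format-Table -AutoSize | Out-String | Write-Host
    return $problems
}

$problems = Test-WsusPolicy
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'WSUS policy values are present with the expected types.' }
```
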