  1. aoe
    Member
    Join Date
    Jan 2008
    Posts
    32

    Certifications
    A+, MCP
    #26

    Re: Keys must exist

    Quote Originally Posted by sprkymrk
    Quote Originally Posted by aoe
    Quote Originally Posted by nazzeem
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http://your-wsus-server"
    "WUStatusServer"="http://your-wsus-server"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "UseWUServer"=dword:00000001

    These keys must exist in the client machine registry, else the PC will NOT update from WSUS. Just today I updated a machine not belonging to the domain by just adding those registry keys and running the command "wuauclt /detectnow". You will not see anything after running the command. When adding the keys manually, the PC has to be rebooted first.

    I am installing & configuring WSUS 3.0 with SP1 on one of our clients' SBS2003 Servers as we speak. Will let you know how it went.
    I can try that to see if it fixes the WSUS problem. But then I am left with a problem as to why the GPO settings are not being accepted?
    Okay, dumb question - are the computers in question located in the OU to which the GPO is applied? You didn't apply the GPO to the default Computers container, did you?

    Can you apply the WSUS settings directly to the Default Domain Policy and see if it works then?
    I have a separate OU for this account and that is where the GPO is linked to.

    I can try doing it to the default domain, is that ok to do?

  3. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #27

    Re: Keys must exist

    Quote Originally Posted by aoe
    I can try doing it to the default domain, is that ok to do?
    It's not considered a "best practice" to modify the default domain policy, but for a minor change like this and for testing it's fine.

  4. aoe
    #28
    I believe I figured it out. I talked to a buddy and he mentioned that the GPO I created and was trying to be applied to a user that had administrative properties.

    Is it true that this GPO could not be applied if the user was an administrator?

  5. Member
    Join Date
    Feb 2008
    Location
    South Africa
    Posts
    33

    Certifications
    MCP (70-270, 70-290)
    #29

    Not sure

    Quote Originally Posted by aoe
    I believe I figured it out. I talked to a buddy and he mentioned that the GPO I created and was trying to be applied to a user that had administrative properties.

    Is it true that this GPO could not be applied if the user was an administrator?

    I don't think so because the WSUS policy is applied at the computer level, not the user level. So no matter who logs on it will still get updates via WSUS. As per the reg entries, which are applied to Local_Machine and not Current User or Users:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http://your-wsus-server"
    "WUStatusServer"="http://your-wsus-server"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "UseWUServer"=dword:00000001
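
A read-only check of the client-side values quoted in the posts above, as an added example that is not part of any poster's message. It assumes PowerShell 3.0 or later on the client; the function name is hypothetical, and the rule that `WUServer` and `WUStatusServer` must match comes from Microsoft's documentation of these values, not from the thread.

```powershell
# Added example, not from the thread: read-only check of the WSUS client
# policy values. Run it on the client PC; it changes nothing.
function Test-WsusClientPolicy {
    [CmdletBinding()]
    param(
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $notes    = New-Object 'System.Collections.Generic.List[string]'

    # Both keys live under HKLM: they are computer policy, so the result
    # does not depend on which user is logged on.
    $wu = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyRoot\AU" -ErrorAction SilentlyContinue

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = if ($wu) { $wu.$name } else { $null }
        if ([string]::IsNullOrEmpty($value)) {
            $findings.Add("$name is not set")
        }
        elseif ($value -notmatch '^https?://[^/:\s]+(:\d+)?/?$') {
            # Catches typos such as a doubled scheme or a stray space.
            $findings.Add("$name is not a well-formed URL: '$value'")
        }
        elseif ($value -like 'http://*') {
            $notes.Add("$name uses plain HTTP; WSUS can also be published over HTTPS")
        }
    }

    # The two server values are a pair and are expected to be identical.
    if ($wu -and $wu.WUServer -ne $wu.WUStatusServer) {
        $findings.Add('WUServer and WUStatusServer differ')
    }

    # Without UseWUServer=1 the client ignores the server values above.
    $useWu = if ($au) { $au.UseWUServer } else { $null }
    if ($useWu -ne 1) {
        $findings.Add("AU\UseWUServer is '$useWu', expected 1")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
        Notes     = $notes.ToArray()
    }
}

Test-WsusClientPolicy | Format-List
```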

  6. Virtual Member undomiel's Avatar
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #30
    Back to gpupdate topic this: http://technet2.microsoft.com/window....mspx?mfr=true states that gpupdate refreshes the local policies only. I can also assure you that from real life testing that executing a gpupdate /force on the DC will not force updates out to all the clients. If one wants to update all the clients though without waiting for the standard refresh interval one could use psexec which is at http://technet.microsoft.com/en-us/s.../bb897553.aspx

    Just a bit of scripting magic combined with psexec or even just a plain text list of the computers combined with psexec and you'll be updating all of your clients easily.

    As for the GPO not applying I would concur with checking your OU and also any security group filtering going on. Any WMI filters as well if you're applying that. Also check and make sure that nothing is blocking the policy. You can also enable userenv logging and check the logs to see why the policy is not applying. More information on that here: http://technet2.microsoft.com/window....mspx?mfr=true . My experience so far is that it is either a weird security issue or a DNS issue. On a few systems at work here that had 1Gb ethernet cards the network wasn't coming up fast enough so the system would defer applying group policy and then once the user was logged in the computer level policies would not apply. I had to change the timeout values for the computer so that the computer policies would apply. It doesn't sound like you're experiencing the same problem but it could still be something to check into.

  7. aoe
    #31

    Re: Not sure

    Quote Originally Posted by nazzeem
    Quote Originally Posted by aoe
    I believe I figured it out. I talked to a buddy and he mentioned that the GPO I created and was trying to be applied to a user that had administrative properties.

    Is it true that this GPO could not be applied if the user was an administrator?

    I don't think so because the WSUS policy is applied at the computer level, not the user level. So no matter who logs on it will still get updates via WSUS. As per the reg entries, which are applied to Local_Machine and not Current User or Users:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http://your-wsus-server"
    "WUStatusServer"="http://your-wsus-server"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "UseWUServer"=dword:00000001
    Ya you know what, now that I think about it you are right. It is at the computer level, not the user level. But the user that the GPO is being applied to is an administrator.

    There is no WMI filtering involved.
    Weird.

  8. MIPS processor please Mishra's Avatar
    Join Date
    Feb 2007
    Location
    Ashburn, VA
    Posts
    2,468

    Certifications
    MCSA:2012, MCITP:EA/SA, MCSE 2003, MCTS: Vista, VCP4, AAS
    #32
    GPOs are applied to all users who are listed in your security listing (delegation), which is Authenticated Users by default. So even administrators will receive the policies applied. Only way to disable the GPO is to set the "apply group policy: Deny" security setting (which you might have too).


    "I have a separate OU for this account and that is where the gpo is linked to."
    You have the computer object in this separate OU? If you only have the user object then it isn't going to apply the WSUS computer settings.

  9. aoe
    #33
    Quote Originally Posted by Mishra
    "I have a separate OU for this account and that is where the gpo is linked to."
    You have the computer object in this separate OU? If you only have the user object then it isn't going to apply the WSUS computer settings.
    Why would I put the computer object in the OU? I have all the computer objects listed in "Computers" in Active Directory Users and Computers.

    I am confused by what you mean.

  10. Virtual Member undomiel's Avatar
    #34
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.

  11. aoe
    #35
    Quote Originally Posted by undomiel
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.
    I moved the computer into the GPO for the WSUS update. On the client computer did a gpupdate /force, ran gpresult and the GPO is still not applied.

    ?????

  12. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #36
    You would put your computers in separate OUs for various reasons. But, to stay on topic, let's say you want to enable Client-Side targeting for your WSUS server to keep from having to manually sort the computers in the WSUS server. Having the PCs in separate OUs here will allow you to set the Group Policy client side targeting for each computer in that OU. You may have a department that you test updates on after having been tested in your lab. By using client-side targeting with computers in separate OUs, you can simply approve the Updates in WSUS for that group of PCs with minimal effort.

    That is just one example of why you should have OUs for your PCs and not leave them in the default Computers Container.

    gpupdate does have to be run directly from the PC that you are wanting to update new policy changes on if you want them effective immediately.

  13. MIPS processor please Mishra's Avatar
    #37
    Quote Originally Posted by aoe
    Quote Originally Posted by undomiel
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.
    I moved the computer into the GPO for the WSUS update. On the client computer did a gpupdate /force, ran gpresult and the GPO is still not applied.

    ?????
    Are you using the GPMC?

  14. Infrequent Poster Silver Bullet's Avatar
    #38
    Quote Originally Posted by aoe
    Quote Originally Posted by undomiel
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.
    I moved the computer into the GPO for the WSUS update. On the client computer did a gpupdate /force, ran gpresult and the GPO is still not applied.

    ?????
    Did you mean that you moved the computer into the OU?

  15. aoe
    #39
    Quote Originally Posted by Mishra
    Quote Originally Posted by aoe
    Quote Originally Posted by undomiel
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.
    I moved the computer into the GPO for the WSUS update. On the client computer did a gpupdate /force, ran gpresult and the GPO is still not applied.

    ?????
    Are you using the GPMC?
    Yes

  16. aoe
    #40
    Quote Originally Posted by Silver Bullet
    Quote Originally Posted by aoe
    Quote Originally Posted by undomiel
    Since the GPO applies only to the computers setting and not the user setting you need to have the computer object in the OU that you are applying the settings to. You can only apply a WSUS GPO to computer objects, not user accounts.
    I moved the computer into the GPO for the WSUS update. On the client computer did a gpupdate /force, ran gpresult and the GPO is still not applied.

    ?????
    Did you mean that you moved the computer into the OU?
    Yes

  17. mikej412's caddy sprkymrk's Avatar
    #41
    Quote Originally Posted by undomiel
    Back to gpupdate topic this: http://technet2.microsoft.com/window....mspx?mfr=true states that gpupdate refreshes the local policies only. I can also assure you that from real life testing that executing a gpupdate /force on the DC will not force updates out to all the clients. If one wants to update all the clients though without waiting for the standard refresh interval one could use psexec which is at http://technet.microsoft.com/en-us/s.../bb897553.aspx

    Just a bit of scripting magic combined with psexec or even just a plain text list of the computers combined with psexec and you'll be updating all of your clients easily.
    Thank you. That's exactly what I have always done (scripting), and as I stated before - in all the technet/kb articles I have seen, nowhere did it ever mention that running gpupdate on a DC forces updates out to clients. It has also been my experience that it doesn't work, but since every environment has its own variables I wanted to avoid stating that just because it didn't work for me it wouldn't work for anyone. However, that is also why I did request that anyone wanting to prove me wrong show me something official from MS.

    Thanks again for your input.

  18. mikej412's caddy sprkymrk's Avatar
    #42
    Quote Originally Posted by aoe
    Why would I put the computer object in the OU? I have all the computer objects listed in "Computers" in Active Directory Users and Computers.
    That's why I asked you earlier:

    Quote Originally Posted by sprkymrk
    Okay, dumb question - are the computers in question located in the OU to which the GPO is applied? You didn't apply the GPO to the default Computers container, did you?


    Now that you have the computer in the OU in which you applied the GPO, it should work. Have you rebooted since running gpupdate /force? Then run gpresult and let us know. Unless something else is messed up (which could be the case once you've been troubleshooting something long enough, settings tend to get changed along the way and forgotten) it should work.

  19. Infrequent Poster Silver Bullet's Avatar
    #43
    While in GPMC, when you click on the OU that you moved the computer to, does the GPO show in the Linked Group Policy Objects tab?

  20. aoe
    #44
    I fixed it!!!! and learned some stuff while doing it.

    So I created a test OU, added a security group to it, assigned the computer and user to the security group, then added the security group to the security filtering on the GPO.

    Thanks for all the advice in here, this is further helping me prepare for the dreaded 291

  21. MIPS processor please Mishra's Avatar
    #45
    Quote Originally Posted by aoe
    I fixed it!!!! and learned some stuff while doing it.

    So I created a test OU, added a security group to it, assigned the computer and user to the security group, then added the security group to the security filtering on the GPO.

    Thanks for all the advice in here, this is further helping me prepare for the dreaded 291
    It doesn't have to be a part of a security group for it to work. This is pretty important to understand as most environments don't have users and computers in security groups to apply GPOs.

    "Authenticated Users" should be sufficient as your security filtering for the GPO to apply correctly.

    If you take the user and computer out of the security group (keep it in the same OU) and remove the security group from your security filtering then it will work fine.

  22. aoe
    #46
    Quote Originally Posted by Mishra
    Quote Originally Posted by aoe
    I fixed it!!!! and learned some stuff while doing it.

    So I created a test OU, added a security group to it, assigned the computer and user to the security group, then added the security group to the security filtering on the GPO.

    Thanks for all the advice in here, this is further helping me prepare for the dreaded 291
    It doesn't have to be a part of a security group for it to work. This is pretty important to understand as most environments don't have users and computers in security groups to apply GPOs.

    "Authenticated Users" should be sufficient as your security filtering for the GPO to apply correctly.

    If you take the user and computer out of the security group (keep it in the same OU) and remove the security group from your security filtering then it will work fine.
    Ya I jumped too soon, I thought I had it fixed. It was applied but now it's not....hmmm

    And doing what was mentioned above does not work, gpresult still does not show it applied.

  23. ROFL-Copter pilot snadam's Avatar
    Join Date
    Dec 2006
    Location
    AZ
    Posts
    2,235

    Certifications
    JNCIP-SEC, JNCIS-SEC, JNCIA-JunOS, CCNA, CCENT, MCSE 2003, MCSA 2003, MCP, Network+, Security+
    #47
    As most already pointed out, it's considered a best practice to place the computer accounts from the "Computers" container into an OU, so you can apply GPOs to it. Also, don't forget the LSDOU model when applying GPOs. Might be stating the obvious here, but it almost sounds like an issue is lying within the AD/GPO setup. I'm basing this on the very little that I have read in this thread, so sorry if it's off base.

  24. MIPS processor please Mishra's Avatar
    #48
    Quote Originally Posted by aoe

    Ya I jumped too soon, I thought I had it fixed. It was applied but now it's not....hmmm

    And doing what was mentioned above does not work, gpresult still does not show it applied.
    Can you post screen shots of your gpresult and GPMC scope, details, and delegation tabs?

  25. mikej412's caddy sprkymrk's Avatar
    #49
    Another lesson:

    GPO's never have and never will apply to security groups. They apply only to either the USER or COMPUTER object in the OU, Site, or Domain.

    You can filter using ACL's and security groups, but you can never apply a GPO to a Security Group.

    Honestly I think you are making this more difficult than it needs to be. Try this (and nothing more, nothing less):

    1. Create a GPO called WSUS - apply the appropriate settings.
    2. Create an OU called Workstations.
    3. Apply the WSUS GPO to the Workstations OU.
    4. Move a domain computer account to the Workstations OU.
    5. Run gpupdate /force /boot on the workstation. Let it restart.
    6. Check with gpresult.

    Let us know if this works. Keep it simple, and we can go from there.
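
The six steps in the post above, scripted as an added example that is not part of the original post. It assumes the GroupPolicy and ActiveDirectory modules (RSAT) on an admin workstation and PowerShell 3.0 or later; the function name and all parameter values are hypothetical placeholders, and it also reports the condition the thread kept running into, a computer account still sitting in the default Computers container.

```powershell
# Added example, not from the thread. Steps 1-4 run from an admin
# workstation; steps 5-6 run on the client itself (see the end).
Import-Module GroupPolicy, ActiveDirectory

function New-WsusTestScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$DomainDn,      # placeholder, e.g. 'DC=example,DC=test'
        [Parameter(Mandatory)] [string]$ComputerName,  # placeholder workstation name
        [Parameter(Mandatory)] [string]$WsusUrl,       # placeholder, e.g. 'http://your-wsus-server'
        [string]$GpoName = 'WSUS',
        [string]$OuName  = 'Workstations'
    )
    $ouDn  = "OU=$OuName,$DomainDn"
    $wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    # 1. Create the GPO and set the computer-side values from the thread.
    New-GPO -Name $GpoName | Out-Null
    foreach ($valueName in 'WUServer', 'WUStatusServer') {
        Set-GPRegistryValue -Name $GpoName -Key $wuKey -ValueName $valueName `
            -Type String -Value $WsusUrl | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName -Key "$wuKey\AU" -ValueName 'UseWUServer' `
        -Type DWord -Value 1 | Out-Null

    # 2. Create the OU.
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn

    # 3. Link the GPO to the OU. Security filtering stays at the default
    #    (Authenticated Users), which already includes computer accounts.
    New-GPLink -Name $GpoName -Target $ouDn | Out-Null

    # 4. Move the computer account. CN=Computers is a container, not an OU,
    #    so no GPO can be linked to it directly.
    $computer = Get-ADComputer -Identity $ComputerName
    $wasInDefaultContainer = $computer.DistinguishedName -like "CN=*,CN=Computers,$DomainDn"
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn

    # Report where the account is now and which GPOs are linked to the OU.
    [pscustomobject]@{
        Computer              = (Get-ADComputer -Identity $ComputerName).DistinguishedName
        WasInDefaultContainer = $wasInDefaultContainer
        LinkedGpos            = (Get-GPInheritance -Target $ouDn).GpoLinks.DisplayName
    }
}

# Steps 5 and 6, typed on the workstation after the move:
#   gpupdate /force /boot
#   gpresult /r /scope computer
```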

  26. aoe
    #50
    Quote Originally Posted by sprkymrk
    Another lesson:

    GPO's never have and never will apply to security groups. They apply only to either the USER or COMPUTER object in the OU, Site, or Domain.

    You can filter using ACL's and security groups, but you can never apply a GPO to a Security Group.

    Honestly I think you are making this more difficult than it needs to be. Try this (and nothing more, nothing less):

    1. Create a GPO called WSUS - apply the appropriate settings.
    2. Create an OU called Workstations.
    3. Apply the WSUS GPO to the Workstations OU.
    4. Move a domain computer account to the Workstations OU.
    5. Run gpupdate /force /boot on the workstation. Let it restart.
    6. Check with gpresult.

    Let us know if this works. Keep it simple, and we can go from there.
    What's the saying, KISS: keep.it.simple.stupid.

    So what I learned was that I need the computer in the OU that I want computer settings applied to from a GPO. Thanks, and sorry for all the confusion. Something so simple took so long to find a resolution.
    Thanks for the help! What a great board this is....
