Guest MSExchangeStudent Posted August 27, 2007 Posted August 27, 2007 Hi all I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to change a GP setting through GP on the DC. On the DC i do the following : Right click DC OU in AD > Properties > group policy tab > open > under GPO > right click "new" > give it a name "WSUS 3.0 policy" > right click > edit > computer config > admin templates > windows components > windows update > disable "automatic update" setting > enable "sepcifiy intranet micrsoft update location > put the servername like this in both dialogue boxes http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the top window and select "enforce" > in the bottom Security Filtering window i did add the domain users group > OK IF i ask someone to log off and on again their gpedit still say "not configured" under "sepcifiy intranet micrsoft update location" - why is the setting not taking effect? Pls help urgently - thanks
Guest Florian Frommherz [MVP] Posted August 27, 2007 Posted August 27, 2007 Re: GPO doesn't take effect on the clients Howdie! You're posting to a whole lot of newsgroups. Do you know that? At least you could have set a follow up. Now follow up set to: microsoft.public.windows.group_policy MSExchangeStudent schrieb: > IF i ask someone to log off and on again their gpedit still say "not > configured" under "sepcifiy intranet micrsoft update location" - why is the > setting not taking effect? Don't look at gpedit.msc as it only shows the locally configured settings. It will NOT show the settings you configured via the domain. Try "rsop.msc" from the Run-dialog instead and see whether the policy shows up. Can see the policy there? Feel free to post your results in order to help us further investigate your problem. cheers, Florian -- Microsoft MVP - Windows Server - Group Policy. eMail: prename [at] frickelsoft [dot] net. blog: http://www.frickelsoft.net/blog.
Guest Bill Posted August 27, 2007 Posted August 27, 2007 Re: GPO doesn't take effect on the clients You won't get an automatic GPO refresh with a logon, you'll need to reboot or a specific GPO refresh like this: Force a GPO refresh: In Windows VistaT or Windows XP, run the following command: gpupdate /force In Windows 2000, run the following command: secedit /refreshpolicy machine_policy /enforce -b "MSExchangeStudent" <exchangestudent@newsgroups.com> wrote in message news:uKtnyTJ6HHA.1168@TK2MSFTNGP02.phx.gbl... > Hi all > > I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to > change a GP setting through GP on the DC. On the DC i do the following : > Right click DC OU in AD > Properties > group policy tab > open > under > GPO > > right click "new" > give it a name "WSUS 3.0 policy" > right click > > > edit computer config > admin templates > windows components > windows > > update > > disable "automatic update" setting > enable "sepcifiy intranet micrsoft > update location > put the servername like this in both dialogue boxes > http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the > top window and select "enforce" > in the bottom Security Filtering window > i did add the domain users group > OK > > IF i ask someone to log off and on again their gpedit still say "not > configured" under "sepcifiy intranet micrsoft update location" - why is > the setting not taking effect? > > Pls help urgently - thanks >
Guest Maddog Posted August 27, 2007 Posted August 27, 2007 RE: GPO doesn't take effect on the clients Try assigning your WSUS policy to "Computers" rather than users or user groups. "MSExchangeStudent" wrote: > Hi all > > I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to > change a GP setting through GP on the DC. On the DC i do the following : > Right click DC OU in AD > Properties > group policy tab > open > under GPO > > right click "new" > give it a name "WSUS 3.0 policy" > right click > edit > > computer config > admin templates > windows components > windows update > > disable "automatic update" setting > enable "sepcifiy intranet micrsoft > update location > put the servername like this in both dialogue boxes > http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the top > window and select "enforce" > in the bottom Security Filtering window i did > add the domain users group > OK > > IF i ask someone to log off and on again their gpedit still say "not > configured" under "sepcifiy intranet micrsoft update location" - why is the > setting not taking effect? > > Pls help urgently - thanks > > >
Guest Harry Johnston Posted August 27, 2007 Posted August 27, 2007 Re: GPO doesn't take effect on the clients MSExchangeStudent wrote: > I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to > change a GP setting through GP on the DC. On the DC i do the following : > Right click DC OU in AD > Do you mean the Domain Controllers OU? Any group policy set on this OU will only affect the domain controllers, not the client machines - unless you've moved the client machines into the Domain Controllers OU, which is probably a bad idea. Also, it is recommended that you install the Group Policy Management Console, which provides a much superior interface for managing group policy. > > right click "new" > give it a name "WSUS 3.0 policy" > right click > edit > > computer config > admin templates > windows components > windows update > > disable "automatic update" setting If this is disabled none of the other settings will have any effect. I don't believe you meant to do this. > enable "sepcifiy intranet micrsoft > update location > put the servername like this in both dialogue boxes > http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the top > window and select "enforce" > in the bottom Security Filtering window i did > add the domain users group > OK This is wrong. You're applying a computer policy, not a user policy, so if you must use security filtering you would want to add one or more computers or computer groups. However, best practice is not to configure security filtering unless you have a specific need for it. Normally you want group policy to apply to all users/computers that are in the OU you assign it to. > IF i ask someone to log off and on again their gpedit still say "not > configured" under "sepcifiy intranet micrsoft update location" - why is the > setting not taking effect? Are you using gpedit on the client machines to look at the local policy? This doesn't show policy assigned from the domain. If you want to determine what group policy is being applied from the domain, use the gpresult command-line tool. Harry.
Guest Lawrence Garvin [MVP] Posted August 28, 2007 Posted August 28, 2007 Re: GPO doesn't take effect on the clients "MSExchangeStudent" <exchangestudent@newsgroups.com> wrote in message news:uKtnyTJ6HHA.1168@TK2MSFTNGP02.phx.gbl... > Hi all > > I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to > change a GP setting through GP on the DC. On the DC i do the following : > Right click DC OU in AD > Properties > group policy tab > open > under > GPO > > right click "new" > give it a name "WSUS 3.0 policy" > right click > > > edit computer config > admin templates > windows components > windows > > update > > disable "automatic update" setting If you really did set "Configure Automatic Updates" to DISABLED, then everything else is dysfunctional. This policy must be ENABLED. -- Lawrence Garvin, M.S., MCTS, MCP MVP - Software Distribution (2005-2007) MS WSUS Website: http://www.microsoft.com/wsus My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
Guest MSExchangeStudent Posted August 28, 2007 Posted August 28, 2007 Re: GPO doesn't take effect on the clients "Bill" <bpierini@csuchico.edu> wrote in message news:826EC261-9E5A-463B-94F7-F0FA42FADE77@microsoft.com... > You won't get an automatic GPO refresh with a logon, you'll need to reboot > or a specific GPO refresh like this: > Force a GPO refresh: > > In Windows VistaT or Windows XP, run the following command: > gpupdate /force Yes, thanks i am using this option. > > In Windows 2000, run the following command: > secedit /refreshpolicy machine_policy /enforce > > -b > "MSExchangeStudent" <exchangestudent@newsgroups.com> wrote in message > news:uKtnyTJ6HHA.1168@TK2MSFTNGP02.phx.gbl... >> Hi all >> >> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try >> to change a GP setting through GP on the DC. On the DC i do the following >> : Right click DC OU in AD > Properties > group policy tab > open > under >> GPO >> > right click "new" > give it a name "WSUS 3.0 policy" > right click > >> > edit computer config > admin templates > windows components > windows >> > update > >> disable "automatic update" setting > enable "sepcifiy intranet micrsoft >> update location > put the servername like this in both dialogue boxes >> http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the >> top window and select "enforce" > in the bottom Security Filtering window >> i did add the domain users group > OK >> >> IF i ask someone to log off and on again their gpedit still say "not >> configured" under "sepcifiy intranet micrsoft update location" - why is >> the setting not taking effect? >> >> Pls help urgently - thanks >> >
Guest MSExchangeStudent Posted August 28, 2007 Posted August 28, 2007 Re: GPO doesn't take effect on the clients "Harry Johnston" <harry@scms.waikato.ac.nz> wrote in message news:upKJrNQ6HHA.5184@TK2MSFTNGP03.phx.gbl... > MSExchangeStudent wrote: > >> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try >> to change a GP setting through GP on the DC. On the DC i do the following >> : Right click DC OU in AD > > > Do you mean the Domain Controllers OU? Any group policy set on this OU > will only affect the domain controllers, not the client machines - unless > you've moved the client machines into the Domain Controllers OU, which is > probably a bad idea. Yes, someone told me in the NG that i need to link it to the OU where the users are in. So this i did wrong but did rectify it. > > Also, it is recommended that you install the Group Policy Management > Console, which provides a much superior interface for managing group > policy. I do have it installed. > >> > right click "new" > give it a name "WSUS 3.0 policy" > right click > >> edit > computer config > admin templates > windows components > windows >> update > disable "automatic update" setting > > If this is disabled none of the other settings will have any effect. I > don't believe you meant to do this. Come again - are you saying my WSUS settings won't take effect if i disable "automatic update"? Do i need to leave the option as "Not Configured" > >> enable "sepcifiy intranet micrsoft update location > put the servername >> like this in both dialogue boxes http://ctt-3rd_server:8530 > OK > file > >> exit.right click "users" in the top window and select "enforce" > in the >> bottom Security Filtering window i did add the domain users group > OK > > This is wrong. You're applying a computer policy, not a user policy, so > if you must use security filtering you would want to add one or more > computers or computer groups. However, best practice is not to configure > security filtering unless you have a specific need for it. Normally you > want group policy to apply to all users/computers that are in the OU you > assign it to. OK, so i will make the security filtering default again by removing the domain users that i have added there. > >> IF i ask someone to log off and on again their gpedit still say "not >> configured" under "sepcifiy intranet micrsoft update location" - why is >> the setting not taking effect? > > Are you using gpedit on the client machines to look at the local policy? Yes, i did but someone said i must rather use rsop.msc and currently i am using that. >This doesn't show policy assigned from the domain. If you want to >determine what group policy is being applied from the domain, use the >gpresult command-line tool. > > Harry.
Guest MSExchangeStudent Posted August 28, 2007 Posted August 28, 2007 Re: GPO doesn't take effect on the clients OK, i will change this imediately to enable again. thanks for the help "Lawrence Garvin [MVP]" <onsite@news.postalias> wrote in message news:uUuAWrQ6HHA.4880@TK2MSFTNGP03.phx.gbl... > "MSExchangeStudent" <exchangestudent@newsgroups.com> wrote in message > news:uKtnyTJ6HHA.1168@TK2MSFTNGP02.phx.gbl... >> Hi all >> >> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try >> to change a GP setting through GP on the DC. On the DC i do the following >> : Right click DC OU in AD > Properties > group policy tab > open > under >> GPO >> > right click "new" > give it a name "WSUS 3.0 policy" > right click > >> > edit computer config > admin templates > windows components > windows >> > update > >> disable "automatic update" setting > > If you really did set "Configure Automatic Updates" to DISABLED, then > everything else is dysfunctional. > > This policy must be ENABLED. > > -- > Lawrence Garvin, M.S., MCTS, MCP > MVP - Software Distribution (2005-2007) > MS WSUS Website: http://www.microsoft.com/wsus > My Websites: http://www.onsitechsolutions.com; > http://wsusinfo.onsitechsolutions.com > My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin > >
Guest MMASH Posted September 14, 2007 Posted September 14, 2007 Re: GPO doesn't take effect on the clients I have a win2003 DC and XP SP2 clients. I did install WSUS 3.0 and try to change the GP settings through GP on the DC. I have even enabled the "Configure Automatic Updates" and other options too. But the authenticated users are not receiving any alerts in status bar that updates are downloaded and ready to install. BUT If I login as a local administrator, I am getting that alert icon. Please suggest, what could be worng. Thanks, "MSExchangeStudent" wrote: > OK, i will change this imediately to enable again. thanks for the help > > "Lawrence Garvin [MVP]" <onsite@news.postalias> wrote in message > news:uUuAWrQ6HHA.4880@TK2MSFTNGP03.phx.gbl... > > "MSExchangeStudent" <exchangestudent@newsgroups.com> wrote in message > > news:uKtnyTJ6HHA.1168@TK2MSFTNGP02.phx.gbl... > >> Hi all > >> > >> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try > >> to change a GP setting through GP on the DC. On the DC i do the following > >> : Right click DC OU in AD > Properties > group policy tab > open > under > >> GPO > >> > right click "new" > give it a name "WSUS 3.0 policy" > right click > > >> > edit computer config > admin templates > windows components > windows > >> > update > > >> disable "automatic update" setting > > > > If you really did set "Configure Automatic Updates" to DISABLED, then > > everything else is dysfunctional. > > > > This policy must be ENABLED. > > > > -- > > Lawrence Garvin, M.S., MCTS, MCP > > MVP - Software Distribution (2005-2007) > > MS WSUS Website: http://www.microsoft.com/wsus > > My Websites: http://www.onsitechsolutions.com; > > http://wsusinfo.onsitechsolutions.com > > My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin > > > > > > >
Guest Harry Johnston Posted September 15, 2007 Posted September 15, 2007 Re: GPO doesn't take effect on the clients MMASH wrote: > I have a win2003 DC and XP SP2 clients. I did install WSUS 3.0 and try to > change the GP settings through GP on the DC. I have even enabled the > "Configure Automatic Updates" and other options too. But the authenticated > users are not receiving any alerts in status bar that updates are downloaded > and ready to install. BUT If I login as a local administrator, I am getting > that alert icon. > Please suggest, what could be worng. Nothing's wrong. That's the normal behaviour. If you want non-administrative users to have access to install the updates manually, you can set the group policy "Allow non-administrators to receive update notifications". Be aware this also allows them to hide updates so they will not be installed even when the scheduled time comes along. Harry.
Guest MMASH Posted September 16, 2007 Posted September 16, 2007 Re: GPO doesn't take effect on the clients Thanks for the reply Harry, but I guess my question was different. I am able to receive the alert while shutting down my system "install update and shutdown" as I have configured that in my Group policy. But instead of that option I would like my all client machines show the alert in task bar saying "updates are ready to install". I tried configuring the group plicy in that way,,,but it is not working while I am logged in as a domain user (even though I am a local administraors gorup member), but if i login as a local administraor i get that alert in task bar. Any suggestions..... "Harry Johnston" wrote: > MMASH wrote: > > > I have a win2003 DC and XP SP2 clients. I did install WSUS 3.0 and try to > > change the GP settings through GP on the DC. I have even enabled the > > "Configure Automatic Updates" and other options too. But the authenticated > > users are not receiving any alerts in status bar that updates are downloaded > > and ready to install. BUT If I login as a local administrator, I am getting > > that alert icon. > > Please suggest, what could be worng. > > Nothing's wrong. That's the normal behaviour. > > If you want non-administrative users to have access to install the updates > manually, you can set the group policy "Allow non-administrators to receive > update notifications". Be aware this also allows them to hide updates so they > will not be installed even when the scheduled time comes along. > > Harry. >
Guest Harry Johnston Posted September 16, 2007 Posted September 16, 2007 Re: GPO doesn't take effect on the clients MMASH wrote: > [...] I would like my all client machines show the alert in task bar > saying "updates are ready to install". That is exactly what this group policy setting does: >> If you want non-administrative users to have access to install the updates >> manually, you can set the group policy "Allow non-administrators to receive >> update notifications". Be aware this also allows them to hide updates so they >> will not be installed even when the scheduled time comes along. Did you restart the client after applying the group policy change? (Actually all you really need to do is refresh group policy with gpupdate and then restart the WUA service, but restarting the client is easier.) Harry.
Guest MMASH Posted September 17, 2007 Posted September 17, 2007 Re: GPO doesn't take effect on the clients I have rebooted the client machines couple of times, even tried the group policy refresh did not worked. I went through the Group policy for WSUS n number of times, it looks ok. Reaaly do not know why that alert is not poping up. "Harry Johnston" wrote: > MMASH wrote: > > > [...] I would like my all client machines show the alert in task bar > > saying "updates are ready to install". > > That is exactly what this group policy setting does: > > >> If you want non-administrative users to have access to install the updates > >> manually, you can set the group policy "Allow non-administrators to receive > >> update notifications". Be aware this also allows them to hide updates so they > >> will not be installed even when the scheduled time comes along. > > Did you restart the client after applying the group policy change? (Actually > all you really need to do is refresh group policy with gpupdate and then restart > the WUA service, but restarting the client is easier.) > > Harry. >
Guest Harry Johnston Posted September 18, 2007 Posted September 18, 2007 Re: GPO doesn't take effect on the clients MMASH wrote: > I have rebooted the client machines couple of times, even tried the group > policy refresh did not worked. > I went through the Group policy for WSUS n number of times, it looks ok. > Reaaly do not know why that alert is not poping up. It might be worth checking that the group policy really has registered correctly by looking in the registry. The subkey to look at is HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate and the value ElevateNonAdmins should be of the type REG_DWORD and have the value 1. ... your users are in the Users security group, I presume? You should also make sure the user group policy "Remove access to use all Windows Update features" isn't set. I don't know the registry key for this one, just look in the group policy: User Configuration, Administrative Templates, Windows Components, Windows Update. Are there any clues in WindowsUpdate.log? Harry.
Recommended Posts