GPO doesn't take effect on the clients

Hi all

I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to
change a GP setting through GP on the DC. On the DC i do the following :
Right click DC OU in AD > Properties > group policy tab > open > under GPO
> right click "new" > give it a name "WSUS 3.0 policy" > right click > edit
> computer config > admin templates > windows components > windows update >
disable "automatic update" setting > enable "sepcifiy intranet micrsoft
update location > put the servername like this in both dialogue boxes
http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the top
window and select "enforce" > in the bottom Security Filtering window i did
add the domain users group > OK

IF i ask someone to log off and on again their gpedit still say "not
configured" under "sepcifiy intranet micrsoft update location" - why is the
setting not taking effect?

Pls help urgently - thanks




MSExchangeStudent

Howdie!

You're posting to a whole lot of newsgroups. Do you know that? At least
you could have set a follow up. Now follow up set to:
microsoft.public.windows.group_policy

MSExchangeStudent schrieb:
> IF i ask someone to log off and on again their gpedit still say "not
> configured" under "sepcifiy intranet micrsoft update location" - why is the
> setting not taking effect?

Don't look at gpedit.msc as it only shows the locally configured
settings. It will NOT show the settings you configured via the domain.
Try "rsop.msc" from the Run-dialog instead and see whether the policy
shows up. Can see the policy there? Feel free to post your results in
order to help us further investigate your problem.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

You won't get an automatic GPO refresh with a logon, you'll need to reboot
or a specific GPO refresh like this:
Force a GPO refresh:

In Windows VistaT or Windows XP, run the following command:
gpupdate /force

In Windows 2000, run the following command:
secedit /refreshpolicy machine_policy /enforce

-b
"MSExchangeStudent" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi all
>
> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to
> change a GP setting through GP on the DC. On the DC i do the following :
> Right click DC OU in AD > Properties > group policy tab > open > under
> GPO
> > right click "new" > give it a name "WSUS 3.0 policy" > right click >
> > edit computer config > admin templates > windows components > windows
> > update >
> disable "automatic update" setting > enable "sepcifiy intranet micrsoft
> update location > put the servername like this in both dialogue boxes
> http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the
> top window and select "enforce" > in the bottom Security Filtering window
> i did add the domain users group > OK
>
> IF i ask someone to log off and on again their gpedit still say "not
> configured" under "sepcifiy intranet micrsoft update location" - why is
> the setting not taking effect?
>
> Pls help urgently - thanks
>

Try assigning your WSUS policy to "Computers" rather than users or user groups.

"MSExchangeStudent" wrote:

> Hi all
>
> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to
> change a GP setting through GP on the DC. On the DC i do the following :
> Right click DC OU in AD > Properties > group policy tab > open > under GPO
> > right click "new" > give it a name "WSUS 3.0 policy" > right click > edit
> > computer config > admin templates > windows components > windows update >
> disable "automatic update" setting > enable "sepcifiy intranet micrsoft
> update location > put the servername like this in both dialogue boxes
> http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the top
> window and select "enforce" > in the bottom Security Filtering window i did
> add the domain users group > OK
>
> IF i ask someone to log off and on again their gpedit still say "not
> configured" under "sepcifiy intranet micrsoft update location" - why is the
> setting not taking effect?
>
> Pls help urgently - thanks
>
>
>

MSExchangeStudent wrote:

> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to
> change a GP setting through GP on the DC. On the DC i do the following :
> Right click DC OU in AD >

Do you mean the Domain Controllers OU? Any group policy set on this OU will
only affect the domain controllers, not the client machines - unless you've
moved the client machines into the Domain Controllers OU, which is probably a
bad idea.

Also, it is recommended that you install the Group Policy Management Console,
which provides a much superior interface for managing group policy.

> > right click "new" > give it a name "WSUS 3.0 policy" > right click > edit
> > computer config > admin templates > windows components > windows update >
> disable "automatic update" setting

If this is disabled none of the other settings will have any effect. I don't
believe you meant to do this.

> enable "sepcifiy intranet micrsoft
> update location > put the servername like this in both dialogue boxes
> http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the top
> window and select "enforce" > in the bottom Security Filtering window i did
> add the domain users group > OK

This is wrong. You're applying a computer policy, not a user policy, so if you
must use security filtering you would want to add one or more computers or
computer groups. However, best practice is not to configure security filtering
unless you have a specific need for it. Normally you want group policy to apply
to all users/computers that are in the OU you assign it to.

> IF i ask someone to log off and on again their gpedit still say "not
> configured" under "sepcifiy intranet micrsoft update location" - why is the
> setting not taking effect?

Are you using gpedit on the client machines to look at the local policy? This
doesn't show policy assigned from the domain. If you want to determine what
group policy is being applied from the domain, use the gpresult command-line tool.

Harry.

"MSExchangeStudent" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi all
>
> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to
> change a GP setting through GP on the DC. On the DC i do the following :
> Right click DC OU in AD > Properties > group policy tab > open > under
> GPO
> > right click "new" > give it a name "WSUS 3.0 policy" > right click >
> > edit computer config > admin templates > windows components > windows
> > update >
> disable "automatic update" setting

If you really did set "Configure Automatic Updates" to DISABLED, then
everything else is dysfunctional.

This policy must be ENABLED.

--
Lawrence Garvin, M.S., MCTS, MCP
MVP - Software Distribution (2005-2007)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

"Bill" <(E-Mail Removed)> wrote in message
news:826EC261-9E5A-463B-94F7-(E-Mail Removed)...
> You won't get an automatic GPO refresh with a logon, you'll need to reboot
> or a specific GPO refresh like this:
> Force a GPO refresh:
>
> In Windows VistaT or Windows XP, run the following command:
> gpupdate /force

Yes, thanks i am using this option.
>
> In Windows 2000, run the following command:
> secedit /refreshpolicy machine_policy /enforce
>
> -b
> "MSExchangeStudent" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi all
>>
>> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try
>> to change a GP setting through GP on the DC. On the DC i do the following
>> : Right click DC OU in AD > Properties > group policy tab > open > under
>> GPO
>> > right click "new" > give it a name "WSUS 3.0 policy" > right click >
>> > edit computer config > admin templates > windows components > windows
>> > update >
>> disable "automatic update" setting > enable "sepcifiy intranet micrsoft
>> update location > put the servername like this in both dialogue boxes
>> http://ctt-3rd_server:8530 > OK > file > exit.right click "users" in the
>> top window and select "enforce" > in the bottom Security Filtering window
>> i did add the domain users group > OK
>>
>> IF i ask someone to log off and on again their gpedit still say "not
>> configured" under "sepcifiy intranet micrsoft update location" - why is
>> the setting not taking effect?
>>
>> Pls help urgently - thanks
>>
>

"Harry Johnston" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> MSExchangeStudent wrote:
>
>> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try
>> to change a GP setting through GP on the DC. On the DC i do the following
>> : Right click DC OU in AD >
>
> Do you mean the Domain Controllers OU? Any group policy set on this OU
> will only affect the domain controllers, not the client machines - unless
> you've moved the client machines into the Domain Controllers OU, which is
> probably a bad idea.

Yes, someone told me in the NG that i need to link it to the OU where the
users are in. So this i did wrong but did rectify it.
>
> Also, it is recommended that you install the Group Policy Management
> Console, which provides a much superior interface for managing group
> policy.

I do have it installed.
>
>> > right click "new" > give it a name "WSUS 3.0 policy" > right click >
>> edit > computer config > admin templates > windows components > windows
>> update > disable "automatic update" setting
>
> If this is disabled none of the other settings will have any effect. I
> don't believe you meant to do this.

Come again - are you saying my WSUS settings won't take effect if i disable
"automatic update"? Do i need to leave the option as
"Not Configured"
>
>> enable "sepcifiy intranet micrsoft update location > put the servername
>> like this in both dialogue boxes http://ctt-3rd_server:8530 > OK > file >
>> exit.right click "users" in the top window and select "enforce" > in the
>> bottom Security Filtering window i did add the domain users group > OK
>
> This is wrong. You're applying a computer policy, not a user policy, so
> if you must use security filtering you would want to add one or more
> computers or computer groups. However, best practice is not to configure
> security filtering unless you have a specific need for it. Normally you
> want group policy to apply to all users/computers that are in the OU you
> assign it to.
OK, so i will make the security filtering default again by removing the
domain users that i have added there.
>
>> IF i ask someone to log off and on again their gpedit still say "not
>> configured" under "sepcifiy intranet micrsoft update location" - why is
>> the setting not taking effect?
>
> Are you using gpedit on the client machines to look at the local policy?
Yes, i did but someone said i must rather use rsop.msc and currently i am
using that.
>This doesn't show policy assigned from the domain. If you want to
>determine what group policy is being applied from the domain, use the
>gpresult command-line tool.
>
> Harry.

OK, i will change this imediately to enable again. thanks for the help

"Lawrence Garvin [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "MSExchangeStudent" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi all
>>
>> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try
>> to change a GP setting through GP on the DC. On the DC i do the following
>> : Right click DC OU in AD > Properties > group policy tab > open > under
>> GPO
>> > right click "new" > give it a name "WSUS 3.0 policy" > right click >
>> > edit computer config > admin templates > windows components > windows
>> > update >
>> disable "automatic update" setting
>
> If you really did set "Configure Automatic Updates" to DISABLED, then
> everything else is dysfunctional.
>
> This policy must be ENABLED.
>
> --
> Lawrence Garvin, M.S., MCTS, MCP
> MVP - Software Distribution (2005-2007)
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>
>

I have a win2003 DC and XP SP2 clients. I did install WSUS 3.0 and try to
change the GP settings through GP on the DC. I have even enabled the
"Configure Automatic Updates" and other options too. But the authenticated
users are not receiving any alerts in status bar that updates are downloaded
and ready to install. BUT If I login as a local administrator, I am getting
that alert icon.
Please suggest, what could be worng.

Thanks,


"MSExchangeStudent" wrote:

> OK, i will change this imediately to enable again. thanks for the help
>
> "Lawrence Garvin [MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > "MSExchangeStudent" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >> Hi all
> >>
> >> I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try
> >> to change a GP setting through GP on the DC. On the DC i do the following
> >> : Right click DC OU in AD > Properties > group policy tab > open > under
> >> GPO
> >> > right click "new" > give it a name "WSUS 3.0 policy" > right click >
> >> > edit computer config > admin templates > windows components > windows
> >> > update >
> >> disable "automatic update" setting
> >
> > If you really did set "Configure Automatic Updates" to DISABLED, then
> > everything else is dysfunctional.
> >
> > This policy must be ENABLED.
> >
> > --
> > Lawrence Garvin, M.S., MCTS, MCP
> > MVP - Software Distribution (2005-2007)
> > MS WSUS Website: http://www.microsoft.com/wsus
> > My Websites: http://www.onsitechsolutions.com;
> > http://wsusinfo.onsitechsolutions.com
> > My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
> >
> >
>
>
>