New GPO not getting to the clients

[mikehday]

The clients on my GPO that I've created for a WSUS server I'm building don't show that the GPO has been applied when I run gpresults. Even after 1 full day has passed they were not applied.

But ... when I rebooted a couple of clients the GPO showed up in the gpresults. One client was 2000 and the other was 2003.

Any clue as to why it took a reboot? On the 2003 clients I ran gpupdate /force numerous times a few hours after putting them in the GPO and that didn't have any effect. I wasn't sure what to run on the 2000 clients since gpupdate didn't exist.

 

[djtech2k]

For 2000, you can use the command secedit to refresh the gpo. I think this should work:

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

or

SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE

As for why it takes so long, what is your gpo update setting? I believe the native setting is to refresh every 90 minutes. I have also learned that DNS resolution is VERY important for GPO's to work.

 

[monsterjta]

Try running WUAUCLT /DETECTNOW from the local machine. By default, clients only check in every 22 hours with a (I think) 30 minute randomizer.

Also, make sure your WSUS clients have BITS 2.0 and WinHTTP 5.1 installed. This is required to communicate with the WSUS server.

I hope you find this post helpful,

Jonathan Almquist
Minneapolis, MN

 

[mikehday]

I would think that WUAUCLT /DETECTNOW would only work if the server knew it was in the correct OU and GPO. It didn't work here ...

I think it might be the process of moving the computer to the OU that is linked to the GPO. GPUPDATE is supposed to update the GPO information on the client but if the client was moved to a new OU that I created for the GPO what tool can I used to update the OU information on the client?

Either way a reboot refreshes everything ... but I don't want to have to reboot all my servers or apply the auto update GPO to my server OU's.

Also I don't think we have any DNS problems ... but is there a utility I should be running to check to see if there is a DNS issue?

Thanks for your help!

 

[djtech2k]

I would start with dcdiag and netdiag.

 

[mikehday]

I dl'ed and ran them both and no errors were reported. I still need to find the utility that will show my GPO refresh rate settings though.

 

[paulhthomas]

were the settings in the GPO applied to the user or the computer?
If they were applied to the computer sometimes computer settings can take up to 2 reboots before applying.

Paul Thomas
N+, MCP, MCSA

Network+ - Passed
70-210 - Passed
70-290 - Passed
70-291 - Passed
70-293 - Passed
70-294 - Passed
70-284 - Passed
70-297 - Loading...

 

[mikehday]

Thanks Paul but the configuration settings for WSUS need to be applyed to the computer Configuration not the User Configuration. That's what you meant right ... computer vs user configuration (settings) in the GPO?

Mike

 

[paulhthomas]

no. you missed my point. )
If the settings are defined in the Computer Configuration then these can sometimes take up to 2 reboots to take effect.
Running gppudate /force and the like will have no effect on the server (although you'd think it would!)

Paul Thomas
N+, MCP, MCSA

Network+ - Passed
70-210 - Passed
70-290 - Passed
70-291 - Passed
70-293 - Passed
70-294 - Passed
70-284 - Passed
70-297 - Loading...

 

[mikehday]

ok ... thanks for the info!

 

[paulhthomas]

I think it's to do with when the policies are applied. I can't remember exactly why but it's something to do with the forst time it reboots it sets a flag to say what policies should be applied and the second time it actually applies them.

Paul Thomas
N+, MCP, MCSA

Network+ - Passed
70-210 - Passed
70-290 - Passed
70-291 - Passed
70-293 - Passed
70-294 - Passed
70-284 - Passed
70-297 - Loading...

 

[paulhthomas]

I was on an AD workshop at MS last week and it was covered then. I'll see if I can dig out the notes and give you a more precise explanation as to why it can take up to 2 reboots, but I'm positive that that is the problem.

Paul Thomas
N+, MCP, MCSA

Network+ - Passed
70-210 - Passed
70-290 - Passed
70-291 - Passed
70-293 - Passed
70-294 - Passed
70-284 - Passed
70-297 - Loading...

 

[mikehday]

Great thanks ... hope you find it!

 

[paulhthomas]

Hi, i can't for the life of me fin the info in the book I was given, the MS support guy must have talked about it.

I have dug out these 2 articles which are kind of the same problem as you were having, doesn't really explain why it does, but at least you can see it's not just you!

http://support.microsoft.com/kb/886516/en-us

http://support.microsoft.com/kb/305293/en-us

Paul Thomas
N+, MCP, MCSA

Network+ - Passed
70-210 - Passed
70-290 - Passed
70-291 - Passed
70-293 - Passed
70-294 - Passed
70-284 - Passed
70-297 - Loading...

 

[twicki]

If you run gpupdate /force from cmd when your users log off and back on the policy should be enforced

 

[paulhthomas]

twicki, there are certain computer configs that will get applied when you run gpudate/ force. but not all.
I think all user config's with either apply when you run the command and definutely will with a log off /on


Paul Thomas
N+, MCP, MCSA

Network+ - Passed
70-210 - Passed
70-290 - Passed
70-291 - Passed
70-293 - Passed
70-294 - Passed
70-284 - Passed
70-297 - Loading...

 

[mikehday]

I just accidently applied the GPO to the OU that the most of the servers were in and and hour later looked at my WSUS server console and all of those servers were in the WSUS server and gpresults on the clients said they had the GPO's applied!

So it must have been the process of moving the computer to the new OU that caused it to require a reboot before the linked GPO would go into effect!

Mike

 

[paulhthomas]

hmmm, very odd!
ah well, at least it's working for you now.

Thanks for posting back and letting us know.

Paul Thomas
N+, MCP, MCSA

Network+ - Passed
70-210 - Passed
70-290 - Passed
70-291 - Passed
70-293 - Passed
70-294 - Passed
70-284 - Passed
70-297 - Loading...