SUS and Group Policy

jdonalds

MIS
Jan 9, 2004
95
US

I've searched the forums but with no solution that appears to solve my problem. I've recently installed SUS on a Windows 2000 server. I've also created the group policy and applied it to the OU that contains the computer accounts I am targeting.

However, the group policy is not successfully being applied to the client machines. I've checked the properties of my computer to find that the Automatic Updates tab is grayed out. However, the local group policy on the computer does not match that of the group policy specified in AD.

The server has been in place for over a week so I've allowed for plenty of time to replicate the policy locally. There are no other group policies enabled, though the default policy resides at the domain level but has no settings.

Thanks,
Jeremy
 
If auto updates is greyed out it sounds like the policy is applied. Check the registry to see if the policy is in place.

HKLM\Software\Policies\Microsoft\Windows\Windows\WindowsUpdate

Let us know.
 
I checked the registry entry and it contains the following:

(Default) REG_SZ (value not set)
WUServer REG_SZ
WUStatusServer REG_SZ

This may have been a result of the test I did by going to GPEDIT.msc on the local machine and setting the policy that way. I've since removed that and the group policy has not overridden that.

Help
 
The only way to be sure would be for you to first recreate that local policy. Removing a policy does not make its settings go away. You must first reverse the changes made. So, re-enable the local policy, then disable it. Do not set it to Not Defined, as this leaves the settings on the PC alone.

Verify that your settings are NOT grayed out.

Now force an update from the Domain.

On Win2K run the following:

secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

On XP just run:

gpupdate /force

Verify that you have added the machine accounts to the security settings of the GPO. If you have not then the policy will not apply.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Check the Windows Update log on the client machines (%systemroot%\Windows Update.log, or \\client\admin$\Windows Update.log) and see if there is any activity.

By any chance, have you used the IISLOCKDOWN/URLSCAN utilities?
 
Mark, I've disabled the "Windows Update" setting in both the local policy and the group policy that I have for the OU that this computer is assigned to. No luck, the Windows Update page is still grayed out.

jkupski, I've checked that log file and it shows where it is connecting to the SUS server and doing its thing. What are the IISLOCKDOWN/URLSCAN utilities?

I've noticed that there is a default group policy object at the domain level. I've added the Administrative template to that policy and it is set to Not Configured. I'm not sure how group policy is read; is the group policy that I'm trying to enforce SUS updates by at the OU level clashing with the default policy at the domain level?

Thanks,
Jeremy
 
Have you rebooted the target machines? Some aspects of Computer GP are only applied at system startup. The GPRESULT.EXE utility will tell you what settings are applied from which policy. (Resource kit, I think)
 
For Win2K gpresult is a RK tool, it is built into WinXP.

Your policies at the domain level will get applied first, then they will fow down to the OU level.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
That was supposed to be flow. ... :)

I need spell check! Sorry.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Not sure I understand what the issue is. On the client machines (in the OU you applied the GPO at) what do the aforementioned registry keys display?

In the Automatic Update part of the GPO what value for the SUS server have you put in?
 
Here is the latest. I changed the local policy, the domain-level default policy and the OU group policy for Windows Update to be "Not Configured" for the four options. This then released the automatic update setting tab for my XP Pro machine.

Then, I tried to set the OU group policy where the computer account for this computer resides and set the options accordingly. I've restarted the machine and have tried to force the GPUPDATE command on that machine with no success?

The aforementioned registry keys do not show up in the registry so they are not currently set to anything. Meaning that the following key:

HKLM\Software\Policies\Microsoft\Windows\Windows\WindowsUpdate

does not exist. With the local policy and the domain default level policy being set to not configured will the OU group policy where I indicate the settings I want not work?

Thanks,
Jeremy
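
A way to triage the two registry states reported in this thread (value names present with no data, and the key absent) across several clients; this is an added example, not part of any poster's reply. It parses saved `reg query` output; the client names and dumps are constructed, and the key path in them is the standard Windows Update policy location, an assumption of the example.

```python
import re

# One value line of `reg query` output: indented name, type, optional data.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")
REQUIRED = ("WUServer", "WUStatusServer")  # value names quoted in the thread


def parse_reg_query(text):
    """Return {value_name: data} for a `reg query` dump, or None if the key is absent."""
    if "ERROR:" in text or "HKEY_" not in text:
        return None
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.rstrip())
        if m:
            data = m.group("data") or ""
            values[m.group("name")] = "" if data == "(value not set)" else data
    return values


def assess_policy(text):
    """Classify a client: ('key-missing' | 'values-empty' | 'configured', empty_names)."""
    values = parse_reg_query(text)
    if values is None:
        return "key-missing", []
    empty = [name for name in REQUIRED if not values.get(name)]
    return ("values-empty" if empty else "configured"), empty


# Constructed sample dumps (assumed key path, placeholder server name).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
SAMPLES = {
    "client-a": f"\n{KEY}\n    (Default)    REG_SZ    (value not set)\n"
                "    WUServer    REG_SZ    \n    WUStatusServer    REG_SZ    \n",
    "client-b": "ERROR: The system was unable to find the specified "
                "registry key or value.\n",
    "client-c": f"\n{KEY}\n    WUServer    REG_SZ    http://sus.example.test\n"
                "    WUStatusServer    REG_SZ    http://sus.example.test\n",
}

if __name__ == "__main__":
    for client, dump in SAMPLES.items():
        state, empty = assess_policy(dump)
        print(f"{client}: {state} {empty}")
```

A client reporting `values-empty` or `key-missing` after a policy refresh is not receiving the update-server setting from any GPO, so it is a patching gap to follow up on.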
 
What is the security you now have at the OU Group Policy? Have you applied it to the target machine?

What error do you get when you execute GPUPDATE /FORCE?

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 

Thanks to everyone for their assistance. I recently removed the "Windows Update" template from the domain-level group policy and re-established it at the OU level, and everything is fine. From what I can gather, if the template is enabled at the domain level and is set to "Not Configured" and you try to apply that same template at the OU level and specify different properties, then the domain level will override that OU policy and ultimately do nothing on the client end.

Thanks,
Jeremy
 