GPO doesn't take effect on the clients

Discussion in 'Server Networking' started by MSExchangeStudent, Aug 27, 2007.

  1. Hi all

    I have a win2003 DC and XP SP 2 clients. I did install WSUS 3.0 and try to
    change a GP setting through GP on the DC. On the DC I do the following:
    Right click DC OU in AD > Properties > group policy tab > open > under GPO
    disable "automatic update" setting > enable "specify intranet Microsoft
    update location" > put the servername like this in both dialogue boxes
    http://ctt-3rd_server:8530 > OK > file > exit. Right click "users" in the top
    window and select "enforce" > in the bottom Security Filtering window I did
    add the domain users group > OK

    If I ask someone to log off and on again their gpedit still says "not
    configured" under "specify intranet Microsoft update location" - why is the
    setting not taking effect?

    Pls help urgently - thanks
     
    MSExchangeStudent, Aug 27, 2007
    #1

  2. Howdie!

    You're posting to a whole lot of newsgroups. Do you know that? At least
    you could have set a follow up. Now follow up set to:
    microsoft.public.windows.group_policy
    Don't look at gpedit.msc as it only shows the locally configured
    settings. It will NOT show the settings you configured via the domain.
    Try "rsop.msc" from the Run-dialog instead and see whether the policy
    shows up. Can you see the policy there? Feel free to post your results in
    order to help us further investigate your problem.

    cheers,

    Florian
     
    Florian Frommherz [MVP], Aug 27, 2007
    #2

  3. MSExchangeStudent

    Bill Guest

    You won't get an automatic GPO refresh with a logon, you'll need to reboot
    or a specific GPO refresh like this:
    Force a GPO refresh:

    In Windows Vista or Windows XP, run the following command:
    gpupdate /force

    In Windows 2000, run the following command:
    secedit /refreshpolicy machine_policy /enforce

    -b
     
    Bill, Aug 27, 2007
    #3
  4. MSExchangeStudent

    Maddog Guest

    Try assigning your WSUS policy to "Computers" rather than users or user groups.
     
    Maddog, Aug 27, 2007
    #4
  5. Do you mean the Domain Controllers OU? Any group policy set on this OU will
    only affect the domain controllers, not the client machines - unless you've
    moved the client machines into the Domain Controllers OU, which is probably a
    bad idea.

    Also, it is recommended that you install the Group Policy Management Console,
    which provides a much superior interface for managing group policy.

    If this is disabled none of the other settings will have any effect. I don't
    believe you meant to do this.

    This is wrong. You're applying a computer policy, not a user policy, so if you
    must use security filtering you would want to add one or more computers or
    computer groups. However, best practice is not to configure security filtering
    unless you have a specific need for it. Normally you want group policy to apply
    to all users/computers that are in the OU you assign it to.

    Are you using gpedit on the client machines to look at the local policy? This
    doesn't show policy assigned from the domain. If you want to determine what
    group policy is being applied from the domain, use the gpresult command-line tool.

    Harry.
     
    Harry Johnston, Aug 28, 2007
    #5
  6. If you really did set "Configure Automatic Updates" to DISABLED, then
    everything else is dysfunctional.

    This policy must be ENABLED.

    --
    Lawrence Garvin, M.S., MCTS, MCP
    MVP - Software Distribution (2005-2007)
    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin [MVP], Aug 28, 2007
    #6
  7. Yes, thanks i am using this option.
     
    MSExchangeStudent, Aug 28, 2007
    #7
  8. Yes, someone told me in the NG that I need to link it to the OU where the
    users are in. So this I did wrong but did rectify it.

    I do have it installed.

    Come again - are you saying my WSUS settings won't take effect if I disable
    "automatic update"? Do I need to leave the option as
    "Not Configured"?

    OK, so I will make the security filtering default again by removing the
    domain users that I have added there.

    Yes, I did but someone said I must rather use rsop.msc and currently I am
    using that.
     
    MSExchangeStudent, Aug 28, 2007
    #8
  9. OK, I will change this immediately to enable again. Thanks for the help
     
    MSExchangeStudent, Aug 28, 2007
    #9
  10. MSExchangeStudent

    MMASH Guest

    I have a win2003 DC and XP SP2 clients. I did install WSUS 3.0 and try to
    change the GP settings through GP on the DC. I have even enabled the
    "Configure Automatic Updates" and other options too. But the authenticated
    users are not receiving any alerts in status bar that updates are downloaded
    and ready to install. BUT If I login as a local administrator, I am getting
    that alert icon.
    Please suggest what could be wrong.

    Thanks,
     
    MMASH, Sep 14, 2007
    #10
  11. Nothing's wrong. That's the normal behaviour.

    If you want non-administrative users to have access to install the updates
    manually, you can set the group policy "Allow non-administrators to receive
    update notifications". Be aware this also allows them to hide updates so they
    will not be installed even when the scheduled time comes along.

    Harry.
     
    Harry Johnston, Sep 15, 2007
    #11
  12. MSExchangeStudent

    MMASH Guest

    Thanks for the reply Harry, but I guess my question was different.
    I am able to receive the alert while shutting down my system "install update
    and shutdown" as I have configured that in my Group policy. But instead of
    that option I would like all my client machines to show the alert in task bar
    saying "updates are ready to install". I tried configuring the group policy in
    that way... but it is not working while I am logged in as a domain user (even
    though I am a local administrators group member), but if I login as a local
    administrator I get that alert in task bar.
    Any suggestions.....
     
    MMASH, Sep 16, 2007
    #12
  13. That is exactly what this group policy setting does:

    Did you restart the client after applying the group policy change? (Actually
    all you really need to do is refresh group policy with gpupdate and then restart
    the WUA service, but restarting the client is easier.)

    Harry.
     
    Harry Johnston, Sep 16, 2007
    #13
  14. MSExchangeStudent

    MMASH Guest

    I have rebooted the client machines a couple of times, even tried the group
    policy refresh; it did not work.
    I went through the Group policy for WSUS n number of times, it looks ok.
    Really do not know why that alert is not popping up.



     
    MMASH, Sep 18, 2007
    #14
  15. It might be worth checking that the group policy really has registered correctly
    by looking in the registry. The subkey to look at is

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

    and the value ElevateNonAdmins should be of the type REG_DWORD and have the value 1.

    ... your users are in the Users security group, I presume?

    You should also make sure the user group policy "Remove access to use all
    Windows Update features" isn't set. I don't know the registry key for this one,
    just look in the group policy: User Configuration, Administrative Templates,
    Windows Components, Windows Update.

    Are there any clues in WindowsUpdate.log?

    Harry.
     
    Harry Johnston, Sep 18, 2007
    #15
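
The registry check suggested in post #15, extended to the other settings discussed in this thread, as an added example that is not part of the original posts. Only `ElevateNonAdmins` is named in the thread; the other value names are the standard Windows Update policy values the corresponding GPO settings write, and the default server URL is the one from the first post (replace it with your own).

```powershell
# Added example: read-only check of the Windows Update policy values that a
# domain GPO writes on a client. Run on the client after "gpupdate /force".
param([string]$ExpectedServer = 'http://ctt-3rd_server:8530')  # URL from post #1

$wu = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (setting "Not Configured"
    # or the GPO never reached this machine).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Path, value name, expected data, and the GPO setting that writes it.
$checks = @(
    @{ Path = $au; Name = 'NoAutoUpdate';     Want = 0
       Policy = 'Configure Automatic Updates = Enabled' },
    @{ Path = $au; Name = 'UseWUServer';      Want = 1
       Policy = 'Specify intranet Microsoft update service location = Enabled' },
    @{ Path = $wu; Name = 'WUServer';         Want = $ExpectedServer
       Policy = 'Intranet update service URL' },
    @{ Path = $wu; Name = 'WUStatusServer';   Want = $ExpectedServer
       Policy = 'Intranet statistics server URL' },
    @{ Path = $wu; Name = 'ElevateNonAdmins'; Want = 1
       Policy = 'Allow non-administrators to receive update notifications' }
)

$results = foreach ($c in $checks) {
    $have = Get-PolicyValue $c.Path $c.Name
    if     ($null -eq $have)   { $state = 'MISSING (policy not applied)' }
    elseif ($have -eq $c.Want) { $state = 'OK' }
    else                       { $state = "MISMATCH (want $($c.Want))" }
    New-Object PSObject -Property @{
        Policy = $c.Policy; Value = $c.Name; Found = $have; State = $state
    }
}

$results | Format-Table Policy, Value, Found, State -AutoSize

# Non-zero exit code lets a logon script or monitoring job flag the client.
if ($results | Where-Object { $_.State -ne 'OK' }) { exit 1 }
```

A `MISSING` row for every value means the GPO is not reaching the computer at all (wrong OU or security filtering, as discussed in post #5); `NoAutoUpdate` found as 1 corresponds to "Configure Automatic Updates" being set to Disabled.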