Active Directory Conundrum...

wnied

Diamond Member
Oct 10, 1999
4,206
0
76
Working for a client and they have a Windows 2000 network with Active Directory. OUs for Laptop and Desktop machines, and both are governed by a group policy to draw their updates from Microsoft Security Update Services on a local server. All have registry keys set to download the updates from the specific local server, at 9am. All machines receive any updates first approved by the local admin, then pushed to the machines in the OUs. This one laptop running Windows XP will not take the updates.

I have done the following with the local admin:

1) Checked the Registry keys, and they're set correctly.
2) Checked to be sure that specific laptop is in the correct OU.
3) On the local machine from a command line I ran the "GPUPDATE" command. It ran successfully, yet still the machine refuses to accept the updates.
4) Checked the Server to be sure it's set correctly to push the updates to the proper OUs.

Can anyone think of anything that I might have missed?

All help is welcome.

Thanks in advance.
~wnied~
 

wnied

*UPDATE*

I have since run the gpupdate /force command from the command line and STILL this damned machine won't pick up the group policy!!!

What the Hell??
~wnied~

Anyone? Anyone? Bueller?
 

gaidin123

Senior member
May 5, 2000
962
1
0
At a command line, type "set" and see which DC it authenticated against and compare that with the other working machines. There's a slight possibility that the user profile or domain machine account is messed up. You could try deleting the local profile. Also, try pulling the laptop from the domain and re-adding it.

Gaidin
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
3) On the local machine from a command line I ran the "GPUPDATE" command. It ran successfully, yet still the machine refuses to accept the updates.

Check your event log, application log. A true successful policy application would throw an event ID 1704. What kind of errors and warnings are you seeing in the logs?

Who is this client pointed to for DNS? Can you ping domain.com from the client?

2) Checked to be sure that specific laptop is in the correct OU.

What kind of policy are you trying to apply? If it is a setting under the user configuration portion of the GPO, you need to put the user object in the OU.
 

wnied

Gaidin

You could try deleting the local profile. Also, try pulling the laptop from the domain and re-adding it.

Did that one already. In regards to the policy we are trying to apply, it is a policy where all machines look to a specific server at 9am every morning to see if there are any approved updates available for pulling. Why these few machines haven't been doing this is something that has been vexing me for most of the weekend.

~wnied~
 

stash

You didn't answer the first part of my question. Do you see 1704s in the app logs, and if not, what kind of errors do you see?
 

wnied

Stash

Yes, there are Event 1704s in the machine's event log, yet it wasn't pulling down the updates at the time allotted.

I have since figured out the problem, and found another glitch with Microsoft's SUS program. First off, all the machines were Windows XP, not Windows XP with Service Pack 1. Once we installed SP1 on these machines, then typed the "GPUPDATE /FORCE" command at the command line, then looked at the system properties > Automatic Updates tab, there we could see that the policy had been truly updated. Because at the auto updates tab, we could see that all options were grayed out and the time allotted for updating was in the proper area. Whereas before, the automatic updates tab gave the users the full menu of options. From what I read on the white paper regarding the application of group policies, the security updates and patches being pushed down to the client should contain the service pack within them, yet the few machines within our OU in AD that were Windows XP without Service Pack 1 wouldn't take the group policy applied to the OUs. So technically, they couldn't be updated without the user actually going outside our network directly to the Windows Update website. Yet when I went around to all these machines, and installed Service Pack 1 for XP then ran the force command at the command line, only then did it pick up the group policy.

Happiness comes in many forms...

...and Microsoft isn't one of them! :|
~wnied~