WSUS GPO getting Filtering: Denied (Security)

pollardhimself

Senior member
Nov 6, 2009
281
0
0
The computer is listed in the GPO group. The client computer can resolve the FQDN.




Code:
WSUS
Data collected on: 5/3/2010 9:36:14 AM

General
Details
Domain:             chesapeakecontrols.local
Owner:              CHESAPEAKE\Enterprise Admins
Created:            4/28/2010 6:55:40 PM
Modified:           4/30/2010 3:49:06 PM
User Revisions:     0 (AD), 0 (sysvol)
Computer Revisions: 19 (AD), 19 (sysvol)
Unique ID:          {24624FCB-D46C-4436-B270-D72C005F9EF9}
GPO Status:         Enabled

Links
Location            Enforced  Link Status  Path
chesapeakecontrols  No        Enabled      chesapeakecontrols.local
This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
CHESAPEAKE\Domain Computers

Delegation
These groups and users have the specified permission for this GPO:
Name                                        Allowed Permissions                     Inherited
CHESAPEAKE\Domain Admins                    Edit settings, delete, modify security  No
CHESAPEAKE\Domain Computers                 Read (from Security Filtering)          No
CHESAPEAKE\Enterprise Admins                Edit settings, delete, modify security  No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  Read                                    No
NT AUTHORITY\SYSTEM                         Edit settings, delete, modify security  No

Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Windows Components/Windows Update
Policy                                              Setting   Comment
Allow Automatic Updates immediate installation      Enabled
Automatic Updates detection frequency               Enabled
    Check for updates at the following interval (hours): 20

Policy                                              Setting   Comment
Configure Automatic Updates                         Enabled
    Configure automatic updating: 4 - Auto download and schedule the install
    The following settings are only required and applicable if 4 is selected.
    Scheduled install day:  0 - Every day
    Scheduled install time: 00:00

Policy                                              Setting   Comment
Enable client-side targeting                        Disabled
Specify intranet Microsoft update service location  Enabled
    Set the intranet update service for detecting updates: http://Per510:8530/selfupdate
    Set the intranet statistics server:                    http://Per510:8530/selfupdate
    (example: http://IntranetUpd01)

Preferences
Control Panel Settings
Services
Service (Name: BITS)
BITS (Order: 1)
General
Service name:                                BITS
Action:                                      Start service
Startup type:                                Automatic
Wait timeout if service is locked:           30 seconds
Service Account
Log on service as:                           LocalSystem
Allow service to interact with the desktop:  No
Recovery
First failure:                               No change
Second failure:                              No change
Subsequent failures:                         No change

Common
Options
Stop processing items on this extension if an error occurs on this item:  No
Remove this item when it is no longer applied:                            No
Apply once and do not reapply:                                            No

Service (Name: Automatic Updates)
Automatic Updates (Order: 2)
General
Service name:                                Automatic Updates
Action:                                      Start service
Startup type:                                Automatic
Wait timeout if service is locked:           30 seconds
Service Account
Log on service as:                           LocalSystem
Allow service to interact with the desktop:  No
Recovery
First failure:                               No change
Second failure:                              No change
Subsequent failures:                         No change

Common
Options
Stop processing items on this extension if an error occurs on this item:  No
Remove this item when it is no longer applied:                            No
Apply once and do not reapply:                                            No

User Configuration (Enabled)
No settings defined.
 

TheKub

Golden Member
Oct 2, 2001
1,756
1
0
Does the computer account reside in an OU that has GPO inheritance blocked?
 

pollardhimself

Senior member
Nov 6, 2009
281
0
0
No, I don't believe it's that. I tried applying the policy directly to the computer name. The only OU it's in is Domain Computers, and my interactive logon message GPO is being applied.

The domain type is Server 2008 R2.
The XP machine is SP3; when I use gpresult it lists the domain type as Windows 2000.


I wanted to use WSUS to push the client-side extensions update. Could not having this update cause my issue?
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Make sure the domain computers group has read and apply group policy permissions set on the GPO.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Can you post what's in the security filtering box on the Scope tab of the GPO in GPMC?
 

pollardhimself

Senior member
Nov 6, 2009
281
0
0
Can you post what's in the security filtering box on the Scope tab of the GPO in GPMC?


[screenshot: 20100503144645.png]

[screenshot: 20100503144626.png]

[screenshot: 20100503144554.png]
 

yinan

Golden Member
Jan 12, 2007
1,801
2
71
You can not set a GPO on a container. You have to either set it on the domain or an OU.
 

pollardhimself

Senior member
Nov 6, 2009
281
0
0
You can not set a GPO on a container. You have to either set it on the domain or an OU.

I also tried applying it directly to the computer.
I've also created a test group, added the computer to that group, and then applied the GPO to the test group.
 

yinan

Golden Member
Jan 12, 2007
1,801
2
71
You cannot apply GPOs directly to a computer. Put the computer in an OU, give authenticated users read access to the GPO and you are good to go.
 

pollardhimself

Senior member
Nov 6, 2009
281
0
0
The computer is already in the COMPUTERS OU.

So you're saying leave the security filtering blank and, under Delegation, add Authenticated Users with read access?
 

pollardhimself

Senior member
Nov 6, 2009
281
0
0
Just did that and now I'm getting:
Filtering: Not Applied (Empty)

The GPO is not empty.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
You can't apply a GPO to a group (despite the name) or a computer. You apply it to an OU. Also, computers is a container, not an OU.

That being said, from the pictures above, you have it linked to the domain which is fine. You shouldn't need to mess around with things on the delegation tab at all. Try changing the scope to authenticated users and then make sure you set the permissions on the delegation tab back so that authenticated users have read and apply group policy permissions.
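The two things stash asks for in this reply and in the earlier one (the trustee in Security Filtering must hold Read *and* Apply Group Policy, and the object must sit somewhere a GPO link or inheritance can reach) can be checked from a management station instead of by clicking through GPMC. The script below is an added example written for this thread, not code from any of the posters or from Microsoft; it uses the GroupPolicy and ActiveDirectory PowerShell modules that ship with RSAT on Server 2008 R2 and later, and the GPO name, computer name and trustee in it are assumptions.

```powershell
# Added example (not from the thread). Read-only checks for the GPO scope
# problems discussed above; Grant-GpoApplyPermission is the one write.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT, 2008 R2+).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoApplyPermission {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        # Trustee the client's computer account belongs to. Every domain
        # computer account is a member of Authenticated Users.
        [string] $Trustee = 'Authenticated Users'
    )
    $aces = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Trustee.Name -eq $Trustee }
    if (-not $aces) {
        Write-Warning "'$Trustee' has no entry on '$GpoName': members cannot even read it"
        return $false
    }
    # GpoApply = Read + Apply Group Policy. A bare GpoRead is what the
    # Delegation tab lists as "Read" and yields "Filtering: Denied (Security)".
    if ($aces | Where-Object { $_.Permission -eq 'GpoApply' }) { return $true }
    $have = ($aces | ForEach-Object { $_.Permission }) -join ', '
    Write-Warning "'$Trustee' has only '$have' on '$GpoName': expect 'Filtering: Denied (Security)'"
    return $false
}

function Grant-GpoApplyPermission {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [string] $Trustee = 'Authenticated Users'
    )
    # Equivalent to adding the trustee in the Security Filtering box in GPMC.
    Set-GPPermission -Name $GpoName -TargetName $Trustee -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

function Test-ComputerGpoScope {
    param([Parameter(Mandatory)] [string] $ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # Parent of the object = everything after the first RDN (simple names only).
    $parent = $dn.Substring($dn.IndexOf(',') + 1)
    if ($parent -like 'CN=*') {
        # CN=Computers is a container: no GPO links and no inheritance blocking,
        # so only domain- and site-linked GPOs reach objects in it.
        Write-Host "$ComputerName is in the container $parent; domain-linked GPOs apply, OU-linked ones cannot"
        return $true
    }
    $inh = Get-GPInheritance -Target $parent
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$parent blocks inheritance: the domain-linked WSUS GPO will not apply unless its link is enforced"
        return $false
    }
    return $true
}

# Usage (all names are assumptions):
# Test-GpoApplyPermission -GpoName 'Windows Update Services'
# Grant-GpoApplyPermission -GpoName 'Windows Update Services'
# Test-ComputerGpoScope -ComputerName 'XPCLIENT01'
```

Test-GpoApplyPermission is the check that distinguishes the first report in this thread (Domain Computers with only "Read") from a working scope, and Test-ComputerGpoScope answers TheKub's inheritance question without opening GPMC.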
 

pollardhimself

Senior member
Nov 6, 2009
281
0
0
You can't apply a GPO to a group (despite the name) or a computer. You apply it to an OU. Also, computers is a container, not an OU.

That being said, from the pictures above, you have it linked to the domain which is fine. You shouldn't need to mess around with things on the delegation tab at all. Try changing the scope to authenticated users and then make sure you set the permissions on the delegation tab back so that authenticated users have read and apply group policy permissions.


I get what you're saying, and I have already put Authenticated Users back in the scope and checked to make sure the delegation was correct, but no luck yet. I went through the event viewer on the client computer and I see "Windows cannot find the machine account" and "The clocks on the client and server machines are skewed." Could this be the issue?
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Yes, if the client's clock is more than five minutes off from the server, it won't talk to the domain properly.
 

pollardhimself

Senior member
Nov 6, 2009
281
0
0
Domain member PCs should normally be synching their clocks with one of the Domain Controllers, which, in turn, normally use the Operations Master DC as their reference.

http://support.microsoft.com/kb/816042


Do you have to configure the time sync in the GPO, or should it automatically do it once they're part of the domain? I see there are some options for it in Group Policy Management.

I set the time manually to within seconds and it's still saying it's filtered empty. I recreated a WSUS policy and left the default Authenticated Users in the scope.
 

rasczak

Lifer
Jan 29, 2005
10,437
22
81
Open GPMC.

Open your domain object, right-click on the policy and make sure that it is linked. Once this is done, go to the computer, open a command prompt and type gpupdate /force. This will force the computer to pull down the GPO from the domain controller.

If for some reason you see a blue exclamation point next to any OU object, then you have blocked inheritance and that OU will not receive the policy.

As for the time sync issue, here is the command you need to resync the workstation with the time master:
"C:\>w32tm /resync"

http://social.technet.microsoft.com...S/thread/9f2e0461-9989-419a-ba63-f0a6d1303a23
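stash's five-minute figure and rasczak's w32tm /resync can be turned into one diagnostic run on the client: measure the offset against a domain controller first, resync only when it is outside the Kerberos tolerance, then refresh policy and report the computer scope. This is an added example for the thread, not any poster's script; it assumes PowerShell is installed on the client, that it is run elevated, and the domain controller name is a placeholder.

```powershell
# Added example (not from the thread). Checks clock skew with w32tm, fixes it
# when it exceeds the default 5-minute Kerberos tolerance, then refreshes GPO.
# Run elevated on the client; the DC name in the usage line is an assumption.
function Get-ClockOffsetSeconds {
    param([Parameter(Mandatory)] [string] $DomainController)
    # /dataonly prints one "HH:mm:ss, +00.0012345s" line per sample.
    $lines = & w32tm /stripchart /computer:$DomainController /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "w32tm returned no samples from $DomainController`n$($lines -join "`n")"
    }
    return ($offsets | Measure-Object -Average).Average
}

function Repair-ClientTimeAndPolicy {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [double] $MaxSkewSeconds = 300     # Kerberos default tolerance
    )
    $offset = Get-ClockOffsetSeconds -DomainController $DomainController
    Write-Host ("Clock offset vs {0}: {1:N2} s" -f $DomainController, $offset)
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning "Skew exceeds $MaxSkewSeconds s: the machine account cannot authenticate, so policy cannot be retrieved"
        # Take time from the domain hierarchy (DC -> PDC emulator) and resync now.
        & w32tm /config /syncfromflags:domhier /update | Out-Null
        & w32tm /resync | Out-Null
        $after = Get-ClockOffsetSeconds -DomainController $DomainController
        Write-Host ("Offset after resync: {0:N2} s" -f $after)
        if ([math]::Abs($after) -gt $MaxSkewSeconds) {
            throw "Resync did not fix the skew; check the Windows Time service and DC reachability"
        }
    }
    # With time sane, force a refresh and show only the computer side so
    # computer-only GPOs are not reported from the user section.
    & gpupdate /force | Out-Null
    & gpresult /scope computer /v
}

# Usage (DC name is an assumption):
# Repair-ClientTimeAndPolicy -DomainController 'dc01.chesapeakecontrols.local'
```

The offset is averaged over three samples so a single slow round trip does not trigger a resync, and the resync is only attempted after a measured failure, which keeps the script safe to run repeatedly.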
 

rasczak

Lifer
Jan 29, 2005
10,437
22
81
A quick question for the OP:

Exactly how are you trying to push out the client-side extensions? If you are trying to push from WSUS 3.0, did you make sure that you set up the correct GPOs so the client knows where to get its Windows updates from?

In case you haven't, here's a link to set up an administrative template for WSUS group policy settings.

http://technet.microsoft.com/en-us/library/cc720539%28WS.10).aspx

Granted this is Windows 2k3, but not much should have changed. The important one is Specify intranet Microsoft update service location.
 

pollardhimself

Senior member
Nov 6, 2009
281
0
0
a quick question for the OP

exactly how are you trying to push out the client side extensions? If you are trying to push form a WSUS 3.0, did you make sure that you setup the correct GPO's so the client knows where to get it's windows updates from?

in case you haven't here's a link to setup an administrative template for WSUS group policy settings.

http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx

granted this is windows 2k3, but not much should have changed. the important one is specify intranet microsoft update location.

The GPO is linked and I have forced the update with gpupdate /force on the client and server.


Yes, I know the GPO is correct; I followed the outline from the 6421A lab for WSUS. I had to use a different port, so the server is
//per510:8530/selfupdate


I am unable to push anything down from Group Policy in the Computer Configuration policies section. I just created a computer configuration policy called "test" and told it to disable System Restore, applied and linked it, ran gpupdate on the server and gpupdate /force on the client, and I get a gpresult on the client of
test
Filtering: Not Applied (Empty)

and it's under user settings. Why? The scope is Authenticated Users; should it have a computer OU also? How can I apply it to every computer?


Windows Update Service policy

Code:
Windows Update Services
Data collected on: 5/4/2010 10:50:53 AM

General
Details
Domain:             chesapeakecontrols.local
Owner:              CHESAPEAKE\Domain Admins
Created:            5/3/2010 11:49:58 AM
Modified:           5/4/2010 10:50:46 AM
User Revisions:     0 (AD), 0 (sysvol)
Computer Revisions: 5 (AD), 5 (sysvol)
Unique ID:          {CD4A723E-98EE-41F9-92C5-8E903551D42E}
GPO Status:         Enabled

Links
Location            Enforced  Link Status  Path
chesapeakecontrols  No        Enabled      chesapeakecontrols.local
This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

Delegation
These groups and users have the specified permission for this GPO:
Name                                        Allowed Permissions                     Inherited
CHESAPEAKE\Domain Admins                    Edit settings, delete, modify security  No
CHESAPEAKE\Enterprise Admins                Edit settings, delete, modify security  No
NT AUTHORITY\Authenticated Users            Read (from Security Filtering)          No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  Read                                    No
NT AUTHORITY\SYSTEM                         Edit settings, delete, modify security  No

Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Windows Components/Windows Update
Policy                                              Setting   Comment
Allow Automatic Updates immediate installation      Enabled
Automatic Updates detection frequency               Enabled
    Check for updates at the following interval (hours): 22

Policy                                              Setting   Comment
Configure Automatic Updates                         Enabled
    Configure automatic updating: 4 - Auto download and schedule the install
    The following settings are only required and applicable if 4 is selected.
    Scheduled install day:  0 - Every day
    Scheduled install time: 03:00

Policy                                              Setting   Comment
Specify intranet Microsoft update service location  Enabled
    Set the intranet update service for detecting updates: //per510:8530/selfupdate
    Set the intranet statistics server:                    //per510:8530/selfupdate
    (example: http://IntranetUpd01)

User Configuration (Enabled)
No settings defined.


Test Policy

Code:
Data collected on: 5/4/2010 10:47:17 AM

General
Details
Domain:             chesapeakecontrols.local
Owner:              CHESAPEAKE\Domain Admins
Created:            5/4/2010 10:38:36 AM
Modified:           5/4/2010 10:40:38 AM
User Revisions:     0 (AD), 0 (sysvol)
Computer Revisions: 3 (AD), 3 (sysvol)
Unique ID:          {D7353EA7-5D9D-4198-9FED-38BFDCD8B367}
GPO Status:         Enabled

Links
Location            Enforced  Link Status  Path
chesapeakecontrols  No        Enabled      chesapeakecontrols.local
This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

Delegation
These groups and users have the specified permission for this GPO:
Name                                        Allowed Permissions                     Inherited
CHESAPEAKE\Domain Admins                    Edit settings, delete, modify security  No
CHESAPEAKE\Enterprise Admins                Edit settings, delete, modify security  No
NT AUTHORITY\Authenticated Users            Read (from Security Filtering)          No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  Read                                    No
NT AUTHORITY\SYSTEM                         Edit settings, delete, modify security  No

Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
System/System Restore
Policy                                              Setting   Comment
Turn off System Restore                             Enabled
 

rasczak

Lifer
Jan 29, 2005
10,437
22
81
Why do you have the port listed as

Set the intranet update service for detecting updates: //per510:8530/selfupdate

The site should be //per510:8530, although you really don't need the port number either, since this is the default WSUS port.
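The value rasczak is questioning ends up on each client in the WindowsUpdate policy key, so the quickest way to confirm what a client actually received is to read it back there and compare it with the form the policy's own example line shows (http://IntranetUpd01: scheme, host, optional port, no path). The script below is an added example written for this thread, not any poster's code; the registry path and value names are the documented ones for the "Specify intranet Microsoft update service location" setting, and the expected host name is an assumption.

```powershell
# Added example (not from the thread). Validates the WSUS client URLs that
# the "Specify intranet Microsoft update service location" policy writes.
# Written for Windows PowerShell 2.0+; $ExpectedHost is an assumption.
function Test-WsusClientPolicy {
    param([string] $ExpectedHost = 'per510')
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'
    $ok     = $true

    if (-not (Test-Path $policy)) {
        Write-Warning "$policy is missing: no WSUS policy has reached this client at all"
        return $false
    }
    $values = Get-ItemProperty -Path $policy

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $raw = $values.$name
        $uri = $null
        # A value such as '//per510:8530/selfupdate' has no scheme, so it is
        # not an absolute URL and the client cannot use it.
        $parsed = [System.Uri]::TryCreate($raw, [System.UriKind]::Absolute, [ref]$uri)
        if (-not $parsed -or (@('http', 'https') -notcontains $uri.Scheme)) {
            Write-Warning "$name = '$raw' is not an absolute http(s) URL"
            $ok = $false
            continue
        }
        # The setting takes the server root only; a trailing path like
        # /selfupdate belongs to the server's virtual directories, not here.
        if ($uri.AbsolutePath -ne '/') {
            Write-Warning "$name = '$raw' includes a path; use scheme, host and port only (e.g. http://${ExpectedHost}:8530)"
            $ok = $false
        }
        if ($uri.Host -ne $ExpectedHost) {
            Write-Warning "$name points at '$($uri.Host)', expected '$ExpectedHost'"
            $ok = $false
        }
    }

    # UseWUServer = 1 is what makes the Automatic Updates client honour WUServer.
    $useWu = (Get-ItemProperty -Path $au -ErrorAction SilentlyContinue).UseWUServer
    if ($useWu -ne 1) {
        Write-Warning "UseWUServer is not 1 under $au; the client will go to Microsoft Update instead of WSUS"
        $ok = $false
    }
    return $ok
}

# Usage on a client that has received the GPO (host name is an assumption):
# Test-WsusClientPolicy -ExpectedHost 'per510'
```

Run on a client after gpupdate, a $false result with no warning about the missing key means the GPO applied but carries a value the update agent cannot use, which separates the "policy never arrived" case discussed earlier in the thread from the "policy arrived with a bad URL" case raised here.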