
Question: Group policy settings were overwritten by a higher authority.....

  • Wednesday, October 28, 2009 9:36 PM, Mayur Kirti
     
    There is no GP set for Windows Updates. So when I run rsop on the client, there is no WSUS server set under "Specify intranet Microsoft update service location" policy.

    At the same time, if I look at the local group policy, the client is successfully configuring this setting to point to the SMS SUP server. Correct port.

    However, I am seeing the following errors in WUAHandler.log:

    .
    .
    .
    Its a WSUS Update Source type ({E2273F0F-ACA6-41AC-8FF9-E3C55A1BF832}), adding it.    10/28/2009 5:20:19 PM    10352 (0x2870)
    Unable to read existing resultant WUA policy. Error = 0x80070002.     10/28/2009 5:20:19 PM    10352 (0x2870)
    Enabling WUA Managed server policy to use server: https://servername:443     10/28/2009 5:20:19 PM    10352 (0x2870)
    Waiting for 2 mins for Group Policy to notify of WUA policy change...     10/28/2009 5:20:19 PM    10352 (0x2870)
    Unable to read existing WUA resultant policy. Error = 0x80070002.     10/28/2009 5:21:27 PM    10352 (0x2870)
    Group policy settings were overwritten by a higher authority (Domain Controller) to: Server  and Policy NOT CONFIGURED     10/28/2009 5:21:27 PM    10352 (0x2870)
    Failed to Add Update Source for WUAgent of type (2) and id ({E2273F0F-ACA6-41AC-8FF9-E3C55A1BF832}) . Error = 0x80040692.    10/28/2009 5:21:27 PM    10352 (0x2870)
    .
    .
    .

    I am not sure if this is related, but I am also seeing Event ID 1202 in the Application log: "Security policies were propagated with warning. 0x534: No mapping between account names and security IDs was done......"
    Mayur
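
Added example (not part of the original thread and not ConfigMgr's own tooling): a Python triage script for the WUAHandler.log excerpt in the question above. It pairs each "Enabling WUA Managed server policy" line with the later "overwritten by a higher authority" line on the same thread and reports what the client requested versus what took effect. The line layout (message, timestamp, thread id) is assumed to match the excerpt as pasted, and the function names are illustrative.

```python
import re
from datetime import datetime

# Log lines copied from the question above (layout: message, timestamp, thread id).
SAMPLE = """\
Its a WSUS Update Source type ({E2273F0F-ACA6-41AC-8FF9-E3C55A1BF832}), adding it.    10/28/2009 5:20:19 PM    10352 (0x2870)
Unable to read existing resultant WUA policy. Error = 0x80070002.     10/28/2009 5:20:19 PM    10352 (0x2870)
Enabling WUA Managed server policy to use server: https://servername:443     10/28/2009 5:20:19 PM    10352 (0x2870)
Waiting for 2 mins for Group Policy to notify of WUA policy change...     10/28/2009 5:20:19 PM    10352 (0x2870)
Unable to read existing WUA resultant policy. Error = 0x80070002.     10/28/2009 5:21:27 PM    10352 (0x2870)
Group policy settings were overwritten by a higher authority (Domain Controller) to: Server  and Policy NOT CONFIGURED     10/28/2009 5:21:27 PM    10352 (0x2870)
Failed to Add Update Source for WUAgent of type (2) and id ({E2273F0F-ACA6-41AC-8FF9-E3C55A1BF832}) . Error = 0x80040692.    10/28/2009 5:21:27 PM    10352 (0x2870)
"""

LINE = re.compile(r"^(?P<msg>.*?)\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
                  r"\s+(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)\s*$")
ENABLE = re.compile(r"Enabling WUA Managed server policy to use server: (\S+)")
OVERRIDE = re.compile(r"overwritten by a higher authority \((.*?)\) to: Server\s*(.*?)\s*and Policy\s+(.+)$")
FAILED = re.compile(r"Failed to Add Update Source .*Error = (0x[0-9A-Fa-f]{8})")

def hresult_fields(code):
    """Split an HRESULT into (failure bit, facility, code); facility 7 wraps a Win32 error."""
    v = int(code, 16)
    return bool(v >> 31), (v >> 16) & 0x7FF, v & 0xFFFF

def find_policy_overrides(text):
    """Return one finding per enable -> override sequence, tracked per thread id."""
    pending, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip elided rows, blank lines and wrapped text
        msg, tid = m["msg"], m["tid"]
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        if e := ENABLE.search(msg):
            pending[tid] = {"requested": e[1], "start": ts}
        elif (o := OVERRIDE.search(msg)) and tid in pending:
            p = pending[tid]
            p.update(authority=o[1], effective=o[2].strip(), policy=o[3].strip(),
                     waited_s=int((ts - p["start"]).total_seconds()), error=None)
            findings.append(p)
        elif (f := FAILED.search(msg)) and tid in pending and "policy" in pending[tid]:
            pending.pop(tid)["error"] = f[1]  # attach the failure code to the finding
    return findings

if __name__ == "__main__":
    for finding in find_policy_overrides(SAMPLE):
        print(finding, hresult_fields(finding["error"]))
```

On the excerpt this yields a single finding: the client requested https://servername:443, the effective server came back empty with the policy NOT CONFIGURED 68 seconds later, and the add failed with 0x80040692. `hresult_fields("0x80070002")` shows that the earlier "Unable to read" error is Win32 error 2 (file not found) wrapped in an HRESULT.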

All Replies

  • Wednesday, October 28, 2009 10:10 PM, Jason Sandys (MVP)
     
    It looks like you used to have a group policy in place and are now having group policy issues that are manifesting as other issues. The first step is to fix the cause of the 1202 error.
    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
  • Thursday, October 29, 2009 6:45 AM, Kent Agerlund
     
    I go along with Jason; from the log it looks like you have a GPO defined. But with the error you are seeing, I think the problem is related to you not reading the latest GPOs. Check this for a similar problem - http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/21df79bb-bd21-427e-bc9b-023dc5c5c08b

    Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
  • Thursday, October 29, 2009 10:01 AM, Jie-Feng Ren - MSFT (MSFT, Moderator)
     
    Hi,

    Try this:

    Backup & Delete C:\Windows\System32\GroupPolicy
    Backup & Delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
    Backup & Delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies

    Restart the client.

    HTH.
    Jie-Feng Ren - MSFT
  • Friday, October 30, 2009 6:39 PM, Mayur Kirti
     
    I am going to try what Jie-Feng suggested here. Since this is a production server, I am going to be working on the issue tonight. Will update later.
    Mayur
  • Thursday, November 05, 2009 11:35 AM, Jie-Feng Ren - MSFT (MSFT, Moderator)
     

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios.

     If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

     In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

     Thanks!


    Jie-Feng Ren - MSFT
  • Thursday, November 05, 2009 3:25 PM, Mayur Kirti
     
    I am un-marking it as an answer. I tried the edits and ended up locking the server. It did not let me log on to the domain after the reboot. I couldn't find what caused this from whatever little time I had to look at the logs. I reverted the VM snapshot to discard the changes.

     I will be troubleshooting this further in next few days and will keep you posted. Let me know if you have any other suggestions in the meantime.

    Thanks.
    Mayur
  • Friday, November 06, 2009 12:28 PM, matt_isda_bomb
     
    Hi, I am also having the same problem. I have checked and I have no GPOs set on the DC, and only half of the machines assigned to my Site server are having the issue.

    Any Help much appreciated?

    Matt
  • Friday, November 06, 2009 1:10 PM, John Marcum (MVP)
     
    I have only ever seen the message Group policy settings were overwritten by a higher authority (Domain Controller) when there is really a GPO in-place. Can you do RSOP on one of those machines to triple check?




    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
  • Friday, November 06, 2009 9:37 PM, Mayur Kirti
     
    John, the actual error is this:

    Group policy settings were overwritten by a higher authority (Domain Controller) to: Server  and Policy NOT CONFIGURED

    So it is reading that the policy is not actually configured.

    I did another rsop on the server. There is no Windows Updates folder under Windows Components, or in short no Windows Updates policies applied. There are other servers in the same OU level as this one without this issue.

      
    Mayur
  • Friday, November 06, 2009 9:47 PM, Mayur Kirti
     
    This is interesting... I don't want to digress from our original discussion, but when I run RSOP on my XP machine where software updates is working fine, I see the update service location is defined. Although I can't see this policy defined in GPMC. Is this normal? I thought RSOP only showed the domain policies that get applied as a part of GPs.

     
    Mayur
  • Saturday, November 07, 2009 12:55 PM, Peter van der Woude
     
    RSOP also shows the local policies. When Software Updates are enabled on your ConfigMgr Site, then the ConfigMgr client will set a local policy that points to your Software Updates Point.
    My Blog: http://www.petervanderwoude.nl/