none
GPO Policy for WSUS shows up on the GPO modeling but not in the GPO results RRS feed

  • Question

  • I have a WSUS desktop policy that is not being applied to an OU for a branch office. When I look at the GPO modeling results, it shows that the policy is being applied. However, when I look at the GPO results it is not being applied. ON the workstation, the policy is not being applied either. 
    Wednesday, January 12, 2011 4:25 PM

Answers

  • Hi,

     

    From the GPO modeling results, we can see that the following two GPOs were applied:

     

    WSUS Server Policy

    WSUS Desktop Policy

     

    For the winning group policy settings, you can see the report for details.

     

    Please help clarify how you configured the WSUS Server Policy and WSUS Desktop Policy. Do you need to apply the two policies at the same time? Have you enabled Client-side Targeting? Please check it on your side. How did you link the GPOs?

     

    From the GPO Policy results, we can see that the GPO “WSUS Server Policy” is applied, "WSUS Desktop Policy" is not showed under either Applied or Denied GPOs. Normally, this situation can occur due to the following factors:

     

    1. The GPO is not linked to a site, domain, or OU of which the computer or user is a member

    2. Replication

    3. Group Policy refresh

    4. Network Connectivity

     

    Please make sure the GPO is linked correctly and GP Replication is working fine. Please also run “gpupdate /force” on the client to check the results.

     

    For more information, please refer to the following articles:

     

    Configure Automatic Updates by Using Group Policy

    http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx  

     

    Best Practices with Windows Server Update Services

    http://technet.microsoft.com/en-us/library/cc708536(WS.10).aspx   

     

    Thanks.

    Nina

     


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, January 13, 2011 10:16 AM
    Moderator

All replies

  • GPO modeling results:

    acmePART\BYPWVTRWK05VDT 
    Data collected on: 1/12/2011 9:53:02 AM hide all 

    Summaryhide
    Computer Configuration Summaryhide
    Generalhide
    Computer name acmePART\BYPWVTRWK05VDT 
    Computer container acmepartners.local/Locations/Bryan/Computers/Desktops 
    Domain acmepartners.local 
    Site EDFTNA-US-BRY 
    Slowlink processing No 

    Group Policy Objectshide
    Applied GPOshide
    Name Link Location Revision 
    WSUS Server Policy acmepartners.local AD (4), Sysvol (4) 
    Default Domain Policy acmepartners.local AD (87), Sysvol (87) 
    WSUS Desktop Policy acmepartners.local/Locations/Bryan/Computers/Desktops AD (22), Sysvol (22) 

    Denied GPOshide
    Name Link Location Reason Denied 
    Workstation_Idle_Screen_Lock_Policy acmepartners.local Empty 
    Intranet IE Settings acmepartners.local/Locations Empty 

    Simulated security group membershiphide
    acmePART\BYPWVTRWK05VDT$
    acmePART\Domain Computers
    Everyone
    BUILTIN\Users
    BUILTIN\Pre-Windows 2000 Compatible Access
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    Mandatory Label\Medium Plus Mandatory Level
    WMI Filtershide
    Name Value Reference GPO(s) 
    None 

    Component Statushide
    Component Name Status 
    Group Policy Infrastructure Success 
    Registry Success 
    Security Success 

    User Configuration Summaryhide
    No data available.
    Computer Configurationhide
    Policieshide
    Windows Settingshide
    Security Settingshide
    Account Policies/Password Policyhide
    Policy Setting Winning GPO 
    Enforce password history 10 passwords remembered Default Domain Policy 
    Maximum password age 90 days Default Domain Policy 
    Minimum password age 1 days Default Domain Policy 
    Minimum password length 7 characters Default Domain Policy 
    Password must meet complexity requirements Enabled Default Domain Policy 
    Store passwords using reversible encryption Disabled Default Domain Policy 

    Account Policies/Account Lockout Policyhide
    Policy Setting Winning GPO 
    Account lockout duration 0 minutes Default Domain Policy 
    Account lockout threshold 5 invalid logon attempts Default Domain Policy 
    Reset account lockout counter after 30 minutes Default Domain Policy 

    Account Policies/Kerberos Policyhide
    Policy Setting Winning GPO 
    Enforce user logon restrictions Enabled Default Domain Policy 
    Maximum lifetime for service ticket 600 minutes Default Domain Policy 
    Maximum lifetime for user ticket 10 hours Default Domain Policy 
    Maximum lifetime for user ticket renewal 7 days Default Domain Policy 
    Maximum tolerance for computer clock synchronization 5 minutes Default Domain Policy 

    Local Policies/Audit Policyhide
    Policy Setting Winning GPO 
    Audit account logon events Success, Failure Default Domain Policy 
    Audit account management Success, Failure Default Domain Policy 
    Audit directory service access Failure Default Domain Policy 
    Audit logon events Success, Failure Default Domain Policy 
    Audit object access Failure Default Domain Policy 
    Audit policy change Success, Failure Default Domain Policy 
    Audit system events Success, Failure Default Domain Policy 

    Local Policies/User Rights Assignmenthide
    Policy Setting Winning GPO 
    Lock pages in memory acmePART\SQL_Lock_Pages_In_Memory Default Domain Policy 

    Local Policies/Security Optionshide
    Network Securityhide
    Policy Setting Winning GPO 
    Network security: Force logoff when logon hours expire Disabled Default Domain Policy 

    Event Loghide
    Policy Setting Winning GPO 
    Maximum security log size 512 kilobytes Default Domain Policy 
    Retention method for security log As needed Default Domain Policy 

    Public Key Policies/Certificate Services Client - Auto-Enrollment Settingshide
    Policy Setting Winning GPO 
    Automatic certificate management Enabled [Default setting] 
    Option Setting 
    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled 
    Update and manage certificates that use certificate templates from Active Directory Disabled 
     

    Public Key Policies/Encrypting File Systemhide
    Certificateshide
    Issued To Issued By Expiration Date Intended Purposes Winning GPO 
    Administrator Administrator 10/22/2011 6:01:27 PM File Recovery Default Domain Policy 

    For additional information about individual settings, launch Group Policy Object Editor.
    Public Key Policies/Trusted Root Certification Authoritieshide
    Propertieshide
    Winning GPO [Default setting] 
    Policy Setting 
    Allow users to select new root certification authorities (CAs) to trust Enabled 
    Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities 
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only 

    Certificateshide
    Issued To Issued By Expiration Date Intended Purposes Winning GPO 
    EDFT-Standalone-CA EDFT-Standalone-CA 3/3/2015 8:49:36 AM <All> Default Domain Policy 

    For additional information about individual settings, launch Group Policy Object Editor.
    Administrative Templateshide
    Policy definitions (ADMX files) retrieved from the local machine.Network/DNS Clienthide
    Policy Setting Winning GPO 
    DNS Suffix Search List Enabled Default Domain Policy 
    DNS Suffixes: acmepartners.local,edftrading.com,edftnadmz.local,edftnatmg.local 
     

    System/Logonhide
    Policy Setting Winning GPO 
    Always wait for the network at computer startup and logon Enabled Default Domain Policy 

    System/Windows Time Service/Time Providershide
    Policy Setting Winning GPO 
    Enable Windows NTP Client Enabled Default Domain Policy 
    Enable Windows NTP Server Enabled Default Domain Policy 

    Windows Components/Windows Updatehide
    Policy Setting Winning GPO 
    Allow Automatic Updates immediate installation Enabled WSUS Desktop Policy 
    Allow signed updates from an intranet Microsoft update service location  Enabled WSUS Server Policy 
    Automatic Updates detection frequency Enabled WSUS Desktop Policy 
    Check for updates at the following 
    interval (hours):  9 
     
    Policy Setting Winning GPO 
    Configure Automatic Updates Enabled WSUS Desktop Policy 
    Configure automatic updating: 4 - Auto download and schedule the install 
    The following settings are only required 
    and applicable if 4 is selected. 
    Scheduled install day:  1 - Every Sunday 
    Scheduled install time:   
     
    Policy Setting Winning GPO 
    Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled WSUS Desktop Policy 
    Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates Enabled WSUS Desktop Policy 
    Specify intranet Microsoft update service location Enabled WSUS Desktop Policy 
    Set the intranet update service for detecting updates: http://hopwvwsus01:8530 
    Set the intranet statistics server: http://hopwvwsus01:8530 
    (example: http://IntranetUpd01) 
     

    User Configurationhide
    No data available.
    Wednesday, January 12, 2011 4:46 PM
  • GPO Policy results:

    acmePART\BYPWVTRWK05VDT 

    Data collected on: 1/12/2011 10:21:08 AM hide all 

     

    Summaryhide

    Computer Configuration Summaryhide

    Generalhide

    Computer name acmePART\BYPWVTRWK05VDT 

    Domain acmepartners.local 

    Site EDFTNA-US-HOU 

    Last time Group Policy was processed 1/12/2011 8:45:40 AM 

     

    Group Policy Objectshide

    Applied GPOshide

    Name Link Location Revision 

    WSUS Server Policy acmepartners.local AD (4), Sysvol (4) 

    Default Domain Policy acmepartners.local AD (87), Sysvol (87) 

     

    Denied GPOshide

    Name Link Location Reason Denied 

    Local Group Policy Local Empty 

    Workstation_Idle_Screen_Lock_Policy acmepartners.local Empty 

    Intranet IE Settings acmepartners.local/Locations Empty 

     

    Security Group Membership when Group Policy was appliedhide

    BUILTIN\Administrators

    Everyone

    BUILTIN\Users

    NT AUTHORITY\NETWORK

    NT AUTHORITY\Authenticated Users

    NT AUTHORITY\This Organization

    acmePART\BYPWVTRWK05VDT$

    acmePART\Domain Computers

    WMI Filtershide

    Name Value Reference GPO(s) 

    None 

     

    Component Statushide

    Component Name Status Last Process Time 

    Group Policy Infrastructure Success 1/12/2011 8:45:41 AM 

    EFS recovery Success (no data) 11/8/2010 12:09:20 PM 

    Registry Success 1/7/2011 3:29:37 PM 

    Security Success 11/8/2010 12:09:20 PM 

     

    User Configuration Summaryhide

    No data available.

    Computer Configurationhide

    Policieshide

    Windows Settingshide

    Security Settingshide

    Account Policies/Password Policyhide

    Policy Setting Winning GPO 

    Enforce password history 10 passwords remembered Default Domain Policy 

    Maximum password age 90 days Default Domain Policy 

    Minimum password age 1 days Default Domain Policy 

    Minimum password length 7 characters Default Domain Policy 

    Password must meet complexity requirements Enabled Default Domain Policy 

    Store passwords using reversible encryption Disabled Default Domain Policy 

     

    Account Policies/Account Lockout Policyhide

    Policy Setting Winning GPO 

    Account lockout duration 0 minutes Default Domain Policy 

    Account lockout threshold 5 invalid logon attempts Default Domain Policy 

    Reset account lockout counter after 30 minutes Default Domain Policy 

     

    Local Policies/Audit Policyhide

    Policy Setting Winning GPO 

    Audit account logon events Success, Failure Default Domain Policy 

    Audit account management Success, Failure Default Domain Policy 

    Audit directory service access Failure Default Domain Policy 

    Audit logon events Success, Failure Default Domain Policy 

    Audit object access Failure Default Domain Policy 

    Audit policy change Success, Failure Default Domain Policy 

    Audit system events Success, Failure Default Domain Policy 

     

    Local Policies/User Rights Assignmenthide

    Policy Setting Winning GPO 

    Lock pages in memory acmePART\SQL_Lock_Pages_In_Memory Default Domain Policy 

     

    Local Policies/Security Optionshide

    Network Securityhide

    Policy Setting Winning GPO 

    Network security: Force logoff when logon hours expire Disabled Default Domain Policy 

     

    Event Loghide

    Policy Setting Winning GPO 

    Maximum security log size 512 kilobytes Default Domain Policy 

    Retention method for security log As needed Default Domain Policy 

     

    Public Key Policies/Certificate Services Client - Auto-Enrollment Settingshide

    Policy Setting Winning GPO 

    Automatic certificate management Enabled [Default setting] 

    Option Setting 

    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled 

    Update and manage certificates that use certificate templates from Active Directory Disabled 

     

     

    Public Key Policies/Encrypting File Systemhide

    Certificateshide

    Issued To Issued By Expiration Date Intended Purposes Winning GPO 

    Administrator Administrator 10/22/2011 6:01:27 PM File Recovery Default Domain Policy 

     

    For additional information about individual settings, launch Group Policy Object Editor.

    Public Key Policies/Trusted Root Certification Authoritieshide

    Propertieshide

    Winning GPO [Default setting] 

    Policy Setting 

    Allow users to select new root certification authorities (CAs) to trust Enabled 

    Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities 

    To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only 

     

    Certificateshide

    Issued To Issued By Expiration Date Intended Purposes Winning GPO 

    EDFT-Standalone-CA EDFT-Standalone-CA 3/3/2015 8:49:36 AM <All> Default Domain Policy 

     

    For additional information about individual settings, launch Group Policy Object Editor.

    Administrative Templateshide

    Policy definitions (ADMX files) retrieved from the local machine.Network/DNS Clienthide

    Policy Setting Winning GPO 

    DNS Suffix Search List Enabled Default Domain Policy 

    DNS Suffixes: acmepartners.local,edftrading.com,edftnadmz.local,edftnatmg.local 

     

     

    System/Logonhide

    Policy Setting Winning GPO 

    Always wait for the network at computer startup and logon Enabled Default Domain Policy 

     

    System/Windows Time Service/Time Providershide

    Policy Setting Winning GPO 

    Enable Windows NTP Client Enabled Default Domain Policy 

    Enable Windows NTP Server Enabled Default Domain Policy 

     

    Windows Components/Windows Updatehide

    Policy Setting Winning GPO 

    Allow Automatic Updates immediate installation Enabled WSUS Server Policy 

    Allow signed updates from an intranet Microsoft update service location  Enabled WSUS Server Policy 

    Automatic Updates detection frequency Enabled WSUS Server Policy 

    Check for updates at the following 

    interval (hours):  9 

     

    Policy Setting Winning GPO 

    Configure Automatic Updates Disabled Default Domain Policy 

    Specify intranet Microsoft update service location Enabled WSUS Server Policy 

    Set the intranet update service for detecting updates: http://hopwvwsus01:8530 

    Set the intranet statistics server: http://hopwvwsus01:8530 

    (example: http://IntranetUpd01) 

     

     

    User Configurationhide

    No data available.

    Wednesday, January 12, 2011 4:49 PM
  • Hi,

     

    From the GPO modeling results, we can see that the following two GPOs were applied:

     

    WSUS Server Policy

    WSUS Desktop Policy

     

    For the winning group policy settings, you can see the report for details.

     

    Please help clarify how you configured the WSUS Server Policy and WSUS Desktop Policy. Do you need to apply the two policies at the same time? Have you enabled Client-side Targeting? Please check it on your side. How did you link the GPOs?

     

    From the GPO Policy results, we can see that the GPO “WSUS Server Policy” is applied, "WSUS Desktop Policy" is not showed under either Applied or Denied GPOs. Normally, this situation can occur due to the following factors:

     

    1. The GPO is not linked to a site, domain, or OU of which the computer or user is a member

    2. Replication

    3. Group Policy refresh

    4. Network Connectivity

     

    Please make sure the GPO is linked correctly and GP Replication is working fine. Please also run “gpupdate /force” on the client to check the results.

     

    For more information, please refer to the following articles:

     

    Configure Automatic Updates by Using Group Policy

    http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx  

     

    Best Practices with Windows Server Update Services

    http://technet.microsoft.com/en-us/library/cc708536(WS.10).aspx   

     

    Thanks.

    Nina

     


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, January 13, 2011 10:16 AM
    Moderator