locked
Client Side Targeting Using Group Policy RRS feed

  • Question

  • Hello everyone,

    I setup WSUS role on the backup domain controller running Server 2012 R2 but I can't get the clients to show up on the management console. We have a Domain and Active Directory set up here both servers are Server 2012 R2. So, WSUS is able to download the updates but there is no client to install. We had this feature running on a server 2008 but I decommissioned that server. What I did was going to the policy settings for windows update and changed the update service location with the address for the new server http://<servername>:8530. I updated the group policy on the server and also on the clients but still no clients showing up. I also ran the command wuauclt.exe /detectnow and nothing happens. So I would appreciate if anyone could help me with this problem. Also when I look at the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer  it shows the address for the old server not the new one. Would the group policy override that key with a new value? Also so you know the policy is set on the OU for the user and not the Computers OU, in case that helps. Thank you.


    From Microsoft Technet



    • Edited by JoeOliveira Thursday, March 12, 2015 7:40 PM
    Thursday, March 12, 2015 7:31 PM

Answers

  • Hi,

    WUAgent settings, via domain GP, must be linked to the Computers OU - the settings are not applicable to Users.

    Also, note that if the client computers are still showing the old WSUS servername in their registry, this suggests that your old domain GP is still linked - so you would want to edit that existing/old GP to reflect the new WSUS servername - otherwise you will have two domain GPs (one with zero benefit) and that is just going to confuse and complicate troubleshooting in the future.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by JoeOliveira Thursday, March 12, 2015 9:43 PM
    Thursday, March 12, 2015 8:30 PM
  • Here is a blog (with links to others) that gives good insight into configuring the clients https://thwack.solarwinds.com/community/application-and-server_tht/patchzone/blog/2013/05/02/configuring-your-first-wsus-client

    If you find the answer of assistance please "Vote as Helpful"and/or "Mark as Answer" where applicable. This helps others to find solutions for there issues, and recognises contributions made to the community :)

    • Marked as answer by Susie Long Tuesday, March 17, 2015 8:52 AM
    Thursday, March 12, 2015 8:40 PM

All replies

  • The easiest thing to do is to run a Resultant Set of Policies (RSOP) on one of the client machines, that will tell you which GPO is affecting the policies in place. 

    If you find the answer of assistance please "Vote as Helpful"and/or "Mark as Answer" where applicable. This helps others to find solutions for there issues, and recognises contributions made to the community :)

    Thursday, March 12, 2015 8:16 PM
  • Hi,

    WUAgent settings, via domain GP, must be linked to the Computers OU - the settings are not applicable to Users.

    Also, note that if the client computers are still showing the old WSUS servername in their registry, this suggests that your old domain GP is still linked - so you would want to edit that existing/old GP to reflect the new WSUS servername - otherwise you will have two domain GPs (one with zero benefit) and that is just going to confuse and complicate troubleshooting in the future.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by JoeOliveira Thursday, March 12, 2015 9:43 PM
    Thursday, March 12, 2015 8:30 PM
  • Here is a blog (with links to others) that gives good insight into configuring the clients https://thwack.solarwinds.com/community/application-and-server_tht/patchzone/blog/2013/05/02/configuring-your-first-wsus-client

    If you find the answer of assistance please "Vote as Helpful"and/or "Mark as Answer" where applicable. This helps others to find solutions for there issues, and recognises contributions made to the community :)

    • Marked as answer by Susie Long Tuesday, March 17, 2015 8:52 AM
    Thursday, March 12, 2015 8:40 PM
  • Hi Don,

    Thanks for your help. There was the same policy on a couple of GPO one as a Default Domain Policy and A Everyone Policy which was set for all the domains users. What I ended up doing was create a new OU for the computers and moved all the computers into it (for some reason the OU which all the computers were I couldn't link on the Group Policy Manager. It was just a folder not a OU) then I created a new GPO only for the windows updates and linked to the OU. Also I had to go and set as not configured all the settings related to the Windows Updates on the others GPO. Now I see the machines but I see a yellow triangle icon near them, that is probably because it have not been synced yet. Thank you again.



    From Microsoft Technet

    Thursday, March 12, 2015 9:43 PM
  • Hi Michael,

    That link was very helpful. Thanks.


    From Microsoft Technet

    Thursday, March 12, 2015 9:44 PM
  • I ran the report and it showed all the policies applied. I had to go back to the Group Policy Manager and change the settings. Thanks.

    From Microsoft Technet

    Thursday, March 12, 2015 9:51 PM
  • What I ended up doing was create a new OU for the computers and moved all the computers into it (for some reason the OU which all the computers were I couldn't link on the Group Policy Manager. It was just a folder not a OU)

    Ah.

    By default, when AD is first installed/created, there is a "Users" container and a "Computers" container.

    These are not OUs, and because of that, you cannot link GPO to them.

    The user or computer objects within these containers can inherit GPO if the GPO is linked at the domain root, but you can't link GPO directly to containers.

    The idea of containers, is that this is where new users or computers might be migrated-into (eg as part of an NT domain migration -> AD), but the intention is that you wouldn't really leave user objects nor computer objects in those default containers, rather, you would move the new or migrated objects into an appropriate OU. (and you can then link GPO there).


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by JoeOliveira Friday, March 13, 2015 4:43 PM
    • Unmarked as answer by JoeOliveira Friday, March 13, 2015 4:43 PM
    Friday, March 13, 2015 7:48 AM
  • Yeah,

    I din't know that we just a container and I couldn't see on the Group Policy Manager. Thank you for taking the time and helping me with this issue. 


    From Microsoft Technet

    Friday, March 13, 2015 4:42 PM