Domain Group Policy changes causes clients to be unable to connect to WSUS for Windows Updates

Similar Messages

• Group Policy changes cause Access Denied error for Domain Admin account

  Hi All,
  I am battling to get WSUS to work, and I think the route cause is problems editing the domain and domain controller group policy objects.
  We have 1 DC, approx 20 clients. 1 GPO for DC, 1 GPO for clients. Ther e is a link to the default domain GPO in our staff (users) OU, I don't know if it should be there or not.
  I log in as domain administrator, right-click the domain GPO in GPMC, click Edit.
  Find the setting I want to edit (specify intranet microsoft update service location), double click.
  Change something, click OK.
  I get error:
  Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continute.
  Access is denied. (Exception from HRESULT: 0x80070005
  (E_ACCESSDENIED)).
  I have followed the steps in the links posted by Brent in another post called: "restricting-domain-admin-account-to-edit-group-policies" (no links allowed for my account yet sorry) and the user does have edit settings, delete, modify security delecation.
  PLEASE NOTE: the solution may very well be something very simple/basic. I am reasonably computer savvy, but have just upgraded the whole network for an NGO on a voluntary basis. Never seen a sever before I came here, but I'm the best they have. Please bare
  that in mind when offering advice :)
  Any help appreciated!
  James

  More diagnostic info:
  Inside GPMC, there's Group Policy Results.
  If I right-click, Result Wizard, choose this computer, it works fine showing default domain controllers policy with alert that it's enforced.
  If I browse for another PC (it comes up as Domain\PC name), click Next, I get error:
  Failed to connect to DOMAIN\PCNAME due to the error listed below. Ensure that the Windows Management Instrumentation (WMI) service is enabled on the target computer, and consult the event log of the target computer for further details.
  Details: the RPC server is unavailable.
  If you need the recent related events, I will post them. I also checked that service on the client - it's automatic and started.
  PPS Clients are all Win 7, PCs are 32bit, laptops are 64. Server is Windows Server 2012 Datacenter. WSUS when clicking Help -> About from the snap-in/GUI: 6.2.9200.16384.
  PPPS Directory browsing for the whole WSUS object in IIS is enabled, thanks to SorinAlbu over at Spiceworks post WSUS and IIS.
  PPPPS Launching IE and loading http://servername:8530/iuident.cab fails 404 error from both clients and server. That file in C:\Program Files\Update Services\WebServices\Root\iuident.cab doesn't exist. Maybe because we recently removed the WSUS role and reinstalled
  it, to check if something went wrong the first time? It's all been configured using the snapin/GUI, but the new installation of the role hasn't yet connected to the Microsoft Update servers.
  PPPPPS Added the Application Server role with default settings as recommended by the step by step guide to WSUS at Technet. Still no dice.

• Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client

  Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it.  Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings"
  on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
  For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings
  defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO").  I have not confirmed if this is the case for machine level settings defined outside of administrative
  templates in Domain Group Policy, or for any user level settings though.  (But I suspect not.)
  When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue:
  http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval?  I don't believe
  so, but would like confirmation.
  Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
  And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client?  I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry.  Does
  anyone know of a full list of these settings?  I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security
  Policy, after unjoining the domain.
  Any info/insight/links to other doc/etc would be much appreciated!

  Hi Shaun,
  >>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?   
  As far as I know, it's not this case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by
  the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
  >>What if a client looses network connectivity while reading Domain GPO?
  Group policy will be get updated when computers start up and users log on. Besides, for workstations, group policy will get refreshed at background with by default an interval
  of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
  >>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
  There are many reasons which can cause GP malfunction. However, Windows itself provides necessary tools for troubleshooting various issues. When GP malfunctions, we can check
  Event Viewer, collect group policy result, or generate group policy log to troubleshoot.
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Preventing Domain Group Policy from being applied

  How can a user prevent the domain group policy from being applied to his machine? And How can I stop users from doing that?

  Hi,
  No, group policy is processed by order, that is,  local GPO is processed first, and then domain policy is processed by order, which would overwrite settings in the earlier GPOs if there are conflict.
  If you don’t want to apply the domain policy, apply a higher precedence policy or disjoin the domain.
  Group Policy processing and precedence
  http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
  Alex Zhao
  TechNet Community Support

• FTP-client behind RRAS - unable to connect to external FTP servers

  FTP-client behind RRAS - unable to connect to external FTP servers
  A small network (10-20PCs) without any segmentation - one LAN with one Gateway.
  1. If the Gateway is some small hardware device, there are not any problems to make FTP-connections from LAN to Internet FTP-servers
  2. If the Gateway is Win2003+RRAS+NAT or Win2003+ISA2005, there are not any problems to make FTP-connections from LAN to Internet FTP-servers
  3. But if the gateway is Win2008+RAS+NAT or Win2012+RRAS+NAT, the computers in the LAN are not able to connect to Internet FTP-servers
  I made a few tests:
  1. On Win2012+RRAS+NAT
  TurnOff Windows Firewall for All profiles (Domain, Private, Public) - the problem disappears, it it possible to connect to external Internet FTP-servers.
  2. On Win2012+RRAS+NAT
  TurnOff Windows Firewall only for Domain profile - the problem disappears, it it possible to connect to Internet FTP-servers.
  3. On Win2012+RRAS+NAT
  TurnOn Windows Firewall for All profiles (Domain, Private, Public)
  But I excluded the Internal NIC in this list
  Windows Firewall / Properties / Domain Profile / Protected network connections 
  and the problem disappears again
  My question is:
  What new Firewall rule  I have to make and where to place it (to be able to make FTP-connection from LAN to Internet FTP-servers)?
  I made some attempts to allow port21, but any success.

  Thank you, but did you try this ? 
  Can you describe in detail "exclusion rule for FTP traffic" ?!
  In my previous post, I want to say that if you use Win 2008/2012 RAS+NAT as a network gateway, than it is not possible to make FTP-connections to external FTP servers from the computers behind that gateway.
  And the standard attempts to make "Allow"-rules for port 21 in the gateway firewall (Win 2008/2012), do not solve the problem.
  No matter which FTP-client you can try to use.
  To see this problem, just make few simple tests: 
  ">telnet <ftp-server> 21" 
  with firewall on/off  and inbound/outbound "Allow port 21 rule (All/Domain/Private/Public)"
  In my country, the Government Tax Department uses FTP-protocol to collect monthly data from companies. 
  And it is too stupid scenario (to be a small company and to) upgrade from Win 2003 to a newer 2008/2012 and than to not be able to make all your jobs.
  -------EDIT---------
  The same problem (and its solution) is described here:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0c68aed6-e22b-4cd4-86bd-f3c767e88349/advanced-firewall-blocking-through-ftp-traffic-rras
  The magic command:
  ">netsh routing ip nat delete ftp"
  solved the problem for me.
  And here is the description of this command - "Disables the FTP proxy on the NAT server."
  http://technet.microsoft.com/en-us/library/cc754535(v=ws.10).aspx#BKMK_106

• Can't activate cs5 cause, keeps telling me unable to connect to internet, although am connected

  can't activate cs5 cause, keeps telling me unable to connect to internet, although am connected, any help please ?

  it's a downloaded file. When i failed to activate it, i tried it trial bs it's expired and i wanna activate it . The serial number is right but it keeps telling me unable to connect to internet :s :s

• Apply Group Policy to external clients

  Is it possible to apply GPO's to clients on external networks such as their own personal networks. I'm looking at solutions such as authenticating them through a proxy on the perimeter network and are pushed to the Domain Controller to force these policies.
  As it stands, the clients use a VPN client to gain access to the corporate network, and I know that group policy will use the Network Location Service to detect the Domain Controller, but the VPN connection is not mandatory and most be established by the client,
  if this connection is not required for their job, the may never connect and not get updated GPO's.

  Hi,
  I agree with Joseph. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet.
  Regarding DirectAcces, the following articles can be referred to for more information.
  Using DirectAccess
  http://technet.microsoft.com/en-in/windows/dn168168.aspx
  Windows Server 2012 Direct Access – Part 1 What’s New
  http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
  In addition, for this question mainly focuses on network, in order to get more and better help, we can also ask for suggestions in the following forum.
  Network Access Protection
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
  Best regards,
  Frank Shen

• How to implement " log on locally" via Domain Group Policy

  Hello,
  Thanks for always being very helpful.
  My Goal:
  I want to restrict one domain user to login to one computer only  (admin/root users to login to every computer).
  I searched and I believe there is no such direct way to implement via the group policy unless I may add one GPO per user to implement"log on locally" from the group policy.
  Do you have some VB script or other good way so I should not login to each computer one by one and edit the policy manually.
  Thanks in advance.
  Muhammad Asif Server Administrator Linux/Windows

  I am sorry if I wasn't cleared, I am managing about 250 users and want accomplish from some centralized locations. I don't want to go to every machine and apply the changes.
  I want to let one domain user to login to one system only.
  I have the list of computer name VS username, and I want to apply from centralized location without login to each computer one by one.
  Thanks a lot for the assistance.
  Muhammad Asif Server Administrator Linux/Windows
  The solution can only be applied once at the DC with ADUC or with Set-ADUSer as I posted.  It only needs to be run once from one DC.
  ¯\_(ツ)_/¯

• ITunes won't work because of domain group policy

  Hi my work just implemented a really stupid group policy through our domain that dissallows any file named iTunes.exe to run. The good news is I can rename iTunes.exe and get iTunes to work. That bad news is once I rename iTunes.exe the iPod service is unable to start. The iPod service I assume is what automatically launches iTunes when you plug in your iPod. Does anyone know if a way to let the iPod service and any other file that depends on iTunes.exe that I have renamed it?

  I don't have a solution for you, but as a system administrator I feel I must comment.
  I don't know about where you work -- but at my job, deliberate circumvention of policy is "abuse" and is considered grounds for termination. The computer you use at work is not yours; it belongs to the company you work for.
  If you have a problem with the policy you should take it up with the administrators or your management -- not try to circumvent it. Perhaps the policy is based on a misunderstanding that you could clear up! You (your computer, really) might even be granted an exception to the policy.

• Group policy changed/device drivers

    I admit, I should not have used slimdrivers to undtae my drivers but, I did.  I only used it once and decided I wanted to use my pcs tools to updated rivers. I restored all drivers from slimdrivers and then went to device manager to update
  my drivers.  Ok, so far, im trying to get to my problem bare with me.  After I did all this, I had been having troubles with my browser so I changed to comodo dragon.  I was having problems with my point device (synaptics) and though maybe the
  driver didn't install correctly or at all so when I went to device manager to update from there again, an error report came up saying that I have installed another ps/2 pointing device driver please uninstall the synaptics driver by clicking yes then you need
  to reinstall your pointing device driver for your external device again. first off, I didn't change drivers for an external device.  unless its referring to my laptop which is a HP G60-635Dx notebook, windows 7 (2009) It asked me if I wanted to uninstall
  and I said no.  My cursor was moving erratically while pointing to my game icons on zoo world 1 game on Facebook. it doesn't do this anywhere else when im on my laptop. just on the game. and only in  comodo dragon.  I switched back to IE 10
  for now. chrome isn't an option as I deleted my user profile upon uninstalling it and deleting the browser history during uninstall. (I read later you cant so that or chrome wont reinstall)  Unless you go to registry and reset the values to zero and im
  to chicken to try it. I got the insturctions but, not the confidence.  Ok so back to my problem.  when slimdrivers was installed, from what I researched, did I give them permission as an administrator to update drivers?  and did that take away
  my advantages as an admin ?  Im only asking this because when I was going thru the motions to control panel to figure things out, a lot of errors arose. one being that I changed my group policies and I know I didn't do it manually.  Thru my research,
  all I came up with is that group policies can be changed when you do something Like I did getting another website to download and install drivers. if I am right about this, how can I change the policy? should I e-mail slimdrivers?  or is there an easy
  way I can do it from my pc?  another issue that arose was my error report says that my fire wall failed to load recommended setting for the firewall error code )x 80070422. I researched that on MS community by the error code but didn't get a fix. 
  another error code when I tried to go to advanced setting to change firewall settings was )x609. I couldn't have 2 firewalls set to on so I turned off windows defend FW because everytime Kaspersky updates the software, they turn theirs back on but windows
  wont during their updates.  I got all these problems because os slimdrivers. I didn't have nay of them before.  restore points didn't work for me either. Do you think a tecj from here can help me solve these issues one at a time. I am a middle of
  the road Pc user but unstand directions as long as abrv. aren't always used when helping me.  thank you so very much.  J.R.

  Hi Sablecat60,
  According to your description, there are several errors: a lot of errors arose in control panel, group policies relating drivers and firewll failed to load recommended settings. Please give more detailed information about the issue to help us understand
  correctly.
  Since this is a forum about Group Policy and this issue is more than taht, and as you said you got all these problems
  because os slimdrivers. We would try our best to help you. For your information, you can also connect
  http://www.driverupdate.net/support.php
  to get more help.
  Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
  Regards,
  Lany Zhang

• Default domain Group Policy

  Hello,
  In my new company, I noticed that the default domain controllers policy has been (largely) modified.
  I thought it was a best practice to keep it clean (In case of restore).
  So I would like to create a new GPOs for my DCs to move some of those settings out of the default domain policy.
  For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy ?
  Is the GPO Link order enough ?
  Thank you

  Hi,
  Just a confirmation, did you mean that want to overwrite some settings in the
  Default Domain Controllers Policy?
  Within each domain, site, and OU, the
  Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the
  Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest
  Link Order is processed last, and therefore has the highest precedence. Since Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational
  unit, then control thier order of them via Link Order.
  If anything I misunderstand or any update, please feel free to let us know.
  Hope this helps.
  Best regards,
  Justin Gu

• Mail for exchange and domain group policy removing...

  Hi,
  I currently administer 2 domains,  both server 2003 with exchange 2003.  On the one domain I can configure any of our e series ( e51/e71/e72/e6) via MFE and permanently accept the untrusted SSL certificate. When I configure MFE to our other domain the option to accept the untrusted certificate has vanished..!
  Anyone have any ideas?  I'm sure that it's a group policy setting but I cannot spot it!

  turbominor wrote:
  No certificates have been generated bar the ones that exchange installed by default
  Hmm, I don't recall ever realizing that.  Lol.  In that case, what are you using as a root certificate?  Nothing...which explains why the cert is untrusted?  (As connections to your first Exchange server work normally, apparently you don't need a root cert for a secure connection?)  I used to get mine from http://www.cacert.org/ and installed the root cert either manually or through a device management server.
  I wasn't completely sure where I was going with my question, but just did a few web searches.  Apparently Symbian phones don't like installing self-signed certificates. "Accepting a certificate permanently" does install the cert, although I'm not sure that's quite the same thing.  You might skim http://discussions.nokia.com/t5/Eseries-and-Communicators/E72-Email-Accept-Certificate-Permanently/m... in case any of that is relevant.

• All SCCM clients are looking towards WSUS for the updates

  Hello,
  I have enabled "software based-client installation" option in SCCM2012 SP1 (did not configured any GPO manually), and now all my clients can no longer get the updates from Microsoft.
  Below rejistries shows the name of WSUS server on all client:
  Specify intranet Microsoft update service location
  Set the intranet update service for detecting updates
  Set the intranet statistics server: 
  I have unchecked the option to disable software based-client installation in SCCM server and also under "client settings", but it's not reverting the changes on all the machines automatically.
  What should I do to fix this?
  Thanks

  Thanks for the reply Torsten and Charsiu, yes its true I can see this local policy created by the sccm on all machines.
  Is it also possible for you to specify me the GPO setting that I should deploy, so far I have deployed the following setting with no help:
  Computer connfigration - Administrative template - Win components / win updates  
  "Specify intranet Microsoft update service location" - disabled
  "Turn on recommended updates via Automatic Updates" -enabled

• Client Security Solution - unable to open even see in Windows after succesfull install

  Hello, 
  I just downloaded and successfully installed the latest Client Security Solution for windows 7. After installation it asks for restart, I do it but after reboot I don't see it (!). Under Lenovo ThinkVantage Tools is no CSS at all .. everything others are there, at least I hope. All other features I have are absolutely up to date, since the laptop has only few days and I did careful
  updates on everything.
  I don't understand, windows install it and there is nothing .. I don't even know where to search for it ... can you help me out
  why can't I see the installed CSS?
  Password manager 3.20 - but no fingerprint options
  Backup and restore 4.31
  Downloaded CSS should be 8.30
  Solved!
  Go to Solution.

  you can stop it from auto filling PWs in PWM uncheck the box for auto log in every saved PW should have this option you should see something like this but not exactly LIKE IT this is PWM4 BETA
  Thinkpad R61 7733-1GU
  Thinkpad X61T 7762-54U
  Thinkpad X60T 6363-4GU
  Did a member help you today? Thank them with a Kudo!
  If a post answers your question, please mark it as an "Accepted Solution"!
  Regards,
  GMAC

• Shutdown workstations inactivity from domain group policy

  I need to find a way to have workstations shut down after the user has walked away or has been inactive
  meaning no keyboard, or mouse activity.  Need to have the machines shut down.    I have Active Directory on Windows 2003 server R2 Standard Edition SP 2.  If I can have this done by active directory I would like to know how. 
  If it is not possible to do so with Active Directory I would like to know of any other suggestions to do this.

  I have some questions:
  1. What research have you done on your own so far? (If you haven't researched it on your own, why haven't you done so, before asking?)
  2. Is this a scripting question? (If so, please post the script and tell what errors, if any, you are getting.)
  -- Bill Stewart [Bill_Stewart]