Windows Update Group Policy Settings?

I browsed through SCCM 2012 documentation for an answer of what to set in a GPO when wanting to use SCCM 2012 SP1 to handle updates.
At the moment I have:
WSUS/Reporting pointing to wsus server and its appropriate ports
Allow Automatic Updates immediate installation: Enabled
All signed updates from intranet Microsoft Updates: Enabled
Configure Automatic Updates: Enabled
  Configure automatic Updating - 4 Auto download and schedule the install
  Scheduled install day: Every Friday
  Scheduled install time: 21:00
Enabling Windows Update Power Management to auto wakeup the system to install: Enabled
No auto-restart with logged on users for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installation: Disabled
I didn't see any hint, perhaps it is there and I missed it, on what might be the prescribed settings for a GPO.
What is happening is Windows 8ish is drawing a band across the screen and reporting that your computer needs to reboot; and then reboots. From what I could tell in the WindowsUpdate.log file, around the time it was observed rebooting, smsexec requested a reboot. But oddly I also saw in the Windows Update log that a reboot was scheduled to expire on the 26th, two days after the observed behavior, and I also saw that other reboot requests either expired or had been scheduled.
What I have recently done to various Windows Update deployments was to remove the check boxes for Deadline behavior to prevent Software Updates and System restarts outside the Maintenance Window, and also checked Device restart behavior: Suppress system restart on the following devices: Servers and Workstations.
At the moment I would like to figure out what the GPO settings should be and also how to determine what had requested reboot and when and if the reboot actually happened.
Thanks!

This blog series by Jason should help you with that (it's still applicable):
http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude

Similar Messages

  • Any applicable\recommended Group Policy settings (Local & Domain) for configuring windows 8.1 "gold master image" for collection

    Happy Friday everybody -
    I'm working on implementing Microsoft RDS 2012\VDI for the folks here at work.  I've read - online - a lot of articles on VDI and RDS 2012 - and have a working model that is working somewhat satisfactorily.  I haven't seen much online about steps
    I could take in Local Group Policy on my Windows 8.1 'gold image' - or for that matter Domain level group policy - that can assist in creating a better, more reliable/robust Windows 2012 VDI environment.
    Anybody out there got any information or opinions or advice on Group Policy settings for VDI environments?
    Thanks again, everyone!
    Adrian
    anr

    Hi Adrian,
    Thank you for posting in Windows Server Forum.
    Regarding your issue, you can refer to the articles below for detailed information.
    1. Group Policy Best Practices for VDI Environments
    2. Some Basic Group Policy Settings for VDI
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client

    Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it.  Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings"
    on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
    For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings
    defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO").  I have not confirmed if this is the case for machine level settings defined outside of administrative
    templates in Domain Group Policy, or for any user level settings though.  (But I suspect not.)
    When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue:
    http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval?  I don't believe
    so, but would like confirmation.
    Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
    And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client?  I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry.  Does
    anyone know of a full list of these settings?  I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security
    Policy, after unjoining the domain.
    Any info/insight/links to other doc/etc would be much appreciated!

    Hi Shaun,
    >>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?   
    As far as I know, this is not the case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
    >>What if a client loses network connectivity while reading Domain GPO?
    Group policy will get updated when computers start up and users log on. Besides, for workstations, group policy will get refreshed in the background, by default at an interval of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
    >>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
    There are many reasons which can cause GP malfunction. However, Windows itself provides necessary tools for troubleshooting various issues. When GP malfunctions, we can check
    Event Viewer, collect group policy result, or generate group policy log to troubleshoot.
    Best regards,
    Frank Shen

  • EMET 5.0 Group Policy Settings Ignored (Probable race condition with Policy application)

    In our deployment, EMET 5 seems to be ignoring group policy settings from immediately after the first group policy refresh post-boot.
    Settings are being applied to the computer correctly, and are appearing in the registry correctly, and on boot, a set of Event ID 50 events are logged containing ConfigAppmitGPO (and similar for the other settings) elements with the correct settings.
    Upon the first group policy refresh, further eventID 50 events are logged, with empty ConfigAppmitGPO elements.
    Investigation with Process Monitor seems to indicate this is a race condition between Group Policy Registry settings being refreshed (which deletes the entries) and the EMET service reading out these settings from the registry (which appears to be triggered
    by Group Policy application or by a notification on the registry keys themselves)
    This is reproducible on Windows 7 and Windows 8.1.
    Is there any way to arrange for settings to be applied correctly at all times, or is this a bug that will need to be fixed in a future update?

    We're experiencing the exact same behavior currently. I was starting to think I was going crazy. Glad to know others are experiencing the same behavior.
    I've found that using the method from previous versions to read and update settings from Group Policy, using "emet_conf.exe --refresh", still works, and upon every execution, the event log shows the GPO settings being read and applied. While I welcome the move to have EMET update from GPO settings without requiring running a separate task, as it stands now in its current condition, it is a step back.
    Scott Ladewig http://www.ladewig.com

  • Windows 7 Group Policy Processing - EventID 1058

    I am having an issue with Windows 7 clients refreshing group policy. When I run gpupdate the user policy refreshes and then moves on to the computer policies but fails, displaying the error below. Replication topology checks out, dcdiag returns no errors and sysvol permissions look ok too. Curiously the same policies apply just fine on Windows XP Pro systems. The Domain Controller is running Server 2008 Enterprise Edt R2 SP1, and I see no 1030 event IDs on the domain controllers as others frequently report with this error. The domain is running at Windows Server 2003 functional level but I have created a PolicyDefinitions folder in the sysvol for admx files etc. Where to go from here? Does anyone have any suggestions/insight as to what the issue may be?
    The sysvol and the gpt.ini file is accessible from the Windows 7 client using UNC path.
    Thanks in advance for any assistance given.
    The error code listed is 0 which is not mentioned in this article
    http://social.technet.microsoft.com/wiki/contents/articles/1456.aspx
    ## Error details
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          2/8/2012 2:38:09 PM
    Event ID:      1058
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      win7box.abc123.net
    Description:
    The processing of Group Policy failed. Windows attempted to read the file
    \\abc123.net\SysVol\abc123.net\Policies\{EB062BE8-CAF6-47B4-9B8B-27A19268C520}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused
    by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
        <EventID>1058</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-02-08T20:38:09.770740300Z" />
        <EventRecordID>3972</EventRecordID>
        <Correlation ActivityID="{24F60AA4-DC8D-4F6D-8787-9535072F03C0}" />
        <Execution ProcessID="996" ThreadID="1148" />
        <Channel>System</Channel>
        <Computer>win7box.abc123.net</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">4</Data>
        <Data Name="SupportInfo2">816</Data>
        <Data Name="ProcessingMode">0</Data>
        <Data Name="ProcessingTimeInMilliseconds">3354</Data>
        <Data Name="ErrorCode">0</Data>
        <Data Name="ErrorDescription">The operation completed successfully. </Data>
        <Data Name="DCName">DC.abc123.net</Data>
        <Data Name="GPOCNName">CN={EB062BE8-CAF6-47B4-9B8B-27A19268C520},CN=Policies,CN=System,DC=abc123,DC=net</Data>
        <Data Name="FilePath">\\abc123.net\SysVol\abc123.net\Policies\{EB062BE8-CAF6-47B4-9B8B-27A19268C520}\gpt.ini</Data>
      </EventData>
    </Event>
    ## DCDiag Results (No RODC's hence NCSecDesc error )
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = DC
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: North\DC
          Starting test: Connectivity
             ......................... DC passed test Connectivity
    Doing primary tests
       Testing server: North\DC
          Starting test: Advertising
             ......................... DC passed test Advertising
          Starting test: FrsEvent
             ......................... DC passed test FrsEvent
          Starting test: DFSREvent
             ......................... DC passed test DFSREvent
          Starting test: SysVolCheck
             ......................... DC passed test SysVolCheck
          Starting test: KccEvent
             ......................... DC passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... DC passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... DC passed test MachineAccount
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=abc123,DC=net
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=abc123,DC=net
             ......................... DC failed test NCSecDesc
          Starting test: NetLogons
             ......................... DC passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... DC passed test ObjectsReplicated
          Starting test: Replications
             ......................... DC passed test Replications
          Starting test: RidManager
             ......................... DC passed test RidManager
          Starting test: Services
             ......................... DC passed test Services
          Starting test: SystemLog
             ......................... DC passed test SystemLog
          Starting test: VerifyReferences
             ......................... DC passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : abc123
          Starting test: CheckSDRefDom
             ......................... abc123 passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... abc123 passed test CrossRefValidation
       Running enterprise tests on : abc123.net
          Starting test: LocatorCheck
             ......................... abc123.net passed test LocatorCheck
          Starting test: Intersite
             ......................... abc123.net passed test Intersite

    I shortened this down a good bit but here is the gist of it. My question is which context/user/account is being denied access to the .ini files? I have never used the streams utility but I'll give it a whirl and report back what I get. Most of the "cannot be accessed" entries are probably just policies that are not applicable to the machine, but the gpt.ini errors are baffling me.
    New GPO - it appears that new GPOs are fine
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Searching <cn={5D0EF3CD-7942-4A89-A879-4F9FDB3064BF},cn=policies,cn=system,DC=abc123,DC=net>
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Machine has access to this GPO.
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  GPO passes the filter check.
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found functionality version of:  2
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found file system path of:  <\\abc123.net\SysVol\abc123.net\Policies\{5D0EF3CD-7942-4A89-A879-4F9FDB3064BF}>
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found common name of:  <{5D0EF3CD-7942-4A89-A879-4F9FDB3064BF}>
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found display name of:  <gpoC-Win7Test>
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found machine version of:  GPC is 0, GPT is 0
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found flags of:  0
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  No client-side extensions for this object.
    GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  GPO gpoC-Win7Test doesn't contain any data since the version number is 0.  It will be skipped.
    Older GPO's - not so fine
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={B34A8F23-269C-43D8-A097-2307729FBFF6},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  ==============================
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Searching <CN={55338992-95C9-4FA2-80E4-0ED4A623EE09},CN=Policies,CN=System,DC=abc123,DC=net>
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Machine has access to this GPO.
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  GPO passes the filter check.
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found functionality version of:  2
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found file system path of:  <\\abc123.net\SysVol\abc123.net\Policies\{55338992-95C9-4FA2-80E4-0ED4A623EE09}>
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found common name of:  <{55338992-95C9-4FA2-80E4-0ED4A623EE09}>
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found display name of:  <gpoS-RealPlayerEnt6 - Security>
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found machine version of:  GPC is 0, GPT is 0
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found flags of:  0
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  No client-side extensions for this object.
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  GPO gpoS-RealPlayerEnt6 - Security doesn't contain any data since the version number is 0.  It will be skipped.
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  ==============================
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={C92FD413-E891-47E0-B554-BD7F9209D036},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={FEF33797-46D0-452A-B3D7-0BEEC2330592},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={CCBFECA5-2FF8-4512-8CE4-108C4092D009},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={767959D5-7AB6-4D55-A02E-3F54439CC7DA},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={10DCAC5E-9904-41FF-B678-E8514F481E56},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={3229FD3D-868A-4406-AFAF-6449ADBB4749},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={1DD39B5C-B930-4750-8EC3-42D0FB89A3B9},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={E10350D2-F632-4D5E-9668-4151596B1D77},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={86C864C5-C861-42FC-B728-BAEE81C9A091},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={FE1162BF-9FE2-4F04-A514-80A8E6D5F7CD},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={F68214D3-33F3-4F76-BE26-306D0237A048},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={CA6B06CE-C546-41F1-87FB-9013701AEF00},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={C8C9EFA2-90AA-4162-9051-23FD83B5CF62},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={DE445C4F-9A0F-488F-8769-C041CF2184AA},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={7CDB465C-55AC-4CBC-9C18-F3ADACDFEB46},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={F4E0F78E-BE36-4793-A8B1-83B2D67083F1},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={53359F0A-8C9B-4831-936F-3D47C4CC2694},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={6793DBEE-47B0-458D-8F1C-D92EB7015733},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={93919120-7113-47C0-AA38-0561EAB18E42},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={5ABD1D9E-07E4-4A53-B854-A2FFC3B257CB},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={71E2B86C-A4A0-47C0-9D7F-BDD6220B9FA4},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={4401CF1C-7839-4496-BB87-304A8AB917FC},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={1244CA5A-D654-4ED6-9374-148F1F3DA8ED},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={42875CF2-B9E9-4EFA-90C2-7ACA8882F1B7},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={6DD428B6-6B19-4A53-B172-57DB3E15A38E},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={983BFDAD-65F0-42B4-807A-E78DF275C352},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={AFA31A2D-07D8-4CB4-BE86-067A9624E324},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={77C9CA17-6359-4355-9FDF-F605F0441245},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={75D43291-6FA2-4B98-8422-228DDB45571B},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={870C6FB3-74CD-46E8-9D4D-E6E6C0A2B52D},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={2144E4CF-01C1-4C5B-984B-E9BD4461406F},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={7D9DB917-1245-46BD-AEBF-163A2F0FCD06},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={B7431941-5DAA-4DD2-A569-35C31B92B677},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={D01BF1D1-33C8-4FC3-95C3-5948A1EE1647},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={57D4AD83-3BBF-43C2-9A3B-F71F3E52C2A6},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={A8DB7DAC-42F0-43FC-99E1-F1AC15006101},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={56574927-6DC5-48A7-82F9-A00E820335F6},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={2FB6858E-8B1C-4C89-83B2-0EEE97D9A72B},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={93C56E3F-5334-4325-A328-0CCAFED0828B},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={1B64E00F-D3B6-49B6-B6C8-7AD0A8C9AEFA},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={81B4E46C-8249-4547-BC75-9A1FB395E282},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={43D5184A-73C8-4BFD-9B09-33C70B8BC3C2},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  ==============================
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Searching <CN={0ABE0BCF-0BC5-481E-AC86-5768D00901D5},CN=Policies,CN=System,DC=abc123,DC=net>
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Machine has access to this GPO.
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  GPO passes the filter check.
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found functionality version of:  2
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found file system path of:  <\\abc123.net\SysVol\abc123.net\Policies\{0ABE0BCF-0BC5-481E-AC86-5768D00901D5}>
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Couldn't find the group policy template file <\\abc123.net\SysVol\abc123.net\Policies\{0ABE0BCF-0BC5-481E-AC86-5768D00901D5}\gpt.ini>,
    error = 0x0. DC: DC2.abc123.net
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  ==============================
    GPSVC(3e4.80c) 12:43:27:541 EvalList:  ProcessGPO failed
    GPSVC(3e4.80c) 12:43:27:541 GetGPOInfo:  EvaluateDeferredGPOs failed. Exiting
    GPSVC(3e4.80c) 12:43:27:541 GetGPOInfo:  Leaving with 0
    GPSVC(3e4.80c) 12:43:27:541 GetGPOInfo:  ********************************
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPOs: GetGPOInfo failed.
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPOs: No WMI logging done in this policy cycle.
    GPSVC(3e4.80c) 12:43:27:541 ProcessGPOs: Processing failed with error 87.
    GPSVC(3e4.80c) 12:43:27:557 Application complete with bConnectivityFailure = 0.
    GPSVC(3e4.80c) 12:43:27:557 Signalling 1 Refresh Policy callers
    GPSVC(f84.df4) 12:43:27:557 Exiting RefreshPolicyForPrincipal with status = 0
    GPSVC(3e4.80c) 12:43:27:557 GPLockPolicySection: Sid = (null), dwTimeout = 600000, dwFlags = 0
    GPSVC(3e4.80c) 12:43:27:557 LockPolicySection called for user <Machine>
    GPSVC(3e4.80c) 12:43:27:557 Sync Lock Called
    GPSVC(3e4.80c) 12:43:27:557 Writer Lock got immediately.
    GPSVC(3e4.80c) 12:43:27:557 Lock taken successfully
    GPSVC(3e4.80c) 12:43:27:557 UnLockPolicySection called for user <Machine>
    GPSVC(3e4.80c) 12:43:27:557 UnLocked successfully
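
A triage pass over a gpsvc.log excerpt like the one above, as an added example that is not part of the original post: it separates the "cannot be accessed" and version-0 entries from the gpt.ini read that ends the cycle with "Processing failed", and reports which GPO and which DC that read involved. The sample lines are a constructed subset of the posted log (same GUIDs and host names), and the function names are illustrative.

```python
import re

# Constructed sample: a subset of the gpsvc.log lines posted above, including
# the gpt.ini message that wraps onto a second line without a GPSVC prefix.
SAMPLE_LOG = r"""
GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={B34A8F23-269C-43D8-A097-2307729FBFF6},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Searching <CN={55338992-95C9-4FA2-80E4-0ED4A623EE09},CN=Policies,CN=System,DC=abc123,DC=net>
GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found display name of:  <gpoS-RealPlayerEnt6 - Security>
GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  GPO gpoS-RealPlayerEnt6 - Security doesn't contain any data since the version number is 0.  It will be skipped.
GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={C92FD413-E891-47E0-B554-BD7F9209D036},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Searching <CN={0ABE0BCF-0BC5-481E-AC86-5768D00901D5},CN=Policies,CN=System,DC=abc123,DC=net>
GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Couldn't find the group policy template file <\\abc123.net\SysVol\abc123.net\Policies\{0ABE0BCF-0BC5-481E-AC86-5768D00901D5}\gpt.ini>,
error = 0x0. DC: DC2.abc123.net
GPSVC(3e4.80c) 12:43:27:541 EvalList:  ProcessGPO failed
GPSVC(3e4.80c) 12:43:27:541 ProcessGPOs: Processing failed with error 87.
"""

# One log entry: GPSVC(<pid>.<tid>) hh:mm:ss:mmm <message>
ENTRY = re.compile(
    r"^GPSVC\(([0-9a-f]+)\.([0-9a-f]+)\)\s+(\d\d:\d\d:\d\d:\d{3})\s+(.*)$", re.I
)
GUID = r"\{([0-9A-Fa-f-]{36})\}"
SEARCHING = re.compile(r"ProcessGPO:\s+Searching <cn=" + GUID, re.I)
NO_ACCESS = re.compile(
    r"EvalList:\s+Object <cn=" + GUID + r".*> cannot be accessed", re.I
)
EMPTY = re.compile(
    r"ProcessGPO:\s+GPO (.+) doesn't contain any data since the version number is 0"
)
NO_GPT = re.compile(
    r"Couldn't find the group policy template file <(.+?)>,"
    r"\s*error = (0x[0-9a-fA-F]+)\.\s*DC:\s*(\S+)"
)
FAILED = re.compile(r"ProcessGPOs:\s+Processing failed with error (\d+)\.")


def entries(text):
    """Yield (timestamp, message) pairs.

    A line without a GPSVC(...) prefix is treated as the continuation of the
    previous entry, which is how the wrapped gpt.ini message is rejoined.
    """
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match:
            if current:
                yield tuple(current)
            current = [match.group(3), match.group(4)]
        elif current:
            current[1] += " " + line
    if current:
        yield tuple(current)


def triage(text):
    """Group gpsvc.log entries by outcome and return them as a dict."""
    report = {"no_access": [], "empty": [], "gpt_ini_failures": [], "final_error": None}
    current_gpo = None  # GUID from the most recent "Searching <cn={...}>" line
    for stamp, msg in entries(text):
        if m := SEARCHING.search(msg):
            current_gpo = m.group(1).upper()
        elif m := NO_ACCESS.search(msg):
            report["no_access"].append(m.group(1).upper())
        elif m := EMPTY.search(msg):
            report["empty"].append(m.group(1))
        elif m := NO_GPT.search(msg):
            report["gpt_ini_failures"].append({
                "time": stamp,
                "gpo": current_gpo,
                "path": m.group(1),
                "error": int(m.group(2), 16),
                "dc": m.group(3),
            })
        elif m := FAILED.search(msg):
            report["final_error"] = int(m.group(1))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("GPO objects reported as 'cannot be accessed':", len(result["no_access"]))
    print("GPOs skipped at version 0:", result["empty"])
    for failure in result["gpt_ini_failures"]:
        print("gpt.ini read failed:", failure)
    print("Cycle ended with error:", result["final_error"])
```

Run against the full log, the `dc` field of each gpt.ini failure can be compared with the `DCName` value in the matching Event ID 1058 record.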

  • Backup & Restore non-administrators Group Policy Settings

    Hi,
    I'm trying to setup a few reference images of Windows 7 which will be deployed to our client computers. The baseline Group Policies are configured through Local Group Policies set in the image. I've setup a Master GPO machine on which to build the policies
    and test them.
    The Local Group Policies have been set for Local Computer Configuration, Local User Configuration and for Local Non-Administrators Configuration. The thinking is that members of the local Administrators group on the computer are unrestricted and still have
    the ability to do most things. Users which log onto the computer abide by the more restrictive Non-Administrators Group Policy settings.
    Using the "LocalGPO.wsf" script I'm able to backup and restore Computer and User Configuration which affects all users of the machine but it does not backup the Non-Administrators Policies. Is this possible?
    After some digging around in the "GPOPack.wsf" files I've found that the Machine & All Users Policies are restored by the "LocalPol.exe" file. This utility has command line switches for '-m' machine and '-u' user. So I'm guessing
    that it's not possible to restore the Non-Administrators Policies?
    For what it was worth I've tried copying the "Registry.pol" file from the "%windir%\System32\GroupPolicyUsers\S-1-5-32-545\User" folder on the GPO Master machine and placed the file in the same location on the target computer. A test which had one value set worked on the reference computer but when the policies were copied from the GPO Master machine, the target computer ignored all the settings.
    Any ideas how to backup/restore Local Machine Non-Administrator Group Policies?
    Thanks!

    Not entirely sure of the specific policies you're dealing with, but you would typically use the Microsoft Security Compliance Manager to create GPO packs that you would then apply using the Apply Local GPO Package task sequence step in MDT.
    I'd encourage you to look over the Applying Group Policy Object Packs section of the
    Using the Microsoft Deployment Toolkit.docx file in the MDT 2013 documentation for more details.
    MDT 2013 documentation can be downloaded here: LINK

  • Windows 10 Group Policy (.ADMX) Templates now available for download

    Just to let you all know that we have released the Windows 10 Group Policy (.ADMX) templates on our download center as an MSI installer package. These .ADMX templates are released as a separate download package so you can manage group policy for Windows 10 clients more easily. This new package includes additional (.ADMX) templates which are not included in the RTM version of Windows 10:
    - DeliveryOptimization.admx
    - fileservervssagent.admx
    - gamedvr.admx
    - grouppolicypreferences.admx
    - grouppolicy-server.admx
    - mmcsnapins2.admx
    - terminalserver-server.admx
    - textinput.admx
    - userdatabackup.admx
    - windowsserver.admx
    To download the Windows 10 Group Policy (.ADMX) templates, please visit http://www.microsoft.com/en-us/download/details.aspx?id=48257
    To review which settings are new in Windows 10,...
    This topic first appeared in the Spiceworks Community


  • Import Windows XP Group Policy into Windows 7?

    Is it possible to import a Windows XP Group Policy into Windows 7? It seems ZCM will not let you edit the XP policy from Windows 7 even though you can apply the policy to a Windows 7 Workstation and have the policy applied without issue. I'm still researching it, but the search terms return many Active Directory results.
    ZCM 10.3.3 on Linux, and eDirectory only.

  • User Group Policy Settings not applied to new user profiles at first logon

    Good Afternoon,
    We have an issue that occurs to a new user when they first log on to their machines. They log on and a new profile creates from the Default User Profile. We can see that a number of our Group Policy Settings applied as "User Configuration" are not applying. A log off and back on is required before the policies apply.
    Any thoughts to this behaviour please?
    Regards
    LeeB
    Lee Bowman MCITP MCTS

    Hi,
    How about your problem now? How many systems encounter this problem? Are all of the policies failing to apply? Is there any feedback when using gpresult to check the applied policy status?
    As Group Policy applies after user identity authentication, generally speaking, logging off and back on doesn't help with this problem.
    When this problem occurs, have you checked the event log to see if it identifies this problem?
    Roger Lu
    TechNet Community Support

  • Windows 2012 Group Policy Option missing for Windows 7 Client

    Hi there,
    We have a deployment with a Windows 2012 DC and various Windows 7 clients.
    I am trying to set up a group policy on the 2012 DC to configure the Windows 7 clients and basically disable the Aero feature.
    The "Do not allow desktop composition" is the one I need to enable and this would sit under Admin Templates > Windows Components > Desktop Windows Manager.
    In Windows 2012 Group Policy editor this does not show...does anyone know how I can do this to a remote Windows 7 machine from 2012 DC?
    Note if it helps on a Windows 7 machine you can also disable the service "Desktop Window Manager Session Manager" to achieve the same thing BUT when looking through the Group Policy again I can't seem to find this!!
    Thanks for any help,
    Steve

    > In Windows 2012 Group Policy editor this does not show...does anyone
    > know how i can do this to a remote Windows 7 machine from 2012 DC?
    Install RSAT and edit on W7. Or copy all W7 admx/adml templates to the
    central store.
    Martin
    Fancy reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • How to update group policy on MAC OS 10.6.8

    Hi,
    I am not able to update group policy on MAC 10.6.8 like gpupdate command from terminal.
    Regards
    Govind Singh

    OK, makes sense. Any idea what the DMG preference should be in Firefox?
    It was set to "Always Ask"
    ... and I changed it to "Use MacOS"
    The funny thing is that all the other updates (these were Add On updates) that I ran downloaded the DMG file and it started right up. It is only the Adobe products (Acroread, Flash, etc.) that are having troubles, and they all get the same error.
    BTW - Thanks for helping!
    NEW UPDATE:
    Found /System/Library/CoreServices/DiskImageMounter.app and set the Firefox preferences DMG file to use that now.

  • How to install Windows Updates on a 2012 Domain Controller w/Group Policy Settings

    Hello All,
    I'm having an issue installing Windows Updates on my Windows Server 2012 Standard with AD DS role, acting as a backup DC.
    I have Group Policies setup for the Domain Controllers to download updates from my WSUS server but not to install them. When I go to my Windows Server 2003 R2 Domain Controller, I can install updates via the "Install Updates and Shutdown". That option doesn't show up on the 2012 server. I can see from my WSUS server and the event viewer that the updates are being downloaded to the 2012 server........just no option for me to install the updates.
    Am I just missing something or will I need to change the way my Group Policy is setup to allow installs and/or downloads? Any help would be greatly appreciated!
    Tony

    So I've totally removed the GPO settings for configuring updates on the Default Domain Controllers OU and I can get the Windows Server 2003 Server to get updates from Windows Updates, but the 2012 Server still won't show me how to download or install any updates. It just states on the log-in screen that there are "Windows Updates Sign in and install important updates".
    Well guess what Microsoft! I've signed in and still don't see where I can install updates!!!
    I guess because you've set AU=3.
    There doesn't seem to be much documented in depth about AU/WUAgent (not in the history of forever), but Lawrence and others in the WSUS forum do cover a lot of related question about the agent and also GP settings.
    Lawrence has blogged a lot of detail about the registry settings which are available for AU/WU, and how some of those settings are not practically of any use since WinXP.
    So, even though your question isn't about WSUS, the WSUS forum is a great place to visit for help for WUAgent etc.
    Anyway, "where can I install updates?" :
    on the Start screen, Search for "Windows Update"
    or
    Settings charm
    Change PC Settings
    Update and Recovery
    Windows Update
    or
    Control Panel\System and Security\Windows Update
    Some further (light) discussion on the "new" behaviour:
    http://blogs.msdn.com/b/b8/archive/2011/11/14/minimizing-restarts-after-automatic-updating-in-windows-update.aspx
    Don

  • Removing Windows 2003 Group Policy user settings

    I'm having a difficult time finding what to do.
    I have a Windows 2003 domain with many GP settings. One of which I can't find. It has to do with the favorites bar in IE. When a user from a certain OU logs on to any computer with any Windows OS, any favorites saved either to their Favorites bar, or even in the Favorites folder, disappear on next logon. This happens all the time.
    I thought I would create another OU with a BLANK GP and blocked inheritance. I moved a user from the original OU into the test OU, replicated the changes, and rebooted the computer on which the user would log on. The user logged on and the settings from the original OU still applied.
    I created a completely new user in the test OU and no settings were applied, which is what I want.
    What is the best way to remove the original OU settings from a user that was in that original OU?
    Thank you for any help

    Thanks for the quick response.  There are no scripts that run with the former GPO.
    I did run RSOP.MSC from the test computer and received an error about not being able to read the computer settings, but the user settings were displayed. The settings the account received were from "Software Restriction Policy" and "Public Key Policy". Nothing shows about any IE settings. I'm at a loss as to why this is happening and where these dang policies are coming from.
    I've even gone as far as to go to the original GPO, and in Delegation, deny the Apply Group Policy permission to the user.  
    And the only policy that is applying is the test policy.  The others show as either Disabled(link), or Blocked(SOM).

  • Error while updating Group Policy

    Hello All,
    I get the below error while updating the group policy on the user machine.
    C:\Users\905288>gpupdate /force
    Updating Policy...
    User Policy update has completed successfully.
    The following warnings were encountered during user policy processing:
    Windows failed to apply the Internet Explorer Zonemapping settings. Internet Exp
    lorer Zonemapping settings might have its own log file. Please click on the "Mor
    e information" link.
    Computer Policy update has completed successfully.
    For more detailed information, review the event log or run GPRESULT /H GPReport.
    html from the command line to access information about Group Policy results.
    Is there a way I can find which group policy is causing this issue?

    > Do you want me to give you those site details as well?
    Hm - not really, I have no error with zone assignments. It's you with
    the error :)
    Verify your site entries against
    http://support.microsoft.com/kb/184456
    - most probably, some of them do not adhere to the allowed wildcard rules.
    Martin

  • My SCCM 2012 server is listed in the Windows updates local policy

    On my end user computers Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Updates > Specify intranet Microsoft update service location
    Does it specify your Primary Site server? YES
    Endpoint Protection leverages the software update component of ConfigMgr for delivery of definitions. This local Windows Updates policy was created when you configured this component. 
    1. How do I disable this local Windows Updates policy in SCCM ?  Thanks

    The client will set these local policy settings if your Client Settings are set to manage software updates and you don't have a group policy in place.
    If you do NOT want ConfigMgr to control updates, then you can go to Client Settings > Software Updates and change "Enable software updates on clients" to No.
    Nash Pherson, Senior Systems Consultant
