Policy applied is a ghost. Where's it cached?
I know lengthy posts don't get responses, because of the intense focus required on the reader's part to understand the situation presented. I'll try my best to get to the point here. The domain names and IP schema presented here are not the actual ones in use, for obvious reasons.
Lab setup: a Server 2008 R2 domain controller set up for the test.local domain. The PDC has WSUS installed. Workstations are not joined to the test domain, and use a wsus.reg file merged into the workstation registry to point at the test.com WSUS. When setting up new workstations, this saves a ton of time getting them up to date before deploying them to the production domain.
Production setup: a Server 2012 R2 Standard PDC. This server has the AD, DNS, DHCP and Group Policy Management roles.
The domain has a mix of Win 7 Pro and Win 8.1 Pro.
I also have a Server 2008 R2 Standard member server joined to the domain. The 2008 R2 server does not have AD installed. It's joined to the domain no differently than the workstations are. The 2008 R2 server has WSUS installed, along with RD Gateway configured with a certificate for remote access, and it was the last computer joined to the domain.
Problem: I have a WSUS policy on the PDC that directs the workstations to point to the 2008 R2 server for WSUS updates. The distribution of this policy is the weirdest thing I've ever seen. If I remove the policy (by remove, I mean delete its existence in its entirety), nothing is distributed to the workstations. On a workstation I can check the registry at HKLM\Software\Policies\Microsoft\Windows and the WindowsUpdate key is not there, as expected. Starting the Windows Update applet in Control Panel shows it gets updates from the MS site. Also expected.
However, when I create and implement the policy to point to the WSUS server in the production environment, policy distribution "appears" to occur because the WindowsUpdate key appears in the registry as it should. But (and here's the weird part) the values of WUServer and WUStatusServer show it pointing to the WSUS server in the lab. A different IP address! This occurs on 10 workstations, a mix of Win 7 and 8.1.
I've deleted the policy, rebooted the servers and workstations, recreated the policies, and ran gpupdate /force until my fingers hurt, and I can't seem to point them to the production server in a city 15 miles away that has no physical connection of any type, in any way, shape, form or fashion, to the test lab setup. Is this cached somewhere on the workstations? Note that these computers have been reloaded from the ground up within the last month or so. In effect, this is a "new" production network in every sense of the word.
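As an added diagnostic (not from the original thread) for the registry check described above: this PowerShell reads the WindowsUpdate policy values on the workstation, compares WUServer with the server you expect, and on a mismatch lists which GPO is delivering the value. The expected URL is an assumed placeholder.

```powershell
# Added diagnostic, not from the original thread. Reads the policy-driven
# Windows Update settings on this workstation and compares them with the
# WSUS URL you expect, so a stale lab pointer (e.g. from a merged wsus.reg)
# is flagged. The default for $Expected is an assumed placeholder.
param(
    [string]$Expected = 'http://wsus.production.example:8530'  # placeholder
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusPointer {
    # Returns a hashtable describing where Windows Update is currently pointed.
    $result = @{ PolicyKeyPresent = (Test-Path $policyKey) }
    if ($result.PolicyKeyPresent) {
        $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        $result.WUServer       = $p.WUServer
        $result.WUStatusServer = $p.WUStatusServer
    }
    if (Test-Path $auKey) {
        $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
        $result.UseWUServer = $au.UseWUServer   # 1 = client honours WUServer
    }
    return $result
}

$state = Get-WsusPointer
if (-not $state.PolicyKeyPresent) {
    Write-Output 'No WindowsUpdate policy key: client uses Microsoft Update.'
} elseif ($state.WUServer -ne $Expected) {
    Write-Warning "WUServer is '$($state.WUServer)', expected '$Expected'."
    # Policy registry values are rewritten on every refresh, so a wrong value
    # that survives 'gpupdate /force' is usually still being delivered by a
    # GPO. gpresult /v lists each registry setting under the GPO that set it.
    gpresult /scope computer /v |
        Select-String -Pattern 'GPO:', 'WUServer', 'WUStatusServer'
} else {
    Write-Output "WUServer matches expected server: $Expected"
}
```

Run it in an elevated PowerShell on an affected workstation; if no GPO line appears above the WUServer value, the setting came from something other than Group Policy, such as a locally merged .reg file.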
Okay, I've got the problem solved. It seems the cause was "user error," whereas I had forgotten a basic GPO fundamental. I'll repeat it here for the sake of others, as I've seen a few other posts in this forum with the same problem as me, but with different policies.
The order in which policies are applied does matter. Machine/computer policies need to be applied before user policies. Since the WSUS policy is a machine/computer policy, when it's listed last among 9 policies, it is not applied. If it is applied, either it's not applied correctly, or you got lucky. Since machine policies are applied on boot and user policies are applied on login, having the WSUS machine policy last means it is either not being applied at all on user login, or applied incorrectly using cached information from somewhere in la-la land.
When I grouped the policies, I went further, making the machine policies first in the order of application too. The policies need to be applied in the order they appear in the policy template. I have 5 computer policies. Since the WSUS policy is the last policy in the Computer Configuration container of the template, I made it the 5th policy applied in the policy application order list of the GUI.
The same rule holds true for user policies. User policies should be applied after machine policies, and user policies should be applied in the order they appear in the User Configuration section of the policy template.
Once I did this, not only are the policies applied correctly every time on every computer, I had 2 more computers pop up in the WSUS console this morning that I was totally unaware of having the issue, due to my focus on the 10 other computers I was aware of.
Thanks so much to donpick for helping me get my head straight. It was a case of couldn't see the forest because the trees were in the way. A return to the simple basics of GPO fundamentals was needed to figure it out and fix it.