DLinkOZ (Posts: 10) - 02/20/2010 12:23 AM
Here's my scenario:
We have about 70 sites, each with a DC. Then 4 here at our DC (2 for the day-to-day use domain, 2 for the forest root). What we're trying to do is separate our monthly patching. We've taken our WSUS GPOs and created two: one is for 2pm and the other is for 3pm. We then created a security group for each time slot and split our DCs between them (half are in the 2pm group, half in the 3pm group). We filter the two GPOs to their relative group, but the GPOs get denied. We tried enabling loopback, same thing. I tried leaving the filtering as-is, but within the security properties for the GPO granting Authenticated Users the right to process/load policies (total shot in the dark). No love.
So my question is, am I missing something? The policies have nothing but computer settings, but do they still need to fall on OUs where the users reside? We have another setup like this for putting people into the local Administrators group on workstations based upon that workstation being a member of a group (which the GPO is filtered to). Works perfectly; the only difference is that it has both Computer and User settings, and is applied to both user- and computer-specific OUs.
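The setup described above (two computer-only WSUS GPOs, each security-filtered to a group holding half the DCs), as an added example that is not the poster's configuration or anything from the thread. It uses the GroupPolicy and ActiveDirectory modules that ship with GPMC/RSAT on Server 2008 R2 and later; the domain, OU, group, GPO and WSUS server names are assumptions. It covers one domain; the forest-root DCs would need the same run against that domain.

```powershell
# Added example, not the poster's GPOs: two security-filtered, computer-only
# WSUS GPOs for a split DC install window. All names below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dcOu    = "OU=Domain Controllers,DC=corp,DC=example"   # where the DC computer objects live
$groupOu = "OU=Groups,DC=corp,DC=example"               # assumed container for the filter groups
$wsusUrl = "http://wsus.corp.example:8530"              # assumed WSUS server
$wuKey   = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auKey   = "$wuKey\AU"

# One entry per install window: GPO name, the group it is filtered to, install hour (24h clock).
$windows = @(
    @{ Gpo = "WSUS-DC-Install-1400"; Group = "WSUS-DC-Window-1400"; Hour = 14 },
    @{ Gpo = "WSUS-DC-Install-1500"; Group = "WSUS-DC-Window-1500"; Hour = 15 }
)

foreach ($w in $windows) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($w.Group)'")) {
        New-ADGroup -Name $w.Group -GroupScope Global -GroupCategory Security -Path $groupOu
    }
    if (-not (Get-GPO -Name $w.Gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $w.Gpo -Comment "WSUS scheduled install at $($w.Hour):00 for DCs" | Out-Null
    }

    # Computer-side WSUS settings only; no user settings are involved.
    Set-GPRegistryValue -Name $w.Gpo -Key $wuKey -ValueName WUServer       -Type String -Value $wsusUrl | Out-Null
    Set-GPRegistryValue -Name $w.Gpo -Key $wuKey -ValueName WUStatusServer -Type String -Value $wsusUrl | Out-Null
    Set-GPRegistryValue -Name $w.Gpo -Key $auKey -ValueName UseWUServer    -Type DWord  -Value 1 | Out-Null
    Set-GPRegistryValue -Name $w.Gpo -Key $auKey -ValueName NoAutoUpdate   -Type DWord  -Value 0 | Out-Null
    Set-GPRegistryValue -Name $w.Gpo -Key $auKey -ValueName AUOptions      -Type DWord  -Value 4 | Out-Null  # auto download, scheduled install
    Set-GPRegistryValue -Name $w.Gpo -Key $auKey -ValueName ScheduledInstallDay  -Type DWord -Value 0 | Out-Null  # 0 = every day
    Set-GPRegistryValue -Name $w.Gpo -Key $auKey -ValueName ScheduledInstallTime -Type DWord -Value $w.Hour | Out-Null

    # Security filtering: Authenticated Users drops from Apply to Read (keep Read;
    # since MS16-072 Microsoft's guidance is that filtered GPOs stay readable by
    # Authenticated Users or Domain Computers). The window group gets Read + Apply.
    Set-GPPermission -Name $w.Gpo -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $w.Gpo -TargetName $w.Group -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Link at the OU holding the computer objects. With computer settings only,
    # no user OU needs to be in scope.
    $linked = (Get-GPInheritance -Target $dcOu).GpoLinks | Where-Object { $_.DisplayName -eq $w.Gpo }
    if (-not $linked) { New-GPLink -Name $w.Gpo -Target $dcOu -LinkEnabled Yes | Out-Null }
}

# Alternate the DCs of this domain between the windows so each holds about half.
$dcs = Get-ADDomainController -Filter * | Sort-Object Name
for ($i = 0; $i -lt $dcs.Count; $i++) {
    $group = $windows[$i % $windows.Count].Group
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer $dcs[$i].Name)
}
# A DC added here does not carry the new group in its logon token until it
# reboots or its Kerberos tickets are refreshed, so the GPO stays denied until then.
```

Run it once from a management host with GPMC installed; it is idempotent for the groups, GPOs and links, but Add-ADGroupMember will error on a DC that is already a member of the target group, which is harmless.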
dmarelia (Posts: 394) - 02/20/2010 12:37 AM
Dave - It doesn't sound like you are doing anything wrong. So, when you run a GP Results report from GPMC against one of these machines, and look under the Summary tab at "Denied GPOs", what is the reason it gives for denying your GPO?
Darren
DLinkOZ (Posts: 10) - 02/20/2010 12:42 AM
Great, so I'm not insane. The reason given is Access Denied (Security). One oddity (and we've given plenty of time for replication, forced replication, and checked a remote DC, the one we're testing on) is that under the RSOP section that shows what groups the machine is a member of, it doesn't show the group. We've verified, and it is indeed a member.
dmarelia (Posts: 394) - 02/20/2010 12:58 AM
Ah, I suspect that is the issue (group membership). When you added the machine to the group, did you reboot the machine? It takes a reboot to pick up new computer group membership, or check out this blog posting I did:
http://sdmsoftware.com/blog/2008/08/22/picking-up-computer-group-membership-changes-without-a-reboot/
Darren
DLinkOZ (Posts: 10) - 02/20/2010 1:04 AM
I just read that elsewhere, and it is most likely the issue. We'll investigate, and thanks for the tip.
DarraghOShaughnessy (Posts: 161) - 02/20/2010 10:24 AM
I think you can force a refresh of computer group membership using klist.exe, depending on the OS
;~)
Regards,
Darragh O'Shaughnessy IT Services Department
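Darren's diagnosis (the machine's token was built before it joined the group) and Darragh's klist hint, as an added example that is not part of the thread or of the linked blog post. The script checks what AD says about the computer's membership against what the machine's own policy processing saw, and if the token is stale it purges the Kerberos ticket cache of the LocalSystem logon session (logon ID 0x3e7) so the next forced refresh authenticates with tickets whose PAC carries the new group. Run it in an elevated prompt on the affected DC. klist.exe is built into Vista/Server 2008 and later (on Server 2003 it is a Resource Kit tool); the GPO and group names are assumptions, and the parsing matches the English gpresult report text.

```powershell
# Added example, not from the thread: verify token vs. AD group membership for
# this computer and refresh the token without a reboot. Names are assumptions.
param(
    [string]$GpoName   = "WSUS-DC-Install-1400",
    [string]$GroupName = "WSUS-DC-Window-1400"
)

function Get-ComputerGpState {
    param([string]$Gpo, [string]$Group)
    # gpresult /r lists the computer's groups as DOMAIN\Group lines under
    # "The computer is a part of the following security groups", and lists a
    # filtered-out GPO as its name followed by a "Filtering:  Denied (Security)" line.
    $lines = (& gpresult.exe /scope computer /r 2>&1 | Out-String) -split "`r?`n"
    $hasGroup = [bool]($lines | Where-Object { $_ -match ('\\' + [regex]::Escape($Group) + '\s*$') })
    $state = "not listed (is the GPO linked in this computer's scope?)"
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i].Trim() -ne $Gpo) { continue }
        if ($lines[$i + 1] -match 'Filtering:\s*(.+?)\s*$') { $state = $matches[1] } else { $state = "applied" }
        break
    }
    New-Object PSObject -Property @{ HasGroup = $hasGroup; GpoState = $state }
}

Import-Module ActiveDirectory
$computer = Get-ADComputer $env:COMPUTERNAME
$inAd = (Get-ADPrincipalGroupMembership $computer | Select-Object -ExpandProperty Name) -contains $GroupName

$before = Get-ComputerGpState -Gpo $GpoName -Group $GroupName
"AD membership: $inAd | token has group: $($before.HasGroup) | GPO: $($before.GpoState)"

if (-not $inAd) {
    "This DC does not see $env:COMPUTERNAME in $GroupName; fix membership or replication first."
    return
}
if (-not $before.HasGroup) {
    # The machine's token was built at boot from its TGT and predates the change.
    # Purging the LocalSystem (0x3e7) ticket cache forces fresh tickets with the
    # current group list; the forced refresh then re-evaluates security filtering.
    & klist.exe -li 0x3e7 purge | Out-Null
    & gpupdate.exe /target:computer /force | Out-Null
    $after = Get-ComputerGpState -Gpo $GpoName -Group $GroupName
    "After purge: token has group: $($after.HasGroup) | GPO: $($after.GpoState)"
    if (-not $after.HasGroup) {
        "Token still stale on this OS; a reboot, or waiting for the tickets to expire, is the fallback."
    }
}
```

The fallback in the last branch is what the original poster ended up doing: letting the tickets age out rather than pushing a reboot of 70-odd DCs through change control.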
DavidRadford (Posts: 15) - 02/22/2010 10:14 AM
I know it sounds silly, but can you confirm that the WSUS GPO is an entirely separate GPO and not something you have added to an existing one.
Thanks,
Dave
DLinkOZ (Posts: 10) - 02/22/2010 1:09 PM
It's entirely separate. We're going to wait out the ticket aging, due to strict Change Management requirements.
DLinkOZ (Posts: 10) - 03/02/2010 9:26 PM
To circle back on this, we allowed time for the tickets to expire (easier than going through change control to bounce 70-ish DCs). All works as expected.