WSUS does not synchronize with policy or the OU to see the new computers.
1. The Group Policy informs the WUAgent of the managed client what the
target group assignment(s) are. These values are stored in the registry.
2. The WUAgent reads these values at service startup, and anytime it
performs a detection with an expired targeting cookie. (If the cookie is not
properly expiring, such as the case when the client has a one hour detection
frequency configured, the WUAgent will continue to use the target group
obtained during service startup.)
3. The group configured in the policy must exist on the WSUS console; if it
does not exist, you will need to create it.
4. The WSUS console, in Options | Computers, must have the option "Use
Group Policy or registry settings on computers" selected.
So, assuming all of the above is copasetic, and adding new computers to the
OU does not result in the new computers appearing in the WSUS console, there
are a couple of possibilities that could exist:
1. The computers have duplicated SusClientIDs in the registry, and are
appearing (and then disappearing) because the same SusClientID is being used
to identify multiple computers.
2. The computers are simply not getting that policy applied to them. Use
GPRESULT and/or RSOP to confirm that the policy is actually being applied to
the new computers, or inspect the registry key at
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate to verify that
TargetGroupEnabled=dword:0x1 and TargetGroup contains the correct name(s) of
the assigned target group(s).
3. The new computers have already registered with the WSUS server prior to
being placed in that OU and have registered in another group, or "Unassigned
Computers", and have a one hour detection frequency, and thus are unable to
expire the targeting cookie and obtain new target group information. This
scenario can be easily tested at the client by running the command wuauclt
/resetauthorization /detectnow and then inspecting the WindowsUpdate.log and
the WSUS console. If the computer then appears in response to that command,
a cached (and invalid) targeting cookie was the culprit.
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)
My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
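
The client-side checks from the reply above, collected into one script. This is an added example, not part of the original posts: `$ExpectedGroup` and `ConvertTo-GroupKey` are hypothetical names, and the `AU` subkey values and the `SusClientId` location are standard Windows Update agent registry locations that the thread itself does not spell out.

```powershell
# Added example (not from the thread): run locally on the WSUS client.
param(
    # Hypothetical parameter: target group name(s) the GPO is supposed to deliver,
    # semicolon-separated when there is more than one.
    [string]$ExpectedGroup = 'Example_Group'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

# A missing key yields $null; property reads on $null then return $null as well.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue
$client = Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue

# Normalise "A; B" and "b;a" to the same string so order, case and spacing are ignored.
function ConvertTo-GroupKey([string]$Value) {
    $names = @($Value -split ';' | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
    ($names | Sort-Object) -join ';'
}

$findings = @()
if (-not $policy -or $policy.TargetGroupEnabled -ne 1) {
    $findings += 'TargetGroupEnabled is not 1: the targeting policy is not applied to this computer.'
}
elseif ((ConvertTo-GroupKey $policy.TargetGroup) -ne (ConvertTo-GroupKey $ExpectedGroup)) {
    $findings += "TargetGroup is '$($policy.TargetGroup)', expected '$ExpectedGroup': " +
                 'the expected policy is not the effective one; confirm with GPRESULT/RSOP.'
}
if ($au.DetectionFrequencyEnabled -eq 1 -and $au.DetectionFrequency -eq 1) {
    $findings += 'One-hour detection frequency: the targeting cookie may not expire; ' +
                 'test with wuauclt /resetauthorization /detectnow.'
}

# Emit one object per computer so results from several machines can be collected and compared.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    TargetGroupEnabled = $policy.TargetGroupEnabled
    TargetGroup        = $policy.TargetGroup
    DetectionFrequency = $au.DetectionFrequency
    SusClientId        = $client.SusClientId   # the same value on two machines is a duplicate
    Findings           = $findings -join ' | '
}
```

Collect the output from each new computer and group it by `SusClientId`; any value shared by more than one computer name is the duplicated-ID case described in the reply.
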
I followed your recommendations and the client is getting the correct GPO
applied and is able to communicate with the WSUS server. Do you have any
other troubleshooting ideas? Are there any tables that I should be looking at
in the database?
>> > However as we add new
>> > computers to the OU, WSUS is not synchronizing with the OU to see the
>> > new
>> > computers. How can I make WSUS sync with the OU to see the new
>> > machines?
> I followed your recommendations and the client is getting the correct GPO
> applied and is able to communicate with the WSUS server. Do you have any
> other troubleshooting ideas?
Yes.
Rather than approach this from trying to sort out what you think WSUS is
*not* doing . . .
Let's talk about what it is doing.
Pick one computer, and let's determine the answers to the following
questions:
1. What target group is configured in the Group Policy for this computer?
2. Does this group exist on the WSUS Server?
3. Does the group have any other members appearing on the WSUS Server?
4. What is the setting in the dialog at Options | Computers in the WSUS
console?
5. What is the data in the registry value "TargetGroupEnabled" and
"TargetGroup" in the registry key
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate?
6. What group(s) is this computer actually appearing in on the WSUS server?
> Are there any tables that I should be looking at in the database?
Absolutely not. There is no purpose in inspecting database tables in any
aspect of WSUS administration or troubleshooting. Everything you need can be
found in logfiles and the admin console.
Thank you for your help. I will try to answer the question to the best of my
ability.
1. What target group is configured in the Group Policy for this computer?
The target group is SSC Servers - subgroups are SSC_Level_1 and SSC_Level_2
2. Does this group exist on the WSUS Server?
Yes
3. Does the group have any other members appearing on the WSUS Server?
Yes
4. What is the setting in the dialog at Options | Computers in the WSUS
console?
Use Group Policy or registry settings on computers
5. What is the data in the registry value "TargetGroupEnabled" and
"TargetGroup" in the registry key
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate?
TargetGroupEnabled = 1
TargetGroup = SSC_Level_1
6. What group(s) is this computer actually appearing in on the WSUS server?
The server does not appear in the WSUS target group.
> 1. What target group is configured in the Group Policy for this computer?
> The target group is SSC Servers - subgroups are SSC_Level_1 and
> SSC_Level_2
> 5. What is the data in the registry value "TargetGroupEnabled" and
> "TargetGroup" in the registry key
> HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate?
> TargetGroupEnabled = 1
> TargetGroup = SSC_Level_1
The settings in the registry do not match what you have stated is configured
in your policy object.
The conclusion here would be that the group policy object is not being
applied successfully to this system.
> 6. What group(s) is this computer actually appearing in on the WSUS
> server?
> The server does not appear in the WSUS target group.
Granted, it's not appearing in SSC Servers -- but the question was whether
the computer is appearing on the WSUS Server *anywhere*,
as in "All Computers", "Unassigned Computers", or "SSC_Level_1" which is the
group it's actually configured to use.
The registry setting has nothing at all to do with whether it appears in
WSUS.
My point was to establish that the system is absolutely not appearing in
WSUS =anywhere= (including an incorrectly assigned group), rather than only
being able to assume that it was not appearing in the expected group (which,
lacking statements to the contrary, is the only thing I could assume from
your post).
> I did a GPO result and it shows that the policy is getting applied to the
> server.
Then you must have a conflicting policy that is superseding this one,
because the value you cited from the registry most certainly does not match
the value you say is configured in the policy.