How to apply a GPO to a computers group


The group is not necessary: if you link the GPO to an OU and place your computers inside that OU, the GPO will automatically be applied to those computers and only those; you don't need a group for that.

What I think is happening: the GPO security filtering based on group membership is actually blocking the GPO from being applied, because the servers are not recognized as being members of that group until a reboot occurs (just as group membership is not refreshed for users until they log off and on again).


Author: nicovell3

Updated on September 18, 2022
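
A way to check the situation the answer describes, as an added example that is not part of the original thread: it compares what Active Directory says about the link, the OU and the group with what the target computer evaluated at its last policy refresh. The names WSUS, MyServers, MyServersGroup and FileServer are taken from the question; the domain DN is a placeholder, and the script assumes the RSAT GroupPolicy and ActiveDirectory modules plus remote administrative access to the target.

```powershell
# Added example, not from the original thread. WSUS, MyServers, MyServersGroup and
# FileServer are the names used in the question; the domain DN is a placeholder.
Import-Module GroupPolicy, ActiveDirectory

$GpoName  = 'WSUS'
$Group    = 'MyServersGroup'
$Computer = 'FileServer'
$OuDn     = 'OU=MyServers,DC=example,DC=com'   # assumption: replace with your domain DN

# 1. The GPO must be linked to the OU, and the link must be enabled.
$link = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $link)             { Write-Warning "'$GpoName' is not linked to $OuDn" }
elseif (-not $link.Enabled) { Write-Warning "The link to $OuDn exists but is disabled" }

# 2. The computer account must sit in (or below) that OU.
$comp = Get-ADComputer -Identity $Computer
if ($comp.DistinguishedName -notlike "*,$OuDn") {
    Write-Warning "$Computer is outside the OU: $($comp.DistinguishedName)"
}

# 3. Security filtering: which trustees hold "Read" + "Apply group policy"?
$appliers = (Get-GPPermission -Name $GpoName -All |
    Where-Object Permission -eq 'GpoApply').Trustee.Name
"Apply permission: $($appliers -join ', ')"

# 4. Membership as stored in the directory (changes as soon as the group is edited).
$inDirectory = (Get-ADGroupMember -Identity $Group -Recursive).Name -contains $comp.Name

# 5. RSoP logging data shows what the computer used at its last policy refresh:
#    the security groups it evaluated and a per-GPO AccessDenied flag.
$path = Join-Path $env:TEMP "rsop-$Computer.xml"
Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Xml -Path $path | Out-Null
$rsop = [xml](Get-Content -Path $path -Raw)
function Get-Text($node, $child) { $node.SelectSingleNode("*[local-name()='$child']").InnerText }
$cr = "//*[local-name()='ComputerResults']"
$tokenGroups = $rsop.SelectNodes("$cr/*[local-name()='SecurityGroup']") |
    ForEach-Object { Get-Text $_ 'Name' }
$inToken = [bool]($tokenGroups -like "*\$Group")

$rsop.SelectNodes("$cr/*[local-name()='GPO']") | ForEach-Object {
    [pscustomobject]@{ GPO = Get-Text $_ 'Name'; AccessDenied = Get-Text $_ 'AccessDenied' }
} | Format-Table -AutoSize

if ($inDirectory -and -not $inToken -and $appliers -notcontains 'Authenticated Users') {
    Write-Warning "$Computer is in $Group in AD but had not picked it up: reboot, then gpupdate"
}
```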

Comments

  • nicovell3 over 1 year

    I've just installed a "Windows Server Update Services" (WSUS) server in my company to provide updates to the Windows Server machines. Now I want to set a GPO in the servers OU to force them to get updates from the WSUS, but I'm not able to get it working. What I have done is:

    • Created a GPO called "WSUS" with the required settings (which are under "Computer Configuration" > "Windows Components" > "Windows Update") at the keys "Specify intranet Microsoft update service location", "Configure Automatic Updates" and "Enable client-side targeting".
    • Created a first-level Organizational Unit called "MyServers" and moved my servers from the "Computers" container to this OU.
    • Created a group called "MyServersGroup" inside that OU containing the computers inside "MyServers" (the OU and the group contain the same servers).
    • Linked the GPO to the "MyServers" OU and, at the Security filters, added the "MyServersGroup" with the "Read" and "Apply group policy" permissions (I did not delete the "Authenticated users" group).
    • Ran the "gpupdate /force" command in my Domain Controller server and then in one of my servers inside the "MyServers" OU, let's call it FileServer.

    And the policy does not apply.

    Instead of showing that policy applied, when I run "GPResult /F /H report.html" on the FileServer machine, the only policy applied is the "Default Domain Policy", which has some settings inside the "Computer Configuration" section but not at the keys I configured. That GPO is linked to the domain root, affecting only the "Authenticated users" group.

    In the report.html file the "WSUS" string does not even appear, as the "Winning GPO" is always the "Default Domain Policy". Why can't my policy be applied? I don't understand why this is happening...

    Edit: Now I have removed the "MyServersGroup" and configured the "Group Policy Modelling Wizard". It shows the WSUS policy being applied along with the default one, but in the FileServer the policy isn't applied yet (I ran the gpupdate in case it was necessary).

    • BlueCompute over 7 years
      The security group is unnecessary and confusing. Also, you state that you 'linked the GPO to MyServersGroup OU'; this is incorrect/unclear. Run Group Policy Modelling Wizard - does this show your GPO being applied?
    • nicovell3 over 7 years
      Yes, it's being applied, @BlueCompute... I didn't know about that feature (I'm new at this). Thanks for your advice!
  • joeqwerty over 7 years
    This is exactly what's happening. The servers need to be rebooted for the group membership to be effective and that's why the policy is not being applied. As you stated, the security group is completely unnecessary.
  • nicovell3 over 7 years
    The group was unnecessary (I set it up because the policy wasn't being applied), but the policy isn't applied yet even after deleting the group and rebooting the server.
  • nicovell3 over 7 years
    I didn't check the policy well after the reboot... Finally it's working! Thanks!!