v-gzwang
Fri Jun 27 03:29:27 PDT 2008
Hello Ryan,
Thank you for your post and thanks for Cliff's great help.
My name is Gary Wang, and it is my pleasure to work with you on this issue!
Please allow me to confirm that my understanding is correct. As I
understand it, the issue is:
You have set delegation to deny application for domain admins on the WSUS GPO.
However, the applications are still applied and cannot even be reverted.
If I have misunderstood your concerns please feel free to let me know.
Suggestion:
==============
I agree with Cliff's inputs. And besides his reply, I would like to share
some additional information. I suspect that you enabled "Remove access to
use all Windows Update features" under User Configuration\Administrative
Templates\Windows Components\Windows Update to prevent access to
http://windowsupdate.microsoft.com .
When you enable this setting, the operating system cannot be updated
through Windows Update, and Automatic Updates is disabled. Users or
administrators can still perform actions such as clicking the Windows
Update option on the Start menu, and the Windows Update Web site will
appear in the browser. However, it will not be possible to update the
operating system through Windows Update, regardless of the type of account
being used to log on.
Removing user access to Windows Update also disables Windows Automatic
Update (User Configuration\Administrative Templates\System\Windows Automatic
Updates). You may need to disable Windows Automatic Update too.
For more details, please refer to the following document:
Windows Update and Automatic Updates
http://technet.microsoft.com/en-us/library/bb490846(TechNet.10).aspx
Also, please notice that if you have ISA, there is a firewall policy named
"SBS Microsoft Update Sites Access Rule". Please make sure the rule is
enabled.
Hope it helps.
If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:
Information Needed
==============
1. Run gpresult /v > c:\gpresult.txt on the SBS server, then send
c:\gpresult.txt to me.
2. Gather the WSUS MPS Report and send it to me.
a. Please download the MPSRPT_SUS.EXE from the following link and then run
this tool to gather some information from the problematic server:
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_SUS.EXE
b. Double-click on the MPSRPT_SUS.EXE file.
[Note] This process may take some time; however, it will not have a
negative effect on the performance.
c. A CAB file will be generated in the
%SystemRoot%\MPSReports\MSUS\Bin\Reports\Cab directory called
%COMPUTERNAME%_MPSRPT_SUS.CAB. The CAB file will contain the reports
generated by the MPS Reporting Tool.
My email address is v-gzwang@microsoft.com
3. Try to ping windowsupdate.microsoft.com to see what will happen.
I look forward to your reply. Also, if you have any questions or concerns,
please do not hesitate to let me know. I am happy to help. :-)
Thank you for your time and cooperation!
Best regards,
Gary Wang (MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| From: "Cliff Galiher" <cgaliher@gmail.com>
| Subject: Re: GPO Delegation "Apply Group Policy" deny for Domain admins does not work?
| Date: Thu, 26 Jun 2008 11:08:58 -0600
|
| Most group policies operate this way. They make changes to the registry.
| So, even when disabled, the registry has already been changed. The
| difference between an active GPO and a disabled one is that, when active,
| the registry permissions are either changed in a way that prevents the
| user from making a change and/or the setting is rechecked on each
| reboot/login/application time to ensure the setting is still the same. A
| disabled GPO doesn't ENFORCE that setting anymore so the user is allowed
| to change it to whatever they desire.
|
| So there ya go, just a good thing to keep in mind...group policies can
| permanently change your machine. There is no "magic" rollback.
|
| -Cliff
|
| "Ryan" <mindflux98@gmail.com> wrote in message
| news:47a3a1f8-255b-497c-93cb-eb328b5a98d6@m73g2000hsh.googlegroups.com...
| > Cliff,
| > Thanks. I was told that by another member elsewhere. I feel dumb!
| >
| > What about the fact I can't visit WU even after the policies were
| > removed (disabled) entirely? Why did that not revert?
|
|