Re: Install Windows Patch via GPO



Meinolf,

Any ideas???
I changed my setup to match yours. Only thing that is different is the name
of my script - I go in to the OU, edit the GPO, Startup scripts and called
the script name "Patch". I click "Show Files" and there I see conflicker.bat
(which contains the statements you mention in your last post), the KB exe,
and the empty KB txt file.
I did gpresult on the PCs and the GPO is showing up now. Not sure why but it
took a week on this particular PC. I moved another PC to the OU and it showed
up during next reboot.
However, the patch is not installing on any computer. I rebooted a couple of
times and did gpupdate both on the server and computers. Let me know what you
think. Thanks.

"Asif Shah" wrote:

Meinolf,

I think I see what might be the problem.
When I go to my OU and open the GPO, I then go to Computer Configuration -
Windows Settings - Startup, double click on it and I see the path to the .cmd
file that has the command that runs the .exe:
Path to cmd file: \\servername\NETLOGON\patch.cmd
Command in cmd file: \\servername\public\z_WindowsXP-KB958644-x86-ENU.exe /quite

I think I have to put either the .exe in the path that comes up when you hit
Browse when you want to add a new script (which is what you have) or put the
cmd file there. The path that comes up when you hit Browse is:
\\domain.com\SysVol\domain.com\Policies\{3F30361D-1A8A-4B3F-xxxx-xxxxxxxx}\Machine\Scripts\Startup\

Is this correct? What should I put there, the exe or the cmd?

"Meinolf Weber [MVP-DS]" wrote:

Hello Asif,

I am running out of ideas. I will describe the way I did it in my domains,
a bit different, but your way should also work if the configuration is as
you described it. Here is my way:

I use a startup script, including this in a GPO:
---------------------------------------------------------------------------------------------------------------------
rem Install KB958644 (Conficker worm) in silent mode and create a log file to prevent a loop on install

rem Run the installer only if the marker log file does not exist yet
if not exist %systemroot%\W2KKB958644.log \\domain.com\SysVol\domain.com\Policies\{3F30361D-1A8A-4B3F-xxxx-xxxxxxxx}\Machine\Scripts\Startup\W2KKB958644.exe /quiet

rem Copy the empty placeholder to the marker location so the next boot skips the install
if not exist %systemroot%\W2KKB958644.log copy \\domain.com\SysVol\domain.com\Policies\{3F30361D-1A8A-4B3F-xxxx-xxxxxxxx}\Machine\Scripts\Startup\W2KKB958644.txt %systemroot%\W2KKB958644.log /y
---------------------------------------------------------------------------------------------------------------------

The .txt file is empty, just a placeholder on the disk for skipping the patch
at next reboot.

So if you use "Show files" in the startup properties of the GPO under computer
configuration, there are 3 files located:
- conficker.bat
- patchfile W2KKB958644.exe (file name is shortened)
- empty W2KKB958644.txt file

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
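
A more defensive version of the startup script above, as an added example that is not part of the original posts: it writes the marker only after the installer reports success (exit code 0, or 3010 for "reboot required"), so a failed install is retried at the next boot instead of being skipped. The `{GPO-GUID}` path segment, the error-log location and the use of `/norestart` are assumptions for illustration.

```batch
@echo off
rem Added example: install one hotfix once per machine from a GPO startup script.
rem PATCHDIR is a placeholder; the thread keeps the files in the GPO's
rem Machine\Scripts\Startup folder on SYSVOL.
setlocal
set KB=KB958644
set PATCHDIR=\\domain.com\SysVol\domain.com\Policies\{GPO-GUID}\Machine\Scripts\Startup
set PATCH=%PATCHDIR%\W2KKB958644.exe
set MARKER=%systemroot%\W2KKB958644.log
set ERRLOG=%systemroot%\Temp\%KB%-gpo-error.log

rem Marker present: the patch was installed on an earlier boot, nothing to do.
if exist "%MARKER%" goto :eof

rem Startup scripts run as the computer account, not the logged-on user.
rem Record it when that account cannot read the installer.
if not exist "%PATCH%" (
    echo %date% %time% cannot read %PATCH% >> "%ERRLOG%"
    goto :eof
)

rem /quiet = no UI, /norestart = do not reboot from inside the startup script.
rem start /wait blocks until the installer exits so errorlevel is its exit code.
start /wait "" "%PATCH%" /quiet /norestart
set RC=%errorlevel%

rem 0 = installed, 3010 = installed but a reboot is required.
if "%RC%"=="0" goto ok
if "%RC%"=="3010" goto ok

rem Any other code: write no marker, so the next boot retries the install.
echo %date% %time% %KB% failed, exit code %RC% >> "%ERRLOG%"
goto :eof

:ok
echo %date% %time% %KB% installed, exit code %RC% > "%MARKER%"
endlocal
```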


Meinolf,

I rechecked the path and it has no spaces:
\\server-name\public\WindowsXP-KB958644-x86-ENU.exe /quite

"Meinolf Weber [MVP-DS]" wrote:

Hello Asif,

The ip configuration looks ok.

Just to make sure, in your batch file are no spaces in between? It looks
really like this:
\\server-name\public\WindowsXP-KB958644-x86-ENU.exe /quite
and not similar like:
\\server name\public\WindowsXP KB958644 x86 ENU.exe /quite

Best regards

Meinolf Weber

Hello Meinolf,

Again thanks for helping out. I added another machine to that same OU for
testing (my own laptop). Below are the ipconfig /all results. Let me know
what you think. It's weird because I have never had issues with machines not
picking up GPOs.

Server:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator.DAC>ipconfig /all

Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : SERVER-NAME
    Primary DNS Suffix . . . . . . . : domainname.com
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : domainname.com

Ethernet adapter Local Area Connection 1:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #4
    Physical Address. . . . . . . . . : ***********
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.120.45
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.120.254
    DNS Servers . . . . . . . . . . . : 192.168.120.45
                                        192.168.120.46

Ethernet adapter Local Area Connection 2:

    Media State . . . . . . . . . . . : Cable Disconnected
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #3
    Physical Address. . . . . . . . . : ***********

Client:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\shaha>ipconfig /all

Windows IP Configuration

    Host Name . . . . . . . . . . . . : Machine-name
    Primary Dns Suffix . . . . . . . : domainname.com
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : domainname.com
                                        domainname.com

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : domainname.com
    Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
    Physical Address. . . . . . . . . : ***********
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.120.66
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.120.254
    DHCP Server . . . . . . . . . . . : 192.168.120.45
    DNS Servers . . . . . . . . . . . : 192.168.120.45
                                        192.168.120.46
    Lease Obtained. . . . . . . . . . : Monday, April 06, 2009 7:22:13 AM
    Lease Expires . . . . . . . . . . : Tuesday, April 14, 2009 7:22:13 AM

Ethernet adapter Wireless Network Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card
    Physical Address. . . . . . . . . : *************

"Meinolf Weber [MVP-DS]" wrote:
Hello Asif,

If gpresult does not list the policy, it can be that either the GPO is not
linked to the OU where the computers are located (you said that's the case)
or DNS is a problem. Please post an unedited ipconfig /all from the DNS
server and the client machine.

Best regards

Meinolf Weber

Yes. Authenticated Users have read and apply group policy permissions.

"Meinolf Weber [MVP-DS]" wrote:

Hello Asif,

And authenticated users have at least read on the "public" folder?

Best regards

Meinolf Weber

Yes I can. Start, Run, and type in the patch and it comes up fine.

"Meinolf Weber [MVP-DS]" wrote:

Hello Asif,

Can you map the folder when typing \\server-name\public in the
run line? If not what error pops up?

Best regards

Meinolf Weber

Thanks for the replies.
I changed the command to:
\\server-name\public\WindowsXP-KB958644-x86-ENU.exe /quite
What else do I need to add to the script?
I checked that Authenticated users have apply group policy.
I ran gpresult on the computer and it doesn't show my test GPO. It's been over
a day so it should have applied by now. I verified that that computer was in
that OU and it is. What am I missing?
I can also get to the folder from the computer directly.

"Meinolf Weber [MVP-DS]" wrote:
Hello Asif,

Make sure the "Authenticated users" have "Apply group policy"
checked on the GPO security and that you are able to access
the folder from a client. Gpresult will show you on the
client if it is applied

Best regards

Meinolf Weber

I want to deploy the KB958644 security patch to all my machines via GPO. I
downloaded the .exe. I know I have to add a script to Computer Configuration
- Windows Settings - Scripts (Startup). As a test I made a batch file (called
patch.cmd) with the below contents:
\\server-name\public\WindowsXP-KB958644-x86-ENU.exe
...and I added this batch file to the scripts in the above GPO without any
parameters.
I set the above GPO on the OU that has my test computer, and I have
restarted that computer many times so the GPO kicks in. I also did a gpupdate
on both the server and the machine. But nothing is happening. What am I doing
wrong?
Server - Server 2003 SP2
Computer - XP Pro SP3
