Re: Install Windows Patch via GPO



Hello Asif,

Errors, maybe access denied messages etc.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


I got the log. What should I look for?

"Meinolf Weber [MVP-DS]" wrote:

Hello Asif,

Enable logging according to this and check the logfile:
http://support.microsoft.com/kb/221833

Best regards

Meinolf Weber
Meinolf,

Any ideas???
I changed my setup to match yours. Only thing that is different is the name of my script - I go in to the OU, edit the GPO, Startup scripts and called the script name "Patch". I click "Show Files" and there I see conflicker.bat (which contains the statements you mention in your last post), the KB exe, and the empty KB txt file.
I did gpresult on the PCs and the GPO is showing up now. Not sure why but it took a week on this particular PC. I moved another PC to the OU and it showed up during next reboot.
However, the patch is not installing on any computer. I rebooted a couple of times and did gpupdate both on the server and computers. Let me know what you think. Thanks.
"Asif Shah" wrote:
Meinolf,

I think I see what might be the problem.
When I go to my OU and open the GPO, I then go to Computer Configuration - Windows Settings - Startup, double click on it and I see the path to the .cmd file that has the command that runs the .exe:
Path to cmd file: \\servername\NETLOGON\patch.cmd
Command in cmd file: \\servername\public\z_WindowsXP-KB958644-x86-ENU.exe /quite
I think I have to put either the .exe in the path that comes up when you hit Browse when you want to add a new script (which is what you have) or put the cmd file there. The path that comes up when you hit Browse is:
\\domain.com\SysVol\domain.com\Policies\{3F30361D-1A8A-4B3F-xxxx-xxxxxxxx}\Machine\Scripts\Startup\
Is this correct? What should I put there, the exe or the cmd?

"Meinolf Weber [MVP-DS]" wrote:

Hello Asif,

I am running out of ideas, I will describe the way I did it in my
domains, a bit different, but also your way should work if the
configuration is as you described it. Here is my way:

I use a startup script, including this in a GPO:

---------------------------------------------------------------------

rem install KB958644 (Conficker worm) in silent mode and create logfile to prevent loop on install

rem run the patch only while the marker logfile does not exist yet
if not exist %systemroot%\W2KKB958644.log \\domain.com\SysVol\domain.com\Policies\{3F30361D-1A8A-4B3F-xxxx-xxxxxxxx}\Machine\Scripts\Startup\W2KKB958644.exe /quiet

rem copy the empty placeholder to the marker logfile so the next startup skips the patch
if not exist %systemroot%\W2KKB958644.log copy \\domain.com\SysVol\domain.com\Policies\{3F30361D-1A8A-4B3F-xxxx-xxxxxxxx}\Machine\Scripts\Startup\W2KKB958644.txt %systemroot%\W2KKB958644.log /y

---------------------------------------------------------------------

The .txt file is empty, just a placeholder on the disk for
skipping the patch at next reboot.

So if you use "Show files" in the startup properties of the GPO under computer configuration, there are 3 files located:
- conficker.bat
- patchfile W2KKB958644.exe (file name is shortened)
- empty W2KKB958644.txt file
Best regards
Meinolf Weber
Meinolf,

I rechecked the path and it has no spaces:
\\server-name\public\WindowsXP-KB958644-x86-ENU.exe /quite
"Meinolf Weber [MVP-DS]" wrote:

Hello Asif,

The ip configuration looks ok.

Just to make sure, in your batch file are no spaces in between? It looks really like this:
\\server-name\public\WindowsXP-KB958644-x86-ENU.exe /quite
and not similar like:
\\server name\public\WindowsXP KB958644 x86 ENU.exe /quite
Best regards
Meinolf Weber
Hello Meinolf,

Again thanks for helping out. I added another machine to that
same OU for testing (my own laptop). Below are the ipconfig /all
results. Let me know what you think. It's weird because I
have never had issues with machine not picking up GPOs.

Server:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator.DAC>ipconfig /all
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : SERVER-NAME
Primary DNS Suffix . . . . . . . : domainname.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domainname.com
Ethernet adapter Local Area Connection 1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #4
Physical Address. . . . . . . . . : ***********
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.120.45
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.120.254
DNS Servers . . . . . . . . . . . : 192.168.120.45
192.168.120.46
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Cable Disconnected
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #3
Physical Address. . . . . . . . . : ***********
Client:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\shaha>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Machine-name
Primary Dns Suffix . . . . . . . : domainname.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domainname.com
domainname.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : domainname.com
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : ***********
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.120.66
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.120.254
DHCP Server . . . . . . . . . . . : 192.168.120.45
DNS Servers . . . . . . . . . . . : 192.168.120.45
192.168.120.46
Lease Obtained. . . . . . . . . . : Monday, April 06, 2009 7:22:13 AM
Lease Expires . . . . . . . . . . : Tuesday, April 14, 2009 7:22:13 AM
Ethernet adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card
Physical Address. . . . . . . . . : *************
"Meinolf Weber [MVP-DS]" wrote:
Hello Asif,

If gpresult does not list the policy, there can be the case,
either the GPO is not linked to the OU where the computers are
located (you said that's the case), DNS is a problem, please
post an unedited ipconfig /all from the DNS server and the
client machine.

Best regards

Meinolf Weber
Yes. Authenticated Users have read and apply group policy permissions.

"Meinolf Weber [MVP-DS]" wrote:

Hello Asif,

And authenticated users have at least read on the "public" folder?

Best regards

Meinolf Weber
Yes I can. Start, Run, and type in the patch and it comes up fine.

"Meinolf Weber [MVP-DS]" wrote:

Hello Asif,

Can you map the folder when typing \\server-name\public in
the run line? If not what error pops up?

Best regards

Meinolf Weber
Thanks for the replies.
I changed the command to:
\\server-name\public\WindowsXP-KB958644-x86-ENU.exe /quite
What else do I need to add to the script?
I checked that Authenticated users have apply group policy.
I ran gpresult on the computer and it doesn't show my test GPO. It's been over a day so it should have applied by now. I verified that that computer was in that OU and it is. What am I missing?
I can also get to the folder from the computer directly.
"Meinolf Weber [MVP-DS]" wrote:
Hello Asif,

Make sure the "Authenticated users" have "Apply group
policy" checked on the GPO security and that you are
able to access the folder from a client. Gpresult will
show you on the client if it is applied

Best regards

Meinolf Weber
I want to deploy the KB958644 security patch to all my machines
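
Added example, not part of the thread and not Meinolf Weber's script: a variant of the marker-file startup script described above that writes the marker only when the installer reports success, so a failed run is retried at the next boot and leaves an error log to check. It assumes the script and the package sit together in the GPO's Machine\Scripts\Startup folder; the marker and error-log names are hypothetical, and the package file name is the one quoted in the thread.

```bat
@echo off
setlocal
rem Added example. Assumes this script and the package are both in the GPO's
rem Machine\Scripts\Startup folder; %~dp0 expands to the script's own folder.
set "PKG=%~dp0WindowsXP-KB958644-x86-ENU.exe"
rem Hypothetical marker and error-log names.
set "MARKER=%SystemRoot%\KB958644-deployed.log"
set "ERRLOG=%SystemRoot%\KB958644-deploy-error.log"

rem A marker from an earlier successful run means nothing is left to do.
if exist "%MARKER%" goto :eof

rem Startup scripts run as Local System and reach the network as the computer
rem account, so record it when that account cannot see the package.
if not exist "%PKG%" goto nopkg

"%PKG%" /quiet /norestart
set "RC=%ERRORLEVEL%"

rem 0 = success, 3010 = success with a reboot pending.
if "%RC%"=="0" goto installed
if "%RC%"=="3010" goto installed
rem Redirection is written first so a trailing digit is not read as a handle number.
>>"%ERRLOG%" echo %DATE% %TIME% install failed, exit code %RC%
goto :eof

:nopkg
>>"%ERRLOG%" echo %DATE% %TIME% package not reachable: %PKG%
goto :eof

:installed
>"%MARKER%" echo %DATE% %TIME% installed, exit code %RC%
```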


