Re: Automatic Updates on Server Turned on & greyed out - yikes!
- From: "Steve V." <steve@xxxxxxxxxx>
- Date: Fri, 24 Aug 2007 09:56:44 -0400
Thanks for the response Bill, here's the feedback from the GpResult command,
any ideas?
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 8/24/2007 at 9:50:41 AM
RSOP data for PCWHIP\administrator on SBSERVER : Logging Mode
--------------------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003 for Small
Business Server
OS Configuration: Primary Domain Controller
OS Version: 5.2.3790
Terminal Server Mode: Remote Administration
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=SBSERVER,OU=Domain Controllers,DC=PcWhip,DC=local
Last time Group Policy was applied: 8/24/2007 at 9:48:43 AM
Group Policy was applied from: sbserver.PcWhip.local
Group Policy slow link threshold: 500 kbps
Domain Name: PcWhip
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Small Business Server Auditing Policy
Default Domain Controllers Policy
Small Business Server Client Computer
Small Business Server Remote Assistance Policy
Small Business Server Lockout Policy
Small Business Server Domain Password Policy
Default Domain Policy
WSUS
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista
Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
SBSERVER$
Exchange Domain Servers
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Exchange Enterprise Servers
SQLAccessGroup {5c9e071e-3dcc-463b-94df-c07bc066e7ef}
RAS and IAS Servers
PrivUserGroup {5c9e071e-3dcc-463b-94df-c07bc066e7ef}
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
GPO: Default Domain Policy
Policy: MaxServiceAge
Computer Setting: 600
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 50
GPO: Default Domain Policy
Policy: MaxTicketAge
Computer Setting: 10
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 24
GPO: Small Business Server Domain Password Policy
Policy: MinimumPasswordAge
Computer Setting: N/A
GPO: Small Business Server Domain Password Policy
Policy: PasswordHistorySize
Computer Setting: 24
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 4294967295
GPO: Small Business Server Lockout Policy
Policy: LockoutDuration
Computer Setting: 10
GPO: Small Business Server Lockout Policy
Policy: ResetLockoutCount
Computer Setting: 10
GPO: Default Domain Policy
Policy: MaxClockSkew
Computer Setting: 5
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: N/A
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: N/A
GPO: Small Business Server Domain Password Policy
Policy: MinimumPasswordLength
Computer Setting: N/A
GPO: Small Business Server Lockout Policy
Policy: LockoutBadCount
Computer Setting: 50
GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 10
GPO: Small Business Server Domain Password Policy
Policy: MaximumPasswordAge
Computer Setting: 4294967295
GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 10
GPO: Default Domain Policy
Policy: MaxRenewAge
Computer Setting: 7
Audit Policy
------------
GPO: Default Domain Controllers Policy
Policy: AuditPolicyChange
Computer Setting: No Auditing
GPO: Default Domain Controllers Policy
Policy: AuditPrivilegeUse
Computer Setting: No Auditing
GPO: Default Domain Controllers Policy
Policy: AuditLogonEvents
Computer Setting: Success
GPO: Small Business Server Auditing Policy
Policy: AuditDSAccess
Computer Setting: No Auditing
GPO: Default Domain Controllers Policy
Policy: AuditAccountLogon
Computer Setting: Success
GPO: Default Domain Controllers Policy
Policy: AuditObjectAccess
Computer Setting: No Auditing
GPO: Default Domain Controllers Policy
Policy: AuditDSAccess
Computer Setting: No Auditing
GPO: Default Domain Controllers Policy
Policy: AuditAccountManage
Computer Setting: No Auditing
GPO: Small Business Server Auditing Policy
Policy: AuditLogonEvents
Computer Setting: Success, Failure
GPO: Default Domain Controllers Policy
Policy: AuditProcessTracking
Computer Setting: No Auditing
GPO: Default Domain Controllers Policy
Policy: AuditSystemEvents
Computer Setting: No Auditing
User Rights
-----------
GPO: Default Domain Controllers Policy
Policy: MachineAccountPrivilege
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: DenyNetworkLogonRight
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: RestorePrivilege
Computer Setting: Administrators
Backup Operators
GPO: Default Domain Controllers Policy
Policy: TcbPrivilege
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: SystemProfilePrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: DenyServiceLogonRight
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: ServiceLogonRight
Computer Setting: PCWHIP\CRM_WPG
NETWORK SERVICE
PCWHIP\Administrator
PCWHIP\QBDataServiceUser17
GPO: Default Domain Controllers Policy
Policy: UndockPrivilege
Computer Setting: Administrators
*S-1-5-32-547
GPO: Default Domain Controllers Policy
Policy: CreatePermanentPrivilege
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: AuditPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
GPO: Default Domain Controllers Policy
Policy: TakeOwnershipPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: CreatePagefilePrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: EnableDelegationPrivilege
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: DebugPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: SystemTimePrivilege
Computer Setting: Administrators
*S-1-5-32-547
LOCAL SERVICE
GPO: Default Domain Controllers Policy
Policy: DenyBatchLogonRight
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: BackupPrivilege
Computer Setting: Administrators
Backup Operators
GPO: Default Domain Controllers Policy
Policy: CreateTokenPrivilege
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: ChangeNotifyPrivilege
Computer Setting: Users
Backup Operators
Everyone
Administrators
*S-1-5-32-547
PCWHIP\QBDataServiceUser17
GPO: Default Domain Controllers Policy
Policy: SyncAgentPrivilege
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: ProfileSingleProcessPrivilege
Computer Setting: Administrators
*S-1-5-32-547
GPO: Default Domain Controllers Policy
Policy: LoadDriverPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: InteractiveLogonRight
Computer Setting: PCWHIP\IUSR_SBSERVER
Users
Administrators
Backup Operators
*S-1-5-32-547
GPO: Default Domain Controllers Policy
Policy: RemoteShutdownPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: IncreaseBasePriorityPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: NetworkLogonRight
Computer Setting: PCWHIP\CRM_WPG
PCWHIP\IUSR_SBSERVER
Users
Backup Operators
Everyone
Administrators
ENTERPRISE DOMAIN CONTROLLERS
*S-1-5-32-547
PCWHIP\IWAM_SBSERVER
PCWHIP\QBDataServiceUser17
GPO: Default Domain Controllers Policy
Policy: LockMemoryPrivilege
Computer Setting: N/A
GPO: Default Domain Controllers Policy
Policy: ShutdownPrivilege
Computer Setting: Administrators
Backup Operators
*S-1-5-32-547
GPO: Default Domain Controllers Policy
Policy: SecurityPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: AssignPrimaryTokenPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
PCWHIP\IWAM_SBSERVER
GPO: Default Domain Controllers Policy
Policy: SystemEnvironmentPrivilege
Computer Setting: Administrators
GPO: Default Domain Controllers Policy
Policy: IncreaseQuotaPrivilege
Computer Setting: LOCAL SERVICE
NETWORK SERVICE
Administrators
PCWHIP\IWAM_SBSERVER
GPO: Default Domain Controllers Policy
Policy: BatchLogonRight
Computer Setting: PCWHIP\CRM_WPG
PCWHIP\Administrator
PCWHIP\IUSR_SBSERVER
PCWHIP\IIS_WPG
PCWHIP\IWAM_SBSERVER
PCWHIP\SQLDebugger
GPO: Default Domain Controllers Policy
Policy: DenyInteractiveLogonRight
Computer Setting: PCWHIP\SBS Remote Operators
PCWHIP\SBS STS Worker
PCWHIP\SQLDebugger
PCWHIP\QBDataServiceUser17
Security Options
----------------
GPO: Default Domain Policy
Policy: TicketValidateClient
Computer Setting: Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Small Business Server Domain Password Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Small Business Server Domain Password Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Controllers Policy
Policy: Microsoft network server: Digitally sign
communications (if client agrees)
ValueName:
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: Network security: LAN Manager
authentication level
ValueName:
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
Computer Setting: 2
GPO: Default Domain Controllers Policy
Policy: Domain controller: LDAP server signing
requirements
ValueName:
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: Domain member: Digitally encrypt or sign
secure channel data (always)
ValueName:
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
Computer Setting: 1
GPO: Default Domain Controllers Policy
Policy: Microsoft network server: Digitally sign
communications (always)
ValueName:
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
Computer Setting: 1
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: Small Business Server Remote Assistance Policy
KeyName: software\policies\microsoft\windows NT\Terminal
Services\fAllowUnsolicitedFullControl
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS
KeyName:
Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0,
47, 0, 115, 0, 98, 0, 115, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 58, 0,
56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: Small Business Server Remote Assistance Policy
KeyName: software\policies\microsoft\windows NT\Terminal
Services\RAUnsolicit\PCWHIP\Domain Admins
Value: 80, 0, 67, 0, 87, 0, 72, 0, 73, 0, 80, 0, 92,
0, 68, 0, 111, 0, 109, 0, 97, 0, 105, 0, 110, 0, 32, 0, 65, 0, 100, 0, 109,
0, 105, 0, 110, 0, 115, 0, 0, 0
State: Enabled
GPO: WSUS
KeyName:
Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0,
47, 0, 115, 0, 98, 0, 115, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 58, 0,
56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: Small Business Server Client Computer
KeyName: software\policies\microsoft\windows\network
connections\NC_ShowSharedAccessUI
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS
KeyName:
Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
Value: 0, 0, 0, 0
State: Enabled
GPO: WSUS
KeyName:
Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
Value: 4, 0, 0, 0
State: Enabled
GPO: Small Business Server Client Computer
KeyName: software\policies\microsoft\windows\network
connections\NC_AllowNetBridge_NLA
Value: 0, 0, 0, 0
State: Enabled
GPO: Small Business Server Client Computer
KeyName:
software\microsoft\windows\currentversion\policies\explorer\NoWelcomeScreen
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS
KeyName:
Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
Value: 1, 0, 0, 0
State: Enabled
GPO: Small Business Server Client Computer
KeyName: software\microsoft\windows
nt\currentversion\winlogon\SyncForegroundPolicy
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS
KeyName:
Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime
Value: 3, 0, 0, 0
State: Enabled
GPO: Small Business Server Remote Assistance Policy
KeyName: software\policies\microsoft\windows NT\Terminal
Services\fAllowUnsolicited
Value: 1, 0, 0, 0
State: Enabled
GPO: WSUS
KeyName:
Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay
Value: 0, 0, 0, 0
State: Enabled
USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=PcWhip,DC=local
Last time Group Policy was applied: 8/24/2007 at 9:20:33 AM
Group Policy was applied from: sbserver.PcWhip.local
Group Policy slow link threshold: 500 kbps
Domain Name: PCWHIP
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista
WSUS
Filtering: Not Applied (Empty)
Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2
Small Business Server Domain Password Policy
Filtering: Not Applied (Empty)
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2
Small Business Server Lockout Policy
Filtering: Disabled (GPO)
Local Group Policy
Filtering: Not Applied (Empty)
Small Business Server Remote Assistance Policy
Filtering: Disabled (GPO)
Small Business Server Client Computer
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
Group Policy Creator Owners
SBS Report Users
Schema Admins
SBS Internet Users
SBS Mobile Users
Enterprise Admins
UserGroup {5c9e071e-3dcc-463b-94df-c07bc066e7ef}
Offer Remote Assistance Helpers
ReportingGroup {5c9e071e-3dcc-463b-94df-c07bc066e7ef}
The user has the following security privileges
----------------------------------------------
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Resultant Set Of Policies for User
-----------------------------------
Software Installations
----------------------
N/A
Logon Scripts
-------------
N/A
Logoff Scripts
--------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
N/A
Internet Explorer Connection
----------------------------
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
"Bill Peng [MSFT]" <v-bpeng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:G5k2p8f5HHA.5204@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Steve,
I agree with Lanwench - this shall be a policy issue. Please run the
following command:
gpresult /z > C:\gpresult.txt
Then post the content of C:\gpresult.txt here for a look.
Sincerely,
Bill Peng
MCSE 2000, MCDBA, CCNP, CCDA
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
--------------------
From: "Lanwench [MVP - Exchange]"<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Automatic Updates on Server Turned on & greyed out - yikes!
Date: Thu, 23 Aug 2007 15:14:27 -0400
Steve V. <steve@xxxxxxxxxx> wrote:
Hi all,
I have several SBS2003 servers out in the world and doing just fine.
My policy has always been to do the Server Updates for these servers
MANUALLY during off hours to avoid problems. Thus I have
intentionally turned off automatic updates on the servers. Recently I
noticed that a couple of these servers had turned the 'Automatic
Update' setting back on and also had greyed out the options so that I
cannot change them back. I assume that this is a policy change but I
don't know how it got there and why it is present on some servers and
not others.
I am using WSUS on these servers and have excluded the server from
automatic approval updates. I have not seen anyone out there with the
same issue....
Anyone run across this yet?
Thanks for your help - Steve V.
Group Policy will do this... run an rsop.msc on the server & see where it
is being applied. I agree that "download & notify" is the way to go on a
server.
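An added example, not part of the original thread: the Administrative Templates section of `gpresult /z` prints registry values as byte lists, and this parser decodes them so the Windows Update settings and the GPO that sets each one are readable. The typing rule (4 bytes is a DWORD, NUL-terminated even-length data is a UTF-16LE string) is an assumption, since gpresult does not print the registry type; `SAMPLE` is an excerpt of the output posted above, and the function names are made up for this sketch.

```python
import re

# Excerpt of the "Administrative Templates" section posted above (values as posted).
SAMPLE = r"""
GPO: WSUS
KeyName:
Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0,
47, 0, 115, 0, 98, 0, 115, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 58, 0,
56, 0, 53, 0, 51, 0, 48, 0, 0, 0
State: Enabled
GPO: WSUS
KeyName:
Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
Value: 4, 0, 0, 0
State: Enabled
GPO: Small Business Server Client Computer
KeyName: software\microsoft\windows
nt\currentversion\winlogon\SyncForegroundPolicy
Value: 1, 0, 0, 0
State: Enabled
"""

FIELD = re.compile(r"^(GPO|KeyName|Value|State):\s*(.*)$")
# Documented meanings of the AUOptions policy value.
AU_OPTIONS = {2: "notify before download", 3: "download, notify before install",
              4: "download and install on schedule", 5: "local admin chooses"}

def decode_value(byte_list):
    """Assumed typing: 4 bytes -> little-endian DWORD; NUL-terminated
    even-length data -> UTF-16LE string; anything else stays raw bytes."""
    data = bytes(byte_list)
    if len(data) == 4:
        return int.from_bytes(data, "little")
    if len(data) % 2 == 0 and data[-2:] == b"\x00\x00":
        return data[:-2].decode("utf-16-le")
    return data

def parse_admin_templates(text):
    """Collect GPO/KeyName/Value/State entries, joining wrapped lines."""
    records, rec, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m:
            cur, val = m.groups()
            if cur == "GPO":
                rec = {}  # a GPO line starts a new entry
            rec[cur] = val
            if cur == "State" and "KeyName" in rec and "Value" in rec:
                nums = [int(n) for n in rec["Value"].replace(",", " ").split()]
                records.append({"gpo": rec.get("GPO", "?"), "key": rec["KeyName"],
                                "state": val, "value": decode_value(nums)})
                cur = None
        elif line and cur in ("KeyName", "Value"):
            rec[cur] = (rec[cur] + " " + line).strip()  # wrapped continuation
    return records

def windows_update_policy(records):
    """Map each WindowsUpdate value name to (decoded value, GPO that set it)."""
    return {r["key"].rpartition("\\")[2]: (r["value"], r["gpo"])
            for r in records if "\\windowsupdate\\" in r["key"].lower()}

if __name__ == "__main__":
    found = windows_update_policy(parse_admin_templates(SAMPLE))
    for name, (value, gpo) in found.items():
        note = f" ({AU_OPTIONS.get(value, 'unknown')})" if name == "AUOptions" else ""
        print(f"{name} = {value!r}{note}  <- GPO: {gpo}")
```

The parser ignores the `Policy:` / `Computer Setting:` entries of the security sections, so the whole `C:\gpresult.txt` can be passed in as one string.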