On Wed, Jan 3, 2018 at 4:43 PM, Charles F Sullivan <charles.sulliva...@bc.edu> wrote: > I'm not sure why you're using security filtering. Is your objective to only > have *some* DCs get this policy?
Correct. I can't have all DCs rebooting to install updates at the same time. So I want 1 to reboot at 4AM, 1 at 5AM, etc. So I have multiple GPOs, set for different times, and I filter based on group membership, to stagger reboots. > If so, as Joe said those servers need to > get the group membership into their access tokens. Ha! I saved a post which > says how to do that without rebooting and it turns out it was from you! > > I actually used the method you described after I added a server to a group > about a month ago, so thanks. You're welcome! Yes, I remembered that tip, too, and so now it is working. For anyone else: klist purge –li 0x3e7 This will reset the computer access token (Kerberos ticket), so you don't need to reboot. Then just do a "gpupdate /force", and all should be good. > > On Wed, Jan 3, 2018 at 3:26 PM, Michael Leone <oozerd...@gmail.com> wrote: >> >> OK, I'm scratching my head over this. I made a new GPO, set it to >> automatically install Windows Updates at a specific time. I set it to >> filter only to an AD group. I linked it to the Domain Controllers OU. >> Pretty much what I've always done. The only difference is that this >> time, this new GPO is for my DCs. >> >> When I run a "gpresult /r", I see the new GPO being not applied, >> because it was being filtered out. The reason shows as "Security". >> >> And I can't figure out what I did wrong. This particular DC is a >> member of the AD group that this GPO is set to filter on. Now, the >> "Default Domain Controllers Policy" is being applied. And this is just >> set to filter on "Authenticated users". >> >> I don't get it. I checked the link order, and the updating GPO is a >> lower number than the Default policy. Running the Group Policy >> Modeling, I see the new GPO as a winning GPO. >> >> So what am I doing wrong? Where to look next, to figure out where this >> filtering is taking place? >> >> > > > > -- > > Charlie Sullivan > > Sr. Windows Systems Administrator > > Boston College > > 197 Foster St. Room 367 > > Brighton, MA 02135 > > 617-552-4318