WSUS group membership not updating
Once all Sites are visible, you can simply right-click the Site name and link the GPO that contains the WSUS server address to that Site. You should now have Group Policy handing out WSUS server addresses based on the Site that the computer is currently in. If you find things are not working as expected, you can use the handy tool (Resultant Set of Policy) and the command nltest /dsgetsite to find out to which Site a computer currently belongs.
If, like me, you use Group Policies and apply them to computer accounts using security groups, you notice these GPOs do not apply with a simple First solution to the problem explained above: reboot. There is another way to apply a GPO linked to a computer account through security groups: playing with Kerberos. When a computer starts, it will contact a domain controller and will begin Kerberos communication to get a token. The KDC searches Active Directory for the computer account. Right-click on the Sites node towards the bottom of the tree, then select Show Sites. You'll then be able to add in all the required Sites. For reference we will be using some of the commands outlined here.
I've just installed a "Windows Server Update Services" (WSUS) server in my company to provide updates to the Windows Server machines.
This is due to the Kerberos workflow explained below.
This solution can be problematic on production servers.
Instead of showing that policy applied, when I run "GPResult /F /H report.html" on the File Server machine, the only policy applied is the "Default Domain Policy", which has some settings inside the "Computer Configuration" section but not at the keys I configured.
That GPO is linked to the domain root, affecting only the "Authenticated users" group. Edit: Now I have removed the "My Servers Group" and configured the "Group Policy Modelling Wizard".
It creates the PAC structure: this structure includes information such as direct and transitive group membership, and encodes it into the TGT.