First published on TechNet on Apr 24, 2013
[This post comes to us courtesy of Charanjeet Singh and Rituraj Choudhary from Microsoft Commercial Technical Support]
Certain Group Policy Objects (GPOs) are created and configured by default during the installation of Windows Small Business Server 2011 Standard. This blog post will cover how to create these GPOs manually in the event that they are missing or have been accidentally deleted without a backup.
Note:
If one or more of these GPOs are missing as the result of a failed install, you should not follow this procedure. We recommend that you call Microsoft Product Support as other components are likely to be broken.
The steps have been broken down into two types of Group Policies.
Update Services Policies:
-
Update Services Client Computers Policy
-
Update Services Common Settings Policy
-
Update Services Server Computers Policy
Windows SBS Policies:
-
Windows SBS Client – Windows 7 and Windows Vista Policy
-
Windows SBS Client - Windows 8 Policy
-
Windows SBS Client – Windows XP Policy
-
Windows SBS Client Policy
-
Windows SBS CSE Policy
-
Windows SBS Users Policy
-
Small Business Server Folder Redirection Policy (
Optiona
l)
-
SharePoint Psconfig Notification Policy
We do not cover the steps to create the Default Domain Controllers Policy or the Default Domain Policy in this post. Either restore these policies from backup or contact Microsoft Product Support Services for assistance.
Create the three Update Services Policies
-
Open Start > Run and enter
gpmc.msc
to open the Group Policy Management Console.
-
Expand
Forest: <SBS Forest>\Domains\<SBS Domain>\Group Policy Objects.
-
Right-click the
Group Policy Objects
key and choose
New
.
-
Enter
Update Services Client Computers Policy
as the name.
-
Select
OK
.
*** The name must be entered exactly as shown, DOUBLE CHECK the spelling before selecting OK.
-
Create the two remaining WSUS policies in the same way.
-
Update Services Common Settings Policy
-
Update Services Server Computers Policy
Configure the Update Services Client Computers Policy
-
Right-click
Update Services Client Computers Policy
and choose
Edit
. On the Group Policy Management Editor, open
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
-
Configure the settings as shown in the report below
Configure the Update Services Common Settings Policy
-
Right-click
Update Services Common Settings Policy
and choose
Edit
. On the Group Policy Management Editor, open
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
-
Configure the settings as shown in the report below
Important:
The
Set the intranet update service for detecting updates
and
Set the intranet statistics server
policies are specific to your server and must be configured with http://<
YourServerName
>:8530
Note:
The above report for this GPO shows the “enabled” and “disabled” policy settings only. Any policy that does not appear in the above report should be set to “Not configured” on your server.
Configure the Update Services Server Computers Policy
-
Right-click
Update Services Server Computers Policy
and choose
Edit
. On the Group Policy Management Editor, open
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
-
Configure the settings as shown in the report below
Configure the scope of the new Update Services Policies
Update Services Client Computers Policy
-
Leave “Links” empty
-
Remove any object under “Security Filtering”
-
Set “WMI Filtering” to <none>
Update Services Server Computers Policy
-
Leave “Links” empty
-
Remove any object under “Security Filtering”
-
Set “WMI Filtering” to <none>
Update Services Common Settings Policy
-
Leave “Links” empty
-
“Authenticated Users” must be listed under “Security Filtering”
-
Set “WMI Filtering” to <none>
Link the new Update Services Policies
-
In the Group Policy Management Console, right-click on your SBS domain and select
Link an Existing GPO
-
Select the following 3 policies
-
Click
OK
Once the WSUS policies have been updated and applied, Security Filtering on the Client Computers and Server Computers GPOs will begin populating with the machine accounts of your domain joined clients and servers. This is done automatically by SBS every 5 minutes.
Create the Windows SBS Policies
Create the Small Business Server Folder Redirection Policy (Optional):
This is an optional GPO. Follow these steps only if you wish to use folder redirection.
-
On the SBS 2011 Console, select the
Shared Folders and Web Sites
tab
-
On the Right hand side, under “Tasks” select
Redirect folders for user accounts to the server
-
Complete the wizard
Create the remaining SBS GPOs
These steps will create the following GPOs:
-
Windows SBS Client – Windows 7 and Windows Vista Policy
-
Windows SBS Client – Windows XP Policy
-
Windows SBS Client – Windows 8 Policy
-
Windows SBS Client Policy
-
Windows SBS CSE Policy
-
Windows SBS Users Policy
-
Copy the file
GPOFix11.txt
from the following link and save it to an easily accessible path, such as c:\windows\temp, on the SBS 2011 server:
http://cid-d5fe25afb6c3615f.skydrive.live.com/self.aspx/.Public/GPOFix11.txt
-
Right-click on the Command Prompt and select
Run as Administrator.
-
Run the following command from the Administrator Command prompt, substitute the path to the gpofix.txt file as needed (We recommend that you
DO NOT
copy & paste the command directly from the blog post):
“C:\Program Files\Windows Small Business Server\Bin\GPOTask.exe” /config:c:\windows\temp\gpofix11.txt
-
The task will take a few moments to complete, after which it will return to the command prompt.
-
Verify that the GPOs have been created in the Group Policy Management Console.
-
Run and complete the
Internet Address Management Wizard
from the SBS 2011 Console to complete the configuration.