Some questions to ask yourself:
Do my clients meet the requirements to run WSUS?
• Windows 2000 Service Pack 3 (SP3) and later
• Windows XP and later
• Windows Server 2003
Have you cloned your computers on the network? If yes, did you run Sysprep, Ghostwalker, or NewSID on the computers after they have been deployed with the new image?
Each computer on a network requires a SID (Security Identifier), which uniquely describes that computer account to the rest of the Windows network resources. Duplicate SIDs are supposedly not as big an issue for computers in a domain environment as they are in workgroups, but it is best to avoid the issue entirely. When WSUS creates its own client IDs, they are based on the original computer SID. If these duplicate the IDs of other computers (which happens in cloned environments where the aforementioned tools have NOT been run), several clients present the same ID to the WSUS server.
If you have not run any one of these tools (they are mutually exclusive), then you will need to delete the WSUS Client ID keys on the affected workstations:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PingID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientId
Stop and start the Automatic Update service, then run 'wuauclt.exe /resetauthorization /detectnow'. You should see the computer report into the WSUS server shortly thereafter.
You can use this script to do it automatically for you, either on a remote workstation or locally (you should only need to perform this step once on each affected PC):
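The manual steps above as a local PowerShell function. This is an added example, not the script the original page refers to; the name Reset-WsusClientId is hypothetical, and it assumes PowerShell is installed on the client and the session is elevated. It treats the three names as values under the WindowsUpdate key and uses wuauserv, the service name of Automatic Updates.

```powershell
# Added example; Reset-WsusClientId is a hypothetical name.
# Assumes an elevated PowerShell session on the affected client.
$WuKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$IdNames = 'AccountDomainSid', 'PingID', 'SusClientId'   # values under $WuKey
$Service = 'wuauserv'                                    # Automatic Updates

function Reset-WsusClientId {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path -Path $WuKey)) {
        throw "Registry key not found: $WuKey"
    }

    # Keep the old ID so the stale entry can be found in the WSUS console.
    $props = Get-ItemProperty -Path $WuKey
    $oldId = $props.SusClientId

    Stop-Service -Name $Service -Force
    try {
        foreach ($name in $IdNames) {
            # Only remove values that exist; a missing one is not an error.
            if ($props -and $props.PSObject.Properties[$name] -and
                $PSCmdlet.ShouldProcess("$WuKey\$name", 'Remove registry value')) {
                Remove-ItemProperty -Path $WuKey -Name $name
            }
        }
    }
    finally {
        # Restart the service even if a removal failed.
        Start-Service -Name $Service
    }

    # Same command as the manual step: re-register and detect now.
    if ($PSCmdlet.ShouldProcess('wuauclt.exe', 'Reset authorization and detect')) {
        & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
    }
    return $oldId   # previous SusClientId, or $null if none was set
}

Reset-WsusClientId
```

Calling the function with -WhatIf lists the values that would be removed without changing anything.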
Want to figure out which computers have duplicate SIDs?
Use PsGetSid from Sysinternals: http://www.microsoft...s/psgetsid.mspx - You can run this against all computers in your domain to discover which ones have a duplicate SID.
You should really then run NewSID from Sysinternals on any of the duplicate computers to resolve any potential issues in the future (not to mention the security issues involved with having duplicate SIDs on the network): http://www.microsoft...ies/newsid.mspx
NOTE: You don't need to RUN NewSID on each computer prior to fixing the duplicate ID issue in WSUS, but it may rear its ugly head later on, so if you can find the time, I would recommend fixing this issue as soon as you can.
Did you apply your GPO to the appropriate OU? Did you apply the GPO to an OU that contains computer objects?
Are you waiting long enough for your GPOs to be applied to your computers?
Link --> Refresh Group Policy settings with GPUpdate.exe
Command-line syntax for forcing a computer to check in and receive updated GPOs:
Windows 2000: secedit /refreshpolicy machine_policy /enforce
Windows XP/2k3: gpupdate /force
Be aware that if the GPO was configured/added to a DC in a multi-DC environment, GPUpdate may not work until the GPO is replicated to the computer's logon server.
Is the GPO even applying to your computer?
Use GPResult to check whether the policy is applying to your computer.
Link --> How to Use the Group Policy Results (GPResult.exe) Command Line Tool
Command-line syntax for checking the applicable GPOs against your computer:
Windows 2000: GPResult (You must download it first from: http://download.micr...S/gpresult.exe)
Windows XP/2k3: GPResult
If you don't see the GPO specified in the output of your GPResult, then you know you need to look to Active Directory as the source of the problem. If you do see the GPO applied here, then it is more likely an issue with the client (i.e. a duplicate SID issue).
Do you have 'Block Inheritance' set on your OU which would restrict a group policy from applying to the OU and objects contained therein?
Other things you can try: