My SUS Clients are updating to the server on the systems that I've manually created the registry entries on. We have Active Directory, so I downloaded the latest 'WUAU.adm' file (24k) and added to my OU's Group Policy and made all the entries.

Problem - When the user initially logs in (or the Group Policy is reloaded) the results of the GPO is 'Denied (Security)' and I can't see why. I created another GPO with non-WUAU.adm settings and it works for the same OU.

Anyone seen anything like this?

Contributed By: Chris Cowden and Cliff Hobbs [MVP SMS]

Chris Cowden
What we found was that if the GPO was on the higher OU (i.e. the OU that contained the Users OU and Computers OU) it got a Denied (Security). If I moved it to the User OU, it got applied (empty). Finally putting it against the Computers OU, it applied and created the registry entries. I was hoping to keep the GPO centralized in the higher OU, but I guess in some cases, they're going to have to go against OUs that specifically hold the objects affected by the OUs.

Cliff Hobbs [MVP SMS]
You could also try using the GPResult or the Group Policy Management Console to check for policy conflicts