Once a computer is brought on to the domain, the Local Administrators cannot do any Windows OS Updates. Only a Domain Administrator can. All other updates can be performed by the Local Administrator and any applications can be loaded by Local Administrators. It’s just operating system updates that fail to load.
I was hired a year ago and am trying to get a handle on the way things work in my school district. One of my pains is Domain Administrator Rights. Before I got here every tech had Domain Admin rights. I have been attempting to scale down there privileges; however, my only stumbling block is Updates.
To attempt to get around this I installed WSUS to do automatic updates, but when an update fails my techs must go to the computer and do the updates locally. Then I have to give them Domain Admin Privileges, BAD IDEA!!!!
I have looked and looked in the security settings and group policies at Domain level and still have not found it. Can anyone tell me where I can look to find the setting that prevents everyone but the Domain Administrator from doing updates?