Privileges that allow Local Users to do Windows OS Updates

       Once a computer is brought on to the domain, the Local Administrators cannot do any Windows OS Updates.  Only a Domain Administrator can.  All other updates can be performed by the Local Administrator and any applications can be loaded by Local Administrators.  It’s just operating system updates that fail to load.
        I was hired a year ago and am trying to get a handle on the way things work in my school district.  One of my pains is Domain Administrator Rights.  Before I got here every tech had Domain Admin rights.  I have been attempting to scale down their privileges; however, my only stumbling block is Updates.  
        To attempt to get around this I installed WSUS to do automatic updates, but when an update fails my techs must go to the computer and do the updates locally.  Then I have to give them Domain Admin Privileges,  BAD IDEA!!!!
        I have looked and looked in the security settings and group policies at Domain level and still have not found it.  Can anyone tell me where I can look to find the setting that prevents everyone but the Domain Administrator from doing updates?

Thanks
Pete Long

LOCAL administrators can do updates, not domain administrators - by all means make the techs local admins on the client PCs, then you don't need to make them domain admins at all

Add 2 Administrators

This tool will add the specified group into the local administrators group of each turned-on computer in your domain on the spot.

http://www.petri.co.il/software/a2a.zip

Ref and Usage
http://www.petri.co.il/a2a.htm

or

Add Domain Users to Local Admins

Create an AD security group called local admins (for Example) put your techs in it

Open a group policy

Navigate to

Computer Configuration > Windows Settings > Security Settings > Restricted Groups

Right click the right hand pane and select Add  - browse to the group you created.

Under "Members of this group", add the group you created earlier.
Under "This group is a member of", select Administrators.
>>not domain administrators

I didn't word that well, did I - you don't need to be a domain admin to do updates
AdamRobinson

That doesn't sound right.  I've installed patches from local administrator accounts before, though it's true that if you have your Group Policy overriding your Windows Update settings to use WSUS, then you have more of an issue.  

That said, what do you mean by "update fails"?  Is this occurring regularly?  Do you have your WSUS/GP set to automatically install updates without user intervention?  Do you have virus scanners running that may impede the install?  

msixpack (ASKER)

Thanks for the quick response, but I need to make this clear.

WSUS is not my issue.

My issue is that Local Admins cannot update operating system patches.  I want my Local Administrators to have the rights to do OS updates, but when they attempt to install any OS updates, the updates fail to install.

What OSes are you using? Can you run RSoP for the DomainAdmin and LocalAdmin against one of the machines and check for any differences?

Krompton
Krompton,
    Checked out RSoP in MMC and the credential Policies appear to be the same, and I saw no glaring difference that would cause this problem.
    The OSes that I am using are 2000 Workstation SP4, XP Professional SP2, 2000 Server SP4, and Server 2003.   The problem is across all OSes.
Off-hand I don't recall any setting that is specifically intended to prevent a Local Admin from running WU.

I have had success using the following when I have had Windows Updates fail because the security settings for wuauserv on the computers got fouled up. But I cannot say that this will fix your situation.

You may want to check them just in case. Perhaps the previous admins did not want anyone with local admin rights to install any updates without approval. That would have some merit depending on whom you've given local admin rights to. Anyway the security settings for wuauserv should be --- D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU). Run "sc sdshow wuauserv" in a command prompt on one of the machines to check the current settings. If they differ, save the current settings by writing them down, then run the command "sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)" to reset them. Try running updates again with a local admin.
If the settings got messed up they may not always display as being different, so I would run sc sdset anyway to reset them.

Krompton
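Comparing `sc sdshow` output against the descriptor above by eye is error-prone, so here is an added helper (not from the post, not a Microsoft tool) that decodes each ACE of a service DACL into named service rights and reports exactly how a machine's wuauserv descriptor deviates from the expected one. The right-code and trustee mappings are the documented SDDL ones for service objects; anything unknown is passed through as its raw code.

```python
import re

# SDDL two-letter right codes as they map onto service objects (well-known mapping).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators",
            "AU": "Authenticated Users", "PU": "Power Users"}

# The wuauserv descriptor quoted in the post above.
EXPECTED_WUAUSERV_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;AU)"
                        "(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

def parse_dacl(sddl):
    """Map (ace_type, trustee) -> set of right names for the D: section of `sc sdshow` output."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl.strip())
    if not m:
        raise ValueError("no DACL (D:) section found")
    acl = {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, _flags, rights, _obj, _inh, sid = parts
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        acl[(ace_type, sid)] = {SERVICE_RIGHTS.get(c, c) for c in codes}
    return acl

def compare_to_expected(current, expected=EXPECTED_WUAUSERV_SD):
    """List deviations of `current` from `expected`; an empty list means identical rights."""
    cur, exp = parse_dacl(current), parse_dacl(expected)
    findings = []
    for ace_type, sid in sorted(set(cur) | set(exp)):
        who = TRUSTEES.get(sid, sid)
        c, e = cur.get((ace_type, sid), set()), exp.get((ace_type, sid), set())
        if not e:
            findings.append(f"unexpected {ace_type} ACE for {who}: {sorted(c)}")
        elif not c:
            findings.append(f"missing {ace_type} ACE for {who}")
        elif c != e:
            findings.append(f"{who}: lacks {sorted(e - c)}, extra {sorted(c - e)}")
    return findings
```

Paste the string printed by `sc sdshow wuauserv` into `compare_to_expected`; an empty result means the DACL already matches and `sc sdset` will change nothing.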
I do appreciate all the responses that I have received, and have verified the RSoP in MMC and everything seems to be okay.  But I still have this issue that is causing me great heartache.  
      Please, if you have any other suggestions, I would greatly appreciate it.  I still believe that this is a group policy that is either preventing updates by Local Administrators or possibly changing their permissions.  Any suggestions are welcomed.
Have you attempted my last post on any of the computers?
Also, does the update still fail if you download the update executable and run it locally?

Krompton
Krompton,
          Thanks for all your help, and when you mentioned running the update .exe locally, something dawned in my head.  When I went to look at a log that is created in the C:\WINDOWS folder on an update that I was attempting to do locally, I noticed a comment that said “Failed to Enable SE_BACKUP_PRIVILEGE”, and “Failed to Enable SE_SHUTDOWN_PRIVILEGE”.  
          So there must be a correlation between the two, and through days of research I was able to find KB888791 “The user rights that are required by Update.exe”.  
This was my problem.  There are six required Policy settings that must be set for a local administrator to perform Updates.  They are:

Backup files and directories
Restore files and directories
Manage auditing and security log
Take ownership of files or other objects
Shutdown the system
Debug programs

      Three of these settings were set at the Domain level allowing only Domain Administrators the rights to do them.  Once I set them to the values necessary to allow Administrators to do these policies, everything worked.
      Thank you for your time.
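To find which of the six rights a domain policy has taken away from the local Administrators group without clicking through RSoP, the following added script (mine, not from the thread or from Microsoft) parses the [Privilege Rights] section of a `secedit /export /cfg <file> /areas USER_RIGHTS` template and lists the required privileges that BUILTIN\Administrators (S-1-5-32-544) does not hold. The privilege constant names are the well-known ones behind the six display names above; the sample template, including the domain SID, is constructed.

```python
# Privilege constants behind the six user rights listed above (well-known names).
REQUIRED_PRIVILEGES = {
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeShutdownPrivilege": "Shut down the system",
    "SeDebugPrivilege": "Debug programs",
}
LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known BUILTIN\Administrators

def parse_privilege_rights(inf_text):
    """Return {privilege: set of SIDs} from [Privilege Rights] (values like '*S-1-5-32-544,*S-1-5-32-551')."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def privileges_missing_for(inf_text, sid=LOCAL_ADMINISTRATORS_SID):
    """Required privileges the SID does not hold (a privilege absent from the export is held by nobody)."""
    rights = parse_privilege_rights(inf_text)
    return sorted(p for p in REQUIRED_PRIVILEGES if sid not in rights.get(p, set()))

# Constructed sample export: three rights restricted to Domain Admins (RID 512 of a
# made-up domain SID), matching the asker's final diagnosis.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-512
SeTakeOwnershipPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-512
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-512
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for priv in privileges_missing_for(SAMPLE_EXPORT):
        print(f"Administrators lack '{REQUIRED_PRIVILEGES[priv]}' ({priv})")
```

A real export written by secedit is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.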
ASKER CERTIFIED SOLUTION
Krompton