Solved

Privileges that allow Local Users to do Windows OS Updates

Posted on 2007-03-27
Last Modified: 2012-06-21
Once a computer is brought on to the domain, the Local Administrators cannot do any Windows OS Updates.  Only a Domain Administrator can.  All other updates can be performed by the Local Administrator and any applications can be loaded by Local Administrators.  It's just operating system updates that fail to load.
I was hired a year ago and am trying to get a handle on the way things work in my school district.  One of my pains is Domain Administrator Rights.  Before I got here every tech had Domain Admin rights.  I have been attempting to scale down their privileges; however, my only stumbling block is Updates.
To attempt to get around this I installed WSUS to do automatic updates, but when an update fails my techs must go to the computer and do the updates locally.  Then I have to give them Domain Admin Privileges,  BAD IDEA!!!!
I have looked and looked in the security settings and group policies at Domain level and still have not found it.  Can anyone tell me where I can look to find the setting that prevents everyone but the Domain Administrator from doing updates?

Thanks
Question by:msixpack
11 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 18800708
LOCAL administrators can do updates, not domain administrators - by all means make the techs local admins on the client PCs, then you don't need to make them domain admins at all

Add 2 Administrators

This tool will add the specified group into the local administrators group of each turned-on computer in your domain on the spot.

http://www.petri.co.il/software/a2a.zip

Ref and Usage
http://www.petri.co.il/a2a.htm

or

Add Domain Users to Local Admins

Create an AD security group called local admins (for Example) put your techs in it

Open a group policy

Navigate to

Computer Configuration > Windows Settings > Security Settings > Restricted Groups

Right click the right hand pane and select Add - browse to the group you created.

In "Members of this group", add the group you created earlier.
In "This group is a member of", select Administrators.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 18800718
>>not domain administrators

I didn't word that well, did I? You don't need to be a domain admin to do updates.
0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 18800759
That doesn't sound right.  I've installed patches from local administrator accounts before, though it's true that if you have your Group Policy overriding your Windows Update settings to use WSUS, then you have more of an issue.  

That said, what do you mean by "update fails"?  Is this occurring regularly?  Do you have your WSUS/GP set to automatically install updates without user intervention?  Do you have virus scanners running that may impede the install?  

0
 

Author Comment

by:msixpack
ID: 18800907
Thanks for the quick response, but I need to make this clear.

WSUS is not my issue.

My issue is that Local Admins cannot update operating system patches.  I want my Local Administrators to have the rights to do OS updates, but when they attempt to install any OS updates, the updates fail to install.
0
 
LVL 9

Expert Comment

by:Krompton
ID: 18802140
What OSes are you using? Can you run RSoP for the DomainAdmin and LocalAdmin against one of the machines and check for any differences?

Krompton
0
 

Author Comment

by:msixpack
ID: 18802924
Krompton,
Checked out RSoP in MMC and the credential policies appear to be the same, and I saw no glaring difference that would cause this problem.
The OSes that I am using are 2000 Workstation SP4, XP Professional SP2, 2000 Server SP4, and Server 2003.   The problem is across all OSes.
0
 
LVL 9

Expert Comment

by:Krompton
ID: 18807404
Off-hand I don't recall any setting that is specifically intended to prevent a Local Admin from running WU.

I have had success using the following when I have had Windows Updates fail because the security settings for wuauserv on the computers got fouled up. But I cannot say that this will fix your situation.

You may want to check them just in case. Perhaps the previous admins did not want anyone with local admin rights to install any updates without approval. That would have some merit depending on whom you've given local admin rights to. Anyway, the security settings for wuauserv should be --- D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU). Run "sc sdshow wuauserv" in a command prompt on one of the machines to check the current settings. If they differ, save the current settings by writing them down, then run the command "sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)" to reset them. Try running updates again with a local admin.
If the settings got messed up they may not always display as being different, so I would run sc sdset anyway to reset them.

Krompton
0
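As an added example (not code from the thread or from any participant), a small Python parser for the wuauserv service descriptor quoted above: it splits the SDDL DACL into per-trustee rights and reports how a machine's `sc sdshow wuauserv` output differs from the default, so a tech can see exactly which ACE was altered before running `sc sdset`. The "fouled up" descriptor used in the check is constructed.

```python
import re

# Service-specific and generic SDDL right codes (standard Windows abbreviations).
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations that appear in the default descriptor.
TRUSTEES = {"SY": "SYSTEM", "BA": "BUILTIN\\Administrators",
            "AU": "Authenticated Users", "PU": "Power Users"}

# Default wuauserv DACL exactly as quoted in the thread above.
EXPECTED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);([^)]+)\)")

def parse_dacl(sddl):
    """Return {trustee: set(right codes)} for the access-allowed ACEs of a D: string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL (D:) string")
    acl = {}
    for ace_type, _flags, rights, _objt, _inh, sid in ACE_RE.findall(sddl[2:]):
        if ace_type != "A":  # skip deny ACEs and any SACL (S:) audit ACEs
            continue
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        unknown = tokens - set(RIGHTS)
        if unknown:
            raise ValueError("unknown right(s) %s" % sorted(unknown))
        acl[TRUSTEES.get(sid, sid)] = tokens
    return acl

def diff_dacl(current, expected=EXPECTED):
    """List (trustee, missing rights, extra rights) for each trustee that differs."""
    cur, exp = parse_dacl(current), parse_dacl(expected)
    out = []
    for who in sorted(set(cur) | set(exp)):
        missing = sorted(exp.get(who, set()) - cur.get(who, set()))
        extra = sorted(cur.get(who, set()) - exp.get(who, set()))
        if missing or extra:
            out.append((who, missing, extra))
    return out

# Constructed example of a damaged descriptor: Administrators lost DC/SD/WD/WO
# and the Power Users ACE is gone entirely.
BROKEN = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
          "(A;;CCLCSWLOCRRC;;;AU)")
```

Paste the string printed by `sc sdshow wuauserv` into `diff_dacl()`; an empty list means the DACL already matches the default and the service permissions are not the cause.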
 

Author Comment

by:msixpack
ID: 18918806
I do appreciate all the responses that I have received, and have verified the RSoP in MMC and everything seems to be okay.  But I still have this issue that is causing me great heartache.
Please, if you have any other suggestions, I would greatly appreciate it.  I still believe that this is a group policy that is either preventing updates by Local Administrators or possibly changing their permissions.  Any suggestions are welcomed.
0
 
LVL 9

Expert Comment

by:Krompton
ID: 18918886
Have you attempted my last post on any of the computers?
Also, does the update still fail if you download the update executable and run it locally?

Krompton
0
 

Author Comment

by:msixpack
ID: 18977364
Krompton,
Thanks for all your help, and when you mentioned running the update .exe locally, something dawned in my head.  When I went to look at a log that is created in the C:\WINDOWS folder for an update that I was attempting to do locally, I noticed a comment that said "Failed to Enable SE_BACKUP_PRIVILEGE", and "Failed to Enable SE_SHUTDOWN_PRIVILEGE".
So there must be a correlation between the two, and through days of research I was able to find KB888791 "The user rights that are required by Update.exe".
This was my problem.  There are six required Policy settings that must be set for a local administrator to perform Updates.  They are:

Backup files and directories
Restore files and directories
Manage auditing and security log
Take ownership of files or other objects
Shutdown the system
Debug programs

Three of these settings were set at the Domain level allowing only Domain Administrators the rights to do them.  Once I set them to the values necessary to allow Administrators to do these policies, everything worked.
Thank you for your time.
0
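An added example, not the author's or Microsoft's code: a Python check of a `secedit /export /cfg <file>` export for the six KB888791 user rights listed above, reporting which ones no longer grant the local Administrators group (S-1-5-32-544), which is the situation the author found with three of them. The inf excerpt is constructed and the domain SID in it is a placeholder.

```python
import configparser  # secedit's export is INI-style

# The six user rights KB888791 lists for Update.exe, keyed by the privilege
# constant used in the secedit export (the update log names the same ones
# in C-style form, e.g. SE_BACKUP_PRIVILEGE -> SeBackupPrivilege).
REQUIRED = {
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeShutdownPrivilege": "Shut down the system",
    "SeDebugPrivilege": "Debug programs",
}
ADMINS = "*S-1-5-32-544"  # well-known SID of the local Administrators group

# Constructed excerpt of a secedit export (the real file is UTF-16 on disk;
# decode it before parsing). *S-1-5-21-0-0-0-512 is a placeholder domain
# group SID, not one from the thread; three rights grant only that group.
SAMPLE_INF = """
[Privilege Rights]
SeBackupPrivilege = *S-1-5-21-0-0-0-512
SeRestorePrivilege = *S-1-5-21-0-0-0-512
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-21-0-0-0-512
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544
"""

def privilege_holders(inf_text):
    """Parse [Privilege Rights] into {privilege: set of SIDs/names granted it}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep privilege names case-sensitive
    cp.read_string(inf_text)
    if "Privilege Rights" not in cp:
        raise ValueError("no [Privilege Rights] section in export")
    return {priv: {s.strip() for s in val.split(",") if s.strip()}
            for priv, val in cp["Privilege Rights"].items()}

def missing_update_rights(inf_text, group_sid=ADMINS):
    """Return the KB888791 policy names that do not grant group_sid.

    A privilege absent from the export is treated as granted to nobody."""
    holders = privilege_holders(inf_text)
    return [name for priv, name in REQUIRED.items()
            if group_sid not in holders.get(priv, set())]
```

Run it against an export taken on an affected workstation; the names it returns are the policies under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment that a domain GPO is overriding.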
 
LVL 9

Accepted Solution

by: Krompton (earned 1500 total points)
ID: 18980506
I’m glad you got it cleared up and you are welcome for any small amount of help I may have provided.

To be honest I didn’t really think of the privileges angle. I figured the previous domain admins wanted to retain control over what updates got installed. Thanks for posting back what you found. I’m sure others will find it helpful as well.

Cheers,
Krompton
0
