Solved

Privileges that allow Local Users to do Windows OS Updates

Posted on 2007-03-27
Last Modified: 2012-06-21
Once a computer is brought on to the domain, the Local Administrators cannot do any Windows OS Updates. Only a Domain Administrator can. All other updates can be performed by the Local Administrator and any applications can be loaded by Local Administrators. It’s just operating system updates that fail to load.
I was hired a year ago and am trying to get a handle on the way things work in my school district. One of my pains is Domain Administrator Rights. Before I got here every tech had Domain Admin rights. I have been attempting to scale down their privileges; however, my only stumbling block is Updates.
To attempt to get around this I installed WSUS to do automatic updates, but when an update fails my techs must go to the computer and do the updates locally. Then I have to give them Domain Admin Privileges, BAD IDEA!!!!
I have looked and looked in the security settings and group policies at Domain level and still have not found it. Can anyone tell me where I can look to find the setting that prevents everyone but the Domain Administrator from doing updates?

Thanks
Question by:msixpack
11 Comments
LVL 57

Expert Comment

by:Pete Long
ID: 18800708
LOCAL administrators can do updates, not domain administrators - by all means make the techs local admins on the client PCs, then you don't need to make them domain admins at all

Add 2 Administrators

This tool will add the specified group into the local administrators group of each turned-on computer in your domain on the spot.

http://www.petri.co.il/software/a2a.zip

Ref and Usage
http://www.petri.co.il/a2a.htm

or

Add Domain Users to Local Admins

Create an AD security group called local admins (for Example) put your techs in it

Open a group policy

Navigate to

Computer Configuration > Windows Settings > Security Settings > Restricted Groups

Right-click the right hand pane and select Add - browse to the group you created.

In "Members of this group", add the group you created earlier.
In "This group is a member of", select Administrators.
LVL 57

Expert Comment

by:Pete Long
ID: 18800718
>>not domain administrators

I didn't word that well, did I - you don't need to be a domain admin to do updates
LVL 16

Expert Comment

by:AdamRobinson
ID: 18800759
That doesn't sound right.  I've installed patches from local administrator accounts before, though it's true that if you have your Group Policy overriding your Windows Update settings to use WSUS, then you have more of an issue.  

That said, what do you mean by "update fails"?  Is this occurring regularly?  Do you have your WSUS/GP set to automatically install updates without user intervention?  Do you have virus scanners running that may impede the install?  


Author Comment

by:msixpack
ID: 18800907
Thanks for the quick response, but I need to make this clear.

WSUS is not my issue.

My issue is that Local Admins cannot update operating system patches.  I want my Local Administrators to have the rights to do OS updates, but when they attempt to install any OS updates, the updates fail to install.
LVL 9

Expert Comment

by:Krompton
ID: 18802140
What OSes are you using? Can you run RSoP for the DomainAdmin and LocalAdmin against one of the machines and check for any differences?

Krompton

Author Comment

by:msixpack
ID: 18802924
Krompton,
Checked out RSoP in MMC and the credential policies appear to be the same, and I saw no glaring difference that would cause this problem.
The OSes that I am using are 2000 Workstation SP4, XP Professional SP2, 2000 Server SP4, and Server 2003. The problem is across all OSes.
LVL 9

Expert Comment

by:Krompton
ID: 18807404
Off-hand I don't recall any setting that is specifically intended to prevent a Local Admin from running WU.

I have had success using the following when I have had Windows Updates fail because the security settings for wuauserv on the computers got fouled up. But I cannot say that this will fix your situation.

You may want to check them just in case. Perhaps the previous admins did not want anyone with local admin rights to install any updates without approval. That would have some merit depending on whom you've given local admin rights to. Anyway, the security settings for wuauserv should be: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU). Run "sc sdshow wuauserv" in a command prompt on one of the machines to check the current settings. If they differ, save the current settings by writing them down, then run the command "sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)" to reset them. Try running updates again with a local admin.
If the settings got messed up they may not always display as being different, so I would run sc sdset anyway to reset them.

Krompton
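An added example (not from this thread or from Krompton): rather than eyeballing the `sc sdshow` output against the expected SDDL, this compares the two ACE by ACE on the local machine and reports only the entries whose access mask differs. It assumes an elevated PowerShell prompt and only reads; the `sc sdset` reset line is printed for you to run after you have saved the current value.

```powershell
# Added example: diff the live wuauserv service DACL against the SDDL quoted above.
# Assumes an elevated prompt. Read-only: the reset command is printed, not executed.
$Expected = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'

# 'sc sdshow' prints a blank line followed by the SDDL; keep only the D: line.
$Actual = & sc.exe sdshow wuauserv | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
if (-not $Actual) { throw 'sc sdshow returned no SDDL; run this from an elevated prompt.' }
$Actual = $Actual.Trim()

function Get-AceTable([string]$Sddl) {
    # RawSecurityDescriptor parses a DACL-only SDDL string (no O:/G: part required).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $table = @{}
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Key on ACE type plus SID so allow and deny entries for one principal stay distinct.
        $key = '{0}:{1}' -f $ace.AceType, $ace.SecurityIdentifier.Value
        $table[$key] = $ace.AccessMask
    }
    return $table
}

function Resolve-Sid([string]$Sid) {
    # Translate well-known SIDs (SY, BA, AU, PU) to names for a readable report.
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

$want = Get-AceTable $Expected
$have = Get-AceTable $Actual
$drift = $false
foreach ($key in (@($want.Keys) + @($have.Keys) | Sort-Object -Unique)) {
    $w = [int]$want[$key]; $h = [int]$have[$key]   # a missing entry counts as mask 0
    if ($w -ne $h) {
        $drift = $true
        $type, $sid = $key.Split(':')
        'DIFF {0,-13} {1,-35} expected 0x{2:X8} actual 0x{3:X8}' -f $type, (Resolve-Sid $sid), $w, $h
    }
}
if ($drift) {
    'DACL differs. Save the current value, then reset with: sc.exe sdset wuauserv "{0}"' -f $Expected
} else {
    'wuauserv DACL matches the expected SDDL.'
}
```

Because the comparison is per principal, an extra deny ACE or a stripped right for Authenticated Users shows up as its own line instead of hiding inside one long string.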

Author Comment

by:msixpack
ID: 18918806
I do appreciate all the responses that I have received, and have verified the RSoP in MMC and everything seems to be okay. But I still have this issue that is causing me great heartache.
Please, if you have any other suggestions, I would greatly appreciate it. I still believe that this is a group policy that is either preventing updates by Local Administrators or possibly changing their permissions. Any suggestions are welcome.
LVL 9

Expert Comment

by:Krompton
ID: 18918886
Have you attempted my last post on any of the computers?
Also, does the update still fail if you download the update executable and run it locally?

Krompton

Author Comment

by:msixpack
ID: 18977364
Krompton,
Thanks for all your help, and when you mentioned running the update .exe locally, something dawned on me. When I went to look at a log that is created in the C:\WINDOWS folder for an update that I was attempting to do locally, I noticed a comment that said “Failed to Enable SE_BACKUP_PRIVILEGE”, and “Failed to Enable SE_SHUTDOWN_PRIVILEGE”.
So there must be a correlation between the two, and through days of research I was able to find KB888791 “The user rights that are required by Update.exe”.
This was my problem. There are six required Policy settings that must be set for a local administrator to perform Updates. They are:

Backup files and directories
Restore files and directories
Manage auditing and security log
Take ownership of files or other objects
Shutdown the system
Debug programs

Three of these settings were set at the Domain level, allowing only Domain Administrators the rights to do them. Once I set them to the values necessary to allow Administrators to use these policies, everything worked.
Thank you for your time.
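An added example (not from this thread or from KB888791) to check the six user rights listed above on a machine: it exports the effective local security policy with `secedit`, parses the `[Privilege Rights]` section, and reports whether BUILTIN\Administrators (S-1-5-32-544) still holds each right after domain policy has applied. It assumes an elevated prompt; the privilege constant names are the standard Windows ones for the six policies named in the post.

```powershell
# Added example: verify the six user rights Update.exe needs are held by local Administrators.
# Assumes an elevated prompt, since secedit /export needs admin rights. Read-only.
$Required = [ordered]@{
    SeBackupPrivilege        = 'Backup files and directories'
    SeRestorePrivilege       = 'Restore files and directories'
    SeSecurityPrivilege      = 'Manage auditing and security log'
    SeTakeOwnershipPrivilege = 'Take ownership of files or other objects'
    SeShutdownPrivilege      = 'Shut down the system'
    SeDebugPrivilege         = 'Debug programs'
}
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators, the same SID on every machine

# secedit writes the effective policy (local settings merged with applied GPOs) as an INF file.
$cfg = Join-Path $env:TEMP 'rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    # Lines look like:  SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Sid([string]$Sid) {
    # Show names so a domain-only group (the symptom in this thread) is obvious in the report.
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

foreach ($priv in $Required.Keys) {
    # A right nobody holds has no line at all in the export, so treat it as an empty list.
    $holders = @($rights[$priv] | Where-Object { $_ })
    $status = if ($holders -contains $AdminsSid) { 'OK     ' } else { 'MISSING' }
    $names = ($holders | ForEach-Object { Resolve-Sid $_ }) -join ', '
    '{0} {1,-25} {2,-42} {3}' -f $status, $priv, $Required[$priv], $names
}
```

A right that reports MISSING while listing only a domain group is the case described in the post: the domain-level policy has replaced, rather than added to, the default holders of that right.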
LVL 9

Accepted Solution

by:Krompton (earned 500 total points)
ID: 18980506
I’m glad you got it cleared up and you are welcome for any small amount of help I may have provided.

To be honest I didn’t really think of the privileges angle. I figured the previous domain admins wanted to retain control over what updates got installed. Thanks for posting back what you found. I’m sure others will find it helpful as well.

Cheers,
Krompton
