WSUS: do you have to have admin rights on the PC to install updates?

We installed a WSUS server and were pushing out critical updates to automatically install as listed in our group policy set. We just started approving security updates and others and noticed if the user (non-admin) was logged on it was not asking for the updates, but if you logged in with an admin user it was notifying you of the updates to be installed. Do you have to have admin rights to install these updates via WSUS? We do not want to give users admin rights, so is there a way around this?
Asked by mslibrarycommission

Don (Network Administrator) commented:
And real good explanations of the settings here


http://community.spiceworks.com/how_to/show/1390

Don (Network Administrator) commented:
Enable the setting "Allow non-admins to receive update notifications"

newmath commented:
WSUS does not require your users to have local administrative rights. You probably have an issue with your GPO deployment for WSUS. Follow this guide carefully and you should be set: http://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx

mslibrarycommission (Author) commented:
Where is that setting?

Don (Network Administrator) commented:
The Group Policy above does exactly what you want: allow non-admins to both see the yellow shield and to install updates without giving them admin rights.

Don (Network Administrator) commented:
To allow non-administrators to receive update notifications

    In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

    In the details pane, click Allow non-administrators to receive update notifications, and set the option.

    Click OK.


http://technet.microsoft.com/en-us/library/cc720539%28WS.10%29.aspx

mslibrarycommission (Author) commented:
The group policy setting is to automatically download and install, but it is not for non-admins, nor do I see a setting to let non-admins install updates.

Don (Network Administrator) commented:
The setting is "Allow non-administrators to receive update notifications"

which allows non-admins the right to install

Don (Network Administrator) commented:
as in image
34922.jpg

Don (Network Administrator) commented:
Except in your case select "Enabled"

mslibrarycommission (Author) commented:
OK, I see that, but it says it's just for notification and not actually for install, which the GPO is set for auto download and install. This setting gives the right to install?

Don (Network Administrator) commented:
If they don't have a notification (yellow shield) then how can they install?? :)

Have you read

Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy

http://technet.microsoft.com/en-us/library/cc512630.aspx

mslibrarycommission (Author) commented:
My GPO settings are:
4 = Automatically download updates and install them on the schedule specified below
at 10pm every night.

which I thought you do not need a notification if it is set like this.  I will try this setting tomorrow and see if it works. Thanks!

Don (Network Administrator) commented:
"which I thought you do not need a notification if it is set like this."

You don't, but if you want your users to be able to install (say, when updates didn't get installed at the scheduled time... because a user didn't log off or the system was off) then this setting becomes useful.

You never want to rely on your users to install their updates, but it does help the process along the way.

mslibrarycommission (Author) commented:
This was in the notes on http://community.spiceworks.com/how_to/show/1390 about the non-admins to receive notifications. I also don't want non-admins controlling reboots of any updated computers. I just want the updates to download and install by themselves with NO intervention.


When enabled, this will allow non-admins to:
* Receive update notifications
* Have the ability to defer reboots (‘Restart later’)
* De-select updates to install (if using option 2,3, or 5 under the ‘Configure Automatic Updates’ setting) updates, thus making them ‘hidden’.

Keep this in mind when applying updates to Terminal/Citrix Servers.

We have our setting disabled for all workstations, as we don’t want non-admins controlling reboots of any updated computers.

Don (Network Administrator) commented:
Your question

"We just started approving security updates and others and noticed if the user (non-admin) was logged on it was not asking for the updates, but if you logged in with an admin user it was notifying you of the updates to be installed. Do you have to have admin rights to install these updates via WSUS? We do not want to give users admin rights, so is there a way around this?"

Yes, he was referring to Terminal/Citrix Servers, which would affect more than one user at a time if rebooted. The allow admin setting is only a preference (when it comes to workstations). I like to have it enabled so that if I happen to walk by... I don't need to log a user off to install a simple update.

Scheduling the updates (4) is your best option and will achieve minimalist user interaction...

yo_bee (Director of Information Technology) commented:
I know there are many replies and very good suggestions. So I am just going to add some points that I think will help also.
The reason you use WSUS and GPO is for the overall management of your update environment.
So you want to limit what the standard users see as much as possible.
So by suppressing the notification and setting a scheduled day and time for the install to happen automatically from GPO.  Note you do not need a WSUS in your environment to apply the WUS GPO.  The nice thing about WSUS is a single point of download, controlling what is offered to the clients and the overall reporting to see the status of your environment.

I have attached my GPO for the Standard computer in my environment.
   WUAU-Workstations.htm

yo_bee (Director of Information Technology) commented:
Please note the User Setting I have applied also.
This setting will restrict the users from trying to download the Updates from Microsoft Update site.

mslibrarycommission (Author) commented:
Ok, it just started working??? I did not need to change anything. I'm going to give the points to dstewartjr for his determination!!:)
Question has a verified solution.
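
A way to check on a client which of the settings discussed in this thread are actually in effect, as an added example that is not from any participant: the script reads the registry values these policies write (`WUServer`, `UseWUServer`, `NoAutoUpdate`, `AUOptions`, `ScheduledInstallDay`, `ScheduledInstallTime`, `ElevateNonAdmins`) and explains them. The sample hashtable and its server URL are constructed.

```powershell
# Added example (not from the thread): inspect the Windows Update policy a GPO wrote.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicy {
    # Merge the values under WindowsUpdate and WindowsUpdate\AU into one hashtable.
    $policy = @{}
    foreach ($path in $WuKey, "$WuKey\AU") {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $policy[$_.Name] = $_.Value }
        }
    }
    $policy
}

function Test-WuPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $notes = @()
    if ($Policy['UseWUServer'] -ne 1 -or -not $Policy['WUServer']) {
        $notes += 'WARN: client is not pointed at a WSUS server (GPO not applied?)'
    }
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $notes += 'WARN: Automatic Updates is disabled'
    }
    if ($Policy['AUOptions'] -eq 4) {
        $day  = $Policy['ScheduledInstallDay']     # 0 = every day, 1-7 = Sunday-Saturday
        $hour = $Policy['ScheduledInstallTime']    # 0-23, local time
        $notes += "OK: scheduled install, day code $day at ${hour}:00; no user action needed"
    } else {
        $notes += "WARN: AUOptions = $($Policy['AUOptions']); installs wait for a user (2, 3) or a local admin choice (5)"
    }
    if ($Policy['ElevateNonAdmins'] -eq 1) {
        $notes += 'INFO: non-admins receive update notifications and can defer restarts'
    } else {
        $notes += 'OK: ElevateNonAdmins is not 1; only administrators receive update notifications'
    }
    $notes
}

# Constructed sample matching the thread: option 4, every day at 10pm, setting left disabled.
$sample = @{ WUServer = 'http://wsus.example.local'; UseWUServer = 1; NoAutoUpdate = 0
             AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 22; ElevateNonAdmins = 0 }
Test-WuPolicy -Policy $sample
# On a client, run instead:  Test-WuPolicy -Policy (Get-WuPolicy)
```

If `Get-WuPolicy` returns an empty table on a domain-joined client, the GPO has not applied to that machine, which is the deployment problem newmath's reply points to.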