I have a large AD Domain made up (mostly) of Windows based Workstations and laptops. The OS's are a mix of Win XP and Win 7 professional editionss. We manage our windows updates via GPO's - see attached .jpg for example of settings.
My issue is this: WSUS works fine but I don't seem to be able to restrict users from manually accessing Windows automatic updates. One of the issues, that I cannot change, is that all staff users (we're a school district) are local Admins on the workstations, so the setting "Allow non-administrators to receive update notifications" doesn't apply. Is there a way that I can restrict a person's access to manually run Automatic Updates, say for example based on AD group membership, regardless of their status as a local admin?