Domain Controller patches update error by normal user
-
Monday, August 20, 2012 9:46 AM
Hi,
I have a problem with my domain controller. All servers are working fine with the WSUS and GPO I applied. Once WSUS finds the patches from Microsoft, it downloads and deploys them to the servers, including the DC, which will wait for the local IT to click install. The problem is it's not working with the domain controller.
The local IT has no authorization to configure the DC (they are in Local\Administrator, but the DC has no local user database), but they can remote to the server and do some tasks, e.g. create users and groups within the appropriate OUs that we desire.
I believe it's fine because in the GPO there is a policy setting called "Allow non-administrators to receive update notifications". This problem only started happening when we upgraded the DC from 2003 to 2008R2; that means it was working well on 2003.
Does anyone know how to fix the problem?
Thank you,
Satit Tang,
All Replies
-
Tuesday, August 21, 2012 2:15 AM Moderator
Hi,
The policy setting "Allow non-administrators to receive update notifications" generally only has relevance to Windows XP systems, where non-admin users do not get such notifications, or to Win2003-based Terminal Servers, where TS users would typically not have admin privileges. On Vista and later systems, all users get notifications by default.
And, code 800702E4 usually indicates that your current user privileges are insufficient to install it. Since it is a DC, please log on with domain admin rights to see whether the installation is OK.
regards,
Clarence
- Marked As Answer by Clarence Zhang (Moderator), Tuesday, August 28, 2012 5:17 AM
-
Tuesday, August 21, 2012 4:34 AM
Hi Clarence,
Thank you for the reply. I have tested and it's working with domain admin.
However, in my system the local ITs (in other countries) will not be able to configure the server, so I don't give them domain admin, which was working well when my system was still in a Windows 2003 environment.
I don't know what changed in Windows 2008R2, but is it possible to make 2008R2 updated by local IT with no domain admin right?
Thanks again,
Regards, Satit Tang,
-
Tuesday, August 21, 2012 1:19 PM Moderator
Is it possible to make 2008R2 updated by local IT with no domain admin right?
Yes. Go to Control Panel | Windows Update, select "Change settings", and enable the option "Allow all users to install updates on this computer" in the "Who can install updates" section.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Product Manager, SolarWinds
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
- Marked As Answer by Clarence Zhang (Moderator), Tuesday, August 28, 2012 5:17 AM
-
Wednesday, August 22, 2012 1:10 AM
Hi Lawrence,
Thank you Lawrence for the reply,
I'm not sure what GPO makes the check box you mentioned checked and greyed out already. I believe that the GPO "Allow non-administrators to receive update notifications" is the one that makes the box checked. Unfortunately, it's not working even when checked.
How can I investigate this problem further?
Regards,
Regards, Satit Tang,
-
Wednesday, August 22, 2012 4:21 PM Moderator
I'm not sure what's the GPO that make the check box you mentioned checked and grey out already.
There is no GPO. That is the default installation configuration on Windows Server systems.
I believe that the GPO "Allow non-administrators to receive update notifications" is the one that make the box checked.
It is not. "Allow non-admins..." as already pointed out, is only relevant to Windows XP systems in order to give NON-admin users the ability to install updates on WinXP systems.
Unfortunately, It's not working even checked.
Were you able to check the box? Is any other functionality in the Windows Update applet available to the currently logged on user?
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Product Manager, SolarWinds
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Wednesday, August 22, 2012 11:39 PM
Hi,
I don't know where exactly I will need to check on WSUS or GPO, but as you can see in my capture above, there are only those policies that I apply to the computer. Also, the user I'm using is in builtin\server operator already.
Could you please be more specific about where I should go to check?
Thank you,
Regards, Satit Tang,
-
Thursday, August 23, 2012 10:14 PM Moderator
as you can see in my capture above. There are only those policies that i apply to the computer.
However, those are not the only policies that impact the behavior of the Windows Update applet.
From the WSUS Deployment Guide: Configure Automatic Updates Using Group Policy
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Product Manager, SolarWinds
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
- Marked As Answer by Clarence Zhang (Moderator), Tuesday, August 28, 2012 5:17 AM
-
Wednesday, August 29, 2012 4:18 AM
Hi,
I read that article before I posted this question here. However, the policy that I deploy to all member servers is working fine except on the domain controller. I think there is something more that may need to be done to allow a normal user to update the domain controller.
Do you have any other suggestions to check or configure?
Regards,
Regards, Satit Tang,
-
Thursday, August 30, 2012 12:27 AM Moderator
the policy that i deploy to all member servers are working fine except the domain controller.
Did you link a GPO to the Domain Controllers OU?
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Product Manager, SolarWinds
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Thursday, August 30, 2012 1:56 AM
Hi,
I have linked the GPO to the OU that all servers (member servers and domain controllers) belong to, but not in the default "Domain Controllers" OU, as per our AD design.
Also, the GPO has been applied to the member server and domain controller.
Regards, Satit Tang,
-
Friday, August 31, 2012 12:38 AM Moderator
I have linked the GPO to the OU that all servers(member servers and domain controllers) belonging to but not in the default "Domain Controllers" OU as our design of AD.
Typically Domain Controllers are left in the Domain Controllers OU because there is a Domain Controllers *GPO* that has settings specific to Domain Controllers impacting their security. Now that's even assuming that Domain Controllers can be removed from the Domain Controllers OU.... frankly, I've never tried.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Product Manager, SolarWinds
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
-
Thursday, October 04, 2012 2:23 AM
Just want to get back to let anyone who may have the same problem know that the problem has been resolved by lowering the UAC.
Regards, Satit Tang,

