Strange permission issue when installing WSUS on 2012 R2

  • Question

  • I added the WSUS role to a completely new 2012 R2 VM. All available updates installed before adding the role. I set it to store updates locally on E:\WSUS

    After the role has been added, Server Manager asks me to allow some "After Deployment Configuration tasks" to be done. I accept. However the action fails without any specific error. When I launch the WSUS Console it asks me for where to store updates. The value I added earlier is already entered (E:\WSUS). I hit OK but after a while it fails and references a log file, see further down below. 

    I try to reinstall the role but with the same problem.

    I also tried to use C:\WSUS as the location but with the same error.

    I have tried to add "Full access" for "Authenticated users" on the folder with no luck.

    Thank you,

    Jonas

    Log file: 

    ....

    2015-07-31 15:11:11  Value is C:\WSUS
    2015-07-31 15:11:11  Fetching group SIDs...
    2015-07-31 15:11:11  Fetching WsusAdministratorsSid from registry store
    2015-07-31 15:11:11  Value is S-1-5-21-2082564118-847745128-1538012364-1001
    2015-07-31 15:11:11  Fetching WsusReportersSid from registry store
    2015-07-31 15:11:11  Value is S-1-5-21-2082564118-847745128-1538012364-1002
    2015-07-31 15:11:11  Creating group principals...
    2015-07-31 15:11:11  Granting directory permissions...
    2015-07-31 15:11:11  Granting permissions on content directory...
    2015-07-31 15:11:11  Granting registry permissions...
    2015-07-31 15:11:11  System.Security.AccessControl.PrivilegeNotHeldException: Processen saknar privilegiet SeSecurityPrivilege som krävs för denna åtgärd.
       vid System.Security.AccessControl.Win32.GetSecurityInfo(ResourceType resourceType, String name, SafeHandle handle, AccessControlSections accessControlSections, RawSecurityDescriptor& resultSd)
       vid System.Security.AccessControl.NativeObjectSecurity.CreateInternal(ResourceType resourceType, Boolean isContainer, String name, SafeHandle handle, AccessControlSections includeSections, Boolean createByName, ExceptionFromErrorCode exceptionFromErrorCode, Object exceptionContext)
       vid System.Security.AccessControl.RegistrySecurity..ctor(SafeRegistryHandle hKey, String name, AccessControlSections includeSections)
       vid Microsoft.Win32.RegistryKey.GetAccessControl(AccessControlSections includeSections)
       vid Microsoft.UpdateServices.Administration.ConfigurePermissions.GrantRegistryPermissions(IdentityReference identity, RegistryRights registryRights)
       vid Microsoft.UpdateServices.Administration.ConfigurePermissions.GrantRegistryPermissions()
       vid Microsoft.UpdateServices.Administration.PostInstall.Run()
       vid Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)

    Friday, July 31, 2015 1:23 PM

All replies

  • Make sure you're not creating this directory; delete all copies of it and let the wizard create it automatically.

    Also ensure all services are part of the "Log on as a service" right in secpol.msc.

    • Marked as answer by Steven_Lee0510 Monday, August 10, 2015 9:01 AM
    • Unmarked as answer by Jonas Haglund Thursday, September 3, 2015 12:08 PM
    Friday, July 31, 2015 5:33 PM
  • Unfortunately that did not change anything. The folder is created and its two subfolders ("UpdateServicePackages" and "WsusContent") but the error message remains the same. 

    Thursday, September 3, 2015 12:10 PM
  • Still stuck at this. Any suggestions?
    Wednesday, September 9, 2015 8:32 AM
  • I was having this exact same issue re-installing WSUS on a computer that I was installing System Center 2012 R2 on. I had uninstalled the WSUS to re-install it for System Center to manage it. The SeSecurityPrivilege is associated to Local Policies, User Rights Assignment, Manage Auditing and Security Log. In some step of System Center installation, it was suggested that the least privilege account had to be in this group. So I put it in a GPO to put that least privilege account in there. When this propagated, it removes the local computer's built in group Administrators from that group. I removed the GPO entry, tried to gpupdate /force but that did not work. However, after rebooting the computer and then running the post installation command again it worked.

    I will have to research the GPO entry recommendation from System Center again to see why it is needed and if I do it local on computer (adding along with Administrators) or has to be on each computer and would be done via GPO. Then I want to make sure I include the builtin\administrators group also.

    Hope this helps.

    Mike

    Wednesday, September 9, 2015 4:00 PM
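
The check described in the post above, as an added example that is not part of the original thread: it lists which principals hold SeSecurityPrivilege ("Manage auditing and security log") on the server and warns if BUILTIN\Administrators is missing or if the current token lacks the privilege. The scratch file name is an assumption of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example: who holds SeSecurityPrivilege on this machine?
$AdminsSid = 'S-1-5-32-544'      # well-known SID of BUILTIN\Administrators
$Right     = 'SeSecurityPrivilege'
$cfg       = Join-Path $env:TEMP 'user-rights-export.inf'   # scratch file (example name)

# Export the user rights assignment from the local security database.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The [Privilege Rights] section holds lines such as:
#   SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
$line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

# Print each holder, resolving SIDs to account names where possible.
foreach ($h in $holders) {
    $name = $h
    if ($h -like 'S-1-*') {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier $h
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = '(unresolved SID)' }
    }
    '{0,-50} {1}' -f $h, $name
}

if ($holders -notcontains $AdminsSid) {
    Write-Warning "BUILTIN\Administrators is not assigned $Right; a policy may have replaced the default list."
}

# The privilege must also be present in the token of the process running the
# post-install step. whoami prints privilege names unlocalized.
if (-not ((whoami /priv) -match $Right)) {
    Write-Warning "The current token does not contain $Right (the prompt may not be elevated)."
}
```

Privileges are copied into a token at logon, so a corrected assignment only shows up in `whoami /priv` for a new logon session. `gpresult /h report.html` shows which GPO, if any, is setting this user right.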
  • Thanks for your input, but I am not sure I fully understand. Do you suggest I should manually add a user account to the "Manage auditing and security log"? In such case, which account do you suggest?

    Wednesday, September 16, 2015 11:14 AM
  • I now tried setting up a brand new server and did not do any customization at all except changing computer name, adding it to the domain and configuring IP address. After that I added the WSUS role using default values but the error still appears. Also applied all available updates but with no luck. Also I did point it to a folder that did not exist to have it create it for itself. This time, as opposed to the last try, not even the folder was created.
    Wednesday, September 16, 2015 11:17 AM