Unable to remotely run WSUS Cleanup

  • Question

  • I created a service account for the sole purpose of running WSUS cleanup using the Invoke-WsusServerCleanup cmdlet. The account is executing a script on a utility server which then connects to each WSUS server. Here is what I have set:

    • The service account can log onto the utility server and WSUS servers only
    • The service account has "Log on as a batch job" privilege on the utility server.
    • The service account is a member of the "WSUS administrators" group on the WSUS servers.

    When I execute the script, it says it cannot run Invoke-WsusCleanup. Looking at the System log on the WSUS servers I see this:

    The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {2FE6F8A7-285C-45DF-A1E3-88AE03E3F4C8} and APPID {8F5D3447-9CCE-455C-BAEF-55D42420143B} to the user COM\ServiceAccount SID (S-1-5-21-3463006636-3956300600-3867713074-391511) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    If I place the service account in the local administrators group of the WSUS server(s), the script executes fine. Modifying the DCOM stuff looks a little messy, so I wanted to see if that was my only recourse if I want to keep the user out of the local administrators group.



    • Edited by BryanCP Monday, May 1, 2017 7:54 PM
    Monday, May 1, 2017 7:40 PM
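
    An added example, not part of the original post: a read-only PowerShell check of which accounts hold DCOM launch and activation rights for the APPID named in the event above, so the missing Local Activation right can be confirmed before deciding between a DCOM change and local administrator membership. It assumes an elevated session on the WSUS server; the function name `Get-DcomLaunchAcl` is hypothetical.

```powershell
# Added example (read-only): run elevated on the WSUS server.
$appId = '{8F5D3447-9CCE-455C-BAEF-55D42420143B}'   # APPID from the event text

# COM launch/activation access-mask bits (COM_RIGHTS_* constants)
$rights = [ordered]@{
    LocalLaunch      = 0x02
    RemoteLaunch     = 0x04
    LocalActivation  = 0x08
    RemoteActivation = 0x10
}

function Get-DcomLaunchAcl {
    param([string]$KeyPath, [string]$ValueName)
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { return }                      # key or value not present
    $bytes = [byte[]]$item.$ValueName               # REG_BINARY security descriptor
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }                # unresolvable SID: show it raw
        $held = $rights.Keys | Where-Object { $ace.AccessMask -band $rights[$_] }
        [pscustomobject]@{
            Source  = $ValueName
            Account = $name
            AceType = $ace.AceType
            Rights  = $held -join ', '
        }
    }
}

# Per-application list first, then the machine-wide default list and limits.
$sources = @(
    @{ Key = "HKLM:\SOFTWARE\Classes\AppID\$appId"; Value = 'LaunchPermission' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';        Value = 'DefaultLaunchPermission' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';        Value = 'MachineLaunchRestriction' }
)
foreach ($s in $sources) {
    $acl = Get-DcomLaunchAcl -KeyPath $s.Key -ValueName $s.Value
    if ($acl) { $acl | Format-Table -AutoSize }
    else      { '{0} : {1} is not set' -f $s.Key, $s.Value }
}
```

    When `LaunchPermission` is not set for the APPID, the machine default list is the one evaluated, which matches the "machine-default permission settings" wording in the event. `MachineLaunchRestriction` is a machine-wide limit checked in addition to whichever list applies.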

All replies

  • Hi BryanCP,

    Could the account connect to the WSUS server and use the WSUS GUI to run the Server Cleanup Wizard?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 2, 2017 8:59 AM
  • It fails in console as well with this error:

    The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

    System.ComponentModel.Win32Exception -- Access is denied


    Tuesday, May 2, 2017 3:53 PM
  • Hi BryanCP,

    Since the Server Cleanup Wizard will clean the WSUS content folder, please try adding the service account to the WSUS content folder with read & write permission, and check whether it works then.

    Best Regards,

    Anne


    Friday, May 5, 2017 5:26 AM
  • Unfortunately giving the service account full control NTFS permissions on the WSUS content folder did not work. I am still getting the same error.

    I think I am just going to make the account an admin on these servers, unfortunately.


    • Edited by BryanCP Monday, May 8, 2017 12:55 PM
    Monday, May 8, 2017 12:55 PM
  • Hi BryanCP,

    What about just using a common user account instead of a service account?

    Best Regards,

    Anne


    Wednesday, May 10, 2017 2:34 AM