none
How to allow users group to update system/software?

    Question

  • Dears~

    I have an Active Directory test lab.

    I login a computer with an account who in the Domain Users group.
    Then, I am trying to update my WINXP, but It asked me to have a administrator permission.

    In normally condition, It should not to update system with administrator permission in every compter right?
    So, I have to get a solution for this, update by Domain Users group permission.

    Please tell me how to do it, thank you.
    • Edited by kevinbolton Saturday, October 17, 2009 11:11 AM My bad english grammar.
    Saturday, October 17, 2009 10:21 AM

Answers

  • Reading your post I'm guessing you are trying to run Windows Update and it needs administrative privileges. This is the way it normally works. However, your mentions you are running Active Directory so you can setup Automatic updates using Group Policies.
    When Automatic update is set the computer will update itself at the time set, default is 3:00am I think. If the computer is turned of at that time it will update when it comes online.
    If you don't want every update to automatically go to every computer you can set up Windows Server Update Services (WSUS) on one of your Windows Servers. It will then act as a local Microsoft Update service. In WSUS you as an administrator can aprove tested updates so you know they work before you publish them to your clients.
    Pointing your client computers to the local WSUS is also done using Group Policies.

    You don't mention what systems you are running but the settings are done with the Group Policy Management Console. If you don't have it installed on your domain controller you can download it from http://www.microsoft.com/DownLoads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
    If you need help using GPMC let us know and we'll try to help you further.

    • Marked as answer by kevinbolton Wednesday, November 04, 2009 2:51 PM
    Sunday, October 18, 2009 5:54 PM
  • Hi,

     

    Without administrator right, Windows Automatic Updates can still install updates automatically by setting the policy [Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates] to "Auto download and schedule the install". Then, the update will be downloaded and installed automatically via the SYSTEM account at the scheduled time.

     

    Meanwhile, an alternative method is to deploy updates via Windows Server Update Services(WSUS). Using this method, we still do not need to give users administrator rights. Please refer to the following pages:

     

    Windows Server Update Services

    http://technet.microsoft.com/en-us/wsus/default.aspx

     

    Configure Automatic Updates by Using Group Policy

    http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx

     

    The difference between using or not using WSUS server is whether you want to control which updates are installed on clients. If you do not use WSUS, clients will install all updates that are pushed by Microsoft Update.

     

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu Monday, October 26, 2009 3:20 AM
    Tuesday, October 20, 2009 5:56 AM
  • Yes. When Automatic Update is set to, well Automatic it uses the system account to install the updates. So the user does not need Administrative privileges.
    To do this you don't need an local WSUS nor do you need Active directory, you can set it locally on every computer. But since you have Active Directory in use I suggest you use Group policies to set this. Just download the Group policy management console and since it's a lab environment you can edit the default group policy to se how it works.
    In computer you can set the automatic update to be automatic.
    If you need any further help don't hesitate to write.
    • Marked as answer by kevinbolton Wednesday, November 04, 2009 2:50 PM
    Tuesday, October 20, 2009 9:47 AM

All replies

  • I cannot understand the question pefectly. Do you mean to say how to deploy the software for the users using Ad ?? If yes please see this

    http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

    http://technet.microsoft.com/en-us/library/cc739305(WS.10).aspx


    http://technetfaqs.wordpress.com
    Saturday, October 17, 2009 10:51 AM
  •   To install a program on a workstation you need local administrator privilege. Normally only a Domain Admin account would have that. I would not give Domain Users local administrator privilege.

      Note that we are talking about privileges on the workstation, not on the domain.


    Bill
    Sunday, October 18, 2009 2:00 AM
  • Reading your post I'm guessing you are trying to run Windows Update and it needs administrative privileges. This is the way it normally works. However, your mentions you are running Active Directory so you can setup Automatic updates using Group Policies.
    When Automatic update is set the computer will update itself at the time set, default is 3:00am I think. If the computer is turned of at that time it will update when it comes online.
    If you don't want every update to automatically go to every computer you can set up Windows Server Update Services (WSUS) on one of your Windows Servers. It will then act as a local Microsoft Update service. In WSUS you as an administrator can aprove tested updates so you know they work before you publish them to your clients.
    Pointing your client computers to the local WSUS is also done using Group Policies.

    You don't mention what systems you are running but the settings are done with the Group Policy Management Console. If you don't have it installed on your domain controller you can download it from http://www.microsoft.com/DownLoads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
    If you need help using GPMC let us know and we'll try to help you further.

    • Marked as answer by kevinbolton Wednesday, November 04, 2009 2:51 PM
    Sunday, October 18, 2009 5:54 PM
  • Hi ,



    In normally condition, It should not to update system with administrator permission in every compter right?


    I would like to understand the architecture of your domain , i accept Bill suggestion , in order to install program on a workstation / application on a workstation you would require local administrator priviliges set ( workgroup and not domain) . If these clients are in domain then it depends how you have structured the group policy and the user permissions.


    sainath !analyze
    Monday, October 19, 2009 2:25 AM
    Moderator
  • Hello,

    by default domain users are not able to install updates or software on domain conputers. This requires local administrative permissions which they don't have.
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, October 19, 2009 12:18 PM
  • Reading your post I'm guessing you are trying to run Windows Update and it needs administrative privileges. This is the way it normally works. However, your mentions you are running Active Directory so you can setup Automatic updates using Group Policies.
    When Automatic update is set the computer will update itself at the time set, default is 3:00am I think. If the computer is turned of at that time it will update when it comes online.

    Hi Mats~

    Do you mean if I setup Automatic update using Group Policies, Microsoft Update can be performed not matter user have administrator right or not, right?
    Tuesday, October 20, 2009 3:42 AM
  • I would like to understand the architecture of your domain , i accept Bill suggestion
    Hi Sainath,

    My domain architecture is simply, A new Windows server 2003 with AD, And I create a Domain user.
    After this , Windows XP join to domain and login by Domain user.
    No more setting. ^_^
    Tuesday, October 20, 2009 3:56 AM
  •   To install a program on a workstation you need local administrator privilege. Normally only a Domain Admin account would have that. I would not give Domain Users local administrator privilege.

      Note that we are talking about privileges on the workstation, not on the domain.


    Bill
    Hi Bill

    Got it~
    For security issue, I don't want give user rights to install software, change setting, be infected by malware...
    But any software update is necessary.

    How to do it? Is it possable?
    Tuesday, October 20, 2009 4:06 AM
  • Hi,

     

    Without administrator right, Windows Automatic Updates can still install updates automatically by setting the policy [Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates] to "Auto download and schedule the install". Then, the update will be downloaded and installed automatically via the SYSTEM account at the scheduled time.

     

    Meanwhile, an alternative method is to deploy updates via Windows Server Update Services(WSUS). Using this method, we still do not need to give users administrator rights. Please refer to the following pages:

     

    Windows Server Update Services

    http://technet.microsoft.com/en-us/wsus/default.aspx

     

    Configure Automatic Updates by Using Group Policy

    http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx

     

    The difference between using or not using WSUS server is whether you want to control which updates are installed on clients. If you do not use WSUS, clients will install all updates that are pushed by Microsoft Update.

     

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu Monday, October 26, 2009 3:20 AM
    Tuesday, October 20, 2009 5:56 AM
  • Yes. When Automatic Update is set to, well Automatic it uses the system account to install the updates. So the user does not need Administrative privileges.
    To do this you don't need an local WSUS nor do you need Active directory, you can set it locally on every computer. But since you have Active Directory in use I suggest you use Group policies to set this. Just download the Group policy management console and since it's a lab environment you can edit the default group policy to se how it works.
    In computer you can set the automatic update to be automatic.
    If you need any further help don't hesitate to write.
    • Marked as answer by kevinbolton Wednesday, November 04, 2009 2:50 PM
    Tuesday, October 20, 2009 9:47 AM
  • Hi,

     

    Without administrator right, Windows Automatic Updates can still install updates automatically by setting the policy [Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates] to "Auto download and schedule the install". Then, the update will be downloaded and installed automatically via the SYSTEM account at the scheduled time.

     

    Meanwhile, an alternative method is to deploy updates via Windows Server Update Services(WSUS). Using this method, we still do not need to give users administrator rights. Please refer to the following pages:

     

    Windows Server Update Services

    http://technet.microsoft.com/en-us/wsus/default.aspx

     

    Configure Automatic Updates by Using Group Policy

    http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx

     

    The difference between using or not using WSUS server is whether you want to control which updates are installed on clients. If you do not use WSUS, clients will install all updates that are pushed by Microsoft Update.

     

    Regards,

    Bruce


    Thanks guys~
    I got it. ^_^
    Wednesday, November 04, 2009 2:52 PM
  • Hi,

     

    Glad to hear the information we provided was useful. If you have more questions in the future, you’re welcomed to this forum.

     

    Regards,

    Bruce

    Thursday, November 05, 2009 6:22 AM