Possible security issue??

Guest

I have a client situation where no one seems to be able to install Windows
updates on their PCs that are joined to the domain. They can download them
just fine but they fail during install. The only way to install them is to
log in using the administrator account to the domain.
One user even has domain admin rights but he's still unable to install the
updates. I thought it might be a policy issue and others are saying internal
DNS. I have searched and searched but I'm unable to find anything to go with
that will resolve this issue.
At first I thought it might have been an issue with a user's machine but when
I tried to run system restore under his credentials (local admin, domain
admin) I got a message that he didn't have the appropriate rights to perform
this action. I could only run it from the administrators (domain) account.

The PDC is a 2000 server.

Thank you in advance for any help.

Jeremy Johnston
 
Steven L Umbach

Does it work when the user's domain account is added to the local
administrators group? It should, though I would not consider that an ideal
solution. You can configure updates to be downloaded/installed automatically
so that the user does not need to be a local administrator. --- Steve
 
Steven L Umbach

Does it work when the built-in local administrator account is used which is
NOT a domain account? Are there any errors/warnings in the logs that you can
view via Event Viewer that may indicate a problem with the domain such as
userenv errors? Does running the support tool netdiag on the domain
controller and client computer pass with flying colors showing no major
errors or warnings? Did you verify that the client computer is using ONLY
domain controllers as their preferred/alternate DNS servers in tcp/ip
properties as shown by ipconfig /all and that the domain controller can be
pinged by name and IP address from the client computer? What error messages
do the users get if any? -- Steve
 
Guest

Steven,

I'm pretty sure I've checked most of what you're asking but it's been a
week and I see many clients. However, I have been scheduled to continue
working on this issue tomorrow and I will run through your notes and post my
findings sometime tomorrow around noon EST.

Thanks for your help. It's greatly appreciated.

Jeremy Johnston
 
Guest

Steven,

It does not work with the local admin account and I'm not seeing any errors
related to updates in the logs. I ran netdiag on the DC's and everything
passed and looked correct. DNS is set up and clients are pulling the proper
addresses for resolution.

Here is what I've done so far. I joined my personal laptop to the domain
and attempted to install one update. The update downloaded but failed during
install even though I was able to run updates before joining the domain. I
went to check the event logs and tried to click on the security log and
received the following: Unable to complete the operation on "Security". A
required privilege is not held by the client.

I may not be the man at this stuff yet but I've been swearing that this is
a policy issue being pushed to each user. GPs are still on my to-do list for
training but I feel I'm close to a solution. Any thoughts?

Jeremy
 
Guest

This is the only error I get in the system log and I did some research on
this before I posted here. I didn't find anything helpful on the net.
Event Type: Error
Event Source: Windows Update Agent
Event Category: Installation
Event ID: 20
Date: 5/3/2006
Time: 11:56:13 AM
User: N/A
Computer: JEREMYLT
Description:
Installation Failure: Windows failed to install the following update with
error 0x8007f004: Windows Genuine Advantage Validation Tool (KB892130).
 
Steven L Umbach

It does sound like it is a Group Policy setting that applies to the computer
and not user since user configuration would not apply to the built-in
administrator account. If there are any XP Pro computers in the domain that
you can access, run rsop.msc on them and look for any settings for Windows
Updates that may be causing the problem. The settings most likely would be
under computer configuration/administrative templates/windows
components/windows update. Rsop.msc will also show what GPO is applying a
particular setting and be sure to read the full explanation of any settings
that are configured.

If you find a GP setting that may be the issue you would need to move the
computer into a container/OU that does not have the GPO applied to it or
exempt the computer from GPO by filtering permissions for the GPO. If the
setting is configured at the domain level then you could not simply move the
computer into another OU as it would just inherit the GPO settings unless
the OU had a GPO linked to it with those same settings configured. If a GPO
is suspect you could also try to temporarily disable the GPO [NOT delete or
remove link], run gpupdate on the domain controller [or use secedit for
Windows 2000 domain controller], and then reboot the client computer to see
if that fixes the problem or not. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176 --- HOW TO:
Administer GPO Properties in Windows 2000 when not using GPMC
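
The check described in the post above (finding computer-level Windows Update policy and the GPO that applies it) can also be run from a PowerShell prompt. This is an added example, not part of the original thread; it assumes a client with PowerShell available, and the function name Get-WindowsUpdatePolicy is hypothetical.

```powershell
# Added example (not from the thread): list the computer-level Windows Update
# policy values that Group Policy has written to the registry on this machine.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Meanings of the values most relevant to who may install updates.
$notes = @{
    'NoAutoUpdate'            = '1 = Automatic Updates disabled'
    'AUOptions'               = '2 = notify, 3 = download and notify, 4 = scheduled install'
    'AutoInstallMinorUpdates' = '1 = "Allow Automatic Updates immediate installation" enabled'
    'ElevateNonAdmins'        = '1 = non-administrators may approve or decline updates'
    'WUServer'                = 'intranet update service (WSUS) URL'
}

# Hypothetical helper: returns one object per policy value found.
function Get-WindowsUpdatePolicy {
    foreach ($key in @($root, "$root\AU")) {
        if (-not (Test-Path -Path $key)) {
            # A missing key means no Windows Update policy is applied at this level.
            [pscustomobject]@{ Key = $key; Name = '(key absent)'; Value = $null; Note = 'no policy configured here' }
            continue
        }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key
                Name  = $name
                Value = $item.GetValue($name)
                Note  = $notes[$name]   # empty for values not listed above
            }
        }
    }
}

Get-WindowsUpdatePolicy | Format-Table -AutoSize -Wrap

# Resultant Set of Policy for the computer scope; the verbose output names
# the GPOs applied to the computer and the settings they carry.
gpresult /scope computer /v
```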
 
Steven L Umbach

The link below is about all I found on that error.

http://www.eventid.net/display.asp?eventid=20&eventno=1797&source=Automatic Updates&phase=1

I suppose that Group Policy could also be applying some file system [NTFS]
or registry permissions changes that may be interfering. Rsop.msc on an XP
Pro computer would probably show such. If that is the case then if you
unjoin your computer from the domain, reboot, and try to install the same
update it would fail again as file system/registry permissions changes are
not rolled back when a computer is removed from the influence of that Group
Policy setting. Using the free tools regmon/filemon from Sysinternals can
also track down when a user is being denied access to a file/registry key.

http://www.sysinternals.com/Utilities/Filemon.html --- filemon and link to
SysInternals.

I would also enable auditing of privilege use for failure on a computer
having the problem in Local Security Policy and then look to see if any
failures are recorded for privilege use when an update installation fails.
Privileges are user rights that are controlled via security/group policy
either locally or at the domain level and in this case it would be at the
domain/OU level. --- Steve
 
Guest

Steven,

Sorry for taking so long on my reply but last week was quite busy for me.
While I was waiting for you to get back with me I decided to re-apply the
default group policy settings since this client is small and I didn't see any
major settings already in place. Once I did that and enabled Allow Automatic
Updates immediate installation, rebooted my PC, I was able to install
updates with no issues. After having my clients log off then back on, they
were able to install their auto updates as well. I may not have been able to
officially troubleshoot the issue but this will suffice. :)

Also, as you recommended, I removed my laptop from their domain and was
able to install updates right away so I know it wasn't a file system/registry
permission policy. Thanks again for all your help. You guys are a great
asset!

Regards,
Jeremy Johnston

Steven L Umbach

Glad you got it sorted out and thanks for reporting back what worked! Fixing
the problem without knowing the exact original cause still is a good
thing. --- Steve


No it does not. Not even if the user is a Domain Admin *shrug*

Steven L Umbach said:
Does it work when the user's domain account is added to the local
administrators group? It should, though I would not consider that an ideal
solution. You can configure updates to be downloaded/installed automatically
so that the user does not need to be a local administrator. --- Steve

