AD GPO & Windows Update

[Kerplunk]

Our AD has been set up some time and although the Admin Template for Windows
Update is installed and configured (Auto Update computers (option 4) at
13:00) none of the computers seem to update. I've read somewhere that the
logged on user should be a member of the Administrators Group but surely
this cannot be right ? How do I configure AD/GPO to automatically Update
Windows without giving everyone Admin rights?

Thanks in Advance.

KErplunk

 

[Herb Martin]

Our AD has been set up some time and although the Admin Template for Windows
Update is installed and configured (Auto Update computers (option 4) at
13:00) none of the computers seem to update. I've read somewhere that the
logged on user should be a member of the Administrators Group but surely
this cannot be right ?

No, that is not right -- part of the BENEFIT of the Automatic Updates
(versus Windows Update) is that an admin is NOT required since it
runs under the computer account.

First step would be to run GPResult and/or RSoP (in Win2003) and
make sure that the GPO is really applied.

How do I configure AD/GPO to automatically Update
Windows without giving everyone Admin rights?

Also, for Win2000 machines you must install the AU Client but
with current service packs that was done long ago.

Along with GPO applied, make sure the computers are properly
authenticated AND that DNS is fully functional since they must
find the servers.

How about firewall checks?

How about setting it to reboot (in AU settings that is)? Since
the updates may be installed but not yet applied.

 

[Kerplunk]

Herb,

Thanks for the guidance. Still have the same problem. SUS is installed on
one of the Central Services Servers and GPO has been set up to point at this
machine. Updates still do not happen and when we try and run Updates from a
client machine using a users logon we still get a 'no permissions' error.
We've obviously set something in AD at some time but we're at a loss to see
what. We've evne checked back through the AD Change Control Process and
nothing for Security seems to have been changed which could cause the
problems. Have you got any other ideas ?

REgards in advance

Kerplunk

Our AD has been set up some time and although the Admin Template for Windows
Update is installed and configured (Auto Update computers (option 4) at
13:00) none of the computers seem to update. I've read somewhere that
the
logged on user should be a member of the Administrators Group but surely
this cannot be right ?

No, that is not right -- part of the BENEFIT of the Automatic Updates
(versus Windows Update) is that an admin is NOT required since it
runs under the computer account.

First step would be to run GPResult and/or RSoP (in Win2003) and
make sure that the GPO is really applied.

How do I configure AD/GPO to automatically Update
Windows without giving everyone Admin rights?

Also, for Win2000 machines you must install the AU Client but
with current service packs that was done long ago.

Along with GPO applied, make sure the computers are properly
authenticated AND that DNS is fully functional since they must
find the servers.

How about firewall checks?

How about setting it to reboot (in AU settings that is)? Since
the updates may be installed but not yet applied.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Thanks in Advance.

KErplunk

 

[Herb Martin]

Herb,

Thanks for the guidance. Still have the same problem. SUS is installed on
one of the Central Services Servers and GPO has been set up to point at this
machine.

Have you proven that GPO is applied (GPResult etc.)?

Updates still do not happen and when we try and run Updates from a
client machine using a users logon we still get a 'no permissions' error.

Where do you see this error? What precisely does it say?

Consider turning on Object Auditing on the SUS server and setting
the SUS tree to inclue something like Everyone-READ auditing.

Please understand that with Automatic Updates it is the COMPUTER
account being checked for permissions on the net.

We've obviously set something in AD at some time but we're at a loss to see
what. We've evne checked back through the AD Change Control Process and
nothing for Security seems to have been changed which could cause the
problems. Have you got any other ideas ?

Isolate what the error really means (see above) and then either fix it
or seek more help here.

Post precise error locations and exact text of any messages (helps
in searching MS or Internet.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

REgards in advance

Kerplunk

Our AD has been set up some time and although the Admin Template for Windows
Update is installed and configured (Auto Update computers (option 4) at
13:00) none of the computers seem to update. I've read somewhere that
the
logged on user should be a member of the Administrators Group but surely
this cannot be right ?

No, that is not right -- part of the BENEFIT of the Automatic Updates
(versus Windows Update) is that an admin is NOT required since it
runs under the computer account.

First step would be to run GPResult and/or RSoP (in Win2003) and
make sure that the GPO is really applied.

How do I configure AD/GPO to automatically Update
Windows without giving everyone Admin rights?

Also, for Win2000 machines you must install the AU Client but
with current service packs that was done long ago.

Along with GPO applied, make sure the computers are properly
authenticated AND that DNS is fully functional since they must
find the servers.

How about firewall checks?

How about setting it to reboot (in AU settings that is)? Since
the updates may be installed but not yet applied.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Thanks in Advance.

KErplunk