Allow non-administrator to receive update notifications?

Guest

I'm the only user of this computer and I use a limited account most of the
time. I have automatic update set to automatic and I'm thinking of configuring
it using gpedit.msc to allow non-administrators to receive update
notifications, because I can't see the yellow shield icon in the system tray
when I log in with the limited account, and I would also like to see what the
available updates are.

Are there any risks in making these changes?
 
Steven L Umbach

You can try it but only when automatic updates are enabled can the updates
be automatically installed without administrator intervention. You can
periodically logon as administrator and go to the Windows Update site to see
if you are current with critical security updates or use the free Microsoft
Baseline Security Analyzer tool which is what I would use. -- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
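
Added example (not part of the original thread): a read-only PowerShell check of the registry values behind the two settings discussed above, the "Allow non-administrators to receive update notifications" policy and the Automatic Updates mode. The value names are the documented Windows Update policy values; the helper name Get-PolicyValue is made up for this example.

```powershell
# Read-only audit: reports the policy values, changes nothing on the machine.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Hypothetical helper: returns $null when the key or value is absent,
# which is what a "Not Configured" policy looks like in the registry.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# Meaning of the AUOptions policy value.
$auModes = @{
    2 = 'notify before download'
    3 = 'download automatically, notify before install'
    4 = 'download automatically, install on schedule'
    5 = 'local administrator chooses the mode'
}

$elevate = Get-PolicyValue $wuKey 'ElevateNonAdmins'
$noAuto  = Get-PolicyValue $auKey 'NoAutoUpdate'
$mode    = Get-PolicyValue $auKey 'AUOptions'

if ($null -eq $elevate) {
    'ElevateNonAdmins: not set by policy'
} elseif ($elevate -eq 1) {
    'ElevateNonAdmins: 1, members of Users receive update notifications'
} else {
    "ElevateNonAdmins: $elevate, only administrators receive update notifications"
}

if ($noAuto -eq 1) {
    'NoAutoUpdate: 1, Automatic Updates is turned off by policy'
} elseif ($null -eq $mode) {
    'AUOptions: not set by policy, the Control Panel setting applies'
} elseif ($auModes.ContainsKey([int]$mode)) {
    "AUOptions: $mode, $($auModes[[int]$mode])"
} else {
    "AUOptions: $mode, unrecognised value"
}

# Mode 4 is the case described in the thread: updates install on schedule
# without an administrator having to log on.
if ($noAuto -ne 1 -and $mode -eq 4) {
    'Updates install on schedule without administrator intervention'
}
```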
 
DRG Networks

Steven said:
You can try it but only when automatic updates are enabled can the updates
be automatically installed without administrator intervention. You can
periodically logon as administrator and go to the Windows Update site to see
if you are current with critical security updates or use the free Microsoft
Baseline Security Analyzer tool which is what I would use. -- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA

Steve, are you aware of, or do you have any links to, sites/blogs where they
explain or post hacks/configs/tweaks on how to successfully run Windows
Update without having to log in as a full administrator?

I have been trying to complete a Windows update from the Microsoft
Windows Update site by running an IE session in runas with local
administrator credentials. Logically, this should work, but it fails.
The updates do download, but they fail to install. The only way around
it is to actually log in as the full administrator and run IE to update
the OS.
--
 
Steven L Umbach

If you are not using automatic updates then you need to logon as an
administrator to install the updates. Runas may not work because of the
complexity involved with the installation of security updates. I don't see a
problem logging on as an administrator for the sole purpose of checking for
and installing security updates but when done it is a good idea to logoff as
administrator to do regular internet activity. The main risk with being on
the internet as an administrator is when opening email, using chat programs,
and browsing websites that may contain malicious code.

Steve
 
DRG Networks

Steven said:
If you are not using automatic updates then you need to logon as an
administrator to install the updates. Runas may not work because of the
complexity involved with the installation of security updates. I don't see a
problem logging on as an administrator for the sole purpose of checking for
and installing security updates but when done it is a good idea to logoff as
administrator to do regular internet activity. The main risk with being on
the internet as an administrator is when opening email, using chat programs,
and browsing websites that may contain malicious code.

Steve

Thanks Steve. What I am trying to do is make the machine behave more
like a *nix machine (Red Hat or SUSE desktops with GUI) when it comes to
updating and patching.

In deploying this in a non-AD managed environment (they are very small
environments and do not justify implementing AD or WUS/SUS), I am trying
to make the users stay logged in as users all the time and creating
runas shortcuts to perform admin tasks from within the logged in regular
user session. The admin credentials are buried in the shortcuts so
they don't have to type anything in, and this helps discourage them
from knowing or finding out the credentials.

Once I start telling them the administrator account credentials and
advise them to log in as that once in a while, they will just start
getting into the habit of logging in as an administrator all the time.

I have collected various tips and advice from different MS experts sites
and blogs and seem to have a system setup where one is almost all of the
time using the desktop as a regular user.

What I am really fishing for here is... I have managed to get around
various application program issues that crept up when trying to run them
as a regular user by tweaking registry ACLs.

Are there any tips/advice/ways to tweak the registry ACLs to make
Windows Update work in IE?
 
Steven L Umbach

Well I would strongly consider selecting "automatic" for security updates in
System properties/automatic updates. That way no administrator intervention
is needed and it will help make sure that the computers are kept current
with critical security updates. But to answer your direct question I don't
know of a way to do what you want but I suggest you read the Microsoft white
paper in the link below about Applying the Principle of Least Privilege to
User Accounts on Windows XP. In particular you may be interested in the
section on MakeMeAdmin that can bypass some runas limitations though I have
never tried it myself.

Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
--- Applying the Principle of Least Privilege to User Accounts on Windows
XP
 
DRG Networks

Steven said:
Well I would strongly consider selecting "automatic" for security updates in
System properties/automatic updates. That way no administrator intervention
is needed and it will help make sure that the computers are kept current
with critical security updates. But to answer your direct question I don't
know of a way to do what you want but I suggest you read the Microsoft white
paper in the link below about Applying the Principle of Least Privilege to
User Accounts on Windows XP. In particular you may be interested in the
section on MakeMeAdmin that can bypass some runas limitations though I have
never tried it myself.

Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
--- Applying the Principle of Least Privilege to User Accounts on Windows
XP

Thanks for your help Steve. I was not aware of the white paper and will
read it though. We'll wait until Vista release -- MS should have it
implemented in that I think.

regards,
 