Windows Update Error 0x8007F004 (Insufficient Privilege)



When I tried to install Microsoft's latest patches (MS04-029 through
MS04-038) via Windows Update the process failed. I looked in C:\WINNT\Windows
Update.log and found the relevent entry, which listed error 0x8007F004 and
referred me to "...iuhist.xml for details...". However, iuhist.xml didn't
tell me much more -- just that it had actually failed while trying to install
the cummulative ie patch from MS04-038.

So, I tried downloading the patches manually and applying them, but got the
error "You do not have permission to update Windows 2000. Please contact your
system administrator." However, I am currently logged into Windows 2000 as a
user who is in the Administrators group.

Does anybody have any idea why I would get this kind of error? or what I can
do to try and install these patches? I already tried reinstalling IESP1
(which worked fine), deleting the Windows Update/WUTemp folders and visiting
Windows Update again. Nothing seems to be helping and I am at a loss.



I have the same problem. I try with the real administrator but i have de
same problem.


Go in propiety o f folder WINNT, and chek if u have in Security Layer
Administrator and Administrators with full controll (together). if u havent...
add and will function.



The answers people are giving just sound so generic and
uneducated. I am having the exact same problem and it is
not a permissions issue. There is something going on with
Microsoft's update engine and they will probably have it
resolved within the next few days.

-----Original Message-----
Go in propiety o f folder WINNT, and chek if u have in Security Layer
Administrator and Administrators with full controll (together). if u havent...
add and will function.


Zeveck <[email protected]> wrote in
message (e-mail address removed)>...


this issue is related to a local/group policy
somewhere... I'm having the same issue but havent been
able to resolve.



I have the same problem. I have 2 win2000 domain
controllers and one dc windows update was OK, but the
other didn't Ok ("You do not have permission to update
Windows 2000. Please contact your system administrator.").


Does any body have any updates in this regard? Is the fix
of the Microsoft's update engine in place yet?


Keith Langmead

I'm getting the same problem with some of our servers. They used to work
fine until a few months ago when the problem first occurred.

I don't think it's a permissions problem, since so far I've tried installing
it as the local administrator, the domain administrator, my own domain
administrator user, and the backup user (also a domain user, and is the
username which is logged in as on the backup server, which is one of the
ones which works correctly), all to no avail. I've also tried running
NTFileMon while running the installation (running it manually after
downloading one of the patches), and it doesn't come up with any permissions
errors, so it certainly doesn't seem to be a file system permissions error.

Does anyone have any other ideas of what to try to resolve this? Someone
mentioned that this might be a bug with windows / the patches, does anyone
know if this is true or if there is a likely fix coming out any time soon?




this issue comes from Default Policy. If you have changed default policy
or you have implemented 2003 Controller in your 2k AD. The way to check,
navigate to local policy on affected computer user rights assignment, you
will see that you your affective policy is the default policy that comes
from DOMAIN and you are not able to modify it. (LSDO) local, site, domain,
Jan 16, 2008
Reaction score
For all you people out there still having this problem (like I did recently), here's the fix!
Just put this in a BAT file:

@echo off
echo Privilege fix by Vincent Koeman (RKTOOLS.EXE needs to be installed)
echo See: (First link)
ntrights.exe -u "%USERNAME%" +r SeAssignPrimaryTokenPrivilege
ntrights.exe -u "%USERNAME%" +r SeAuditPrivilege
ntrights.exe -u "%USERNAME%" +r SeBackupPrivilege
ntrights.exe -u "%USERNAME%" +r SeBatchLogonRight
ntrights.exe -u "%USERNAME%" +r SeChangeNotifyPrivilege
ntrights.exe -u "%USERNAME%" +r SeCreateGlobalPrivilege
ntrights.exe -u "%USERNAME%" +r SeCreatePagefilePrivilege
ntrights.exe -u "%USERNAME%" +r SeCreatePermanentPrivilege
ntrights.exe -u "%USERNAME%" +r SeCreateTokenPrivilege
ntrights.exe -u "%USERNAME%" +r SeDebugPrivilege
ntrights.exe -u "%USERNAME%" +r SeEnableDelegationPrivilege
ntrights.exe -u "%USERNAME%" +r SeImpersonatePrivilege
ntrights.exe -u "%USERNAME%" +r SeIncreaseBasePriorityPrivilege
ntrights.exe -u "%USERNAME%" +r SeIncreaseQuotaPrivilege
ntrights.exe -u "%USERNAME%" +r SeInteractiveLogonRight
ntrights.exe -u "%USERNAME%" +r SeLoadDriverPrivilege
ntrights.exe -u "%USERNAME%" +r SeLockMemoryPrivilege
ntrights.exe -u "%USERNAME%" +r SeMachineAccountPrivilege
ntrights.exe -u "%USERNAME%" +r SeNetworkLogonRight
ntrights.exe -u "%USERNAME%" +r SeProfileSingleProcessPrivilege
ntrights.exe -u "%USERNAME%" +r SeRemoteShutdownPrivilege
ntrights.exe -u "%USERNAME%" +r SeRestorePrivilege
ntrights.exe -u "%USERNAME%" +r SeSecurityPrivilege
ntrights.exe -u "%USERNAME%" +r SeServiceLogonRight
ntrights.exe -u "%USERNAME%" +r SeShutdownPrivilege
ntrights.exe -u "%USERNAME%" +r SeSyncAgentPrivilege
ntrights.exe -u "%USERNAME%" +r SeSystemEnvironmentPrivilege
ntrights.exe -u "%USERNAME%" +r SeSystemProfilePrivilege
ntrights.exe -u "%USERNAME%" +r SeSystemtimePrivilege
ntrights.exe -u "%USERNAME%" +r SeTakeOwnershipPrivilege
ntrights.exe -u "%USERNAME%" +r SeTcbPrivilege
echo Privileges fixed!

Good luck ;)

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question