Installing updates under restricted user account

In order to install updates in my win2k environment, I have to log
workstations out of the user's restricted user account, log in as
administrator, install, and have the user log back in. Is there a way to
allow Windows Updates to be installed under non-administrative user accounts?
can this be automated without third-party tools?

I appreciate the help,
AF

In the services applet on the local machines, if you set the "logon as" to
administrator in the Automatic Updates service, I would think it would use
this account to download and install updates. That is if Automatic Updates is
set to do these tasks automatically and without user interaction.

"AF" wrote:

> In order to install updates in my win2k environment, I have to log
> workstations out of the user's restricted user account, log in as
> administrator, install, and have the user log back in. Is there a way to
> allow Windows Updates to be installed under non-administrative user accounts?
> can this be automated without third-party tools?
>
> I appreciate the help,
> AF

Good idea, but it doesnt seem to work - even after configuring admin rights
for the Automatic Update Service, the icon prompting the user to install the
updates (in the lower-right) does not appear llike it does when loggind in as
administrator. I cant set the updates to automatically install because this
might cause unstoppable reboots at bad times for users.

thx,
AF

"Crack" wrote:

> In the services applet on the local machines, if you set the "logon as" to
> administrator in the Automatic Updates service, I would think it would use
> this account to download and install updates. That is if Automatic Updates is
> set to do these tasks automatically and without user interaction.
>
> "AF" wrote:
>
> > In order to install updates in my win2k environment, I have to log
> > workstations out of the user's restricted user account, log in as
> > administrator, install, and have the user log back in. Is there a way to
> > allow Windows Updates to be installed under non-administrative user accounts?
> > can this be automated without third-party tools?
> >
> > I appreciate the help,
> > AF

AF wrote:

> In order to install updates in my win2k environment, I have to log
> workstations out of the user's restricted user account, log in as
> administrator, install, and have the user log back in. Is there a way to
> allow Windows Updates to be installed under non-administrative user accounts?
> can this be automated without third-party tools?
>
> I appreciate the help,
> AF

See if this works (at least it works when using a WSUS server for
updating):

Be sure to have the latest Windows Update Agent installed, run
WindowsUpdateAgent20-x86.exe (use a user account that have local
admin rights).

Download location for WindowsUpdateAgent20-x86.exe
http://go.microsoft.com/fwlink/?LinkId=43264


Then put the following text in a registry file (.reg) and import it
by double-clicking on it in Explorer.

--------------------8<----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate]
"ElevateNonAdmins"=dword:00000001

--------------------8<----------------------
(be sure to have a blank line at the end of the registry file)

Then reboot.

This will enable the policy "Allow non-administrators to receive
update notifications".

With ElevateNonAdmins set to 1 a non-admin is allowed to select
"Restart Later", and also to use the AU icon in the system tray to
start installations before scheduled installation time (good), as
well as un-select updates that is scheduled to be installed on the
computer (not so good maybe, but see further down for a possible
counter-measure).

With ElevateNonAdmins enabled, the end user experience of Automatic
Updates is completely the same all the way for both admins
and non-admins (at least when using a WSUS server).


If you are afraid that some users will hide some updates, here is a
counter-measure you can use if the computers are in an Active
Directory domain.

Use a script that unhides all hidden updates every time the computer
starts up.

You could put the vbscript below in a computer startup script (with a
GPO) that runs as part of the boot up process (before the user logs
in). It runs under the system context and has admin rights.


'--------------------8<----------------------

On Error Resume Next
Dim oSearcher, oSearchResult, i, oUpdate

Set oSearcher = CreateObject("Microsoft.Update.Searcher")

' use locally cached information
oSearcher.Online = False

' find updates that are hidden
Set oSearchResult = oSearcher.Search("IsHidden=1")

If Err.Number = 0 Then
If oSearchResult.Updates.Count > 0 Then
For i = 0 to oSearchResult.Updates.Count - 1
Set oUpdate = oSearchResult.Updates(i)
' unhide the update
oUpdate.IsHidden = False
Next
End If
End If

'--------------------8<----------------------




--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx

I did what you suggested and still cannot receive update notifications for
users (even if the user belongs to the local Administrators group).
Only Administrator user receives notifications.

Here are my policies:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate]
"ElevateNonAdmins"=dword:00000001
"TargetGroup"="WSUS"
"TargetGroupEnabled"=dword:00000001
"WUServer"="http://wsussrv"
"WUStatusServer"="http://wsusrv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\AU]
"AUOptions"=dword:00000003
"AutoInstallMinorUpdates"=dword:00000000
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001


--

ArthurB


"Torgeir Bakken (MVP)" wrote:

> AF wrote:
>
> > In order to install updates in my win2k environment, I have to log
> > workstations out of the user's restricted user account, log in as
> > administrator, install, and have the user log back in. Is there a way to
> > allow Windows Updates to be installed under non-administrative user accounts?
> > can this be automated without third-party tools?
> >
> > I appreciate the help,
> > AF
>
> See if this works (at least it works when using a WSUS server for
> updating):
>
> Be sure to have the latest Windows Update Agent installed, run
> WindowsUpdateAgent20-x86.exe (use a user account that have local
> admin rights).
>
> Download location for WindowsUpdateAgent20-x86.exe
> http://go.microsoft.com/fwlink/?LinkId=43264
>
>
> Then put the following text in a registry file (.reg) and import it
> by double-clicking on it in Explorer.
>
> --------------------8<----------------------
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate]
> "ElevateNonAdmins"=dword:00000001
>
> --------------------8<----------------------
> (be sure to have a blank line at the end of the registry file)
>
> Then reboot.
>
> This will enable the policy "Allow non-administrators to receive
> update notifications".
>
> With ElevateNonAdmins set to 1 a non-admin is allowed to select
> "Restart Later", and also to use the AU icon in the system tray to
> start installations before scheduled installation time (good), as
> well as un-select updates that is scheduled to be installed on the
> computer (not so good maybe, but see further down for a possible
> counter-measure).
>
> With ElevateNonAdmins enabled, the end user experience of Automatic
> Updates is completely the same all the way for both admins
> and non-admins (at least when using a WSUS server).
>
>
> If you are afraid that some users will hide some updates, here is a
> counter-measure you can use if the computers are in an Active
> Directory domain.
>
> Use a script that unhides all hidden updates every time the computer
> starts up.
>
> You could put the vbscript below in a computer startup script (with a
> GPO) that runs as part of the boot up process (before the user logs
> in). It runs under the system context and has admin rights.
>
>
> '--------------------8<----------------------
>
> On Error Resume Next
> Dim oSearcher, oSearchResult, i, oUpdate
>
> Set oSearcher = CreateObject("Microsoft.Update.Searcher")
>
> ' use locally cached information
> oSearcher.Online = False
>
> ' find updates that are hidden
> Set oSearchResult = oSearcher.Search("IsHidden=1")
>
> If Err.Number = 0 Then
> If oSearchResult.Updates.Count > 0 Then
> For i = 0 to oSearchResult.Updates.Count - 1
> Set oUpdate = oSearchResult.Updates(i)
> ' unhide the update
> oUpdate.IsHidden = False
> Next
> End If
> End If
>
> '--------------------8<----------------------
>
>
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scr...r/default.mspx
>

ArthurB wrote:

> I did what you suggested and still cannot receive update notifications for
> users (even if the user belongs to the local Administrators group).
> Only Administrator user receives notifications.
>
> Here are my policies:
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate]
> "ElevateNonAdmins"=dword:00000001
> "TargetGroup"="WSUS"
> "TargetGroupEnabled"=dword:00000001
> "WUServer"="http://wsussrv"
> "WUStatusServer"="http://wsusrv"
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\AU]
> "AUOptions"=dword:00000003
> "AutoInstallMinorUpdates"=dword:00000000
> "NoAutoRebootWithLoggedOnUsers"=dword:00000001
> "NoAutoUpdate"=dword:00000000
> "ScheduledInstallDay"=dword:00000000
> "ScheduledInstallTime"=dword:00000003
> "UseWUServer"=dword:00000001
>
Hi,

Your settings look fine...

A)
Do you have "Client for Microsoft Networks" installed/enabled for your
network connection? If not, install it, reboot, and see if it helps.

B)
Please see if this helps:

1. Start Explorer.
2. In Explorer, right click on "My Computer"
3. Select "Manage"
4. Expand Local Users and Groups.
5. Select Users.
6. Open the account used to access Windows Update.
7. Click the Member Of tab.
8. If you find anything else than the "Administrators" group there,
remove those other entries. You need to have only the
"Administrators" group listed there.
9. If you did any changes to the Member of list, log off and on again,
and try Windows Update again.


If the above did not work, could you please post back all membership
entries for each of the local groups?




--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx