Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

allow no-admin user to install windows update


  • Please log in to reply
18 replies to this topic

#1 adel87

adel87

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 25 August 2014 - 08:33 AM

Hi every I'm newbie with windows server I want to know how i can allows no-admin users to install windows update

I have find  this GPO " Allow non-administrators to receive update notifications"
but in the explication  it is said "On Windows 7: This policy setting has no effect. Users will always see an Account Control window and require elevated permissions to do either of these tasks"

Please can you explain
Thank you



BC AdBot (Login to Remove)

 


m

#2 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:20 AM

Posted 25 August 2014 - 02:49 PM

Give this a read. You are on the right track with the GPO, but in Windows 7 there are some extra configuration steps you need to take: http://answers.microsoft.com/en-us/windows/forum/windows_other-windows_update/permit-limited-user-to-runinstall-windows-updates/8433dd8f-116b-4f40-b5ba-eba8fe4957a7

Scroll down to the first answer, where he explains how to configure this for Windows 7.



#3 adel87

adel87
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 25 August 2014 - 03:53 PM

hi thank you i have read

"STEP 1. First of all, as an administrator, you need to enable Automatic Updates.
The easiest way in your limited account to enable Automatic Updates without logging off into an admin account is to go into the Control Panel and hold shift, and right click on Automatic Updates and choosing “Run As”. You'll need to run it as an account with admin privileges. Using an admin account without a password will not work!

STEP 2. Next, you need to open the Group Policy editor as an administrator. To do so, click on Start; in the run box (Windows XP) type gpedit.msc and right click to “Run as administrator”. In Windows Vista/7, type gpedit.msc in the start search box and choose “Run as administrator”

 

so for the step 1 the network administrator must enable it on each PC individually?

for the step 2 there is the same GPO in Active directory so why it must be set in the local GPO

Thank you



#4 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:20 AM

Posted 25 August 2014 - 04:01 PM

Yes, it needs to be set individually on each computer. Can't explain why Microsoft decided to do it this way on Windows 7 -- but they did. :huh: 



#5 adel87

adel87
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 25 August 2014 - 05:21 PM

Hi thank you for your help

but I don't understand the step 2 why it is neccessary to set the local GPO ( I can do that in the GPO of the domain)

Thank you



#6 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:20 AM

Posted 25 August 2014 - 07:02 PM

After some review to refresh my memory, it seems the advice from Microsoft is a bit confusing on this point.

 

I have confirmed that the policy has to be changed in Computer Configuration > Administrative Templates > Windows Components > Windows Updates, then enable the Allow Non-Administrators to Receive Update Notifications policy, as apparently users will need elevated privileges to install updates if it is set at the domain level.

 

But some Microsoft documentation states the policy needs to be set at the domain level -- typical Microsoft clarity :mellow: . Probably best to test it out on one computer -- set the policy at the domain level, and let a non-admin try to install new updates. If they can't, then it will have to be changed on each computer where you want users to have that permission.



#7 adel87

adel87
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 26 August 2014 - 12:45 AM

Hi thank you for your help please and for the step 1 is it necessary?

Thank you



#8 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:20 AM

Posted 26 August 2014 - 01:22 AM

As I said, the Microsoft documentation doesn't make it entirely clear where the policy needs to be set, at the domain level or on each computer. So start by setting the group policy at the domain level only, and see if that allows non-admin users to install updates on their computers.

If it doesn't, then you will have to set it in the local group policy as well, on each computer where you want non-admin users to be able to install updates.

 

Hope that clarifies it.



#9 adel87

adel87
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 26 August 2014 - 01:23 AM

hi thank you for answer



#10 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:20 AM

Posted 26 August 2014 - 01:29 AM

Sorry the answer wasn't more definitive.

No doubt there are others who are trying to figure this out as well. You could help all of us by posting back once you've figured out where the group policy change needs to be made. :)



#11 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:10:20 AM

Posted 26 August 2014 - 04:07 PM

The Windows update settings GPO does NOT need to be set at domain level. Anywhere in your tree of OUs that is inherited by the OUs containing your target computers will work.

 

You could have one GPO and apply it to several OUs or sub-trees of OUs that contain the desired systems, or you could have several different policies and apply those to different classes of systems by applying the appropriate policies to the appropriate OUs of computers.

 

Re point 1 -  the administrator does NOT need to visit each PC physically - enabling windows update and setting the basic mode of operation can be done in your windows update GPO  (under 'configure automatic updates')

 

Allow non-admin users to receive notification is just that - they get the Notifications but to not have the power to do anything about it.

 

I might recommend that you make updates install automatically, using the GPOs to lock those settings, but giving the users to accept or defer the installation of the updates at shutdown time...

 

If you desire control over which updates get installed, the Windows server update services is the way to go.

 

x64

 

(that said- I think that control of Windows update through group policy and WSUS is very primitive and inflexible for the importance that updating has gained. :angry: )



#12 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:20 AM

Posted 26 August 2014 - 04:17 PM

I agree re WSUS, but the poster was asking how to allow non-admin users to install updates -- which if he doesn't have a Windows Update server, might make sense.

 

Point taken on setting it at the OU level, which is safer than setting it for the entire domain.

 

And I couldn't agree more -- given how important updates are nowadays, the tools for controlling them leave much to be desired.



#13 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:10:20 AM

Posted 26 August 2014 - 04:54 PM

Indeed, but given that Windows update on win 7 does require elevation in order to command the selection and installation of updates through through the WU UI it does not look like that will be be possible in the way that I think the OP intended. - Questioning the original requirement and suggesting alternatives was the way to go. Setting the system to install the update automatically and allowing the user to defer them at shut-down time may be an acceptable compromise - you don't know until you ask!.

 

One thing I've learned in 30 years of IT support is to question the question itself (along, naturally with any and all assertions and evidence supplied  :rolleyes:  :lol:  )

Maybe one day I'll learn something else :)



#14 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:20 AM

Posted 26 August 2014 - 06:19 PM

I know what you mean. :)

 

I do know from experience that small companies with domains that only have a few users and who don't have much, if any, in-house tech support prefer not to hassle with installing, configuring and troubleshooting a Windows Update server. I also know that some senior types within companies don't like being pestered with reminders to reboot or reschedule, and prefer to install updates on their own time. You can try to reason with them, but...  :rolleyes:



#15 JohnnyJammer

JohnnyJammer

  • Members
  • 1,107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:08:20 PM

Posted 27 August 2014 - 07:17 PM

I have no idea why you are having issues, the setting to allow non admins to install updates from wsus has been around for donkeys years.

The only ones that will trigger UAC are ones that have a licence agreement!

 

Always structure your WSUS to match the OU groups in AD, just goto ComputerConfig/Admin templates/Windows components/Windows Updates and select and enable Allow non admins to receieve notifcations (Which you have but make sure the GPO is structured in the workstation OU).

Quote from policy

Non-administrative users will be able to install all optional, recommended, and important content for which they received a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface , End User License Agreement , or Windows Update setting changes.

Also make sure your domain functional level is set to 2008 as i have ound when installing print drivers with out UAC.

 

I seperate users and computers in my domain, this allows me to create a properly structured GPO's, i also have mu;tiple locatiosn each with their own WSUS servers so i have to create seperate WSUS policies depending on locations.

Never had an issue with WSUS or the GPO settings allwing non admins to install

 

I forgot to add, dont EVER add anything to the default domain policy unless its something like pointing to certificvate server etc. I cannot tell you how much of importance structured OU groups are when using GPO's


Edited by JohnnyJammer, 27 August 2014 - 07:21 PM.





3 user(s) are reading this topic

0 members, 3 guests, 0 anonymous users