Software Update Service 1


IndyGill

Technical User
Jan 15, 2001
191
GB
Hi

I was wondering if anybody has used Microsoft Software Update Service. I have installed SUS SP1 on my Windows 2000 Server SP4 DC, which distributes it to my clients, which are Win 2k SP3 machines. OK so the install went well and all the Windows Updates have installed and synced.

I have added the wuau.adm template to my Group Policy and it all seems to be fine. I have selected option 4 in my Group Policy for installing the updates at a specific time. However I noticed that the updates do not actually install on the client machine. I have found:

1) That if I (administrative rights user) log on to the client machine the little icon appears telling me that new updates are ready to install. However I have to actually double click the icon and start the install. Does it not do the install automatically?

2) Also I have noticed that if a standard user logs onto the machine they do not see the Windows Update install icon at the bottom left of screen.

I'm just wondering is there another setting that I need to tweak in order for the install to happen? I have also noticed a template called Windows Installer, do I need to have this enabled, or tweak something in here?

Many thanks in advance
 
Try enabling "Enable user to patch elevated products" under the Windows Installer template.

Paul
 
Installing updates requires Administrator level access, as does installing any software on the Win2k or XP systems. It is not a good idea to allow users to install software, they tend to really mess up the systems and generate a lot of work to fix. Likewise, I would not recommend automatically adding every "update" as soon as it appears, try it out on a test system first to see what happens, otherwise you too will be severely burned a few times!

HTH

David
 
Hi

I have Enabled the setting for "Enable user to patch elevated products" under the Windows Installer Template. This setting has been added to the machine.

However it still only flags the Windows Update Icon when a person logs on with administrative rights and asks to do the install. When I log on as a normal user it does not flag or do the install.

I only want them to be able to run Windows Updates and not be able to install anything else. I'm just wondering do I have to do any tweaks to Users Configuration setting in the group policy?

Thanks in advance



 
The system is working as designed, you can not change the system, you just have to live with the rules! Make your account a member of the admin group on that machine and you will be able to do the updates.
 
Why would you bother with a whole product to do security updates and then make it so that an administrator still had to touch every machine to make it work? If SUS won't patch the machines with normal users logged on, I could wander around all 200+ machines doing nothing but updating security patches and never do anything else. That's no different than just using ms update online.

There's got to be more to it than that...



 
Bookouri, I totally agree with you. I thought it would be easy enough to install SUS and update all the client machines. However I have been disappointed with SUS requiring admin rights to install the actual update.

Has anyone got SUS to run without Admin rights?

 
I have it working here and it does not require admin rights to install the updates.

I have set "Configure Automatic Updates" the following way:

Configure automatic updating: 4-Auto download and schedule the install

Schedule install day: 0 - everyday
Schedule install time: 03:00

I have set "Specify intranet Microsoft update service location" to point to the server hosting SUS.

With this configuration the update(s) will be downloaded and an event will be logged. If an administrator is logged on, they will be presented with a count-down box. At this point, the installation can be stopped from proceeding and the installation will be scheduled for 3:00am the next day. If an administrator is not logged on, the installation will automatically proceed. If a user without admin rights is logged on, they will be presented with a notification that the computer is about to restart, if a restart is required.

Hope this helps.

Jim

Jim Webber
Network Administrator MCSE CNA
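
A client-side check for the settings described in the post above, as an added example that is not part of the original thread: it reads the registry values that the Automatic Updates policy writes and compares them with option 4, day 0, 03:00 and an intranet update server. The value names are the documented Automatic Updates policy values rather than anything quoted in the thread; the server URL is a placeholder, and a client with PowerShell 3.0 or later is assumed.

```powershell
# Added example: verify that the Automatic Updates policy reached this client.
# Assumption: $ExpectedServer is a placeholder, not a value from the thread.
$ExpectedServer = 'http://sus.example.internal'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Expected data for "4 - Auto download and schedule the install",
# every day (0) at 03:00 (hour 3), pointed at the intranet server.
$expected = @(
    @{ Key = $auKey; Name = 'NoAutoUpdate';         Want = 0 }
    @{ Key = $auKey; Name = 'AUOptions';            Want = 4 }
    @{ Key = $auKey; Name = 'ScheduledInstallDay';  Want = 0 }
    @{ Key = $auKey; Name = 'ScheduledInstallTime'; Want = 3 }
    @{ Key = $auKey; Name = 'UseWUServer';          Want = 1 }
    @{ Key = $wuKey; Name = 'WUServer';             Want = $ExpectedServer }
    @{ Key = $wuKey; Name = 'WUStatusServer';       Want = $ExpectedServer }
)

function Test-AuPolicy {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the GPO has not applied to this machine.
        $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
        $have = if ($props -and $props.PSObject.Properties[$c.Name]) {
            $props.($c.Name)
        } else {
            $null
        }
        [pscustomobject]@{
            Name     = $c.Name
            Expected = $c.Want
            Actual   = if ($null -eq $have) { '<not set>' } else { $have }
            Ok       = ($null -ne $have -and "$have" -eq "$($c.Want)")
        }
    }
}

$result = Test-AuPolicy -Checks $expected
$result | Format-Table -AutoSize

# Non-zero exit code so the check can be used from a logon or inventory script.
if ($result | Where-Object { -not $_.Ok }) { exit 1 }
```

A row showing `<not set>` points at Group Policy not applying to the computer object, which is a different problem from the update client declining to install.
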
 
I am also distributing WUAU22.msi, windows update client, via a GPO to all computers. I believe SUS needs at least this version of the windows update client. Someone correct me if I am wrong.

Jim

Jim Webber
Network Administrator MCSE CNA
 
I do not use it and here is my 2 cents on installing it.

I feel that users should NOT be able to install / update / do anything but work on their PC's. So using GPO's I move updates to clients. Not the most efficient, but works.

Chris.
 
How do you manage to push the updates using GPO's? I've tried to find good documentation on that, but based on what I've been able to find out, you have to convert the updates to .msi files in order to push them out with AD. Am I missing something here...

 
I have the same questions about the users with admin rights having to manually click the update icon, as opposed to the non-admin users getting the updates without a prompt. I found in another thread here that listed this site. It has a little better info than the MS site did.

I have set things up as Slainte35 shows above, but still no success with clients that have local admin rights. Non admin clients update and install fine.

dholbrook and cyberkatis:
SuS server is a tool that allows you as an administrator to control the patches that are applied to your Windows SP2 and up clients via the Windows Update service, except that you run the update site (the SuS server on IIS) internally on your network. The purpose is that you can deploy the updates on your own schedule after you have tested them. It allows the hands free installation of updates on clients where the user doesn't have admin rights. The problems people are having are with clients that have admin rights. They do not automatically install; they only prompt the client to install.
 
Ok, I will add my two cents in again.

The biggest problem I have run into with automatic updates is that there are a lot of updates put out that may not have any application to your specific configuration, application, etc., and should NOT be installed to correct a problem you DO NOT HAVE!

Every patch to the system is designed to correct a specific problem, and many times the patches then may require an additional patch to fix the new problem caused by a previous patch, so be selective and only install the patches you need. I have WIN 98 systems, for example, and the Microsoft Update keeps wanting to install about 40 patches for foreign language problems, and none of these systems use anything but English language and English based applications. I can not find any way to remove all these un-needed patches from the list on all these systems, so we need to manually look at, and select, all the patches which actually apply to a specific system.

I totally agree that users should NOT be allowed to install patches, it creates too many issues which might require a total rebuild to fix. They should also be prohibited from installing any of these "cute" applications they find out there on the Internet onto their system without prior approval from IT. Smiley faces and Gator type applications are a few I can immediately think of!

The real problem is that instead of putting out full service packs which have been tested with all the patches together, Microsoft is busy issuing patches and fixes to specific problems, which in turn creates new problems for us all. Always READ what the patch is for, and WHO NEEDS IT, before allowing any patch to be applied.

For what ever it is worth! :)

David
 
> The biggest problem I have run into with automatic updates is that there are a lot of updates put out that may not have any application to your specific configuration, application, etc., and should NOT be installed to correct a problem you DO NOT HAVE!

I agree. But have you seen the amount of critical updates that Microsoft come out with?

> Every patch to the system is designed to correct a specific problem, and many times the patches then may require an additional patch to fix the new problem caused by a previous patch

All too true.

> I totally agree that users should NOT be allowed to install patches,

I agree. But you are missing the point. With SUS you as the system administrator should be able to dictate which updates are installed over the network (after testing etc). SUS should then allow elevated privileges so that when any user logs on the required patches are installed. (ie. the patches the admin wants installed). At the same time it should stop users trying to install anything else.

> it creates too many issues which might require a total rebuild to fix. They should also be prohibited from installing any of these "cute" applications they find out there on the Internet onto their system without prior approval from IT. Smiley faces and Gator type applications are a few I can immediately think of!

God, I hate hotbar!

> is busy issuing patches and fixes to specific problems, which in turn creates new problems for us all.

You are correct. BUT I want SUS to be like MSIs & group policy. If I go and assign office to the network, I don't want to go and log into all the machines. I want windows to do it for me! I want SUS to go and install all the patches for me as well!

SUS should be about reducing TCO. I want to spend my time testing the updates, not running around logging myself in to all machines.
 