Monday, February 06, 2006

WSUS

Microsoft Windows Software Update Services. A simple, easy to use, easy to deploy, free application that allows a system administrator to apply OS and select Microsoft application patches without visiting each machine. Install the software on the server, synchronize, and create a GPO (or more) to configure the clients. Very easy. Till you try and take users into the equation.

I decided to set the Automatic Update and BITS services to be Enabled and for Automatic Updates to auto start. I was attempting to stop the people out there who disable services in an attempt to keep the admins out.

After implementing the policy we noticed a problem. Windows 2000 Servers and Windows Server 2003 systems checked in just fine. Some Windows XP systems would check in but never talk to the WSUS server again. It was also noted that Windows Update didn't work. Further investigation showed that the Automatic Update service was stopped and attempts to start it gave an error that the permissions were incorrect. A check of the Microsoft knowledge base gave a command to reset the permissions. Using that command allowed the service to be started. Something didn't seem right.

After some more investigation I found that if one sets Automatic Updates to start via Group Policy the permissions on the service get changed. One little article written by an MVP. Nothing from Microsoft support.

Remove the service controls from the GPO and everything works. Who'd thunk that setting a service in a GPO would change the permissions on it?
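To check whether a policy has rewritten a service's permissions, the SDDL string printed by `sc sdshow wuauserv` can be parsed for who still holds the start right. The following is an added example, not part of the original post: the two sample strings are constructed, the expected trustees (SYSTEM and Administrators) are an assumption, and the check is per trustee rather than a full token access check.

```python
import re

# Rights bits that let a trustee start a service: SERVICE_START itself,
# plus GENERIC_ALL / GENERIC_EXECUTE, which both map to it for services.
START_CODES = {"RP", "GA", "GX"}
START_MASK = 0x0010 | 0x10000000 | 0x20000000

# Constructed sample strings in `sc sdshow` format (not taken from the post).
SAMPLE_OK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_RESTRICTED = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"

def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) tuples from the D: part only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) >= 6:
            aces.append((fields[0], fields[2], fields[5]))
    return aces

def grants_start(rights):
    """True if an ACE rights field (letter codes or hex mask) includes start."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & START_MASK)
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & START_CODES)

def trustees_allowed_to_start(sddl):
    """Trustees with an allow ACE for start and no earlier deny ACE for it."""
    allowed, denied = set(), set()
    for ace_type, rights, trustee in parse_dacl(sddl):
        if not grants_start(rights):
            continue
        if ace_type == "D":
            denied.add(trustee)
        elif ace_type == "A" and trustee not in denied:
            allowed.add(trustee)
    return allowed

def missing_start(sddl, expected=("SY", "BA")):
    """Expected trustees (an assumption: SYSTEM and Administrators) lacking start."""
    allowed = trustees_allowed_to_start(sddl)
    return [t for t in expected if t not in allowed]

if __name__ == "__main__":
    for name, sddl in (("ok", SAMPLE_OK), ("restricted", SAMPLE_RESTRICTED)):
        print(name, "missing start:", missing_start(sddl) or "none")
```

Comparing the output for a machine inside the GPO's scope with one outside it shows whether the policy is what changed the descriptor.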
