Group:  English: Windows Server » microsoft.public.windows.server.update_services
Thread: Minimum rights to install patches on a DC

Minimum rights to install patches on a DC
Paul Jenkins 5/5/2007 1:16:00 PM
Can anyone tell me the minimum rights required to install updates on a DC in
a W2K3 AD Domain? We have a "computer operations" group, and it's their
role to log on and install updates. Obviously they need some rights to log
on and install updates, but I don't want to give them administrator rights,
otherwise they'll have much more privilege than they need. Thanks.

PJ.
Re: Minimum rights to install patches on a DC
"Olaf Engelke [MVP Windows Server]" <oenews01[ at ]mvps.org> 5/5/2007 9:51:47 PM
Hi Paul,
Paul Jenkins wrote:
> Can anyone tell me the minimum rights required to install updates on
> a DC in a W2K3 AD Domain? We have a "computer operations" group,
> and it's their role to log on and install updates. Obviously they
> need some rights to log on and install updates, but I don't want to
> give them administrator rights, otherwise they'll have much more
> privilege than they need. Thanks.
>
Without being Administrator you can't install any system upgrades on a DC.
Since this can easily allow the OS to be compromised or destroyed, no other role
is adequate.
So keep this as one of your duties as Administrator, since you don't want
patches to be installed automatically on a DC. (It makes you very unhappy if a
patch shows its ugly face and all your DCs are bluescreening after the next
reboot.)
Best greetings from Germany
Olaf

RE: Minimum rights to install patches on a DC
tm 5/29/2007 5:17:01 PM
To get around this, I use WSUS with the GPO setting "Allow Non-Administrators
...." to receive update notifications. That way, they can log in, interact
with the AU icon (or call "wuauclt /detectnow" to do so) without being Domain
Admin or DOMAIN\Administrators members. The Automatic Updates service runs
as "Local System" and gets around any delegation issues you may have.

Make sure you have good practices in place to train the Ops group WHEN to
apply and reboot to prevent outages. The reboot event logs will not show
their UserID, just "Local System".

Also, make sure that you limit the number of people who can log on to your
DCs as limited users, or else they might patch your DCs randomly.

-tm

"Paul Jenkins" wrote:

> Can anyone tell me the minimum rights required to install updates on a DC in
> a W2K3 AD Domain? We have a "computer operations" group, and it's their
> role to log on and install updates. Obviously they need some rights to log
> on and install updates, but I don't want to give them administrator rights,
> otherwise they'll have much more privilege than they need. Thanks.
>
> PJ.
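
Added example, not part of the thread: because restarts triggered through Automatic Updates are logged as "Local System", one way to recover accountability is to correlate each such restart with the interactive sessions that were open on the DC at that moment. The sketch assumes exported event records with Server 2003 event IDs (528 logon, 538 logoff in the Security log, 1074 restart in the System log) and that logon auditing is enabled; the accounts and timestamps are constructed sample data.

```python
from datetime import datetime

INTERACTIVE = {2, 10}  # logon types: 2 = console, 10 = Terminal Services / RDP
SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed sample records: (time, event_id, account, logon_type)
EVENTS = [
    ("2007-05-29 21:02:11", 528, "EXAMPLE\\ops1", 10),
    ("2007-05-29 21:05:40", 528, "EXAMPLE\\svc_backup", 3),   # network logon, ignored
    ("2007-05-29 21:14:03", 1074, SYSTEM, None),
    ("2007-05-30 03:00:00", 1074, SYSTEM, None),              # nobody logged on
    ("2007-05-30 09:00:00", 528, "EXAMPLE\\ops2", 2),
    ("2007-05-30 09:10:00", 538, "EXAMPLE\\ops2", 2),         # logged off before restart
    ("2007-05-30 09:12:00", 528, "EXAMPLE\\ops3", 10),
    ("2007-05-30 09:30:00", 1074, SYSTEM, None),
]


def attribute_reboots(events):
    """Return [(restart_time, [accounts with an interactive session open])].

    Only restarts recorded under Local System are examined; a restart logged
    under a named account is already attributed by the event itself.
    """
    open_sessions = {}
    findings = []
    # ISO-style timestamps sort correctly as strings.
    for ts, event_id, account, logon_type in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 528 and logon_type in INTERACTIVE:
            open_sessions[account] = when
        elif event_id == 538 and logon_type in INTERACTIVE:
            open_sessions.pop(account, None)
        elif event_id == 1074 and account == SYSTEM:
            findings.append((when, sorted(open_sessions)))
            open_sessions.clear()  # a restart ends every session
    return findings


if __name__ == "__main__":
    for when, accounts in attribute_reboots(EVENTS):
        who = ", ".join(accounts) or "none (unattended or scheduled install)"
        print(f"{when}  restart as Local System; interactive sessions: {who}")
```

The result is a list of candidates rather than proof of who clicked the update prompt, so it works best when only a few accounts are allowed to log on to the DCs.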
