Automatic update and security

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I add Domain Users (2000 server domain) to the Power Users Group on the XP
local box, will Automatic updates still work? I noticed when logged on as a
domain user, you cannot do Windows update. Also I have a couple of domain
users who want to run defrag , they cannot. Is there a way to allow them to
do so without giving full admin rights on the box?
3 answers Last reply
More about automatic update security
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    You could try adjusting the permissons on the NTFS and FAT Defrag engines in DCOM Config. You could also run Defrag as a scheduled task under an Administrator logon. See www.dougknox.com, Win XP Fixes, Defrag All Hard Disks. This small VB Script can be run as a Scheduled Task.

    --
    Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
    Win 95/98/Me/XP Tweaks and Fixes
    http://www.dougknox.com
    --------------------------------
    Per user Group Policy Restrictions for XP Home and XP Pro
    http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    --------------------------------
    Please reply only to the newsgroup so all may benefit.
    Unsolicited e-mail is not answered.

    "WWright" <WWright@discussions.microsoft.com> wrote in message news:349FE00C-7C3E-41A5-8FE7-50B8BE57540A@microsoft.com...
    >I add Domain Users (2000 server domain) to the Power Users Group on the XP
    > local box, will Automatic updates still work? I noticed when logged on as a
    > domain user, you cannot do Windows update. Also I have a couple of domain
    > users who want to run defrag , they cannot. Is there a way to allow them to
    > do so without giving full admin rights on the box?
    >
    >
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    WWright wrote:

    > I add Domain Users (2000 server domain) to the Power Users Group on the XP
    > local box, will Automatic updates still work? I noticed when logged on as a
    > domain user, you cannot do Windows update. Also I have a couple of domain
    > users who want to run defrag , they cannot. Is there a way to allow them to
    > do so without giving full admin rights on the box?
    Hi,

    A couple of options for your last question:

    A)
    Put defrag.exe in a scheduled task (on each computer) running under an
    administrator account.

    In the link below you will find the following vbscripts (that runs defrag.exe):

    defrag_all.vbs - Defrag All Hard Drives - Can be run as a scheduled task
    Does not create an error log

    defrag_all2.vbs - Defrag All Hard Drives - Can be run as a scheduled task
    Creates an error log and displays the error log when complete.

    http://www.dougknox.com/utility/scripts_desc/defrag_all.htm


    B)
    If it is an requirement that the (non-admin) user must be able to start
    the defrag utility manually at will, this might work as well:

    Create a service that runs defrag.exe when started using
    srvany.exe/instsrv.exe:
    http://groups.google.co.uk/groups?selm=3E8C6A94.2F5EE338%40hydro.com

    Then grant the users (or a script running under the user's credentials)
    rights to start the service (to start defrag.exe):

    HOW TO: Grant Users Rights to Manage Services in Windows 2000
    http://support.microsoft.com/default.aspx?scid=kb;en-us;288129

    The link above is relevant for Windows XP also.

    For method 3 in the article above:

    A new, bug-fixed version of SubInACL.exe is available for download here
    (Win2k/WinXP/Win2k3):

    http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b

    SETACL (freeware) at http://setacl.sourceforge.net/ can also set permissions
    on local or remote Win32 services.


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    WWright wrote:

    > I add Domain Users (2000 server domain) to the Power Users Group
    > on the XP local box, will Automatic updates still work? I noticed
    > when logged on as a domain user, you cannot do Windows update.

    At least if you set up your own WSUS server and point your clients to
    it, it will update the computers even if the users are not local
    admins. In this case, you need to configure Automatic Updates to
    AUOptions 4 (automatic download and scheduled installation).

    More about WSUS here:

    Windows Server Update Services
    http://www.microsoft.com/windowsserversystem/updateservices/default.mspx


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
Ask a new question

Read More

Domain Security Windows XP