Re: Possible security issue??
- From: Jeremy <Jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 8 May 2006 09:18:03 -0700
Steven,
Sorry for taking so long on my reply but last week was quite busy for me.
While I was waiting for you to get back with me I decided to re-apply the
default group policy settings since this client is small and I didn't see any
major settings already in place. Once I did that and enabled Allow automatice
updates immediate installation, rebooted my PC, I was able to to install
updates with no issues. After having my clients log off than back on, they
were able to install their auto updates as well. I may not have been able to
offically troubleshoot the issue but this will suffice. :)
Also, as you recommended, I removed my laptop from their domain and was
able to install updates right away so i know it wasn't a file system/registry
permission policy. Thanks again for you all your help. You guys are a great
asset!
Regards,
Jeremy Johnston
"Steven L Umbach" wrote:
The link below is about all I found on that error..
http://www.eventid.net/display.asp?eventid=20&eventno=1797&source=Automatic%20Updates&phase=1
I suppose that Group Policy could also be applying some file system [NTFS]
or registry permissions changes that may be interfering. Rsop.msc on an XP
Pro computer would probably show such. If that is the case then if you
unjoin your computer from the domain, reboot, and try to install the same
update it would fail again as file system/registry permissions changes are
not rolled back when a computer is removed from the influence of that Group
Policy setting. Using the free tools regmon/filemon from systinternals can
also track down when a user is being denied access to a file/registry key.
http://www.sysinternals.com/Utilities/Filemon.html --- filemon and link to
SysInternals.
I would also enable auditing of privilege use for failure on a computer
having the problem in Local Security Policy and then look to see if any
failures are recorded for privilege use when an update installation fails.
Priviliges are user rights that are controller via security/group policy
either locally or at the domain level and it this case it would be at the
domain/OU level. --- Steve
"Jeremy" <Jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C5754534-4041-4724-ADF6-A52DBEDABE33@xxxxxxxxxxxxxxxx
This is the only error I get in the system log and I did some research on
this before I posted here. I didn't find anything helpful on the net
Event Type: Error
Event Source: Windows Update Agent
Event Category: Installation
Event ID: 20
Date: 5/3/2006
Time: 11:56:13 AM
User: N/A
Computer: JEREMYLT
Description:
Installation Failure: Windows failed to install the following update with
error 0x8007f004: Windows Genuine Advantage Validation Tool (KB892130).
"Steven L Umbach" wrote:
Does it work when the built in local administrator account is used which
is
NOT a domain account? Are there and errors/warnings in the logs that you
can
view via Event Viewer that may indicate a problem with the domain such as
userenv errors? Does running the support tool netdiag on the domain
controller and client computer pass with flying colors showing no major
errors or warnings? Did you verify that the client computer is using ONLY
domain controllers as their preferred/alternate DNS servers in tcp/ip
properties as shown by ipconfig /all and that the domain controller can
be
pinged by name and IP address from the client computer? What error
messages
do the users get if any? -- Steve
"Jeremy" <Jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4E7DF6E5-9645-4724-BB63-E71100BAB79D@xxxxxxxxxxxxxxxx
No it does not. Not even if the user is a Domain Admin *shrug*
"Steven L Umbach" wrote:
Does it work when the users domain account is added to the local
administrators group? It should though I would not consider that an
ideal
solution. You can configure updates to be downloaded/installed
automatically
so that the user does not need to be a local administrator. --- Steve
"Jeremy" <Jeremy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:17CC7491-FB25-4C6C-9775-B4108825F71A@xxxxxxxxxxxxxxxx
I have a client situation where no one seems to be able to install
windows
updates on their PC's that are joined to the domain. They can
download
them
just fine but they fail during install. The only way to install them
is
to
log in using the administrator account to the domain.
One user even has domain admin rights but he's still unable to
install
the
updates. I thought it might be a policy issue and others are saying
internal
DNS. I have searched and searched but I'm unable to find anything to
go
with
that will resolve this issue.
At first I thought it might have been an issue with a users machine
but
when
I tried to run system restore under his credentials (local admin,
domain
admin) I got a message that he didn't have the appropriate rights to
perform
this action. I could only run it from the administrators (domain)
account.
The PDC is a 2000 server..
Thank you in advance for any help.
Jeremy Johnston
- Follow-Ups:
- Re: Possible security issue??
- From: Steven L Umbach
- Re: Possible security issue??
- References:
- Re: Possible security issue??
- From: Steven L Umbach
- Re: Possible security issue??
- From: Steven L Umbach
- Re: Possible security issue??
- From: Jeremy
- Re: Possible security issue??
- From: Steven L Umbach
- Re: Possible security issue??
- Prev by Date: Permissions for removable drive
- Next by Date: Re: Disable admin password
- Previous by thread: Re: Possible security issue??
- Next by thread: Re: Possible security issue??
- Index(es):
Relevant Pages
|
