
Permissions to Run WSUS Administrator Console


Manuel Gomez

Sep 13, 2006, 3:54:01 PM
I am trying to find the necessary group(s) that are needed for a Technician
to be a part of in Active Directory so that they can administer the WSUS
Console without the Technician being a member of the Domain Admin group. I
have a Technician that I do not want to give full Domain Admin rights to who
will be administering the WSUS console. I have added this user to the WSUS
Administrators group and the Technician cannot access the WSUS Console but
when I add them to the Domain Admin group he can access the WSUS Console.
What other groups do I need the Technician to be a part of for him to access
the WSUS Console short of adding him to the Domain Admin group?

--
Manuel Gomez

Lawrence Garvin (MVP)

Sep 13, 2006, 6:01:32 PM
"Manuel Gomez" <Manue...@discussions.microsoft.com> wrote in message
news:05F8F09B-2BA2-4D0B...@microsoft.com...

> I am trying to find the necessary group(s) that are needed for a Technician
> to be a part of in Active Directory so that they can administer the WSUS
> Console without the Technician being a member of the Domain Admin group.

You need to create a Domain Security group (whatever name you prefer), then
add that Domain Security Group to the LOCAL "WSUS Administrators" group on
the WSUS server. Then add this user to the Domain Security group that is a
member of "WSUS Administrators".

If you added the user's Domain Account directly to the WSUS Administrators
group, then that user needs to be sure to authenticate with the WSUSAdmin
console using the /domain/ account, not a simple username/password (which
would be interpreted as a local user account).

--
Lawrence Garvin, M.S., MVP-Software Distribution
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, everything else is at
http://wsusinfo.onsitechsolutions.com


c_wady

Sep 13, 2006, 10:56:01 PM
Adding them to this group gives them rights to make changes to the configs.
Any way to give a user rights to only run reports and check the status of
computers, but not make changes, like approve updates or change the way
computers are put in groups?

Thanks
--
c_wady



Manuel Gomez

Sep 14, 2006, 11:32:02 AM
I have another question. The WSUS server that I am running is located on a
DC. Is this still a problem because there are no Local accounts on a DC from
what I can remember. The scenario is that I have a Domain Security Group
called Technicians and I have added this group to the WSUS Administrators
group. The Technician in question is a part of the Technicians group. This
does not work when the WSUS server is running on the DC. Will I have to
change my Default Domain Controller Policy for me to allow the Technicians
group to have access to the WSUS Console via the WSUS Administrators group?
--
Manuel Gomez



Lawrence Garvin (MVP)

Sep 14, 2006, 3:26:45 PM
"c_wady" <c_w...@yahoo.com> wrote in message
news:A6397BFA-83C1-46FE...@microsoft.com...

> Adding them to this group gives them rights to make changes to the configs.
> Any way to give a user rights to only run reports and check the status of
> computers, but not make changes, like approve updates or change the way
> computers are put in groups?

Not officially. WSUS v2 only supports one access privilege level; however,
a while back somebody in this newsgroup posted a methodology for creating the
ability to do read-only access to reporting. I'd suggest a Google Groups
search of the newsgroup for the keywords 'read-only' and 'reporting'.

The other option is to deploy the WSUS API Samples and Tools Reporting
Rollup tool on a separate server.

Lawrence Garvin (MVP)

Sep 14, 2006, 3:30:46 PM
"Manuel Gomez" <Manue...@discussions.microsoft.com> wrote in message
news:1C1A634D-B793-4420...@microsoft.com...

>> > I am trying to find the necessary group(s) that are needed for a
>> > Technician to be a part of in Active Directory so that they can
>> > administer the WSUS Console without the Technician being a member of
>> > the Domain Admin group.

>> You need to create a Domain Security group (whatever name you prefer),
>> then add that Domain Security Group to the LOCAL "WSUS Administrators"
>> group on the WSUS server. Then add this user to the Domain Security group
>> that is a member of "WSUS Administrators".
>>
>> If you added the user's Domain Account directly to the WSUS
>> Administrators group, then that user needs to be sure to authenticate
>> with the WSUSAdmin console using the /domain/ account, not a simple
>> username/password (which would be interpreted as a local user account).

> I have another question. The WSUS server that I am running is located on a
> DC. Is this still a problem because there are no Local accounts on a DC
> from what I can remember.

It's not a problem, you just need to adjust for the fact that WSUS installed
on a Domain Controller creates a /DOMAIN/ Global Security Group called "WSUS
Administrators" instead of a /LOCAL/ Security Group on the WSUS server. As
such, you only need to add those domain users to the Domain Security Group
"WSUS Administrators" that is already created.

It does become a problem if you have multiple WSUS on DC installations in
the same domain, because then membership in that one domain security group
grants access to all of the WSUS servers in the domain.


> The scenario is that I have a Domain Security Group
> called Technicians and I have added this group to the WSUS Administrators
> group.

This is a practical way to address the issue.

> The Technician in question is a part of the Technicians group. This
> does not work when the WSUS server is running on the DC.

It certainly should.

> Will I have to
> change my Default Domain Controller Policy for me to allow the Technicians
> group to have access to the WSUS Console via the WSUS Administrators
> group?

You should NEVER change the "Default Domain Controller Policy".

Nor would it be necessary for you to modify any other policy, as this is
exclusively a group membership/permissions issue.
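
The delegation described in this thread, covering both the member-server case and the WSUS-on-DC case, as an added example that is not part of any poster's message. It assumes a modern Windows Server with the ActiveDirectory (RSAT) and LocalAccounts PowerShell modules, run elevated on the WSUS server; `jdoe` is a placeholder account name, and `Technicians` is the group name used in the thread.

```powershell
# Added example (not from the thread). Run elevated on the WSUS server.
Import-Module ActiveDirectory

$DelegateGroup = 'Technicians'          # domain security group named in the thread
$Technician    = 'jdoe'                 # placeholder sAMAccountName (assumption)
$WsusGroup     = 'WSUS Administrators'  # group created by WSUS setup

# Create the domain security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$DelegateGroup'")) {
    New-ADGroup -Name $DelegateGroup -GroupScope Global -GroupCategory Security
}

# Put the technician in the delegate group (skip if already a member).
$current = Get-ADGroupMember -Identity $DelegateGroup
if ($current.SamAccountName -notcontains $Technician) {
    Add-ADGroupMember -Identity $DelegateGroup -Members $Technician
}

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDC    = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$netbios = (Get-ADDomain).NetBIOSName

if ($isDC) {
    # On a DC, "WSUS Administrators" is a domain group, not a local one.
    $members = Get-ADGroupMember -Identity $WsusGroup
    if ($members.SamAccountName -notcontains $DelegateGroup) {
        Add-ADGroupMember -Identity $WsusGroup -Members $DelegateGroup
    }
    Write-Warning "WSUS is on a DC: '$WsusGroup' is domain-wide and grants access to every WSUS-on-DC server in this domain."
} else {
    # On a member server, nest the domain group in the LOCAL group.
    $members = Get-LocalGroupMember -Group $WsusGroup
    if ($members.Name -notcontains "$netbios\$DelegateGroup") {
        Add-LocalGroupMember -Group $WsusGroup -Member "$netbios\$DelegateGroup"
    }
}

# Least-privilege check: the technician should not also hold Domain Admins.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
if ($domainAdmins.SamAccountName -contains $Technician) {
    Write-Warning "$Technician is still a member of Domain Admins; remove that membership."
}

# Group changes apply at next logon; the technician must sign in as DOMAIN\user.
Write-Output "Have $netbios\$Technician log off and on, then open the WSUS console."
```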
