Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Uninstalling WSUS removes WSUS Administrators group

93 views
Skip to first unread message

Bobby P

unread,
May 15, 2006, 10:16:01 AM5/15/06
to
I guess this is just an comment about an annoyance, rather than a question,
now that i have figured out what is going on. Maybe a bug? I would hope
this isn't by design.

I have WSUS running at about 15 different sites on domain controllers. At
most sites, the only Win 2003 server is a domain controller, so it turns out
that every WSUS server is also that site's DC. One day when I was
implementing WSUS at other sites, I noticed that the WSUS Administrators
domain local group disappeared from Active Directory and the folders on the
servers had "account unknown" listed in the ACL where WSUS Administrators had
permissions previously. I scratched my head for a day or so and just decided
to recreate the group and reapply the permissions on all of the folders on
every server. Was a pain, but it got us back up again.

Last week I was having an issue with running WSUS on a new DC (turns out
someone had screwed up IIS, but I didn't know that at the time), so first
thing I did was uninstall/reinstall WSUS. Soon afterward I got calls from
local WSUS admins saying they were unable to authenticate to the WSUSAdmin
console. I checked AD and there was an empty WSUS Administrators group in
the default Users OU, and the ACLs on the folders on the WSUS servers once
again had "account unknown" listed instead of WSUS Administrators.

It looks like uninstalling WSUS on one domain controller removes the
security group from the domain, rendering all non "domain admins" unable to
use the WSUSAdmin console on any other domain controller. I tested this
again by uninstalling WSUS from the same server mentioned above. The WSUS
Administrators domain local group disappeared from Active Directory soon
thereafter.

Mohammed Athif

unread,
May 16, 2006, 10:09:37 AM5/16/06
to
Hi Bobby,

Thanks for posting your findings. I will add this as a new known issue
on
http://msmvps.com/blogs/athif/archive/2006/05/01/WSUS_on_Domain_Controller.aspx
(word wrap)

Happy Patching,
Mohammed Athif Khaleel
http://msmvps.com/athif

Lawrence Garvin (MVP)

unread,
May 17, 2006, 6:08:46 PM5/17/06
to
"Bobby P" <Bob...@discussions.microsoft.com> wrote in message
news:A7AA2D30-4152-4391...@microsoft.com...

>I guess this is just an comment about an annoyance, rather than a question,
> now that i have figured out what is going on. Maybe a bug? I would hope
> this isn't by design.

<snip>

> It looks like uninstalling WSUS on one domain controller removes the
> security group from the domain, rendering all non "domain admins" unable
> to
> use the WSUSAdmin console on any other domain controller. I tested this
> again by uninstalling WSUS from the same server mentioned above. The WSUS
> Administrators domain local group disappeared from Active Directory soon
> thereafter.

Bobby, I agree this is not a good thing if this is what is happening. I'm
going to do some testing on this scenario, and assuming I can reproduce the
behavior, I'll bounce the issue up to the WSUS team to see about a 'fix' or,
at least, documentation of the issue.

--
Lawrence Garvin, M.S., MVP-Software Distribution
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, eveything else is at
http://wsusinfo.onsitechsolutions.com
...


0 new messages