Re: Automatic Updates as Limited User

From: Noel Paton (NoelDPspamless_at_btopenworld.com)
Date: 11/25/04


Date: Thu, 25 Nov 2004 19:44:07 -0000

Certainly, SP2 requires Admin access to install - but that was not the
question that you first asked!

SP2 is a major System Upgrade (and in earlier times, may have been
considered enough for a total version change - with all that that implies!),
and should NEVER be attempted outside of an Admin account - after first
ensuring that your PC is clear of all known interferences (malware, Norton,
running software - in that order!)

Again - any Security Update is likely to require Admin access - simply
because it's Security-related, and therefore only Admin users should have
access!

-- 
Noel Paton (MS-MVP 2002-2005, Windows)
Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm
http://tinyurl.com/6oztj
Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
"en7ropia" <en7ropia@discussions.microsoft.com> wrote in message 
news:D91E9E6C-4315-4946-A266-02A60EC2DAD5@microsoft.com...
> Thanks for the link.
>
> From the article you linked to:
>
> "When critical updates are detected, Automatic Updates automatically
> downloads these updates in the background while you are connected to the
> Internet. After the download is complete, Automatic Updates waits until the
> scheduled day and time to install the updates. On the scheduled day and time,
> ALL LOCAL USERS receive the following message that has a five minute
> countdown timer: "
>
> Windows is ready to begin installing the updates available for your computer.
>
> Do you want Windows to install the updates now?
>
> (Windows will restart your computer if no action is taken within 5:00 minutes)
>
>
> "If you are logged on as an administrator, when you receive this message,
> you can either click Yes to install the updates or click No to have Automatic
> Updates install the updates at the next scheduled day and time. "
>
> (Note that limited users will see the No option disabled.  They will be
> forced to install the updates and reboot.)  (Good)
>
> "If you do not take any action in five minutes, Windows automatically
> installs the updates."
>
> --------------------------------------------
>
> I actually tested this in Win 2000 Pro to see if it was working as the
> article states:
>
> IT DID WORK!  (Whether it will work consistently in the future is another
> question.)
>
> (I needed to verify that auto updates was working under Limited user accounts
> because I was suspicious that I was not getting some updates)
>
> After the reboot, the limited user can log back in, and work normally.
>
> However, with XP, if SP2 had been downloaded via AutoUpdates I'm thinking that
> an Admin login might have been required after reboot. (to complete the SP2
> install)
>
> SP2 would have hopefully required Admin intervention to be installed.
>
> Can anyone confirm or deny if Auto Updates (in XP) does in fact download
> and install XP SP2 automatically?  I would hope not.
>
> I have also noticed other "Windows Updates" such as IE program updates that
> required Admin login after the reboot in order to complete the install.
>
> (In fact Windows would not let the limited user log in until an Admin had
> logged in first, so that the update could complete.)  But these may just have
> been updates from "Windows Update" instead of "Automatic Updates".
>
> Thanks.
>
>
> "Noel Paton" wrote:
>
>> IIRC, you're correct,  - http://support.microsoft.com/?kbid=327838
>> gives some useful advice....
>>
>> "If you are logged on as an administrator, the Automatic Updates feature in
>> Windows notifies you when critical updates are available for your computer.
>> There is a new Automatic Updates feature that you can use to specify the
>> schedule that Windows follows to install updates on your computer. This
>> article describes how to install this new Automatic Updates feature in
>> Microsoft Windows XP and Microsoft Windows 2000 and how to use it to
>> schedule Automatic Updates."
>>
>> HTH
>>
>> -- 
>> Noel Paton (MS-MVP 2002-2005, Windows)
>>
>> Nil Carborundum Illegitemi
>> http://www.btinternet.com/~winnoel/millsrpch.htm
>> http://tinyurl.com/6oztj
>>
>> Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
>>
>> "en7ropia" <en7ropia@discussions.microsoft.com> wrote in message
>> news:BD5F53DE-1C68-4199-BA14-0C4792B2F7ED@microsoft.com...
>> > Actually, I think Automatic Updates is supposed to download but NOT INSTALL
>> > the updates while running under a Limited User account.
>> >
>> > Can anyone confirm this?
>> > Thanks.
>> >
>> > "Lokesh Dave [MSFT]" wrote:
>> >
>> >> The Automatic Updates process runs as a service and you don't need to be
>> >> logged on as an admin for AU to be able to detect, download or install
>> >> updates. You could set Automatic Updates to install updates at a scheduled
>> >> time. This way the updates will get installed even if you are logged on as a
>> >> non-admin (and even if you are not logged in at all).
>> >>
>> >> Lokesh
>> >>
>> >>
>> >> -- 
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >>
>> >>
>> >> "en7ropia" wrote:
>> >>
>> >> > That doesn't answer my question.
>> >> >
>> >> > In any case, I would be fine with the Automatic Updates "process" running
>> >> > as admin in order to get the updates downloaded and installed.  I find this
>> >> > to be a serious issue.   One should not be forced to be logged in as an
>> >> > administrator to acquire updates.  What am I to do if I don't want a user to
>> >> > be able to have administrative access to a machine?  How then does that user
>> >> > get their Automatic Updates?  (Someone has to log in as administrator to run
>> >> > them??)
>> >> >
>> >> > There needs to be a way to have the "Automatic Updates" run under the
>> >> > administrator account, without the "limited user" having to type in an
>> >> > administrator password every time it needs to run.
>> >> >
>> >> > Basically, it would be nice if I could tell "Automatic Updates" to run under
>> >> > the Admin account (I would have to type the admin password once to configure
>> >> > this)
>> >> >
>> >> > From then on it would run under the Admin account without prompting for
>> >> > password.  (And this "Admin credential" would apply to AutoUpdates
>> >> > ONLY!!!!!)
>> >> >
>> >> > RunAs.exe is a security problem because once you /savecred, anyone can runas
>> >> > ANY PROCESS!!! under the administrator account without a password.
>> >> >
>> >> > Thanks.
>> >> >
>> >> > "Noel Paton" wrote:
>> >> >
>> >> > > By definition, anything that runs as an Admin is a security risk - the user
>> >> > > has to evaluate that risk and decide if it's worth it. (there are a good few
>> >> > > things that will also run in a Limited User account that are also Security
>> >> > > risks - have you stopped them yet?)
>> >> > >
>> >> > > -- 
>> >> > > Noel Paton (MS-MVP 2002-2005, Windows)
>> >> > >
>> >> > > Nil Carborundum Illegitemi
>> >> > > http://www.btinternet.com/~winnoel/millsrpch.htm
>> >> > > http://tinyurl.com/6oztj
>> >> > >
>> >> > > Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
>> >> > >
>> >> > > "en7ropia" <en7ropia@discussions.microsoft.com> wrote in message
>> >> > > news:B038814A-72D3-498E-8EA1-00DE9C20DE07@microsoft.com...
>> >> > > > Does anyone know if Microsoft supports a method of having Automatic Updates
>> >> > > > run "Automatically" under a Limited User account?
>> >> > > >
>> >> > > > I have looked into "RunAs" but for it to not prompt for an administrator
>> >> > > > password, you must use the /savecred parameter which is a security problem.
>> >> > > >
>> >> > > > Thanks.
>> >> > >
>> >> > >
>> >> > >
>>
>>
>>
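
The concern raised in the thread about RunAs with /savecred can be audited from process-creation logs. The following is an added example, not part of the original posts; the event records, account names and paths are constructed, and it assumes command lines are already being collected.

```python
import shlex

# Constructed (caller, command line) process-creation records; not from the thread.
SAMPLE_EVENTS = [
    ("limiteduser", r'runas /user:PC01\Administrator /savecred "C:\Tools\updater.exe"'),
    ("limiteduser", r'RunAs.exe /SaveCred /user:Administrator cmd.exe'),
    ("limiteduser", r'runas /user:PC01\Administrator "notepad.exe C:\notes\savecred.txt"'),
    ("admin", r'C:\WINDOWS\system32\runas.exe /profile /user:PC01\Admin2 mmc.exe'),
    ("limiteduser", r'cmd.exe /c echo runas /savecred'),
]

def parse_runas(cmdline):
    """Return a dict describing a runas invocation, or None if cmdline is not one."""
    try:
        # posix=False keeps backslashes and keeps a quoted program as one token
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = cmdline.split()
    if not tokens:
        return None
    image = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in ("runas", "runas.exe"):
        return None
    info = {"savecred": False, "user": None, "program": None}
    for tok in tokens[1:]:
        if not tok.startswith("/"):
            # runas switches precede the program; the first non-switch token is it
            info["program"] = tok.strip('"')
            break
        low = tok.lower()
        if low == "/savecred":
            info["savecred"] = True
        elif low.startswith("/user:"):
            info["user"] = tok[len("/user:"):]
    return info

def flag_savecred(events):
    """Return (caller, target_user, program) for each runas call using /savecred."""
    hits = []
    for caller, cmdline in events:
        info = parse_runas(cmdline)
        if info and info["savecred"]:
            hits.append((caller, info["user"], info["program"]))
    return hits

if __name__ == "__main__":
    for hit in flag_savecred(SAMPLE_EVENTS):
        print("runas /savecred by %s as %s -> %s" % hit)
```

Only the first two sample records are flagged: the string "savecred" inside a quoted program argument, or in a command that merely echoes the text, is not treated as the switch.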