Re: Automatic Updates as Limited User

From: en7ropia (en7ropia_at_discussions.microsoft.com)
Date: 11/25/04


Date: Thu, 25 Nov 2004 12:05:02 -0800

I appreciate the feedback.
Thanks.

"Noel Paton" wrote:

> Certainly, SP2 requires Admin access to install - but that was not the
> question that you first asked!
>
> SP2 is a major System Upgrade (and in earlier times, may have been
> considered enough for a total version change - with all that that implies!),
> and should NEVER be attempted outside of an Admin account - after first
> ensuring that your PC is clear of all known interferences (malware, Norton,
> running software - in that order!)
>
> Again - any Security Update is likely to require Admin access - simply
> because it's Security-related, and therefore only Admin users should have
> access!
>
>
> --
> Noel Paton (MS-MVP 2002-2005, Windows)
>
> Nil Carborundum Illegitemi
> http://www.btinternet.com/~winnoel/millsrpch.htm
> http://tinyurl.com/6oztj
>
> Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
>
> "en7ropia" <en7ropia@discussions.microsoft.com> wrote in message
> news:D91E9E6C-4315-4946-A266-02A60EC2DAD5@microsoft.com...
> > Thanks for the link.
> >
> > From the article you linked to:
> >
> > "When critical updates are detected, Automatic Updates automatically
> > downloads these updates in the background while you are connected to the
> > Internet. After the download is complete, Automatic Updates waits until the
> > scheduled day and time to install the updates. On the scheduled day and time,
> > ALL LOCAL USERS receive the following message that has a five minute
> > countdown timer: "
> >
> > Windows is ready to begin installing the updates available for your computer.
> >
> > Do you want Windows to install the updates now?
> >
> > (Windows will restart your computer if no action is taken within 5:00 minutes)
> >
> >
> > "If you are logged on as an administrator, when you receive this message,
> > you can either click Yes to install the updates or click No to have Automatic
> > Updates install the updates at the next scheduled day and time. "
> >
> > (Note that limited users will see the No option disabled. They will be
> > forced to install the updates and reboot.) (Good)
> >
> > "If you do not take any action in five minutes, Windows automatically
> > installs the updates."
> >
> > --------------------------------------------
> >
> > I actually tested this in Win 2000 Pro to see if it was working as the
> > article states:
> >
> > IT DID WORK! (Whether it will work consistently in the future is another
> > question.)
> >
> > (I needed to verify that auto updates was working under Limited user accounts
> > because I was suspicious that I was not getting some updates)
> >
> > After the reboot, the limited user can log back in, and work normally.
> >
> > However, with XP, if SP2 had been downloaded via AutoUpdates I'm thinking that
> > an Admin login might have been required after reboot. (to complete the SP2
> > install)
> >
> > SP2 would have hopefully required Admin intervention to be installed.
> >
> > Can anyone confirm or deny if Auto Updates (in XP) does in fact download
> > and install XP SP2 automatically? I would hope not.
> >
> > I have also noticed other "Windows Updates" such as IE program updates that
> > required Admin login after the reboot in order to complete the install.
> >
> > (In fact Windows would not let the limited user log in until an Admin had
> > logged in first, so that the update could complete.) But these may just have
> > been updates from "Windows Update" instead of "Automatic Updates".
> >
> > Thanks.
> >
> >
> > "Noel Paton" wrote:
> >
> >> IIRC, you're correct, - http://support.microsoft.com/?kbid=327838
> >> gives some useful advice....
> >>
> >> "If you are logged on as an administrator, the Automatic Updates feature in
> >> Windows notifies you when critical updates are available for your computer.
> >> There is a new Automatic Updates feature that you can use to specify the
> >> schedule that Windows follows to install updates on your computer. This
> >> article describes how to install this new Automatic Updates feature in
> >> Microsoft Windows XP and Microsoft Windows 2000 and how to use it to
> >> schedule Automatic Updates."
> >>
> >> HTH
> >>
> >> --
> >> Noel Paton (MS-MVP 2002-2005, Windows)
> >>
> >> Nil Carborundum Illegitemi
> >> http://www.btinternet.com/~winnoel/millsrpch.htm
> >> http://tinyurl.com/6oztj
> >>
> >> Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
> >>
> >> "en7ropia" <en7ropia@discussions.microsoft.com> wrote in message
> >> news:BD5F53DE-1C68-4199-BA14-0C4792B2F7ED@microsoft.com...
> >> > Actually, I think Automatic Updates is supposed to download but NOT INSTALL
> >> > the updates while running under a Limited User account.
> >> >
> >> > Can anyone confirm this?
> >> > Thanks.
> >> >
> >> > "Lokesh Dave [MSFT]" wrote:
> >> >
> >> >> The Automatic Updates process runs as a service and you don't need to be
> >> >> logged on as an admin for AU to be able to detect, download or install
> >> >> updates. You could set Automatic Updates to install updates at a scheduled
> >> >> time. This way the updates will get installed even if you are logged on as a
> >> >> non-admin (and even if you are not logged in at all).
> >> >>
> >> >> Lokesh
> >> >>
> >> >>
> >> >> --
> >> >> This posting is provided "AS IS" with no warranties, and confers no
> >> >> rights.
> >> >>
> >> >>
> >> >> "en7ropia" wrote:
> >> >>
> >> >> > That doesn't answer my question.
> >> >> >
> >> >> > In any case, I would be fine with the Automatic Updates "process" running
> >> >> > as admin in order to get the updates downloaded and installed. I find this
> >> >> > to be a serious issue. One should not be forced to be logged in as an
> >> >> > administrator to acquire updates. What am I to do if I don't want a user to
> >> >> > be able to have administrative access to a machine. How then does that user
> >> >> > get their Automatic Updates? (Someone has to log in as administrator to run
> >> >> > them??)
> >> >> >
> >> >> > There needs to be a way to have the "Automatic Updates" run under the
> >> >> > administrator account, without the "limited user" having to type in an
> >> >> > administrator password every time it needs to run.
> >> >> >
> >> >> > Basically, It would be nice if I could tell "Automatic Updates" to run under
> >> >> > the Admin account (I would have to type the admin password once to configure
> >> >> > this)
> >> >> >
> >> >> > From then on it would run under the Admin account without prompting for
> >> >> > password. (And this "Admin credential" would apply to AutoUpdates
> >> >> > ONLY!!!!!)
> >> >> >
> >> >> > RunAs.exe is a security problem because once you /savecred, anyone can runas
> >> >> > ANY PROCESS!!! under the administrator account without a password.
> >> >> >
> >> >> > Thanks.
> >> >> >
> >> >> > "Noel Paton" wrote:
> >> >> >
> >> >> > > By definition, anything that runs as an Admin is a security risk -
> >> >> > > the user has to evaluate that risk and decide if it's worth it.
> >> >> > > (there are a good few things that will also run in a Limited User
> >> >> > > account that are also Security risks - have you stopped them yet?)
> >> >> > >
> >> >> > > --
> >> >> > > Noel Paton (MS-MVP 2002-2005, Windows)
> >> >> > >
> >> >> > > Nil Carborundum Illegitemi
> >> >> > > http://www.btinternet.com/~winnoel/millsrpch.htm
> >> >> > > http://tinyurl.com/6oztj
> >> >> > >
> >> >> > > Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
> >> >> > >
> >> >> > > "en7ropia" <en7ropia@discussions.microsoft.com> wrote in message
> >> >> > > news:B038814A-72D3-498E-8EA1-00DE9C20DE07@microsoft.com...
> >> >> > > > Does anyone know if Microsoft supports a method of having Automatic
> >> >> > > > Updates run "Automatically" under a Limited User account?
> >> >> > > >
> >> >> > > > I have looked into "RunAs" but for it to not prompt for an administrator
> >> >> > > > password, you must use the /savecred parameter which is a security
> >> >> > > > problem.
> >> >> > > >
> >> >> > > > Thanks.
> >> >> > >
> >> >> > >
> >> >> > >
> >>
> >>
> >>
>
>
>
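
Added example (not part of the original thread, and not Microsoft's own code): a read-only PowerShell check of the two things the thread turns on, namely which account the Automatic Updates service runs under and whether it is set to install on a schedule, plus any credentials saved for the current user (where runas /savecred stores them). It assumes a current Windows with PowerShell 3 or later, that Automatic Updates is configured through the policy registry key, and English-language cmdkey output; the function name Get-AutoUpdateAudit is hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the machine.
function Get-AutoUpdateAudit {
    # Account the Automatic Updates (Windows Update) service runs under.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"

    # Policy-configured settings. The key is absent when no policy is set.
    $auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $modes = @{
        2 = 'Notify before download'
        3 = 'Download automatically, notify before install'
        4 = 'Download automatically, install on schedule'
        5 = 'Local administrator chooses the mode'
    }
    $days = 'Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday',
            'Thursday', 'Friday', 'Saturday'

    $mode = 'Not configured by policy'
    $schedule = $null
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $mode = 'Disabled by policy'
    } elseif ($au -and $null -ne $au.AUOptions) {
        $mode = $modes[[int]$au.AUOptions]
        if ([int]$au.AUOptions -eq 4 -and $null -ne $au.ScheduledInstallDay) {
            $schedule = '{0} at {1:00}:00' -f $days[[int]$au.ScheduledInstallDay],
                                              [int]$au.ScheduledInstallTime
        }
    }

    # Credentials stored for the current user, which is where
    # "runas /savecred" keeps the saved administrator password.
    # Matching on "Target:" assumes English-language cmdkey output.
    $saved = @(cmdkey.exe /list | Select-String -Pattern 'Target:' |
        ForEach-Object { $_.Line.Trim() })

    [pscustomobject]@{
        ServiceAccount   = $svc.StartName
        ServiceStartMode = $svc.StartMode
        UpdateMode       = $mode
        InstallSchedule  = $schedule
        SavedCredentials = $saved
    }
}

Get-AutoUpdateAudit | Format-List
```

Run it from the limited user's own session: a ServiceAccount of LocalSystem with a scheduled install mode means updates install without an administrator logging on, and an empty SavedCredentials list means no saved administrator password is available to that user.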

