[ActiveDir] OT: WSUS and Windows Update GPO Settings

Mon, 23 May 2005 12:56:16 -0700 

Hi all,
I've attached an administrative template you may find beneficial for allowing non administrators the privilege to approve or disapprove updates. I noticed that in our environment, the remote IS Administrators were not able to delay the restart of a computer (in this case a domain controller) because they are not part of the domain administrators group but only server operators. The only option they were presented was to restart now without the capability to exit the window. 


Of course, like everything else there is a registry hack for this (well 
documented in Deploying Microsoft Windows Server Update Services). So then I 
wondered wouldn't it be nice if this option was part of the same Windows 
Update policy settings. So I came up with the following:



As recommended by Microsoft although you can edit the Administrative 
Templates that are included with Windows 2000, Microsoft recommends that you 
either create a new template or edit a copy of an existing Administrative 
Template. You must do so because the existing templates may have been 
updated or changed if you installed service packs or other updates to 
Windows.


Please test before usage.
Copy the code and save as whatever.adm.

Thanks,

-------------------------------------------------------------------------------------------------------------
CLASS MACHINE
CATEGORY !!WindowsComponents
   CATEGORY !!WindowsUpdateCat

        POLICY !!ElevateNonAdmins
                KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate"
                #if version >= 4
                    SUPPORTED !!SUPPORTED_WindowXPSP1
                #endif
                VALUENAME "ElevateNonAdmins"
                        VALUEON  NUMERIC 1
                        VALUEOFF NUMERIC 0
                EXPLAIN !!ElevateNonAdmins_Help
        END POLICY

END CATEGORY ;; WindowsUpdateCat
END CATEGORY ;; WindowsComponents

[strings]
WindowsComponents="Windows Components"
WindowsUpdateCat="Windows Update"
SUPPORTED_WindowXPSP1="Windows Server 2003, XP SP1, 2000 SP3"
Categoryname="Windows Update"
ElevateNonAdmins="Assign Elevated Privileges to Non-Administartors"

ElevateNonAdmins_Help="If you enable this policy, Users in the users 
security group are allowed to approve or disapprove updates. Also, these 
users such as non-domain administrators have the option to delay restarting 
the computer after updates have installed. If the status is set to Disabled 
or Not Configured, Only users in the Administrators user group can approve 
or disapprove updates"



List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/














    











					Reply via email to