Matt
07-09-2005, 11:38 PM
Hey James. I had this problem as well.
In my case it was a group policy that was interfering with the updates.
The computer I was trying to update was in an OU that had a GP setting to
auto download Windows updates from one of the servers on our network. The
policy was in Computer Configuration>Administrative Templates> Windows
Components/Windows Updates>.
The name of the policy in that container was "Specify intranet Microsoft
update service location" and it was set to enabled and was pointing to one of
our servers on our local intranet.
To fix the problem I moved the computer that I was trying to install on to a
OU that had no Group Policy and the updates went fine after that.
So in short, you may want to have a look at your domain Group Policy not
your local.
"James Fabulous" wrote:
> We appear to be having the a problem here on a number of clients (though
> not all clients). Users (who are administrators of their local machines
> through
> domain group membership) are unable to install the last set of updates. Our
> workaround has been to log into the machine as a domain administrator and
> run windows update/ automatic update (either) and the updates will install.
> I have listed errors from log files below. Having google'd the issue as
> well I found suggestions to check security policy settings comparing local
> settings to effective settings - everything checks out here (and we are not
> currently using any non-default group policy). Installing any update(s)
> alone also fails with the same error. Any help would be greatly appreciated
> as it is not possible to log into client computers as domain admins if they
> are off-site and we would obviously like to find a cause so that the
> situation can be avoided in the future.
>
> Thanks to all of you!
>
> FROM KB873333.log
> 0.070: 2005/02/25 10:31:03.696 (local)
> 0.070: c:\e1e07c4741b397d55d08\update\update.exe (version 5.5.33.0)
> 0.070: Failed To Enable SE_SECURITY_PRIVILEGE
> 0.070: Setup encountered an error: You do not have permission to update
> Windows 2000.
> Please contact your system administrator.
> 0.080: You do not have permission to update Windows 2000.
> Please contact your system administrator.
> 0.080: Update.exe extended error code = 0xf004
> 0.100:
> ==========================================================================
>
> FROM WindowsUpdate.log
> 2005-02-24 09:17:48 16:17:48 Success IUENGINE Install started
> 2005-02-24 09:17:48 16:17:48 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:17:48 16:17:48 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:17:56 16:17:56 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:17:56 16:17:56 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:17:58 16:17:58 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:17:58 16:17:58 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:01 16:18:01 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:18:01 16:18:01 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:04 16:18:04 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:18:04 16:18:04 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:07 16:18:07 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:18:07 16:18:07 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:09 16:18:09 Error IUENGINE See iuhist.xml for
> details: Install finished (Error 0x8007F004)
> 2005-02-24 09:18:10 16:18:10 Success IUENGINE Shutting down
> 2005-02-24 09:18:10 16:18:10 Success IUCTL Shutting down
>
> FROM IUHist.log
> <?xml version="1.0" ?>
> - <items
> xmlns="x-schema:http://schemas.windowsupdate.com/iu/resultschema.xml">
> - <itemStatus xmlns="" timestamp="2005-02-25T10:26:55">
> - <identity
> itemID="ie60x.internetexplorer6x.ver_platform_win32_nt.5.0.x86.en...2195.4.0
> ..com_microsoft.q867282_ie6_sp1_updateexe." name="Q867282_IE6_SP1_updateexe">
> <publisherName>com_microsoft</publisherName>
> </identity>
> - <description priority="3" hidden="0">
> <size>3891464</size>
> - <descriptionText>
> <title>Cumulative Security Update for Internet Explorer 6 Service Pack 1
> (KB867282)</title>
> <eula href="/msdownload/update/v3/static/eula/en/eula.htm" />
> A security issue has been identified that could allow an attacker to
> compromise a computer running Microsoft Internet Explorer and gain control
> over it. You can help protect your computer by installing this update from
> Microsoft. After you install this item, you may have to restart your
> computer.
> </descriptionText>
> </description>
> - <platform name="ver_platform_win32_nt">
> <processorArchitecture>x86</processorArchitecture>
> <version major="5" minor="0" build="2195" servicePackMajor="4"
> servicePackMinor="0" />
> </platform>
> <installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />
> <client>au</client>
> </itemStatus>
>
>
>
>
In my case it was a group policy that was interfering with the updates.
The computer I was trying to update was in an OU that had a GP setting to
auto download Windows updates from one of the servers on our network. The
policy was in Computer Configuration>Administrative Templates> Windows
Components/Windows Updates>.
The name of the policy in that container was "Specify intranet Microsoft
update service location" and it was set to enabled and was pointing to one of
our servers on our local intranet.
To fix the problem I moved the computer that I was trying to install on to a
OU that had no Group Policy and the updates went fine after that.
So in short, you may want to have a look at your domain Group Policy not
your local.
"James Fabulous" wrote:
> We appear to be having the a problem here on a number of clients (though
> not all clients). Users (who are administrators of their local machines
> through
> domain group membership) are unable to install the last set of updates. Our
> workaround has been to log into the machine as a domain administrator and
> run windows update/ automatic update (either) and the updates will install.
> I have listed errors from log files below. Having google'd the issue as
> well I found suggestions to check security policy settings comparing local
> settings to effective settings - everything checks out here (and we are not
> currently using any non-default group policy). Installing any update(s)
> alone also fails with the same error. Any help would be greatly appreciated
> as it is not possible to log into client computers as domain admins if they
> are off-site and we would obviously like to find a cause so that the
> situation can be avoided in the future.
>
> Thanks to all of you!
>
> FROM KB873333.log
> 0.070: 2005/02/25 10:31:03.696 (local)
> 0.070: c:\e1e07c4741b397d55d08\update\update.exe (version 5.5.33.0)
> 0.070: Failed To Enable SE_SECURITY_PRIVILEGE
> 0.070: Setup encountered an error: You do not have permission to update
> Windows 2000.
> Please contact your system administrator.
> 0.080: You do not have permission to update Windows 2000.
> Please contact your system administrator.
> 0.080: Update.exe extended error code = 0xf004
> 0.100:
> ==========================================================================
>
> FROM WindowsUpdate.log
> 2005-02-24 09:17:48 16:17:48 Success IUENGINE Install started
> 2005-02-24 09:17:48 16:17:48 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:17:48 16:17:48 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:17:56 16:17:56 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:17:56 16:17:56 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:17:58 16:17:58 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:17:58 16:17:58 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:01 16:18:01 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:18:01 16:18:01 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:04 16:18:04 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:18:04 16:18:04 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:07 16:18:07 Success IUENGINE Installing SOFTWARE
> item from publisher com_microsoft
> 2005-02-24 09:18:07 16:18:07 Success IUENGINE Installer Command
> Type: EXE
> 2005-02-24 09:18:09 16:18:09 Error IUENGINE See iuhist.xml for
> details: Install finished (Error 0x8007F004)
> 2005-02-24 09:18:10 16:18:10 Success IUENGINE Shutting down
> 2005-02-24 09:18:10 16:18:10 Success IUCTL Shutting down
>
> FROM IUHist.log
> <?xml version="1.0" ?>
> - <items
> xmlns="x-schema:http://schemas.windowsupdate.com/iu/resultschema.xml">
> - <itemStatus xmlns="" timestamp="2005-02-25T10:26:55">
> - <identity
> itemID="ie60x.internetexplorer6x.ver_platform_win32_nt.5.0.x86.en...2195.4.0
> ..com_microsoft.q867282_ie6_sp1_updateexe." name="Q867282_IE6_SP1_updateexe">
> <publisherName>com_microsoft</publisherName>
> </identity>
> - <description priority="3" hidden="0">
> <size>3891464</size>
> - <descriptionText>
> <title>Cumulative Security Update for Internet Explorer 6 Service Pack 1
> (KB867282)</title>
> <eula href="/msdownload/update/v3/static/eula/en/eula.htm" />
> A security issue has been identified that could allow an attacker to
> compromise a computer running Microsoft Internet Explorer and gain control
> over it. You can help protect your computer by installing this update from
> Microsoft. After you install this item, you may have to restart your
> computer.
> </descriptionText>
> </description>
> - <platform name="ver_platform_win32_nt">
> <processorArchitecture>x86</processorArchitecture>
> <version major="5" minor="0" build="2195" servicePackMajor="4"
> servicePackMinor="0" />
> </platform>
> <installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />
> <client>au</client>
> </itemStatus>
>
>
>
>