I have a problem in that a lot of the users in the network are able to use
windows update, even though they don't have the permissions to do so. I think
this was set up so people could install iTunes and the like, but I'm not
sure, (I've only been working here for four weeks).

I would like it so that people can still install iTunes and similar
programs, but they cant access windows update.



Any help would be appreciated,

Thanks

Matt

In a corporate network why would you want normal users to have permissions
to install iTunes and similar programs? You can probably use a group policy
to prevent them from running Windows Update, but how are you doing the
patching necessary on both the SBS and workstations?

"Matt" <Matt@newsgroup> wrote in message
news:C849EF78-0815-4FD2-A2CB-DE1E3D4BEAB7@newsgroup

>I have a problem in that a lot of the users in the network are able to use
> windows update, even though they don't have the permissions to do so. I
> think
> this was set up so people could install iTunes and the like, but I'm not
> sure, (I've only been working here for four weeks).
>
> I would like it so that people can still install iTunes and similar
> programs, but they cant access windows update.
>
> Any help would be appreciated,
>
> Thanks
>
> Matt

Several comments:

I agree with Steve, users should not have admin rights on the workstations.
What I do is to create a local admin account and the office manager has the
password. So if someone needs work-appropriate software installed or
updated, they can get him and he'll enter the credentials at the UAC prompt.
This is a domain user account so that access is granted to server resources
(such as shares containing app installers or patches), and a local
administrator on the client PCs, but NOT a domain admin account.

What are the users getting from Windows Update that you object to them
having? I'm surprised they bother with attempting to update the PC in the
first place, but I don't think you're going to have much success in
preventing them doing so in the absence of making them standard users rather
than administrators.

I'm surprised that you want to block them from applying security or other
updates from MS, but you're ok with them installing iTunes, generally
considered one of the buggiest programs on Windows.

I occasionally use Microsoft Update when troubleshooting a client PC - just
to make sure there's not a relevant update I somehow overlooked or
accidentally declined in WSUS. If you figure out a way to disable admins
from using WU or MU, you'd lose the ability to do that. (I'm not aware of a
way to do it in group policy, so I'm thinking you'd probably have to block
it at the firewall).



"SteveB" <newsgroup@newsgroup> wrote in message
news:ex7Pt529KHA.4308@newsgroup

> In a corporate network why would you want normal users to have permissions
> to install iTunes and similar programs? You can probably use a group
> policy to prevent them from running Windows Update, but how are you doing
> the patching necessary on both the SBS and workstations?
>
> "Matt" <Matt@newsgroup> wrote in message
> news:C849EF78-0815-4FD2-A2CB-DE1E3D4BEAB7@newsgroup

>>I have a problem in that a lot of the users in the network are able to use
>> windows update, even though they don't have the permissions to do so. I
>> think
>> this was set up so people could install iTunes and the like, but I'm not
>> sure, (I've only been working here for four weeks).
>>
>> I would like it so that people can still install iTunes and similar
>> programs, but they cant access windows update.
>>
>> Any help would be appreciated,
>>
>> Thanks
>>
>> Matt

>
>