Appendix D: Permissions on WSUS Directories and Registry Keys
Applies To: Windows Server 2003 with SP2, Windows Server Update Services
Troubleshooting Web services often involves checking permissions on related directories and registry keys. The following sections will explain in detail how to check permissions on WSUS Web services directories and registry keys.
The cacls system command
The cacls system command displays or modifies file or directory access control lists (ACLs). The output of this command specifies the level of access (f=full control, w=write, r=read, n=none) and whether or not the access is inherited by subdirectories (OI=this folder and files, CI=this folder and subfolders, IO=does not apply). See the cacls command reference (https://go.microsoft.com/fwlink/?LinkId=81084) for more information.
The WSUS installation creates several Web service directories.
WSUSInstallDir\WebServices\apiremoting30 (where WSUSInstallDir is the directory where WSUS has been installed)
All of the directories above (except for the self-update directory) should have the following ACLs:
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)R
NT AUTHORITY\Authenticated Users:(OI)(CI)R
The self-update directory should have the following ACLs:
Permissions on WSUS registry keys
The following permissions are set for the registry during WSUS setup.
The Users and WSUS Reporters group must have Read access to the \HKLM\Software\Microsoft\Update Services\Server registry key.
The following accounts must have Full Control permissions to the \HKLM\Software\Microsoft\Update Services\Server\Setup registry key: