Wednesday, January 2, 2008

Fixing Incorrect Directory Permissions in WSUS 3.0

I have a client with a fairly large WSUS deployment, comprised of 36 WSUS servers servicing over 10,000 computers and servers in a distributed environment. Recently, we upgraded the entire WSUS 2.0 SP1 infrastructure to WSUS 3.0. I noticed the following event on many, but not all, of the WSUS downstream servers:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Core
Event ID: 10012
Date: 1/2/2008 Time: 7:30:49 AM
User: N/A
Computer: SAFS01
Description: The permissions on directory D:\WSUS are incorrect.
For more information, see Help and Support Center at blah, blah, blah

These servers also suddenly began to fail its synchronization from the upstream server. Strangely, they all had been working fine for a few weeks after the upgrade. The solution is to modify the directory permissions as follows:
  • The root folder of the local content directory must have at least Read permissions for the Users security group and the NT Authority\Network Service account. In other words, if the WSUS content directory is D:\WSUS\WSUSContent, the D:\WSUS directory must have the correct permissions. The BITS service will fail if these permissions are not set.
  • The content directory itself (in the above example, the WSUSContent directory) must have Full Control permissions for the NT Authority\Network Service account.
  • The temporary ASP.NET directory (%windir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files) must have Full Control permissions for the NT Authority\Network Service account.
  • The system %TEMP% directory (usually %windir%\TEMP) must have Full Control permissions for the NT Authority\Network Service account.

After the permissions have been set correctly restart the Update Services service and check the Application event log for errors. You should be able to perform a synchronization successfully now.





8:01 AM