Cannot access the WSUS console

  • Article

Applies To: Windows Server Update Services

If you get an error when using or trying to access the WSUS console, use the following information to troubleshoot the problem.

Grant users permissions for WSUS console access

If users do not have appropriate permissions for the WSUS console, they receive an "access denied" message when trying to access the WSUS console. You must be a member of the Administrators group or the WSUS Administrators group on the server on which WSUS is installed in order to use the WSUS console.

Note

If WSUS is installed on a domain controller, only a member of the Domain Administrator group can use the WSUS console.

To add a user to the WSUS Administrators group

  1. On the WSUS server, click Start, click Administrative Tools, and then click Computer Management.

  2. In Computer Management, expand Local Users and Groups, click Groups, and then double-click WSUS Administrators.

  3. In the WSUS Administrators Properties dialog box, click Add.

  4. In the Enter the object names to select (examples) box, type the object name, and then click OK.

You cannot access the WSUS console with an IP address when WSUS is configured to use a proxy server

If you have WSUS configured to use a proxy server, then you cannot access the WSUS console by using an IP address. To work around this issue, use a domain name to access the WSUS server, for example, for the user name, type: DomainName\user name for the user name, when prompted to log in on the WSUS console.

Cannot access the WSUS console and a timeout error message appears

If you cannot access the WSUS console and a timeout error message appears, the CPU of the WSUS server may be at, or very close to, maximum utilization, causing the database to time out. If the database software times out, the WSUS console cannot be displayed.

One way of inadvertently overtaxing your WSUS server is to have antivirus software installed on it, which is monitoring the WSUS content directory. During synchronization, the antivirus software can overload out the CPU. You can work around this situation by setting the antivirus software to ignore where WSUS content is stored.

Cannot access the WSUS console on a Windows 2000 server after applying the hisec server.inf security template

This issue applies only to Windows 2000 servers. If you cannot access the WSUS administrative console after applying the hisec server.inf security template, you need to relax security permissions for ASP.NET and IWAM local machine accounts in order for the WSUS console to function.

The workaround is to give read access for IWAM and ASP.NET accounts to the following registry key.

HKEY_LOCAL_MACHINE\software\microsoft\update services

To give read access for the IWAM account on Windows 2000 Server configured as a domain controller

  1. Click Start, and then click Run.

  2. In the Open box, type regedit.exe and then click OK.

  3. In Registry Editor, navigate to the following key:

    HKEY_LOCAL_MACHINE \Software\Microsoft\Update Services

  4. Point to Edit, and then click Permissions.

  5. In the Permissions for Microsoft Windows Server Update Services properties dialog box, click Add.

  6. In the Select Users, Computers, or Groups box, click Locations.

  7. In the Locations dialog box, select the local computer, and then click OK.

  8. In the Select Users, Computers, or Groups box, type computer_name**\ASPNET** and computer_name**\IWAM_computer_name in the Enter the object name to select (examples) box. Use a semicolon to separate names. For example, type computer_name\ASPNET;computer_name\IWAM_**computer_name

    where computer_name is the name of the computer.

  9. Select computer_name**\ASPNET**, and click the Read box in the Allow column.

  10. Select computer_name**\IWAM_**computer_name, and click the Read box in the Allow column, and then click OK.

Promoting the WSUS server to a domain controller might disrupt your ability to access the WSUS console

When you promote a WSUS server to a domain controller and then try to access the WSUS console, you might receive a message similar to the following:

Server Error in '/' Application.

Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\wsusadmin\8c91a6b5\649b28ba\global.asax.xml" is denied.

This occurs if IIS 6.0 and ASP.NET are installed on the server before the server is promoted to a domain controller. This is because the Network Service group does not have sufficient permissions for the Temporary ASP.NET Files folder. To avoid this problem, make sure that you promote the WSUS server to a domain controller before you install IIS 6.0 and ASP.NET. To resolve this issue, enable appropriate permissions for the Network Service group by using the following procedure.

To enable appropriate permissions for the Network Service group

  1. Click Start, and then click Run.

  2. In the Open box, type cmd, and then click OK.

  3. At the command prompt, type the following, and then press ENTER:

    drive:\windows\microsoft .net\framework\v1.1.4322\aspnet_regiis -i

    where drive is the drive letter of the disk on which you installed Windows.

Cannot access the WSUS console on Windows 2000 Server configured as a domain controller

If you cannot access the WSUS administrative console and you are using Windows 2000 Server configured as a domain controller, you need to relax security permissions for ASP.NET in order for the WSUS console to function. The workaround is to give read access for IWAM account to %windir%\assembly.

To give read access for the IWAM account on Windows 2000 Server configured as a domain controller

  • At the command prompt, type the following, and then press ENTER:

    cacls %windir%\assembly /e /t /p IWAM_xxxx:R

    where %windir% is the Windows directory of the computer and where IWAM_xxxx is the IWAM computer account.

For details, see the Knowledge Base article at https://support.microsoft.com/default.aspx?scid=kb;[LN];317012