Fixing Incorrect Directory Permissions in WSUS 3.0

Wednesday, January 2, 2008
I have a client with a fairly large WSUS deployment, comprised of 36 WSUS servers servicing over 10,000 computers and servers in a distributed environment. Recently, we upgraded the entire WSUS 2.0 SP1 infrastructure to WSUS 3.0. I noticed the following event on many, but not all, of the WSUS downstream servers:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Core
Event ID: 10012
Date: 1/2/2008 Time: 7:30:49 AM
User: N/A
Computer: SAFS01
Description: The permissions on directory D:\WSUS are incorrect.
For more information, see Help and Support Center at blah, blah, blah

These servers also suddenly began to fail its synchronization from the upstream server. Strangely, they all had been working fine for a few weeks after the upgrade. The solution is to modify the directory permissions as follows:
  • The root folder of the local content directory must have at least Read permissions for the Users security group and the NT Authority\Network Service account. In other words, if the WSUS content directory is D:\WSUS\WSUSContent, the D:\WSUS directory must have the correct permissions. The BITS service will fail if these permissions are not set.
  • The content directory itself (in the above example, the WSUSContent directory) must have Full Control permissions for the NT Authority\Network Service account.
  • The temporary ASP.NET directory (%windir%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files) must have Full Control permissions for the NT Authority\Network Service account.
  • The system %TEMP% directory (usually %windir%\TEMP) must have Full Control permissions for the NT Authority\Network Service account.

After the permissions have been set correctly restart the Update Services service and check the Application event log for errors. You should be able to perform a synchronization successfully now.





10 comments:

  1. It helped me too.. Thanks

    ReplyDelete
  2. Thanks for helping to solve my WSUS problem!

    ReplyDelete
  3. This worked, but I also had to change premissions on D:\ for some reason.

    I'm still getting a "failed to download" message though, maybe this will clear.

    ReplyDelete
  4. I had to give NT Authority\Network Service account read on the root of the drive too. Thanks

    ReplyDelete
  5. Hi! Thanks for the article,

    It's secure giving to the system %TEMP% directory Full Control permissions for the NT Authority\Network Service account ?


    Thanks!

    ReplyDelete
  6. Just to add, I started getting "The permissions on directory D:\ are incorrect" after I did the above, additionally needed to give NETWORK SERVICE Read, Read / Execute & List Folder Contents on the ENTIRE D Drive.

    ReplyDelete
  7. again, just for clarification purposes, this is secure, correct?

    ReplyDelete
  8. Thank you, Jeff.

    ReplyDelete
  9. You rock, this solved my issue!! Woot Woot!

    ReplyDelete

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.