We have a Windows 2008 standard Terminal Server which runs our business management software, which itself requires local admin access to run.
When Automatic Updates are available users are presented with the option to restart, and it only takes one user to restart to take the whole system offline for everyone else.
We've disabled notifications for domain users using a Group Policy, but can't find any way to prevent Local Admins from getting them. Is there way to do this? Disabling access to the Restart/Shutdown options doesn't prevent the users from restarting from an Automatic Update prompt.
Best Answer
AFAIK, you have two way of doing that: - Install a WSUS Server and don't push any updates to the machine group your TS server is member of (create one for this). - Disable automatic updates altogether and, when needed, do a manual update.
There is no way to prevent an admin user from changing these parameters, but at least, it won't be automatic. You might consider finding a way to run your CMS software without admin rights, though. It's usually possible to do so by changing permissions on files, registry keys and database objects (although, obviously, is the application checks if it holds admin rights, you're not going to go very far).
Another option would be to use virtual desktops but that's usually waaaay more expensive.