No logon possible with "Administrator" Account

Similar Messages

• Failure of ACL setting for CIFS share resource on Windows client logined with administrator account

  Hi,
    We accounter a puzzle of ACL setting for a CIFS share resource. In our application, we use the
  administrator account to login a Windows 7 OS which is used as the CIFS client. We can access the share resource by "\\server_ip" on  this CIFS client,  but we can't add
  a new ACE to the ACL of a CIFS share resource provided by a CIFS server.
  Why dose this hanppen? Note that the CIFS server maybe a Windows OS or a self-developed CIFS server. 
    The operation details as followed:
  1.Access the share resource by "\\server_ip", login the CIFS server by a valid account on the CIFS server.
  2.On the Windows client, select the "Security" panel in the mouse-right-button properties dialog of a cifs share resource.
  3.To add a new ACE for someone eg. user0, we input "user0" in the "Select Users ans Groups" dialog popped up.
  4.Click OK, but the Windows client will not get the user information for user0 from the CIFS server.
  WHY?
  5.By wireshare network trace, we find the Windows client didn't send any SAMR requests to the CIFS server.
  6.Restart the Windows client OS and login again with another account except administrator, carry out the above operations. We find that the Windows client can get the user information, opposite with the step 4 above.
  WHY?
  7.By wireshare network trace, we find that the Windows client has sent SAMR requests to the CIFS server to get user informations. But that is different from step 5,  WHY?
  If the Windows client OS is login with administrator account, is there any configuration on Windows client to decide whether request user information on CIFS server when setting ACL for CIFS share resource?
  Expect your help.Thanks.
  Best wishes.

  The purpose of this forum is to support the Open Specifications documentation. You can read about the Microsoft Open Specifications program here,
  http://www.microsoft.com/openspecifications/en/us/default.aspx
  The library of Open Specification documents is located here,
  http://msdn.microsoft.com/en-us/library/dd208104.aspx
  It doesn’t appear that you are implementing one of the protocols cited.  Your question may be more applicable to Technet's Windows Server Platform Networking forum at
  https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverPN or the File Services and Storage forum at
  https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverfiles.
  If you are working on implementing a protocol using the specifications cidet above, please provide more detail.
  Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

• "Block EDIT option*" for all WEBI Reports with Administrator Account

  Hi,
  I had opening CMC with Administrator Account.Due to some reasons i want to "Block EDIT option" for all WEBI Reports.Just Viewing is sufficient.In the same way for Universe"Blocking EDIT object option".Instead of Administrator guide reference (chap no 18 &19)option.Could you help in steps resolving issue.Thanks in advance.
  Regards,
  Swapna.

  Hi Swapna,
  You could perform the following steps:
  1. Login to CMC.
  2. Go to Folders >> Manage >> Top Level Security
  3. Click on Add Principal and add the user or group for which you have to set the security.
  4. Click on assign Security >> Advanced tab >> Add/Remove Rights.
  5. Select Content >> Web Intelligence Report
  6. assignt "Edit Object" right as denied and click on apply ok.
  This would help you to block edit option for only webi reports and all the webi reports in your environment.
  Regards,
  Nakul

• Denying logon to an administrative account

  I'm trying to find a way for user accounts that are used to elevate privileges cannot be logged on to. Like "Deny local logon"
  but with the added benefit of elevating a command prompt with that account.
  Anything like this exist in GPOs? Or any other kind of solution that can give me the same results?

  Hi,
  To deny logon access at the domain level to service administrators,
  please try the following steps:
  Log on with Domain Admins credentials, and then open Active Directory Users and Computers.
  In the console tree, right-click
  domain name, and then click
  Properties.
  On the
  Group Policy tab, click
  Default Domain Policy, and then click
  Edit.
  Expand the policy tree to Computer Configuration\Windows Settings\Security Settings\Local Policies, and then click
  User Rights Assignment.
  In the details pane, double-click
  Deny logon locally.
  Click
  Define these policy settings, and then click
  Add.
  Add all of the service administrator accounts (Administrators, Schema Admins, Enterprise Admins, Domain Admins, Server Operators, Backup Operators, and Account Operators) to the
  list.
  Also, follow the procedure as below for restoring logon capability to administrators so that they can log on to administrative workstations.
  Allowing Logon Access to Administrative Workstations
  http://technet.microsoft.com/en-us/library/dd379005(v=ws.10).aspx
  Hope this helps,
  Ada Liu

• Problems with Administrator Account

  I am presently using my G4 PowerBook while I am away in Australia. It is running system 10.4.11.
  It is set up with three accounts: administrator, my wife's and a visitor's account. Both the administrator account and my wife's can administer the computer. The privileges for the visitor account are very limited.
  During the last few days the administrator account is behaving very oddly. It allows only one window to be open at anytime. For example, if I am running Text Edit and I decide to bring up Safari, the Text Edit window will disappear although the programme continues to run in the background. I have tried running other pairs of programmes and the fault seems to be universal. When I cycle through open programmes by typing Command-Tab, all open programmes are represented.
  Now when I open up my wife's account, the computer behaves normally and one can have multiple windows open and drag and drop as usual.
  I have repaired permissions and run Disk Utiltiy from the original install disk. This process suggests that all is not well with the hard drive. When I ran Tech Tools, from the CD I obtained with my Apple Care, it suggested that the hard drive needed repair. I carried out the repair process and was told that everything was OK.
  I hoped that the upgrade to 10.4.11 would sort out the problem but it has not done so. It is behaving as if there is a check box somewhere that allows for multiple windows that has become unticked. I have searched high and low but have not been able to find anything amiss. I use Macaroni which carries out regular Unix maintenance.
  Any clues, anyone?
  Many thanks in advance.
  David Amies

  Ok, what I will get you to do is take each file I list below and drag it to the desktop, the log out and back in and test. Drag only 1 or 2 at once until the problem disappears. If after moving some files and testing and the issue persists, replace them in the preferences folder. If you pull multiple files to the desktop at once and the problem stops, replace them one at a time until it is apparent what file is the culprit.
  com.apple.finder.plist
  com.apple.dock.plist
  com.apple.desktop.plist
  com.apple.dashboard.plist
  com.apple.dashboard.client.plist
  com.apple.FolderActions.plist
  com.apple.FolderActionsSetup.plist
  com.apple.LaunchServices.plist
  com.apple.help.plist
  com.apple.helpviewer.plist
  com.apple.MenuBarClock.plist
  If none of those work, message me back for a few more.
  Good luck!

• Accessing standard account files with administrator account

  i have a macbook where in i have my own administrative account and a standard guest account. the thing that bothers me is that even though i am an administrator and the guest account is not, i still cant access the guests files while logged into my administrator account. is there anyway to do this?
  thank you

  As an administrator, you can temporarily change the ownership of another user's files or folders if you need to access them. You can also use the Terminal's sudo command to access them as root. You may get a warning about respecting other's privacy.

• Help with administrator account

  I have a problem I have a macbook and under accounts my name shows up and it says stander. I am fairly new to using a mac and when I try to make a change it ask me for the administrators name and password I am not sure what it is. Can anyone help me with this thanks

  Hello tinkerbell:
  Welcome to Apple discussions.
  I think this knowledge base article will help you fix the problem:
  http://docs.info.apple.com/article.html?artnum=306876
  Barry
  By the by, this forum is for OS X 10.4 (Tiger) questions, not OS X 10.5 (Leopard). That is probably why you did not get an earlier response.

• How to install and Configure sharepoint foundation on administrator account ??

  Hi there guys dev
  I want to try sharepoint foundation for first time .
  I installed windows server 2012 ans sql server 2012 and then installed sharepoint foundation 2013 .
  now when I want to create a new server farm enter my windows name as database name and then enter my administrator account name as username ans it's passwors as password but after then when I click on next to create new server farm give this error :
  "the administrator account can't use for new server "
  please help how can I create a new server farm with administrator account .
  I don't want to create it with  the active directory domain and add new forest and create it with my domain name ?
  if does it a way to create a new server farm with administrator account so please help to create it ?
  thanks dear
  Great Regards :
  Raha
  whit the best regard : Raha

  Hi Raha,
  According to your description, my understanding is that you got an error when you created a new farm with the administrator account by runnning configuration wizard.
  Is the SQL Server installed in the server that hosted SharePoint 2013 Foudation? If not, please make sure the server hosted SQL Server has the same account with the server hosted SharePoint 2013 Foudation.
  Please run the SharePoint 2013 Products Configuration wizard with ‘Run as administrator’.When you entered the user’s name, please use the format ‘domain\user_name’.
  In addition, please check the log file to find more information about this issue. The path is : C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS.
  Also , you can use Event Viewer to find the log by Start->Run->event viewer.
  Here is an article for installing and configuring SharePoint 2013,  please take a look at:
  http://sharepointv15.wordpress.com/2012/07/19/installing-sharepoint-2013-preview/
  I hope this helps.
  Thanks,
  Wendy
  Wendy Li
  TechNet Community Support

• I can NOT activate Dictation because of Parental Controls on a Administrator Account (The only one account in my Mac -Invited account inactive-)?

  I try to use Dictation but I can't, my Administrator Account appears weirdly gestioned by Parental controls! I try to deactivate it but it says that I can't use parental controls with Administrator Accounts, that It is kind of obvious but it actually is a fact in this case!

  Step by step, how did you arrive at seeing this agreement?

• How to launch an application with elevated administrator account privilege from windows service even if the account has not yet logon

  Here is the case:
  OS environment: Windows 7
  There are two user accounts in my system, standard user "S" and administrator account "A", and there is a windows service running with "Local System" privilege.
  Now i logged-in with account "S", and i want to launch an application with elevated administrator account "A" from that service program, so here is the code snippet:
  int LaunchAppWithElevatedPrivilege (
  LPTSTR lpszUsername, // client to log on
  LPTSTR lpszDomain, // domain of client's account
  LPTSTR lpszPassword, // client's password
  LPTSTR lpCommandLine // command line to execute e.g. L"C:\\windows\\regedit.exe"
  DWORD dwExitCode = 0;
  HANDLE hToken = NULL;
  HANDLE hFullToken = NULL;
  HANDLE hPrimaryFullToken = NULL;
  HANDLE lsa = NULL;
  BOOL bResult = FALSE;
  LUID luid;
  MSV1_0_INTERACTIVE_PROFILE* profile = NULL;
  DWORD err;
  PTOKEN_GROUPS LocalGroups = NULL;
  DWORD dwLength = 0;
  DWORD dwSessionId = 0;
  LPVOID pEnv = NULL;
  DWORD dwCreationFlags = 0;
  PROCESS_INFORMATION pi = {0};
  STARTUPINFO si = {0};
  __try
  if (!LogonUser( lpszUsername,
  lpszDomain,
  lpszPassword,
  LOGON32_LOGON_INTERACTIVE,
  LOGON32_PROVIDER_DEFAULT,
  &hToken))
  LOG_FAILED(L"GetTokenInformation failed!");
  __leave;
  if( !GetTokenInformation(hToken, (TOKEN_INFORMATION_CLASS)19, (VOID*)&hFullToken,
  sizeof(HANDLE), &dwLength))
  LOG_FAILED(L"GetTokenInformation failed!");
  __leave;
  if(!DuplicateTokenEx(hFullToken, MAXIMUM_ALLOWED, NULL,
  SecurityIdentification, TokenPrimary, &hPrimaryFullToken))
  LOG_FAILED(L"DuplicateTokenEx failed!");
  __leave;
  DWORD dwSessionId = 0;
  WTS_SESSION_INFO* sessionInfo = NULL;
  DWORD ndSessionInfoCount;
  bResult = WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &sessionInfo, &ndSessionInfoCount);
  if (!bResult)
  dwSessionId = WTSGetActiveConsoleSessionId();
  else
  for(unsigned int i=0; i<ndSessionInfoCount; i++)
  if( sessionInfo[i].State == WTSActive )
  dwSessionId = sessionInfo[i].SessionId;
  if(0 == dwSessionId)
  LOG_FAILED(L"Get active session id failed!");
  __leave;
  if(!SetTokenInformation(hPrimaryFullToken, TokenSessionId, &dwSessionId, sizeof(DWORD)))
  LOG_FAILED(L"SetTokenInformation failed!");
  __leave;
  if(CreateEnvironmentBlock(&pEnv, hPrimaryFullToken, FALSE))
  dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
  else
  pEnv=NULL;
  if (! ImpersonateLoggedOnUser(hPrimaryFullToken) )
  LOG_FAILED(L"ImpersonateLoggedOnUser failed!");
  __leave;
  si.cb= sizeof(STARTUPINFO);
  si.lpDesktop = L"winsta0\\default";
  bResult = CreateProcessAsUser(
  hPrimaryFullToken, // client's access token
  NULL, // file to execute
  lpCommandLine, // command line
  NULL, // pointer to process SECURITY_ATTRIBUTES
  NULL, // pointer to thread SECURITY_ATTRIBUTES
  FALSE, // handles are not inheritable
  dwCreationFlags, // creation flags
  pEnv, // pointer to new environment block
  NULL, // name of current directory
  &si, // pointer to STARTUPINFO structure
  &pi // receives information about new process
  RevertToSelf();
  if (bResult && pi.hProcess != INVALID_HANDLE_VALUE)
  WaitForSingleObject(pi.hProcess, INFINITE);
  GetExitCodeProcess(pi.hProcess, &dwExitCode);
  else
  LOG_FAILED(L"CreateProcessAsUser failed!");
  __finally
  if (pi.hProcess != INVALID_HANDLE_VALUE)
  CloseHandle(pi.hProcess);
  if (pi.hThread != INVALID_HANDLE_VALUE)
  CloseHandle(pi.hThread);
  if(LocalGroups)
  LocalFree(LocalGroups);
  if(pEnv)
  DestroyEnvironmentBlock(pEnv);
  if(hToken)
  CloseHandle(hToken);
  if(hFullToken)
  CloseHandle(hFullToken);
  if(hPrimaryFullToken)
  CloseHandle(hPrimaryFullToken);
  return dwExitCode;
  I passed in username and password of account "A" to method "LaunchAppWithElevatedPrivilege", and also the application i want to launch, e.g. "C:\windows\regedit.exe", but when i run the service program, i found it do launch
  "regedit.exe" with elevated account "A", but the content of regedit.exe is pure back. screenshot as below:
  Can anyone help me on this?

  You code is not dealing with the DACL access to Winsta0\Default.  Only the LocalSystem account will have full access and the interactively logged on user which is why regedit is not displaying properly.  You'll need to grant access to your user. 
  You also need to deal with UAC since that code is going to give you a non-elevated token via LogonUser().  You need to get the full token via a call to GetTokenInformation() + TokenLinkedToken.
  thanks
  Frank K [MSFT]
  Follow us on Twitter, www.twitter.com/WindowsSDK.

• MDT 2012 - Litetouch deploy windows 8 with different administrator account

  I have created and captured a custom image of Windows 8 using MDT2012 update 1 and Windows ADK (without SCCM). In the image, I have set an account called DeployUser, with password XXX, adding it to the Administrators group, and I have disabled the User
  Account Control.
  I did this because the Administrator account is renamed from GPO and the password is changed every 30 days (for security reasons, the password is not disclosed to any IT support).
  Next, I created a TS to deploy this image, adding the installation of some software.
  In the Unattend.xml, I also added DeployUser to perform the autologon.
  After the first logon with DeployUser, the TS stops and does not return any error message.
  If I manually run C: \ ProgramData \ Microsoft \ Windows \ Start Menu \ Programs \ Start-up \ LiteTouch.lnk nothing happens, however, if I run it with "Run as Administrator", the TS continues normally.
  Somebody who knows a solution for this?

  I believe MDT LiteTouch deployments only recognize the Administrator account name for processing task sequences.
  Are you joining the domain during an MDT Litetouch deployment? If so, you may want to delay joining to a domain or GPO processing. Take a look at these recommendations:
  Domain Policies that break MDT 2010
  It may also be possible to disable GPO processing until the end of the taks sequence via a reghack or disabling a service. Take a look at this:
  How to Disable/Enable Group Policy
  BTW, the task sequence engine in ConfigMgr prevents GPO processing during an OSD.
  V/R, Darrick West - Senior Systems Engineer, ConfigMgr: OSD

• Accounts being created with administrative group rights

  Hello,
  The server is a Windows 2003 R2 Enterprise fully patched used for Shared Hosting purposes.  It runs Hsphere control panel.  I am trying to identify how the following hack is happening. 
  1) There are users being created with Administrative group rights.   Below is the EventViewer log for the user creation:
  User Account Created:
       New Account Name:    username
       New Domain:    PCNAME
       New Account ID:    PCNAME\username
       Caller User Name:    PCNAME$
       Caller Domain:    DOMAINNAME
       Caller Logon ID:    (0x0,0x3E7)
       Privileges        -
   Attributes:
       Sam Account Name:    username
       Display Name:    <value not set>
       User Principal Name:    -
       Home Directory:    <value not set>
       Home Drive:    <value not set>
       Script Path:    <value not set>
       Profile Path:    <value not set>
       User Workstations:    <value not set>
       Password Last Set:    <never>
       Account Expires:    <never>
       Primary Group ID:    513
       AllowedToDelegateTo:    -
       Old UAC Value:    0x2DAB2B0
       New UAC Value:    0x2DAB2B0
       User Account Control:    -
       User Parameters:    <value not set>
       Sid History:    -
       Logon Hours:    <value changed, but not displayed>
  There exists entries as well where the primary group ID is changed to the Administrative group, but I am omitting such.
  2) I tried to identify what Caller Logon ID:    (0x0,0x3E7) means.  I found out from here:
   http://blog.joeware.net/2013/01/14/2667/ that I can use LogonSessions.exe to identify it.
  Output from LogonSessions.exe is pasted below (snippet):
  [0] Logon session 00000000:000003e7:
      User name:    DOMAINNAME\PCNAME$
      Auth package: NTLM
      Logon type:   (none)
      Session:      0
      Sid:          S-1-5-18
      Logon time:   9/11/2014 12:41:53 PM
      Logon server:
      DNS Domain:   
      UPN:          
          4: System
        316: smss.exe
        364: csrss.exe
        392: winlogon.exe
        440: services.exe
        452: lsass.exe
        628: svchost.exe
        756: LMAgent.exe
        840: svchost.exe
       1000: spoolsv.exe
       1252: avagent.exe
       1268: camWMIAgent.exe
       1324: cissesrv.exe
       1380: cpqrcmc.exe
       1404: vcagent.exe
       1440: svchost.exe
       1480: HsQuotas.exe
       1740: inetinfo.exe
       1780: EmailAgent.exe
       1856: snmp.exe
       1884: sysdown.exe
       1920: smhstart.exe
       2192: svchost.exe
       2388: cmd.exe
       2396: hpsmhd.exe
       2444: cqmgserv.exe
       2464: cqmgstor.exe
       2484: HSphere.exe
       2596: wmiprvse.exe
       2676: cmd.exe
       2684: rotatelogs.exe
       2692: cmd.exe
       2700: rotatelogs.exe
       2732: searchindexer.exe
       2812: hpsmhd.exe
       2824: cqmghost.exe
       2852: svchost.exe
       3044: cmd.exe
       3052: rotatelogs.exe
       3080: cmd.exe
       3088: rotatelogs.exe
       5452: svchost.exe
       5596: GravitixService.exe
       7392: csrss.exe
       7232: winlogon.exe
       6888: csrss.exe
       9832: winlogon.exe
      10388: wawrapper.exe
      10352: cpqnimgt.exe
       9496: msiexec.exe
       6068: w3wp.exe
       4748: webalizer.exe
  3) I also learned from http://support.microsoft.com/kb/243330/en-us that   Sid:          S-1-5-18 means:
  SID: S-1-5-18
  Name: Local System
  Description: A service account that is used by the operating system
  That is all great info, but I am not sure I can put together what I have learned to attempt and get closer towards identifying how in the world users are being created and then being assigned administrative group rights.
  I am a Linux person mostly, but I am comfortable following a properly explained thread regarding windows 2003 R2 Enterprise issues.
  The server is fully patched and it is running Lumension security product.  What's more, Norman Malware tracker, tdskiller.exe (Kaspersky) and McAfee rootkitremover.exe have been run without any apparent Malware/Virus infection
  Hope someone with advanced admin skills can advise.
  Thank you

  Hi,
  You mentioned that, “I am trying to identify how the following hack is happening”, would you please tell us that why did you think the event represent a hacking behavior?
  In a Shared Server Hosting environment, the underlying hosting control panel tool (Hsphere in this case) should be creating only virtual FTP users with a specific group.  So no users with Administrative group should be ever created.  If this happens,
  it constitutes a breach of server security=positive hacking attempt.
  >how in the world users are being created and then being assigned administrative group rights.
  In addition, would you please be more specific about this question? Did you find the event message on a domain joined machine?
  I want to be able to understand in full how/what process is allowing users to be created with Admin rights.  In other words, I want to know what IP was used to issue the command, if ASP.net was used (abused in this case), or anything else related to
  it so that we can patch this particular hole.
  Best Regards,
  Amy

• Set up an account with administrator rights, but did not choose a password for it

  Essentially now, cannot complete anything without the non existent password. How do I reset it or create on. It won't let me see my account unless I login as a standard account, then prompts my admin account for a password that does not exist.

  Hi Old Pappy59,
  All account should be shown in manager account interface when you logon as an administrator if you did not hide them by using register.
  I suggest you delete this account and recreate it with a password. Since according to your description you could not see this account in GUI as an administrator, you could run lusrmgr.msc to confirm user information or use
  net user command to do this job if this account is really currently existing.
  To run lusrmgr.msc
  right click start->run->type lusrmgr.msc-> OK
  To delete an account
  net user [username] /delete
  if you don’t want to delete this account, also could create a password for this account.
  To create a password for an account
  net user [username] [password]
  For more information about net user command (also apply to Windows 8):
  http://support.microsoft.com/kb/251394/en-us
  Regards

• When i login with microsoft account cannot access with administrative share c$

  i have a problem when i login to windows with microsoft account cannot access any network computer with administrative sharing c$,d$ with windows 8.1 
  but when i login with local account can access
  and some people tell  me create key in regedit t fix it 
  after enter user name and password show this error 
  and i apply your instruction  and not fix until now
  note:
   my Machine windows 8.1 if another machine in network windows 7 can access a hidden share if machine in network windows 8.1 show this message in image 2 
  but if i login with local user can i access all machine hidden share network windows 7 and 8.1

  yes this computer i want to access  name poland2-work and have two users 
  first :administrator
  second : poland 2

• Problem with software update - now can't log on to administrator account

  Hello -
  I updated software yesterday and didn't pay attention to what was updating. I always just install the updates when they come up.
  Now I can't login to my administrator account or change the password. I could log into another account, but iTunes won't stay open. It opens for about 10 seconds then closes.
  So I'm assuming that the updates were a mac OSX update and an iTunes update.
  Does anyone know why this is happening and how to fix?
  Is there anyway to "undo" the most recent update?
  Any help would be appreciated.
  -jamendan

  Hi jamendan, and a warm welcome to the forums!
  Could be many things, we should start with this...
  "Try Disk Utility
  1. Insert the Mac OS X Install disc that came with your computer, then restart the computer while holding the C key.
  2. When your computer finishes starting up from the disc, choose Disk Utility from the Installer menu. (In Mac OS X 10.4 or later, you must select your language first.)
  *Important: Do not click Continue in the first screen of the Installer. If you do, you must restart from the disc again to access Disk Utility.*
  3. Click the First Aid tab.
  4. Click the disclosure triangle to the left of the hard drive icon to display the names of your hard disk volumes and partitions.
  5. Select your Mac OS X volume.
  6. Click Repair. Disk Utility checks and repairs the disk."
  http://docs.info.apple.com/article.html?artnum=106214
  Then Safe Boot from the HD, (holding Shift key down at bootup), run Disk Utility in Applications>Utilities, then highlight your drive, click on Repair Permissions, reboot when it completes.
  The usual reason why updates fail or mess things up, is if Permissions are not fixed before & after every update, with a reboot... you may get a partial update when the installer finds it doesn't have Permissions to change one obscure little part of the OS, leaving you with a mix of OS versions.
  Some people get away without Repairing Permissions for years, some for only days.
  If Permissions are wrong before applying an update, you could get mixed OS versions, if Directory is the slightest messed up, who knows!
  If many Permission are repaired, or any Directory errors are found, you may need to re-apply some the latest/biggest updates.
  May even need to do an Archive and Install if you have room on the HD...
  http://docs.info.apple.com/article.html?artnum=107120
  I only use Software Update to see what is needed, then get them for real via...
  http://www.apple.com/support/downloads/
  That way I can wait a week or so, check the forums for potential problems, and get Permissions & such in order before installing.