Adding a domain user to the admin role within the local user management breaks all metro apps for all users!!

Hi,
I have posted this in another large thread under the "Windows 8 General" group but have not had any appropriate feedback from MS.
After hours of testing and working with other users I have managed to isolate a simple situation that breaks all metro ui applications within Windows 8 for all users on the machine. Here are my exact steps and notes.
Before continuing, if you are running Avast then your solution may be to turn off the behaviour shield functionality as this also breaks metro apps. This is NOT the problem we are having!
I have performed 3 clean installs after isolating the problem and am able to reproduce the issue every time using the same steps on two different machines.
First thing to say is that for us it has nothing to do with simply joining the domain, domain/group policies nor does it appear to have anything to do with the software we installed, the problem here is much more simple but the result is pretty terrible.
Here are my exact steps of what I did to reproduce our problem:
Complete format of HDD in preparation for a clean install
Clean install performed
Set up the machine initially with a local account
Test metro apps - all working fine
Open control panel from the desktop, click on System, change the system to join the domain, click reboot
Log into the system using my domain account
Test metro apps - all working fine
Here's where the problem starts. I need my domain account to have admin rights on the local machine so I can install programs without the IT men having to come over and enter their password every 5 mins.
I go to control panel via the desktop and click on User Accounts. From within here I then click on "Manage User Accounts". This requires the IT guys to enter their details to give me access to such functionality. This is fine.
In the dialog box that opens I can only see the local user that was initially created during setup. The "Group" for this local account shows as "Administrators" - Image included below (important to note that metro apps are working at this point)
I click add and then add my domain account - also giving it administrator access
Sign off or reboot to ensure the new security is applied
Sign back in to the domain account
Test metro - ALL BROKEN
Sign out
Sign in as local account
Test Metro - NOW ALL BROKEN FOR THIS USER ALSO
So as soon as I add my domain account to the local user accounts and set it as admin it breaks all metro apps for all users. This is on a totally clean install with nothing at all installed other than the OS.
Annoyingly, if I go back and change the domain account to a standard user or if I totally remove the domain account from the local account management system the problem does not go away for either user. Basically it is now permanently broken. The only fix I could fathom was a full re-install and not giving the domain user admin access to the local machine.
Screen one - this is the local user accounts window AFTER joining the domain and logging in with my domain account (All metro apps working at this point)
Screen 2: User accounts AFTER joining the domain and AFTER adding domain account to local user management (METRO BROKEN)
I have isolated my machine from all group policies so nothing like that is affecting me. Users I have spoken to in different companies have policies that automatically add users to the local user management. This means that metro apps break as soon as they join the domain which leads them to wrongly think it is group policies causing the error. Once they isolate themselves from this they can reproduce following my steps.
Thanks

Hi Juke,
Thank you for the response and apologies for the delay in getting back to you. My machine was running a long task so I couldn't try your suggested solution.
I had already tried running the registry merge suggested at the top of the thread to no avail. I had not tried deleting the OLE key totally so I did that and the problem still exists. I will post all the errors I see in event viewer below. For your info, since posting my initial comment I have sent out my steps to 7 different people and we can all reproduce the problem. This comes to 10 different machines (3 of them mine then the other guys) in 3 different businesses / domains. We see the same errors in event viewer.
Under "Windows Logs" --> "Application": I get two separate error events. The first reads "Activation of app winstore_cw5n1h2txyewy!Windows.Store failed with error: The app didn't start. See the Microsoft-Windows-TWinUI/Operational log for additional information." The second arrives in the log about 15 seconds after the first and reads "App winstore_cw5n1h2txyewy!Windows.Store did not launch within its allotted time."
Under "Windows Logs" --> "System": I get one error that reads "The server Windows.Store did not register with DCOM within the required timeout."
Under "Applications And Services Logs" --> "Microsoft" --> "Windows" --> "Apps" --> "Microsoft-Windows-TWinUI/Operational": I get one error that reads "Activation of the app winstore_cw5n1h2txyewy!Windows.Store for the Windows.Launch contract failed with error: The app didn't start."
If you require any further information just let me know and I will provide as much as I can.
Thanks

Similar Messages

  • Sideloading metro apps for all users

    I am having problems with my sideloaded metro app…… Doesn’t seem to work anymore on any of my machines.
    For the first few months, I originally installed my Metro app by first installing the app’s signed certificate to the local machine root store (All OK), then running the following command logged on as the actual user I wanted the app run under.
    Add-AppxPackage -Path "MyMetroApp.appx" -ForceApplicationShutdown
    While this method sort of worked, it had two problems:
    I needed to manually renew the developer licence every 30 days running
    Show-WindowsDeveloperLicenseRegistration
    and I had to do this logged on as the user on the actual console, couldn’t do this using remote PowerShell.
    I want to install the app properly for all users without needing to keep renewing the developer license. I have now run the following to install the app for all users:
    #Allow Trusted Apps
    New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\Appx"
    New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Appx" -Name AllowAllTrustedApps -PropertyType DWord -Value 1
    #Install the app for all users
    Add-ProvisionedAppxPackage -Online -PackagePath "MyMetroApp.appx" -SkipLicense
    This method – even though it seemed to complete successfully, a couple of issues:
    there’s no shortcut added to the start screen on one of my machines, so I can’t open the app
    I am getting a message popup upon opening my app “The app can’t open: There's a problem with {app name}. Contact your system administrator about repairing or reinstalling it. [Close].” on another machine
    Can someone please point me in right direction to get my app working again? I don’t think it’s anything major, I think I’m on the right track.

    The main steps are detailed here:
    https://technet.microsoft.com/en-us/library/hh852635.aspx
    It sounds like the app needs to be un-provisioned on your troublesome machine ?
    Don

  • Request to make a free iwork apps for all ios device users

    I am using iphone 4s & ipad 4th gen, i have request you to make a free all iworks apps for all ios devices, these apps are really good for daily use in business & college also.
    Thank you

    You are not talking to Apple here, just us users. You can give feedback to Apple if you like, but most companies are unlikely to start giving away core products to everybody.

  • Add ldap user to Delegate Admin role programmatically

    Dear all,
    I have problem with
    @Control
    private DelegationRoleManagerControl roleControl;
    roleControl.addUserToRole(EWPConstants.USER_DA_ROLE_NAME,username,ResourceContext.createResourceContext(getRequest(),false));
    I used that control to add user to delegate admin role. It is working fine on admin server.
    But after we deploy on managed server (stand-alone), we get this exception intermittently.
    15 Sep 2009 12:59:40 [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] ERROR ewp.control.pageflow.login.LoginController - login():
    com.bea.p13n.entitlements.common.PolicyMgmtAccessException: Attempt to access Entitlement Policy Mgmt API by user in invalid role. Entitlement Policy operation attempted by disallowed user ["principals=[ewpwlpuser01]"].
    at com.bea.p13n.entitlements.management.internal.SecurityHelper.isWLPAdminRole(SecurityHelper.java:881)
    at com.bea.p13n.entitlements.management.internal.RolePolicyDelegate.roleExists(RolePolicyDelegate.java:387)
    at com.bea.p13n.entitlements.management.internal.RDBMSRolePolicyManager.getGlobalRoleExpression(RDBMSRolePolicyManager.java:1702)
    at com.bea.p13n.entitlements.management.internal.RDBMSRolePolicyManager.addGlobalRoleUser(RDBMSRolePolicyManager.java:1421)
    at com.bea.p13n.entitlements.management.internal.RDBMSRolePolicyManager.addGlobalRoleUser(RDBMSRolePolicyManager.java:1388)
    at com.bea.p13n.entitlements.management.RolePolicyManager.addGlobalRoleUser(RolePolicyManager.java:514)
    at com.bea.p13n.delegation.management.internal.DelegationRolePolicyDelegate.addPredicatesToGlobalDARole(DelegationRolePolicyDelegate.java:614)
    at com.bea.p13n.delegation.management.internal.DelegationRolePolicyDelegate.updateRole(DelegationRolePolicyDelegate.java:254)
    at com.bea.p13n.delegation.management.DelegationRoleManager.updateRole(DelegationRoleManager.java:431)
    at com.bea.p13n.delegation.management.DelegationRoleManager.updateRole(DelegationRoleManager.java:398)
    at com.bea.portal.tools.da.controls.DelegationRoleManagerControlImpl.addUsersToRole(DelegationRoleManagerControlImpl.java:76)
    at com.bea.portal.tools.da.controls.DelegationRoleManagerControlImpl.addUserToRole(DelegationRoleManagerControlImpl.java:223)
    at com.bea.portal.tools.da.controls.DelegationRoleManagerControlBean.addUserToRole(DelegationRoleManagerControlBean.java:295)
    at ewp.control.pageflow.login.LoginController.login(LoginController.java:126)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)

    hi
    it should work even if the managed server is not part of the cluster.
    Again do you get this error randomly or can you replicate it?
    Its possible that your Database / LDAP is out of sync. Can you access portal admin console and can you see if the default two visitor entitlements show and you dont get any error saying PortalSystemAdministrator is not valid?
    Also you can just delete the managed server directory (under the domain/servers) it should recreate the LDAP (assuming admin server is running)
    regards
    deepak

  • Creating a reports folder that's only visible to the Admin role

    Hi all,
    I want to create a new Shared Custom Analyses folder to contain Admin reports. I need to make this folder only visible to users with the Administrator role. But you can't seem to add the Admin role when setting up User Visibility to Shared Report Folders. Help says that it's because the Admin role has visibility to all folders.
    I understand this - but how can you restrict access to a reports folder to just the Admin role (ie. it should not be visible to other roles)??
    Many thanks.

    You will need to assign all the other folders to the rest of the roles. This would be the only way so that your required folder access is given only to admin and not to other users.
    -MR

  • I have loaded Lion on my MacBook and the new trackpad functions work only on one ordinary account or user and not on the admin account. The trackpad preferences are well set. What can I do?

    I have loaded Lion on my MacBook and the new trackpad functions work only on one ordinary account or user and not on the admin account. The trackpad preferences are well set. What can I do?

    iCloud should still help you reduce some hard drive space. Just select "optimize" in the icloud tab in Mac Photo App preferences.
    Granted, not the same as completely offloading your library to a back-up drive at your location.
    Good Luck!

  • Error while assigning the following role to the user

    Hi,
    ERROR 2007-01-18 14:13:25
    CJS-30196  Role SAP_BC_JSF_COMMUNICATION_RO is not assigned to user SAPJSF
    I am getting the following error while trying to assign the following role to the user. Can anybody throw some light on it?
    Thanks
    kiran.B

    Hi,
    Standard roles are not assigned to users directly. Make sure that you copy the role from standard roles then change the naming convention to match your company specification.
    Ex: standard role : SAP_BC_JSF_COMMUNICATION_RO
    Step:1: go to t-code: PFCG and give the role name in role tab SAP_BC_JSF_COMMUNICATION_RO
    Step:2: press copy button and change the naming convention.
    Step:3: Assign to the user.
    I hope it will help you.
    kiran kumar.v

  • How can I know the security role of the logged in user

    When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.
    But wondering when I log into my application with some user name and password (specified in my Oracle database),wondering how this works with the security role I created .How does J2EE know the security role of the logged in user.
    Thanks
    Manohar

    shet wrote:
    role at run time.
    When I login say as "manju" and password as "money" then how does it know that this user belongs to this security role. Is that the j2ee administrator has to say that user manju has this security role. Programmatically how does it really work. I am confused
    The j2ee implementation assigns the roles using the JAAS module you have configured for your application on your application server. Different JAAS modules get roles in different ways. Many allow a single static role to be assigned using a config file. If using a database, often there will be configuration to specify additional database fields which specify the role for a given username.
    At runtime, a developer can test roles using methods like EJBContext.isCallerInRole().

  • Access to my Office 365 third-party app for external user : "a User account is not registered for the account"

    In my third-party web application of Office 365, I want to have access to the contacts, events and emails of all the users from the organizations who installed my app. The thing is I don't want that all these users have to grant me access, I just want one
    admin of the org to grant access for my app and then be able to retrieve the data I need for all the users.
    To test for one organization, I logged in as the admin and proceed to the Oauth2 authentication to retrieve the access token and in the first request (the GET one to retrieve an authorization code) i add the parameter
    prompt=admin_consent.
    With this access token, I can access the data (emails, contact, event) of the admin
    for instance for the contacts
    uri: https://outlook.office365.com/ews/odata/Users(adminemail)/Contacts
    but not the data of the other users of this org with this uri
    uri: https://outlook.office365.com/ews/odata/Users(useremail)/Contacts
    The only thing I can do is retrieve an access token for each user but it supposed that each user has to authorize the access to the app but it's very cumbersome. So, i don't see what enables the parameter prompt=admin_consent and how to use it. Does anybody
    know what it does?
    And my question is: how can I do to access the data of all the users of one organization when the access has been granted by one admin?
    Thank you!

        
    This was answered on StackOverflow by Dushyant Gill.  http://stackoverflow.com/questions/25316175/access-to-my-office-365-third-party-app-for-external-user-a-user-account-is-n/25316678#25316678
    You are sending the OAuth request to a tenant specific endpoint of Azure AD. Note the {key_provided} part of your Url - that part represents the tenantid or a registered domain name of an Azure AD tenant. Azure AD throws this error if the user signing in is not a user in that tenant.
    Multi-tenant applications like yours have two options:
    1. Perform home realm discovery yourself and send the SSO request to the correct tenant-specific endpoint of Azure AD: when a new Azure AD organization signs-up for your application, record its tenant ID, and registered domain names. On your login page, ask the user for their email and try to discover what Org they belong to using the suffix of the email.
    2. Use the common endpoint of Azure AD. Instead of the {key_provided} part of the URL, use 'common'. In this case Azure AD will determine the user's tenant and sign-in the user. The token that your application will receive will still be from the user's tenant (iss claim).
    #2 is more convenient for apps. However #1 has an advantage when the user's Organization has customized their sign-in page with the company logo etc - in the case of #1 the user will directly be taken to the customized and familiar sign-in page.
    I recommend a combination of the two: try determining the user's organization and sending them to the tenant specific SSO endpoint. If you're not able to - send them to the common endpoint.
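The combination recommended in the answer above (tenant-specific endpoint when the organization can be discovered from the email suffix, common endpoint otherwise), as an added example that is not part of the original answer. It also checks the iss claim of the returned token against the organizations that signed up, since the common endpoint will sign in a user from any tenant. The tenant IDs, domains, authority host, authorize path and issuer format used here are assumptions, and the function names are hypothetical.

```javascript
// Constructed sample registry: filled in when an organization signs up for the app.
// Tenant IDs and domains are placeholders, not real tenants.
const TENANTS = [
  { tenantId: "11111111-1111-1111-1111-111111111111", domains: ["contoso.example"] },
  { tenantId: "22222222-2222-2222-2222-222222222222",
    domains: ["fabrikam.example", "fabrikam-eu.example"] },
];

// Assumption: Azure AD authority host and v1 authorize path.
const AUTHORITY = "https://login.microsoftonline.com";

// Option 1 from the answer: home realm discovery from the email suffix.
function discoverTenant(email) {
  const at = String(email).lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null; // not an email address
  const domain = email.slice(at + 1).toLowerCase();
  const hit = TENANTS.find((t) => t.domains.includes(domain));
  return hit ? hit.tenantId : null;
}

// Use the tenant-specific endpoint when discovery succeeds, else fall back
// to 'common' (option 2). Returns the tenant segment so the caller can
// store it with the state value and compare it after sign-in.
function buildAuthorizeUrl(email, { clientId, redirectUri, state, adminConsent = false }) {
  const tenant = discoverTenant(email) || "common";
  const query = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
  });
  if (adminConsent) query.set("prompt", "admin_consent"); // parameter from the question
  return { tenant, url: `${AUTHORITY}/${tenant}/oauth2/authorize?${query}` };
}

// Assumption: issuer has the form https://sts.windows.net/<tenant-guid>/
function tenantFromIssuer(iss) {
  const m = /^https:\/\/sts\.windows\.net\/([0-9a-f-]{36})\/$/i.exec(iss || "");
  return m ? m[1].toLowerCase() : null;
}

// claims: payload of a token whose signature has ALREADY been verified.
// requestedTenant: the tenant segment used in the authorize URL.
function checkTokenTenant(claims, requestedTenant) {
  const tid = tenantFromIssuer(claims.iss);
  if (!tid) return { ok: false, reason: "unrecognised issuer" };
  if (!TENANTS.some((t) => t.tenantId === tid)) {
    return { ok: false, reason: "tenant not signed up" };
  }
  if (requestedTenant !== "common" && requestedTenant !== tid) {
    return { ok: false, reason: "issuer does not match requested tenant" };
  }
  return { ok: true, tenantId: tid };
}
```
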

  • Help Please.  I am setting up my macbook pro for a second user but office didn't transfer over.  Is there a way to have additional users on the same comp have office available without having to re-install it for each user?

    Help Please.  I am setting up my macbook pro for a second user but office didn't transfer over.  Is there a way to have additional users on the same comp have office available without having to re-install it for each user?

    mpr130 wrote:
    Help Please.  I am setting up my macbook pro for a second user but office didn't transfer over. Is there a way to have additional users on the same comp have office available without having to re-install it for each user?
    How did you attempt to transfer Office?
    OS X Lion: Set up a guest account

  • HT5625 I want my new iPad mini to use my new Apple ID, not the old one that pops up without seemingly giving me the choice to update the  Apple ID user name; as a result I haven't been able to update my APPS for some time.

    I want my new iPad mini to use my new Apple ID, not the old one that pops up without seemingly giving me the choice to update the  Apple ID user name; as a result I haven't been able to update my APPS for some time. I changed my apple ID when I got a new e mail address a few months ago .

    Any apps you have installed from the old AppleID will always be tied to that AppleID. You have no choice but to enter the password for the old AppleID if you want to update apps downloaded using that ID.
    The only way to stop being asked for the password for the old AppleID is to remove all apps from the device that were downloaded using that old AppleID.
    You'd then need to re-download (and re-purchase) any apps you want to keep using under the new AppleID.
    Apps cannot be transferred between AppleIDs.

  • Hi, While installing XQuatrz-2.7.7, the installation blocks at the "destination" level. It asks how to install this soft, "Install for all users" is shadowed, but frozen: i cannot select anything and move on. Any idea how to get that fixed? Thanks!

    Hi,
    While installing XQuatrz-2.7.7, the installation blocks at the "destination" level. It asks how to install this soft, "Install for all users" is shadowed, but frozen: i cannot select anything and move on. Any idea how to get that fixed?
    Thanks!

    It says above 2 relevant and 1 correct answer available .............
    I'm new here so could anyone direct me to these answers?

  • I have a photo in an album and in camera roll. I am trying to delete the photo from the camera rol and the only option that i get is : delete everywhere?     Noooooo i just want to delete it from camera roll!!!!!

    I have the same photo in an album and in camera roll. I am trying to delete the photo from the camera roll and the only option that i get is : delete everywhere?     Noooooo i just want to delete it from camera roll!!!!!

    The way that I understand that it works, is that the photos are not copied into the new albums, instead it just points to the photos - the number of photos on the iPad in Settings > General > About doesn't increase when you create new album so I assume from that that it isn't copying the photo, just pointing to it. So if you delete the photo from the camera roll you will therefore also be deleting all the pointers to it

  • How to activate all inactive objects for current user

    Hi
    How to activate all inactive objects for current user ...
    ... I have found a (long winded) way to do this:
    - Environment / Inactive Objects
    - Add to Worklist
    - Display Worklist
    - Select All
    - Activate
    this will open a dialog titled "Inactive Objects for <username>"
    which has the exact functionality I need ... but I can't figure out how to get to this dialog directly - without so many intermediate steps
    the SAP docs repeatedly mention the ability to activate the inactive worklist - but do not mention how
    does anybody know the TCode for this dialog?
    thanks
    ps does the term "mass activation" apply to importing change requests rather than development activation?
    Edited by: FireBean500 on Jun 4, 2010 11:07 PM

    No other way. But usually it's far more simple as all objects are already in our own worklist.
    I wonder why your objects are not already in your worklist, as every time you create or maintain an object, it is added to your worklist.

  • Any way to remove all "apps" for all users?

    I get that the new start menu is a compromise, and it's neat that it's "back."
    What I'm not clear on, is if it's possible to remove/hide the "apps" for all users.
    I'm not keen on having all users have all of these, especially in a corporate environment.
    Would be preferable to have none, except for perhaps what's "allowed" by admins.
    Standard office users, power users, devs, artists, accountants, most folks at work simply don't have a use for most of these apps. I also don't want bandwidth constantly being used by any of the live tiles. If a user wants to know the weather, they can go to
    weather.com. If they want news, this is also available via any number of sites.
    The other compromise of having apps "windowed" is also nice, but for an office environment, I just don't see people firing up a sandboxed calculator app (or, any of the other built-in ones).
    Sorry, but honestly, I'd honestly just like to know if it's possible to set up a GPO, or use some other method to get the "apps" out of the way of the "standard office user."

    Hi techresource0,
    Use export-startlayout cmdlet to export the start menu configuration first:
    Export-StartLayout
    http://technet.microsoft.com/en-us/library/dn283401.aspx
    Windows 10 Technical Preview has a new policy under start menu  and taskbar:
    Meanwhile, I have two thoughts on this if you are planning your environment:
    One: a customized image.
    Two: customize default profile.
    For the first thought, you can uninstall all provisioned windows store app and then deploy this image to your environment. Of course, you can do this in an online system as well.
    Removing Windows 8.1 Built-in Applications
    http://blogs.technet.com/b/deploymentguys/archive/2013/10/21/removing-windows-8-1-built-in-applications.aspx
    For second thought, you may prepare default profile, it would always copy to new created user profile:
    Customize the default local user profile when preparing an image of Windows
    http://support.microsoft.com/kb/973289
    Alex Zhao
    TechNet Community Support
