GPP runs in System account even if specified that it should run i user context

Similar Messages

• Cannot Retrieve referenced URL in wscript file from Local System Account, but not other accounts on the computer.

  Hello,
  I have a WScript File that includes an external resource (js file).
  It works on one computer and it does not work on another computer.
  If I run this file from a normal admin command prompt everything runs fine on both computers.
  If I run this file from the Local System account using PsExec it runs fine on one of the computers and throws an error "Cannot Retrieve referenced URL" on the other computer.
  The reason I want it to run from the Local System account is that it is executed from a Windows Service.
  Is there some setting or some way for the IE cache to get corrupt on the Local System account or something like that?

  JRV,
  You are by far the worst 'support' person I've ever seen. If you aren't going to be thoughtful in providing support, don't pretend. If you're going to pretend, leave your condescension on the shelf. You have provided no thoughtfulness whatsoever to his issue,
  and have in no way improved the discourse. You are arrogant and condescending without exhibiting any intelligence whatsoever. I'm impressed Matt kept calm through your demeaning, counterproductive diatribes.
  Matt,
  First I'd check UAC settings, because I believe that can change how elevation works substantially.
  Second, I would check the versions of wscript.exe on both machines, both in System32 and SysWow, and I'd check for updates bypassing WSUS to make sure there's not something silly going on there (totally a shot in the dark, catch-all theory).
  Have you made any headway in the last few weeks?
  -John
  This is not a support forum and it is not for assistance in fixing broken configurations.  It is a scripting forum. The OP proved that the issue is not the script but the environment it is running in.  You should not get mad just because you are
  not getting satisfaction.
  ¯\_(ツ)_/¯

• Can't delete admin account even as Root

  We're experimenting with integrating our Mac users into Active Directory. I've read that you should delete the user account in Sys Prefs first and leave the home folder.
  The problem we're having is that I can't delete the users account in system prefs even if I log in as the root user. I get a generic error after about 10 minutes of looking like it is working that says the account could not be deleted.
  My guess is it has something to do with the fact that I had already logged into the same acount with an Active Directory login and the permissions have been changed on certain files and now it can't complete archiving the home folder because of some rights issue.
  I have unbound the computer from the AD forest and ran disk permissions to no avail. I'd like to keep the existing home folder to use with the network login if possible so I haven't tried the quick delete option.
  Any advice would be greatly appreciated.
  Thanks
  -T
  MacBook Pro 2Ghz, iMac, XServe, G5   Mac OS X (10.4.8)  

  You can't delete an account if it is logged in, or if it is the only admin account on the system. So make sure that there is at least one other admin account, and that the account you want to delete os logged out.

• What problem may arise if we remove "system" account from ACL on files & folders

  hi friends
  as wee see, in the ACL of all files & folders ,the account called "system" exist & usually has full permission.
  what is the usage or benefit of this here ?  if we remove system from here, which problems may occur? if possible please give me some examples. 
  thanks in advance

  Hi,
  We have an old article for explaining this question:
  How the System account is used in Windows
  http://support.microsoft.com/kb/120929/en-us
  The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows.
  There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation).
  The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on
  an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.
  NOTE: Granting either account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file but it is not recommended.
  On shared folders if there is no system file stored inside, you can remove SYSTEM account from NTFS permission.
  If you have any feedback on our support, please send to [email protected]
  hi shaon
  nice. thank you very much
  best regards

• How do I have an exe in a logon script run as a different user (either a domain admin or even the local system account)

  So, I'm having some problems getting a logon script to work.  I need a way to deploy the agent that we use via login/startup scripts and what I have works fine if the user has admin rights, or if UAC is disabled.  I've tried to convert the .exe
  to an .msi to make it easier, but the .msi never works and it's only distributed as an .exe.  We deploy this to different clients, I can't disable UAC in their environment unless they specifically tell us to.  Can anyone think of a way around this? 
  I've been searching for days and I'm just lost.  If we could execute the file as the system account, or connect to shares using a startup script instead of logon, that would be perfect.  Basically what it does is check to see if the process for the
  agent is running (agentmon.exe) so we don't attempt to install it if it is already installed, if it's not, then it calls on a different agent installer depending on the IP address of the system (for clients that have more than one location).  Here's what
  I've got written that works for me in my test environment:
  Const strAgent1 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup1.exe"
  Const strAgent2 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup2.exe"
  Const strAgent3 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup3.exe"
  Const strFolder = "C:\Temp\"
  Const Overwrite = True
  dim objFSO, objNIC1, arrNIC, strIP, strMask, objShell, objWMIService
  dim
  'Checks for Kaseya agent process, AgentMon.exe, exits if running
  Set objWMIService = GetObject ("winmgmts:")
  Set proc = objWMIService.ExecQuery("select * from Win32_Process Where Name='agentmon.exe'")
  If proc.count > 0 Then
      WScript.Quit
  End If
  'Instantiate a NIC configuration object
  Set objNIC1 = GetObject("winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")
  'Instantiate a shell object
  Set objShell = CreateObject("wscript.shell")
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  'Create Temp Dir if it doesn't exist
  If Not objFSO.FolderExists(strFolder) Then
      objFSO.CreateFolder strFolder
  End If
  For Each arrNIC in objNIC1
      if arrNIC.IPEnabled then
          StrIP = arrNIC.IPAddress(i)
          strMask = arrNIC.IPSubnet(i)
          Set WshNetwork = WScript.CreateObject("WScript.Network")
      end if
  next
  Function NetworkID(Address, Mask)
      Dim AddressOctets, MaskOctets, Result, N
      AddressOctets = Split(Address, ".")
      MaskOctets = Split(Mask, ".")
      ReDim Result(UBound(AddressOctets))
      For N = 0 To UBound(AddressOctets)
          Result(N) = AddressOctets(N) And MaskOctets(N)
      Next
      NetworkID = Join(Result, ".")
  End Function
  Select Case NetworkID(strIP,strMask)
      Case "192.168.0.0"
      ' Kaseya install commands for 192.168.0.0 subnet
      objFSO.CopyFile strAgent1, strFolder, Overwrite
      Wscript.Sleep 1*60*1000
      objShell.run "C:\Temp\Test-KcsSetup1.exe"
      Case "192.168.1.0"
      ' Kaseya install commands for 192.168.1.0 subnet
      objFSO.CopyFile strAgent2, strFolder, Overwrite
      Wscript.Sleep 1*60*1000
      objShell.run "C:\Temp\Test-KcsSetup2.exe"
      Case "192.168.2.0"
      ' Kaseya install commands for 192.168.2.0 subnet
      objFSO.CopyFile strAgent3, strFolder, Overwrite
      Wscript.Sleep 1*60*1000
      objShell.run "C:\Temp\Test-KcsSetup3.exe"
      Case Else
      ' Some sort of error checking. Maybe a BLAT SMTP command to send an email
  End Select
  Set objWMIService = Nothing
  Set objNIC1 = Nothing
  Set objShell = Nothing
  Set WshNetwork = Nothing
  Wscript.quit

  You need to read the documentation carefully:
  The Deploy Agents install package is created using a Configure Automatic Account Creation wizard. The wizard copies agent settings from an existing machine ID or machine ID template and generates an install package called
  KcsSetup.All settings and pending agent procedures from the machine ID you copy from—except the machine ID, group ID, and organization ID—are applied to every new machine ID created with the package.
  Including Credentials in Agent Install Packages
  If necessary, an agent install package can be created that includes an administrator
  credentialto access a customer network. Credentials are only necessary if users are installing
  packages on machines and do not have administrator access to their network. The administrator credential is encrypted, never available in clear text form, and bound to the install package.
  ¯\_(ツ)_/¯

• Requirement is to run CMD.EXE under the Local System Account. So that we can map a network drive to be used by a windows service, which will be created by command: - net use z: \\servername\sharedfolder /persistent:yes

  Environment:
  OS:  Windows 7 32/64 bit, Windows 2008 Server 64
  bit/ Windows 2012 Server 64 bit
  Priority:
  - Critical
  Requirement: - Since
  the Windows Service is running under the Local System Account, we would like to emulate this same behaviour.
  Basically, we would like to run CMD.EXE under the Local System Account. So that we can map a network drive to be used by a service using following
  command
  net use z: \\servername\sharedfolder /persistent:yes.
  Already Attempt:
  We tried to launch the CMD.exe using the DOS Task Scheduler AT command.  Here’s a sample command:
  AT 10:36 /interactive cmd.exe
  But I received a warning that “due
  to security enhancements, this task will run at the time excepted but not interactively.”
  It turns out that this approach will work for XP, 2000 and Server 2003 but due to session isolation
  Interactive services no longer work on Windows 7, Windows Server 2008 and above.
    2.  We
  tried to create a secondary Windows Service via the Service Control (sc.exe) which merely launches CMD.exe.
  <Drive>:\sc create RunCMDAsLSA binpath= "cmd" type=own type=interact <Drive>:\sc
  start RunCMDAsLSA
  In this case the service fails to start and results it the following error message:
  FAILED 1053: The service did not respond to the start or control request in a timely fashion.
    3. One
  suggestion, we found to launch CMD.exe via a Scheduled Task, but
  it is not giving any option to launch CMD.exe in interactive mode; so that I can map network drive using net command.
    4. I read an article, which
  demonstrates the use of PSTools from SysInternals. I launched the command line and executed following command
  psexec -i -s cmd.exe
  PSTools worked fine, but It seems that in scope of Sysinternals Software License
  Terms. You may not "use the software for commercial software hosting services."
  Application will deploy on client, which will be like commercial,
  so we are not able to use PSTools.         
  Kindly assist us for achieving the requirement. We have tried all the ways, but nothing is working for us. Kindly suggest.
  I will be really thankful.

  Hi Sir,
  Nothing worked from above for us. You can see our remarks on posted query.
  That’s why, we posted on forum.
  And there will not be any vulnerability, because, if we will use "net
  use ..."
  in network domain; definitely,
  we will provide username and password of mapped drive system.
  And, that system, itself is given by client; so that, there must not be any vulnerability; they are ready to provide user name and password.
  We need a way; by which we can complete the requirement. Kindly assist.
  Regards,
  S. P. Singh

• Ifweb60 processes run as local system account on w2k- how do i change?

  i am running forms 6i on an 2000 box using
  the forms servlet config and oc4j with 9ias.
  this runs fine except that the ifweb60 processes
  are owned by the local system account. this in
  turn means i can't map the forms60_path to a
  network drive because i can't give network
  privileges to a local system account. so,
  how do i change the account that spawns the
  ifweb60 processes?
  thanks,
  marta

  Never mind, resolved this myself by using the netbios name to substitute the value I need on each individual domain.
  $domain = Get-ADDomain | Select-Object -expandproperty netbiosname 
  Set-Location "dc=$domain,dc=dom,dc=co,dc=uk'
  Sets location as:
  PS AD:\dc=a,dc=dom,dc=co,dc=uk>
  ON another domain same script results
  PS AD:\dc=b,dc=dom,dc=co,dc=uk>
  Exactly what I needed!

• Running 10G as a non local system account on Windows Server 2003

  Hi,
  I have an Oracle 10G database running on Windows Server 2003, SP2. I have created the database and it all works fine while the service is running as the default local system account. However, when I change the user that the service runs as to a different account the database starts and opens, and I can log on as SYS using a bequeath connection but I am unable to log on as any other user going through the listener. The listener responds to TNSpings, and all seems to be OK. When I switch it back to the local system user again it all works fine.
  Can anyone offer any advice or help?
  Thanks,
  Rob

  That's probably because the listener is still running as the local system account. Have you tried to change the listener service to run as the same account as the Oracle service?

• SMA on Windows 7 with local system account

  Hello,
  I use SMA on Windows 7.
  When I launch the wizard (sma.exe) to capture the profiles with an admin account : it works, i have myfile.sma and myfile.sma.DriveC, which contains all profiles.
  But if I launch the same wizard (sma.exe) with Local System account, none of profiles are saves, so I don't have a myfile.sma.DriveC, juste myfile.sma one.
  (i must use Local System account)
  (to launch sma.exe as a local system account on Windows vista/7, you have to run cmd.exe as an admin, then launch "psexec -i -s cmd.exe" (so you have to dl psexec))
  Thanks

  When I launch SMA under the "SYSTEM" account, it seems the problem is that the user folders are not selected by default (even if you select the user accounts to migrate).  So you have to select the files and folders that you want to migrate (e.g. the "c:\users" folder).  When I did this, then I got both the .sma file and the .DriveC file in the location that I specified.
  The way I run as "SYSTEM" is by replacing c:\windows\system32\magnify.exe with c:\windows\system32\cmd.exe and then choosing the Magnifer option at the windows logon screen (note that you have to take ownership of magnify.exe in order to replace it).  This gives me a command prompt at the logon screen to do whatever I want to.
  I don't think SMA was really designed to be run this way (under the "SYSTEM" account), so if you're still having problems after trying the above, then you're going to need to change your process to run SMA under an actual user account or else find some other tool to use.

• A friend's eMac was working fine until the name of the administrator was changed incorrectly in Systems Accounts

  I am trying to fix a friend’s eMac. It was working fine until the name of the administrator was changed incorrectly in Systems Accounts. Upon restart the computer failed to mount. I tried to reinstall Tiger and could not. The destination to do this install could not be found. While in Disk Utilities I tried to repair and then zero out erase the hard drive, this also could not be successfully done. The hard drive was working perfectly before the name change. I may try to load Tiger from the eMac onto an external drive and then hope to erase the eMac internal drive.
  Thank you for your thoughts on this as it would be a shame to retire this trusted computer.
  Nick M.

  Hello,
  Thank you very much for your attention to this. Yesterday I was able to get the eMac to install Leopard onto an external drive. I had hoped that once done I would be able to initialize or erase the content of the internal drive in Disk Utility, but was not able to do so, I only received error messages telling me my request failed. This was also true when I tried to create partitions on it. So in effect, the computer runs, but only from the external drive. I could not even find the internal drive while running from the external drive. Where is it? And the internal drive only occasionally shows up in Disk Utility.
  As for holding Option and Alt, the internal drive did not show up.
  And Leopard was running on the eMac when I lost contact with it. Again, all failed when a name of the administrator was changed, but was not properly done. Or something like this.
  Is there anyway I can use Terminal to help reach the internal drive?
  I realize I am asking a lot of questions.
  And I thank you for your time,
  Nick M.

• Workflow Task not able to be completed due to "System Account" in Requested By field not resolving.

  I have a workflow firing on create and update in a list. The list is a calendar that is email enabled. The tasks are assigned with the requested by set to be the System Account, which shows underlined in red when trying to complete the workflow task. This
  is a sharepoint designer 2010 workflow using the assing approval task action. I was hoping to see a variable used when assigning the task to allow changing that from the system account to the created by on the original list, which I am able to assign for the
  approval workflow starting notification since that also was trying to go to the system account.
  Here is the task as it looks which will not allow completion even by site collection administrator.
  If the workflow starts with direct entry in the list, all works fine. This is related to the system account creating the initial item, but was hoping to override that during the task process.
  Anyone else run into this and have solution?

  Hi Alan,
  I can’t reproduce your issue, but you can change the requested by on the task form to “created by” column. Go to SharePoint
  designer, open the workflow, under forms section, click task type form workname.xsn to open it in InfoPath form, then you can change the requested by to created by.
  For more information, see
  http://blogs.msdn.com/b/edhild/archive/2011/06/01/creating-custom-workflow-task-approval-forms-with-sharepoint-designer-2010.aspx
  Best Regards.
  Kelly Chen
  TechNet Community Support

• The system cannot find the specified file

  I have tried to download and install a driver for hp officejet 4500 wireless on 2 different computers, one windows 7
  the other windows 8, with no sucess.  I keep getting a message saying  " The system cannot find the specified file".
  I even paid for a driver on a disk and got the same message.    
  HELP ME PLEASE
  Sincerely 
  meyerret

  Hi,
  Follow the steps below and check if that resolve the issue:
  1. Open Mcafee software, from the Virus and Spyware Protection section click on Schedule and run scans. Click on Real time scanning and then on Turn Off. select till I restart the PC and confirm by clicking the Turn Off button.
  Now try reinstalling the HP Software and check if the installation goes as expected.
  If the issue persists continue following the next steps below:
  2. Open the run dialog by clicking both the Windows key and the R key on your keyboard. Type %windir% and click on OK.
  3. Type hpoins*.dat into the top search bar, if there are any results rename the extention into old instead of dat. (e.g. hpoins1.old)
  4. Type hpwins*.dat into the top search bar, if there are any results rename the extention into old instead of dat. (e.g. hpwins1.old)
  5. Launch the Run dialog by clicking both the Windows key and the R key on your keyboard. Type MSIEXEC /UNREGISTER into the Run dialog and click on OK.
  6. Launch the Run dialog by clicking both the Windows key and the R key on your keyboard. Type MSIEXEC /REGSERVER into the Run dialog and click on OK.
  7. Run the installation file and check for any difference.
  Regards,
  Shlomi
  Say thanks by clicking the Kudos thumb up in the post.
  If my post resolve your problem please mark it as an Accepted Solution

• Workflow configuration error - System Account connection test failed

  Hi,
  Has anybody faced a problem with Workflow configuration? The version we are using is 2.6.2 on Oracle database 9.2.0.5 on AIX5L. The workflow installation from 9.2.0.1 installation CDs goes through without any problem. But when the workflow configuration tool comes up it fails with the following error.
  "SYSTEM account connection test failed".
  The system and sys accounts are fine as verified by sqlplus. Any help is greatly appreciated.
  The log file is shown below.
  Workflow Configuration Assistant-AIX
  WorkflowCA:
  WorkflowCA: Workflow Configuration in progress...
  WorkflowCA:
  WorkflowCA: Screen width -2304-, screen height -1024-
  WorkflowCA: Graphics User Interface mode
  WorkflowCA:
  WorkflowCA: Language - US
  WorkflowCA:
  WorkflowCA: Start testing connection, which takes less than 3 minutes.
  WorkflowCA:
  WorkflowCA: Account connection test for SYSTEM
  WorkflowCA: SQL Thread: Thread[TstSQL,5,main]
  WorkflowCA: chkSQL: true
  WorkflowCA: cmdLine: /app/oracle/product/9.2.0/bin/sqlplus system/<Masked Password> @/app/oracle/product/9.2.0/wf/sql/wftstcon.sql
  WorkflowCA: envVar[0]: -ORACLE_SID=rsdb-
  WorkflowCA: envVar[1]: -ORACLE_HOME=/app/oracle/product/9.2.0-
  WorkflowCA: envVar[2]: -WF_RESOURCES=/app/oracle/product/9.2.0/wf/res/wfus.res-
  WorkflowCA: envVar[3]: -TZ=EST5EDT-
  WorkflowCA: envVar[4]: -WF_NLS_LANG=AMERICAN_AMERICA.WE8ISO8859P1-
  WorkflowCA: envVar[5]: -PATH=/app/oracle/product/9.2.0/bin:/app/oracle/product/9.2.0/lib:$PATH-
  WorkflowCA: envVar[6]: -LD_LIBRARY_PATH=/app/oracle/product/9.2.0/lib-
  WorkflowCA: envVar[7]: -WF_TNS_ADMIN=/app/oracle/product/9.2.0/network/admin-
  WorkflowCA: envVar[8]: -WF_SHLIB_PATH=/app/oracle/product/9.2.0/lib-
  WorkflowCA: Exit Val : 126
  WorkflowCA: chkSQL is alive after 1 seconds: false
  WorkflowCA: SYSTEM account connection test failed.
  WorkflowCA: Terminating...
  Thanks,
  Chethan

  We had this problem on 2 machines.
  On the 1st machine, we tried the local install option after a few days (Local option with no connect string) and it worked with no problems!
  On the 2nd machine, we could never get it to work even after opening a tar with Oracle. Finally we did a remote install from the 1st machine into the database on the 2nd machine. During the remote install while running wfinstall on the 1st machine, we just had to choose the remote option and the database service name for the connect string.
  Thanks,
  Chethan

• Cannot access primary user account - even with Install CD

  I’ve been racking my brain trying to figure out how to solve a OSX problem for a friend that ran into some problems on his iMac. For some reason, he wasn’t able to log onto his user account – the only one on this computer. He didn’t try to change his password, but something strange must have happened.
  We tried to reset the password with an OS X install disc, but I couldn’t even find, much less access his user account. Thanks to the help of some folks at the Genius Bar of an Apple store, we were able to log onto the Root account and create a new account. I tried t recreate the original user account, but the computer wouldn’t allow it, as that account was already being used. If that user account was still active, why wasn’t I able to reset it with an install disc?
  I’ve rebuilt the volumes with Disk Warrior, and repaired permissions with Disk Utilities. I’m at a loss on how to deal with accessing the original user account, which has a lot of important data. I’ve copied the user data to an external drive, and I’m thinking I might be able to import various files – email data, photographs, and various documents, but I’m hoping there be an alternative to what seems like a tedious route. Other than using an install disc to reset the password to the user account it can’t seem to recognize, are there any other ways to gain access to this account?
  My friend’s computer is a G4 iMac running, I believe, 10.3.9.

  There are several possibilities as to why a user account may
  not be correctly available or a password to it reset to fix it.
  One of them may be, if the short name of the computer or of
  an account was changed by the user; and later the system
  may appear different or changed, with some of the user acct
  settings or preferences no longer as they were prior to that.
  There is a way to create a new admin level user account and
  then move the older user info into the new account; then go
  in and delete the other one. I am not certain as to how to do
  this; but the topic has come up in these discussions, and the
  general path is about the same from Panther through Leopard.
  A few details may be named different, but similar as things go.
  • Mac OS X: *How to change user short name* or home directory name:
  http://support.apple.com/kb/ht1428
  • How do I change owner's name in my Mac:
  http://www.askdavetaylor.com/howto_change_owners_name_applemac.html
  While these kinds of details may not be behind the exact problem in
  the computer in question, directory and user account issues do often
  have similar causes. Often, they are user-caused events. If the general
  Directory of information on the hard disk drive has a problem, the use
  of a third-party disk tool such as Disk Warrior is usually advised. If that
  were needed, usually more evidence across the system would appear.
  There may be a way to use a Setup Assistant to recreate a new user
  experience and start over with a new admin account and user name.
  Then go into the system to ferret out the old user info.
  +Sorry I can't be of more help; as I am being distracted by an elderly+
  +person who can't figure out why I am online or what it means to be.+
  Good luck & happy computing!

• Access to sys and system accounts

  How to determine who can access sys and system accounts?
  we have oracle 10.2.0.4. I want to know which users can access sys and system accounts?
  Please advise
  Thanks
  S.

  ski123 wrote:
  How to determine who can access sys and system accounts?That depends... access to SYS can be done via o/s - no need to compromise the db instance. Only the o/s account running it.
  Even inside Oracle, it is possible to logon as SCOTT and execute SQL and PL/SQL code as SYS - without having any DBA like privs or access to the password for SYS (possible by using a compromised DBMS_SYS_SQL package).
  Bottom line is, you cannot just look at privs inside Oracle to determine who has SYS access. Security and hardening are more complex than that.