Using Send Unix to remove admin rights

If we want to remove a user's admin rights, is there a quick and dirty way to do this using the Send Unix Command to a Leopard client?

Try the following:
dscl localonly -delete /Local/Target/Groups/admin users theaccount
where theaccount is the account's short name. This command needs to run as root, and is designed for Mac OS X 10.5.
(32914)

Similar Messages

  • Removing Admin Rights

    Hi
    To get an audible account to register in itunes I had to give an account Admin rights... now I want to take the Admin rights away from the user, but can't seem to do it.
    Can someone tell me how to remove Admin rights (the tick box is currently 'greyed' out in the preferences box)?
    Thanks in advance!

    You may have abandoned this thread, but in case not could I suggest you do not delete the second admin. Apple's dictum, a good one, is to have a reserve admin. One can, I have had one, a failure of an admin, and used the reserve admin to fix it. I keep two admins on each machine. One is just kept in reserve so as 'not damaged by use'. I exercise it every so often.
    If you log in from a blank dialogue box you will not even see the name except in the users folder or some other esoteric listings.
    Of course you do 'always' have another admin in root but it is a clart enabling it and disabling it which one should always do after use of root.

  • Using Oracle after install without Admin rights -- Possible?

    We are upgrading our company to Windows 7. Clearly, the best practice is to remove admin rights from users. I see lots of posts on inability to install Oracle without admin rights. That makes sense. Once installed though, we are hitting errors simply running Oracle without admin rights. Is there a change in our install methodology that would allow us to run Oracle without Admin rights? Any thoughts would be appreciated. We are having to run wide open right now.
    Thanks,
    Dave

    974992 wrote:
    We are upgrading our company to Windows 7. Clearly, the best practice is to remove admin rights from users. I see lots of posts on inability to install Oracle without admin rights. That makes sense. Once installed though, we are hitting errors simply running Oracle without admin rights. Is there a change in our install methodology that would allow us to run Oracle without Admin rights? Any thoughts would be appreciated. We are having to run wide open right now.
    Thanks,
    Dave
    Maybe a bit more detail. It sounds like you are talking about end-user machines, in which case I would only expect the Oracle client software to be installed. What exact errors are you getting?

  • Using Send Unix in ARD to copy files from laptops to server--

    OK, you ARD "Send Unix" gurus, here's a question. I am still getting my feet wet in the Terminal and having lots of fun, no big mistakes yet..
    I am looking for a solution to make a teacher's life easier. It's a writing class. Each day the students do a writing exercise with the MacBook or iBook carts, and the students seldom have the same computer twice. The laptops are bound to Active Directory, and a local user folder is created in /Users using our naming scheme lastname.firstname, and the teacher laptop has Apple Remote Desktop Admin.
    Usually, students are supposed to save their documents to their own home folders on the server, but it's kind of wonky through the menus (until we get the Xserve up and running), so they usually save first to Desktop and then drag the files to their server home folder icon on the Dock. BUT, I'd like to set it up so the teacher can get copy of the Word document each day to read and archive. Setting up another share for the students to drag it to proved unreliable, e-mail is not an option (too much processing of individual files for the teacher), and the teachers can go into the home folders when absolutely necessary if one or a few kids forget, but not all of them each day.
    Here's what I'd like to do-- create a script that the teacher could run in ARD to do the following to the group of MacBooks/iBooks:
    copy contents of currently logged-in user's Desktop to /Volumes/mountednetworkdrive/sharename/classfolder/ AND rename the file if there is already one there with that name, do NOT overwrite.
    The students are supposed to name their files last.first.doc, but they forget, and the test scripting I've tried overwrites Document1.doc with Document1.doc from another student. Since they put their names in the document itself, it's not a big deal to the teacher if they forget to name it correctly.
    The major problems -- the variable for current user "~/" as in ls ~/Desktop/ doesn't seem to list the desktop contents of the current user on the remote machine, therefore I assume cp ~/ would also not work properly.
    I have also been unable to find any documentation of any of the various copy commands that talks about renaming instead of overwriting (like web browsers do if you download the same file multiple times, for example, by appending a digit).
    Options: Instead of renaming, copying the logged in user's whole Desktop directory (but not whole cached login) would eliminate the need to rename, but still not as handy as all the files in one directory. Eg. "cp /Users/(last.first)/Desktop /Volumes/mountednetworkdrive/sharename/classfolder/" but we'd need the folder name of the currently logged-in user to copy, too, (confusing I know) so that the teacher would then find in server/share/class/ a bunch of folders named last.first (the student names) with another folder called Desktop and their document inside. The rudimentary script I wrote above, even if it worked, would copy the whole cached home directory, which is too large with the Library, as well as the inevitable Photo Booth pictures.
    Another option would be to copy the contents of the desktop to a new folder named after the logged in user (if that variable exists).
    Arg. This was supposed to be simpler, but if there is any way to make this work, I'd appreciate any ideas.
    Thanks

    My usernames are shorter, so I never noticed that who only has 8 characters. Just to make it more interesting, the if command further down was goofed up by the forum. The ' -e "$DEST/$FILE" ' should have square brackets where the single quotes are in this sentence.
    Fixing the truncating problem is interesting, especially with the forum goofing up my if statements. I guess I'll have to try single quotes and you'll have to change them with square brackets. It's important that the square brackets be a space away from what's inside them. Dump the cd line and replace it with:
    USER=$(who | grep console | awk '{ print $1 }')
    DIR=$(ls -1 | grep $USER)
    if ' `echo $DIR | wc -w` -gt 1 '
    then
    echo "FAILURE!"
    exit 1
    else
    cd /Users/$DIR/Desktop
    fi
    This code will bail out if it can't find a single user directory. I doubt it will work well if the short names have spaces either. Be careful of the back-ticks in the if statement! They are significant.
    Roger
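
One way to write the collection script this thread asks for, as an added example that is not part of the original posts: it takes the console user from the owner of /dev/console instead of parsing `who` (so long short names are not cut to 8 characters), uses square-bracket tests, and appends -1, -2, ... to a clashing name instead of overwriting. The function names, the `--run` switch and the assumption that home folders live at /Users/<short name> are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Copy every regular file from the console user's Desktop into a class
# folder without overwriting: a clashing name gets "-1", "-2", ... appended.

# Short name of the user logged in at the console (macOS: owner of
# /dev/console). Only called with --run, on the managed Mac itself.
console_user() {
    stat -f %Su /dev/console
}

# Print a path in directory $1 for file name $2 that does not exist yet.
unique_dest() {
    dir=$1 name=$2
    candidate="$dir/$name"
    case $name in
        ?*.*) stem=${name%.*}; ext=.${name##*.} ;;   # Document1.doc
        *)    stem=$name; ext= ;;                    # no extension, or dotfile
    esac
    n=1
    while [ -e "$candidate" ] || [ -L "$candidate" ]; do
        candidate="$dir/$stem-$n$ext"
        n=$((n + 1))
    done
    printf '%s\n' "$candidate"
}

# Copy regular files from directory $1 to directory $2.
# Prints the number of files copied.
copy_desktop() {
    src=$1 dest=$2 copied=0
    for f in "$src"/*; do
        # Skip directories and symlinks: the script runs as root, so a link
        # on a Desktop must not be able to pull in some other file.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        target=$(unique_dest "$dest" "$(basename "$f")")
        cp -p "$f" "$target" && copied=$((copied + 1))
    done
    printf '%s\n' "$copied"
}

# Does nothing unless asked, e.g. from ARD's Send UNIX Command as root:
#   sh collect.sh --run /Volumes/mountednetworkdrive/sharename/classfolder
if [ "${1:-}" = "--run" ]; then
    user=$(console_user)
    # Assumption: the home folder is /Users/<short name>.
    copy_desktop "/Users/$user/Desktop" "$2"
fi
```

Every variable expansion is quoted, so file and folder names containing spaces are handled.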

  • Remove Admin Rights

    I recently bought a Mac and set up my daughter as the default account. Now I realize I should have set up an Admin account and then set my daughter up as a regular user so I can use parental controls. I set up an Admin account for me but can't seem to remove my daughter's Admin rights through the usual account settings. Any advice? Maybe there's some tricky way to do this using the root account?
    If all that fails, is there an easy way to copy all her stuff intact into a newly created account?
    Thanks

    No. All admin accounts are the same. Sounds like if you've done what's been suggested, then your system may be corrupted in some way. If it is then you will need to reinstall Snow Leopard.
    Reinstalling Snow Leopard
    Boot from your Snow Leopard Installer disc. After the installer loads select your language and click on the Continue button. When the menu bar appears select Disk Utility from the Utilities menu. After DU loads select your hard drive entry (mfgr.'s ID and drive size) from the left side list. In the DU status area you will see an entry for the S.M.A.R.T. status of the hard drive. If it does not say "Verified" then the hard drive is failing or failed. (SMART status is not reported on external Firewire or USB drives.) If the drive is "Verified" then select your OS X volume from the list on the left (sub-entry below the drive entry,) click on the First Aid tab, then click on the Repair Disk button. If DU reports any errors that have been fixed, then re-run Repair Disk until no errors are reported. If no errors are reported click on the Repair Permissions button. Wait until the operation completes, then quit DU and return to the installer.
    Reinstall OS X: Snow Leopard's installer will not erase your hard drive and will preserve all your data, users, network preferences, and third-party applications and their support files.
    If DU reports errors it cannot fix, then you will need Disk Warrior and/or Tech Tool Pro to repair the drive. If you don't have either of them or if neither of them can fix the drive, then you will need to reformat the drive and reinstall OS X.

  • How can I remove admin rights to a mobile user group

    Hi everyone.
    I am using Snow Leopard in an environment of about 1200 users. I need to strip the admin rights (I presume by a script accessing DSCL) from a group of Mobile Account users.
    Does anybody have suggestions on how to do this?
    thanks
    Matt

    Sorted out using DSCL in a script.
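
A sketch of a demotion script of the kind this thread mentions, as an added example (not the poster's script). It reads the local admin group with dscl, removes the listed accounts with dseditgroup, and refuses to touch root or to remove the last remaining admin, in line with the reserve-admin advice earlier on this page. It assumes the accounts are direct members of the local admin group; the function names and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Remove listed accounts from the local admin group, but never root and
# never the last remaining non-root admin.

# Current members of the local admin group, space separated.
# dscl prints: "GroupMembership: root localadmin alice"
admin_members() {
    dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: *//'
}

# $1 = current members (space separated), $2 = accounts to demote.
# Prints the accounts that may be removed, in the order given.
plan_demotions() {
    members=$1 wanted=$2 plan=""
    remaining=0
    for m in $members; do
        [ "$m" = root ] || remaining=$((remaining + 1))
    done
    for u in $wanted; do
        [ "$u" = root ] && continue                    # never demote root
        case " $members " in *" $u "*) ;; *) continue ;; esac   # not an admin
        case " $plan " in *" $u "*) continue ;; esac   # listed twice
        [ "$remaining" -gt 1 ] || break                # keep one admin
        plan="$plan $u"
        remaining=$((remaining - 1))
    done
    printf '%s\n' "${plan# }"
}

# Does nothing unless asked. Run as root, e.g. via ARD Send UNIX Command:
#   sh demote.sh --run "acct1 acct2"
if [ "${1:-}" = "--run" ]; then
    for u in $(plan_demotions "$(admin_members)" "$2"); do
        dseditgroup -o edit -d "$u" -t user admin && echo "demoted $u"
    done
fi
```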

  • How do i get to burn dvd's using Encore without giving away admin rights?

    Hi All,
    We currently have a new diploma running using CS4. When attempting to burn a project using Encore it will let me make it as an administrator but as soon as I transfer to any other user without the same access rights I lose the option to burn and receive the option "not found". Can anybody give me feedback regarding this issue or is it one of those cases where you really do just need to be an admin?
    Many Thanks,
    Ross

    Many Thanks for responding. After all this my boss did a bit of searching and we have found a fix. I will post the info he found below to help others if they need limited users to burn DVDs/CDs.
    regards,
    Ross
    SPTI is available to Administrators only. Microsoft designed it like this, don't blame me!
    Here is a quick workaround for those people wanting to stick with SPTI:
    1. Log in as an Administrator
    2. Click 'Start' -> 'Run'
    3. Type 'secpol.msc' and hit OK
    4. Expand 'Local Policies'
    5. Click 'Security Options'
    6. Change 'Devices: Restrict CD-ROM access to locally logged-on user only' from 'Disabled' to 'Enabled'
    7. Close the 'Local Security Settings' window
    8. Log on as your restricted user and try again.
    Note: Only tested on XP and Server 2003. Wording may differ on other operating systems.
    This setting is also in Group Policy, under Policies, Windows Settings, Security Settings, Local Policies/Security Options, and can be used to modify all machines in the domain.
    Windows XP Home Edition doesn't have 'secpol.msc' so you'll have to edit the registry directly.
    Open up RegEdit and navigate to the following key:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Add a new String called 'allocatecdroms' and set its value to '1'.
    0 = Administrators in the domain can gain access to data on the compact discs in the CD-ROM drive.
    1 = Only the user logged on locally can gain access to data on the compact discs in the CD-ROM drive.
    See here for more info: http://technet.micro...y/cc957388.aspx
    If you're not confident enough to make the registry change manually, you can use a program called 'FrogRights' to make the change for you... or just import the following registry file:
    allocatecdroms.reg (110bytes)
    Please note: You'll need to be logged in as an Administrator to import the registry file and you'll need to reboot having done so.
    Yet another option is to use the Nero BurnRights tool. I believe this actually modifies the permissions on the device object (for some, this might be better than changing the group policy option). You can also use it to setup a security group that you can then add certain users to rather than giving everyone access to burn discs.
    ImgBurn supports several other I/O interfaces besides SPTI and there's always a chance that one of the others is already installed on your machine. Go into the Settings and change the 'Interface' option on the 'I/O' tab to see if any of the others will work for you.
    If none of them do you'll have to install an application that installs one of the other supported I/O interfaces and then tell ImgBurn to use it.
    i.e.
    You can use ElbyCDIO by installing some software from Elaborate Bytes or SlySoft - i.e. CloneDVD or Virtual CloneDrive.
    You can use Patin-Couffin by installing some software from VSO Software - i.e. VSO Inspector.

  • Removing User Admin Rights

    I am currently assisting in managing a domain of 3-4000 users. All of our users have administrative privileges on their machines. We are looking into several different ways of removing these administrative rights for obvious security reasons.
    I have read about privilege management software like Avecto, but it would be great if you could utilize something like Restricted Groups in Active Directory or SCCM 2012R2 to achieve this somehow.
    I read about Restricted Groups here:
    http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html
    I am wondering if we can achieve this by deploying these Restricted Group GPOs. I understand that these GPOs are linked to computer accounts though, but from what I am under the impression I can restrict adding accounts to the admin group and explicitly allow other accounts.
    Our AD functional level is 2008R2 and 99% of our workstations are running Win7 32-bit.  Has anyone had any experience removing user administrative rights without purchasing third-party software?

    We are in the process of deploying Avecto Privilege Guard (new name is DefendPoint).
    We are doing this in conjunction with revising our GPP-Local Users & Groups settings (which we decided to use some time ago, instead of using classic Restricted Groups).
    You'll need to use some method (and GP seems to be a good one) to take control of the local Administrators group membership.
    Avecto PG can/will block all attempts to modify that group (due to its anti-tamper protections), but, presumably like us, you will need to evict unauthorised members of that group, and then protect that group from further modifications.
    We also found, that the anti-tamper protections of Avecto PG, even prevent GP from cleaning up the group members, and it was suggested to us by Avecto support, that we create Avecto PG policy which allows the LocalSystem to bypass the protection. (GP CSEs like this, will run in LocalSystem context)
    You don't need Avecto PG to remove admin rights, you can do it with Domain GP. But, how do you maintain that position/integrity? And, how do you then allow users to perform some tasks, tasks which require privilege but your organisation approves of those tasks being performed by users, but Windows doesn't allow that?
    There are many types of technical controls to implement "security" (if that is your goal), but, you will find that each and every control can be bypassed with enough time and effort. Especially if your users are the determined type of person, who also considers that their need to "do that thing" will make them productive/happy - they will ignore all company policies in pursuit of that productivity/happiness (or so it seems to me from my experience)
    IT Support efforts/costs will rise, not drop - we are seeing this already.
    Hatred towards IT (both systems and the people in IT) is also rising.
    Don

  • Firefox Silent updater will not work unless I launch Firefox.exe one time with Admin rights

    I am building a Firefox 17.0.4 ESR package to use for my Enterprise. Everything is working great except for the updater piece. I am using the configuration.ini file during the install with the command MaintenanceService=true turned on, and a mozilla.cfg file with updates enabled, pref("app.update.enabled", true). I am running the install both manually, and through SCCM with Admin rights, including the maintenance service. After the install runs, I open Firefox as a limited user and go to Help->About, and it says Updates are available at www.firefox.com, and that the browser is set to the ESR release channel.
    In all my troubleshooting, the only 2 sure ways I have found that make the auto updates work for a user were to run firefox.exe as an admin 1 time, or to install the base esr package as an admin after my install package. That will fix it for the logged in user only, but another user would run into the same issue. It appears that something is not installing correctly, but I cannot determine the cause.
    My install command is:
    Firefox Setup 17.0.3esr.exe /INI=%INST%\Configuration.ini

    In my organization, we have removed Admin rights from all users, but use a product that can elevate any .exe we create a policy for to run with Admin rights. We have a policy set for updater.exe and it does work for future updates, just not this first update after install until Firefox itself is run as Admin for the first time. My thought is that when Firefox and the Maintenance service are installed with Admin rights through SCCM, the maintenance service should have inherited rights from that install. Forgive me if I am wrong in my conclusion.

  • AD users losing admin rights when working offline.

    We have recently started using AD accounts on our Macs but a critical problem has presented itself.
    Under 'Allow administration by' we are using a domain group called 'Domain Users' and this works fine when users are connected to our corporate network but when they are offline and not able to see the AD servers at login they lose their admin rights.
    So even if you create a mobile account this setting has to be validated every time the user logs on.
    It has been suggested to use the following command to correct the problem but this has no effect:
    "sudo dseditgroup -o edit -a "domain\groupname" -t group admin"
    Has anyone successfully found a workaround for this problem?

    Yep.  That is the side effect of the evolution of AD integration.  Many more things are live look ups.  Have you tried password protected screen savers yet?  Yep, live call to AD.  The reason this is failing is the domain users is an AD group and the system can not resolve the GUID without access to the domain.
    In any case, there is a way around this but it is a little messy and it breaks the whole point of using the plug in to allow for a single point of control.  If you are using cached credentials, you should be able to add the user to the admin group.  Once again, this poses a number of problems as you are now injecting an AD user into a local account, you have no centralized method of removing admin rights from the user, and each machine requires a custom command (you need to issue the user's shortname).
    Now, your other option is to say, "it is a security implementation to prevent unauthorized access to the machine when it is not under the protection of our LAN."  Yep, line of garbage, but the real question is, why do they need admin rights?  If for installing software, that likely should not be up to them if you are enforcing a corporate standard.  I generally can't find a good argument for permitting admin rights.

  • Access developer version with admin rights

    I have MS SQL Server 2012 Developer version installed on my local machine using Windows 7.
    I lost my access to SQL Server local developer version when my company changed policy to remove admin rights to local machine for some reason.
    Since I lost local machine admin rights, I am unable to access MS SQL Server 2012 developer version.
    I would like to know if there is any workaround to access MS SQL Server 2012 Developer version without local admin rights for Windows 7.
    Your help and information is greatly appreciated,
    Regards,
    Souris,

    Hello Souris,
    Please, could you provide more information about your problem?
    Are you unable to create new databases? The error messages would be appreciated.
    I don't think that you have posted in the "good" forum, but for a moderator, it is difficult to find a better forum as we don't know what is happening on your computer.
    I think that you should always be able to create databases in your own directory Users\yourusername on which you should have every access right. The main problem could be to start/stop the SQL Server service as you need some minimum administration rights.
    Please, could you tell us whether the lost rights are on the Windows 7 level or on your SQL Server level?
    To connect, you should have at least the db_datareader and db_datawriter permissions on the databases you are using (I would add db_backupoperator to restore a database in case of errors).
    You should have the public and maybe dbcreator (if you have to create new databases) and of course your login must be enabled and have the permission to connect to the database engine.
    As we don't know what you are doing with the databases with your SQL Server Developer edition, we are unable to help you without more precise information.
    We are waiting for your feedback to try to help you more efficiently.
    Papy

  • Help with running programs that require admin rights to laptop

    We are not able to run java, flash, or shockwave on our laptops unless we
    log into the workstation first as an administrator. Is there a way to fix
    this so that the students do not have to log onto the workstation first as
    administrator?
    Thanks,
    Kathy

    Originally Posted by Kathy
    We are not able to run java, flash, or shockwave on our laptops unless we
    log into the workstation first as an administrator. Is there a way to fix
    this so that the students do not have to log onto the workstation first as
    administrator?
    Thanks,
    Kathy
    Hi Kathy, we have a product that enables you to remove admin rights on XP/Vista by elevating ActiveX controls, apps, scripts etc. Avecto - Eliminate Admin Rights, Implement Least Privilege

  • Using ARD to send UNIX command to add item to dock

    The ARD 3 Admin Guide, page 132, says the following command sequence will install an item in the dock of the target computer(s):
    4) Type or paste the following UNIX command (replace /PathToApplication with your own path to the desired application, and be sure to include the application file extension, .app):
    defaults write com.apple.dock persistent-apps -array-add '<dict><key>tile-data</key><dict><key>file-data</key><dict><key>CFURLString</key><string>/Path_ToApplication</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>';killall -HUP Dock
    Use “persistent-others” instead of “persistent-apps” if the item is anything other than an application.
    I am unable to make it work. Could anyone help with the correct syntax or suggestions as to how to perform a remote addition to the target computer dock.

    Do you have JSS? I ask because your script contains the word JAMF a lot. If you do have a JSS, is there a reason you're trying to use ARD instead of your JSS to run this script?
    When issuing the script from ARD as a send unix command, have you considered using the option to run command as user "root"?
    Are you sure you want to do this? The script looks like it does more than just disable the isite. And do you know how to undo this if you change your mind?

  • Remove Send-As for domain admin groups

    With reference to the link below.
    http://social.technet.microsoft.com/Forums/exchange/en-US/d2e97e64-536a-4c46-8e57-e0ac6a4ad64e/how-do-i-remove-domain-admins-send-as-settings-for-all-users?forum=exchangesvradminlegacy
    The solution works perfectly for a normal user, but for a user who is also a member of Domain Admins, the Send-As will revert back from Deny to Allow after a while.
    I have a user who is a member of the Domain Admins group, say User A. Since we want to remove the Send As for all users (including User A), I followed the steps and denied Send-As for the Domain Admins group for User A.
    However, after a while it returns back to Allow.

    The permissions on members of special groups is managed by the AdminSDHolder and SDProp.
    http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
    The way to deal with this is to give your domain admins (and any other admins) a separate account and to remove their "normal" account from any privileged groups (and to reset the adminCount property and "allow inheritance" on the "normal" account). Do NOT give the admins a mailbox.
    If you can't do that, then deny the Domain Admins group the "Send As" and "Receive As" permission at the organization level in the AD's configuration container. Use ADSIEDIT to do that here:
    CN=<Organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<tld>
    --- Rich Matheisen MCSE&I, Exchange MVP

  • Restrict Standard User from not removing the COM-Addins registered under HKLM with Admin rights.

    Hello,
    I have developed a COM-Addin for Word 2013 by VS 2013 and installed it under the HKLM with Admin rights. Now from a non-admin account, i.e. Standard User, I'm able to uncheck that addin from the COM-Addins dialog and remove it also. Previously I have done the same thing for Word 2007 addins and if a non-admin user tries to uncheck it the warning "The connected state of Office Add-ins registered in HKEY_LOCAL_MACHINE cannot be changed" pops up. But this is not happening for Office 2013 apps (basically Word, Excel and PowerPoint).
    This is happening for all Add-Ins installed under HKLM.
    How can a Standard User be restricted from unchecking and removing the Office Addins registered under HKEY_LOCAL_MACHINE with same warning "The connected state of Office Add-ins registered in HKEY_LOCAL_MACHINE cannot be changed" in a pop-up box?
    Regards, Sayan

    Hi,
    The behavior is changed since Office 2010. Office 2010 and Office 2013 allows a standard user to turn a per-machine add-in off by unchecking the add-in in the COM Add-ins dialog.
    To restrict Standard User from not removing the COM Add-ins, we can try to add the add-in to the Group Policy option: List of managed add-ins in the Office Group Policy template.
    Word for example, the policy is under:
    User Configuration\Administrative Templates\Microsoft Word 2013\Miscellaneous
    To enable this policy setting, provide the following information for each add-in:
    In "Value name", specify the programmatic identifier (ProgID) for COM add-ins, or specify the file name of Word add-ins.
    To obtain the ProgID for an add-in, use Registry Editor on the client computer where the add-in is installed to locate key names under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins.
    To obtain the file name of an add-in, click the File menu in the application where the add-in is installed. Click Options, click Add-ins, and then use the Location column to determine the file name of the add-in.
    In "Value," specify the value as follows:
    To specify that an add-in is always enabled, type 1.
    Hope this helps.
    Regards,
    Steve Fan
    TechNet Community Support
