Access to all servers (except DCs) without Domain Admins privileges

Hi,
We would like to allow some functional accounts (ITS accounts) to access all of the company's servers, but without being domain admins and without adding them manually to the local admin group on each server.
Could we do this using Group Policy Management, or Active Directory delegation? (Our AD is 2012.)
Could anyone help me, please?
Thanks and regards
Manuel Osorio

Hi Manuel,
>We would like to allow some functional accounts (ITS accounts) to access all of the company's servers, but without being domain admins and without adding them manually to the local admin group on each server.
It depends on which kind of access you intend to achieve. If you just want these accounts to be able to log onto these servers, you can assign the "log on locally" or "log on through Terminal Services" user rights through Group Policy.
In addition, you may find some built-in groups like Backup Operators, Network Configuration Operators or Performance Log Users useful.
More information for you:
User Rights
http://technet.microsoft.com/en-us/library/dd349804(v=WS.10).aspx
Default local groups
http://technet.microsoft.com/en-us/library/cc771990.aspx
Best Regards,
Amy
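As an added example (not part of Amy's reply or the original thread), the following PowerShell script checks what Amy's suggestion should produce on a member server once the GPO has applied: it exports the effective user rights assignment with secedit, resolves the SIDs to account names, lists the local Administrators group through ADSI (Get-LocalGroupMember does not exist on Server 2012), and reports whether a given group holds an allow or deny logon right or sits in Administrators. The group name CONTOSO\ITS-ServerLogon is a placeholder, not a name from the thread.

```powershell
# Added example (not from the original thread): audit a member server's effective
# logon rights and local Administrators membership, to confirm that a GPO granting
# "Allow log on locally" / "Allow log on through Remote Desktop Services" reached the
# server without the accounts having been made local admins.
# Assumptions: run from an elevated prompt on the server; 'CONTOSO\ITS-ServerLogon'
# is a placeholder group name, not one from the thread.
param(
    [string]$PrincipalToCheck = 'CONTOSO\ITS-ServerLogon'
)

# User rights that govern interactive and RDP logon; Deny rights override Allow rights.
$rightsOfInterest = @(
    'SeInteractiveLogonRight',           # Allow log on locally
    'SeRemoteInteractiveLogonRight',     # Allow log on through Remote Desktop Services
    'SeDenyInteractiveLogonRight',       # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
)

function Resolve-Sid {
    param([string]$Token)
    # secedit writes SIDs as *S-1-5-..., but some principals appear by name.
    if ($Token -notlike '*S-1-*') { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Token.TrimStart('*')   # orphaned SID (deleted account): keep it raw
    }
}

# Export the effective local security policy (user rights only); this reflects GPO-applied settings.
$cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }

# Parse "[Privilege Rights]" lines of the form:  SeRight = *S-1-5-32-544,*S-1-5-32-555
$assignments = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest -contains $Matches[1]) {
        $assignments[$Matches[1]] = @($Matches[2] -split ',' | Where-Object { $_ } |
            ForEach-Object { Resolve-Sid $_.Trim() })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Local Administrators members via ADSI (Get-LocalGroupMember does not exist on Server 2012).
# ADsPath looks like WinNT://CONTOSO/Domain Admins; turn it into CONTOSO\Domain Admins.
$admins = @(([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') | ForEach-Object {
    ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '') -replace '/', '\'
})

Write-Output "== Logon rights on $env:COMPUTERNAME =="
foreach ($r in $rightsOfInterest) {
    $who = if ($assignments.ContainsKey($r) -and $assignments[$r]) { $assignments[$r] -join ', ' } else { '(nobody)' }
    Write-Output ('{0,-36} {1}' -f $r, $who)
}
Write-Output "`n== Local Administrators =="
$admins | ForEach-Object { Write-Output "  $_" }

# Verdict: the group should appear under an Allow right, under no Deny right,
# and not in the local Administrators group.
$allow = @($assignments['SeInteractiveLogonRight']) + @($assignments['SeRemoteInteractiveLogonRight'])
$deny  = @($assignments['SeDenyInteractiveLogonRight']) + @($assignments['SeDenyRemoteInteractiveLogonRight'])
Write-Output "`n== $PrincipalToCheck =="
Write-Output ("  Allowed to log on  : {0}" -f ($allow  -contains $PrincipalToCheck))
Write-Output ("  Explicitly denied  : {0}" -f ($deny   -contains $PrincipalToCheck))
Write-Output ("  Local Administrator: {0}" -f ($admins -contains $PrincipalToCheck))
```

The export reflects the policy the server is actually enforcing, so it is the right place to confirm both halves of the requirement: the accounts can log on, and they are not members of Administrators. Deny rights win over Allow rights, so a group listed under one of the SeDeny rights will be refused even if it is also listed under the matching Allow right. To see which GPO delivered a given setting, run gpresult /r or the Resultant Set of Policy console on the same server.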

Similar Messages

  • Is it possible to set up ADFS without domain admin rights in Windows 2012 R2?

I've set up Windows 2012 R2 on my development box and want to enable the ADFS feature to test claims based authN. In ADFS 2.0, you could opt to install standalone and local admin privileges would be enough to install ADFS and authenticate against the domain AD.
    However, with the new ADFS, after installing the feature it asks to enter the credentials for an account that is a domain admin. Is it still possible to configure ADFS without domain admin privileges?

    Hi,
According to my research, if you want to set up AD FS in Windows Server 2012 R2, each computer that functions as a federation server must be joined to an Active Directory domain.
Besides, AD FS requires a certificate for SSL server authentication on each federation server in your federation server farm. Furthermore, you need membership in Administrators on the local computer to install the AD FS role service.
    For more detailed information, please refer to the links below:
    How to deploy AD FS in Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn303423.aspx
    Best regards,
    Susie

  • Setup write access for all descendants except one

    Hi,
    I'd like to give a write access to all descendants of a member, except one.
I thought I could simply give WRITE to all descendants, and set NONE on the member I didn't want to give access to.
That should work according to the Planning documentation:
    Inheriting Access Permissions
    Inheritance may determine the user or group’s access permissions. You can specify an attribute
    that causes the children or descendants of that member to inherit its access permissions. Access
    permissions assigned to members take precedence over inherited access permissions. You can
    include or exclude the member from the access permissions setting.
    However, after I set it up this way, the inherited WRITE takes precedence over the NONE set up on the member.
    Am I facing a bug, or is there an error in the documentation, or am I really missing something ?
    I am working with 11.1.2.1, EPMA application.
    Thanks,
    JM

If you set write access to descendants and then set none on one of the members, then the none access should take precedence.
    This statement should be true "Access permissions assigned to members take precedence over inherited access permissions."
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • SC 2012 R2 - Operations Manager - All servers except Management server show Not Monitored

    Hi all,
    I have installed System Centre 2012 R2 - Operations Manager and configured on our Domain and running without a problem. I used the VHD available here: http://www.microsoft.com/en-gb/download/details.aspx?id=40844
    I have created a single VM called VM1 and installed Windows Server 2012 R2. VM1 has also been joined to our domain.
    The management packs for Server 2012 R2 have been downloaded to the SC2012 OM.
    I have discovered and added in VM1 server to the OM Server. I can see the agent running in VM1 (Microsoft Monitoring Agent) but it always shows as "Not monitored".
    I have restarted both servers, found the guide regarding "Greyed out or Not monitored" but the steps outlined have not resolved the issue.
    The account used in the test domain to install and run the service is a Domain Admin account. The test domain network also disabled the firewall on all member servers.
    I have stopped all services on the OM server, renamed the "Health Service State" folder as suggested but nothing has resolved the issue.
    Could anyone please help me? If more information is needed I would be happy to provide it.
    Thanks in advance,
    Graham

    Thank you all. After coming into the office today I checked the event logs on VM1. All afternoon I had been getting 4 events every 15 minutes;
    Three x 21023 - OpsMgr has no configuration for management group SCOM12 and is requesting new configuration from the Configuration Service
And one error, 20070: The OpsMgr Connector connected to SCOM12.test.local, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
However at 00:04, I can see an event log 21019 - OpsMgr has returned to communicating with its primary host SCOM12.test.local, and since then regular Health Service logs.
    I checked in OM and now it is showing as Healthy and monitored - I guess this just needed a lot of time to configure itself? Is this normal behaviour?
I also checked VM1 TCP 5723, which it says was not open (the firewall is off on the server; however, it is working in OM).
    PS C:\PSScripts> Test-Port -computer VM1 -port 5723 -tcp
    Server   : VM1
    Port     : 5723
    TypePort : TCP
    Open     : False
    Notes    : Connection to Port Timed Out
    Thanks again for your help. If it goes again I shall create a new post.

  • Can't login in to OS X 10.6.7 without domain admin account

    Have just bought a mac mini to test in a Windows server environment.
I successfully bound to the Active Directory server and was able to log in as my default user account.
    I moved on and did a software update which moved me from 10.6.4 to 10.6.7 and since this I have not been able to logon using that or any normal user accounts.
I can successfully log in as the administrator (default account created during install) and surprisingly can log in as any Domain Administrator account, something I don't want to be doing. I tested with other normal users with the same issue and can successfully install with any Domain Administrator account.
    I have seen a few things that are similar but none of the fixes seem to work...
This doesn't bode well for Macs in the workplace :S

    I would recommend preparing your system first and then update by following these instructions:
1. Back up first using Time Machine!
2. Disconnect all peripherals except the keyboard and mouse.
3. Download the Combo Update from Apple Downloads.
4. Boot the computer in Safe Mode. Note: Safe Boot loads a stripped-down system, which may reduce any chance of incompatibility while the update is running. Keep all applications closed.
5. Repair Permissions from Disk Utility while booted in Safe Mode.
6. Install the update from Safe Mode.
7. Restart as you normally would if prompted.

  • How to run Adobe InDesign CC without needing Domain Admin privileges?

    Adobe InDesign CC needed Admin privileges to install which is fine but it seems to need the same just to start-up and run the program.
    I've given the user Local Admin but that didn't fix it. I don't want to have to 'Run as Administrator' every time they want to use the software, does anyone have any ideas for sorting this?

    Without proper system info and other details nobody can even begin to guess. Chances are that your network configuration is to blame and due to using specific ports that are also used by the activation system they are somehow tied together. Well, whatever. This is most definitely nothing that can be solved from within the Adobe programs themselves. Run a network monitor, find out what's wrong and fix it accordingly.
    Mylenium

  • Is there a way for end users to give their manager access to change their Out of Office, without an admin involved?

Our end users need to be able to give their managers access to enable their out of office.
Question 1. Can this be done without giving them full access?
Question 2. If they need full access, can the end user themselves give this access? (I've tried giving another user "owner" rights, but the user still can't seem to open my calendar from OWA to adjust my out of office.)
Question 3. Can this be done without a Sys Admin being involved?

You can create an RBAC role for each manager, scoped to each of their employees, that lets them run the Set-MailboxAutoReplyConfiguration cmdlet on the Exchange server. Otherwise they will need full access to the user's mailbox, which an admin would have to grant; the end user cannot grant this permission. Then they can open the other user's mailbox in OWA and set the OOF.
    DJ Grijalva | MCITP: EMA 2007/2010 SPA 2010 | www.persistentcerebro.com

  • Exchange 2013 Give domain Admin access to all users inbox

In the old 2007 Exchange server we had domain admin access to everyone's mailbox, so we could open anyone's mailbox using the Outlook client.
But in Exchange 2013 the mailbox delegation does not give us the option to add a "group" to the Full Access area; it only allows adding a "user" who has a mailbox set up in Exchange. I see there is an Exchange Server group listed under Full Access, but it does not work: I added our domain admin user to that group, rebooted Exchange and the test machine, but it did not work.
    Only option that works to allow mounting of xyz users mailbox via abc admin user is to actually add that abc admin user to the xyz mailbox under mailbox delegation > Full Access.
    Is  there a work around this, so we can simply have a group ABCD with user ABC or DEF etc. etc. so they can access everyones mailbox instead of going in and changing all users mailbox delegation one by one for the new user etc. ?

    Have you tried using the Exchange Management Shell?
    Get-Mailbox | Add-MailboxPermission -User Name_of_Group -AccessRights FullAccess -InheritanceType All
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
I did; I tried Get-MailboxPermission and, other than NT AUTHORITY and the end user, Deny was set to True for all inheritance rights. I tried your command, added the user to the group I wanted under the Enterprise OU in AD, restarted transport on Exchange and logged in on the test machine again.
Still no go: the user I am trying to add, when using Get-MailboxPermission, shows up as Denied for FullAccess, so is that overriding the group permissions?
    RunspaceId      : 2xxxxxxx0
    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : domain\abc
    Identity        : domain/Users/xyzuser
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged
    And for the group i just added with the above abc user inside it:
    RunspaceId      : 2xxxxxxxxx0
    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : domain\newgroupadded
    Identity        : domain/Users/xyzuser
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged
So is the user's deny causing this? Not really sure why ABC domain admin/enterprise admin is the only one listed as no deny; there are other mailbox users that do not show up. I am assuming I have to create a new domain local user and that might work? I wanted the Domain/Enterprise Manager/admin to have access so we would not have to keep toggling between users just to access someone's inbox.
Also, further down the list of mailbox permissions I see the user abc (the user I want to add to the group to have access) is listed with Full Access and the Deny flag set to False instead of True.
So I have two entries for user abc, one with the deny flag set to true and one with the deny flag set to false.
    AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
    Deny            : False
    InheritanceType : All

  • Domain Admins and RDP Users can not RDP into Computers (Access Denied)

    Dear All,
I have some users with Domain Admins rights and Remote Desktop Users rights. But they are denied access to Remote Desktop Services on other servers. I have confirmed that since setup I have had no Remote Desktop related GPO in the domain. I tried to create one, but the issue still persists.
    Regards,
    Zaw Tun Naing
    ZAW

You need to track down the machines that are denying the authentication and then look through the member servers and DCs to find any events within the Security event log and post those errors. This should define what specifically is the reason why you are being denied.
One thought: not sure how the service accounts were initially created, but someone could have gone into the local security policy and DENIED the right to log on remotely or locally. Basically only allowing the "log on as a service" right.
    http://technet.microsoft.com/en-us/library/cc957048.aspx
    http://www.alexheer.co.uk/it-blog/deny-interactive-logon-for-service-accounts
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.
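As an added example (not part of Paul's reply), the following PowerShell script does the Security event log check he describes: it reads failed-logon events (4625) from a server, pulls the account, logon type, source address and NTSTATUS code out of the event XML, and groups them so that a "logon type not granted at this machine" denial (STATUS_LOGON_TYPE_NOT_GRANTED, 0xC000015B, the result of a missing Allow right or a Deny right) stands out from bad passwords or locked accounts. The -ComputerName and -Hours parameters are assumptions for this example.

```powershell
# Added example (not from Paul's reply): summarise failed logons (event 4625) on a
# member server or DC, grouped by account, logon type and failure reason, so that a
# user-rights denial (0xC000015B) is distinguishable from credential problems.
# Assumptions: run elevated with rights to read the remote Security log; the
# parameters below are example values.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# NTSTATUS values commonly seen in the Status / SubStatus fields of event 4625.
$statusNames = @{
    '0xc000015b' = 'Logon type not granted at this machine (user rights / deny rights)'
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'Unknown user name'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006d' = 'Bad user name or password (see SubStatus)'
}
$logonTypeNames = @{ '2' = 'Interactive'; '3' = 'Network'; '5' = 'Service'; '7' = 'Unlock'; '10' = 'RemoteInteractive' }

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Output "No 4625 events on $ComputerName in the last $Hours hours."; return }

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the XML instead of parsing the message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # SubStatus carries the detail when Status is the generic 0xC000006D; otherwise use Status.
    $status = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
    $status = "$status".ToLower()
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType = $logonTypeNames[$d['LogonType']]
        Source    = $d['IpAddress']
        Status    = $status
        Reason    = if ($statusNames.ContainsKey($status)) { $statusNames[$status] } else { 'Other' }
    }
}

# One line per account / logon type / reason, most frequent first.
$rows | Group-Object Account, LogonType, Reason | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Account / LogonType / Reason'; e = { $_.Name } } |
    Format-Table -AutoSize

# Show the individual user-rights denials, which are the ones Paul's reply is pointing at.
$rows | Where-Object { $_.Status -eq '0xc000015b' } |
    Select-Object Time, Account, LogonType, Source | Format-Table -AutoSize
```

Run it against each server that refuses the connection. An RDP refusal caused by user rights shows up as LogonType RemoteInteractive (10) with status 0xC000015B; if the failures are instead bad passwords or lockouts, the problem is the credentials rather than the logon rights, and the local security policy is the wrong place to look.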

  • Reset Password without Admin Privileges

    I am using the latest APEX hosted via apex.oracle.com. I'm trying to create a 'forgot password' capability but it appears that every built-in apex utility that allows me to reset and/or update the password requires admin privileges. Is there any way to do this without having admin privileges? I'm using APEX Authentication.
    Thanks,
    Mark

    Hi Mark,
    Create an authentication function with two parameters something like this and follow the link to create a custom authentication scheme.
    http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/sec_authentication.htm#HTMDB25778
    function my_authentication (
        p_username in varchar2,
        p_password in varchar2 )
        return boolean
    is
        l_user my_users.user_name%type := upper(p_username);
        l_pwd  my_users.password%type;
        l_id   my_users.id%type;
    begin
        select id  , password
          into l_id, l_pwd
          from my_users
         where user_name = l_user;
        return l_pwd = rawtohex(sys.dbms_crypto.hash (
                           sys.utl_raw.cast_to_raw(p_password||l_id||l_user),
                           sys.dbms_crypto.hash_md5 ));
    exception
        when NO_DATA_FOUND then return false;
    end;
    and
    my_authentication

  • Looking for Suggestions on granting all users access to an application *except a subset of users*

This might not be the right forum for this question, but since it is related to an App-V application I figured I would try, since this may have come up for some of you. I am looking for the best way to grant all Domain Users access to an application except for Domain Admins. Using the full App-V infrastructure, I want to grant access to the App-V UI via User Targeting, but I don't want to allow Domain Admins access. The reason for this is that when we make updates to provisioned server cores (stateless), we log in with our Admin accounts to make modifications to the cores, and I would like to reduce the steps that need to be taken at the end to ensure that all App-V applications are removed before sealing up the core.
Currently, Domain Admins do not have access to any App-V applications, so this process is fairly clean. All applications are User Targeted.
Packages are cached on a persistent D drive on each server, so the issue is that the registry, programdata, and packageinstallationroot become out of sync if packages are pulled down during core modifications after the core is attached to other servers (hence other D drives). Because of this, Machine Targeting is not an option for this either.

    This would be so much easier with a "Configuration Manager" like feature where you could create a collection query to accomplish the same thing.  Are there other tools out there that will do the same thing?

  • Comcast is blocking all outgoing email SMTP servers except for Comcast's own server

Recently I have not been able to send any email from my Apple client on my iMac, MacBook, iPad or iPhones when connected to Comcast. I am using my iCloud account, my GMail account, and my Yahoo (SBCGlobal) account. I keep getting the error message that the SMTP server cannot be reached. Again, this is only when I'm connected to Comcast. If I turn off my WiFi on my mobile devices, I can send just fine. I even connected to my hotspot on my phone with my iMac and MacBook, and both of them send fine when NOT connected to Comcast. But if I connect to Comcast, I can no longer send email. I spent an hour on the phone with Apple, and they helped me determine that it is only when I'm connected to Comcast. I then spent over an hour-and-a-half on the phone with Comcast (the first guy just hung up on me, the second woman transferred me to someone without telling me, the third guy transferred me to someone else, and the fourth guy said it was the mail client setup and had nothing to do with Comcast). Comcast is blocking all SMTP servers except for their own. I don't want all of my email going through their servers. Through general and advanced troubleshooting I have determined it is Comcast, or my modem (which is a DOCSIS 3.0 modem). But no one will help. Help!!!!!

It sounds like you may be trying to send over port 25. Have you tried port 587/STARTTLS, or 465/SSL?

TS4062 I cannot get a WiFi signal, which means that I cannot access all of the other features on my iPod. Is there any way I can access all of the other features without Siri or WiFi?

    I cannot get a WiFi signal, which means that I cannot access all of the other features on my iPod. Is there any way I can access all of the other features without Siri or WiFi?

    Hi. The two user tips both describe a sequence of steps that should get your library from the point where it threatens to wipe data from your device to where it is syncing normally, while recovering as much information as possible. It may still be necessary to wipe and reload the device but this should only take place once all the data that can be recovered has been recovered.
    Doing step 1 of 8 and then complaining things aren't the way you want them to be yet strikes me as premature...
    Since you appear to have all your media content, and we are discussing an iPod classic, not an iOS device, the main worries are already taken care of. What's left is ratings, playcounts, playlist membership and checked status. Since your device holds only part of your library at best you could only recover the missing data for the content that is on the device using third party tools.
    Recreating the previous checked/unchecked status of every track in your library from where you are now may not be that easy. Syncing with selected playlists has many advantages, one of which would have been that you would have a named playlist that could have been retrieved by 3rd party software if you had used this method.
    You haven't explained what caused your problem in the first place, but if you have a Previous iTunes Libraries folder holding old copies of your iTunes database (generated with each iTunes update) then it would be possible to restore the most recent of these and then update the library with any changes in your media folder.
    BTW Apple doesn't offer free support for this kind of issue with iTunes.
    tt2

Find all the servers that were restarted without maintenance mode being activated?

    Hi all
I was wondering if I can find a query for this request:
- Find all the servers that were restarted without maintenance mode being activated?
It's to make a report to include in Reporting Services.
    sorry for my English :)
    Thank you very much and have a good day

Hi. First, if maintenance mode is activated, no events are collected. Then, as an example, in the default rules you can see the following: "Collection Rule for Windows Restarted Events", which collects EventID 6005 with EventSourceName = EventLog from the System log, and which is enabled by default.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=6005&EvtSrc=EventLog&LCID=1033
So you can check the Data Warehouse DB for the presence of such an event:
    select ComputerName, DateTime from Event.vEvent ev
    inner join Event.vEventDetail evd on ev.eventoriginid = evd.eventoriginid
    inner join Event.vEventParameter evp on ev.eventoriginid = evp.eventoriginid
    inner join vEventLoggingComputer elc on elc.eventloggingcomputerrowid = ev.loggingcomputerrowid
    where eventdisplaynumber = '6005' Order by ComputerName, Datetime
    http://blogs.technet.com/b/kevinholman/archive/2007/10/18/useful-operations-manager-2007-sql-queries.aspx
    So if you see this event it means the server was restarted and the maintenance mode was not activated.
    Also keep in mind that there can be other event ids when computer is restarted, as example see the rule
    Collection Rule for Windows Restart Events (restarted from bugcheck)

  • Inserting values for all records except 1 or 2 column ,without specify column names.,?

    Hi,
For example, in the student table I have 1000 columns, with column names like (id, name, class, dept, etc.).
I want to insert 998 fields into the department table from the student table, except (id, class).
I don't want to mention all the column names in the insert command.
Is there any possibility to filter the column names in the insert command, like (EXCEPT, NOT IN)?
    Thanks in advance..

Duplicate of
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/b31fa034-5b8f-42e4-b4e1-592a632ca6a5/inserting-values-for-all-records-except-1-or-2-column-without-specify-column-names?forum=sqlce
Please don't cross post.
    Please Mark This As Answer if it solved your issue
    Please Vote This As Helpful if it helps to solve your issue
    Visakh
    My Wiki User Page
    My MSDN Page
    My Personal Blog
    My Facebook Page
