AD users losing admin rights when working offline.

We have recently started using AD accounts on our Macs but a critical problem has presented itself.
Under 'Allow administration by' we are using a domain group called 'Domain Users' and this works fine when users are connected to our corporate network but when they are offline and not able to see the AD servers at login they lose their admin rights.
So even if you create a mobile account, this setting has to be validated every time the user logs on.
It has been suggested to use the following command to correct the problem but this has no effect:
sudo dseditgroup -o edit -a "domain\groupname" -t group admin
Has anyone successfully found a workaround for this problem?

Yep.  That is the side effect of the evolution of AD integration.  Many more things are live look-ups.  Have you tried password protected screen savers yet?  Yep, live call to AD.  The reason this is failing is that Domain Users is an AD group and the system cannot resolve the GUID without access to the domain.
In any case, there is a way around this but it is a little messy and it breaks the whole point of using the plug-in to allow for a single point of control.  If you are using cached credentials, you should be able to add the user to the admin group.  Once again, this poses a number of problems as you are now injecting an AD user into a local account, you have no centralized method of removing admin rights from the user, and each machine requires a custom command (you need to issue the user's shortname).
Now, your other option is to say, "it is a security implementation to prevent unauthorized access to the machine when it is not under the protection of our LAN."  Yep, line of garbage, but the real question is, why do they need admin rights?  If for installing software, that likely should not be up to them if you are enforcing a corporate standard.  I generally can't find a good argument for permitting admin rights.
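The reply above notes that adding a cached AD user straight into the local admin group leaves no central record of who has been granted rights. The following added example (not code from the thread) audits the local admin group for exactly that: it assumes the `dscl` output formats shown in its constructed samples, and that a mobile (cached AD) account carries an OriginalNodeName attribute naming its directory node while local accounts do not.

```python
"""Audit the local 'admin' group on a Mac for directory (AD) accounts that were
added directly, i.e. the per-machine workaround described in the reply above.

Added example, not from the original thread. Assumes the dscl output formats
shown in the constructed samples below; run with --live on a Mac to query the
local directory node instead of the samples.
"""
import subprocess
import sys

# Constructed sample: `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_ADMIN_GROUP = "GroupMembership: root admin jsmith adoe\n"

# Constructed samples: `dscl . -read /Users/<name> OriginalNodeName UniqueID` output.
# dscl prints values that contain spaces on their own indented line under the
# attribute name, which is why OriginalNodeName spans two lines here.
SAMPLE_USER_RECORDS = {
    "root": "UniqueID: 0\n",
    "admin": "UniqueID: 501\n",
    "jsmith": "UniqueID: 502\n",
    "adoe": "OriginalNodeName:\n /Active Directory/CORP/All Domains\nUniqueID: 1783672851\n",
}


def parse_dscl(text):
    """Parse `dscl -read` output into {attribute: [values]}.

    Handles both `Name: v1 v2` (short values on one line) and
    `Name:` followed by indented lines (values containing spaces).
    """
    attrs = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            attrs[current].append(line.strip())
        elif ":" in line:
            name, _, rest = line.partition(":")
            current = name.strip()
            attrs[current] = rest.split()
    return attrs


def is_directory_account(record_text):
    """True when the user record was cached from a directory node (assumption: AD
    mobile accounts expose OriginalNodeName, purely local accounts do not)."""
    return bool(parse_dscl(record_text).get("OriginalNodeName"))


def find_injected_admins(group_text, user_records):
    """Return admin-group members whose account comes from a directory node.

    'Allow administration by' grants are resolved by the AD plug-in at login and
    do not appear as direct members, so a directory account that does appear was
    added on this machine (e.g. with dseditgroup) and is not centrally managed.
    """
    members = parse_dscl(group_text).get("GroupMembership", [])
    return [m for m in members if is_directory_account(user_records.get(m, ""))]


def _dscl(path, *attributes):
    # Live query of the local node. check=False so that a missing attribute
    # (dscl prints a "No such key" line) does not abort the audit; parse_dscl
    # simply treats that line as an unrelated attribute.
    result = subprocess.run(["dscl", ".", "-read", path, *attributes],
                            capture_output=True, text=True, check=False)
    return result.stdout


def main(argv):
    if "--live" in argv:
        group_text = _dscl("/Groups/admin", "GroupMembership")
        members = parse_dscl(group_text).get("GroupMembership", [])
        records = {m: _dscl("/Users/" + m, "OriginalNodeName", "UniqueID") for m in members}
    else:
        group_text, records = SAMPLE_ADMIN_GROUP, SAMPLE_USER_RECORDS
    injected = find_injected_admins(group_text, records)
    for user in injected:
        # Removal mirrors the workaround: dseditgroup -o edit -d <user> -t user admin
        print("directory account with direct local admin membership: " + user)
    return 1 if injected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Without `--live` the script runs on the embedded samples and exits non-zero because the constructed account `adoe` is flagged.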

Similar Messages

  • Active Directory: user has admin rights when logs in for the first time

    I have an Xserve server running OS X server 10.5.8 and trying to host _open and active directory_ for both Mac and PC machines. The open directory works fine but what happens on the active directory side is that, when a user logs in from a windows machine he/she can access all the other users' folders. In other words, he/she almost has *admin rights*. Is this normal or is there some setting that I can look into to fix this?
    Details: The first time the user logs in, his only effect on the server is the password change. What this means is that his changes don't get uploaded to the server. It is only the second time the user logs in from ANOTHER computer that the server starts saving his profile. Also, after the second login the user doesn't have admin rights anymore.
    Thanks,
    MR

    If you've just changed your login password in Recovery mode, follow these instructions. Otherwise, see below.
    At some point, you may have reset your keychain to default in Keychain Access. That action would have caused your login keychain to be renamed.
    Back up all data before proceeding.
    In Keychain Access, delete the login keychain from the keychain list. Choose Delete References when prompted, not Delete References & Files.
    Triple-click anywhere in the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
    ~/Library/Keychains
    In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar, paste into the box that opens (command-V), and press return. A folder will open. Rename the file "login.keychain" in that folder to something like "login-old.keychain". Rename the file "login_renamed_1.keychain" to "login.keychain". You can then close the folder.
    Back in Keychain Access, select 
              File ▹ Add Keychain...
    from the menu bar. Add back the file now named "login.keychain". If any of your needed keychain items are missing from it, also add back the file you named "login-old.keychain". I suggest you transfer any needed items from that keychain to the login keychain, then delete it. The transfers are made by drag-and-drop in Keychain Access. You'll need to enter your password for each item transferred.

  • SBS 2003 server admin rights don't work: access denied on VSS and Network settings

    Hi I have just taken over support for a company and have inherited a SBS 2003 Server.
    The server has had no backup for over a year (when the last admin left).
    VSS does not work, so the backup does not work, and I am unable to install any other backup as I have no admin rights.
    I want to repair it so I can do a backup to move to a new server.
    I did not know the administrator account password (the last admin didn't tell anyone)
    So I used a password reset boot cd and then restarted Windows 2003 in Directory Service Restore Mode.
    Copied SRVANY and INSTSRV to a temporary folder, mine is called D:\temp. Copied cmd.exe to this folder too. Next ran at a command prompt instsrv PassRecovery "d:\temp\srvany.exe"
    next
    Started Regedit, and navigated to
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PassRecovery
     Created a new subkey called Parameters and added two new values:
    name: Application
    type: REG_SZ (string)
    value: d:\temp\cmd.exe
    name: AppParameters
    type: REG_SZ (string)
    value: /k net user administrator 123456 /domain
    "123456 is substituted for the password I used" I'm not daft enough to publish it lol
    Next
    opened the Services applet (Control Panel\Administrative Tools\Services) and opened the PassRecovery property tab. Checked the starting mode is set to Automatic.
    Went to the Log On tab and enabled the option Allow service to interact with the desktop.
    Restarted Windows normally, SRVANY ran the NET USER command and reset the domain admin password.
    OK so now I am logged in as administrator but guess what, I still don't have admin rights???
    I can add a new user with admin rights and log in as them but they still don't have admin rights. I'm totally lost??????????? Help please

    I'm thinking the previous tech may have renamed the built-in domain Administrator and then created a new account called 'administrator' with lesser rights?  He then used another domain admin account to manage the server. 
    If so, and given the fact that you don't know any domain admin account usernames or passwords, I think you may be in for a move to a new server without a proper NT backup of the SBS 2003. 
    However, if you can at least log into the SBS 2003, I wonder if you could download and run Disk2VHD and create VHDs (not VHDX) of the current SBS 2003 drives, saving them to an external USB drive connected to the server. 
    You could then 'attach' the VHDs to a Win7 Pro computer and gain access to the files/folders, although not the Active Directory stuff.  Moving Exchange and Sharepoint would impose additional pain.  For Exchange, you could log onto workstations as each user and export their Exchange mailboxes as .PSTs.  I believe you could do the same with any Public Folders.
    Disk2VHD
    http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx
    How to Mount a Virtual Hard Disk in Windows 7
    http://www.online-tech-tips.com/windows-7/mount-vhd-windows-7/
    Of course, the owner could also have his attorney contact the previous tech and threaten legal action unless he coughs up the correct domain admin username and password.  That username and password belong to the owner, not the tech.
    Merv Porter
    =========================

  • Users with Admin Rights

    I've been looking through the Admin Ref Manual and Admin Guide (9.0.42) to see if there is a way to list the users that have been given Administrative rights on any given node within the node network on our server. I thought I remember seeing this documented somewhere but now I can't find it.
    Does anyone know if it's possible and if so where is it documented?
    Thanks in advance for your words of wisdom! :)
    -Gail

    In the BASIC web browser login popup there is a read-only field called
    "Realm". This is what is specified in the tab. It is merely there for
    informational purposes for the user logging in.
    Neil Smithline
    WLS Security Architect
    BEA Systems
    "veena" <[email protected]> wrote in message
    news:3ae5ab86$[email protected]..
    does weblogic support different security domains for different web
    applications ? if not, what is the purpose of the Auth Realm Field in the
    Other Tab when installing a web application ?
    Veena.
    "Neil Smithline" <[email protected]> wrote in message
    news:3ae563d4$[email protected]..
    This is not possible in current WLS releases. Each "administrative domain"
    (referred to simply as a "domain" in WLS doc) corresponds to one and exactly
    one "security domain". Users have the same permissions throughout the
    domain.
    We are currently considering various options for how to support this in the
    future.
    Neil Smithline
    WLS Security Architect
    BEA Systems
    "Nick Roberts" <[email protected]> wrote in message
    news:[email protected]..
    Can anyone provide information about how to have different users
    have admin rights to different servers in a domain ?
    Is there any documentation on the different resources defined in
    the ACLs list of the default server ?
    Nick

  • Change postalsoft user to admin rights

    How do we enable a current Postalsoft user with admin rights?  Currently, she doesn't have upgrade rights, some print options are greyed out...  The originally installed Postalsoft is under an ex-employee's logon.
    Is there a simple way to change over the rights?
    Appreciate any help with this.  Thanks.  jb

    JB,
    It still sounds like there is a permission issue.  Some settings are stored in the registry, and some of the printing options are stored in the Windows Printers folder.  So when you say that they have Read/Write Administrative rights are you sure that all the folders were changed?  As for the Presort options being gray it could be that the database is set to Read Only.  To check that you can open a job and go to File > Properties > Document.  Click on the Database Permissions tab.  Make sure that Other's Rights are set to None and Your Rights are set to Read/Write.  If this does not fix it please log a message for us in Support.
    Below are the steps to log a message for support -
    1.  Go to http://service.sap.com/bosap-support.
    2.  Click on "Create a message / Contact technical support".
    3.  Under System Search, click the drop down arrow next to your installation and choose your system, and click Search and then click on the BOB link.
    4. When creating a SAP message it is required to search for Notes. (Knowledge Base articles) to see if you can find an answer to your question without having to log the message for support. In the Search Terms area, type your question and click Continue.
    5. If you do not see any Notes pertaining to your question click on Create Message.
    6. Choose the correct Component for the product you are creating the message for. The component is the support queue that your call will go into so the correct team can assist you. To do this click on the icon next to the Component window to see a drop down list.
    7. Click the arrow by BOJ-EIM to see a more detailed list. By each component the names of the “products” you are using are listed. Choosing the correct component will get your Message logged for the correct support team.
    For example:
    a. BOJ-EIM-COR is used for ACE, DataRight IQ, Match/Consolidate, IACE, and FirstPrep products.
    b. BOJ-EIM-COM is used for DeskTop Mailer, Business Edition, Presort, PrintForm, Label Studio
    c. BOJ-EIM-DEP is used for DQXI, Data Insight, eDQ Infa, SAP Siebel, PSFT, Oracle, Rapid Library
    8. After choosing the component, fill in any remaining required/optional items. **Required fields under Problem Details are flagged with a red asterisk.
    • In the Short Text box, enter a brief description of the question or issue.
    • In the Long Text box, you can go into further detail about what you are seeing or questioning.
    • Click Send Message.
    Thanks,
    Melissa

  • Creation of a normal user without admin rights

    Hi,
    I am new to oracle apex. Can you please let me know how to create a normal user without admin rights in oracle apex application.
    Thanks & Regards,
    venkat
    Edited by: 866673 on Jun 17, 2011 9:53 AM

    Welcome to the forum: please read the FAQ and forum sticky threads (if you haven't done so already), and ensure you have updated your profile with a real handle instead of "866673".
    You'll get a faster, more effective response to your questions by including as much relevant information as possible upfront. This should usually include:
    • Full APEX version
    • Full DB version and edition
    • Web server architecture (EPG, OHS or APEX listener)
    • Browser(s)/version(s) used
    • Theme
    • Templates
    • Region type
    (although for your question only the APEX version is necessary).
    Assuming you mean a user who can authenticate to an application that uses Application Express Account Credentials?
    In APEX 4.0:
    1. Go to Home > Application Builder > [Your Application ] > Administration > Create Users and Groups > Create User
    2. Enter the User Identification information.
    3. In the Account Privileges, specify:
    User is a workspace administrator: No
    User is a developer: No
    4. Complete the rest of the form as necessary.

  • Additional User with admin rights

    Hi all,
    I checked the documentation but I could not find a possibility to create an additional user with admin rights to access the Vibe Management Console.
    Does anybody know if this is possible and how to do this?
    Thanks in advance
    Alex

    Hi Willem,
    thank you for the great post. It did the job very well.
    Alex
    >>> <[email protected]> schrieb am 1.8.2013 um 07:46 AM:
    > arlorenz;2275156 Wrote:
    >> Hi all,
    >>
    >> i checked the documentation but i could not found a possibility to
    >> create an additional user with admin rights to access the Vibe
    >> Management Console.
    >> Does anybody know if this is possible and how to do this?
    >>
    >> Thanks in advance
    >>
    >> Alex
    >
    > Hey Alex,
    >
    > Yes, that's possible. It's somewhat a twofold/threefold process, as
    > you have to give an accounts right to administer the zone, and then also
    > have to give that account rights to the personal workspace root (to be
    > able create/delete user accounts) and any workspaces that need to be
    > administered.
    >
    > I always create an vibe-admins group (local group) that gets the rights
    > to the zone and workspace roots. Then add the needed users to that
    > group.
    >
    > Access for the zone can be set within the administration console:
    > https://www.novell.com/documentation...ata/bk4saug.html
    >
    > Then add the needed rights on the workspace roots, Global, personal &
    > team workspaces.
    >
    >
    > !Do note that admin is the only user that is not allowed to get
    > blocked. Other admin users can be filtered out via ACL's.
    >
    >
    > Cheers,
    > Willem

  • How can I browse localhost when working offline?

    When I start up FF while not connected to a network, FF starts in Work Offline mode. This disables web development until I uncheck Work Offline.
    This is annoying, since I work in various environments, frequently not connected. I want to browse localhost when working offline, or simply stop FF from switching to Work Offline.

    Properties are another level below the items. These properties also have attributes like Quality, Timestamp, etc., just like the items.

  • Want to configure a GPO "Stop (domain) users [having admin rights] from installing software"

    Want to configure a GPO "Stop (domain) users [having admin rights for some particular users] from installing/uninstalling software"
    Requirements :-
    1. Domain users should not be allowed to install/uninstall any software. All other actions can be performed by the user, as an administrator can.
    Please suggest if this is possible and, if so, how I can implement it.

    Hi Amar Chand,
    You can do so by using certain Group Policy settings to control the behavior of the Windows Installer, prevent certain programs from running or restrict via the Registry Editor. The Windows Installer, msiexec.exe, previously known as Microsoft Installer, is an engine for the installation, maintenance, and removal of software on modern Microsoft Windows systems.
    You can try the following method to resolve this issue:
    Method 1: Disable or restrict the use of Windows Installer via Group Policy
    Open “GPMC”, create a GPO linked to the correct scope. You can refer to this article
    Create a new Group Policy object.
    Right-click it, click Edit, and then navigate to
    Computer Configuration/Policies/Windows Components/Windows Installer.
    In the right-hand pane, double-click Disable Windows Installer.
    Click Enabled and configure the option as required. The "Always" option indicates that Windows Installer is disabled.
    This setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs.
    Click Apply to save this configuration.
    Run gpupdate /force on the clients. 
    For your information, please refer to the following article to get more help:
    Managing options for computers through Group Policy
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_wininstall_group_policy_computers.mspx?mfr=true
    Method 2: Restrict Programs from being installed via Registry Editor
    Open Registry Editor and navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    Create a String value with any name, like 1, and set its value to the program's EXE file name.
    E.g., if you want to restrict msiexec, create a String value named 1 and set its value to msiexec.exe. If you want to restrict more programs, simply create more String values named 2, 3 and so on and set their values to the programs' exe names.
    Note: You may have to restart your computer.
    In addition, if you choose this method, you could deploy the registry configuration via GPO. Please refer to the following article:
    Configure a Registry Item
    http://technet.microsoft.com/en-us/library/cc753092.aspx
    Regards,
    Lany Zhang
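Once either method has been deployed, a defender usually wants to verify what actually landed on a client rather than trust the GPO report. The following added example (not code from the thread) parses a registry export of the relevant keys and summarises both restrictions. It assumes the "Disable Windows Installer" policy is stored as the DWORD DisableMSI under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer (0 = Never, 1 = non-managed applications only, 2 = Always), and that the DisallowRun list is only honoured when the DWORD DisallowRun under Policies\Explorer is 1.

```python
"""Check a Windows registry export (.reg, "Version 5.00" format) for the two
software-installation restrictions described in the reply above: the Windows
Installer policy (Method 1) and the Explorer DisallowRun list (Method 2).

Added example, not from the original thread. The key paths and the meaning of
the DisableMSI values below are assumptions stated in the lead-in.
"""
import re

INSTALLER_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer"
EXPLORER_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
DISALLOW_RUN_KEY = EXPLORER_POLICY_KEY + r"\DisallowRun"
DISABLE_MSI_MEANING = {0: "Never", 1: "For non-managed applications only", 2: "Always"}

# Constructed sample export: Method 1 set to "Always", Method 2 blocking two programs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"DisableMSI"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="msiexec.exe"
"2"="setup.exe"
"""

# A named value line: "name"=data  (the default-value line @=... is ignored)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _ci_get(mapping, wanted, default=None):
    """Case-insensitive lookup; registry keys and value names ignore case."""
    for k, v in mapping.items():
        if k.lower() == wanted.lower():
            return v
    return default


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    REG_DWORD (dword:xxxxxxxx) becomes int, REG_SZ ("...") becomes str,
    other types are kept as their raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data
    return keys


def audit(reg):
    """Summarise both restrictions from a parsed export."""
    installer = _ci_get(reg, INSTALLER_POLICY_KEY, {})
    explorer = _ci_get(reg, EXPLORER_POLICY_KEY, {})
    blocked = _ci_get(reg, DISALLOW_RUN_KEY, {})
    disable_msi = _ci_get(installer, "DisableMSI")
    disallow_on = _ci_get(explorer, "DisallowRun") == 1
    # Entries are named "1", "2", ...; sort numerically so "10" follows "9".
    programs = [v for _, v in sorted(blocked.items(),
                                     key=lambda kv: int(kv[0]) if kv[0].isdigit() else 1 << 31)
                if isinstance(v, str)]
    return {
        "installer_disabled": DISABLE_MSI_MEANING.get(disable_msi, "Not configured"),
        "disallow_run_active": disallow_on,
        "blocked_programs": programs,
        # Only meaningful when the list is actually enforced by the Explorer DWORD.
        "msiexec_blocked": disallow_on and any(p.lower() == "msiexec.exe" for p in programs),
    }


if __name__ == "__main__":
    for field, value in audit(parse_reg(SAMPLE_REG)).items():
        print(f"{field}: {value}")
```

Exports produced by `reg export` are UTF-16 with a BOM, so open them with that encoding before handing the text to `parse_reg`.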

  • Local admin rights when Edit locally

    Hello, all!
    We have the same problem as in
    Local Admin rights to "Edit Locally" ?
    "The end users do not have administrator rights on their local PCs, they log on to the domain server with restricted rights. When it comes to the portal, when trying to edit a document with "Edit locally" it is not possible to do so even if the user has all the rights for the document in the Portal KM configuration. When we make the user local admin, everything is OK"
    We are on SPS14, Windows XP SP2. Domain users can run corresponding applications and can create dirs or files in a temp directory. We also utilize the env. variable SAPKM_USER_TEMP but with no success.
    Could you please suggest how to find the rights needed to execute Local Edit. Is there any way to trace this Docservice ActiveX?

    Hello Roman,
    here is a note which describes a solution for a user account with restricted rights:
    The Edit Locally ActiveX will be installed based on the following installation steps:
    The browser will recognize that the KM DocService ActiveX has to be started.
    In case the ActiveX isn't installed on the PC, it will be downloaded from the KM server (...etc/docservice/docservice.cab)
    The browser will extract two DLLs from the docservice.cab file (docservice.dll and sapkmprogressplayer.dll) and register them on the local PC. To see if the installation succeeded you can open within the browser the following dialog: Tools/Internet Options/Settings/View Objects, and look for the program file SAP KM DocService Control.
    Registry keys in the following areas will be created:
    Area HKEY_CLASSES_ROOT:
    HKCR\AppID\{5F8983A6-347C-46B9-BA7A-1B87E5DAE0BC}
    HKCR\ProgressPlayerMod.ProgressPlayer
    HKCR\ProgressPlayerMod.ProgressPlayer.1
    HKCR\CLSID
    HKCR\TypeLib
    Area HKEY_LOCAL_MACHINE:
    HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/DocService.dll
    HKLM\Software\Microsoft\Code Store Database\Distribution Units\
    When these steps finish successfully the installed version can be located within the browser dialog Tools/Internet Options/Settings/View Objects as SAP KM DocService Control, and then the KM DocService will start loading the document content from the KM server and start the corresponding application for editing.
    Installation with restricted user accounts:
    With restricted user accounts, e.g. no access rights to create registry keys in the area of HKCR or HKLM etc., which make the described installation fail, the following installation procedure leads to success:
    Register the needed DLLs manually on the PC (e.g. via a shell command script) with a user account having enough access rights.
    1.1 Create an installation folder (don't use /windows/system32) on the PC and copy the DLLs (docservice.dll and sapkmprogressplayer.dll) to it (extract them from docservice.cab with a tool, e.g. WinZip).
    1.2 Open a command shell in this installation folder.
    1.3 Unregister possibly existing versions with the following commands:
    "regsvr32 docservice.dll /U" and "regsvr32 sapkmprogressplayer.dll /U"
    1.4 Register both DLLs with: "regsvr32 docservice.dll" and "regsvr32 sapkmprogressplayer.dll"
    1.5 If the two registration steps fail, check the permissions to write into the system registry.
    1.6 The installation folder does not need special permissions; the linkage to the DLLs will be done via the system registry.
    1.7 Additionally the following setting is mandatory for the installation to succeed:
    Disable the "ActiveX Version Check" function within the KM Configuration
    SystemAdministration->SystemConfig->KnowledgeManagement->
    ->Configuration->ContentManagement->Utilities->Editing->LocalEditing-> ActiveX Version Check (Uncheck the checkbox)
    Setting a different TEMP directory:
    In cases where it is problematic to use the standard %TEMP% directory, setting the environment variable SAPKM_USER_TEMP pointing to a corresponding directory path (e.g. X:\SHARES\USERS\xxx\CheckedOutDocuments) is also supported. If access to that directory fails, the standard %TEMP% directory will be used as a fallback.
    Hope this helps,
    Michael
    Message was edited by: Michael Braun

  • Agent Installation on users without Admin Rights

    There are around 500 users and all have non-admin rights on their computers. When the software is downloaded from the CAS to the user's PC it says that the software cannot be installed as the user does not have admin rights, so each time we have to log on as an admin and install the software. Is there an easy way that we can install the agent? Even if I have to install the stub, it also requires admin rights.

    Talha,
    That is correct. You have to install the stub as an admin. For convenience it is available as an MSI which you can push using any of the software push methods you use (SMS, GPOs, Altiris etc.) but the initial install requires admin access.
    HTH,
    Faisal

  • Directory service : find user with admin rights

    Hi,
    I'm just taking over an existing LDAP server and I need to know which users in the directory have admin rights.
    I'm playing around with ldapsearch, but I'm not able to get the right search string.
    Os is Solaris 10 5/09 s10s_u7wos_08 SPARC.
    Any thoughts ?
    Thanks,

  • User with admin rights can't access files through the command prompt

    I have a strange situation where I have 2 users both set up exactly the same with admin rights on a 2003 (32 bit) server through an AD group membership, but one can do everything as expected and the other can't.
    The one that can't is trying to execute a program in a command prompt and keeps getting access denied or invalid directory when trying to cd into the folder.   I double and triple checked the permissions and they are correct; this person should have full admin.  In fact I did an effective permissions check through explorer and it states full rights.  Along those lines this person can also access the folder in question through explorer, just not a command prompt. 
    Has anyone seen this before? And if so, what can be done about it.
    Thanks

    Hi,
    Can the user execute the program through explorer? In Windows Server 2003, the Users group does not have Read and Execute permissions to the command processor (Cmd.exe). 
    You could refer to the article below to resolve the issue:
    "Access is denied" error message when you run a batch job on a Windows Server 2003-based computer
    http://support.microsoft.com/kb/867466
    Best Regards,
    Mandy 

  • How to set an encrypted value on a ConfigurationProperty when working offline

    So, I have a particular instance of configuration property that I am trying to modify when working on a domain offline, in particular during the configuration of a domain template in final.py.
    wls:/offline>ls()
    -rw- EncryptValueRequired true
    -rw- EncryptedValueEncrypted {3DES}istgZKedh7j6eu/9GdqXMg==
    -rw- Name IntegrityKeyPassword
    -rw- Notes null
    -rw- Value null
    wls:/offline>prompt()
    As I am working in offline mode cmo.setEncryptedValue() doesn't appear to work as it complains there is no such attribute. I can set "Value" but the server only reads the encrypted value so that doesn't help me.
    I did work out how to calculate the encrypted value using weblogic.security.Encryption; but I can't find a set(...) or cmo.setXXX(...) combination that works. It is very likely something very obvious.
    Thanks,
    Gerard Davison

    Hi Gersh
    Sorry for my late reply and thanks for your helpful information.
    I tried the second way from your information and I could configure it.
    And I'll try the first way from your information.
    Regards,
    Keisuke

  • Does user have admin rights to portlet?

    I have a portlet to which 2 groups have access: users of this portlet and admins of this portlet (not portal or community admins). They simply should get different functionality. Does SettingType.Admin mean you are a portal/community admin or that you have "admin" rights to the portlet?

    Neither.
    I'm guessing you're using the hasSettingsRight method of the IDK, no?
    if hasSettingsRight(SettingType.Admin) returns true it implies two things:
    1) You're in the admin prefs gateway and
    2) You have at least edit rights on the portlet object.
    HTH,
    Chris Bucchere | bdg | [email protected] | http://www.bdg-online.com
