Admin group missing

Hi,
I'm a new Mac user and i used to dev on Linux.
I'm french too so i apologize for my poor knowledge in English practice ..
Anyway, i recently wanted to add the admin group to another user (Apache) just for a temporary test and when i tried to revert this change it seems that anyone on the system was impacted.
Here are the commands i entered :
> add the admin group :
sudo dseditgroup -o edit -a www -t user admin
> drop the group :
sudo dseditgroup -o delete -a www -t user admin
OR
dscl . -append /Groups/admin GroupMembership monusername (with root user)
These commands gave me an error :
> first : Group not found
> second :
append: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
Any idea ?

Please take these steps to restore administrator privileges to your account. This somewhat tedious procedure is only necessary if you've confirmed that no adminstrator account exists on the system.
If you don't already have a current backup of all your data, you must back up before taking any of the steps below. Ask if you need guidance. You won't need the backup unless something goes wrong—which is always possible.
Step 1
Start up in Recovery mode. The OS X Utilities screen will appear.
Step 2
Take this step only if you use FileVault 2. Launch Disk Utility, then select the icon of the FileVault startup volume ("Macintosh HD," unless you gave it a different name.) It will be nested below another icon with the same name. Click the Unlock button in the toolbar and enter your login password when prompted. Then quit Disk Utility to be returned to the main screen.
Step 3
Select
          Utilities ▹ Terminal
from the menu bar. In the window that opens, type this:
res
Press the tab key. The partial command you typed will automatically be completed to this:
resetpassword
Press return. A Reset Password window opens. Select your startup volume if not already selected. Pull down the menu labeled
          Select the user account
and select
          System Administrator (root)
Follow the prompts to set a password. It's safest to choose a password that includes only the characters a-z, A-Z, and 0-9. I suggest you write down the password. If you don't write it down and forget it, you'll have to start over from Step 1.
Select
           ▹ Restart
from the menu bar.
Step 4
This step, like Step 2, applies only if you use FileVault. Log in as usual, then select
           ▹ Log Out...
from the menu bar, or press the key combination shift-command-Q. Don't restart. You'll be returned to the login screen.
Step 5
At the login screen, click Other... Enter "root" (without the quotes) in the Name field, and enter the password you set in Step 3 in the Password field. You should now be logged in as root. This is a potentially dangerous condition. Do nothing while logged in as root except as indicated below. You'll be fine as long as you don't deviate from the plan.
Open the Users & Groups preference pane. Select your usual administrator account in the list of users and check the box marked
          Allow user to administer this computer
You'll be prompted to restart. Do that and log in as yourself—not as root. Your administrator status should now be restored.
Step 6 (optional, but recommended)
Follow the instructions in this support article under the heading "Disable the root user." You must authenticate in Directory Utility as "root" with the password you set in Step 3. Authenticating as another administrator won't work.
Credit for this idea to ASC member wessongroup.

Similar Messages

Missing properties for ADMINS group in security property file

Hi,
I'm getting the following error while trying to start the J2EE server
how to overcome this
SAP J2EE Engine Version 6.20 PatchLevel 67440.20 is starting...
Loading: LogManager ...
Loading: SystemThreadManager ...
Loading: ThreadManager ...
Loading: TimeoutManager ...
Loading: MemoryManager ...
Loading: PoolManager ...
Loading: PolicyManager ...
Loading: IpVerificationManager ...
Loading: ClusterManager ...
Loading: ClassLoaderManager ...
Loading: SwapManager ...
Loading: LockManager ...
Loading: R3StartupManager ...
Loading: ServiceManager ...
Loading core services:
Starting core service p4 ... done.
Starting core service monitor ... done.
Starting core service log ... done.
Starting core service file ... done.
Starting core service dbms ... done.
ID000544: Error starting service security. Unexpected exception: java.lang.SecurityException: Missing properties for ADMINS group in security property file!!!
[ServiceManager]: ID000544: Error starting service security. Unexpected exception: java.lang.SecurityException: Missing properties for ADMINS group in security property file!!!
Exception in core service. Kernel not started.
[ServiceManager]: * Exception in core service. Kernel not started.
Loading: ServiceManager returned false!
Kernel not loaded. System halted.
Element 1779446621 disconnected.
System Exception * Fail to start Naming. Exception is: java.lang.NullPointerException
ThreadDeath catched in deploy when trying to start it. Rethrowning...
[ServiceManager]: ThreadDeath catched in deploy when trying to start it. Rethrowning...
Starting core service naming ... done.
ThreadDeath catched in admin when trying to start it. Rethrowning...
[ServiceManager]: ThreadDeath catched in admin when trying to start it. Rethrowning...
Message was edited by: Lakshmi Manohar

Hi,
As I understand, you are using SharePoint designer worfklow on 2013 platform and you would like to edit cancelation email body for task process.
From my experience, there is no OOB option for you to edit cancelation email body. Since workflow 2013 is different from 2010, task forms are auto-generated based upon a certain Content Type. As workaround, I'd recommend you using approval workflow on 2010
platform. In addition, you could try codeplex 2013 approval workflow, please check the link below:
http://sharepointwf.codeplex.com/
More information:
http://blogs.msdn.com/b/sharepointdesigner/archive/2012/09/14/how-to-manipulate-the-task-form-with-sharepoint-designer-for-new-task-actions.aspx
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.workflowservices.activities.singletask.cancelationemailbody(v=office.15).aspx
Regards,
Rebecca Tu
TechNet Community Support

Lost Admin group

I came across a weird problem today:
A MBA started out as booting with the progress bar, then couldn't connect to the wifi, so I restarted and zapped the PRAM.
The fun was just beginning.
The present issue today is that there is no admin group anymore, the two admin accounts (IT and remote management) are now standard as of today.
What could cause the admin group to be lost/destroyed/missing?
How does one go about fixing this?

User account – restore missing admin

List users in local admin group on all workstations

Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issues when the computer responded but dns was incorrect for
that pc so i would get a false list of local admin members on that workstation. I changed to a wmi query instead and queried the system name using that so If the system name matched the workstation name being queried then write it is supposed to write to a
csv. For some reason, when i use $wmi.name as the variable, it does not work. What am i missing?
    $CurrentDate = Get-Date
    $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
    import-module activedirectory
     $servers= get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
     $output = "c:\temp\local admin audit $CurrentDate.csv"
     $results = @()
     $servers | ForEach-Object{
    $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
    $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
    $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
    $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
    $group =[ADSI]"WinNT://$_/Administrators,group"
    $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_,   $null) }
    if($wmi)
       New-Object PSObject -Property @{
           DistinguishedName = (Get-ADComputer $_).DistinguishedName
           Server = $_
           Members = $members -join ";"
    } | Export-Csv $Output -NoTypeInformation

I agree use GP it is more reliable and easier to manage.
For the sake of demonstration of how this can be don here is how most of us would be likely todo this or a very close variation.
There is no issue with using Test-Connection and DNS. AD/DNS cannot have the wrong names or your domain would crash. Using Get-AdCOmputer instead of a file eliminates stale information.
$csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
import-module activedirectory
#adjust Filter as needed
$adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
Get-AdComputer -Filter $adfilter |
ForEach-Object{
$props=@{
Server=$_.Name
IsAlive=$false
DistinguishedName=$_.DistinguishedName
Members=$null
if(Test-Connection $_.Name -Count 1 -Quiet){
$props.IsAlive=$true
$group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
$members=$group.Members() |
ForEach-Object{
$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
$props.Members=$members -join ";"
New-Object PSObject -Property $props
} |
Export-Csv $csvfile -NoTypeInformation
Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
¯\_(ツ)_/¯

I have two users listed in my admin group. How do I get rid of one?

I have two users listed in my admin group, but the undesired one doesn't show up in users and groups settings pane. How do I get rid of it?

Well, I found a link which showed me how to find the hidden/unwanted user and get rid of it (remove hidden users: Apple Support Communities). Now when I get info from the drive on my network I find this:
Is this normal? I would expect to find something other than (unknown).

Cant add Windows accounts to staff or admin group

cant add Windows accounts to staff or admin group
I have one Mac pro workstation on a all windows network, its added to the domain. i can give network users administrative permissions on the pc by selecting allow user to administer this computer in the accounts in system preferences but they dont have file permissions unless i add them explicitly on the file or folder. i'm new with macs and not sure on what to do.

> local users (Not domain Users) to this Group and then nest this Group
> into the Local Admin Group Built-in into Windows 8
You cannot nest local groups.
Greetings/Grüße,
Martin
Mal ein
gutes Buch über GPOs lesen?
Good or bad GPOs? - my blog…
And if IT bothers me -
coke bottle design refreshment (-:

Help required in identifying the admin groups for a IT Resource

I would like to pick up the user details of the members in the admin groups of a particular IT resource.
Can anyone help me in this regard..???
Thanks in advance

If you can replace <SMALLIMAGE with <IMG then I am not
sure why you couldn't include the SRC="charcothip.jpg" with the
<IMG portion?
How are you replacing it currently? Could you store the
replacement string in a variable and use it instead.
var replacementString:String = "<IMG
SRC=\"charcothip.jpg\"";
Then you could do something like this (assume the myStr holds
the XML String):
var myArr:Array = new Array();
myArr = myStr.split("<SMALLIMAGE");
myStr = myArr.join(replacementString);
Obviously, this will only work if you are replacing all of
the <SMALLIMAGE pieces with the same image. If not then you
could use the following:
var searchFor:String = "<SMALLIMAGE";
var newString:String = myStr.substring(0,
myStr.indexOf(searchFor));
newString += replacementString;
newString +=
myStr.substr(myStr.indexOf(searchFor)+searchFor.length);
You can keep the width and height attributes since Flash will
recognize those when rendering the HTML.
Tim

DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

On client computers that are protected by DPM 2010 and prior versions, you had to put the end users account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening
the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the
backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.” This is not ideal on many networks because the end users are not allowed to have local administrator access.
Ths fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable
practice.
Is there a new hotfix for the same issue on DPM 2012? I am hesitated to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not appicable for version 2012.
Please help.
Thanks,

This is a hands off solution to allow all users that use a machine to be able to restore their own files.
1) Make these two cmd files and save them in c:\temp
2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
<addperms.cmd>
Cmd.exe /v /c c:\temp\addreg.cmd
<addreg.cmd>
set users=
echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
REG IMPORT c:\temp\perms.reg
Del c:\temp\perms.reg
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This
posting is provided "AS IS" with no warranties, and confers no rights.
That's a good one! Thanks for that.
I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
========================================================================
$RC=setoption("WOW64AlternateRegView","on")
$DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
$uservariable = "%userdomain%\%username%"
If KeyExist ($DPMkey)
$Userstring=ReadValue($DPMkey, "ClientOwners")
If $Userstring == ""
WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
? "Key created"
else
If not instr($Userstring,$uservariable)
$Userstring = "$Userstring,$uservariable"
WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
EndIf
Endif
EndIf
==========================================================================
The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
=========================================================
$uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
=========================================================
The only problem with that, is that key gets created/updated only if user gets logged phisically on that PC, but will not work for anyone connecting through RDP.

Security Settings for two admin groups with shared service

Hi all,
I use Essbase Administration Services 11.1.2 and Hyperion Shared Services Console 11.1.2.0.73 (Drop 17)
Access Rights are granted via Groups in Hyperion Shared Service Console.
We have two admin groups.
AccessGroup 1: admin rights on some cubes (A) and read rights on all others (B).
AccessGroup 2: admin rights on (B) and read rights on (A).
If someone of AccessGroup 1 copies a cube of (A) – Fin_rep for example – wether AccessGroup 1 nor AccessGroup 2 can even see the cube (and i dont even mention admin rights) execpt the one who copied it.
Settings in Shared Services Console:
- Both groups have role "Create/delete application" and "AccessManager" (or something like that - german word is "Zugriffsberechtigungsmanager") on Essbase Cluster (our essbase server).
- AccessGroup 1 has role "ApplicationManager" and "AccessManager" for all cubes which they should administrate (A)
and role "Read" for all cubes with read only (B)
- AccessGroup 2 has role "ApplicationManager" and "AccessManager" for all cubes which they should administrate (B)
and role "Read" for all cubes with read only (A)
I hope i can get some help with this topic.
Thank you in advance,
Best regards
Bernd
Edited by: 907705 on 07.02.2012 02:52

Security will not copy over when you create new cube from old cube. You have to grant security to required groups using shared services or Maxl.

Unity 7.0 - AD Domain Admin Group

I have Unity 7.0 with failover, AD, and Exchange 2010. Unity accounts are created in AD in the Domain Admin Group. Most that I have read states if Unity is a domain controller it needs to be in the Domain Admin group. I do not know how to see if Unity is a domain controller and do not know why (previous to me), Unity was setup in the Domain Admin Group.
Can you help me understand why Unity might be setup in the Domain Admin Group, reasons?
Thanks,

Melinda;
-> if you use the tools depot option in the unity server you will see an option called dc\gc reconnect tool to check if unity looks at itself as a domain controller; here is a link that will give you more informaiton on this tool; http://www.ciscounitytools.com/Applications/Unity/DCGCReconnect/Help/DCGCConnectionManager.htm
-> Can you clarify if you are asking whether the unity reference account ( unityinstall/unimgstoresvc/unitydirsvc) needs to be domain admin or not ? If you query is related to the above mentioned accounts ; what permissions do they need is documented in the following link;
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/unity/5x/installation/guide/umexfo/5xcuigumefox/5xcuigumefo070.html
-i hope this helps.

How to add an SG to the Admin Group of a newly created VM in SCVMM cloud

Hi, have given a team access to the SCVMM private cloud to create there own VM's , what I would like todo, is to add the SG that these guys are a member of to that servers Admin Group.
Otherwise they cannot log in, when once there server is created.
it joins to the domain fine etc.
Now, can this be done via PS in the template somewhere, or is there another way. ??
any ideas greatly appreciated
Thanks
Mark Green

Since VMs are domain-joined, then you can use GPOs to configure them. Create a group policy for these VMs and use "Local Users and Groups" in Computer\Preferences section to add your security group to the local Administrators group in VMs.
Gleb.

Is it possible to disallow RDP for one member of local admins group?

Hello:
I have an application server which has a service account that is in the local admins group. Is it possible to disallow only that particular service account from being able to RDP into the server? Server is Windows Server 2003 SP2. Basically, I'm trying to
bypass this: Members of the local Administrators group can connect even if they are not listed. I understand that anyone using the service account could undo any restrictions I make, so what I'm trying to do would just be
a deterrent. I cannot disable RDP altogether since our regular sys admins need to be able to RDP into the server. Thank you.

What if you specified the user and denied them rights to RDP to the server. A deny overrides every other permission, and if you can do this, then only that one user would not be able to RDP into the server, but other admins would be able to.

Config error, account determ, group missing for paid by company exp.type

Hi All,
When I am adding an Expense type to an Expense report,I am getting the following error message:
"Config error, account determ, group missing for paid by company exp.type"
I have maintained the configuration in Business configuration>Fine tune activity>Expense reporting-US.
I have maintained Expense Reimbursement Group as Z1(Customized) as well asExpense Account:- but not maintained offsetting Account For Paid Expenses.
Please find the screenshot.
Sincerely,
Rajitha

Dear All,
SAP development has created a software correction related to the issue.
Software correction is deployed in customer systems on 25th August,2014.
Sincerely,
Manasa Anantapur

Groups missing inherited permissions from parent folder on SMB share on save

If i save a file on a lion share where i have access RW over group permissions, the groups missing inherited permissions on SMB share on save.
File permissions before save:
user: read/write
group: read/write
other: no access
File permissions after save:
user2: read/write (it changed to the actual users who has permission on the Group)
group: no access !!! Why??
other: no access
On Mac OS X 10.6 i was able to force the group permission, from the parent folder.
Everytime i must manualy propagate from the parent folder to fix this !
Any ideas?

I have the same problem. What exactly do you mean by add ACL. I have tried to change the permissions to add the inheritance via ACL, with no joy - so any help you can give would be appreciated. Thank you.

Remove Send-As for domain admin groups

With referring to below link.
http://social.technet.microsoft.com/Forums/exchange/en-US/d2e97e64-536a-4c46-8e57-e0ac6a4ad64e/how-do-i-remove-domain-admins-send-as-settings-for-all-users?forum=exchangesvradminlegacy
The solution work perfectly for normal user but for user whose member of Domain Admin as well, the send-as will revert back from Deny to Allow after a while.
I have a user who member of domain admins group, say User A. Since we want to remove the send as for all users (including User A), I did followed the steps, Denied Send-As for Domain Admins group for User A.
However, after for while it return back to Allow.

The permissions on members of special groups is managed by the AdminSDHolder and SDProp.
http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
The way to deal with this is to give your domain admins (and any other admins) a separate account and to remove their "normal" account from any privileged groups (and to reset the adminCount property and "allow inheritance" on the "normal" account). Do NOT
give the admins a mailbox.
If you can't do that, then deny the Domain Admins group the "Send As" and "Receive As" permission at the organization level in the AD's configuration container. Use ADSIEDIT to do that here:
CN=<Organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<tld>
--- Rich Matheisen MCSE&I, Exchange MVP

Admin group missing

Similar Messages

Maybe you are looking for