Admin vs. Non-Admin Accounts

Can someone point me to a Knowledge Base article that details the differences/usages of these two types of accounts?
On all my past Macs I've just set up the one admin account and always logged in as that... but being more security concious these days I'd like to stop that practice.
Specific questions include:
- how to make programs/apps/files available to all accounts (they have to be on root level, right? is that sufficient?)
- how well iTunes plays with multiple accounts (are mutiple auths necessary?)
- browser considerations (consistency of bookmarks/plugins across accounts - probably need to cloud sync for that, or do I?)
I realize these are pretty basic questions and apologize that my research on them so far has been less than exhaustive... Still, if anyone knows of a quick link they can shoot my way it'd be much appreciated!
PDiggy

Mac OS X 10.7 Help- Create a new user or group account
Mac OS X- Setting Up User Accounts
More can be found using Google.

Similar Messages

System PATH environment variable issue when user log off and log in or switch from admin to non-admin account

Hi,
Problem Description:
After installing my new product version, when user does log-off and log in again into admin account
or switch from admin account to non-admin account, PATH environment variable shows incorrect path of my product (previous product version’s path) using command prompt.
It seems windows refresh issue during session changes (log off and log in / switch from Admin to
Non-admin account).
Why PATH environment variable is not refresh immediately after log off and log in again or Switch
from admin to non-admin mode?.
Please see my thread for more details http://social.msdn.microsoft.com/Forums/vstudio/en-US/445ab42c-bdff-405a-8d53-558e1b6c7d34/path-environment-variable-issue-when-user-logoff-and-login-or-switch-from-admin-to-nonadmin?forum=windowsgeneraldevelopmentissues
Also submitted bug for this in connect.microsoft.com portal.In that it has lots of information
like problem statement, Reproduction steps and Expected Results.
Bug ID: 871782
Could you please any body help me for this?. your support will be appreciated.
Thanks,
Marichamy

Why PATH environment variable is not refresh immediately after log off and log in again or Switch
from admin to non-admin mode?.
I wouldn't have any expectation of what you are doing to work the way you expect. E.g. why is the %ABC% being replaced at all? There is some help about this ambiguous scenario in the cmd help...
/V:ON Enable delayed environment variable expansion using ! as the
delimiter. For example, /V:ON would allow !var! to expand the
variable var at execution time. The var syntax expands variables
at input time, which is quite a different thing when inside of a FOR
loop.
/V:OFF Disable delayed environment expansion.
So, what's the setting for the /V: switch that your users would be using? Perhaps you should be using the ! instead of the % for your ABC variable?
Oh. There's more below where I found that...
Delayed environment variable expansion is NOT enabled by default. You
can enable or disable delayed environment variable expansion for a
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable delayed expansion for all invocations of CMD.EXE on a
machine and/or user logon session by setting either or both of the
following REG_DWORD values in the registry using REGEDIT.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
and/or
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
to either 0x1 or 0x0. The user specific setting takes precedence over
the machine setting. The command line switches take precedence over the
registry settings.
In a batch file the SETLOCAL ENABLEDELAYEDEXPANSION or DISABLEDELAYEDEXPANSION
arguments takes precedence over the /V:ON or /V:OFF switch. See SETLOCAL /?
for details.
If delayed environment variable expansion is enabled, then the exclamation
character can be used to substitute the value of an environment variable
at execution time.
So, I guess the essence of your "bug" will boil down to whether you
need the feature to get the result you want and the
truth of that first sentence but it certainly looks like a "can of worms" to me. ; )
HTH
Robert Aldwinckle

App Locker: admin user (non-admin token) unexpected run behavior

As an administrative user with a filtered token (not choosing Run As Admin), when I double-click an .exe residing in a location that no App Locker rule would allow a non-admin token to run - I expect to see the application blocked by App Locker, but it runs
instead.
Background:
No App Locker rule exists that would allow the .exe file's location (on my administrative user's desktop) or any of the other .exe's I'm able to run from my user's profile directory. I checked several of these with ProcExp and they all show
BUILTIN\Administrators = DENY on the security tab.
The only App Locker rule that would allow me to run this is the default rule for BUILTIN\Administrators.
I have verified with ProcExp that the current Explorer.exe is running with a filtered token (BUILTIN\Administrators is denied).
My administrative user is a member of a group, Workstation Local Admins, which is a member of BUILTIN\Administrators. I am not expecting this to match the Default rule for BUILTIN\Administrators.
UAC group policy is configured as follows and I have verified this policy is applied to this system and registry keys have been set to match by group policy processing: ENABLED -> [Admin Approval Mode, Only elevate UIAccess applications...secure locations,
Run all administrators in Admin Approval Mode, Switch to secure desktop when prompting..., Virtualize file and registry write failures...]; DISABLED -> [Allow UIAccess applications to prompt...without using the secure desktop, Detect application installs...,
Only elevate executables...signed and validated]; PROMPT FOR CONSENT -> [Behavior of the elevation prompt for administrators..., Behavior of elevation prompt for standard users]
AppIDSvc is running and seems healthy
all rules categories are set to enforce
So what is going on here? App Locker event log happily reports that all these "were allowed to run" - but how are the rules evaluating to allow them to run?
born to learn!

> Admin), when I double-click an .exe residing in a location that no App
> Locker rule would allow a non-admin token to run - I expect to see the
> application blocked by App Locker, but it runs instead.
This guy experienced the same issue:
http://superuser.com/questions/744350/applocker-and-uac-on-windows-8-1
Seems to be a design change in W8, although I couldn't find any
information about it...
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Newbie Question - application install/setup for admin and non-admin users

Hi,
I'm 100% new to the Mac environment and OS X and I'm a bit confused as to the environment and setting up applications and such for users.
I have a brand new Macbook Pro that I need to set-up.
USER Setup
- have a dedicated admin account called "Administrator"
- have a user account for my son, Joe.
- have a user account for me, Matt, so I can fool around on the machine to see if I like it enough to get one myself.
This is the account setup model I'm most accustomed to using under OpenVMS and Windows - an administrator account and separate lower privilege accounts for users.
I have managed to accomplish these three tasks ok. I also enabled File Vault on my account only.
APPLICATION Setup
We want to install the following applications but I'm having problems:
- Firefox, for use by all three accounts, but with separate bookmark files for each user. This is the browser we are familiar with and want to start with (sorry Safari, maybe as time goes by).
- Eudora for e-mail for just the two user (mine and Joe's) accounts, with separate user files for each account. It's the program we're familiar with.
- Microsoft Office for all three accounts.
- An architectural CAD program (ArchiCAD) for use only in my account.
- PGP for use only in my account.
My real issues appear to be with how to install apps the way I need them to be 'visible' to users.
I started by logging in as Administrator and downloading/installing Firefox.
It installed ok under the administrator account but I can't find/access Firefox when logged in via my or my son's account and I don't know what to do to give my/Joe's account access to it.
So,
1) How do I install an application once and make it available to all accounts (admin & user)?
2) How do I install an application and make it useable only by a subset of users
Thanks for any assistance.

matt212, welcome to Apple Discussions & the Mac community.
Suggest you buy the book by David Pogue - Mac OS X The Missing Manual Tiger Edition.
Includes everything you need to know about installing OS X, using OS X & maintaining OS X.
Look at these links for new users. They should give you an overview regardless of which version of OS X you are using.
Switch 101
http://www.apple.com/support/switch101/
Mac 101
http://www.apple.com/support/mac101/
Quick Assist
http://www.apple.com/support/quickassist/
A guide for switching to a Mac
http://lifehacker.com/software/mac/hack-attack-a-guide-for-switching-to a-mac-224674.php
Welcome to the Switch To A Mac Guides
http://switchtoamac.com/guides/
 Cheers, Tom

Making non-admin account

I've been using an admin account for everything (no scolding please), but am considering using a non-admin account instead.
Seems to me easiest would be I could simply change it from admin to non-admin, and back again when necessary. Would there be any problems doing it this way?
Or must I create a new, non-admin account and copy / migrate my current home folder from the admin account, and as much else as possible, over? If I have to go the second route, what's the easiest way to do that? Thanks.

Thanks Kiraly, Yeah, I think that's what BD had in mind when he said make sure to have another working Admin account before changing to non-Admin.
I've just been doing a little experimenting. I already have another Admin "test" account. What I've noticed is I can use the password from that one in the "main" working Admin account, but not the other way. Strange. Tried logging in to the "test" account with the "main" account password, but it wouldn't let me. But no problem logging in to the "main" account with the "test" password. In any case, since I've already got another working Admin account, it should be no problem, as you say, to change this one to non-Admin and use the test pword to authenticate when necessary.
*BD, if you're reading this,* you didn't think it would be all that dangerous to keep this one Admin. referring, I suppose, to the low risk of my wreaking havoc to the system files and data. Apart from the issue of my wife also using this account--and I actually don't think she'll do anything bad--isn't the main risk supposed to be a security one? That, navigating with an Admin account, some sort of rootkit, backdoor or keylogger, or whatever, might have unimpeded access to the system itself?

Non-admin users can't view GAL with Outlook Connector

Non-admin users are unable to view the Global Address List with Outlook Connector. When I give a test user admin rights (in our portal), the user can view the GAL. The VLV index is setup and functioning correctly for admin users. My versions are Directory Server 5.2 Patch 4, JES 2005Q4, Outlook Connector 7.1.222.4.
I've reviewed the ACIs on o=cp per http://docs.sun.com/app/docs/doc/819-5200/gbnse?a=view and verified that they are getting passed down to the child entries. I added a new ACI for a specfic test user, but I see no effect when I run an ldapsearch as that user. Here are the ACIs:
1. Allow Calendar Administrators to proxy
(targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
(targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
(version 3.0;acl "Allow Calendar administrators to proxy - product=ics,class=admin,num=2,version=1";
allow (proxy)(groupdn = "ldap:///cn=Calendar Administrators, ou=Groups, o=cp");)
2. Allow Calendar users to read and search other users
(targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
(targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
(version 3.0;acl "Allow Calendar users to read and search other users - product=ics,class=admin,num=3,version=1";
allow (read,search)(userdn = "ldap:///uid=*,ou=People,o=pcc.edu,o=cp");)
3. Allow test users to proxy
(targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
(targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
(version 3.0;acl "Allow test users to proxy - product=ics,class=admin,num=2,version=1";
allow (proxy)(userdn = "ldap:///uid=299899598658566,ou=People,o=pcc.edu,o=cp");)
Here's the log for an ldapsearch as a non-admin user:
-bash-3.00$ grep "conn=386080 op=1 msgId=2" access
[02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
[02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - SORT cn
[02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - VLV 1:1:dpelinka 2964:11852 (0)
[02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
When the same search is run by an admin user, nentires=3.
Here is the test ldapsearch:
ldapsearch -h vmpt1 -p 389 -D "uid=299899598658566,ou=People,o=pcc.edu,o=cp" -w {password} \
-b "ou=People,o=pcc.edu,o=cp" -x -s "sub" -S "cn" \
-G "1:1:dpelinka" "pdsRole=Employee" uid
David,

Jay,
Here's a full set of logs. The first set is from my test search; the second from an actual OC search. I don't see anything different between the admin and non-admin except for the number of entries returned.
ADMIN TEST SEARCH
-bash-3.00$ ./test_vlvindex.shl
version: 1
dn: uid=375308679900788,ou=People,o=pcc.edu,o=cp
uid: 375308679900788
dn: uid=534616896694744,ou=People,o=pcc.edu,o=cp
uid: 534616896694744
dn: uid=506947161967075,ou=People,o=pcc.edu,o=cp
uid: 506947161967075
index 2973 content count 11893
DS log-bash-3.00$ grep "conn=1964292 op=1" access
[07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
[07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - SORT cn
[07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - VLV 1:1:dpelinka 2973:11893 (0)
[07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - RESULT err=0 tag=101 nentries=3 etime=0
NON-ADMIN TEST SEARCH
-bash-3.00$ ./test_vlvindex.shl
index 2973 content count 11893
DS log-bash-3.00$ grep "conn=1973983 op=1 msgId=2" access
[07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
[07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - SORT cn
[07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - VLV 1:1:dpelinka 2973:11893 (0)
[07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
ADMIN OC SEARCH
-bash-3.00$ grep -i vlv access
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - VLV 0:8:0:0 1:11893 (0)
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - VLV 0:10:9:0 10:11893 (0)
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - VLV 0:17:20:0 21:11893 (0)
-bash-3.00$ grep "conn=1000785 op=14 msgId=15" access
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - SORT cn
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - VLV 0:8:0:0 1:11893 (0)
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - RESULT err=0 tag=101 nentries=9 etime=0
-bash-3.00$ grep "conn=1000785 op=15" access
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - SORT cn
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - VLV 0:10:9:0 10:11893 (0)
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - RESULT err=0 tag=101 nentries=11 etime=0
-bash-3.00$ grep "conn=1000785 op=16 msgId=17" access
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - SORT cn
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - VLV 0:17:20:0 21:11893 (0)
[07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - RESULT err=0 tag=101 nentries=18 etime=0
NON-ADMIN OC SEARCH
-bash-3.00$ grep -i vlv access
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - VLV 1:1:1:0 2:11893 (0)
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - VLV 0:8:0:0 1:11893 (0)
-bash-3.00$ grep "conn=2220710 op=1" access
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="cn mail uid objectClass"
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - SORT cn
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - VLV 1:1:1:0 2:11893 (0)
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
-bash-3.00$ grep "conn=2220710 op=2" access.20080107-171147
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - SORT cn
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - VLV 0:8:0:0 1:11893 (0)
[07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
-bash-3.00$
David.

Flash player does not work on Non Admin accounts

I have 2 citrix servers running Windows Server 2k3. Flash
installs and plays fine as the administrator, but once logged in as
a regular user. Flash does not work. I have set the security
permissions for the C:\Windows\System32\Macromed\Flash folder so
that non admin users can modify and write to the folder. That did
not work, flash asks to install, but when you click ok, it becomes
a red X. Any ideas?

Hi all,
Please see the following article that may address this issue:
http://www.adobe.com/go/624850b5
“After successful installation under the Windows
Administrator account, Restricted User accounts are unable to
display Flash Player content.”
This issue is never encountered with a new install of
Windows. It is sometimes encountered with older images and it is
strictly an issue with the ActiveX installer not for plug-ins.
Please reply to this thread with your results. If the
registry fix mentioned on this article helps, we will update the
document to reflect that it is still an issue.
Important Note: These online forums are for user-to-user
discussions of Adobe products, and are not an official customer
support channel for Adobe. If you require direct assistance, or
prefer to contact Adobe support staff directly, please contact
Adobe support.
http://www.adobe.com/support/contact/

Access to Resources via Non-admin accounts

Is there any way to provide access to resources so that they are accessible via
non-admin accounts. For e.g. to Retrieve my JMSConnectionfactory i do a
Environment env = new Environment();
env.setProviderUrl(url);
env.setSecurityPrincipal(username);
env.setSecurityCredentials(password);
Context ctx = env.getInitialContext();
The username and password here is the admin account. This works fine but if i
use a non-admin account(member of Operators group), i get exceptions on Domainloghandler
runtime
Problem: I need to register a mbean that needs to access JMS Resources. Since
our deployment team doesnt want to provide us access to admin accounts, we use
a "operators" group account to register our mbeans. if i do this, i get a
Access not Allowed for subject:principals=[operator, Operators], on ResourceType:
DomainLogHandlerRuntime Action: execute Target: registerToMe.
This happens when my managed resource tries to access a JMS ConnectionFactory.
Instead if i register my mbeans using the admin account, everything is fine and
my managed resource works nice.
This is on weblogic 81 SP1 on Solaris. Please let me know if you need more details.
Any clues/hints/solutions greatly appreciated. There is not a lot of documentation
on how to access/register mbeans using non-admin accounts.
TIA
Raj

I have done some more debugging on this and have narrowed down the issue to the
location where my initialcontext is being obtained.
so if i register my mbean as a non-admin account and do an operation on the managed
resource which fetches initial context, i get the below exception. This is how
i get my initialcontext
weblogic.jndi.Environment env = new weblogic.jndi.Environment();
env.setProviderURL("t3://machine:8102,machine:8103");
env.setSecurityPrincipal("operator");
env.setSecurityCredentials("operator");
Context ctx = env.getInitialContext();
I am doing this from a mbean thats registered on a different managed server(t3://machine:8101)...
Whats wrong with this?
TIA
Raj
"Raj" <[email protected]> wrote:
>
Is there any way to provide access to resources so that they are accessible
via
non-admin accounts. For e.g. to Retrieve my JMSConnectionfactory i do
a
Environment env = new Environment();
env.setProviderUrl(url);
env.setSecurityPrincipal(username);
env.setSecurityCredentials(password);
Context ctx = env.getInitialContext();
The username and password here is the admin account. This works fine
but if i
use a non-admin account(member of Operators group), i get exceptions
on Domainloghandler
runtime
Problem: I need to register a mbean that needs to access JMS Resources.
Since
our deployment team doesnt want to provide us access to admin accounts,
we use
a "operators" group account to register our mbeans. if i do this, i get
a
Access not Allowed for subject:principals=[operator, Operators], on ResourceType:
DomainLogHandlerRuntime Action: execute Target: registerToMe.
This happens when my managed resource tries to access a JMS ConnectionFactory.
Instead if i register my mbeans using the admin account, everything is
fine and
my managed resource works nice.
This is on weblogic 81 SP1 on Solaris. Please let me know if you need
more details.
Any clues/hints/solutions greatly appreciated. There is not a lot of
documentation
on how to access/register mbeans using non-admin accounts.
TIA
Raj

Is there any way to prevent non-admin user accounts to receive software update prompts?

I am the admin account user on our MacBook Pro, and there is one standard user account on it as well. Generally we are both logged on so we can quickly switch between user accounts and 'spin the desktop'.
For some reason, all the software update notifications seem to be received when the standard user account is the active one.
I know that the standard user cannot actually update without my account password and my Apple ID, but a) The notifications confuse the non-admin user, and she gets flustered, and b) Even if she manages to cancel them from the notification area, she then has to remember to tell me verbally that she had had one.
Is there any way to stop her receiving the update notifications altogether?
Running OS X 10.8.2 on MacBook Pro.
Thanks in advance.

You should be able to do this by unchecking the software update service in the system preferences to prevent the system from running the check as the "_softwareupate" user and passing it to the notification service that broadcasts to all user accounts. Then you can check for the software update in an admin account using the following Terminal line:
/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdateCheck -Check YES
This line can be scripted via Terminal services to run on a schedule (ie, every few hours), and if there are found updates it will launch the App Store for that account and present them. Granted this approach circumvents the notification service, but should work. To try this, open TextEdit on your computer and in a new document choose "Make Plain Text" from the Format menu.
Then copy and paste the following text into the new document:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>Label</key>
 <string>local.softwareupdatecheck</string>
 <key>ProgramArguments</key>
 <array>
 <string>/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdateCheck</string>
 <string>-Check</string>
 <string>YES</string>
 </array>
 <key>StartInterval</key>
 <integer>21600</integer>
</dict>
</plist>
When done, save the document to your desktop as "softwareupdatecheck.plist" or anything as long as it ends with ".plist." Then get information on the file in the Finder to ensure its name ends with plist and not anything else like "plist.txt" (rename it accordingly in the Info window's "Name & Extension" section.
With the file name appropriate, hold the Option key and choose the "Library" option in the Finder's "Go" menu. Then locate the folder called "Launch Agents" in the library and drag the text file to this folder. Then log out and log back into your account.
This text file is a launch agent script that instructs the system to run the program arguments every 21600 seconds (6 hours) whenever the user is logged in. The program arguments here are simply those to check for software updates for the system. You can change this time interval to be any number of seconds you would like, but there are other options to use besides the "StartInterval" key for scheduling the task. This approach simply has it repeat every number of seconds, but you can use other options to have it only run on specific hours or days, or only have it run once when you log in, etc.
If this works for you, then if you'd like to explore these other options write back here and we can go over them for you.

Screen sharing to OS X Lion Server with non-admin account

I have set up a Lion Server with one admin (in addition to the root user) and several non-admin normal accounts. In Server.app, I have enabled remote login with ssh, and remote management via screen sharing. I am unable to use Screen Sharing to connect to the server from the non-admin accounts, but able to use the admin account. I've read that it is only enabled for admin users, but need to access from non-admin accounts, and I can't add these accounts to the admin group. Is there a way to do this with Workgroup Manager? I tried changing the Remote Management settings in System Preferences by adding the non-admin, but when selecting 'Observe' and 'Control' in the options for the user, they are not saved.

I resolved this issue by deselecting the "Enable screen sharing and remote management" in Server.app and going to System Preferences, Sharing Preferences, Screen Sharing, and allowing access for "All Users". If you have some users you want to allow VNC, you can create a group, add the allowed users to the group, and add the group under "Only these users".

Can't login to local NON-admin accounts-Directory Access set to server

I have a strange problem on a set of laptops that I cannot resolve and am hoping someone can help me.
Here is the issue:
I have a set of building laptops (PowerPC, OSX.4.11) that seemingly will not "search locally" in the authentication process. The logins seem to work fine for NETWORK logins to our Open Directory Master xserve, but these machines will not login to any LOCAL non-admin accounts. The local root and local admin account logins do, however, work fine. ?? The remainder of the building computers (Intel iMacs OSX.4.11) appear to have the exact same settings and login fine both locally and via the network home directories.
I have tried the following:
Deleted DirectoryService preferences folder (MacintoshHD-->Library-->Preferences->DirectoryService)
Deleted the mcx cache in Directory Access
Tried adding a new non-admin user to test (still will not login)
Removed and re-created LDAP configuration (all set to custom)
Tried setting the LDAP to the automatic settings ("Add DHCP-supplied LDAP servers to automatic search policies")
Disabled all network connectivity (turned off Airport and disconnected the ethernet cable), still cannot login to local accounts
Tried to bind in LDAP configuration (when I did bind the machine, it would no longer authenticate to the network authentication server, so I did an "unbind" and restarted and it went back to performing the network logins, but still will not login to local non-admin accounts).
Reset passwords in System Prefs and also re-typed them in NetInfo Manager
Deleted login keychains
Deleted mcx.plist
Reinstalled the OS from disk and local logins worked TEMPORARILY--UNTIL I set the LDAP directory access to authenticate to our server (which I also need for the network logins to work),then, the issue started again.
*Same results with both ethernet and wireless connectivity enabled.
*Note: I also manage these local accounts via WGM (installed on the local machine) and even tried disabling that and still no luck.
Please help...I have spent hours and hours trying to find a solution and nothing seems to work! What am I missing??

Mostly just a bump...
How about that .local extension, or trailing / ?

Photoshop Elements 6 in non-admin account?

I just got the long-awaited Photoshop Elements 6 for Mac and installed it. The installation seemed to go well. But when I tried to use it, non of the layer styles and effects show up. I have read the Adobe site and see that it is intended to run only in and Admin account, but doesn't that defeat the purpose of several accounts. I tried letting the rebuild the mediadatabase.db3 file as suggested here,
http://www.scrappersguide.com/forums/showthread.php?p=28421
but that hasn't fixed the problem. I'm hoping some one here has a solution that will let me work in a non-admin account.
Thanks!

Previous versions also had permissions problems. Maybe some of the fixes will help the current version
<http://forums.macnn.com/82/applications/237093/installing-photoshop-elements-3- a/>

M3u streams won't play in non-admin account

Using Firefox 3.6.8 with Win XP SP3 with auto updates.
After years of being able to go to Amazon.com and click on an mp3 preview button (streams m3u format), I can no longer do so in my user account - I get a "What should Firefox do with this file?" dialog. Clicking on the link works fine if I log in as admin - it plays seamlessly. When I look in my user account Options -> Applications form as non-admin, I see "M3U file" listed in Content Type. Action is "Always ask." That Content type is not listed in the admin account's browser's list.
It frustrates me to NO END when things that worked perfectly fine no longer work.
Please advise!!!!

After looking at another post (How do I remove a filetype from the Applictions Menu), I succeeded in removing m3u from my Application's Content Type in my user-account but it did not solve my problem. I still get a "What should Firefox do with this file?" dialog.
Crap!!!

Installing apps from non-admin account

I read an earlier post that installing apps from a non-admin account is a bad idea because SL applies the wrong permissions. I normally install from a non-admin account.... I don't see that the permissions on stuff I've installed are any different from apps that came with SL. Most everything is drwxr-xr-x. Was this fixed, or am I missing the problem.

KJK555 wrote:
+"That isn't a problem at all. Applications should not require that the user have write+
+access to the application."+
I didn't say anything about a user having write access permission, I was talking about read
permissions. All apps installed in the /Applications directory should have group permissions
set to admin or wheel (depending on the type of app), so the system can read them without
problems. That's the Unix way.
I completely disagee. The system already has read permission to all applications in the /Applications folder. It doesn't matter what the group privilege is set to. The "other" permissions are set to read only. System (root) can read it regardless. If you can show me an Apple tech article that says that apps installed in the /Applications folder should have their group privilege changed to "admin" or "wheel" then I would gladly take that back.
+"Leopard does not put any ACLs on anything installed in the /Applications folder"+
That's right, it doesn't normally, but if it finds an app that it does not have permission
to read, it will assign an ACE(s) to it so that it can access it.
I just tested that in 10.5.8, and it does not happen as you say. I can't try it in 10.6. I'd appreciate if you could provide a specific example where you can make this happen.
Besides, all users, by default, have read only access to all applications. Unless a user specifically changes permissions on an app to deny read access to everyone, then this isn't an issue.
http://discussions.apple.com/thread.jspa?threadID=1875193&start=60&tstart=0
http://discussions.apple.com/thread.jspa?threadID=1866808&start=15&tstart=0
http://discussions.apple.com/thread.jspa?messageID=8776714&#8776714
http://discussions.apple.com/thread.jspa?threadID=1850256&start=30&tstart=0
http://discussions.apple.com/thread.jspa?threadID=2351437&start=15&tstart=0
http://discussions.apple.com/thread.jspa?messageID=9447059&#9447059
http://discussions.apple.com/thread.jspa?messageID=9067640&#9067640
I know what ACLs are and how they work. I have read through those and cannot find in any of those threads anything about what you had been talking about.
+"That is also false. Root rights are granted by the user entering the admin username+
+and password when prompted. It does not matter where an application is installed in+
+order for it to be given root permission."+
http://support.apple.com/kb/HT2963
"Application installers, Applications folder
A third-party application installer incorrectly sets permissions on the files it installs,
or even the entire Applications folder. Symptoms of the Application folder's permissions
being set incorrectly include applications appearing in the dock as question marks, and/or
not being able to connect to the Internet. It is also possible that software installed while
logged in as one user will be inaccessible when logged in as another. To avoid this, make sure
you are logged in with your normal user account when installing software that you wish to use
with that account."
That has to do with third party installer apps that developers have not written properly to conform to OS X standards. It isn't an issue with applications that install by drag-and-drop. It sounds to me like you have looked at the permissions that Apple has put on its own apps and jumped to the conclusion that third party apps won't work unless they have the exact same permissions applied to them. That simply isn't true.
"Software access=user access
Most applications executed by a user only have access to the files that the user has access to.
Backup software, for example, may not back up Mac OS X system files that have root ownership."
Utilities, especially disk utilities, are to be installed in the /Applications/Utilities folder, for reasons
stated above.
No. That is completely wrong. Like I said earlier, an application is given root permission by user authentication. It matters not one little bit what the application's enclosing folder is. I personally have no third party apps in /Applications/Utilities; just what Apple puts there as part of a standard OS X installation.
More permission tips:
http://www.bombich.com/mactips/image.html
http://mostlyslow.blogspot.com/2009/04/technical-mac-os-x-permissions-issues.htm l
Have you even read those? I suggest that you do; because most of what you have written about how file/folder/application permissions in OS X is completely wrong.

Font engine issues in non-admin account

I have an account with administrator rights (a privileged, or -pr account) for installing software and a non-privilged account for everyday use, on my Windows XP computer. I am having the following font issues with Illustrator CS3. When using the non-pr account, a number of fonts are unavailable, e.g. <Symbol> (Adobe type 1) and <Symbol> (Open Type). Also, names for available fonts are not forced to display in English, despite my having checked the box for EDIT>PREFERENCES>TYPE_Show_Font_Names_in_English. For example, the name of the Symbol_Italic font is displayed in Greek letters. When I log on as the -pr user, the font engine works fine. Both Symbol fonts are available, and all font names are displayed in English. The font engine in InDesign CS3 works fine from either account, so this seems to be a bug in Illustrator.

Did some research on this the other day, to see if i could get Software Update to run in the middle of the night like Windows can do.
Software Update requires Root powers, so when you give it your Admin Password your opening a sudo window of 5 minutes for it to complete it's task.
Software Update doesn't check for updates while in Standard User becuase Standard Users supposedly can't do anything about it anyway and it would be a obvious distraction. "Mommy the computer....!!!"
Apple should have a option in Software update preferences to let certain Standard Users know a Software Update is ready just for the purpose your explaining. I run in Standard as well.
I ran some Software Update commands via the Terminal for a launchd just to see what I could do.
Apprantly one can DOWNLOAD updates automatically with launchd in Admin, but not install them because of the need for sudo.
I just misssed a perfect opoortunity (todays update) to run a launchd to do automatic downloads of Software update, then see how to go about installing them afterwards. So fsck me, I'll have to wait now. (unless i use my other machine! ahhh!!)
Anyway the program you want is this little gem: Lingon
it's on Sourceforge (grab the image)
Ok so that takes care of the Software update downloads (man softwareupdate in Terminal for commands)
/usr/sbin/softwareupdate --download --all
Will do the automatic downloads, now it's just a script away to let you know ( a nice pop up window) that you have something in your folder where the Software Update just downloaded into.
That's the next question is where that is and how to run it.

Lightroom 3 asks for serial number launching in non-admin account

The following information was provided by Carey Burgess (Adobe Employee):
Does Lightroom 3 launch and work fine in an admin account, but when you launch the application in a standard (i.e. non-admin) account it asks for a serial number?
If so, then it is likely due to a file permissions issue either in the original (admin) account or with the standard account.
(Although you need administrator access to install Lightroom, and you do need proper access permissions to your photos, you should be able to run Lightroom without issue in a standard user account.)
Lightroom 3 stores registration data (the serial number) in a file called Lightroom 3.0 Registration, which is stored by default in one of these locations:
    * Mac OS: /Library/Application Support/Adobe/Lightroom
    * Windows XP: C:\Documents and Settings\All Users\Application Data\Adobe\Lightroom
    * Windows 7/Vista: C:\ProgramData\Adobe\Lightroom
- Check for the registration file in the appropriate location for your system.
If the file does not exist in that location, then ensure you are logged in with the admin account (the one where Lightroom doesn't prompt for a serial number) and check the user-specific location instead:
    * Mac OS: /Users/YOUR USER NAME/Library/Application Support/Adobe/Lightroom
    * Windows XP: C:\Documents and Settings\YOUR USER NAME\Application Data\Adobe\Lightroom
    * Windows 7/Vista: C:\Users\YOUR USER NAME\AppData\Roaming\Adobe\Lightroom
If the file exists in the user-specific location instead, then I would suggest that you ensure that you have quit Lightroom, and then move the registration file from the user location to the default system-wide location. Lightroom should now no longer prompt for serial number when you open it from a non-admin account.
If the registration file did (or now does) exist in the default system-wide location, but you are still being prompted to enter a serial number when opening Lightroom in a standard user account, then that account does not have sufficient access permission to the registration file.
To resolve this aspect, there are two possible solutions (the first being the recommended solution):
1. Change the access permissions on the Lightroom folder that contains the registration file to grant "Read" access for the standard user account. (You can do this for each account individually, or you can use a broader group like Everyone.)
For more information about changing permissions, see one of these articles:
    * Windows XP: http://support.microsoft.com/kb/308419#4
    * Windows Vista/Windows 7: http://windows.microsoft.com/en-us/windows7/What-are-permissions
    * Mac OS: http://docs.info.apple.com/article.html?path=Mac/10.6/en/8342.html
2. Copy the registration file from the system-wide location to the user-specific location for the standard user account. (You would need to repeat this step for each standard user that needs access to Lightroom.)
Reply here if these steps do not resolve your issue, or if you have any questions.

Months ago, I had a routine clearout of old software boxes etc and chucked out my Lightroom 1.0 box. A couple of weeks ago I reinstalled Lion on my mac to find that I cannot register Lightroom. I have the 3.0 upgrade serial, the 2.0 upgrade serial, but the 1.0 was on the box..
I followed the instructions above to find the files in crashplan form before the fomat that hold the registration details. I have tried placing them in the location described, but it doesn't seem to work.
The serials (or something) are in the file, but given in the string that is difficult to decipher - and doesn't work in the registration screen, wrong size and a mix of letters and numbers rather than just numbers as my 3.0 serial is.
Any suggestions for what I could do? Could I send the strings in to Adobe to be deciphered? Perhaps move files around a bit more?
Thanks in advance,
Rog.

Admin vs. Non-Admin Accounts

Similar Messages

Maybe you are looking for