Administrative Groups for MPLS TE

Do the Cisco 7600s have an equivalent to Juniper's (and Riverstone's) Administrative Groups feature? I would like to do MPLS traffic engineering based on administrative groups. I have tried searching for this feature, but haven't found anything. There might be a different name for this feature which I might not be aware of. I would appreciate it if somebody could help me with this.

Thanks Jon.
I am not sure if Affinity bits is the same feature as administrative groups (color).
Below is the description of Administrative groups that Juniper implements:
Administrative groups, also known as link coloring or resource class, are manually assigned attributes that describe the "color" of links, such that links with the same color conceptually belong to the same class. You can use administrative groups to implement a variety of policy-based LSP setups.
Administrative groups are meaningful only when constrained-path LSP computation is enabled.
Administrative groups require three levels of configuration. First, configure a table of group names at the [edit protocols mpls] hierarchy level:
    [edit protocols mpls]
    admin-groups {
        group-name group-value;
    }
You can assign up to 32 names and values (in the range 0 through 31), which define a series of names and their corresponding values. The administrative names and values must be identical across all routers within a single domain.
To configure administrative groups, follow these steps:
Define multiple levels of service quality:
    [edit]
    protocols {
        mpls {
            admin-groups {
                best-effort 1;
                copper 2;
                silver 3;
                gold 4;
                violet 5;
            }
        }
    }
Define administrative groups for an interface. These groups identify the administrative groups to which an interface belongs. You can assign multiple groups to an interface.
    [edit]
    protocols {
        mpls {
            interface interface-name {
                admin-group [ group-name group-name... ];
            }
        }
    }
If you do not include the admin-group statement, an interface does not belong to any group.
IGPs use the group information to build link-state packets, which are then flooded throughout the network, providing information to all nodes in the network. At any router, the IGP topology, as well as administrative groups of all the links, are available.
Changing the interface's administrative group affects only new LSPs. Existing LSPs on the interface are not preempted or recomputed to keep the network stable. If LSPs need to be removed because of a group change, issue the clear rsvp session command.
Configure an administrative group constraint for each LSP or for each primary or secondary LSP path, at the [edit protocols mpls label-switched-path lsp-path-name ] or [edit protocols mpls label-switched-path lsp-path-name (primary | secondary)] hierarchy level:
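
Added example (not part of the post or of Juniper's documentation): the group values 0 through 31 described above act as bit positions in the 32-bit administrative-group mask that the IGP floods for each link, and constrained path computation prunes links against an LSP's include/exclude masks before running shortest path. The routers A to D, the metrics, the function names and the include-any/include-all/exclude-any semantics (taken from RFC 3209) are assumptions of this Python sketch.

```python
import heapq

# Group table from the post; names and values must match on every router.
ADMIN_GROUPS = {"best-effort": 1, "copper": 2, "silver": 3, "gold": 4, "violet": 5}

# Constructed topology (assumption): (router, router, IGP metric, admin groups).
LINKS = [
    ("A", "D", 1, []),                  # uncolored link, cheapest path
    ("A", "B", 10, ["gold"]),
    ("B", "D", 10, ["gold", "violet"]),
    ("A", "C", 5, ["best-effort"]),
    ("C", "D", 5, ["silver"]),
]


def mask(names, table=ADMIN_GROUPS):
    """Fold group names into the 32-bit mask: group value n sets bit n."""
    bits = 0
    for name in names:
        value = table[name]
        if not 0 <= value <= 31:
            raise ValueError(f"{name}: group value {value} outside 0..31")
        bits |= 1 << value
    return bits


def link_allowed(link_mask, include_any=0, include_all=0, exclude_any=0):
    """RFC 3209 style affinity test; a zero mask imposes no constraint."""
    if link_mask & exclude_any:
        return False                    # link carries a forbidden color
    if (link_mask & include_all) != include_all:
        return False                    # link lacks a required color
    if include_any and not (link_mask & include_any):
        return False                    # link has none of the wanted colors
    return True


def cspf(links, src, dst, **constraints):
    """Prune links by admin group, then run Dijkstra on what is left."""
    adj = {}
    for a, b, metric, groups in links:
        if link_allowed(mask(groups), **constraints):
            adj.setdefault(a, []).append((b, metric))
            adj.setdefault(b, []).append((a, metric))
    heap, seen = [(0, src, [src])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in seen:
            continue
        seen.add(node)
        for nxt, metric in adj.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + metric, nxt, path + [nxt]))
    return None                         # no path satisfies the constraints


if __name__ == "__main__":
    print(hex(mask(["gold", "violet"])))
    print(cspf(LINKS, "A", "D"))
    print(cspf(LINKS, "A", "D", include_any=mask(["gold", "silver"])))
    print(cspf(LINKS, "A", "D", include_any=mask(["gold"]), exclude_any=mask(["violet"])))
```

An LSP with no constraint takes the uncolored direct link, while one that must include a color never uses an uncolored link at all.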

Similar Messages

  • Grant access to modify membership of local administrator group

    Hello,
    I am an Active Directory administrator and I would like to grant a certain user access to modify membership of the local administrator group for computers in a specific OU only. I tried to do that via delegation of control to modify membership of the group; however, when he tries to modify the administrators group of one computer in that OU, he gets an access denied message. Is there a way to do that other than delegation of control?

    Hi,
    According to your description, you want to grant the right to modify local administrator group membership on computers which belong to one specific OU through ADUC, right?
    I don’t think it is possible via delegation of control, since local administrator group membership can only be modified by a local administrator on the local machine. What you did only grants the right to modify the group membership of the specific OU, which means adding/deleting members within this OU.
    In other words, you need to add this user into the local administrator group on local machines to achieve your goal.
    Best Regards,
    Amy

  • OIM Attestation Process Default Administrative Groups

    It seems that, by default, when a user creates an attestation process that it inherits all the groups that the user is a member of as members of the Administrative Groups for that process. Furthermore, these groups have write and delete privileges.
    This is troublesome to me. Every OIM user is a member of the Employees group, therefore every attestation task could be deleted, modified, run, etc, by any user on the system. Surely this is not the intended behavior.
    It would make sense if the Process owner group were added to the Administrative Groups, but not every single group that they are a member of!
    Does anyone have an idea on how to correct this?

    Martin, Thank you for the reply. The OIM product docs have content indicating that OIM supports attestation at entitlement level. So was wondering if there is any straightforward way to achieve and I was missing something. I guess there will be a lot of overhead in maintaining the AD Groups as resource objects in OIM. In certain cases there will be thousands of AD Groups. If you know could you please advise on the impact / care to be taken with this approach.
    Thank you.

  • Report EM12C for targets not associated with (Administration) Group

    Is there a report/view in EM12C for showing which targets are not associated with an Administration Group or a standard group?

    For administration groups, check the Unassigned Targets report, accessible from the Associations tab.
    For more details, look for the section "Identifying Targets Not Part of Any Administration Group" in the Administration Groups chapter of the EM 12c Administrator's Guide:
    http://docs.oracle.com/cd/E24628_01/doc.121/e24473/administration_group.htm#EMADM10011

  • Accounts being created with administrative group rights

    Hello,
    The server is a Windows 2003 R2 Enterprise fully patched used for Shared Hosting purposes.  It runs Hsphere control panel.  I am trying to identify how the following hack is happening. 
    1) There are users being created with Administrative group rights.   Below is the EventViewer log for the user creation:
    User Account Created:
         New Account Name:    username
         New Domain:    PCNAME
         New Account ID:    PCNAME\username
         Caller User Name:    PCNAME$
         Caller Domain:    DOMAINNAME
         Caller Logon ID:    (0x0,0x3E7)
         Privileges        -
     Attributes:
         Sam Account Name:    username
         Display Name:    <value not set>
         User Principal Name:    -
         Home Directory:    <value not set>
         Home Drive:    <value not set>
         Script Path:    <value not set>
         Profile Path:    <value not set>
         User Workstations:    <value not set>
         Password Last Set:    <never>
         Account Expires:    <never>
         Primary Group ID:    513
         AllowedToDelegateTo:    -
         Old UAC Value:    0x2DAB2B0
         New UAC Value:    0x2DAB2B0
         User Account Control:    -
         User Parameters:    <value not set>
         Sid History:    -
         Logon Hours:    <value changed, but not displayed>
    There exist entries as well where the primary group ID is changed to the Administrative group, but I am omitting such.
    2) I tried to identify what Caller Logon ID:    (0x0,0x3E7) means.  I found out from here:
     http://blog.joeware.net/2013/01/14/2667/ that I can use LogonSessions.exe to identify it.
    Output from LogonSessions.exe is pasted below (snippet):
    [0] Logon session 00000000:000003e7:
        User name:    DOMAINNAME\PCNAME$
        Auth package: NTLM
        Logon type:   (none)
        Session:      0
        Sid:          S-1-5-18
        Logon time:   9/11/2014 12:41:53 PM
        Logon server:
        DNS Domain:   
        UPN:          
            4: System
          316: smss.exe
          364: csrss.exe
          392: winlogon.exe
          440: services.exe
          452: lsass.exe
          628: svchost.exe
          756: LMAgent.exe
          840: svchost.exe
         1000: spoolsv.exe
         1252: avagent.exe
         1268: camWMIAgent.exe
         1324: cissesrv.exe
         1380: cpqrcmc.exe
         1404: vcagent.exe
         1440: svchost.exe
         1480: HsQuotas.exe
         1740: inetinfo.exe
         1780: EmailAgent.exe
         1856: snmp.exe
         1884: sysdown.exe
         1920: smhstart.exe
         2192: svchost.exe
         2388: cmd.exe
         2396: hpsmhd.exe
         2444: cqmgserv.exe
         2464: cqmgstor.exe
         2484: HSphere.exe
         2596: wmiprvse.exe
         2676: cmd.exe
         2684: rotatelogs.exe
         2692: cmd.exe
         2700: rotatelogs.exe
         2732: searchindexer.exe
         2812: hpsmhd.exe
         2824: cqmghost.exe
         2852: svchost.exe
         3044: cmd.exe
         3052: rotatelogs.exe
         3080: cmd.exe
         3088: rotatelogs.exe
         5452: svchost.exe
         5596: GravitixService.exe
         7392: csrss.exe
         7232: winlogon.exe
         6888: csrss.exe
         9832: winlogon.exe
        10388: wawrapper.exe
        10352: cpqnimgt.exe
         9496: msiexec.exe
         6068: w3wp.exe
         4748: webalizer.exe
    3) I also learned from http://support.microsoft.com/kb/243330/en-us that Sid: S-1-5-18 means:
    SID: S-1-5-18
    Name: Local System
    Description: A service account that is used by the operating system
    That is all great info, but I am not sure I can put together what I have learned to attempt and get closer towards identifying how in the world users are being created and then being assigned administrative group rights.
    I am a Linux person mostly, but I am comfortable following a properly explained thread regarding windows 2003 R2 Enterprise issues.
    The server is fully patched and it is running Lumension security product.  What's more, Norman Malware tracker, tdskiller.exe (Kaspersky) and McAfee rootkitremover.exe have been run without any apparent Malware/Virus infection
    Hope someone with advanced admin skills can advise.
    Thank you

    Hi,
    You mentioned that, “I am trying to identify how the following hack is happening”. Would you please tell us why you think the event represents hacking behavior?
    In a Shared Server Hosting environment, the underlying hosting control panel tool (Hsphere in this case) should be creating only virtual FTP users with a specific group. So no users with Administrative group should be ever created. If this happens, it constitutes a breach of server security=positive hacking attempt.
    >how in the world users are being created and then being assigned administrative group rights.
    In addition, would you please be more specific about this question? Did you find the event message on a domain joined machine?
    I want to be able to understand in full how/what process is allowing users to be created with Admin rights. In other words, I want to know what IP was used to issue the command, if ASP.net was used (abused in this case), or anything else related to it so that we can patch this particular hole.
    Best Regards,
    Amy
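
Added example (not from the thread): one way to do the join the poster is attempting, taking the Caller Logon ID from the account-creation event, converting it to the form LogonSessions prints, and listing the processes in that session. The input text is abridged from the post, session [1] is constructed for contrast, and the function names are this Python sketch's own.

```python
import re

# Abridged from the event text and LogonSessions output quoted in the thread;
# session [1] is constructed for contrast.
EVENT_TEXT = """User Account Created:
     New Account ID:    PCNAME\\username
     Caller User Name:    PCNAME$
     Caller Domain:    DOMAINNAME
     Caller Logon ID:    (0x0,0x3E7)
"""
LOGONSESSIONS_TEXT = """[0] Logon session 00000000:000003e7:
    User name:    DOMAINNAME\\PCNAME$
    Sid:          S-1-5-18
      440: services.exe
     1740: inetinfo.exe
     2484: HSphere.exe
     6068: w3wp.exe
[1] Logon session 00000000:0001a2b3:
    User name:    PCNAME\\operator
    Sid:          S-1-5-21-1111111111-2222222222-3333333333-1005
     3120: explorer.exe
"""
LOCAL_SYSTEM_SID = "S-1-5-18"
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*)$")
PROC_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s*$")
SESSION_RE = re.compile(r"^\[\d+\] Logon session ([0-9a-fA-F]{8}:[0-9a-fA-F]{8}):")


def parse_fields(text):
    """Return the 'Name:  value' pairs of an event description as a dict."""
    return {m.group(1): m.group(2).strip()
            for m in map(FIELD_RE.match, text.splitlines()) if m}


def normalize_logon_id(value):
    """Turn the event's '(0x0,0x3E7)' into LogonSessions' '00000000:000003e7'."""
    m = re.fullmatch(r"\(0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+)\)", value.strip())
    if not m:
        raise ValueError(f"unrecognized logon ID: {value!r}")
    high, low = (int(part, 16) for part in m.groups())
    return f"{high:08x}:{low:08x}"


def parse_sessions(text):
    """Map 'hhhhhhhh:llllllll' logon IDs to their SID and process names."""
    sessions, current = {}, None
    for line in text.splitlines():
        header, proc, field = SESSION_RE.match(line), PROC_RE.match(line), FIELD_RE.match(line)
        if header:
            current = sessions.setdefault(header.group(1).lower(), {"sid": None, "processes": []})
        elif current is not None and proc:
            current["processes"].append(proc.group(2))
        elif current is not None and field and field.group(1) == "Sid":
            current["sid"] = field.group(2).strip()
    return sessions


def triage(event_text, sessions_text):
    """Join an account-creation event to the logon session that issued it."""
    event = parse_fields(event_text)
    logon_id = normalize_logon_id(event["Caller Logon ID"])
    session = parse_sessions(sessions_text).get(logon_id)
    return {
        "account": event["New Account ID"],
        "caller": event["Caller Domain"] + "\\" + event["Caller User Name"],
        "logon_id": logon_id,
        "created_by_local_system": bool(session) and session["sid"] == LOCAL_SYSTEM_SID,
        "candidate_processes": session["processes"] if session else [],
    }


if __name__ == "__main__":
    print(triage(EVENT_TEXT, LOGONSESSIONS_TEXT))
```

LogonSessions lists the processes present when it is run, so the result is a set of candidates running as Local System, not proof of which process made the call.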

  • Photoshop Elements 11 installed on Mac Mini OS X 10.9.5. Application running successfully on both main user and administrative accounts for considerable time with no warning messages. When established a new user account on same computer and try to call up

    Photoshop Elements 11 installed on Mac Mini OS X 10.9.5. Application running successfully on both main user and administrative accounts for considerable time with no warning messages. When established a new user account on same computer and try to call up elements receive message “Some of the application components are missing from the Application directory. Please reinstall the application.” How do I correct this problem without disturbing application in main user account?

    Brooks lansing if you create a new Administrator account does the same issue occur?  If so then it is likely that there is a file permission failure and file permissions have been set for the existing Users instead of the groups they belong to.
    Have you removed and reinstalled Photoshop Elements 11?  This may reset the file permissions to the correct state to allow it to work under new accounts.

  • Same user with administrative rights on all the servers in single domain versus domainadmin as a part of administrator group in all the servers

    same user with administrative rights on all the servers in single domain user as a part of administrator group in all the servers:
    same user is configured as administrator on all the servers in one domain at windows 2003 server. Should this user be made part of domain admin and then this can be set up in the group of administrator for all the servers.
    How is this technically different?
    If same user is set up as an administrator on all the servers in domain, will it have the same access on all the files as a domain admin user?
    dhomya

    If the account is not admin on the domain controllers and the account is not a member of domain admins or any other privileged AD group, the account has only user privileges on AD and thus cannot perform actions like creating and managing accounts, groups, OUs, policies, sites, ... in other words cannot potentially ruin Active Directory.
    I think that is a pretty big difference.
    In fact, it is bad practice to perform your daily server management with an AD privileged account.
    In regards to file access: the domain administrator will be just an admin, and thus has the privileges assigned to the local admin group, just as any other admin. But if they are different accounts they might be members of different groups assigning different privileges. Always be careful when assuming resulting privileges will be the same.
    MCP/MCSA/MCTS/MCITP

  • Account group for Customer

    Hi, is there any transaction to find the account group for a particular customer, other than XD07? We don't have authorization for XD07 in production.
    Regards
    Nagesh

    Hi,
    in XD03, enter customer number, view the customer and go to "Extras / administrative data", there you can see the account group.
    Best regards, Christian

  • Managing Monitoring Templates Based on Target Properties (not Administration Groups)

    I understand how to create administration groups, based on a hierarchy of target properties.  In addition, I've assigned monitoring templates to these various groups with limited success.
    But I would like to be able to set up different monitoring templates, metric values, compliance configuration, etc. based on the target properties themselves and not just the hierarchy.
    For example, let's say I have a hierarchy of administration groups starting with "Cost Center" at the top and "Location" as the next level. Now, I want to set up some compliance rules based on Operating Systems and want to do this across all my systems, regardless of administration group (i.e. all Solaris 10 machines set up one way, Solaris 11 machines another).
    Can I do this?

    Does your RCDC info look something like the following?
    <my:Control my:Name="GroupMemberOfSG" my:TypeName="UocListView" my:ExpandArea="true" my:Caption="Security Groups"
        my:RightsLevel="{Binding Source=rights, Path=isAdminAccount}">
      <my:Properties>
        <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />
        <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />
        <my:Property my:Name="PageSize" my:Value="20" />
        <my:Property my:Name="ShowTitleBar" my:Value="true" />
        <my:Property my:Name="ShowActionBar" my:Value="false" />
        <my:Property my:Name="ShowPreview" my:Value="false" />
        <my:Property my:Name="ShowSearchControl" my:Value="false" />
        <my:Property my:Name="EnableSelection" my:Value="false" />
        <my:Property my:Name="SingleSelection" my:Value="false" />
        <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
        <my:Property my:Name="ListFilter"
            my:Value="/Group[(Type='Security') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />
      </my:Properties>
    </my:Control>
    </my:Grouping>
    Anthony Marsiglia

  • How to add first log on user to local administrator group

    Hi All,
    When a user logs in to the system for the first time, I need to add that particular user to the local administrator group.
    How can I achieve this using VBScript?
    Thanks
    Divakar

    It is also now against federal law in the US, Canada and, I believe, the UK.
    In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins. This may not specifically affect your installation but it does show how important this is.
    There is NEVER a good reason to make a user an administrator. It is only lack of technical know-how that leads to this scenario. Any vendor product that requires this is not a safe product to use in a corporate network. Malware specifically looks for this as an attack vector.
    I spent three years arguing with Intuit to get their software to work. Every time they said you have to run as an admin I told them it would never be. We were always able to find a way. Now QuickBooks installs as a standard user with no issues.
    It can be done.
    ¯\_(ツ)_/¯

  • Wmi script to find out the time when the user was added to local administration group

    Hi Friends,
    I need a script/query based on WMI/WQL that finds out the time when the user was added to the local administration group on this computer.
    Regards
    Tanoj
    OSLM ENGINEER - SCCM 2007 & 2012

    WMI does not keep security information.
    Unless you have enabled auditing, this information is not retained in any way.
    If auditing is enabled, you can write a PowerShell script to look for the specific event in the event log. More specifically, you should look for all security events with ID 4732 containing the group.
    This one command does the trick:
    get-eventlog -logname security -instanceid 4732 -message *administrators*
    https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
    MCP/MCSA/MCTS/MCITP
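
Added example (not from the answer), in Python: the same search done on the event's structured fields, matching the Administrators group by its well-known SID S-1-5-32-544 instead of by message text, so it also works when the group name is localized. It assumes the Security log has been exported as XML under one root element; the sample records, host names, account names and SIDs are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known SID, identical on every host

# Constructed sample records; hosts, names, SIDs and times are made up.
_RECORD = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>{eid}</EventID><TimeCreated SystemTime="{time}"/>
  <Computer>{host}</Computer></System>
 <EventData>
  <Data Name="MemberSid">{member}</Data>
  <Data Name="TargetUserName">{group}</Data>
  <Data Name="TargetSid">{gsid}</Data>
  <Data Name="SubjectUserName">{actor}</Data>
  <Data Name="SubjectLogonId">{logon}</Data>
 </EventData>
</Event>"""
_KEYS = ("eid", "time", "host", "member", "group", "gsid", "actor", "logon")
_ROWS = [
    # added to Administrators on an English-language host
    ("4732", "2015-03-02T09:14:07Z", "PC01", "S-1-5-21-1-2-3-1105",
     "Administrators", "S-1-5-32-544", "helpdesk1", "0x4f2a1"),
    # same event on a French-language host: the name differs, the SID does not
    ("4732", "2015-03-02T11:40:52Z", "PC02", "S-1-5-21-1-2-3-1106",
     "Administrateurs", "S-1-5-32-544", "PC02$", "0x3e7"),
    # 4732 for another local group: must not be reported
    ("4732", "2015-03-03T08:01:13Z", "PC01", "S-1-5-21-1-2-3-1105",
     "Remote Desktop Users", "S-1-5-32-555", "helpdesk1", "0x51b07"),
    # 4733 is a removal from the group, not an addition
    ("4733", "2015-03-04T16:22:30Z", "PC01", "S-1-5-21-1-2-3-1105",
     "Administrators", "S-1-5-32-544", "helpdesk1", "0x6c9d4"),
]
SAMPLE_XML = ("<Events>"
              + "".join(_RECORD.format(**dict(zip(_KEYS, row))) for row in _ROWS)
              + "</Events>")


def admin_group_additions(xml_text, group_sid=BUILTIN_ADMINISTRATORS):
    """Return one dict per 4732 event whose target group has the given SID."""
    hits = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4732":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in event.findall("e:EventData/e:Data", NS)}
        if data.get("TargetSid") != group_sid:
            continue
        hits.append({
            "time": event.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "computer": event.findtext("e:System/e:Computer", namespaces=NS),
            "member_sid": data.get("MemberSid"),
            "group_name": data.get("TargetUserName"),
            "actor": data.get("SubjectUserName"),
            "logon_id": data.get("SubjectLogonId"),
        })
    return hits


if __name__ == "__main__":
    for hit in admin_group_additions(SAMPLE_XML):
        print(hit)
```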

  • RECOVERING FORGOTTEN ADMINISTRATOR PASSWORD FOR MACBOOK PRO WITH OS MOUNTAIN LION REQUIRES (A) OPTICAL DISK READER or (B) ANOTHER COMPUTER. I HAVE NONE OF THE TWO. I HAVE BEEN ABLE TO LOGIN TO APPLE SUPPORT AND COMMUNITIES. NO SOLUTION IS AVAILABLE

    RECOVERING FORGOTTEN ADMINISTRATOR PASSWORD FOR MACBOOK PRO WITH OS MOUNTAIN LION REQUIRES (A) OPTICAL DISK READER or (B) ANOTHER COMPUTER. I HAVE NONE OF THE TWO. I HAVE BEEN ABLE TO LOGIN TO APPLE SUPPORT AND COMMUNITIES. NO SOLUTION IS AVAILABLE

    Terribly sorry Joseph Kriz. I had absolutely no intention of annoying anyone. This was the first time I have been communicating in a discussion group, and as I wrote my comments I had no idea how my typing would reflect and where my question would be going. Hope my unintentional typing will be forgiven and causes no further agitation. The only additional comment I can make on your response is that "I do not use capital letters or CAPS LOCK while I try to enter my administrator password". Thank you for guiding me.

  • Creating Administration Groups using custom Target Properties?

    I've added a Target Property "Usage" to my 'host' Target type. I would like to use this property when creating my Administration Groups. When I try to create my Administration Group hierarchy, the only Target Properties available to use are the default ones (Lifecycle, Location, etc). Usage does not show up.
    Is there a way to make this work or is this just a limitation of OEM?

    Hi Timothy
    Typically you want to create user groups for functional areas or grouped reports/queries. You can enter as many users as needed into a user group and only those who have the checkbox next to their name in the user group screen will have authorization to create/modify queries in the infosets where the usergroup is assigned. If you are creating 2 usergroups with the same users and authorizations then that is redundant but if the list of users is different or the authorizations may change then it would make sense to have 2 usergroups. You should have some naming convention to follow when creating the queries but the Z prefix is not required.
    Andy

  • Administration Role for SLD

    Hi Gurus,
    I want to create a new user ID for the administration of the SLD.
    As my Web AS's UME is config to abap datasource. I created a SLD_ADMIN via SU01 (I cannot create a UME-based ID via portal's "User Administration")
    After that I edited the UserID(datasource ABAP)'s portal role. I included the following:
    Assigned Groups: SAP_SLD_ADMINISTRATOR(UME DATABASE)
    Assigned Roles: LcrAdministrator(UME DATABASE)
    Assigned Actions: LcrAdministrator, LcrInstanceWriterAll, LcrInstanceWriterCR (UME Type)
    But whenever I try to access to the SLD administration link of my instances' SLD
    http://<hostname>:5XX00/sld/cimom
    I get an error : " 403 Forbidden: You are not authorized to view the requested resource."
    What did I do wrong? Are there any more groups/roles I need to assign? My "administrator" ID runs well with the same assigned group.
    Thanks,
    Jansen

    Hello Jansen,
    You should also assign certain groups that you can find in the SLD Configuration guide to the user. Also in Visual Admin you need to add this user to the administrator group under the following path:
    services -> security provider -> Policy configurations tab -> Security roles tab -> administrators -> add the user in it
    regards,
    Anand

  • Add Managed By AD value to Local Administrator group.

    Hi,
    I'd like to add the user account of the AD computer's Managed by attribute to the Local Administrator Group.
    Could that  be done via GPP?
    Thanks in advance.

    Hi,
    I am doubtful about it, as when I run %manager%, the system could not recognize the variable, and also I didn't find the environment variable.
    I would like to suggest you use a script to do that: first retrieve all "Managers", then add them to each computer's local admins group.
    For scripting, please refer to the below link:
    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads
    Best Regards,
    Yan Li
    Yan Li
    TechNet Community Support
