After mapping groups, should I deny all users on ACS ?
I've created and mapped security groups in active directory DomainWirelessOK and DomainVPNOK. I mapped those to ACS_Wireless and ACS_VPN.
In my production environment, currently all users on ACS authenticate using "Default Group".
What's the best way to let only users of ACS_VPN and ACS_Wireless have acccess to resources ? Should I "deny" access to Default group ? Is there any specific order you would setup this ?
Also, if you have suggestions on how I can test this avoiding system disruption please let me know. I thought that I could perhaps include the IP address of few selected Access Points to confirm that mappings work accordingly ?
Hi
If you add a 3rd mapping to map everything else to "No access" that would lockout members of other AD groups.
Additionally, create two NDGs - one for VPN and one for WLAN. In each ACS group you can setup Network Access Restrictions (NARs) such that the VPN group only has access to the VPN NDG and the same for WLAN.
If a WLAN user authenticated via a device in the VPN NDG they would be rejected & vice versa. This assumes the groups are mutually exclusive which they probably arent. So you might needs to make each of the 2 ACS groups have access to both NDGs.
Darran
Similar Messages
-
Sshd_config with UseLogin denying all users shell access
I have searched for solutions to this problem for quite some time, so any help would be greatly appreciated.
For clarity, I will give the full description:
Solaris 10, fully patched, running Sun SSH.
back with rsh (and still can if rsh is enabled), if you set /dev/console in /etc/default/login, you could, as root perform:
# rsh problemHost <some_command>
and it would execute, however if you ran
# rsh problemHost
it would return "not on system console"
If a normal user did it, it would work, as /dev/console was only limited to ROOT.
Currently, I have UseLogin set in my sshd_config file. This is allowing this same functionality; root is allowed remote execution and denied shell access via ssh (with keys only of course). However, my problem is that it is denying ALL USERS a shell. So, users can run ssh problemHost <command>, but cannot ssh to the problem host for an interactive session.
I need this type of functionality to maintain a solid BSM audit trail for compliance to our SOX standards.
EXAMPLE::
Current Situation:
# whoami
root
# ssh problemHost hostname
problemhost.domain
# ssh problemHost
Not on a system console.
connection closed
# whoami
user1
# ssh problemHost hostname
problemHost.domain
# ssh problemHost
Not on a system console.
connection closed.
Desired/EXPECTED results:
# whoami
root
# ssh problemHost hostname
problemhost.domain
# ssh problemHost
Not on a system console.
connection closed
# whoami
user1
# ssh problemHost hostname
problemHost.domain
# ssh problemHost
Welcome to problemHost!!!
problemHost ~>
Edited by: jcarlson-cin on Apr 22, 2008 5:27 PMif UseLogin (see below) is left out, ssh performs as expected. However, it does not deny root access to an interactive session. that is what I am trying to achieve with the /dev/console setting in /etc/default/login. According to the man pages, UseLogin tells sshd to read /etc/default/login.
sshd_config:
# Allow root to login with SSH
PermitRootLogin without-password
## UseLogin -- Specifies whether login(1) is used for interactive login sessions.
UseLogin yes -
Google drive does not work with specific group but works with all users group!!
Hi,
Why Google drive does not work with specific group but works with all users group?
My rule : Internal > external > all users = works fine
But
Internal > external > A group = not working !!Hi,
if you require user authentication in Firewall policy rules, the clients must bei Webproxy clients (for HTTP / HTTPS) or TMG clients (for TCP/UDP):
http://technet.microsoft.com/en-us/library/bb794762.aspx
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote -
Retrieving User groups and email for all users in a group
Hi Everyone,
I need to create an ADF application to retrieve all the groups in OID, the user would select a group and it should list down all the email addresses in that group.
Can you suggest what is the best way to achieve this. My main concern is how to retrieve groups and email addresses from OID. I was unable to find APIs for it.
Your suggestions are greately appreciated.
Thanks,
HusainIn a multi-user environment, a user install a dreamweaver extension,but just the user who install the extension can use it.
Is there a way that administrator install the extension and make this extension available for other users in multi-user environment(e.g. the Windows 7)
Dreamweaver had this capability many releases ago, but it has been dropped, so it's no longer available.
Regards,
Randy Edmunds
Dreamweaver Development
Adobe Systems, Inc. -
Triggering Group Membership Rules against all users
I have created a few new groups and access policies that use rules to define membership. How do I trigger the search through the entire user list to populate the new groups? If I edit a single record, then the rule gets applied. I need to batch apply the new rules to all users.
KCHi,
I am not very sure if it will work or not but try running this default task it update all the user I guess.
Set User Provisioned Date
Else you can write a schedule task to update some attribute on user profile.
Regards
Nitesh -
issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login
issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login
-
Group Policy for Remote Desktop Users
Hi,
Currently my users use desktops and have user and computer GPOs applied (typical things like logon scripts etc.) at the OU level where they reside e.g. Finance Users, Sales Users etc.
I am planning a Remote Desktop 2012 environment.
I have read the following:
TechNet cc779327
So, my understanding is that I create a new OU for my Remote Desktop Server only (not users), and create a new security Group for my RD Users and a security group for my RD server.
Remote Desktop Servers OU
* RD User GPO (filter on RD User security Group and RD Computer Security Group)
* RD Computer GPO (filter on RD User security Group and RD Computer Security Group)
I then apply all computer settings to the RD Computer GPO (loopback processing, Windows installer, hide shortcuts etc.).
I then apply all user settings to the RD User GPO (app specific, templates etc.)
Why not consolidate the two GPOs into one?
If I set computer settings in the computer GPO, and apply it as above to filter to the RD Server group and RD Users Group will this apply to only users un the RD User Group...or ALL users since I added the server to the filter?
If a user currently gets a setting in their normal OU e.g. Finance logon script, will they still get it on the Remote Desktop? Or do I need to copy that GPO setting to my new RD User GPO also?
Am I right to add both RD Server and RD User groups to the filter on both RD User and RD Computer GPOs?
Loopback processing - merge or replace typically for Remote Desktop?Hi,
Thank you for posting in Windows Server Forum.
Create OU for RDS Server in Active Directory. Create security group for users who will use Remote Desktop Host (i.e. RDS Users). Create GPO (i.e. RDS Server Lock Down). In Security Filtering delete Authenticated Users, add RDS Server Account, and the security
group created in previous step.
Please check beneath article might useful for better understanding.
Lock Down Remote Desktop Services Server 2012
How to secure your remote desktop server with GPO
Hope it helps!
Thanks,
Dharmesh -
How to set a common page for all users after loging on?
hi all,
Now "My Dashboard" is the default page after logon.
i want to set a default home page for all users. users can see the home page after loging on.
how to change the default dashboard from "My Dashboard" to "Home page" for all users?
thanks,
danHi,
Steps:
Tried to set default dashboard for all the users.
1. Created a session init block
2. Used data source as select '/shared/SH Test/_portal/Test1' from dual
3. Assigned this value to PORTALPATH session variable
4. In Presentation services > Administration > My account > Default dashboard should be set to 'default'. Then only the dashboard specified in init block will be displayed otherwise My account will override the init block.
5. Save the changes made to rpd.
5. Logout and relogin to see if it is working fine. it is working perfectly fine.
For details please refer the GSC replication document. But it is for all the users.
if customer would like to have user/group based home page.
1. They may need to have 2 separate tables.
i. Group_path_tab with 2 columns. Group_id, portal_path
Have group wise portal path for all the groups
ii. User-group map table
Group_id, Group_name, user_id
User should be part of some group.
2. Then in the init block write the sql should be something like this
select A.portal_path from Group_path_tab A, User_group_map B
where B.user_id = :USER
and B.Group_id = A.Group_id
SO based on USER session variable, it will try to identify the group and then the portal_path.
Finally assign this value to PORTALPATH session variable.
ref:
http://total-bi.com/2011/01/obiee-11g-change-default-dashboard/
Thanks! -
AD Not all users groups brought into BO
Post Author: ChrisNorris
CA Forum: Authentication
Hi,
We have an issue that shows itself on a few sites. User A belongs to AD groups X, Y, Z. All of those groups are already existing in BOXI R2.
What we find is that often with new users A will be imported BUT not for all of the groups, it may onyl bring in X, Y in the Users Tab for Group Membership. Sadly though when looking at the members of group Z User A belongs to it.
This has the effect that User A does not get the permissions of group Z because, from a user perspective they are not assoociated.
Has anyone seen this problem, or know why / fix?
I have logged this with Support ages ago, with no success, and it has appeared in a number of different installations.
CheersPost Author: TAZ
CA Forum: Authentication
Well the LDAP plugin has undergone some changes for the reason of scalability. As of the latest XIR2 patch it should be possible to run 10's of thousands of groups and 100's of thousands of users. If we removed our graph the problems would likely shift as the CMS which doesn't authenticate just authorizes would get slammed not having the graph.
As far as the removing groups the product was patched, both AD and LDAP in XIR2 SP2 and further patched in FP 2.4. Removing groups from AD/LDAP will no longer bring down the plugins, instead we passively handle the error and keep the plugin running until the bad groups have been removed.
I actually remember a case or two of yours maybe 1.5 - 2 years back. I was pretty new back then and couldn't provide much help. I think we were working on a multi forest issue in CE10, I think that was you, could just be another Lester.
The only way to usually capture the problem is to run a constant CMS trace and packet scan of LDAP traffic. The tracing must be running before the problem(s) during and after. Then it's incredibly hard to find the queries between the CMS and IP scans but that's how we escalated the last synch issue that was fixed for the LDAP plugin -FP 3.7.
I'm not sure it's feasible for you but if you use trusted auth in XIR2 or import users via script you can remove the AD/LDAP graph dependancy, something to consider.
regards,
Tim -
LDAP Authentication Failed :user is not a member in any of the mapped group
Hi,
I tried to set up the LDAP Authentication but I failed.
LDAP Server Configuration Summary seems to be well filled.
I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list.
But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
LDAP Hosts: ldapserverip:389
LDAP Server Type: Custom
Base LDAP Distinguished Name: dc=vds,dc=enterprise
LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
LDAP Referral Distinguished Name:
Maximum Referral Hops: 0
SSL Type: Basic (no SSL)
Single Sign On Type: None
CMS Log :
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
trace message: LDAP: De-activating query cache
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 89
trace message: LdapQueryForEntries: incr. retries to 1
trace message: LDAP: Updating the graph
trace message: LDAP: Starting Graph Update...
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 89
trace message: LdapQueryForEntries: incr. retries to 1
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
, chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
trace message: LDAP: query for DSE root returned 0
trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
trace message: [UID=0;USID=0;ID=79243] Update object in database failed
trace message: Commit failed.+
Can you please help?
JoffreyPlease do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
Since the same result happens on multiple computers, it is not the profile.
I am recommending you delete the AD account (or rename to backup the account).
It will not effect the users Exchange account, but you will need to link it back to the new AD user account.
You can also delete her profile just to remove it, for the "just in case" scenario.
Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional -
Group Policy Pref - Mapped Drives Not Applying to One User
Hi All,
I’m new to this list, so please excuse any etiquette slip ups.
I have three users at a site. All their machines are running Windows XP Service Pack 3 and have client side extensions installed. I created a group policy to map their default drives using GP User Preferences.
Each of the drives is set to "update".
As an example of the policy created XML is as follows:
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:" status="H:"
image="2" changed="2009-11-25 05:13:58"
uid="{8A44D2F4-AAE5-4F43-AEEC-D36F08EA619C}" desc="Maps the users H drive to
ServerName\users$\%username%" bypassErrors="1"><Properties action="U"
thisDrive="NOCHANGE" allDrives="NOCHANGE" userName=""
path="\\ServerName\users$\%username%" label="Home (ServerName)"
persistent="1" useLetter="1" letter="H"/></Drive>
and
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="J:" status="J:"
image="0" changed="2009-11-30 03:52:58"
uid="{535CD462-A45D-4363-ADA1-2316D5ECC703}" desc="Maps J drive for users to
\\ServerName\apps" bypassErrors="1"><Properties action="C"
thisDrive="NOCHANGE" allDrives="NOCHANGE" userName=""
path="\\ServerName\Apps" label="Apps (ServerName)" persistent="1"
useLetter="1" letter="J"/></Drive>
The group policy is applied to an OU for that site.
All three users are in the same OU.
All three users are also in the same “xxsitecode Users” group.
2 of the users log into their pc and get the mapped drives with no issue, but one user doesn’t.
There are no other login scripts and the user has no manually mapped drives.
He does have a H drive mapped using the profile field in his AD object as a temp measure. But every 90 mins any other manually mapped drives are removed by the policy.
We don’t use roaming profiles
To trouble shoot I have tried
- Reinstalling client side extensions
- Re-joining the pc to the domain
- Running gpupdate from the command prompt to see if any event logs are generated (none are)
- Manually mapping the drives to make sure there is network access etc – I can manually map them/he can access them.
- Creating the user a new account, when he logs in using that account he gets his mapped drives on all PC’s
- Getting the user to log into a different pc, when he does this he doesn’t get his drives – so it’s not his machine or profile
- Manually checking the security on the user object in AD against one of the users who gets their drives mapped
I'm sure the GP is fine because it works for two other users and the testing isolates his user account as the issue.
The Policy I’m having issues with is xxxx Mapped Drives/ Printers
I have posted this issue on the tech net GP discussion groups page, but haven’t had any replies.
Any suggestions would be appreciated.
SimoneWhat's interesting is that I applied a new GP to users - it has one policy setting and one preferences setting. He only gets the policy setting.. aka he gets the wallpaper but not the homepage.
Also, Jorke asked me to post the gpresult /z .
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 10/02/2010 at 2:19:34 PM
RSOP results for DOMAIN\USER on MACHINENAME : Logging Mode
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: DOMAIN
Domain Type: Windows 2000
Site Name: SITECODE
Roaming Profile:
Local Profile: C:\Documents and Settings\USER.DOMAIN
Connected over a slow link?: No
COMPUTER SETTINGS
CN=MACHINENAME,OU=Laptops,OU=SITECODE,DC=DOMAIN,DC=com,DC=au
Last time Group Policy was applied: 10/02/2010 at 1:06:38 PM
Group Policy was applied from: XXXXXADC.DOMAIN.com.au
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
Allow Remote Assistance
au-mdwsus
Default Domain Policy
Legal Notice
Proxy Settings
Logon as service, operating system
AU-WSUS
Desktop Background & Home Page
Reg Permissions for default desktop
Local Admin & Local Power Users
The following GPOs were not applied because they were filtered out
SITECODE Mapped Drives/ Printers
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
AVD Rollout
Filtering: Disabled (GPO)
The computer is a part of the following security groups:
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
MACHINENAME$
Domain Computers
CERTSVC_DCOM_ACCESS
Resultant Set Of Policies for Computer:
Software Installations
N/A
Startup Scripts
GPO: Desktop Background & Home Page
Name: image.bat
Parameters:
LastExecuted: 7:55:34 PM
Name: swiftdesktop.vbs
Parameters:
LastExecuted: 7:55:35 PM
Shutdown Scripts
N/A
Account Policies
Audit Policy
User Rights
Security Options
Event Log Settings
Restricted Groups
System Services
Registry Settings
File System Settings
Public Key Policies
N/A
Administrative Templates
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\CurrentVersion\Winlogon
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: Desktop Background & Home Page
Setting: Software\Policies\Microsoft\Internet Explorer\Security
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
USER SETTINGS
CN=Matthew Luhrs,OU=Users,OU=SITECODE,DC=DOMAIN,DC=com,DC=au
Last time Group Policy was applied: 10/02/2010 at 1:54:53 PM
Group Policy was applied from: XXXXXADC.DOMAIN.com.au
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
Allow Remote Assistance
**** SITECODE Mapped Drives/ Printers - has Gp Pref's that should apply
Default Domain Policy
Proxy Settings
**** Desktop Background & Home Page - has Gp Pref's that should apply
Local Admin & Local Power Users
The following GPOs were not applied because they were filtered out
AU-WSUS
Filtering: Not Applied (Empty)
Legal Notice
Filtering: Disabled (GPO)
Reg Permissions for default desktop
Filtering: Not Applied (Empty)
Logon as service, operating system
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
au-mdwsus
Filtering: Not Applied (Empty)
AVD Rollout
Filtering: Disabled (GPO)
The user is a part of the following security groups:
Domain Users
Everyone
Offer Remote Assistance Helpers
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Computer Account Operators
Internet Users
SITECODE Users
DOMAIN-Public Folders Administrators
All Email Users
DOMAINSWIFTEMAIL
Domain Admins
Offer Remote Assistance Helpers
WSUS Administrators
DHCP Administrators
CERTSVC_DCOM_ACCESS
Resultant Set Of Policies for User:
Software Installations
N/A
Public Key Policies
N/A
Administrative Templates
N/A
Folder Redirection
N/A
Internet Explorer Browser User Interface
GPO: Proxy Settings
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: N/A
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
HTTP Proxy Server: Proxy:port
Secure Proxy Server: Proxy:port
FTP Proxy Server: Proxy:port
Gopher Proxy Server: Proxy:port
Socks Proxy Server: Proxy:port
Auto Config Enable: Yes
Enable Proxy: Yes
Use same Proxy: Yes
Internet Explorer URLs
GPO: Proxy Settings
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: Proxy Settings
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
GPO: Proxy Settings
Import the current Program Settings: No -
Server 10.5.7 upgrade deleted all user and group Info -- Receiving error -1
After upgrading our Dual 2.0 G5 server that was running 10.5.6 to 10.5.7 all groups and user information lost access. In addition when starting the workgroup manager error -14008 appears. Also when we look into the console log the following shows up
------------com.apple.launchd[1] (edu.mit.kadmind) Throttling respawn: Will start in 10 seconds
over and over
Any help would be greatly appreciated.I looked into A&I more, maybe it's not as nuclear as I thought. I presumed it meant I needed to reinstall all non-apple Apps, which means digging up disks and codes, none of which I have here. I'm away from home for another 4 weeks, which means doing that is difficult.
Being away is also why my back-up is a little out of date, I didn't bring the time machine drive for that MBP with me. I had it shipped to me as soon as I had problems, but the back-up I'd have to roll back to is now 1-2 weeks old and might still have the funky user:group problems since my timezone problems began before the 10.5.7 update.
I think DiskWarrior may of finally repaired the user:group issues. Not 100% sure but it's looking better. I just noticed that the primary user is admin but User is 502 and Group is 502. Whereas my secondary user account (also Admin) on that MBP User is 501 and Group is 20. My recollection is 20 is staff and both users groups should be 20.
I'll look into A&I more, probably do it when I get home.
Thanks.
Message was edited by: jb510 -
Not all users are displayed for log on after a reboot or startup...
Problem summary: Not all users are displayed for log on after a reboot or startup...
This problem only occurs after a fresh start-up or restart. The only users displayed are the initial (admin user) and "Guest". Two other (non-admin) users are not shown for log on.
To work around this problem and get them to log on we have to log on as the admin user, then we can see the other users in the Fast User Switching menu (top right-hand corner of the screen), listed under the current logged on user. After selecting the non-admin user we can log in and use the laptop as normal.
If we lock the screen, use fast user switching or log out all users; all users are available for log in, until a reboot is done; at which point the non-admin users disappear again and we have to log in as the admin user and use fast user switching again.
The laptops are both brand new MacBook Airs. The initial configuration of Mac OS X Yosemite was done using the Apple ID of the purchaser (parent) and then the OS was patched, immediately, through the App store (no further updates available as of the date of this posting). After this Family Sharing was activated and new users set up for the two children who will be using these laptops.
Has anybody else experienced this problem with Yosemite?
Cheers,
David.David,
Users not enabled for FileVault unlock are only able to log into the computer after an unlock-enabled user has started or unlocked the drive. Once unlocked, the drive remains unlocked and available to all users, until the computer is restarted.
FileVault has to be On.
To Enable the users to be able to unlock FileVault Go to:
System Preferences > Security & Privacy > FileVault ( Tab ) > Click the Lock in the bottom left > Put in your administrator password > Should see an option to Enable Users > Enable User.
Hope that helps,
Weston
Supporting Articles,
OS X: About FileVault 2 - Apple Support -
How to retrieve all users in a specific group
Hi,
I am using SunOne directory server. Can someone please post a sample code that illustrates how to fetch all the list of users in a particular group.
1) Let's say I want to find all the users in a group called "marketing". The root context is dc=mycompany,dc=com This group can be anywhere below this root context. Only information I am told is the name of the group - "marketing". How will I get all the users in this group?
2) For each user that is retrieved from the group marketing, how will I find out the user's DN?
Thanks for the help,
- SatishDo it like this...
String searchBase = "ou=marketing";
StringBuffer filter = new StringBuffer();
filter.append("(|");
if (organizationName != null && !organizationName.trim().equals("")) {
filter.append("(");
filter.append(ou);
filter.append("=");
filter.append("marketing");
filter.append(")");
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
constraints.setCountLimit(200); // How many users should be found
constraints.setTimeLimit(100000); // how much time should this search wait
// Get a initial context and set it to the ctx object
ctx.search(searchBase, filter.toString(), constraints); -
Upgraded to 3.1 and lost all users and groups. How do we get them back?
We ran the update to Server 3.1 (from 3.0) on our Mavericks Mac-Mini Server.
Everything had been fine before the update, but now all users and groups have completely disappeared.
The only user we have is the main administrator log-in.
Since we verified that all of our data, wikis, and other items are still in place, it might be easier to just re-create the groups and users (and permission therein).
But, we cannot log into Workgroup Manager, nor can we add users/groups in the Server app (because it is "grayed-out").
Can somebody please provide a suggestion??
We are a small engineering firm with only 5 users, so it's not like this would take all day.
Thanks, MikeHave you tried
sudo sso_util configure -r REALM_NAME -a diradmin afp
(cf. Lion Server: AFP users unable to authenticate with Kerberos after upgrading)in Apple Support ?
p.
Maybe you are looking for
-
HT1338 what is the latest OS that my mac supports?
I have a Macbook 2GH Intel Core 2 Duo with a MAc OS X 10.5.8, my updater does not find anymore updates and my computer is super slow, I want to know what is the newest OS that my Macbook supports because I hear it does not support Lion.
-
IPayment with 3rd Party payment system
Hi All, I have to configure iPayment with the third party payment system. the 3rd party talks with the Paymentech for credit card processing. Here in this case, 1. 3rd party server is providing web services to talk with them 2. 3rd party server is wo
-
Need help choosing a new all in one printer. Help!!!
I'm so sick my hp d135 It has given me nothing but pain.multiple users never worked ink cartriges never lasted. And I've had a scanner failure for the past two years. shame on me I kept it this long.
-
Photoshop CS 6- Can't see any picture
Hi, I am actually looking for the german support but I can't find it nowhere. Anyway maybe there are some people who have the same problem. I have the new version of adobe creative suite 6 Design standard sudent and teacher edition (german edition).
-
Hi Guys, I'm trying to configure transaction launcher for transaction VA11 (ZDD_VA11).. I've done all the necessary settings but when I try to test it via Web client, it open up VA11 transaction in Popup Window within the browser. I received help be