All Domain User update specific application

Server OS: Windows Server 2008 R2
PC: Windows 7 SP1 Professional /joined domain
We looking for any hint can allow domain user account upgrade specific appliation, we test servral method but all not work
1. This is IM QQ appliction and no MSI , version change quickly, can not use GPO deploy also the patch is not download. Force update by online.
2. We can not grant local admin right to users beacuse need to stop anyone install application without approval
3. Can not use Windows Application Control, because that feature need Windows 7 Enterprise.
4. Consider use local security policy, application control or software restrict but difficult for mangement over 100 PCs
5. Try to grant everyone under program files / (x 86) folder but patch update seem involve registry and other system permission.
6. Market has third party application control but those application can not block the application which not on their list, means we if we grant local admin right to users, they can freely install anything
seem any other information can help this case. thanks
supporthk

How about:
Group policy to add a local admin user account for a day or two, or a week
Group policy to apply a logon script to run a batch file - batch file to copy file(s) to local computer, "run as" the install file as new local admin account, then clean up temp & install files
Then edit the 1st GPO to remove that local admin account
Could be a way, but that force the admin to pre-package all software update and it allow a hole for the user to install anything while it's PC isnt rebooted.
Maybe in App-V it could be do-able. In XenApp you can stream to the computer the application, and you can allow the user to update. The registry hive is isolated and file are deployed when the user click the application. Never tried it with App-V, but I
heard you can isolate the application too. In both product you pre-install in a virtual's way, and that make like a .msi, that the user get to the workstation when they want to use the application in big, and the modified file are stored in the user profile
(for xenapp, surelly the same for app-v)
Regards, Philippe
Don't forget to mark as answer or vote as helpful to help identify good information. ( linkedin endorsement never hurt too :o) )
Answer an interesting question ? Create a
wiki article about it!

Similar Messages

Cannot log in on one particular PC as other domain user than specific

Hello,
We have next problem:
On one specific PC I can log in as one specific domain user. However, I cannot log in to this PC as other domain user than specific. When I try to log in as other user it turns back to "Press Ctrl+Alt+Del to log in" screen so it doesn't go
to user's desktop.
Operating system is Windows 7 Enterprise.
What could be issue in such case?

Can you access resources like file shares with the user who can login?Has the PC been off for a long time? I just ask as the computer needs to talk to the domain controller at least once every 3 months, otherwise it looses it's domain membership and has
to be removed and rejoined.

Restrict access of "domain user" to specific computer

I need to restrict access of "domain user" to a specific computer in the domain/
I try to Do it by using "Active Directory Administrative Center"
In Computers\Computer name\Properties\Extensions\Security
I add the name of user and I marked deny to all and I canceled inheritance
And yet the user can login to the computer
I searched Policy that contradicts the security and I not found.
With the "gpo" I was able to block, but I need necessarily used the Security
Because of Security can be partial restriction.

Hi,
Based on your description, I understand that you want to allow some certain users to access specific domain
computers.
Please open ADUC (Activity Directory Users and Computers) and click User container. Then select that specific
user account, open its Properties and navigate to Account tab. Please click
“Log On To…” option to open Logon Workstations panel. In Logon Workstations panel, please change
This user can log on to: All computers to The following computers. Then type the specific computer names. Please check if this can help you to achieve target.
If anything I misunderstand or any update, please don’t hesitate to let me know.
Hope this helps.
Best regards,
Justin Gu

All SAP Users on the Application Server

Hi,
Is there any place in SAP where I can see who are using sessions specific to my application server?
Thanks

Displaying all the Users in Your System
Use
When you start the User overview, the system displays to you the users who are logged on to the same application server as you are. You can however, display all the users logged on to the SAP System.

Prerequisites
You are already in the User List screen (Transaction SM04 ).
Procedure
Choose Goto -> Terminals to display a list of all users who are logged on in your SAP System. The list includes all application servers in your system.
In this display, you can look at users, but you cannot access user sessions. To display information or access a user session, switch to the server on which the session is active. You do this by positioning the cursor on the desired user, and then choose Goto -> Remote server.
You return to the server where you were previously logged on by choosing Back.
Regards

Reporting Services - Content Manager shows all reports for all domain users even without permissions

I have installed
reporting services 2008 in: Site
Settings option / Security only 3 users
have added:
BUILTIN \ Administrators
System Manager
MYDOMAIN \ user1
System Manager, System User
MYDOMAIN \ user2
System Manager, System User
I have the same settings in the "start
up" folder and inside the folder
where are my reports, however if I authenticate
any user with different domain
to user1 and user2 can see all content
of the report manager can even
manage it.
Help me, greetings
Jenny

however if I
authenticate any user with
different domain to user1 and user2 can see
all content of the report manager can
even manage it.
Hello,
Did you means that other domain user account (Other-Domain\user3) can access reports on the Report Manager without grant any permission? As per my understanding, it is not possible. SQL Server Reporting Services uses Windows Authentication
defaultly to determine who can perform operations and access items on a report server.
Based on your description, you grant the local Administrators group and two domain users with system-level role: System Administrator.  System-level role assignments grant access to global tasks and permissions that apply to a report
server site, That's may cause the user can access and manage all contents on the Report Manager.
If you want to set permissions for accessing conntents on Report Manager, you can just specify itme-level role assignments.For example, if you grant user with Browser role on a report, the user can view report and report properties, but cannot edit
report properties.
Reference:
Lesson 1: Setting System-Level Permissions on a Report Server
Lesson 2: Setting Item-Level Permissions on a Report Server
Regards,
Fanny Liu
Fanny Liu
TechNet Community Support

Download all files from a specific application server directory to Local pc

Hi Experts,
I have a requirement of downloading all the files from an application server directory to a local pc.
I know how to download a single file from an application server at a time provided the file name is known.
But my requirement is to download all the files in that particulary directory, because I dont know how many files were created in that directory and what are their names.
Please kindly provide the solution.
Thanks,
Kalikonda.

Nelson,
Here is the function module that I have used to get all the application server files.
appl_dir_name is the path of the directory i.e. '/outbound/PD1/Applnserverfiles/'
it_appl_srv_fls is the internal table where all the files gets stored in.
CALL FUNCTION 'EPS_GET_DIRECTORY_LISTING'
 EXPORTING
 dir_name = appl_dir_name
FILE_MASK = ' '
IMPORTING
DIR_NAME =
FILE_COUNTER =
ERROR_COUNTER =
 TABLES
 dir_list = it_appl_srv_fls
EXCEPTIONS
invalid_eps_subdir = 1
sapgparam_failed = 2
build_directory_failed = 3
no_authorization = 4
read_directory_failed = 5
too_many_read_errors = 6
empty_directory_list = 7
OTHERS = 8
IF sy-subrc <> 0.
 MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
 WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
ENDIF.
hope this solves your problem.
Thanks,
kalikonda.

"File History" won't open/start for domain user profile/account

I'm trying to use the File History feature in Windows 8.1 to create backups. When I click "File History" from the control panel, nothing happens. No new window opens, it just stays at the Control Page.
I've tried manually going to "Control Panel\All Control Panel Items\File History".
All works fine with local Administrative user profile.
Why does File History not start/open/run for the domain user account that is in the Administrators Group?

Hi,
Base on my lab machine (Windows Server 2008 R2 DC, Windows 8.1 client). either domain admin user or domain standard user, they all work fine.
What's your environment? Did this issue occur on all domain user or specific one?
In some cases, File History may conflict with the enterprise policies (like retention policy). I suggest you contact your IT admin to see if there is some other policy to limit this.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Difference between Domain\Domain Users and Everyone Group in SharePoint

Hi,
In SharePoint 2013, is Everyone Group an AD group ? Please help with details.
Thanks
srabon

Hi All,
Domain Users, Authenticated Users, or Everyone
Domain Users
The Domain Users is the only real group of the 3 listed above. By that I mean you can add and remove members from this group. Domain Users is a Global Group in the domain, and it can only contain users that are members of same domain the Domain
Users group resides in. By default all users created in the domain are automatically members of this group. However, the default Guest account in the domain is NOT a member of Domain Users, instead it is placed in the Domain Guest group.
Because Domain Users is generally considered the most secure group of the three listed above.
Authenticated Users
Authenticated Users was first introduced in Windows NT 4.0 SP3. This is a built-in group and cannot be modified. The Authenticated Users group contains users who have authenticated to the domain or a domain that is trusted by the computer domain.
Authenticated Users contains all manually created user accounts in all trusted domains regardless of whether they are a member of the Domain Users group or not. Authenticated Users specifically does not contain the built-in Guest account, but will contain
other users created and added to Domain Guests.The Authenticated Users group also includes the local computer account (computername$) and the built-in SYSTEM account.
Everyone group
The Everyone group includes all members of the Domain Users, Authenticated Users group as well as the built-in Guest account, and several other Built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc. NULL session connections (aka
anonymous logon) used to be included in this group but were removed in Windows 2003. This is a built-in group that cannot be modified.Because the Everyone group contains the Guest account, and several other Built-in security identifiers like SERVICE,
LOCAL_SERVICE, NETWORK_SERVICE, etc. is generally considered the least secure of the three groups.
Short Answer is there isn't much to worry about unless folks are logging I with a guest account or you have removed a bunch of folks from the domain users group
-Ivan

Principal Name for Active Directory "Domain Users"

Hi,
I successufully integrated Weblogic & Active Directory Kerberos (SSO). I tested a web application and successifully logined it with authentication.
The system automatically recognized my Active Directory username. It worked.
For authentication in my weblogic.xml I used
<security-role-assignment>
<role-name>admin</role-name>
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
</security-role-assignment>
Now I'm trying to allow all domain members to authenticate my application. For my application I only need the actice directory usernames for them.
For this purpose, I removed "kursat","fenerbahce" from my weblogic.xml
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
I added
<principal-name>Domain Users</principal-name>
instead of writing all domain users.
However I couldn't authenticate. I got the "Error 403--Forbidden"
Is there anyone can help me?

test by creating a groups under Domain Users and use it as your principal name in your weblogic.xml
-Faisal
http://www.weblogic-wonders.com

From external: block all domains except one MAPPINGS file?

Here's the problem...
I have an old domain that my mailserver is still authoritive for. We receive mail through a mail ISP cluster, in that sense that our internal mailserver does not have any MX-records associated with it. All MX-records point to the ISP.
We have recently changed domain name because of a merger.
I am still rewriting all RCPT TO: [user]@olddomain.com to RCPT TO: [user]@newdomain.com in imta config.
I now want to end that rewriting using the mappings file for all except but one domain.
So the end result should be:
MAIL FROM: all domains -> [user]@olddomain.com REJECT $Netc......
but!
MAIL FROM: specific domain -> [user]@olddomain.com should still be passed on to the IMTA.
I have used SEND_ACCESS before as a method of blocking mail, but this is specific... I want to block the whole world except one originating domain (for the old domain)
Does anyone have a working example of this and could you provide it for me?
TIA
Eli

Jay :-)
We have reinstalled iPlanet Messaging Server 5.2 on Windows Server using all new servername FQDN and all new domain hosting for.
FQDN: mail.new-domain.local
Mail authoritive for: new-domain.com
Server is located on the LAN and gets it's mail from an ISP using mailkick.
Server is actually not aware (neither in MX, nor in LDAP records) of the old domain.
The only way the server gets it's mail is through smart-hosting. It just works and acts as a new server. Mail for the old-domain.com (organization) is accepted because I rewrite the domain part of the old-domain.com to new-domain.com
old-domain.com $U%[email protected]
Server accepts mail from all sending/origination domains only for the TO: new-domain.com it is authoritive for.
Now here is the catch... I want to disable the TO: domain-rewriting, because people need to use the new-domain when addressing us.
There is still only ONE organization out there that needs to address the old-domain.com because of X.509 encrypted mail. This is the only domain I will do rewriting for.
Hence is why I was looking at the SEND_ACCESS
It has some ways of blocking part of a sender or address part of a enveloppe based on wildcards etc....
Yet only blocking....
How do I block the whole world except that old organization we still do business with. Mail for the old domain is also delivered through the same mailkick by ISP.
So if whole world -> [some user]@old-domain.com REJECT
and
single organization -> [some user]@old-domain.com ACCEPT and continue REWRITING
Hope I shed a bit more light on the subject....
Eli

Allow connection to RDS applicatoins and restrict RDP connection for domain users

I have configured RDS setup, with the following Roles: RD Web Access, RD Gate Way, RD Connection Broker, RD Session Host and RD Licensing.
the problem is that the domain users can't run the published applications unless I add the "Domain Users" group into the remote desktop users on the RDS servers, but now all domain users can connect RDP to the RDS servers.
so we need domain users to connect to the RDS published applications and restricting them from connecting RDP to the RDS servers, in addition I can see that internal servers are accessible from outside through the RD gateway server.
any ideas ?

Hi,
Thank you for posting in Windows Server Forum.
For a test you can create one group, assign the specified user under that group. Add that group under “Remote Desktop User” local group. For getting access to published Remote Application you can simply assign\add the group under collection properties of the
application and that user can get access.
For restricting user to server remotely, you can add that group of user under “Deny logon through remote desktop service” under User Rights assignment. Also you can check “Deny
New User Logons to an RD Session Host Server” settings.
Hope it helps!
Thanks.
Dharmesh Solanki

Allowing the domain users Group to SCCM 2012 Remote Control

Hi There,
been working on this issue for the last few days now and its frustrating the crap out of me. My company has requested for all Domain users to be allowed to Remote Control to everyone's computer. This is so that users will be able to show each other how to
use in house application. In SCCM 2012 console, I've added the Domain users to the Premitted viewer tab. I've also added the domain user group to the administrative user section, added the Remote operator role and assigned the
ALL security scope to it. On another machine, i run the CMRCviewer to this machine and it prompts for username advising me the one i provided isn't authorized. when i check on the targeted machine, i can see domain users populated in the ConfigMgr
remote control user group
It seems only domain admins have rights to Remote control in. i've only got one client setting defined (default policy).
the interesting thing is the following layout
WINDOWS XP ---> WINDOWS 7 prompts for username
WINDOWS 7 -----> WINDOWS XP works
WINDOWS XP -----> WINDOWS XP works
WINDOWS 7 ------> WINDOWS 7 prompts for username

Hi Dave,
1) yes domain users is part of the configMgr remote control users". CMRCSERVICE.log shows the following
=== Starting security handshake ===
CmRcService
11/03/2013 10:44:29 AM
4808 (0x12C8)
HandshakeWorker failed..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Security filter server: DoHandshake failed..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
m_pSecFilter DoHandshake() failed. CmRcService
11/03/2013 10:44:29 AM 4808 (0x12C8)
DoHandshake failed on server side.
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to do Handshake in Server.
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to create security context.. Security Handshake failed.
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to validate Security requirement..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to complete the RDP connection..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
i've confirmed this user is part of domain users as well.

Business Objects Enterprise - domain user

As mentioned in blog at /people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2 the SNC interface can be used to provide SSO with Business Objects Enterprise.
The SSO works if the Windows services are started using a domain account, because the SNC session between BO server and SAP server is initiated using these domain credentials. We have found though, after 1 week the users credentials expire (due to ticket lifetime configuration in Active Directory) so BO server needs to be restarted every week. To solve this we are aware that SAP RFC library requires an SNC_MYNAME parameter, and we have put domain credentials on BO server in a key table file. I am wondering if you know how we can configure the SNC_MYNAME parameter in the RFC connection string used by BO software ?

Ingo,
I am referring to client side SNC, as described in part 1 of your blog. As you know, a domain account is needed and the Windows services need to be changed to start as this domain account, instead of as system. When this change is made, and the WIndows services are started, they will request a Kerberos TGT from the domain, which has a lifetime associated with it - all domain users tickets have liftetime, determined by a domain policy. The liftetime of a TGT is normally about 8 hours.
When an RFC request is made by one of the Windows services, and the SNC library is invoked, it will get a service ticket from domain and store in same credentials cache that holds the TGT (inside LSA on Windows). This service ticket will expire at same time as the TGT used to request it.
If the SNC library gets a Kerberos service ticket, and the TGT has expired, but is still within the Renew Until period (normally 1 week after TGT was issued because of policy configuration) then a new TGT is issued, and the service ticket will be issued with the new TGT.
So, from above you can see that using SNC with Kerberos, means that the tickets only last for 1 week because of domain policy configuraiton of Kerberos ticket lifetime and because of renew period for tickets issued by AD. The only way that the Kerberos tickets could be used for longer, is if:
a) The service is restarted, thereby causing it to get a new TGT and the renew until date/time for this new TGT will be 1 week after the TGT was issued.
b) The TGT could be issued when an RFC call is made, and this TGT cached in a separate memory cache, instead of in MS LSA cache normally used by Windows.
Our product supports opiton b) but to make it work we need to understand how the BO software constructs the RFC connection string, and we need to add SNC_MYNAME parameter to this string. I can explain how this works in more detail if you like, but all I need is to know where the RFC parameters are stored. For example, is there an saprfc.ini file which we can edit and add the SNC_MYNAME parameter to this file ?

HT5621 I bought my iMac from someone. Everything was changed over to my name however when I try to update programs it only shows the old users apple ID and I can't update. How do I change this so I can update the applications and have everything fully und

I bought my iMac from someone. Everything was changed over to my name however when I try to update programs it only shows the old users apple ID and I can't update. How do I change this so I can update the applications and have everything fully under me?

The first thing to do with a second-hand computer is to erase the internal drive and install a clean copy of OS X. You — not the previous owner — must do that. How you do it depends on the model, and on whether you already own another Mac. If you're not sure of the model, enter the serial number on this page. Then find the model on this page to see what OS version was originally installed.
1. You don't own another Mac.
If the machine shipped with OS X 10.4 or 10.5, you need a boxed and shrink-wrapped retail Snow Leopard (OS X 10.6) installation disc from the Apple Store or a reputable reseller — not from eBay or anything of the kind. If the machine has less than 1 GB of memory, you'll need to add more in order to install 10.6. Preferably, install as much memory as it can take, according to the technical specifications.
If the machine shipped with OS X 10.6, you need the installation media that came with it: gray installation discs, or a USB flash drive for some MacBook Air models. For early MBA models, you may need a USB optical drive or Remote Disc. You should have received the media from the previous owner, but if you didn't, order replacements from Apple. A retail disc, or the gray discs from another model, will not work.
To boot from an optical disc or a flash drive, insert it, then reboot and hold down the C key at the startup chime. Release the key when you see the gray Apple logo on the screen.
If the machine shipped with OS X 10.7 or later, you don't need media. It should boot into Internet Recovery mode when you hold down the key combination option-command-R at the startup chime. Release the keys when you see a spinning globe.
2. You do own another Mac.
If you already own another Mac that was upgraded in the App Store to the version of OS X that you want to install, and if the new Mac is compatible with it, then you can install it. Use Recovery Disk Assistant to create a bootable USB device and boot the new Mac from it by holding down the C key at the startup chime. Alternatively, if you have a Time Machine backup of OS X 10.7.3 or later on an external hard drive (not a Time Capsule or other network device), you can boot from that by holding down the option key and selecting it from the row of icons that appears. Note that if your other Mac was never upgraded in the App Store, you can't use this method.
Once booted in Recovery, launch Disk Utility and select the icon of the internal drive — not any of the volume icons nested beneath it. In the Partition tab, select the default options: a GUID partition table with one data volume in Mac OS Extended (Journaled) format. This operation will permanently remove all existing data on the drive.
After partitioning, quit Disk Utility and run the OS X Installer. You will need the Apple ID and password that you used to upgrade. When the installation is done, the system will automatically reboot into the Setup Assistant, which will prompt you to transfer the data from another Mac, its backups, or from a Windows computer. If you have any data to transfer, this is usually the best time to do it.
Then run Software Update and install all available system updates from Apple. To upgrade to a major version of OS X newer than 10.6, get it from the Mac App Store. Note that you can't keep an upgraded version that was installed by the previous owner. He or she can't legally transfer it to you, and without the Apple ID you won't be able to update it in Software Update or reinstall, if that becomes necessary. The same goes for any App Store products that the previous owner installed — you have to repurchase them.
3. Other issues
If you see a lock screen when trying to boot from installation media or in Recovery mode, then a firmware password was set by the previous owner, or the machine was remotely locked via iCloud. You'll either have to contact the owner or take the machine to an Apple Store or another authorized service provider to be unlocked. You may be asked for proof of ownership.
If the previous owner "accepted" the bundled iLife applications (iPhoto, iMovie, and Garage Band) in the App Store so that he or she could update them, then they're linked to that Apple ID and you won't be able to download them without buying them. Reportedly, Mac App Store Customer Service has sometimes issued redemption codes for these apps to second owners who asked.
If the previous owner didn't deauthorize the computer in the iTunes Store under his Apple ID, you wont be able to authorize it immediately under your ID. In that case, you'll either have to wait up to 90 days or contact iTunes Support.
When trying to create a new iCloud account, you might get a failure message: "Account limit reached." Apple imposes a limit of three iCloud account setups per device. Erasing the device does not reset the limit. You can still use an account that was created on another device, but you won't be able to create a new one. Contact iCloud Support for more information.

Allowing a user to upgrade a specific Application

We have a specific application that we install on all of our mobile computers. Our newest is the Microsoft 8.1 Professional with an attached keyboard. The issues that we are facing have all been resolved with the exception of one.
The application is installed as the administrator and the user is a basic user with no real privileges. We gave the user full access to the folders that are created and would like to have the users to be able to update this application when newer versions
are released.
The Windows XP systems were performing this without fail but Windows 8 is telling me that the user does not have the appropriate permissions to install as All Users. I have spent a lot of time in GPO and still being denied. Can anyone offer assistance on
this?

Hi,
This happens on Windows 8 not on windows XP, because there is a User Account Control setting in Windows 8 User Account Control (UAC) helps prevent malicious programs (also called malware) from damaging a computer and helps organizations deploy a better-managed
desktop. With UAC, applications and tasks always run in the security context of a non-administrator account. So, a consent prompt will show up when you try to install an application with a standard user, the detailed information can be found at Microsoft:
http://technet.microsoft.com/en-us/library/jj574202.aspx
So, the suggestion is add the standard user to the administrator group, then your can check the result.
Regards
Wade Liu
TechNet Community Support

All Domain User update specific application

Similar Messages

Maybe you are looking for