Allows non admin users to add printers

Similar Messages

• Allow Non-Admin Users Update Software Installed In Their Computers

  Hello All;
  At our location, we have several users who are not always in the office. In some instances, the imac or macbook pro ask for several updates such as Office 2011, and Adobe CS 5 and 6. And, the second issue, these users are not part of the administrator group or ever will be the administrator of their computers.
  Is it possible to adjust the authorization file to allow non-admin users to run these sort of updates?
  or
  Is there a product on the market that can push updates to all these different programs?
  Thanks Kindly

  Is there a product on the market that can push updates to all these different programs?
  Apple Remote Desktop, for one.

• Allowing non-admin users to use certain programs without authenticating

  I would like to allow certain programs to be run by non-admin users without forcing them to authenticate as an admin. Here is my example: I'm running Parallels Desktop with a VM to Windows. I want to allow my children to use this VM to access Windows programs. But, when starting a VM, the Mac OS requires an administrator to authenticate. Needless to say, I don't want my children to be administrators on the machine. I've been assured that this is not an issue related to how Parallels works (from the support team at Parallels). Instead, this is an issue with the Mac. i'm not sure one way or the other, but it seams useful to be able to (in general) allow non-admin users to use certain programs without forcing them to authenicate as administrators.
  There is only one summary in the Mac help on allowing non-admin users to change the time zone settings by directly editing the /etc/authorization file. Does anybody know if this procedure would work for other programs?
  Thanks!

  If you know what the requested right is, that procedure can be applied to any right in an application with a graphic interface by duplicating and modifying entries. The contents of that file don't control usage of sudo in the Terminal.
  (25922)

• How to allow non-admin users to install software updates of Java, FLASH and Adobe Reader?

  Hi all,
  I have a company (+150 users) and I would like  to allow users to update Java, FLASH and Adobe Reader only.
  These software are already installed in the hosts, but there are updates of the program every week and it needs to be updated.
  How can I give permissions to every user in the domain to do that? Just "Java, FLASH and Adobe Reader"
  Remember that I dont want distribute software because they were installed.
  I tried to enable "Enable user to patch evelated products" directive but it didn't work at my domain.
  is it possible?

  I have a method that works for FLASH player, but am trying to come up with a method for the other 2 myself.  To automate flash player, I created a Policy and added the following:
  Under Computer Config, Prefrences, Windows Setting, Files I created a new File Item.
  I set Action = Replace, Created a Source File named mms.cfg* (more below) and have the destination file as systemroot%\System32\Macromed\Flash\mms.cfg (or %systemroot%\SysWOW64\Macromed\Flash\mms.cfg for x64)
  I used notepad to edit the mms.cfg, and used the following in the body:
  AutoUpdateDisable=0
  SilentAutoUpdateEnable=1
  AutoUpdateInterval=0
  My non-admin users now update flash in the background silently and automatically.

• Allowing non-admin users partial admin privileges

  Hi All
  I manage a number of Macs on a large corporate (PC-centric) network. Organisation policy prohibits giving users admin privileges. However, I want users to be able to do some admin tasks like installing software, but not to have admin privileges per se. The Parental Controls option for non-admin accounts does not offer sufficient functionality.
  All the Macs are stand alone (not managed accounts), and are accessible via Apple Remote desktop. Few of the Mac users are command line savvy, so any solution has to be invisible, or via a simple gui.
  Thanks in advance
  Dave Mitchelll

  Most software does not need to be in the Applications folder to run. Non-admin users can install most drag-and-drop software right inside their home folders and run the apps from there.

• ColorSync and non-admin users

  Is there a way to allow non-admin users to change ColorSync profiles for printers using the ColorSync Utility? Our non-admin users can launch the utility and see all the printers listed in the "Devices" section but the option to change the default profile for any particular printer is greyed out.
  Thanks.

  Kurt is far more expert on this than I am, so take his advice first.
  Hi,
  There are three things to consider...
  #1. Profiles in use, like Fast User Switching being on and another User logged in, cannot be changed/edited.
  #2. There are at least 2 locations for the .ICCs...
  /Library/ColorSync/Profiles/Displays/
  /Users/YourUserName/Library/ColorSync/Profiles/
  Profiles in the 1st location cannot be edited. ICCs in the 2nd location could have copies made & the copies moved to another User's folder & Rights/Privileges changed accordingly.
  #3. See what "Scope" Colorsync reports... I think it has to do whether all users was selected when installing drivers, not certain on that though.

• Majority of reports missing for non admin users

  I have followed the instructions here (SCCM 2012–Reporting in console for non-admins (Reporting User Role) v2) to allow non admin users the ability to view
  reports in the console. So far, so good. However, when viewing the reports with the non admin user, only about 100 of the 400+ reports appear.
  Am I missing something here?

  The custom reporting one in the link I provided, and also modified versions of the following:
  OS Deployment manager (removed rights to All driver related items (drivers and driver packages), Boot image packages (except read access), Operating system installation packages).
  Application Administrator (removed Application>Approve; Distribition Point>Set Security Scope; Distribution Point Group>Set Security Scope; Global Condition>Set Security Scope)
  The reports missing we care about primarily are Software ones (companies and products and files).

• How to allow access to winrs for non-admin user?

  I have Windows Server 2012 (and Server 2008, but it is next priority) to monitor it using txwinrm. txwinrm library internally is using WinRS protocol. I have to monitor it using least privileged user, but don't know how to configure access for him.
  All I managed to do - is to configure remote Powershell session for my user, but it's look like that winrs and powershell sessions have different security descriptors:
  Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2}
  # gives 4
  Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2}
  # gives 4
  winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"'
  # gives 4
  winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"'
  # Gives Winrs error: Access is denied.
  Configuration for my user is following:
  (Get-Item WSMan:\localhost\Service\RootSDDL).value
  # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
  (Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
  # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
  (In each security descriptor my user is given general access to protected object).
  So what security descriptor should I set to make my winrs query work for non-admin user?

  Hi Bunyk,
  I can not recreate the erroe you posted, and please also post the screenshoot in your convenience.
  I tested with a non-domain user but has the local admin permission of the remote computer, and this worked, before running the remote cmdlet in powershell, I also configured the TrustedHosts.
  In addition, the access denied could be also caused to the Protocol Filtering on the remote server, for more detailed information, please refer to this thread:
  winrs error:access is denied
  I hope this helps.

• A Solution for Enabling Sandbox activation by non admin users for testing (OIM 11gr2 PS2)

  I just wanted to post what i came up with as a solution the the problem of not being able to Test the effects of sandbox changes for non admin level users prior to their publication.  We are constantly making changes to the UI through sandboxes, the problem is rolling a sandbox back isn't easy, and we cannot be sure of the effects they will have on non administrative users until they are published, since the out of the box sandbox link isn't available to non Sysadmin level users.
  To allow these non admin user accounts to test the effects of sandbox changes in our development environment, I did the following (as always, follow at your own risk):
  Create and activate a new sandbox.
  Close all open tabs (including the Home and Sandbox tabs) and click the "Customize" link.
  Click the view -> source drop down in the upper left.
  After the source is visible, click the Accessibility or Sandbox link to find the area that you will add the new "UserSandboxTest" (call it whatever you want) link.
  Add a new commandImageLink directly in the panelGroupLayout: horizontal item before the "switcher" item (see the UserSandboxLink in my screen shot below):
  Edit the Link you just inserted, Entering whatever you want the link to display as in your browser in the "Text" field.
  Export the sandbox.
  Unzip the exported sandbox and navigate to the IdmShellV2.jspx.xml (path should be: \templates\mdssys\cust\site\site).
  Edit the IdmShellV2.jspx.xml file and find the new item you added in step 5.
  Add the following to the commandImageLink xml item: actionListener="#{pageFlowScope.uiShell.context.launchSandboxes}" rendered="#{oimcontext.currentUser.roles['SANDBOX_USER'] != null}".  Note: I used a new custom enterprise role, SANDBOX_USER, to control the display of the new link, You should substitute whatever EL conditions you need in the rendered property.
  Save your IdmShellV2.jspx.xml file and zip the contents back up, just like you would for any other customization.
  Import your newly edited sandbox back into the target environment.
  Publish the sandbox.
  This seems to work great for allowing us to test other sandbox changes effects on different types of users. 

  On step 10, adding the check to determine if the user should have access to the role ended up breaking access to the unauthenticated pages like the self registration page and the forgot userid/user login pages.  Non-authenticated users cannot execute the method to return the role, so that fails which leaves the page not loading.  To correct this I changed the rendered property to rendered="#{securityContext.authenticated}".  This prevents the link from displaying on non authenticated pages, but displays for anyone else who's logged on.  We only plan on using this in our development environment where no one but developers and system admins have access anyway, so it's not an issue that everyone will see the link.  I wouldn't recommend putting this in an environment where end users will be logging in and testing without developing a method (or finding another way to limit the display) that can be called by unauthenticated users to prevent them from seeing the link.

• Non admin user - changes not saved (Safari settings, system prefs, etc.)

  iMac, 2 users, one is administrator and other is standard user. Recently, in the non-admin user account, it has become impossible to make any changes. For example, adding an application to the the Dock, after logging out and back in next time, the application is not in the Dock any more. Also, making changes to the prefs in Safari, changes are not saved.
  I noticed this after installing FireFox v4. I installed it as admin whilst in the non-admin users account. However, I don't believe that the installation of FF has anything to do with the problem, it just highlighted it. I've checked the permissions for the various directories that hold prefs info such as user/libraries/application prefs/etc. etc. and also Safari prefs. Nothing I can see that has changed in system prefs.
  Any ideas on what has caused the problem (kids are known to fiddle from within the non-admin account) and any ideas on how to fix it?
  Thanks

  Hi PPRuNe,
  You could try making the standard user an Admin too. To do this, make sure you are logged in to the standard user, go to System Preferences > Accounts > Standard user (you may have to unlock the padlock) > Allow user to administer this computer
  This will allow changes to be made without being prompted for a password all the time.
  However, if you had Parental Controls on, they probably won't work on an admin account because as an admin you have complete control over a computer, so the computer thinks there is no point in having the controls turned on. And if the kids are known to "fiddle," just think carefully!
  Hope this helps you.
  Chris.

• Non Admin user can cancel the time machine backup an Admin user started?

  Today I had to do a new time machine backup but as it was running the user was switched to a non admin user but that admin user was able to terminate the backup that Time Machine was running since the panel showed up on their screen. Why is that?

  Barney-15E wrote:
  I wouldn't think it was a bug. If I was a user trying to get something done that was processor intensive, I'd like to be able to stop the backup. As the admin, I wouldn't think missing one backup was a big deal.
  The o.p. didn't seem to agree.
  I'm not sure what I'd think in that situation.
  But it could easily be allowed, for those who want it -- just put the TM icon in the other user's menubar before locking the preferences panel.

• Non-admin user can not logon to web pages

  I setup an iMac, I am the administrator and I set up a non-admin user. I also setup parental controls to their default settings.
  The user can log on to their account but when they go to a web page, any web page, that requires a logon, the authentication fails. I can login to the iMac as the administrator and can go to those same pages and try to logon and it works.
  I tried disabling parenting controls but it still doesn't work. I don't think that I should have to change any settings to allow a non-admin user to log on to a website, but maybe there is something I am missing...
  Any tips or things I should try?

  It's recommended to have your Security mode on.
  Anyways if you wish to, go to ''''Firefox'''' tab > ''''Options'''' > ''''Options'''' > '''''Security'''''
  and do your custom settings.
  Re-installing Mozilla Firefox may fix this problem.

• Allow non-admins to install software?

  I find it rather tedious to have to type my password every time others want to install something on the computer (which is a shared computer, by the way). Is there any way to allow a non-admin user to install software, but not have other admin priveleges?

  On the screen where you're prompted for the password, find and note down the requested right. Use a program such as TextWrangler to edit the /private/etc/authorization file so that all accounts have that right.
  (59954)

• Non-admin users and Time Machine

  We have a 1-1 laptop program with 7th and 8th grade students. The students are not admins of their own laptops.
  This year we gave each student an external hard drive and had them use Time Machine to back-up their accounts. The problem was when a student needed to restore from Time Machine, we needed to enter the administrator's password.
  We'll be switching to Lion over the summer, and by default, a non-admin user cannot even turn on Time Machine without an adminsitrator's password, which makes Time Machine useless. I don't want to have our students go back to manually dragging and dropping all of their school data (and movies and music) to back it all up (what a messy process).
  Is there any way around the need for an admin password to use Time Machine?

  Time Machine (the application) is already allowed. That's not the problem.
  In order to set-up Time Machine the first time, users have to open the Time Machine Preference, and that is locked. When a user tries to unlock it, they need to enter an administrator's password, but our students are only standar users.
  We don't want to have to enter that password for 250 machines each time students need to access that preference.
  In addition, an administrator's password is needed to restore anything from a Time Machine drive, and we'd like a way around that too.

• Non-admin users can't view GAL with Outlook Connector

  Non-admin users are unable to view the Global Address List with Outlook Connector. When I give a test user admin rights (in our portal), the user can view the GAL. The VLV index is setup and functioning correctly for admin users. My versions are Directory Server 5.2 Patch 4, JES 2005Q4, Outlook Connector 7.1.222.4.
  I've reviewed the ACIs on o=cp per http://docs.sun.com/app/docs/doc/819-5200/gbnse?a=view and verified that they are getting passed down to the child entries. I added a new ACI for a specfic test user, but I see no effect when I run an ldapsearch as that user. Here are the ACIs:
  1. Allow Calendar Administrators to proxy
  (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
  (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
  (version 3.0;acl "Allow Calendar administrators to proxy - product=ics,class=admin,num=2,version=1";
  allow (proxy)(groupdn = "ldap:///cn=Calendar Administrators, ou=Groups, o=cp");)
  2. Allow Calendar users to read and search other users
  (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
  (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
  (version 3.0;acl "Allow Calendar users to read and search other users - product=ics,class=admin,num=3,version=1";
  allow (read,search)(userdn = "ldap:///uid=*,ou=People,o=pcc.edu,o=cp");)
  3. Allow test users to proxy
  (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
  (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
  (version 3.0;acl "Allow test users to proxy - product=ics,class=admin,num=2,version=1";
  allow (proxy)(userdn = "ldap:///uid=299899598658566,ou=People,o=pcc.edu,o=cp");)
  Here's the log for an ldapsearch as a non-admin user:
  -bash-3.00$ grep "conn=386080 op=1 msgId=2" access
  [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
  [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - SORT cn
  [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - VLV 1:1:dpelinka 2964:11852 (0)
  [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
  When the same search is run by an admin user, nentires=3.
  Here is the test ldapsearch:
  ldapsearch -h vmpt1 -p 389 -D "uid=299899598658566,ou=People,o=pcc.edu,o=cp" -w {password} \
  -b "ou=People,o=pcc.edu,o=cp" -x -s "sub" -S "cn" \
  -G "1:1:dpelinka" "pdsRole=Employee" uid
  David,

  Jay,
  Here's a full set of logs. The first set is from my test search; the second from an actual OC search. I don't see anything different between the admin and non-admin except for the number of entries returned.
  ADMIN TEST SEARCH
  -bash-3.00$ ./test_vlvindex.shl
  version: 1
  dn: uid=375308679900788,ou=People,o=pcc.edu,o=cp
  uid: 375308679900788
  dn: uid=534616896694744,ou=People,o=pcc.edu,o=cp
  uid: 534616896694744
  dn: uid=506947161967075,ou=People,o=pcc.edu,o=cp
  uid: 506947161967075
  index 2973 content count 11893
  DS log-bash-3.00$ grep "conn=1964292 op=1" access
  [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
  [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - SORT cn
  [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - VLV 1:1:dpelinka 2973:11893 (0)
  [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - RESULT err=0 tag=101 nentries=3 etime=0
  NON-ADMIN TEST SEARCH
  -bash-3.00$ ./test_vlvindex.shl
  index 2973 content count 11893
  DS log-bash-3.00$ grep "conn=1973983 op=1 msgId=2" access
  [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
  [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - SORT cn
  [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - VLV 1:1:dpelinka 2973:11893 (0)
  [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
  ADMIN OC SEARCH
  -bash-3.00$ grep -i vlv access
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - VLV 0:8:0:0 1:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - VLV 0:10:9:0 10:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - VLV 0:17:20:0 21:11893 (0)
  -bash-3.00$ grep "conn=1000785 op=14 msgId=15" access
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - SORT cn
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - VLV 0:8:0:0 1:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - RESULT err=0 tag=101 nentries=9 etime=0
  -bash-3.00$ grep "conn=1000785 op=15" access
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - SORT cn
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - VLV 0:10:9:0 10:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - RESULT err=0 tag=101 nentries=11 etime=0
  -bash-3.00$ grep "conn=1000785 op=16 msgId=17" access
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - SORT cn
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - VLV 0:17:20:0 21:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - RESULT err=0 tag=101 nentries=18 etime=0
  NON-ADMIN OC SEARCH
  -bash-3.00$ grep -i vlv access
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - VLV 1:1:1:0 2:11893 (0)
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - VLV 0:8:0:0 1:11893 (0)
  -bash-3.00$ grep "conn=2220710 op=1" access
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="cn mail uid objectClass"
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - SORT cn
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - VLV 1:1:1:0 2:11893 (0)
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
  -bash-3.00$ grep "conn=2220710 op=2" access.20080107-171147
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - SORT cn
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - VLV 0:8:0:0 1:11893 (0)
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
  -bash-3.00$
  David.