Anyconnect permission with NT Domain user

Hi,
I am trying to set up a VPN with AnyConnect on my ASA5510 and it works fine.  I have set up an AAA server group for my Active Directory with the "NT Domain" protocol.  Right now, every user is able to connect with their Active Directory credentials.  I would like to restrict access to the AnyConnect VPN to only a few users in AD.
Is there a way to do this?
Thank you

Hi Stephane,
this is most easily done by switching from NT authentication to LDAP, and implementing the solution in this document:
hth
Herbert

Similar Messages

  • Can we map three BPC users with single domain user

    Hi..
When we map the three BPC users in the ABAP server in the program UJA3_WRITE_SYS_USERS with a domain user, can we map all three BPC users to only one domain user, or do we have to use three different domain users to map the three BPC users?
    Please do reply
    Thanks
    Bobby

Yep,
you can map three BPC users to a single domain user,
but the domain user must have the management roles.

  • Could not start the listener with a domain user

    Hi all,
I am working on Windows 2003 with Oracle 10.2.0.2!
With the user "local system account", I can start the listener and I have no problems!
After changing the user that runs the listener from the local system account to a domain user, I cannot start the listener anymore!
(For the Oracle service itself for the database, is it possible to change the user from local system to that domain user without problems?)
Attached is the error message when starting the listener from cmd.
When starting the listener by restarting the Windows service, the listener crashed after a few minutes.
Do I have to set additional permissions for that domain user?
    thanks in advance
    Stefan
    C:\Documents and Settings\Administrator>lsnrctl start listener
    LSNRCTL for 32-bit Windows: Version 10.2.0.2.0 - Production on 17-JAN-2008 11:51:29
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
Starting tnslsnr: please wait...
TNS-12537: TNS: connection closed
TNS-12560: TNS: protocol adapter error
TNS-00507: connection closed
    32-bit Windows Error: 109: Unknown error

    In this case I see three error messages:
    TNS-12537:     TNS:connection closed
    Cause:     "End of file" condition has been reached; partner has disconnected.
    Action:     None needed; this is an information message.
    TNS-12560:     TNS:protocol adapter error
    Cause:     A generic protocol adapter error occurred.
    Action:     Check addresses used for proper protocol specification. Before reporting this error, look at the error stack and check for lower level transport errors. For further details, turn on tracing and reexecute the operation. Turn off tracing when the operation is complete.
    TNS-00507:     Connection closed
    Cause:     Normal "end of file" condition has been reached; partner has disconnected.
    Action:     None needed; this is an information message.
    The most important is the tns-12560 error message, this means that an unsupported protocol exception was raised. Assuming you are using the same environment configuration when starting the listener with the local account and starting it with the domain authenticated user, then it has to do with permissions. Both the local administrator account and the domain authenticated user must belong to the ORA_DBA group, otherwise the user won't have enough privileges to start the listener.
    On the other hand, make sure the sqlnet.ora file includes this line:
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    If you use a domain user name, log on under a domain with username and password which has administrative privileges on each node
    ~ Madrid

  • CWS with multiple domain users sharing a computer off work

    Hi,
I need to know if this is expected behaviour and if there is a workaround for it. I have AnyConnect Web Security (3.1.04063) installed on a Windows 7 Enterprise computer that is part of a Windows domain. Two domain users log in to the computer at work. When User1 logs in and visits "whoami.scansafe.net", his relevant user/group info is displayed in the browser. When User1 logs off and User2 logs in, the page correctly displays the info for User2 in the browser.
However, if at this point the computer is then taken off the work network, say to a home/public network where the AD domain servers are not available, both User1 and User2 can still log on to Windows, but for both of them the "whoami.scansafe.net" page displays the info for User2 only. It doesn't change even if the computer is restarted and User1 logs in; still User2's scansafe info is displayed. This happens to User1 until the PC is brought back onto the work network where the Windows Logon service is available, and User1 can then correctly see his scansafe info in the browser.
    Shouldn't Web Security client app be pulling the info relevant to the logged on user for both on and off work networks ? If this is expected, is there a docu reference to this ?
    Thanks,
    Rick.

    Hi Rick,
That is the expected behaviour of AnyConnect Web Security (ACWS).
The reason is that when you are off the network, ACWS uses the cached credentials of the user who last logged in. In your example, if User2 is the last to log in while connected to the work network, then his/her user credentials will be cached.
It uses the information from the output of gpresult /r.
    Regards, Jen

  • Check Delegated user permission with AD Domain and OU levels

    Hi
    We are looking for a way to check all user permissions at domain / OU levels. Is there a script or tool available for this?
    Regards
    LMS

    You can try this Powershell script:
    Import-Module ActiveDirectory

    $ou    = "AD:\OU=Users,DC=contoso,DC=com"   # OU whose ACL is modified
    $group = Get-ADGroup MyGroup                  # principal receiving the delegation
    $sid   = New-Object System.Security.Principal.SecurityIdentifier $group.SID.Value
    $acl   = Get-Acl -Path $ou
    # Note: this adds an ACE (GenericAll = full control over the OU and, by default, its children);
    # it does not list the permissions that are already delegated.
    $ace   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow"
    $acl.AddAccessRule($ace)
    Set-Acl -Path $ou -AclObject $acl
    and you can also look at these given below links:
    http://technet.microsoft.com/en-us/library/cc775585(v=ws.10).aspx
    http://auditingactivedirectory.blogspot.in/2014/08/how-to-view-active-directory-delegated-permissions.html
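    The script in the answer adds an ACE. To review what is already delegated, which is what the question asks, the following PowerShell is an added example (not from the thread or from Microsoft's documentation): it walks the domain head and every OU, keeps only explicit (non-inherited) ACEs, and resolves the object-type GUIDs to schema class and extended-right names so that an entry reads "User-Force-Change-Password" rather than a GUID. It assumes the RSAT ActiveDirectory module, read access to the directory, and the output file name ad-delegations.csv is an assumption.

```powershell
# Added example: enumerate explicit delegations on the domain root and all OUs.
# Assumes the RSAT ActiveDirectory module; output path is an assumption.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = (Get-ADDomain).DistinguishedName
$targets  = @($domainDN) + @(Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN |
                              Select-Object -ExpandProperty DistinguishedName)

# Build a GUID -> name table from the schema (classes/attributes) and the
# Extended-Rights container (control access rights such as Reset Password).
$guidMap = @{ [Guid]::Empty.ToString() = 'All' }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([Guid]$_.schemaIDGUID).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $guidMap[([Guid]$_.rightsGUID).ToString()] = $_.name }

$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Inherited ACEs were set higher up; only explicit ones are delegations on this object.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        [pscustomobject]@{
            Object              = $dn
            Identity            = $ace.IdentityReference.Value
            Type                = $ace.AccessControlType
            Rights              = $ace.ActiveDirectoryRights
            ObjectType          = $guidMap[$ace.ObjectType.ToString()]
            InheritedObjectType = $guidMap[$ace.InheritedObjectType.ToString()]
            Inheritance         = $ace.InheritanceType
        }
    }
}

# The default ACL carries many entries for built-in principals; review the rest first.
$builtin = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF',
           'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\Authenticated Users',
           'Everyone', 'CREATOR OWNER'
$delegations = $report | Where-Object { $builtin -notcontains $_.Identity } |
               Sort-Object Object, Identity
$delegations | Export-Csv -Path .\ad-delegations.csv -NoTypeInformation
$delegations | Format-Table -AutoSize
```

    Read the output for two things in particular: GenericAll, WriteDacl or WriteOwner granted to a group that is not an admin group (full control of the OU or the ability to take it), and ExtendedRight entries whose ObjectType resolves to User-Force-Change-Password or DS-Replication-Get-Changes-All, since those are the delegations most often abused for privilege escalation. Running the script from a DC or a machine with the RSAT module is enough; it only reads.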

  • Conflict with the domain/user management

Unfortunately I configured the domain management twice with the Adobe server.
As a result, the edcprincipalentity table has duplicate records (i.e. my name appears twice in the table).
I removed the duplicate domain and synchronized, but I am still able to see those records.
Due to this issue, the AWS_ASSIGNED_ID field in the form shows the ID of 'System Context Account', with which I'm unable to populate the logged-in user's details.
Any idea how to remove the duplicate records?
    Thanks,
    Nith

I traced my workflow and form and figured out there's something wrong with the process, so the logged-in user details are not appearing.
I tried opening the edcprincipaluserentity and edcprincipalentity tables to verify the assigned ID value of my principal.
There I noticed the duplicate entry. I confirmed that each entry is duplicated in the table. Hence the process doesn't recognize the assigned ID.
Yesterday I tried re-installing the Adobe suite and configured the domain again from scratch.
Now it is working without any issues.
    Thanks & Regards,
    Nith

  • The domain users without administrative permission cannot install printers shared on printer server

    Dears
We have a print server whose OS is Windows Server 2003, and all clients have Windows 7 installed. Now the domain users cannot install printers shared on the print server. When I log on to the client computer with a domain user and access the print server by
URL \\192.168.37.1, I can see all printers shared on the print server. Then I double-click on a printer to install it on the client computer. It asks me to input the user name and password of the local administrator.
How can I install the printers with a domain user directly? Thanks

    refer step #8:
    http://blogs.msdn.com/b/7/archive/2011/07/11/allowing-standard-users-to-install-network-printers-on-windows-7-without-prompting-for-administrative-credentials.aspx
    Don

  • Domain users and local users can't login to reporting service web environment

    Hello,
We installed Reporting Services at one of our customers but aren't able to use domain users to log in. We've tried to log in with a domain user and with a local user, but neither works. We set the proper permissions for the users on the report folders.
We can only log in with the BUILTIN\Administrator account on the local URL: http://servername/reports
How can we allow login with domain users on other Report Manager URLs?

    Below link may be helpful,
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/623da309-21fa-42a8-905f-1424144a347d/setting-up-a-user-in-ssrs?forum=sqlreportingservices
    Regards, RSingh

  • "Unable to check revocation" error while checking CDP from non-domain user account

    Hi!
I use a 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In the certificate we have three CDP points for the CRL check:
ldap:///, http:// and file://
I have a Windows 2008 R2 server joined to the domain.
I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
When I use a domain user account for revocation checking, all is OK.
I have access to every CDP and all is fine.
But when I use a local server user account, I have no access to ldap:/// and the process fails, although all other links are OK.
My question is: why does the check fail with a non-domain user account while the other CDP points are successfully verified?
    Here is the logfile from local user:
    Issuer:
    CN=EntSubCA
    DC=DED
    DC=ROOT
    Subject:
    CN=servername.domain_name
    Cert Serial Number: 5a896145000300006ee2
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    NotBefore: 05.02.2015 20:03
    NotAfter: 05.02.2016 20:03
    Subject: CN=servername.domain_name
    Serial: 5a896145000300006ee2
    SubjectAltName: DNS Name=servername.domain_name
    Template: Machine
    70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crt
    ---------------- Certificate CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
    Verified "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    Verified "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Base CRL CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    OK "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    OK "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 018d:
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=SubCA
    NotBefore: 13.11.2014 19:12
    NotAfter: 13.11.2017 19:22
    Subject: CN=EntSubCA, DC=DED, DC=ROOT
    Serial: 6109015b000100000008
    Template: SubCA
    9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
    file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\SubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/SubCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (32)" Time: 0
    [0.0] file://\\ca\crl\SubCA.crl
    Verified "Base CRL (32)" Time: 4
    [1.0] http://webserver/crl/SubCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 32:
    Issuer: CN=SubCA
    8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
    CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 28.05.2008 12:09
    NotAfter: 28.05.2058 12:19
    Subject: CN=SubCA
    Serial: 616bd19f000100000004
    Template: SubCA
    06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 4
    [0.0] http://webserver/crl/RootCA.crl
    Verified "Base CRL (1c)" Time: 0
    [1.0] file://\\ca\crl\RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 27.05.2008 16:10
    NotAfter: 27.05.2110 16:20
    Subject: CN=RootCA
    Serial: 258de6fbd3bbab92460530e9e9f10536
    5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crl
    Verified "Base CRL (1c)" Time: 4
    [1.0] http://webserver/crl/RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
    Exclude leaf cert:
    5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
    Full chain:
    ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.

What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to them. In your output, it is quite clear that the local account does not have the necessary permissions
(you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate, again on an internally and externally accessible, highly available web cluster, and one for the OCSP service, also on
an internally and externally accessible, highly available web cluster.
The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
certutil -dspublish -f RootCA.crt
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
    Brian

  • Getting unknown error 0x8004011c. when trying to set up email account in Outlook 2013 with a Domain

    Hi all
The title basically states the problem: Outlook 2013 won't set up with a domain. This only seems to affect Windows 8.1 Pro; Windows 7 Pro has no problems.  If I log on to the computer itself (not the domain), Outlook runs with no problem.
    If anyone has any ideas I would be most grateful
    Thank you
    Fionnbarr

    Hi Fionnbarr,
    When you say "...with a Domain", do you mean login to the computer with a domain user account?
    Does this happen on all your Windows 8.1 clients? What's the error message in full? At which exact step will you get this error?
    So you have observed that "This only seems to affect Windows 8.1 pro", it could be an issue with this specific system. I would suggest we first check for Windows updates and install any available ones, then try again.
    Regards,
    Ethan Hua
    TechNet Community Support
    It's recommended to download and install
    Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
    programs.

  • Why domain users account allowed to logon to servers directly?

I'm using Windows Server 2008 R2 with AD DS.
By default, normal user accounts (Domain Users) should not be allowed to log on to a server directly, I mean on the physical server or via RDP. They should get the message:
"You cannot log on because the logon method you are using is not allowed on this computer"
I checked the GPO under Computer Configuration -> Windows Settings -> Local Security Policy -> Local Policies -> User Rights Assignment -> Allow log on locally, which contains only:
Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
And nothing is set on Deny log on locally.
But I tested, and accounts with just the Domain Users group are able to log on to the server!?
How or where should I check, to not allow normal user accounts to log on to the server directly?
    Thank you.

    Hi,
>>By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP.
By default, standard domain user accounts can log onto workstations and member servers, and they can't log onto domain controllers unless we allow them to do so via group policy.
    By default, standard domain user accounts can’t remote desktop onto other computers unless they have been added to Remote Desktop User groups of the computers.
    Regarding allowing log on locally, the following article can be referred to for more information.
    Allow log on locally
    http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx
    Regarding remote desktop user groups, the following article can be referred to for more information.
    Configure the Remote Desktop Users Group
    http://technet.microsoft.com/en-in/library/cc743161.aspx
    >>How or where should I check, to not allow normal user account to logon to server directly?
We can utilize the group policy setting Deny log on locally to prevent users from locally logging onto the targeted computers.
    Regarding this setting, the following article can be referred to for more information.
    Deny logon locally
    http://technet.microsoft.com/en-us/library/cc957048.aspx
    Best regards,
    Frank Shen
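    Frank's answer turns on the difference between what a GPO shows in the editor and what is actually in force on the server: on a member server the default local policy grants Allow log on locally to Administrators, Backup Operators and Users, and BUILTIN\Users contains Domain Users, so a GPO that never applied leaves ordinary users able to log on. As an added example (not from the thread or from Microsoft's documentation), the PowerShell below exports the effective user-rights assignment with secedit and prints who holds the four logon rights, translating the SIDs to names. Run it in an elevated prompt on the server itself; the temporary file path is an assumption.

```powershell
# Added example: show the effective holders of the local and Remote Desktop logon
# rights on this machine. secedit writes rights as "*SID" lists, which are
# translated to DOMAIN\Name where the SID resolves. Needs an elevated prompt.
$inf = Join-Path $env:TEMP 'user-rights.inf'          # assumed temporary path
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt" }

$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $privilege = $Matches[1]
        $rights[$privilege] = @(foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }    # unresolvable SID: deleted account or unreachable domain
            } else { $entry }         # secedit already wrote a plain account name
        })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# A Deny right always wins over the matching Allow right for the same account.
$logonRights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}
foreach ($key in $logonRights.Keys) {
    $holders = if ($rights.ContainsKey($key)) { $rights[$key] -join ', ' } else { '(no one)' }
    '{0,-46} {1}' -f $logonRights[$key], $holders
}
```

    If BUILTIN\Users appears under "Allow log on locally", that is why Domain Users can log on despite the GPO list in the question; either the GPO is not linked to an OU containing the server, is filtered out, or has not refreshed (gpresult /r on the server shows which GPOs applied). Adding Domain Users to "Deny log on locally", as Frank suggests, blocks them regardless of the Allow list.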

  • Authentication prompt issue when opening an office file in a document library with read permission for domain users

A user who is part of Domain Users tries to open an Office file from a document library but gets an authentication prompt asking him to authenticate. Domain Users has access only to this library and not to the whole site. This used to work in SharePoint
2007 without any problem but not in SharePoint 2013; we didn't have a workflow on SP2007.
Domain Users has read access to only this document library in the site, but he shouldn't get an authentication prompt since he is part of Domain Users and he is not trying to modify the document. He can open the document but gets two prompts, and he also can't
see the list using Explorer view, since nothing appears in Explorer view.
Now, when opening the file, we can see "Updating Workflow Status", but we don't have any workflow running on this site or library, or even any feature related to workflows.
    If we go to the event viewer in the server, we find this information,
    I also checked this thread but I couldn't find this scenario.
    https://social.technet.microsoft.com/Forums/sharepoint/en-US/91bc770b-bb70-4885-a4ad-a243edb88753/event-id-8026-workflow-soap-getworkflowdataforitem-failed-doc-library-no-workflow?forum=sharepointgeneralprevious
    I also created another list with the same permissions and using other office files but got the same behavior.
    Now, we have migrated this site from SP2007 to SP2013.
    Any ideas?

OK, I am going to throw out a lot of ideas here so hopefully they get you closer to a diagnosis. Hang on :)
Does it happen to work for some users but not others? If so, try logging in on the "good" computer with the "bad" username. This will tell you if the problem is related to the end-user's system. Also, once the user downloads a document successfully, can they open and work on it in Word? Also, does the document library have any custom content types associated with it or does it just use 'Document'?
I notice that there are other folks on the web that have run into this same problem and the similarity seems to be that they are either on SharePoint 2007 or have upgraded from 2007. Did this doc library start out as a 2007 library?
What you might want to do is this: Make a site collection from scratch in 2013 (or find one that you know was created in 2013). Choose team site (or whatever you want) for the root web and set up the security the same way you have it on the malfunctioning library. Now, use Windows Explorer to copy and paste some of the documents to the new location. Be sure you recreate any needed content types. Now test it from the troubled user's computer.
I'm thinking there may be something that is different about the library since it was migrated through various versions and updates since 2007. I've sometimes found that there can be problems (especially with user profiles, but that's a different story) with things that go through this evolution.

  • Active Sync does not start as domain user with no Administrator rights.

    Hi all,
    Searched the forums and the net but can't find anything about this.
    Situation:
In a domain where users only have standard user rights, I installed ActiveSync 4.5 on a PC as a domain admin.
When I log on as a user, the ActiveSync software cannot be started.
I disabled the firewall and even set full permissions on the ActiveSync directory; neither helped.
When I'm logged on as this user I can choose to start the program as a different user.
This only works when I start it with the domain administrator account.
I hope that I do not have to give that information to this user to make this software work.....
Has anyone had the same problem? Anyone have an idea?
    Thx in advance.
    Kind regards,
    Aartjan

try this:
1. make sure you install ActiveSync from the local hard disk (not from the network), and do not delete the setup file after
installation
2. log in as the local administrator, connect your PDA and make sure it can sync; I did not create a profile and just left the PDA connected as "guest" for now
3. log off and log in again as the domain user; connecting over USB should work
4. if they still cannot communicate, run ActiveSync from the Start menu
it works for me

  • Domain users files sharing permission problem

    Dear Domain Professional,
We have three domain controllers, 192.168.92.162, .167 and .150. All domain controllers are
Global Catalog servers (forest root). All domain controllers synchronize live with each other: users, Group Policy, AD DS, DNS.
Last night we had a problem with file sharing permissions: it asked for a username and password. Why did this problem happen?
Finally we restarted all domain controllers, and then file sharing worked perfectly fine. I verified all events on the domain controllers and there is no error.
Note: we are using a Juniper firewall; is there any security issue?
Regards
Subash

    Hi,
According to the repadmin results, there isn't any replication issue.
I was wondering how long the issue lasted until the reboots of the DCs?
If the period is short, then this behavior is normal, because AD replication takes time; this issue could occur before AD replication has completed.
Another possible cause is related to the Kerberos authentication and authorization mechanism.
During a logon session, once a user has been authenticated successfully, it gets an access token containing its SID, group memberships and privileges.
The user's access token is subsequently inherited by any application process that the user starts during the logon session.
If we change the user's group membership and privileges after the access token has been issued, the changes won't be updated until this user logs off and logs on again.
    Here are some related articles below for your references:
    How Access Tokens Work
    http://technet.microsoft.com/en-us/library/cc783557(v=WS.10).aspx
    How the Kerberos Version 5 Authentication Protocol Works
    http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
    I hope this helps.
    Amy
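    Amy's explanation of stale access tokens can be checked directly on a client. As an added example (not from the thread or from Microsoft's documentation), the PowerShell below reads the group SIDs in the current logon token and compares them with the account's current direct group membership in AD; a group AD lists that the token lacks means the membership was changed after logon and will not take effect until the user logs off and on again. It assumes the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example: detect a stale logon token after a group-membership change.
# Assumes the RSAT ActiveDirectory module and a domain-joined machine.
Import-Module ActiveDirectory

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })   # SIDs baked into the token at logon

# Direct memberships (including the primary group) as AD sees them right now
$adGroups = @(Get-ADPrincipalGroupMembership -Identity $identity.User.Value)

# Groups AD grants today but the token does not carry: the user is still acting
# on the membership that existed when the token was built.
$stale = foreach ($g in $adGroups) {
    if ($tokenSids -notcontains $g.SID.Value) { $g }
}

if ($stale) {
    "Token for $($identity.Name) is missing these AD groups (log off and on to refresh):"
    $stale | Select-Object Name, GroupScope, SID | Format-Table -AutoSize
} else {
    "Token for $($identity.Name) matches AD direct group membership ($($adGroups.Count) groups)."
}

# The reverse direction is expected to differ: the token also carries nested groups
# and well-known SIDs (Everyone, Authenticated Users, logon-type SIDs), which
# Get-ADPrincipalGroupMembership does not return.
```

    The same applies to a removal: a user taken out of a group keeps that group's SID in the token, and therefore the access it grants, until the next logon, which is why revoking access by group change alone is not immediate and sessions should be terminated when it matters.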

  • Domain user or local administrator permission

We have a Windows 2008 R2 domain environment with Windows 7 clients. Users have domain user permissions.
Security-wise, domain user rights are the way to go. But we have a lot of users with notebooks, with multifunction printers at home. We configured a GPO to install printers, but they can't run setup to install the printer/scan software.
Also some notebook users need to install/upgrade work-related software.
I thought of making the users Power Users.
Or local admin users, with UAC turned on. But we had issues with UAC turned on a year ago (can't remember what it was). I could also work with GPOs, Software Restriction Policies, AppLocker. But that's too much admin overhead. I'm looking for a solution that
I and the users would benefit from. I'd like to know how other admins deal with this.
Thanks

Let me try to be clearer.
At the office we don't have any issues with installing printer drivers. We have about 100 users with laptops that need to install the multifunction printer software (not drivers) at home. For most of them, installing the printer driver is
no problem, because of the printer GPOs we configured:
"Allow non-administrators to install drivers for these device setup classes" and "Point and Print Restrictions".
So we don't have issues with domain users
installing printer drivers, but most of them have multifunction devices at home, all different brands (Canon, HP, Epson etc.). As domain users they don't have permission to run the setup to install the scanner and printer software. They
can only install the printer drivers, because of the GPO.
This is one of the issues we have with domain user permissions. From a security perspective, domain user permissions are the way to go, but they do have their challenges. I don't want to install all the different software for those users, and on the other hand
they don't want to rely on the IT department for things they can do themselves.
To install the printer/scanner software (not only drivers), the printer needs to be connected to the laptop. Users are not going to bring their multifunction device to the office for me to install the software.
So it's more the experience of other administrators I'm looking for: how to deal with giving users more permission to install or upgrade some software, but still have the feeling that the IT department is in control of those laptops.
Thanks
