Assigned wrong role to administrator account.

Similar Messages

• Former Employee Obtained access to Administrator Account somehow and has been messing with roles, files ect... Just a question...

  Ok, so about six months ago, my company let go of their Systems Administrator because she was causing many problems in the workplace... Yesterday morning i logged onto the server and found several files open with her name on them, including her confidentiality
  agreement, and Employment offer letter, as well as the confidential folder that holds all employees personal identity information (she remote into the Server about 10 Minutes before i logged in, thus kicking her off not allowing her to close what she was opening/copying.
  I attempted to check the logs to see what IP she was connecting with but was only able to find the following:
  She remoted into the server about through Remote Desktop about 20 times on the 27th of May 2014, (horrible weather and she was probably logging in in a McDonald's Wifi and it kept kicking her off).
  I took the day off because my area was flooded and couldnt make it to work.
  She logged on, on the 28th of May, 2014 about 16 times before i logged on kicking her off, leaving everything she was doing open for me to see.
  Everytime i remote into the server from my house or the office i get the following...
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}"
  />
    <EventID>1149</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated
  SystemTime="2014-05-28T03:24:49.860045100Z" />
    <EventRecordID>1943</EventRecordID>
    <Correlation
  />
    <Execution ProcessID="3884" ThreadID="3868" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>Servername.server.local</Computer>
    <Security UserID="S-1-5-20" />
    </System>
  <UserData>
  <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
    <Param1>Administrator</Param1>
    <Param2>ServerName</Param2>
    <Param3>IP.IP.IP.IP</Param3>
    </EventXML>
    </UserData>
   </Event>
  when she would log in, there was no IP address everytime except the first time she logged in it seems, and looks like the following.. The first time she logged in remotley I have an IP address that seems to belong to a McDonalds using AT&T wifi,
  and was able to trace it to the center of town, and get a Longitude/Latitude...
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}"
  />
    <EventID>261</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated
  SystemTime="2014-05-28T17:25:03.210845100Z" />
    <EventRecordID>1969</EventRecordID>
    <Correlation
  />
    <Execution ProcessID="3884" ThreadID="4224" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>Servername.Server.local</Computer>
    <Security UserID="S-1-5-20" />
    </System>
  <UserData>
  <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
    <listenerName>RDP-Tcp</listenerName>
    </EventXML>
    </UserData>
    </Event>
  As you can see no IP address is shown unlike everyone other PC that remotes into the server... She has been using our server as her personal file host for her real estate business, she was fired last year for sabotaging AutoCad drawings her ex boyfriend
  was working on (they are back together and was the one she set up with full access to server)  and she has been adding and modifying files in her group drive via the administrator account. She also disabled several roles we had installed, and gave her
  boyfriend (who happens to work at the company) More administrator right than myself, as I built the server from ground up, and Only the Company owners had access to remote desktop, besides the administrator account... I want to make sure she didn't create
  any hidden accounts that she can still log into.. I found under ADSI Edit Under Domain Controllers, Subscription Properties an account (servername$) which doesn't not show up in active directory, but had full access to everything... Is there a way to uncover
  hidden Accounts she may have created to get into the server, as I've know from previous experiences, that $ sign normally refers to a hidden account or file of some sort.. Any help with this would be greatly appreciated, The FBI is currently investigating
  the situation, but i am trying to make sure all my basis are covered so this doesn't happen again... Thank you for taking the time to read my long ass thread, I will bestow upon you great fortune and Karma for any help given =-D

  Hello,
  the $ behind the machine name object is normal.
  For security related questions please use
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
  Also I would immediately remove all people form any kind of administrative groups, MUST of course be agreed from the company owner, then change the administrator account password. If there is a need for the additional administrators the company chief
  has to agree on this and there should also be made some clear rules, maybe from a lawyer about consequences etc. Remote access to the network should be blocked or made more secure with two factor authentication, tokens for example, just using Remote Desktop
  at the moment I would not allow until the network is better secured and you can be sure there are no unknown administrative accounts.
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• OES MAPI problem of "Assigning Principals to an Administration Role"

  Hi,
  I meet the problem of programmatically Assigning Principals to an Administration Role using Oracle Entitlement Server Management API. I can successfully run the sample code following the <Developer Guide>, Chapter 5.4.3 Assigning Principals to an Administration Role
  My code snippet is like this:
  List<PrincipalEntry> principals = new ArrayList<PrincipalEntry>();
       principals.add(new BasicPrincipalEntry
         ("weblogic.security.principal.WLSUserImpl", "Lisa"));
       //Grant the users in the list the role
       admManager.grantAdminRole(adminRole, principals);
  And no error or exception occurs in java app side or oes_admin side. But when login to http://vmware.localdomain:7001/apm admin GUI, I could not login with Lisa.
  I also tried manually assign app1 with delegated admin role, and then Lisa can successfully login to admin GUI.
  Then I run the app program to programmatically assign app2 with delegated admin role to Lisa. Login with Lisa could not see app2.
  I have checked the system admin "weblogic" login to admin GUI and it can see that app2 already have Lisa listed on the external user of delegated admin of app2.
  I even checked the DEV_APM.JPS_CHANGELOG in the oracle database schema for oes. I can see the changelog of java app assiging operation.
  Can anyone tell me the reason why programmatically assign user to an delegated admin not work correct? Is there some mistake steps in my java app code or there is a bug in OES product?
  I use the OES 11.1.1.5 version with Oracle Database 11.2.0, Weblogic 10.3.5 on Oracle Enterprise Linux 6 32bit.
  Thanks very much.

  Thanks very much for all the reply posts. With the suggestions from yours, I tried distribute the policy and finally it works!
  The code snippet is from 4-8 Using the distributePolicy() Method  , listed below:
  //get the PolicyDistributionManager
  PolicyDistributionManager pdm =
    app.getPolicyDistributionManager();
  //distribute policies
  String distID = pdm.distributePolicy(true);
  DistributionStatusEntry status = pdm.getDistributionStatus(distID);
  System.out.println("Start distribute policy");
  while (status.getPercentComplete() != 100) {
    Thread.currentThread().sleep(200);
    System.out.print(".");
    status = pdm.getDistributionStatus(distID);
  System.out.println("Finish distribute policy");
  There is another trick that I discovered from DEV_APM.JPS_CHANGEBLOG:
  If this is the first time that user be assigned as a delegated admin, you should also grant user with applicaionRole "APMViewer" to the application "oracle.security.apm"
  You can refer to the sample code from 2-9 Assigning Principals to an Application Role  , also listed below:
  ApplicationPolicy app = ps.getApplicationPolicy("oracle.security.apm");
  AppRoleManager roleMgr = app.getAppRoleManager();
  //Construct the list of users to be granted
  List<PrincipalEntry> principals = new ArrayList<PrincipalEntry>();
  principals.add(new BasicPrincipalEntry
    ("weblogic.security.principal.WLSUserImpl", "Nick"));
  //Grant the users in the list the role
  //admManager.grantAdminRole(adminRole, principals);
  AppRoleEntry appviewerRole = roleMgr.getAppRole("APMViewer");
  roleMgr.grantAppRole(appviewerRole, principals);

• Tried accessing administrator account with wrong password

  I forgot my administrator access password,tried with a wrong password to many times and now the computer can't access account.I understand this to be a safety mechanism.How can I get myself out of this? Any assistance would be greatly appreciated!

  The above linked article is for the administrator to change other users' passwords from the administrator account. That won't help you when you have forgotten the administrator's password.
  Here is how to change the administrators password. These instructions come from Mac Help, available from the Help menu in the Finder.
  To reset the administrator password using the Mac OS X disc:
  1. Insert the Mac OS X Install disc and restart the computer.
  2. When you hear the startup tone, hold down the C key until you see the spinning gear.
  3. When the Installer appears, choose Utilities > Reset Password.
  4. Follow the onscreen instructions to change the password.
  5. Quit the Installer and restart your computer while holding down the mouse button to eject the disc.

• Portal Runtime error in assigning a role to a user by UME

  Hi ALL,
  I am assigning a role to a user through UME using this piece of code:
  String uids = userFactory.getUserByUniqueName("Shilpa").getUniqueID();
  String roleid = roleFact.getRoleByUniqueName("pcd:portal_content/administrator/content_admin/content_admin_role").getUniqueID();
  roleFact.addUserToRole(uids,roleid);
  The userid and role is beinf fetched successfully but at the assignment of the role to the user , I am gettign Portal runtime error.
  The error log is following.
  <b> java.lang.NoClassDefFoundError: com/sap/abc/network/util/InfEPLog
       at UserListeners.userAssigned(UserListeners.java:27)</b>
       at com.sap.security.core.imp.RoleFactory.assignUserPerformed(RoleFactory.java:1466)
       at com.sap.security.core.persistence.imp.DistributedTransaction.doCacheUpdateAndNotificationForMembers(DistributedTransaction.java:565)
       at com.sap.security.core.persistence.imp.DistributedTransaction.doCacheUpdateAndNotificationForMembers(DistributedTransaction.java:815)
       at com.sap.security.core.persistence.imp.DistributedTransaction.doCacheUpdateAndNotification(DistributedTransaction.java:465)
       at com.sap.security.core.persistence.imp.DistributedTransaction.afterCompletion(DistributedTransaction.java:252)
       at com.sap.engine.services.ts.jta.impl.TransactionImpl.commit(TransactionImpl.java:414)
       at com.sap.engine.services.ts.jta.impl.TransactionManagerImpl.commit(TransactionManagerImpl.java:316)
       at com.sap.engine.services.ts.transaction.TxManager.commitLevel(TxManager.java:581)
       at com.sap.engine.services.ts.transaction.TxManagerImpl.commitLevel(TxManagerImpl.java:63)
       at com.sap.transaction.TxManager.commitLevel(TxManager.java:237)
       at com.sap.security.core.persistence.imp.DistributedTransaction.commit(DistributedTransaction.java:2742)
       at com.sap.security.core.imp.Role.commit(Role.java:337)
       at com.sap.security.core.imp.RoleFactory.addUserToRole(RoleFactory.java:1338)
       at com.sap.user.UserAdded.doContent(UserAdded.java:63)
       at com.sapportals.portal.prt.component.AbstractPortalComponent.doPreview(AbstractPortalComponent.java:240)
       at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:168)
       at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
       at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
       at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
       at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645)
       at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
       at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753)
       at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
       at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Please tell me where I am wrong.
  Regards,
  Shilpa.

  Hi Shilpa,
  The error "java.lang.NoClassDefFoundError" means that your classpath is not set correctly. This is likely due to a missing reference. The class file may be in the jar, but at runtime the component (your component) needs to have access to the jar file which contains the class.
  Try adding the servlet.jar, activation.jar file in your project and also through your ADd external libraries at 'java build path'. also please ensure tht WAS and NWDS at the same SP level.
  Hope this might help you.
  Regards,
  Shaila

• SharePoint 2013 Administrative Account Permissions

  I'm looking for documentation about the permissions needed to administrate SharePoint Server 2013. My administrative account needs to have access to Central Administration, web applications, PowerShell, and local server resources like the file system, event
  logs, services, etc.
  I have found several articles that I had hoped would have the information but do not:
  Plan for administrative and service accounts in SharePoint 2013 literally has the sentence:
  This article does not describe security roles and permissions required to administer in SharePoint 2013.
  This upsets me as I am looking for the documentation that does describe the roles and permissions required to administer in SharePoint 2013 and this line offers no help other than telling me what I need isn't here. For anyone from the documentation
  team that happens to read this I offer the feedback that following that sentence there should be a link to the documentation that I am asking about here (assuming it exists ;)
  Initial deployment administrative and service accounts in SharePoint 2013 details permissions for the setup user account which is like an administrative account except that in my
  case the farm has been set up and I need to have administrative accounts.
  Account permissions and security settings in SharePoint 2013 describes the permissions accounts and groups are granted on individual resources on the server. While this is informative,
  it doesn't describe what rights I need to grant an account so it can administer.
  Use Windows PowerShell to administer SharePoint 2013 describes the permissions needed to run Add-SPShellAdmin to grant others administrative access, but doesn't actually
  describe the permission needed to use PowerShell to administrate.
  Does this information exist publicly?
  Jason Warren
  @jaspnwarren
  jasonwarren.ca
  habaneroconsulting.com/Insights

  Partner Support has confirmed there is no documentation that details specific rights needed for specific administration tasks. Given how the permissions depend on the task and how many tasks there are I don't see this ever appearing in official public documentation.
  I did some testing and I was able to use PowerShell as a non-admin, but I was limited to accessing objects that don't require the admin rights. For example I couldn't get the farm object (I get an exception) or the search service application (Get-SPEnterpriseSearchServiceApplication
  returns null), but I could list site collections and sites. Again, certain tasks require certain rights and this totally makes sense given the ability to delegate permissions built into the SharePoint platform.
  So where does this leave me? For now I suppose it needs to be tested on a case-by-case basis.
  For users who I want to administrate a farm with PowerShell, who have the ability to log into the servers to check local resources, services, logs, etc. practically they need to be local administrators and have SPShellAdmin. For anything else I would be
  looking at creating an account with no rights and gradually add permissions until I get to a level where it can perform the required tasks. If I want an account to manage site collections I may need Remote Desktop User machine group, SPShellAdmin against the
  content database, and site collection administrator (at the moment this is a guess).
  So in the end it seems there is no definitive answer or broad best practice for assigning permissions to administrators beyond testing it out to see what works and hiring administrators who you trust and are accountable for their actions.
  Jason Warren
  @jaspnwarren
  jasonwarren.ca
  habaneroconsulting.com/Insights

• Prevent locking of Administrator account

  Hello,
  We'd like to expose our portal to the internet. This means everyone will be able to logon to the portal (after creating an UME user account). UME is configured to lock user accounts after 3 invalid login attempts.
  Now how can we prevent anonymous internet users to lock the Administrator account or other system accounts like ADSUser?
  The first option would be to implement this on the revert proxy, e.g. block requests containing j_user=Administrator either in the URL during a GET request or in the body during a POST request.
  However, because of performance reasons, especially because of the need to scan all POST requests, this option doesn't look very attractive.
  A second option would be to deploy a new JAAS LoginModule, configured to be always executed as the first one, that checks the username first and halts the login process if the username is Administrator and the request is coming from a certain IP (the reversed proxy), e.g. by throwing a RuntimeException in the login method (will that work? any other possibility besides throwing a RuntimeException?).
  This doesn't look as very clean solution either.
  What would be the best (safe, clean, easy) way to stop anonymous users from locking the Administrator user account?
  Thanks!
  Sigiswald

  At the end we decided to write a custom LoginModule anyway.
  import java.io.IOException;
  import java.net.InetAddress;
  import java.net.UnknownHostException;
  import java.util.ArrayList;
  import java.util.Arrays;
  import java.util.Iterator;
  import java.util.List;
  import java.util.Map;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.Callback;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.callback.NameCallback;
  import javax.security.auth.callback.UnsupportedCallbackException;
  import javax.security.auth.login.LoginException;
  import com.sap.engine.interfaces.security.auth.AbstractLoginModule;
  import com.sap.engine.lib.security.LoginExceptionDetails;
  import com.sap.engine.lib.security.http.HttpGetterCallback;
  import com.sap.security.api.IUser;
  import com.sap.security.api.NoSuchUserException;
  import com.sap.security.api.UMException;
  * <p>
  * <div>This LoginModule either succeeds or fails, but in fact it
  * <u>never</u> authenticates the user. What is meant is that even if
  * all relevant methods of the LoginModule API - i.e. login and commit
  * - return true, indicating success, the Subject is never
  * authenticated. Therefore this LoginModule should <u>never</u> be
  * configured as SUFFICIENT.</div>
  * </p>
  * <p>
  * <div>The purpose of this LoginModule is to abort the authentication
  * process in case an unauthorized user tries to authenticate as
  * administrator and thus it stops unauthorized users from locking
  * administrator accounts.</div>
  * </p>
  * <p>
  * <div>This LoginModule accepts two optional configuration
  * options:<ul>
  * <li>ip_allow</li>
  * <li>ip_deny</li></ul>
  * The value of both options is a comma separated list of IPv4 ranges.
  * e.g.
  * <code>ip_allow=145.50.76.81,145.50.77.0-145.50.77.255,194.196.236.70-194.196.236.71</code>
  * The localhost is added implicitly.</div>
  * </p>
  * <p>
  * <div>If the IP address of the client that sent the HTTP request is
  * within the range(s) defined by ip_allow and is not within the
  * range(s) defined by ip_deny, authentication succeeds. If this is
  * not the case, authentication fails if the user tries to
  * authenticate by username (and password) and supplies the username
  * of an existing UME user that is assigned the internal_use_only
  * role. Otherwise, authentication succeeds.</div>
  * </p>
  * <p>
  * <div>To meet its purpose, i.e. prevent the locking of administrator
  * user accounts, this LoginModule <u>should</u> be configured as
  * <u>REQUISITE</u> and should be in the login stack <u>before</u> the
  * standard BasicPasswordLoginModule.</div>
  * </p>
  * @author smadou
  public final class AdministratorFilterLoginModule extends AbstractLoginModule {
    private static final String INTERNAL_USE_ONLY =
      LogonUtil.getRoleid("internal_use_only");
    private static final String IP_ALLOW = "ip_allow";
    private static final String IP_DENY = "ip_deny";
    private static boolean initialized;
    private static List IPRANGE_ALLOW = new ArrayList();
    private static List IPRANGE_DENY = new ArrayList();
    private CallbackHandler callbackHandler;
    private boolean succeeded;
    public void initialize(
      Subject subject,
      CallbackHandler callbackHandler,
      Map sharedState,
      Map options) {
      super.initialize(subject, callbackHandler, sharedState, options);
      this.callbackHandler = callbackHandler;
      this.succeeded = false;
      AdministratorFilterLoginModule.initialize(options);
    public boolean login() throws LoginException {
      try {
        if (ipAllowed()) {
          succeeded = true;
          return true;
      } catch (UnsupportedCallbackException e) {
        throwUserLoginException(e);
      } catch (IOException e) {
        throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
      String logonid = null;
      IUser user = null;
      String userid = null;
      try {
        logonid = getLogonid();
        user = logonid == null ? null : LogonUtil.getUser(logonid);
        userid = user == null ? null : user.getUniqueID();
      } catch (UnsupportedCallbackException e) {
        throwUserLoginException(e);
      } catch (IOException e) {
        throwUserLoginException(e, LoginExceptionDetails.IO_EXCEPTION);
      } catch (NoSuchUserException e) {
        // TODO connect to NetWeaver logging API - DEBUG
        e.printStackTrace();
      } catch (UMException e) {
        throwUserLoginException(e);
      if (userid == null) {
        return true;
      if (user.isMemberOfRole(INTERNAL_USE_ONLY, LogonUtil.RECURSIVE)) {
        throwNewLoginException(
          "Access Denied to user with logonid "
            + logonid
            + " having role "
            + INTERNAL_USE_ONLY
            + "!");
      succeeded = true;
      return true;
    public boolean commit() throws LoginException {
      return succeeded;
    public boolean abort() throws LoginException {
      return succeeded;
    public boolean logout() throws LoginException {
      succeeded = false;
      return true;
    private static synchronized void initialize(Map options) {
      if (initialized) {
        return;
      IPRANGE_ALLOW.addAll(Arrays.asList(AddressRange.parseRanges("127.0.0.1")));
      try {
        IPRANGE_ALLOW.addAll(
          Arrays.asList(
            AddressRange.parseRanges(
              InetAddress.getLocalHost().getHostAddress())));
      } catch (UnknownHostException e) {
        // TODO connect to NetWeaver logging API - INFO
        e.printStackTrace();
      String ipAllow = (String) options.get(IP_ALLOW);
      String ipDeny = (String) options.get(IP_DENY);
      if (ipAllow != null && ipAllow.length() > 0) {
        IPRANGE_ALLOW.addAll(Arrays.asList(AddressRange.parseRanges(ipAllow)));
      if (ipDeny != null && ipDeny.length() > 0) {
        IPRANGE_DENY.addAll(Arrays.asList(AddressRange.parseRanges(ipDeny)));
      initialized = true;
    private String getClientIp()
      throws UnsupportedCallbackException, IOException {
      HttpGetterCallback hgc = new HttpGetterCallback();
      hgc.setType(HttpGetterCallback.CLIENT_IP);
      callbackHandler.handle(new Callback[] { hgc });
      return (String) hgc.getValue();
    private String getLogonid()
      throws IOException, UnsupportedCallbackException {
      NameCallback nc = new NameCallback("username: ");
      callbackHandler.handle(new Callback[] { nc });
      return nc.getName();
    private boolean ipAllowed()
      throws UnsupportedCallbackException, IOException {
      String clientIp = getClientIp();
      return match(IPRANGE_ALLOW, clientIp) && !match(IPRANGE_DENY, clientIp);
    private boolean match(List ipRanges, String ip) {
      for (Iterator i = ipRanges.iterator(); i.hasNext();) {
        AddressRange range = (AddressRange) i.next();
        if (range.match(ip)) {
          return true;
      return false;
  import com.sap.security.api.IRole;
  import com.sap.security.api.IRoleFactory;
  import com.sap.security.api.IUser;
  import com.sap.security.api.IUserFactory;
  import com.sap.security.api.NoSuchRoleException;
  import com.sap.security.api.NoSuchUserException;
  import com.sap.security.api.UMException;
  import com.sap.security.api.UMFactory;
  * @author smadou
  public final class LogonUtil {
    static final boolean RECURSIVE = true;
    static String getRoleid(String uniqueName) {
      try {
        IRoleFactory rf = UMFactory.getRoleFactory();
        IRole role = rf.getRoleByUniqueName(uniqueName);
        return role.getUniqueID();
      } catch (NoSuchRoleException e) {
        // TODO connect to NetWeaver logging API - WARN
        e.printStackTrace();
        throw new SecurityException(
          "NoSuchRoleException while getting role with unique name ""
            + uniqueName
            + "": "
            + e.getMessage());
      } catch (UMException e) {
        // TODO connect to NetWeaver logging API - WARN
        e.printStackTrace();
        throw new SecurityException(
          "UMException while getting role with unique name ""
            + uniqueName
            + "": "
            + e.getMessage());
    static IUser getUser(String logonid)
      throws NoSuchUserException, UMException {
      IUserFactory uf = UMFactory.getUserFactory();
      return uf.getUserByLogonID(logonid);
  * This code is based on
  * http: //drc-dev.ohiolink.edu/browser/fedora-core/tags/2.0/src/java/fedora/server/security/IPRestriction.java
  * @author smadou
  public final class AddressRange {
    private static final int IP_OCTETS = 4;
    private static final int OCTET_MIN = 0;
    private static final int OCTET_MAX = (int) Math.pow(2, 8) - 1;
    private long start;
    private long end;
    private AddressRange(long start, long end) {
      this.start = start;
      this.end = end;
    public boolean match(String address) {
      return match(parseAddress(address));
    private boolean match(long address) {
      return address >= start && address <= end;
    private static long parseAddress(String address) {
      String[] octets = address.split("\.");
      if (octets.length != IP_OCTETS) {
        throw new IllegalArgumentException("invalid adress: "" + address + """);
      long lAddress = 0;
      for (int i = 0, n = octets.length; i < n; i++) {
        lAddress += parseOctet(octets[ i ], n - i - 1);
      return lAddress;
    private static long parseOctet(String octet, int byteNum)
      throws NumberFormatException {
      long lOctet = Long.parseLong(octet);
      if (lOctet < OCTET_MIN || lOctet > OCTET_MAX) {
        throw new IllegalArgumentException("invalid octet: "" + octet + """);
      return lOctet * (long) Math.pow(Math.pow(2, 8), byteNum);
    private static AddressRange parseRange(String range) {
      String[] parts = range.split("-");
      if (parts.length > 2) {
        throw new IllegalArgumentException("invalid range: "" + range + """);
      long start = parseAddress(parts[0].trim());
      long end = parts.length == 1 ? start : parseAddress(parts[1].trim());
      return new AddressRange(start, end);
    public static AddressRange[] parseRanges(String ranges) {
      String[] parts = ranges.split(",");
      AddressRange[] addressRanges = new AddressRange[parts.length];
      for (int i = 0, n = parts.length; i < n; i++) {
        addressRanges[ i ] = parseRange(parts[ i ].trim());
      return addressRanges;

• Security Scopes: All instances of the objects that are related to the assigned security roles greyed out

  So the guy who built our SCCM server is no longer in the company and his AD account no longer exists.  I noticed in SCCM however his account as the "All instances of the objects that are related to the assigned security roles"
  is selected. however the option is greyed out for everyone else.
  This option is the one found under Administration/Security/Administrative Users select the user and open properties then select the Security Scopes tab.
  Is there a way we can provide another user this same level access when we can no longer access through the original build account?
  Already looked into tombstone resurrection of his account thats a no go.
  

  Hi,
  I recommend you rebuild SCCM or open a case with Microsoft.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Can I switch the user IDs (or names) of two administrator accounts?

  I have an iMac and a MacBook Air both running Lion. Both have the same two administrator accounts, but the UserIDs of the two are switched around, like this:
  iMac Admin1 (UID 501), Admin2 (UID 502)
  MacBook Air Admin1 (UID 502), Admin2 (UID 501)
  It has been like that for a month or so and never bothered me. This morning I was copying files across to the MacBook Air, which went fine until I force quit the Finder on the MacBook. After that event, copying was no longer possible. I apparently ran into the problem described here: Problems transferring Powerpoint files in Lion
  I don't understand why I didn't have this problem before. (I don't complain, don't get me wrong, I just don't understand). I'm trying to reset the MacBook Air by restoring yesterday's Time Machine copy. Can't tell if this helps yet; have to wait 12 more hours... But even if it does, the situation appears to be unstable.
  Hence my question. Is there an easy way to get the UID numbering of the Admin accounts the same on both machines?
  By the way, I read the solution referred to in he quoted article, which involves assigning a new, unused UID to an existing account. That seems like a cumbersome and error-prone method. And I would have to go through it twice. So: is ther an easier way to solve my particular problem?

  Peter_Philologos wrote:
  Both have the same two administrator accounts, but the UserIDs of the two are switched around, like this:
  iMac Admin1 (UID 501), Admin2 (UID 502)
  MacBook Air Admin1 (UID 502), Admin2 (UID 501)
  Unfortunately with what you want to do and using just your MacBook Air as an example:
  May have to create 503 first.
  Change Admin2 - UID 501 to 503.
  Change Admin1 - UID 502 to 501.
  Change new Admin2 - UID 503 to UID 502.
  End result would be Admin1 - UID 501 and Admin2 - UID 502 which would match your iMac accounts.

• Creating more administrator accounts for Visual Administrator

  Hi
  Is it possible to create more accounts for Visual Administrator besides the Admin account. So for example if I wanted to let the development team have access to Visual Admin but I don’t want them to use the Administrator account ???
  Regards,

  Boris,
  If you want to use the Visual Admin, use these instructions:
  http://help.sap.com/saphelp_nw04s/helpdata/en/23/355d87507141548c6f893f28aac7f5/frameset.htm
  If you want to use identity management (user administration console) use these instructions:
  http://help.sap.com/saphelp_nw04s/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm
  Both UIs do more or less the same thing. With Visual Admin you can assign security roles. With identity management, you can assign UME roles and actions.
  The identity management UI has been updated in NW2004s if you are using NW2004 use the instructions here:
  http://help.sap.com/saphelp_nw04/helpdata/en/70/9be23d44d48e5be10000000a114084/frameset.htm
  Feel free to ask more questions if you have trouble. I maintain some of those help files so I would be interested to find out where you are having trouble.
  -Michael

• Unable to log into administrator account after software update

  I've done a clean installation of server 10.5 on a G5 Xserve using the simplified "workgroup" setting. Created a named administrator account as part of the setup. Once passed the initial setup screens I did a software update to 10.5.8. After reboot I'm locked out of the named administrator account. I can still log in as root and localadmin using the same password. However, I don't see any accounts listed under the Users tab in Server Preferences. I've done nothing to this system other than answer a few standard questions during install and then update software.
  This result is repeatable as I tried simply reinstalling the server OS figuring I must have done something wrong the first time. In fact the reason I'm reinstalling in the first place is related to this problem. Something caused all my admin and user accounts to go away on the original server setup. Couldn't figure it out so I decided to do a fresh install. I realize now it was likely related to a software update.
  When logged in as root and using Console I see errors like "'No LDAP Master' while processing a command of type: 'readSettings' in plug-in: 'servermgr_accounts'". I'm a newbie to the server world and I'm not sure what that means.
  There should be nothing remotely fancy going on here. Simply a stand alone server getting a fixed IP from a router. A single admin account, no directory services. Before the software update everything seemed fine.
  Any help would be appreciated.

  Hi,
  I have same issue and i have resolve so.
  login as root and password
  Verify if you have in /Users/xyz : your admin home folder
  if yes, create a new user with : Preference System, Account, create new user
  set as Administrator, give same name as your /Users/xyz home folder
  then click OK, a message will appeart that the folder exist, click YES.
  that's resolve my issue

• Problem with software update - now can't log on to administrator account

  Hello -
  I updated software yesterday and didn't pay attention to what was updating. I always just install the updates when they come up.
  Now I can't login to my administrator account or change the password. I could log into another account, but iTunes won't stay open. It opens for about 10 seconds then closes.
  So I'm assuming that the updates were a mac OSX update and an iTunes update.
  Does anyone know why this is happening and how to fix?
  Is there anyway to "undo" the most recent update?
  Any help would be appreciated.
  -jamendan

  Hi jamendan, and a warm welcome to the forums!
  Could be many things, we should start with this...
  "Try Disk Utility
  1. Insert the Mac OS X Install disc that came with your computer, then restart the computer while holding the C key.
  2. When your computer finishes starting up from the disc, choose Disk Utility from the Installer menu. (In Mac OS X 10.4 or later, you must select your language first.)
  *Important: Do not click Continue in the first screen of the Installer. If you do, you must restart from the disc again to access Disk Utility.*
  3. Click the First Aid tab.
  4. Click the disclosure triangle to the left of the hard drive icon to display the names of your hard disk volumes and partitions.
  5. Select your Mac OS X volume.
  6. Click Repair. Disk Utility checks and repairs the disk."
  http://docs.info.apple.com/article.html?artnum=106214
  Then Safe Boot from the HD, (holding Shift key down at bootup), run Disk Utility in Applications>Utilities, then highlight your drive, click on Repair Permissions, reboot when it completes.
  The usual reason why updates fail or mess things up, is if Permissions are not fixed before & after every update, with a reboot... you may get a partial update when the installer finds it doesn't have Permissions to change one obscure little part of the OS, leaving you with a mix of OS versions.
  Some people get away without Repairing Permissions for years, some for only days.
  If Permissions are wrong before applying an update, you could get mixed OS versions, if Directory is the slightest messed up, who knows!
  If many Permission are repaired, or any Directory errors are found, you may need to re-apply some the latest/biggest updates.
  May even need to do an Archive and Install if you have room on the HD...
  http://docs.info.apple.com/article.html?artnum=107120
  I only use Software Update to see what is needed, then get them for real via...
  http://www.apple.com/support/downloads/
  That way I can wait a week or so, check the forums for potential problems, and get Permissions & such in order before installing.

• Assigning database roles on SQL Server db

  I am trying to set up a SQL Server adapter (not a database table adapter for SQL tables) to manage role assignment on a database 'test1' on my sql server ( 2000) 'sqlserver1' using IdM 7.1. I am trying to assign role1 to user tuser1 on test1. I am using 'sa' account so permissions should not be an issue.
  Per resource reference document, I mapped:
  userNametest1 <-> userNametest1
  rolestest1 <-> rolestest1
  My login for user 'tuser1' gets created on the SQL server. However the database and role assignment is not happening. I do not get any errors in the IdM admin pages from where I am testing this. Hence I am assuming I am not setting something right in the resource schema. I have tried different ways such as
  userNametest1 <->userName
  rolestest1 <-> roles
  and some more combination but none seem to work. How can i find out what my resource attribute mapping should be? If anyone has done this, can you please share how you got it work?
  Thanks in advance.

  Some more info.
  I have set up the out of the box MS SQL server adapter to connect to MSDE version of SQL server running on my local machine. I used the MSSQLServer Form provided in the samples folder and assigned it to an admin user and turned on the trace.
  I am able to create logins by assigning the resource to a user. Using the admin user I am able to see in the trace that the server Roles are also being retrieved fine. What I am not able to get is assigning a database to the user and then assigning db roles.
  Following the documentation (Resource Reference guide for IdM 7.1) I have created following attributes on the left hand side of schema.
  defaultDB,serverRoles,domain, userNameMyTestDb,rolesMyTestDb.
  No matter what I map the last two attribute I am not able to assign a db and dbroles to a user. I turned on sql profiler and then again used the admin user to view a test user using MSSqlServer form and it appears that the procedure sp_databases is not being called at all. I have decompiled the sql server class file and it appears there might be an issue with the way list of databases is being retrieved.
  Has any one seen this before? If you were able to get it to work, can you please give me information on the resource schema and any other settings you had to make to get it to work?
  Thanks in advance.

• Have lost my Administrator account  - can no longer make any system changes

  Since I had forgotten my Administrator Password on my son's Mac, I inserted a Leopard DVD, restarted the Mac while holing the "c" key and used the utilities menu to reset the password on my Administrator acount.
  After following the on screen steps to reset the computer, when I rebooted the Mac my administrator account was now completely missing.
  All that is left are two standard user accounts that work fine but do not allow me to install new hardware becasue they are not administrator accounts. What did I do wrong? and can I recover my Administrator account or promote one of the remaining standard user accounts to adminstrator level?
  Thanks in advance for any help

  Welcome to Apple Discussions!!
  What did I do wrong?
  Did you use a Leopard DVD on a Tiger system? That's what your post appears to be saying.
  and can I recover my Administrator account or promote one of the remaining standard user accounts to adminstrator level?
  You can use the appropriate one of these User Tips to promote one of the existing ones:
  I lost my admin user (Mac OS X 10.4 and earlier)
  I lost my admin user (Mac OS X 10.5)
  Be sure you use the right tip, and also to make the appropriate username substitutions.

• Domain Administrator account being locked up by PDC

  Hi everyone,
  My PDC is locking up my domain administrator (administrateur in french) account.
  System event logs :
  The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please
  consider resetting the password of the account mentioned above.
  Level : Error
  Source : Directory-Services-SAM
  Event ID : 12294
  Computer : Contoso-PDC
  User : System
  There is absolutely no events in the security events log, not a single "Audit Failure" event for the "administrateur" account.
  I tried to change the name of the domain administrator account from "administrateur" to "administrator".
  Now there is "Audit failure" events poping up in the security event logs.
  Once again the Source Workstation is the PDC. I guess those events are there because it receive credential validation for an account who doesn't exist anymore since it have been renamed in "Administrator".
  Here is the detail log :
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: Administrateur
  Account Domain: CONTOSO
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: CONTOSO-PDC
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  On the PDC i checked :
  Services : None of them are started with the "administrateur" account
  Network Share : There is no network share ...
  Task Scheduler : None of the tasks are launch with the "administrateur" account.
  And the logon type (3:network) seem to indicate that the login comes from an other computer but i have nothing to look for, not a single IP.
  Any ideas?
  ps : Sorry for the probable english mistakes :(

  Hi,
  Thanks for you answers.
  San4wish :
  Lockout tool confirm that the domain administrator account is locked on my PDC. I didn't run eventcomb but i though it only helped parsing security event logs which i did "manually". Anyway i'll try eventcomb after this week end.
  About the conficker worm : I looked into it and this worm was exploiting a vulnerability in the server service. It have been patched by MS08-067 (KB958644) and this kb isn't available for Windows 2008 R2 and Windwos 2012 so i guess Windows 2008 R2 have
  fixed this vulnerabilty.
  So i doubt its a conficker type worm.
  Also i gave the PDC role to another DC (let's call him DC2) and now DC2 is locking the administrator account so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs.