Block \ deny option to deploy mandatory advertisements to collections
In CM 2007; I was able to write an SQL trigger on insert\update and attach it to a database table so when anyone made a required\mandatory advertisement to the all systems or all desktops and workstations collections it would rollback the transaction. This
worked really well and kept my colleagues from deploying mandatory Task sequences to every computer by mistake :)
I do not want to make it so that other users cannot create other collections, or have to manually assign permissions every time a new collection is created to the users.
I modified the trigger to work with CM2012, but alas it does not work. For some reason ALL advertisements are hitting this trigger, not just mandatory\required ones. This is despite the fact that optional ones have the value offertypeid = 1.
ALTER TRIGGER [dbo].[tr_ERRORON_MANDATORY_ADV_ALLSYSTEMS]
ON [dbo].[ProgramOffers_G]
AFTER INSERT,UPDATE
AS
IF EXISTS (Select CollectionID, Offertypeid from dbo.programoffers_g where CollectionID in ('SMS00001','SMSDM003') AND (Offertypeid = '0'))
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
RAISERROR ('Cannot Create Mandatory Advertisement to the all systems group due to SMU Policy.', 16,1)
ROLLBACK TRANSACTION
END
You might be able to do something with a WMI trigger on the CM provider. But IMO the real advantage of CM12 is RBA, particularly in lager orgs.
Why do all CM12 staff need access to all devices? Why can't you restrict most of the admins to just Workstations or a subset of workstations?
http://www.enhansoft.com/
I did more research, it seems that collections cannot be controlled used rba.
"There are no procedures to configure collections for role-based administration. Collections do not have a role-based administration configuration; instead, you assign collections to an administrative user when you configure the administrative user. The
collection security operations that are enabled in the users assigned security roles determine the permissions an administrative user has for collections and collection resources (collection members)."
Basically I am the sys admin; and we have four users at two sites. I want to make sure they do not deploy anything mandatory to all systems as has been mistakenly done in the past which is a HUGE problem.
It looks like I can go to administration->security->Administrative Users -> security scopes and modify the account name properties, go to security scopes, press only the instances of objects that are assigned to the specified scopes and explicitly
add collections which they can administer.
That works great; but these other users will be the ones creating collections and managing applications not me. I do not want them to have to contact me each time they create a collection so I can add it to their security scope. Is this correct?
Similar Messages
-
I'm using Mail 7.3 but can't find a "Block Senders" option - as exists in Outlook - as a way to prevent repeated spam and advertising landing in my Inbox. Anyone have a solution for this? I've had a look at the Message Rules option but that doesn't seem to offer a fix. Thanks
You should be able to manage the problem with Rules, if you are happy to just delete the emails without you ever seeing them.
In Mail>Preferences>Rules, create a new rule with these options:
Description: Give a name to the Rule, such as Delete or Block Sender
On the line started 'If' choose 'Any' from the drop down menu and on the next line select 'From' and 'Contains', and then input the email address of the unwanted sender
Under 'Perform the following actions' choose 'Delete'.
As other senders you want to block send you unwanted emails you can add them to the rule by clicking the '+' sign against the line you added the email, if you have an email from that sender on screen when you edit the rule - they should appear there automatically. -
Is it possible to create non mandatory advertisement ,to rech client fast.
We want to create a non mandatory advertisement ,which can reach the client fast
is there any way to create a non mandatory advertisement to reach the client fast.
anyone has any idea???thanks Garth
Yes , I thought in mandatory it will go fast, thanks for clearing the doubt,
actually we were deploying the applications through mandatory task sequence at the time of machine build
we wanted this particular application to advertised fast so that it will sit in rap after immediate execution of task sequence we have to run this.
Previously we were using it as non mandatory advertisement and it was taking too long to reach the client.
now I got the solution :
http://social.technet.microsoft.com/Forums/systemcenter/en-US/b0224409-e4f9-4f51-8cb3-bd3506dc5963/is-it-possible-to-create-mandatory-advertisement-without-force-run?forum=configmgrswdist -
"Block EDIT option*" for all WEBI Reports with Administrator Account
Hi,
I had opening CMC with Administrator Account.Due to some reasons i want to "Block EDIT option" for all WEBI Reports.Just Viewing is sufficient.In the same way for Universe"Blocking EDIT object option".Instead of Administrator guide reference (chap no 18 &19)option.Could you help in steps resolving issue.Thanks in advance.
Regards,
Swapna.Hi Swapna,
You could perform the following steps:
1. Login to CMC.
2. Go to Folders >> Manage >> Top Level Security
3. Click on Add Principal and add the user or group for which you have to set the security.
4. Click on assign Security >> Advanced tab >> Add/Remove Rights.
5. Select Content >> Web Intelligence Report
6. assignt "Edit Object" right as denied and click on apply ok.
This would help you to block edit option for only webi reports and all the webi reports in your environment.
Regards,
Nakul -
Jabber For Windows - Calender Integration Option on deployment
We're about to roll out Jabber for Windows to several hundred clients, and have an issue with the Outlook Integration option setting. Our users are migrating from Lotus Notes to Microsoft Outlook and once migrated to Outlook, will get Jabber for Windows. The problem we have is when installing Jabber for Windows, in many cases it takes IBM Lotus Notes as the default calendar integration, instead of Microsoft Outlook. (Notes is left on users pc as they still need to use Notes to access some backend databases)
We will have to issue intructions to users to go in to File>Otions>Integration and make sure Microsoft Outlook is selected, but past experience tells us they won't actually read them!
Does anyone know any way of setting on option on deployment to ensure Microsoft Outlook is selected ?
Thanks
KelvinHi David,
there is an known issue where default MAPI file can't be opened on some PCs. To confirm this - we would need PRT from computer where issue can be reproduced.
If you still have same problem then create a problem report (Start menu > Cisco Jabber > Cisco Jabber Problem Report) and attach with this thread. If you are not comfortable to attach report here, then raise a TAC case for further assistance.
Regards,
Nebojsa -
Is it possible to create mandatory advertisement without force Run
Hi All
1.We want to create the mandatory advertisement with without force run and want to run it from RAP
2. I already knows that if I will create non mandatory advertisement it will sit in RAP and will not run.
But I want to implement point 1 as I want content to be downloaded in cache quickly and want to run it manually from RAP.Hi Jason
thanks for the reply ,I got answer from your different post ,we can give longer future date to avoid execution of mandatory application .
http://social.technet.microsoft.com/Forums/systemcenter/en-US/a327e7ce-58aa-40d5-8fdd-35df1bc414f1/sccm-advertisement-precache-download-mandatory-but-not-force-run?forum=configmgrswdist
actually what I wanted , is to download the application in advance in cache and execute later in future date
every time I was selecting as soon as possible so it was forced run, now I made it future date working accordingly because I am running it from RAP now.
Many Thanks Jason -
How to block delete option in va01 , va02, va03
hi,
i like to know how to block delete option in va01 , va02, va03. I need to block the delete option in the menu to delete the sales order by the user.
Please reply ASAP.
<removed_by_moderator>
Please read the "Rules of Engagement"
thanks in Advance,
With best regards,
sathies
Edited by: Juan Reyes on Jul 29, 2008 1:05 PMHi,
Do a user trace in st01 for that transaction and find which auth object it is refering to and the auth value then maintain the values accordingly.
Regards,
Vamshi. -
Block HTTP Options request in DBMS_EPG
We are having some trouble opening HTML pages from Office tools in combination with the Embedded PL/SQL Gateway on a Oracle 11g database.
When we open a public Apex page from word or Excel it will prompt for XDB username / password.
We open the page like this: http://epg-host:8080/apex/f?p=111:1
When we open the same page from the same Apex application using the Oracle HTTP Server instead of the Embedded PL/SQL Gateway, Word and Excel won't prompt for a username and password.
I used Wireshark to see the difference in HTTP traffic. Microsoft Office will do a HTTP Options request on the "directory" of the page (for the url http://epg-host:8080/apex) before opening the page. The HTTP Options request results Error 401 Unauthorized, that’s why Word/Excel ask the user to login.
With a HTTP Send Tool I have send the Options Request to the Embedded PL/SQL Gateway and to the Oracle HTTP Server, these are the different responses:
Options for http://epg-host:8080/apex/
The remote server returned an error: (401) Unauthorized.
MS-Author-Via DAV
DAV 1,2,<http://www.oracle.com/xdb/webdav/props>
Content-Length 147
Content-Type text/html; charset=UTF-8
Date Thu, 10 Nov 2011 10:05:56 GMT
Server Oracle XML DB/Oracle Database
WWW-Authenticate Basic realm="XDB"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>401 Unauthorized</TITLE>
</HEAD><BODY><H1>Unauthorized</H1>
</BODY></HTML>Options for http://apache-host:7778/apex/
The remote server returned an error: (501) Not Implemented.
Allow
Connection close
Content-Length 252
Content-Type text/html; charset=iso-8859-1
Date Thu, 10 Nov 2011 10:15:44 GMT
Server Oracle-Application-Server-11g
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>The server does not support the functionality required to fulfil the request.</p>
</body></html>I do not really understand why the Options Request results in Unauthorized. I would like to change the behavior of the Embedded PL/SQL Gateway so that it does not throw the "Unauthorized" error. Any other error would be good, but Unauthorized results in a Login prompt.
Does anyone know how to configure the Embedded PL/SQL Gateway so it will not result in the unauthorized error? It doesn’t matter if I have to block the Options requests or grant extra authorization.Thanks for your reply. When we open the page in the browser we do not get the Login-prompt, the allow-repository-anonymous-access is already set to true.
The login-prompt only occurs when we open the page from Word/Excel, that's when the HTTP-Options request is send.
Opening an Apex page in the browser only results in a HTTP-Get request, Word/Excel will send HTTP-Options followed by the HTTP-Get request. -
Select option-high as mandatory
Hi,
I have a requirement where both low and high field of select -option should be mandatory.
Code i have written is :
s_vendor for lfa1-lifnr obligatory.
But only the low field is made obligatory.How to make high field as oblogatory too?
Thankshi,
use the following code....
tables : sscrfields.
select-options : s_vendor for lfa1-lifnr.
at selection-screen output.
loop at screen.
if screen-name CS 'S_VENDOR'.
screen-required = 'X'.
modify screen.
endif.
endloop.
at selection-screen.
if sscrfield-ucomm = 'ONLI'.
if s_vendor-low is initial or s_vendor-high is initial.
clear sscrfields.
message 'Fill in all required fields' type 'E'.
endif.
endif
Regards,
Siddarth -
Why is my popup blocker under "options" deselected every time I start Firefox?
I notice that my popup blocker under "options" is deselected every time I start Firefox.
For possible causes see the [[preferences are not saved]] article.
-
Block / Deny ICMP Traffic cisco asa 5512-x
hi expert
I have cisco asa 5512x for configure as firewall and sslvpn.
my customer want block/Deny icmp traffic from interface outside without block anything.
i've configure form cli :
icmp deny any outside
but from outside can't open sslvpn url and asdm.Hi,
Access for the Anyconnect/ASDM does not depend on the ICMP permit/deny commands on the ASA device.
If you want to block the Pings to the ASA interface use the command:-
icmp deny any outside etc.
What do you mean by "i can ping from outside." Plzz explain.
Thanks and Regards,
Vibhor Amrodia -
I need to know how to block the option menu on firefox because my students are able to change the connection option bypassing the proxy that should block them when it's not alloud surf on the web. Thank's
See http://kb.mozillazine.org/Locking_preferences
<code>//
lockPref("network.proxy.type", 1);
lockPref("network.proxy.http", "");
lockPref("network.proxy.http_port", "");
</code>
See:
http://kb.mozillazine.org/network.proxy.type
http://kb.mozillazine.org/network.proxy.%28protocol%29
http://kb.mozillazine.org/network.proxy.%28protocol%29_port -
Finally block is optional??
I want to know if finally block is optional? I tested this myself, and
the following yield the same output.
void f()
try
{ //code1
catch()
finally
{ //code2
void f()
try
{ //code1
catch()
//code2
please advise. thanks!!I'm not sure what you're asking, and your sample code tells us almost nothing, but I'll take a guess.
You're thinking finally doesn't do anything, because you can just put the code after the catch block, right?
Here's some more realistic code: void foo() throws IOException {
InputStream ins = null;
try {
Bar bar = new Bar(); // this might throw BarException
ins = bar.getAnInputStream();
ins.read(); // etc.
// do stuff with what we read from ins
catch (BarException exc) {
// log, handle, whatever
finally {
// cleanup, for example ins.close();
// OR we could cleanup here, you think, right?
} If the try block completes without any problems, or if a BarException is thrown and we don't rethrow anything from the catch block, then, yes, you could put the cleanup after the finally block.
However, what happens if bar.getAnInputStream() returns null? Or if there's an IOException creating or reading the stream? In that case, we jump out of our try block as soon as the exception occurs--the IOException or the NPE if we try to call read() on a null stream reference.
In this case the try block stops what it's doing and control passes to the finally block, after which we leave the method (well, leave the try statement for the next enclosing try, but there isn't one in this method, so we leave the method).
If we throw an uncaught exception (anything other than IOE, in this example) or even if we call return from inside the try block, the finally block will always be executed. The code following the finally block won't be executed in these cases.
¶ -
I've tried using "Service Advisor" option in CAM to try to collect support data I get the error "The device has been unregistered from this application. Please close this service advisor window.".
How to fix this?
Thank youHi.
1. You can use command line for collect support data.
/opt/SUNWsefms/bin/supportData -d <array_name> -p /tmp -o supportdata
Result : /tmp/supportdata.zip
2. For trubleshuting current problem, please show result of:
cd /var/opt/SUNWsefms/store/Reports
for i in report* cache*
do
echo $i
perl -ane '/[^[:ascii:]]/ and print;' < $i
doneHow many arrays registered in the CAM ?
Check that for this array work next point in CAM:
-> Trubleshuting -> FRU
-> Trubleshuting -> Events
Regards. -
MTU option of IPv6 router advertisement ignored
I recently turned up an IPv6 tunnel from Hurricane Electric (http://tunnelbroker.net/) to my home router, which is a Cisco 1921 ISR. The IPv6 tunnel works great, save for one small problem. That being that the MTU of the tunnel is 1480 and the MTU on my Mac is 1500. If I manually set the MTU on my Mac to 1480, everything works as expected. However, part of IPv6 autoconfig is setting the MTU for situations like this where there is a tunnel or the more common PPPoE, both of which require a lower MTU. The router is configured to set this option, and I can see it via tcpdump and radvdump:
[root@strongbad]# tcpdump -i en0 -n -XX icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:36:09.218626 IP6 fe80::ca9c:1dff:fed6:17a0 > ff02::1: ICMP6, router advertisement, length 64
0x0000: 3333 0000 0001 c89c 1dd6 17a0 86dd 6e00 33............n.
0x0010: 0000 0040 3aff fe80 0000 0000 0000 ca9c ...@:...........
0x0020: 1dff fed6 17a0 ff02 0000 0000 0000 0000 ................
0x0030: 0000 0000 0001 8600 1266 4000 0708 0000 .........f@.....
0x0040: 0000 0000 0000 0101 c89c 1dd6 17a0 0501 ................
0x0050: 0000 0000 05c8 0304 40c0 0027 8d00 0009 ........@..'....
0x0060: 3a80 0000 0000 2001 0470 e9ba 0001 0000 :........p......
0x0070: 0000 0000 0000 ......
[root@strongbad]# radvdump
# radvd configuration generated by radvdump 1.6
# based on Router Advertisement from fe80::ca9c:1dff:fed6:17a0
# received by interface en0
interface en0
AdvSendAdvert on;
# Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
AdvManagedFlag off;
AdvOtherConfigFlag off;
AdvReachableTime 0;
AdvRetransTimer 0;
AdvCurHopLimit 64;
AdvDefaultLifetime 1800;
AdvHomeAgentFlag off;
AdvDefaultPreference medium;
AdvSourceLLAddress on;
AdvLinkMTU 1480;
prefix 2001:470:e9ba:1::/64
AdvValidLifetime 2592000;
AdvPreferredLifetime 604800;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition
}; # End of interface definition
You can plainly see the MTU is at 1500, when it should be 1480:
[root@strongbad]# ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:16:cb:ab:af:0d
inet6 fe80::216:cbff:feab:af0d%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.44 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2001:470:e9ba:1:216:cbff:feab:af0d prefixlen 64 autoconf
media: autoselect (1000baseT <full-duplex>)
status: active
[root@strongbad]# netstat -in
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
lo0 16384 <Link#1> 800471 0 800471 0 0
lo0 16384 ::1/128 ::1 800471 - 800471 - -
lo0 16384 fe80::1%lo0 fe80:1::1 800471 - 800471 - -
lo0 16384 127 127.0.0.1 800471 - 800471 - -
gif0* 1280 <Link#2> 0 0 0 0 0
stf0* 1280 <Link#3> 0 0 0 0 0
en0 1500 <Link#4> 00:16:cb:ab:af:0d 24352460 0 36285322 0 0
en0 1500 fe80::216:c fe80:4::216:cbff: 24352460 - 36285322 - -
en0 1500 192.168.1 192.168.1.44 24352460 - 36285322 - -
en0 1500 2001:470:e9 2001:470:e9ba:1:2 24352460 - 36285322 - -
fw0 2030 <Link#5> 00:1c:b3:ff:fe:9b:6d:d0 0 0 0 0 0
en1 1500 <Link#6> 00:1c:b3:b0:41:f0 0 0 0 0 0
vmnet 1500 <Link#7> 00:50:56:c0:00:01 0 0 0 0 0
vmnet 1500 172.16.130/24 172.16.130.1 0 - 0 - -
vmnet 1500 <Link#8> 00:50:56:c0:00:08 0 0 0 0 0
vmnet 1500 172.16.123/24 172.16.123.1 0 - 0 - -
On my Mac in System Preferences > Network > Ethernet > Advanced > Ethernet the "Configure" value is set to "Automatically". I discovered a manual sysctl setting that looked promising, but had no noticeable effect:
[root@strongbad]# sysctl -w net.inet6.ip6.accept_rtadv=1
net.inet6.ip6.accept_rtadv: 0 -> 1
I'm running the latest version of Snow Leopard (10.6.7) on my Mac, and there doesn't appear to be any updates for it. Just for fun, here's the kernel banner:
[root@strongbad]# uname -a
Darwin strongbad.local 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386
Any ideas on how to get my Mac to honor the MTU in IPv6 router advertisements and set the MTU automatically?
Thanks in advance,
-LexI was wrong. The MTU in IPv6 router advertisements is not ignored by my Mac. In fact, it works great. A few things threw me off here:
1. The IPv6 MTU is not relected in ifconfig and netstat output if it's different than IPv4.
2. The MTU size was wrong. The IPv6 MTU also has to account for ADSL PPPoE overhead the same as any other protocol. PPPoE adds 8 bytes overhead per packet. That means with the 6in4 tunneling overhead of 20 bytes, the true MTU for an IPv6 packet over a 6in4 tunnel over PPPoE is 1472.
3. The firewall was correctly configured to pass ICMPv6, so PMTUD was working. However, this created the illusion that some destinations were working and some were not. I wrongly assumed that mucking with the MTU to and from 1480 was making a difference. In reality, it was PMTUD doing its thing, albeit slowly and on a strict destination by destination basis.
In sum, setting the MTU on the router interface closest to my Mac to 1472, made it all work beautifully. I had to wait for a few route advertisements to pass by, but my Mac did end up doing the right thing.
One last thing worth noting. On a Cisco router, setting the "ipv6 mtu" to something non-default will be reflected in the IPv6 route advertisements it sends out.
Hope this helps,
-Lex
Maybe you are looking for
-
I downloaded and ran the update to Firefox. It said it was successful and then the welcome page etc. came up. However, after I had closed down and started up again the "old" version came up when I clicked on the Firefox icon with the usual comment th
-
Changing Win 8.1 Pro Store App Installation Folder
I have a Dell Venue 8 Pro tablet with Windows 8.1. The c:\ is very limited capacity at only 24GB. With the OS only on the c:\ I just have 8.6GB of free space. So I have added a 64gb SSD to the machine and want to install all my apps on it and not
-
Dynamic structure names in cfloop
I have designed a web application that allows users to enter a number of records on one form – for example computer skills. The user can add up to 20 different computer skills. On another form, the user's recorded computer skills are shown as a numbe
-
Web content not showing up anymore.
My article inside have a container that contain a HTML/JS web content. Once I edit the html content and update the article, the container is empty. I remove the article and upload again still get the same result, it is empty. How can I solve this pro
-
Custom sort pivot table columns with Essbase as the data source
Is it possible to sort columns in a pivot table according to an arbitrary value that I define when the data is coming from Essbase? For example, say I have a dimension called Soda, with values Coke, Diet Coke, Dr. Pepper and Diet Dr. Pepper. I create