Changing Admin Group back to 501

Similar Messages

• Need to audit domain admin group changes

  Hi
  I have windows server 2012 domain controllers (4 Dcs). I want to audit changes happening to domain admin group. Recently somebody modified domain admin members. I want to trace out who did this ..
  Please let me know how to check it...

  Hi,
  Checkout the below steps to enable auditing for AD User and Group Changes,
  1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
  2. Right click the Default Domain Controllers Policy, and then click Edit.
  3. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access.) 
      Enable Success auditing for the following settings
      - Audit Directory Service Access
      - Audit Directory Service Changes
  4. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management.) 
      Enable Success auditing for the following settings
      - Audit User Account Management
      - Audit Computer Account Management
      - Audit Security Group Management
      - Audit Distribution Group Management
  After completing the audit settings, configure SACL in Active Directory Users and Computers console for enabling the geneartion of AD Change events in the eventlog as shown below,
  Regards,
  Gopi
  JiJi
  Technologies

• Change the group selection in contacts back please!!!

  Why would you change something so intuitive into the cumbersome system.
  It was so easy before, if I want to see family contacts or work contacts I hit that option and they all appear. This select and deselect the ones I dont want is a pain.
  If something works well, don't just change it for the sake of an upgrade, leave it alone. Apple have always been good at nice interfaces, this is so stupid for a primary feature on a phone.
  Is there an option somewhere to have it work the old way?

  Hi
  Thanks for all,
          Problem i wrote to sap, Once transaction happend, it is not possible to change the group asset. I convienced my client no issue.
  Regards
  Maruthi.

• 4.0.8.2.4  Cannot start listener after changing user/group to nobody/nobody

  Installed OAS 4.0.8.2.4 and configured it. Everything is working fine with listener, plsql cartridge, Java cartridge and OSSWA. But if change listener's user/group from Oracle/Dba to nobody/nobody. Listener will not start. It hangs in as follows:
  ========================================================================
  Information: Listening on NORM port 80 address 0.0.0.0
  Information: wriorProcessInit: RMProxy IOR Bootstrap Service initialized
  Information: Adapter services initialized successfully
  Information: The server started successfully
  Server now running as process 15654
  OWS-08850: Oracle Web Listener 'www' started.
  Oracle Web Listener 4.0.8.2.4 Enterprise Edition - Release (Domestic)
  Copyright (c) Oracle Corporation 2000. All rights reserved.
  Information: Listening on NORM port 5502 address 0.0.0.0
  Information: wriorProcessInit: RMProxy IOR Bootstrap Service initialized
  ===========================================================================
  from the message above, we can see if it failed to start the "Adapter services"
  If we change the user/group back to Oracle/Dba, it starts fine.
  And also, we have under $ORACLE_BASE/admin, the listener ( name devl ) permission has been changed accordingly to the user/group change. We follow the instruction from OAS configuration to change user/group.
  ( Read access to the configuration file
  Read access to all files that provide content for servicing requests
  Read access to all imagemap files
  Execute access to all Oracle Application Server binaries and program files that the Web Listener must execute
  Write access to the log and error files
  Read access to user directories )
  Thanks.

  Thanks. After a few more days testing. We finally figure out where it went wrong. We changed user/group from node manager. ( from Oracle/dba, installer, to nobody/nobody). After that, we only changed $ORACLE_BASE/admin/ows/SITE_name/httpd-host_name/listener_name to be read and write accessed by nobody. We forgot to change owl.cfg to be read access to nobody/nobody. After we changed that. It starts fine.
  Thanks again.

• Admin group missing

  Hi,
  I'm a new Mac user and i used to dev on Linux.
  I'm french too so i apologize for my poor knowledge in English practice ..
  Anyway, i recently wanted to add the admin group to another user (Apache) just for a temporary test and when i tried to revert this change it seems that anyone on the system was impacted.
  Here are the commands i entered :
  > add the admin group :
  sudo dseditgroup -o edit -a www -t user admin
  > drop the group :
  sudo dseditgroup -o delete -a www -t user admin
  OR
  dscl . -append /Groups/admin GroupMembership monusername (with root user)
  These commands gave me an error :
  > first : Group not found
  > second :
  append: Invalid Path
  <dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
  Any idea ?

  Please take these steps to restore administrator privileges to your account. This somewhat tedious procedure is only necessary if you've confirmed that no adminstrator account exists on the system.
  If you don't already have a current backup of all your data, you must back up before taking any of the steps below. Ask if you need guidance. You won't need the backup unless something goes wrong—which is always possible.
  Step 1
  Start up in Recovery mode. The OS X Utilities screen will appear.
  Step 2
  Take this step only if you use FileVault 2. Launch Disk Utility, then select the icon of the FileVault startup volume ("Macintosh HD," unless you gave it a different name.) It will be nested below another icon with the same name. Click the  Unlock button in the toolbar and enter your login password when prompted. Then quit Disk Utility to be returned to the main screen.
  Step 3
  Select
            Utilities ▹ Terminal
  from the menu bar. In the window that opens, type this:
  res
  Press the tab key. The partial command you typed will automatically be completed to this:
  resetpassword
  Press return. A Reset Password window opens. Select your startup volume if not already selected. Pull down the menu labeled
            Select the user account
  and select
            System Administrator (root)
  Follow the prompts to set a password. It's safest to choose a password that includes only the characters a-z, A-Z, and 0-9. I suggest you write down the password. If you don't write it down and forget it, you'll have to start over from Step 1.
  Select
             ▹ Restart
  from the menu bar.
  Step 4
  This step, like Step 2, applies only if you use FileVault. Log in as usual, then select
             ▹ Log Out...
  from the menu bar, or press the key combination shift-command-Q. Don't restart. You'll be returned to the login screen.
  Step 5
  At the login screen, click Other... Enter "root" (without the quotes) in the Name field, and enter the password you set in Step 3 in the Password field. You should now be logged in as root. This is a potentially dangerous condition. Do nothing while logged in as root except as indicated below. You'll be fine as long as you don't deviate from the plan.
  Open the Users & Groups preference pane. Select your usual administrator account in the list of users and check the box marked
            Allow user to administer this computer
  You'll be prompted to restart. Do that and log in as yourself—not as root. Your administrator status should now be restored.
  Step 6 (optional, but recommended)
  Follow the instructions in this support article under the heading "Disable the root user." You must authenticate in Directory Utility as "root" with the password you set in Step 3. Authenticating as another administrator won't work.
  Credit for this idea to ASC member wessongroup.

• Change a group of photos to meet length of audio

  Hi, I was wondering if anyone knew how to change a group of photos' length to meet the length of an audio clip? I know that you can individually change each photo length but I need help with selecting a group of photos and making them all fit the length of a music clip.
  Any help would greatly be appreciated. Thanks!

  You may want to try to repair your iPhoto Library.  Errors may have crept in.  Back up you library first.  Hold down the option and command keys when you start iPhoto.  This will bring up repair options.  Try the first two or three, one at a time, and see if it helps.
  You may also want to check out the iPhoto Library Manager App.

• DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

  On client computers that are protected by DPM 2010 and prior versions, you had to put the end users account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening
  the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the
  backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
  Ths fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
  This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
  One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable
  practice.
  Is there a new hotfix for the same issue on DPM 2012? I am hesitated to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not appicable for version 2012.
  Please help.
  Thanks,

  This is a hands off solution to allow all users that use a machine to be able to restore their own files.
  1) Make these two cmd files and save them in c:\temp
  2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
  <addperms.cmd>
  Cmd.exe /v /c c:\temp\addreg.cmd
  <addreg.cmd>
  set users=
  echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
  echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
  FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
  echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
  REG IMPORT c:\temp\perms.reg
  Del c:\temp\perms.reg
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This
  posting is provided "AS IS" with no warranties, and confers no rights.
  That's a good one! Thanks for that.
  I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
  ========================================================================
  $RC=setoption("WOW64AlternateRegView","on") 
  $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
  $uservariable = "%userdomain%\%username%"
  If KeyExist ($DPMkey)
  $Userstring=ReadValue($DPMkey, "ClientOwners")
  If $Userstring == ""
  WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
  ? "Key created"
  else
  If not instr($Userstring,$uservariable)
  $Userstring = "$Userstring,$uservariable"
  WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
  EndIf
  Endif
  EndIf
  ==========================================================================
  The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
  In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
  =========================================================
  $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
  =========================================================
  The only problem with that, is that key gets created/updated only if user gets logged phisically on that PC, but will not work for anyone connecting through RDP.

• I recently inherited a power mac from my dad how do i change admin passwords and such so I can use it

  I recently inherited a power mac from my dad how do i change admin passwords and such so I can use it?

  And if you can't log into the machine at all, you'll need:
  Mac OS X: Changing or resetting an account password.
  You'll need a system recovery or Mac OS X install disc. Don't drop your Dad's user account, though. If he's got any serialized software, it may not function for all users on the machine, and you may need to go back to his account.

• Remove Send-As for domain admin groups

  With referring to below link.
  http://social.technet.microsoft.com/Forums/exchange/en-US/d2e97e64-536a-4c46-8e57-e0ac6a4ad64e/how-do-i-remove-domain-admins-send-as-settings-for-all-users?forum=exchangesvradminlegacy
  The solution work perfectly for normal user but for user whose member of Domain Admin as well, the send-as will revert back from Deny to Allow after a while.
  I have a user who member of domain admins group, say User A. Since we want to remove the send as for all users (including User A), I did followed the steps, Denied Send-As for Domain Admins group for User A.
  However, after for while it return back to Allow.

  The permissions on members of special groups is managed by the AdminSDHolder and SDProp.
  http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
  The way to deal with this is to give your domain admins (and any other admins) a separate account and to remove their "normal" account from any privileged groups (and to reset the adminCount property and "allow inheritance" on the "normal" account). Do NOT
  give the admins a mailbox.
  If you can't do that, then deny the Domain Admins group the "Send As" and "Receive As" permission at the organization level in the AD's configuration container. Use ADSIEDIT to do that here:
  CN=<Organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<tld>
  --- Rich Matheisen MCSE&I, Exchange MVP

• Users Admin Group in WS 2012

  Recently users got deleted from Admin group in the windows server 2012, is there any tracking enabled or how do I check when it was deleted and how deleted.
  I have gone thorugh security audit logs but could not find much information. please help.
  Thanks, Ram Ch

  Hi,
  If the auditing is not enabled for such changes that you won't see anything logged in the security log.
  http://www.windowsecurity.com/articles-tutorials/windows_os_security/Auditing-Users-Groups-Windows-Security-Log.html
  Basically you would need a GPO (if you are in AD domain) and enable "Audit Account Management" for success/failure if you want to see both type of changes. The GPO should be linked to where you have your servers/workstations placed (organizational
  unit).
  If you want to see changes on the domain security/distribution groups then the same GPO setting would be linked to Domain Controllers OU. Yo ucan either configure the default domain controllers policy or create a new one for this.
  Hope this helps.
  Regards,
  Calin

• Admin group does not exist - creating problems

  Hi,
  On my computer I have no my admin rights after an update (I think). All users are standard users. I have tried to resolve this situation by following the instructions in TS1278. This does not help. I can check (enable) "Allow user to administer this computer" but it does not stay checked. Logging out and in does not help.
  I have also tried creating a new user as an Administrator but it gets created as a Standard user. I did this by authenticating as root (enabled by the TS1278 actions).
  # dscl . -list /groups
  Lists the available groups and there is no group called 'admin' in there, perhaps this is the problem? Now my question is, how can I create a new admin group with the same id (80) as the admin group used to have?
  I do not know what removed the admin group.
  Thanks
  Christian

  See if this helps: I lost my admin user (Mac OS X 10.5) and OS X 10.5- Administrator user changes to standard.

• Which unity accts can I take off "domain admin" group after install

  Hi
  Unity 5.X in UM mode - Which unity accts can I take off "domain admin" group after install (ie unityinstall, unityadmin, UnityMsgStoreSvc, UnityDirSVC etc..)
  and if I do so, what is the impact or if I want to upgrade in the future?
  Thanks

  UnityInstall should be the most powerful account and is the only account that should be added to the Domain Admins group by the Permissions Wizard.  This is definitely true for Exchange 200, 2003, and 2007.  I've not dealt with a lot of customers on 2010 yet so this could have changed; however, I doubt it.  You can verify what I'm telling you here:
  http://www.ciscounitytools.com/Applications/Unity/PermissionsWizard/Unity403_411/Help/PWHelpPermissionsSet_ENU.htm
  This link will tell you what permissions and group memberships are set at a high level for all the Unity service accounts.
  To clarify what Jonathan said, by "downgrade" the UnityInstall account - the rule of thumb is this:
  Cisco supports that you DISABLE the UnityInstall account, if desired, after an installation.  This account should only be used during installation activities.  However, DO NOT DELETE the account in AD.  So, again - disabling the account is OK.
  Hailey
  Please rate helpful posts!

• List users in local admin group on all workstations

  Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issues when the computer responded but dns was incorrect for
  that pc so i would get a false list of local admin members on that workstation. I changed to a wmi query instead and queried the system name using that so If the system name matched the workstation name being queried then write it is supposed to write to a
  csv. For some reason, when i use $wmi.name as the variable, it does not work. What am i missing?
      $CurrentDate = Get-Date
      $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
      import-module activedirectory
       $servers= get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
       $output = "c:\temp\local admin audit $CurrentDate.csv"
       $results = @()
       $servers | ForEach-Object{
      $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
      $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
      $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
      $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
      $group =[ADSI]"WinNT://$_/Administrators,group"
      $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_,   $null) }
      if($wmi)
         New-Object PSObject -Property @{
             DistinguishedName = (Get-ADComputer $_).DistinguishedName
             Server = $_
             Members = $members -join ";"
      } | Export-Csv $Output -NoTypeInformation

  I agree use GP it is more reliable and easier to manage.
  For the sake of demonstration of how this can be don here is how most of us would be likely todo this or a very close variation.
  There is no issue with using Test-Connection and DNS.  AD/DNS cannot have the wrong names or your domain would crash.  Using Get-AdCOmputer instead of a file eliminates stale information.
  $csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
  import-module activedirectory
  #adjust Filter as needed
  $adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
  Get-AdComputer -Filter $adfilter |
  ForEach-Object{
  $props=@{
  Server=$_.Name
  IsAlive=$false
  DistinguishedName=$_.DistinguishedName
  Members=$null
  if(Test-Connection $_.Name -Count 1 -Quiet){
  $props.IsAlive=$true
  $group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
  $members=$group.Members() |
  ForEach-Object{
  $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
  $props.Members=$members -join ";"
  New-Object PSObject -Property $props
  } |
  Export-Csv $csvfile -NoTypeInformation
  Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
  ¯\_(ツ)_/¯

• CSM per admin group using per device group

  I am looking to see if multiple admin and device groups can be created to limit certain administrators to administrate only certain devices but not others.
  For example:
  admin group "ag_na" (including user admin1 & admin2)  can make changes to device group "dg_na" containing (device 1, device 2) only
  admin group "ag_ca" (including user admin3 & admin4) can make changes to device group "dg_ca" containing (device30 & device31) only
  Any tips on if / how to do this?
  Thanks

  You can do it by integrating the CSM into an ACS v4.2 and doing RBAC. There you can define for which NDGs a user has which access policy.
  http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/installation/guide/aduser.html#wp1063220
  Unfortunately this is a short-therm solution as ACS v4.2 has been put to EoS and no real alternative methods are available today. Hopefully Cisco will come up with a new solution on the long-therm.

• How to change admin account and use folder from old account?

  Hi, I created a new admin account, and now I need to get all folders like Music, Documents, Video etc from old admin account. So, if I loged in as a new admin I see all folders with red sign in the coner and don't have permistion to see them or move. What are my options?
  I do have Time Machine backup from old admin account, but it also doesn't let me open folders from the new admin.

  Go back to the old account. Select one of the folders you moved to the Public folder and open the Info window. Click the lock icon and authenticate. Change the access permission for Everyone to Read. From the action menu (gear icon), select Apply to enclosed items. Repeat for each folder. Switch to the new account and try the copy again.