Cisco MeetingPlace One or More Local Admin Group
Hi All UC Experts,
I have a MeetingPlace 8.5, audio only, that is used in Hong Kong only. Now I want to share the MeetingPlace with my USA users too.
But I am thinking about the administrative problem below:
Can I create a USA local group for the USA users only? That should be a local USA admin, who can manage their USA users only.
Similar Messages
-
Is it possible to disallow RDP for one member of local admins group?
Hello:
I have an application server which has a service account that is in the local admins group. Is it possible to disallow only that particular service account from being able to RDP into the server? Server is Windows Server 2003 SP2. Basically, I'm trying to bypass this: Members of the local Administrators group can connect even if they are not listed. I understand that anyone using the service account could undo any restrictions I make, so what I'm trying to do would just be a deterrent. I cannot disable RDP altogether since our regular sys admins need to be able to RDP into the server. Thank you.
What if you specified the user and denied them rights to RDP to the server. A deny overrides every other permission, and if you can do this, then only that one user would not be able to RDP into the server, but other admins would be able to.
-
Local admin vs user placed in local admin group
What are the differences between the built-in and the user placed in the admin local group? I noticed when installing Cisco's AnyConnect 3.x client as a user who has been elevated to the local admin group that when the install is complete the settings only apply to the specific user used during the install as opposed to when the built-in admin (I am aware of the option for this) ... My question is: are there any Windows applications that require well-known security identifiers (SID)?
or
simply put, what are the differences between the built-in and the user placed in the admin local group? I experienced differences and wanted to know where I can get more information.
Hi,
There are some subtle differences. The built-in administrator account SID is well known for programming logic by 3rd parties.
For the built-in admin, UAC is disabled by default. That means that the built-in admin never requires elevation. But, as we all know, UAC can be turned off by the user so even when an admin user launches a program, he will be elevated automatically.
The built-in admin account can't be deleted (though it can be disabled).
Karen Hu
TechNet Community Support
-
On client computers that are protected by DPM 2010 and prior versions, you had to put the end user's account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.” This is not ideal on many networks because the end users are not allowed to have local administrator access.
The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue: I had to include end users in the workstation local admin group before they could search for recovery points on the DPM server. This is not acceptable practice.
Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable to version 2012.
Please help.
Thanks,
This is a hands off solution to allow all users that use a machine to be able to restore their own files.
1) Make these two cmd files and save them in c:\temp
2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
<addperms.cmd>
Cmd.exe /v /c c:\temp\addreg.cmd
<addreg.cmd>
set users=
echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
REG IMPORT c:\temp\perms.reg
Del c:\temp\perms.reg
Regards, Mike J. [MSFT]
That's a good one! Thanks for that.
I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
========================================================================
$RC=setoption("WOW64AlternateRegView","on")
$DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
$uservariable = "%userdomain%\%username%"
If KeyExist ($DPMkey)
    $Userstring=ReadValue($DPMkey, "ClientOwners")
    If $Userstring == ""
        WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
        ? "Key created"
    else
        If not instr($Userstring,$uservariable)
            $Userstring = "$Userstring,$uservariable"
            WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
        EndIf
    Endif
EndIf
==========================================================================
The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
=========================================================
$uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
=========================================================
The only problem with that is that the key gets created/updated only if the user gets logged on physically on that PC, but it will not work for anyone connecting through RDP.
-
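For the DPM ClientOwners thread above, an added PowerShell example (not code from either poster) that maintains the same registry value without an intermediate .reg file or helper script in c:\temp, a directory that standard users can often write to, and that resolves owners from profile SIDs rather than from folder names under c:\users. The function names are hypothetical, and writing the value as a REG_SZ comma-separated list is an assumption taken from the .reg import in the first reply.

```powershell
# Added example: function names are hypothetical; key path and value name come from the thread.
$DpmKey      = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection'
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-DomainProfileOwner {
    # Resolve each profile SID to DOMAIN\user instead of trusting directory names.
    Get-ChildItem -Path $ProfileList | ForEach-Object {
        $sidText = $_.PSChildName
        if ($sidText -notlike 'S-1-5-21-*') { return }   # skip SYSTEM and the service accounts
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return                                       # orphaned profile or malformed key name
        }
        # Keep domain accounts only; local accounts resolve to COMPUTERNAME\user.
        if ($account.Split('\')[0] -ne $env:COMPUTERNAME) { $account }
    }
}

function Merge-ClientOwner {
    param([string]$Existing, [string[]]$Account)
    # Case-insensitive union (PowerShell hashtable keys ignore case); existing entries stay first.
    $seen = @{}
    $merged = @($Existing -split ',') + @($Account) |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -and -not $seen.ContainsKey($_) } |
        ForEach-Object { $seen[$_] = $true; $_ }
    $merged -join ','
}

function Update-DpmClientOwner {
    # Must run elevated: the value lives under HKLM.
    if (-not (Test-Path -Path $DpmKey)) { throw "DPM agent key not found: $DpmKey" }
    $existing = (Get-ItemProperty -Path $DpmKey -Name ClientOwners -ErrorAction SilentlyContinue).ClientOwners
    # -join flattens a REG_MULTI_SZ (string[]) and leaves a REG_SZ unchanged.
    $value = Merge-ClientOwner -Existing ($existing -join ',') -Account (Get-DomainProfileOwner)
    # Assumption: REG_SZ, as produced by the .reg import in the first reply.
    New-ItemProperty -Path $DpmKey -Name ClientOwners -Value $value -PropertyType String -Force | Out-Null
    $value
}

# Constructed sample: the merge step alone, which does not touch the registry.
Merge-ClientOwner -Existing 'CONTOSO\alice,' -Account @('contoso\Alice', 'CONTOSO\bob')

# On a protected client, from an elevated session or a scheduled task:
# Update-DpmClientOwner
```

If this is scheduled, keep the script in a directory that only administrators can modify, since the task runs it with rights to write under HKLM.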
List users in local admin group on all workstations
Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issue when the computer responded but DNS was incorrect for that PC, so I would get a false list of local admin members on that workstation. I changed to a WMI query instead and queried the system name using that, so if the system name matched the workstation name being queried then it is supposed to write to a CSV. For some reason, when I use $wmi.name as the variable, it does not work. What am I missing?
$CurrentDate = Get-Date
$CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
import-module activedirectory
$servers= get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
$output = "c:\temp\local admin audit $CurrentDate.csv"
$results = @()
$servers | ForEach-Object{
    $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
    $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
    $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
    $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
    $group =[ADSI]"WinNT://$_/Administrators,group"
    $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
    if($wmi) {
        New-Object PSObject -Property @{
            DistinguishedName = (Get-ADComputer $_).DistinguishedName
            Server = $_
            Members = $members -join ";"
        }
    }
} | Export-Csv $Output -NoTypeInformation
I agree use GP it is more reliable and easier to manage.
For the sake of demonstration of how this can be done, here is how most of us would be likely to do this or a very close variation.
There is no issue with using Test-Connection and DNS. AD/DNS cannot have the wrong names or your domain would crash. Using Get-AdComputer instead of a file eliminates stale information.
$csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
import-module activedirectory
#adjust Filter as needed
$adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
Get-AdComputer -Filter $adfilter |
    ForEach-Object{
        # one output row per computer, filled in only if it answers
        $props=@{
            Server=$_.Name
            IsAlive=$false
            DistinguishedName=$_.DistinguishedName
            Members=$null
        }
        if(Test-Connection $_.Name -Count 1 -Quiet){
            $props.IsAlive=$true
            $group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
            $members=$group.Members() |
                ForEach-Object{
                    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                }
            $props.Members=$members -join ";"
        }
        New-Object PSObject -Property $props
    } |
    Export-Csv $csvfile -NoTypeInformation
Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
¯\_(ツ)_/¯
-
Service accounts adding to Local admin group
Hello Everyone,
What are the risks with adding SharePoint service application service accounts to the local admin group?
I see in many Microsoft blogs not to use the farm account to create service applications and that it is better to use a dedicated service account, but I didn't see any articles on why we shouldn't add dedicated service accounts to the local admin group.
I am facing some GPO issue and one of my friends suggested adding service accounts to the local administrators group to fix this issue, but I am not sure what the risks behind it are.
Please let me know if you are aware of risks.
Thanks S
The basic is that it increases your attack surface. If the service (and this goes for any application regardless of vendor or platform) has elevated access to the underlying system (e.g. Local Administrator, SYSTEM, root, and so forth) and that service is compromised, there is the possibility that the entire server would be compromised.
Clearly, this is not a good situation.
Having said that, there are two scenarios where a service account in SharePoint must be a Local Administrator:
- If you're running the Claims to Windows Token Service (C2WTS) as a Domain User. This account requires Local Admin.
- If you're provisioning the User Profile Sync Service, the Farm Administrator account must be a Local Administrator during the provisioning process (reason being is that it makes calls to the SAM).
Trevor Seward
-
Can not add Domain User to Local Admin Group Win8.1
Hello,
I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on but 90% of them it won't allow me to add the local user to the local admin group.
DCs are running Win Server 2008 R2 Enterprise.
Any help would be greatly appreciated.
Thank You
I would suggest you use Restricted Groups (via GPO) to add domain users/groups to the local admins group.
1. Create a new group in Active Directory
Create a new group in Active Directory that you wish to add to every workstation's local administrator group. DO NOT add any users to this group at this time.
2. Create a new GPO
Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that the WORKSTATIONS you are wanting to give users local administrative rights over.
3. Edit the newly created GPO
Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
4. Add your new Active Directory group to the Restricted Group
Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
5. Add the Restricted Group to the local administrator group
In the Restricted Group Properties window click "Add" under the section titled "This group is a member of:" Type "Administrators" (without the quotes and yes it is plural), in the Group Membership window and click "OK"
6. Wait for GPO updates to apply to the workstations
Once your users receive their updated group policy settings every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.
7. Add a user or group of users to the Active Directory Restricted Group
When you are ready, or in a position where you need to provide local workstation admin rights you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management Console.
-
Powershell add group to local admin group
How do I remotely use PowerShell to add a domain group to the local admin group on a machine?
thanks
When using above, I got:
[DBG]: PS C:\>> $remoteComputer = 'xxx.xxx.xxx.xxx'
[DBG]: PS C:\>> $groupname = 'Admin-Group'
[DBG]: PS C:\>> $fqdn = 'subdomain.domain.com'
[DBG]: PS C:\>> ([ADSI]"WinNT://$remoteComputer/Administrators,group").Add("WinNT://$fqdn/$groupName"):
Exception calling "Add" with "1" argument(s): "Access is denied.
At line:1 char:1
+ ([ADSI]"WinNT://$remoteComputer/Administrators,group").Add("WinNT://$fqdn/$group ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
I am wondering how $remoteComputer authenticate?
-
Sync one or more local calendar with a google calendar
I need, I guess an app, that lets me sync one or more local calendars on my Mac with the Google calendar subscribed in iCal
The calendars reside on different servers and as far as I know there isn't a way to sync between them. You can, of course, add your Google calendar to your devices and continue to use Google to keep it in sync. If you open the Calendars app on your devices and tap Calendars on the top left, then tap Show All Calendars, your Google and iCloud calendar events will appear together in your calendar. You will only need to decide which one you wish to use as your default when adding new entries, then set this in Settings>Mail,Contacts,Calendars>Default Calendar.
-
Need to Query Local Admin Group
I wrote (copied) some PowerShell code that will add a Domain User to the Local Admin Group using ADSI.
$GuestPC = "WinNT://DOMAIN/UserName,user"
$AdminGroup = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/administrators,group")
$AdminGroup.add($GuestPC)
I want to add an If - Else statement to check if the Domain User is already in the Administrators group.
I found this code:
$members = @($AdminGroup.psbase.Invoke("Members"))
$members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
This code actually lists the members of the Administrators Group. Maybe it's early or I did not get enough sleep, but I cannot figure out how to just query the Administrators group for $GuestPC and if it is there don't do anything, but if it is not there add it using the above code.
Something easy for someone out there I hope?
Matt
Matt Dillon
Finally found the answer on Google. Just need to add -cnotcontains "GuestPC" inside an If-Then
Matt Dillon
-
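One way to write the check-then-add asked about in the thread above, as an added PowerShell example that is not part of the original posts. It compares each member's ADsPath rather than its Name, so a local account that shares a name with the domain user is not mistaken for it; Add-LocalAdminIfMissing is a hypothetical name, and DOMAIN and UserName are the thread's own placeholders.

```powershell
# Added example, not code from the thread. Add-LocalAdminIfMissing is a hypothetical name.
function Add-LocalAdminIfMissing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # NetBIOS domain name, because that is the form the WinNT provider reports for members.
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $group  = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $target = "WinNT://$Domain/$UserName"

    # ADsPath of every current member: WinNT://DOMAIN/user for a domain account,
    # WinNT://DOMAIN/COMPUTER/user for a local one.
    $current = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }

    # -contains ignores case, which matches how Windows treats account names.
    if ($current -contains $target) {
        Write-Verbose "$target is already in $ComputerName\Administrators"
        return $false
    }

    if ($PSCmdlet.ShouldProcess("$ComputerName\Administrators", "Add $target")) {
        $group.Add("$target,user")   # same ADSI call as in the question
        return $true
    }
    return $false
}

# Constructed usage: -WhatIf reports the pending change without making it.
Add-LocalAdminIfMissing -Domain 'DOMAIN' -UserName 'UserName' -WhatIf
```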
Add Local Users to the Local Admin Group
I am looking either via GPO or Third Party Tool. I would like to add 6 Users to the Local Admin Groups on all the computers running Windows 7/8. I want to Create a Group called "OUR Local Admins" and add these 6 local users (Not domain Users) to this Group and then nest this Group into the Local Admin Group Built-in into Windows 8
Thank u
> local users (Not domain Users) to this Group and then nest this Group
> into the Local Admin Group Built-in into Windows 8
You cannot nest local groups.
Greetings,
Martin
-
Adding a domain user to Local Admin Groups using MDT 2012
I don't know if this will help anyone, but it did me after weeks of searching. If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No".
But the administrators accounts page will only appear if you choose to join a domain.
Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
<Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
<Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
</Pane>
Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default, instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different Story :^).
Keith Garner - keithga.wordpress.com
-
Giving an OD Network User/Group local admin rights.
Is there a way to manage workstation admin rights from the server?
I ran into a problem with Lightroom that requires admin privileges to change the program preferences. We have a lot of graphic art students with roaming profiles, spread out across 5 labs, that need to make this change. I would like to be able to add a group or all network users to the local admin group, for a few days, so the students can make the changes.
This works on 10.5, not sure about 10.6.
As root on the client.
Upgrading legacy group for local admin group - this is from 10.4 days, not sure if you still need to do it.
dseditgroup -o edit -f n -t group -n /Local/Default admin
Nest OD group in local admin group
dseditgroup -o edit -a DirectoryAdminGroup -t group -n /Local/Default admin
Gen
-
Af:tree group by one or more view attribute(s)
Hi.
How to create af:tree with one or more levels based on one or more attribute's group by?
I have a view with two attributes (Attr1 (possible values are 1 or 2) and Attr2 (value is string like name)). I want to create tree with root level of Attr1 and children of Attr2.
Example:
+ - 1
| - - - 'Name1'
| - - - 'Name2'
+ - 2
| - - - 'Name3'
Do I have to create new view object (based on same table with only distinct data) for each level in tree? Or is there any "better" way of doing this?
Regards
You are right !!
The problem is inside the report generated by Oracle Reports
The XML code, which I retrieve running the report request is the following:
<?xml version="1.0" encoding="&Encoding"?>
- <!-- Generated by Oracle Reports version 6.0.8.20.2
-->
- <MODULE1>
- <LIST_G_MANAGER_NO>
- <G_MANAGER_NO>
<MANAGER_NO>1000</MANAGER_NO>
<MANAGER_NAME>Anil Passi</MANAGER_NAME>
</G_MANAGER_NO>
- <G_MANAGER_NO>
<MANAGER_NO>1001</MANAGER_NO>
<MANAGER_NAME>Martin</MANAGER_NAME>
</G_MANAGER_NO>
</LIST_G_MANAGER_NO>
</MODULE1>
and the problem is the "&" !!!
So, inside Oracle Reports, when I try to generate the XML code from a preexisting report, the encoding variable is not set.
Now, I'm trying to understand how to set it, but I didn't find anything....
Does somebody know where I can find a Report's configuration file in order to set this "encoding"?
Thanks
Alex
-
Adding users in Local Administrators Group using GP Restricted Group
Hi Experts.
I have approx 200 servers. There are user1, user2 and user3 which I have added in Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local Administrators member.
Now there is a need that user 4 should be in Local Administrators Group using GP Restricted Group for certain servers only. Lets say 50.
In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.
Any idea?
Regards Suman B. Singh
Hi,
How is it going? I agree with Martin. To do this, we can configure the setting in two different GPOs. For instance, in GPO1, we add user1, user2, and user3 to the local admin group; in GPO2, we add user1, user2, user3, and user4 to the local admin group; and then we can use Security Filtering to apply the specific GPOs to specific computers.
Regarding security filtering, the following article can be referred to for more information.
Security filtering using GPMC
https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
Filter Using Security Groups
https://technet.microsoft.com/en-us/library/cc752992.aspx
Besides, in addition to Restricted Groups, we can also use Group Policy Preferences Local Users and Groups to do this, in which way we can configure two Local Group items in one GPO and utilize Item-Level Targeting to apply the specific items to specific computers.
Regarding GPP Local Users and Groups, the following article can be referred to for more information.
Configure a Local Group Item
https://technet.microsoft.com/en-us/library/cc732525.aspx
How to use Group Policy Preferences to Secure Local Administrator Groups
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
Regarding Item-Level Targeting, the following article can be referred to for more information.
Preference Item-Level Targeting
https://msdn.microsoft.com/en-us/library/cc733022.aspx
Best regards,
Frank Shen