Create local admin from workgroup manager

Similar Messages

• Exporting users from Workgroup Manager to Excel

  Hi all,
  Just wondering if anyone knows of a way to export users from Workgroup Manager in a "normal" format, eg CSV or Excel etc? Or if a program exists to post-process the current exported file?
  The current file has bits like this in it:
  <key>kAPOPRequired</key>\
  <string>APOPNotRequired</string>\
  <key>kAltMailStoreLoc</key>\
  <string></string>\
  <key>kAttributeVersion</key>\
  <string>Apple Mail 1.0</string>\
  <key>kAutoForwardValue</key>\
  <string></string>\
  <key>kIMAPLoginState</key>\
  <string>IMAPAllowed</string>\
  <key>kMailAccountLocation</key>\
  Which I would like to remove, or put into various columns in Excel.
  Sadly we are moving to Windows, so I need to get everything out of OD into a format that can be imported into AD. So basically a spreadsheet with firstname, lastname, email address, location/address, group memberships etc etc.
  Any help appreciated

  Thanks Andbrowny
  I gave it a go, but got a strange error, does this mean anything to you?
  admin$ sudo ldapsearch -LLL -H ldap://127.0.0.1 -b "cn=users,dc=my,dc=domain,dc=net" > userexport.ldif
  Password:
  SASL/GSSAPI authentication started
  ldapsasl_interactive_binds: Local error (-2)
  additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)
  I suspect my OD is screwed, as slapd maxes out all 8 cores every few days, and takes out the mail server as a side effect.
  The Linux link wasn't applicable to this, all the commands and paths are different to MacOS X unfortunately.

• Server Admin and Workgroup Manager is sloooow

  When running Server Admin or Workgroup Manager directly from my client macbook, connected to one of our leopard servers, it is painfully slow. I mean painfully.
  It takes a minute to connect while I stare at this spinning wheel, some actions never stop spinning the wheel. Sometimes it just stops and everything is working great.
  If I run the admin tools locally, connected through remote desktop its working much better, but can still be quite slow when connecting sometimes.
  Any ideas?

  I had a similar problem with a new xserve, setup with the factory pre-install leopard 10.5.2 it defaults to the server FQDN (myservername.com) for server admin with no DNS setup it takes ages to finaly get SA to open because it can't resolve itself.
  deleting server.myservername.com once SA fianaly responds it reverts to server.local and responds
  once DNS is configured correctly, no more issues.
  this particular server went on to develope regular OD crashes and AFP problems with OD crashing and when users logged in/out nd AFP having to be restarted when OD crashed and I decided to rebuild it.
  the DVD was 10.5.1, on bootup it was far worse than the factory pre-install when opening SA
  I upgraded to 10.5.2 combo before turning on any services , even when I got DNS working it was slow to respond nothing like as bad as without DNS but still slow. DNS checked out fine. The only way I could get it to respond normally was to add the domain name to Search domains in network preferences.
  something I did notice with the DVD install in server setup the local address defaulted to .private SA expects .local and the server name wasn't automatically filled out when I entered the server FQDN. the factory pre-install automaticly filled out the server name and used .local
  there is an edit button near the server name once you click on that it changes the name from .private to .local
  I didn't notice the .private the 1st time around and with the .private things where far worse. SA wouldn't respond at all even with 127.0.0.1

• Preventing local admin from changing root password

  Is it possible to prevent a local admin from changing the root password? I would like to set up a computer so that the user has admin rights, but cannot change the root password via a terminal shell to gain root access.

  I can't provide you with details, but I'm sure that all you need to do is to edit the sudoers file. It needs to be edited with <visudo> when logged in as root in a Terminal. The location is </private/etc/sudoers>, but you don't need to know that when using <visudo>. From a first look I'd suppose you only have to uncomment the %admin line, but better get some more information. I never did this myself.

• Admin Group deleted from Workgroup Manager

  Hello,
  Apple set up our Workgroup manager so we could give users permission on our iTunes U site thru our LDAP server. One of the groups that was created was the administrators group which allowed anyone that was on that list to administer the site. Accidentally, yeah right, we deleted the group and I can not remember exactly what it was called and how to recreated it to be able to manage the site again. We no longer have any kind of admin rights and are freaking out just a bit.

  I'm not sure I understand the problem fully but I'm going to take a stab in the dark at a workaround.
  I'm understanding essentially that you need to get back into your iTunes U site, figure out the credential your group provides, and put that back in as an admin.
  A further assumption I have is that half of that problem is #1 GET IN and the other half is #2 FIGURE OUT CREDENTIAL.
  Attack #1: Find posts about Wolamaloo [sic] (formerly iTunes U access) from Richard Wolf. Use this and your shared secret (if you've lost this you might be in really deep) to log on to your iTunes U site as a generic administrator. Use this temporarily to do administrator tasks and then later to repair the Access list with your credential from #1.
  Attack #2: I'm shakier about this because I'm not sure I understand how Apple would be doing anything with your LDAP infrastructure. Anyway in my case I'd call up the LDAP folks in our office of information technology and beg them to either tell me what we were using before, or barring that give me access to some kind of script or LDAP browser that just let me look at my own LDAP attributes. I'd be on the lookout for something in my isMember, eduCourseMember, eduPersonEntitlment attribute and ours is of the form urn:mace:duke.edu.....iTunesU:administrator. I'm taking some longshots here.

• Server admin not seeing directory users from workgroup manager

  I am setting up a new Xserve with Snow Leopard (get 'em while we can). We have eight other XServes running Leopard or Snow Leopard server. On those machines we have set up file sharing over AFP. The machines are connected to our Active Directory server and our users authenticate using their domain passwords. All of our other servers were setup in Leopard and were upgraded to Snow Leopard. We have not had any issues authenticating to those boxes.
  This is the first one that we have actually setup new-out-of-the-box in Snow Leopard. I can set Workgroup Manager up to connect to our AD, and can see and search my domain users and groups in Workgroup Manager. When I try to set up my File Shares in Server Admin, none of my domain users show up-only local accounts.
  What have I missed? In Leopard, when I connected to the domain, the users immediately became available in Server Admin. Not so in SL, at least on this box.
  Help?

  Hi
  The first thing to check is if you've bound the Server to the AD Domain. The second thing is if the /Active Directory/All Domains is in the Search Policy. If you don't do either of these WorkGroup Manager won't display anything coming from the AD Schema.
  In 10.6 Apple moved the Directory Utility from where it used to be in /Applications/Utilities and made it part of the Accounts Preferences Pane. Perhaps it's this change that's confusing you? I would not advise doing this but it's also possible you used the Server Setup Assistant to do most of the configuration? If you did maybe something went wrong at that stage (won't be the first time) and you need to manually bind the Server instead?
  As ever make sure this server is using the same NTP Server as the others.
  Tony

• Clients local admin user is managed - how can it be unmanaged

  Hi. I have a local user on all my client machines called admin with admin rights. Have had this same user with same password for many years for over 300 client machines from emacs to intel macs. With the 10.6.3-5 server update (major issues for the last6 months) with 10.6.2-5 intel imac clients, logging in as admin gives me a reduced dock. just finder and trash. Every use of any applications comes up with "you dont have permission to use the application "xyz". with 3 buttons Always Allow, Allow once and OK. entering admin and password always results in a second box with the same message. entering admin and password then allows me to use it. This behaviour does not happen on 10.5.8 clients and has never happened before.
  In system preferences it says administrator, admin is managed. clicking the lock and authenticating allows me to access the tick for Enable parental controls. If I click on the tick to remove it, it comes up with the message. "You cannot enable parental controls for an adminstrator account. Create a new user account etc." It is unticked but the tick comes back on restarting the system preferences and even restarting the computer immediately.
  I have tried deleting managed prefs etc but to no avail. I have tried removing the computer from the network account server and I get my dock back and can use applications but it still says I am a managed user. and I need the network account server for student logins. Any thoughts how to unmanaged local admin users on client machines to get back to the way it has been since 10.2.4 clients!!!

  Did you try creating a new admin user, and then using that new account to make the Change to unmanage your "admin" account?
  I don't think osx will let you create anaccount called admin these days, as security precaution. Perhaps that has something to do with your problem.

• Error -14135 Creating New User In Workgroup Manager

  Hello,
  I'm running 10.5.8 on a Mac Server, and until today have had no issues adding new users with a preset I've created in Workgroup Manager. Today, I've received the message:
  Got unexpected error
  Error of type eDSRecordAlreadyExists (-14135) on line 1268 of SourceCache/WorkgroupManager/WorkgroupManager-361.2.1/PMMUGMainView.mm
  This error appears before I'm even able to enter any information.
  I would appreciate any suggestions! Right now I'm running Disk Utility and repairing permissions. I haven't found any other ideas online.
  Thank you!

  Following is the text from Note for Custom Password Validation logic:
  Customers who wish to use their own password validation logic may do
    so by writing their own Java classes that implement the
    oracle.apps.fnd.security.PasswordValidation Java interface.  The
    interface requires 3 methods to be implemented:
    1) public boolean validate(String user, String password)
      - This method takes a username and password, and then returns true
    or false, indicating whether the user's password is valid or invalid,
    respectively.
    2) public String getErrorStackMessageName()
      - This method returns the name of the message to display when the
    user's password is deemed invalid (i.e., the validate() method returns
    false).
    3) public String getErrorStackApplicationName()
      - This method returns the application shortname for the
    aforementioned error message.
    After writing the Java class to perform customized password
    validation, the customer must then set the value of the profile option
    SIGNON_PASSWORD_CUSTOM to be the full name of the class.  If, for
    example, the name of the Java class is
    oracle.apps.fnd.security.AppsPasswordValidation, then the value of the
    SIGNON_PASSWORD_CUSTOM profile option must be
    oracle.apps.fnd.security.AppsPasswordValidation.  Note that AOL/J
    will attempt to load this class dynamically.  Hence it is necessary to
    make the class accessible by AOL/J.  This means that in Forms, the
    class must first be loaded into the database using the loadjava
    command.
  You will need to apply the following patches for 11.5.1:
     1344802
     1363919
     1472974
     1351004
     1377615
  You will need to apply the following patches for 11.5.2:
     1377615

• Can't create computer account in Workgroup Manager

  Hi everybody !.
  I am installing a new Xserve with Mac OS X Server 10.5.6 and I am having some trouble with computer accounts in Workgroup Manager.
  I have a couple of PCs with Windows XP that I have added to the Windows domain created by Mac OS X Server with no problem,and they do appear in my computer account list, with the name PC_NameX$.
  My Xserve also appears in this list with the name ServerName.DomainName$
  But my iMacs (with Mac OS X 10.4.11) are not listed. When I try to create their accounts, I write their names and their MAC address but when I push the button "Save", Workgroup Manager says that I can't create this account because there is a computer with that name and that MAC address yet.
  I can't find a solution for this problem by myself. Could anybody give some advices to solve it ?.
  Many thanks.

  Hi Mabel,
  In my computer list appears my Windows computer names (followed by a "$" symbol, i.e., name$) and my Xserve name followed by domain name and a "$" symbol, i.e, name.domain$. Finally, there is a Guest account I added a few days ago (without "$" symbol).
  No iMac is listed here. When I try to add them manually, I write "Name", "Short Name" and "Ethernet ID" fields, and when I push "Save" button, I get this message:
  "The name you have chosen conflicts with a name assigned to another computer. You can’t assign the name “Pollux” to two different computers. Remember that names are not case-sensitive when checking for conflicts." (Pollux is the name I gave to one of the iMacs).
  If I change this name and use another one, but I don't change "Ethernet ID" and then push "Save", the message is:
  "The ethernet address you have chosen conflicts with an ethernet address assigned to another computer. You can’t assign the ethernet address “00:17:f2:d3:38:95” to two different computers."
  So, It seems that WGM knows Name and Ethernet ID from this iMac because it does not let me type them again, but I have not typed this information before nor the iMacs are listed in computer list.
  This is what I don't understand.
  I have have read chapter 6 "Setting Up Computers and Computer Groups", the one that starts on page 105, from top to bottom. I have not found a single clue that helps me solving this problem. Here explains the procedure when everything is working properly.
  Finally, another piece from the puzzle. There is an iMac, that always connects to Directory with Airport interface. I have tried to add this iMac, manually. Well, I get the name conflict message, the Ethernet ID conflict message (with its airport id) and... an Ethernet ID message when I type its Ethernet ID. It seems Directory knows this Ethernet ID even, it has never been used to connect to it.
  Is there some detail I am missing ???.
  Kind regards.

• Is it possible to restrict a local admin from accessing/viewing AD accounts on a Domain Controller?

  I am working on determining if I can have a separate administrator group handle patching and performing maintenance on four servers that are DCs of their own AD domain, but restrict these administrators from the ability to see the active directory user
  accounts in that AD domain?

  Hello,
  Since you are talking about domain controllers I have to say there are no Power Users group in them. Actually the local user management will be disabled as soon as you promote a server to a domain controller. The only option which is left here is to grant
  Administrators handle the job. In case of RODC you can go through what Albert suggested.
  However since domain controllers are sensitive and plays a key role in your environment I strongly recommend not to allow non administrators to perform maintanance or other related tasks (At least for domain controllers). 
  Another option you have left for your patch management is to use a member server like WSUS to automatically install updates on your DCs.
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Users Disappeared from Workgroup Manager

  All I see is the admin user. All Users and Groups are gone.
  Strange thing is that I can still view the LDAP tree from another machine and see all the users and groups. Command line access to the Kerberos system also shows the users existing there as well. LDAP and login authentication is working just fine. Searches against the Directory also work from AddressBook on client machines on the network...
  If I add a new user via WGM, that user will appear as expected. I also see that new user in LDAP and Kerberos.
  I cannot create a user in WGM with one of the existing usernames either. I have also tried an Archive and Restore of the Open Directory data. Still only admin showing.
  Any ideas? I'd like to get these users back and viewable so they are selectable in setting permissions/access for other services...

  Update. From the backup I just made, I can see all of the users in the backup.ldif file. Is there a way I can import them back into Open Directory?
  One other strange thing. If I go to the Settings tab in Server Admin, and into Access, I can see some of the users listed as their apple-generateduid value - not as their usernames.
  This leads me to believe there was a linking thread that was broken somewhere. Strange. Very strange.

• WebMin, Server Admin and Workgroup Manager

  I saw a fairly recent post where it was stated that "Using webmin/virtualmin will break SA and WGM sooner or later." I assume that means that SA and WGM will no longer be reliable, or usable at all, but that the services provided by Tiger Server will not be affected. Can anyone tell me if this is correct? Or give details on just how SA and WGM break? And is anyone successfully using WebMin exclusively for working with OS X services -- mail and Web in particular? Thanks to whomever...

  I am using Webmin to help configure things that are in-there, but have no GUI in SA or WGM. Apache and DNS are good examples where SA lacks a big bunch in configurability.
  The usual precautions work fine in this situation. Always have a current backup, and have another even more current one ready before doing major experiments with configuration.
  Always log off with any other utlity before starting to alter settings with another utility. That will save you from tools cross-writing to config files, potentially getting you into trouble.
  The /usr/bin/sudo admin lecture bringt it down to the point: Think before you type.
  Regards MacLemon

• Create dynamic webpages from Content management system

  We have a requirement where the user would add a content for a "type = adCampaign". This content (for this type)then should create a dynamic webpage.
  The html template (for the dynamic page) remains the same. Only the images and the static content changes.
  Does anyone know how to achieve this?
  I was looking at adTargetContent tag. Does anybody have any examples of this usage.
  Thanks for your help in advance.

  Hi,
  Have you looked into the personalization and campaign management features in WLP 8.1? It sounds like they will do what you need, but if not, please give us some more details about what you're trying to do.
  Cheers,
  Skip

• Hide Create Flight Link from Travel Manager Page (TRIP Tcode)

  Hi,
     As we all know that after executing TRIP tcode we have the travel manager page which has 4 options.
  1)  Create Travel Request  
  2)  Create Flight, Hotel, Car Rental, Train ... With Ref.  
  3)  Create Travel Expense Report ... With Ref.  
  4)  List of All Trips   
  Can someone tell me how to hide the 2) option in this travel manager page. Also the user is not able to see create travel expense link in my open trips under subsequest activities column.
  Kindly Suggest.
  With warm regards.
  Edited by: Aman Ahuja on Jan 22, 2009 12:36 PM

  Hi,
  Go to "Define Schema and Individual Field Control" in IMG, and here you can hide and display various fields and tasks. Select the schema which is related to the TRIP (transaction) - i.e. the fast entry (99)
  regards

• How to create HMAC256 Key from Key Manager (SAP SWIFT Integration Package)

  Hi,
  I am not sure how to create key HMAC Key. There is 2 input
  Key id = .............
  Key value = .................
  I have tried many times but still having below errors message.
  com.sapcons.xi.swift.CryptServiceException: Parameter key Value is invalid
  Is there any documentation on this ?
  Thank You and Best Regards
  Hidayat

  Solved.
  Key Value Length must be 32 bytes.
  The first 16 digit must be at least 1 number, 1 upper case, 1 lower case.
  The seconds 16 digit also the same.
  each character cannot repeated more than 7 times per each halft.
  There is no documentation about this, i just extract the SCA file and check the program logic.