Deny local admin users from logging on (or at least restrict them)

I have a fully managed environment (AD authentication, using managed preferences from OD) that I am testing before rollout.
My concern is that once preferences are managed, admin users will be able to create local admin accounts (I can't block the Accounts pane, otherwise users will not be able to change their passwords), then log in and bypass preference management.
Is there a way for local admin accounts logging on to inherit a default set of preferences that are only applied when a local account (or someone not in one of my directory groups) logs in, or better still, DENY local admins from logging in, or deny anyone from being able to create new local accounts?
(Please don't suggest denying the users admin rights - it's not possible for political reasons.)
Many thanks in advance!
FZ.

There is no root or admin privilege that controls root or admin privilege. You have it, or you don't.
I've been in exactly this case many years ago, and it was replete with the politics of privileges and perceived prestige.
I ended up documenting the foibles of the privileged folks and the time spent on recovery and restoration and related for each event, and waiting for a sufficient accumulation of same (and that didn't take very long), and I then preemptively yanked the access.
Yes, the good folks squawked. Loudly. Yes, I got called onto the carpet.
The Designated Responsible Individual (DRI) was then left to ruminate and make a decision, and (with the assistance of the foibles-related documentation around the efforts and time and costs) made the call. The proffered alternative (with the costs and the design and time estimates ready) was a private subnet or private LAN with private services and a dedicated firewall configured between the privileged folks and the production LANs to keep the good folks safe and secure. Here's what that'll cost...
Either way, you've punted the responsibility and the decision up the management chain to the DRI.
(Oh, wait, did I mention which way that firewall was going to be facing? No? Oops. Bummer.)

Similar Messages

  • Clients local admin user is managed - how can it be unmanaged

    Hi. I have a local user on all my client machines called admin with admin rights. I have had this same user with the same password for many years on over 300 client machines, from eMacs to Intel Macs. With the 10.6.3-5 server update (major issues for the last 6 months) with 10.6.2-5 Intel iMac clients, logging in as admin gives me a reduced dock: just Finder and Trash. Every use of any application comes up with "you don't have permission to use the application "xyz"" with 3 buttons: Always Allow, Allow Once and OK. Entering admin and password always results in a second box with the same message. Entering admin and password then allows me to use it. This behaviour does not happen on 10.5.8 clients and has never happened before.
    In System Preferences it says administrator, admin is managed. Clicking the lock and authenticating allows me to access the tick for Enable parental controls. If I click on the tick to remove it, it comes up with the message "You cannot enable parental controls for an administrator account. Create a new user account etc." It is unticked, but the tick comes back on restarting System Preferences and even restarting the computer immediately.
    I have tried deleting managed prefs etc. but to no avail. I have tried removing the computer from the network account server and I get my dock back and can use applications, but it still says I am a managed user, and I need the network account server for student logins. Any thoughts on how to unmanage local admin users on client machines to get back to the way it has been since 10.2.4 clients!!!

    Did you try creating a new admin user, and then using that new account to make the change to unmanage your "admin" account?
    I don't think OS X will let you create an account called admin these days, as a security precaution. Perhaps that has something to do with your problem.

  • Removing admin user from planning application

    Hi,
    I have a small question that possibly you can answer easily.
    In the workflow process, when users click "change status", at promote and approve the "admin" user comes up in the combo-box.
    We are sharing Shared Services with another project team, so I don't want to show "admin" to my users in that list, because I have "plnadmin" as application owner.
    By the way, "admin" was deprovisioned from planning applications in HSS such that he cannot log in to the planning application ("user does not exist for this application" message).
    But he still exists in workflow process combo-boxes and the "Administration->Application Settings->Assign application Owner" combo-box.
    How can I remove him?
    thx,
    Version: 11.1.1.2

    Hi,
    In theory it should remove the admin user if they have been deprovisioned and the application owner assigned to another user. I did a quick check on 11.1.1.3 and it removed the admin user from the workflow and tables.
    Maybe it has not removed the user because a workflow was already in progress, even though it worked for me.
    There are probably a number of ways to try and remove the user, e.g. try restarting the planning service and logging into the application to see if it syncs up with Shared Services (it should do if the property SYNC_USER_ON_LOGON is set to true, which is the default for planning).
    Try stopping the workflow process and running a refresh, or go to access permissions for a member and click migrate identities to see if it clears the table.
    The final stage would be to manually remove the user from the repository tables.
    (Sorry if I have not covered all areas; I'm sure somebody will give you different ideas or repeat what I say.)
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Photoshop cs6 crashes with "appcrash - module ig75icd64.dll; no problem for a local admin user however. i've tried giving specified user full access to photoshop.exe and set it to Win XP compatibility. how do i fix this without giving user local admin acc

    Photoshop CS6 crashes with "appcrash - module ig75icd64.dll"; no problem for a local admin user, however. I've tried giving the specified user full access to photoshop.exe and set it to Win XP compatibility. How do I fix this without giving the user local admin access?

    Danny,
    Topic or subject titles should be clear, pertinent and concise so that individual users can tell at a glance if they can help or not.
    That field is not for attempting to fit your entire question in there.
    Please keep this in mind next time you post.  Thank you.

  • Can local admin users override mcx?

    Can a local admin user override managed computer settings? i.e., the "automatically hide dock" is set to hide in MCX, but a local admin wants to "always show".
    Is this possible?
    In another post, I found an interesting statement that might apply, but don't know where to do this:
    (https://discussions.apple.com/message/5781831?searchText=Is%20there%20a%20way%20 for%20local%20users%20to%20override%20mcx%20settings#5781831)
    "There's a Workgroup Manager Computer settings that allows admin users to turn off managed preferences. Be sure this is disabled."

    Hi Don,
    Thanks for your suggestions.
    I find these two helpful links [1211821 - How to determine what folders the TEMP and TEMP variables are set to |http://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes_boj/sdn_oss_boj_erq/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/scn_bosap/notes%7B6163636573733d36393736354636443646363436353344333933393338323636393736354637333631373036453646373436353733354636453735364436323635373233443330333033303331333233313331333833323331%7D.do] and [1215142 - Exporting to disk file defaults to the Temp folder |http://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes_boj/sdn_oss_boj_erq/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/scn_bosap/notes%7B6163636573733d36393736354636443646363436353344333933393338323636393736354637333631373036453646373436353733354636453735364436323635373233443330333033303331333233313335333133343332%7D.do]. I also check the folder permissions and find that non-admin has full control to it.
    And during report creation, two files ~DFC500.tmp and ~DFC493.tmp are successfully created in the TEMP folder, but the mentioned error still comes up.

  • Will binding to AD stop local users from logging in?

    Hi,
    If I bind to an Active Directory domain with the Directory Utility, what will this do to the existing local users? Will they still be able to log in afterwards?
    Thanks for any help,
    Richard

    Methinks you should be posting to the server forum.

  • How to reset local admin user password in

    Dear members,
    I want to reset a local admin account (not the built-in Administrator). Let's say I have a user adminlocal who is a member of the Administrators group. My question: how do I reset this user's password via GPO in the domain, because I have more than 5000 workstations in my environment, and how do I generate a summary of all workstations where the password was reset?
    I've tried this link,
    http://community.spiceworks.com/how_to/show/1966-how-to-change-local-user-or-admin-passwords-on-remote-computers
    using PsTools from Microsoft Sysinternals, but when I execute this script against one PC on the domain as a sample, it shows access denied.
    Can anyone in this forum help me resolve this problem?

    Dear,
    You can use PowerShell to do this.
    I've found a script in the Script Center which can do this.
    http://gallery.technet.microsoft.com/scriptcenter/66a5b38f-cdf1-4126-aa0c-be65e16dd650/view/Discussions#content
    Set-Password -computer 'server' -user 'Administratorlocal'
    You can create a loop in PowerShell to check all your servers which you've put in a .txt file, for example.
    # one host name per line
    $strcomputers = Get-Content c:\servers.txt
    foreach ($strcomputer in $strcomputers) {
        # bind to the local account through the ADSI WinNT provider
        $admin = [adsi]("WinNT://" + $strcomputer + "/administratorlocal,user")
        # the new password is applied in clear text, the same value on every host
        $admin.psbase.invoke("SetPassword", "Whatever1")
    }
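    As an added example (not the Script Center script linked above and not the poster's loop), here is a version of that loop that prompts for the password instead of embedding it, skips unreachable hosts, records the outcome per workstation and writes the summary the question asked for to a CSV. It assumes one host name per line in the list file, that the account running it is an administrator on each target, and that the file paths and the local account name are placeholders passed as parameters.

```powershell
# Added example: bulk local-account password reset with a per-host summary.
# Assumptions: one host name per line in $ComputerList; the caller is a local
# administrator on every target; paths and account name below are placeholders.
param(
    [string]$ComputerList = 'C:\servers.txt',
    [string]$LocalAccount = 'administratorlocal',
    [string]$SummaryCsv   = 'C:\reset-summary.csv'
)

# Ask for the new password once, as a SecureString, instead of hard-coding it.
$secure = Read-Host -Prompt "New password for $LocalAccount" -AsSecureString
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    # SetPassword needs a plain string, so unwrap it only for the duration of the run.
    $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$results = foreach ($computer in Get-Content $ComputerList) {
    $computer = $computer.Trim()
    if (-not $computer) { continue }            # skip blank lines

    $entry = [pscustomobject]@{
        Computer = $computer
        Time     = Get-Date -Format 's'
        Status   = ''
        Detail   = ''
    }

    # Do not spend a long RPC timeout on hosts that are switched off.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        $entry.Status = 'Unreachable'
        $entry
        continue
    }

    try {
        # Same ADSI WinNT mechanism as the one-liner in the answer above.
        $path = "WinNT://$computer/$LocalAccount,user"
        if (-not [adsi]::Exists($path)) { throw "account '$LocalAccount' not found" }
        $account = [adsi]$path
        $account.psbase.Invoke('SetPassword', $plain)
        $entry.Status = 'Reset'
    } catch {
        # "Access is denied" lands here when the caller is not an administrator
        # on the target or the target's firewall blocks the remote SAM/RPC ports.
        $entry.Status = 'Failed'
        $entry.Detail = $_.Exception.Message
    }
    $entry
}

$plain = $null    # drop the clear-text copy as soon as it is no longer needed

# Per-host record for the audit trail, plus a quick count per outcome.
$results | Export-Csv -Path $SummaryCsv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

    The CSV lists every host with Reset, Failed (with the error text) or Unreachable, so the hosts that still carry the old password are visible at a glance.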

  • Problems restricting AD users from logging in

    We previously had a Snow Leopard Server/client setup and used the magic triangle, placing AD users in an AD group and then nesting this within an OD group in Workgroup Manager. This group was then given access to log on to our clients in the computer group pane (login preference > access) of Workgroup Manager and all other users were automatically disallowed. This worked perfectly and our system relies on this mechanism.
    Having replaced this system with Mountain Lion Server latest release and 10.8.4 clients, the same setup is not working. We have not extended the AD schema (just for info).
    To restrict access to our clients to a particular user group, we place the users in the AD group and nest the AD group in the OD group, and it appears to break the preference and give access to everyone.
    I have tried some other combinations to determine where the problem lies.
    1. I explicitly give access to a single AD user - the single AD user can log in and no other users can log in. This is working.
    2. I explicitly give access to a single AD user and a deny to a second user. The single AD user can log in, the second user cannot log in. Other users cannot log in. This is working.
    3. I give access to a single OD group containing a nested AD group containing the single AD user that had access in (2). I also explicitly deny a second user. Now all AD users can log in except the one user I denied. This is broken. All users not in the nested AD group should be denied access.
    4. I give access to the nested AD group directly instead of nesting within the OD group. I also explicitly deny a second user. Now all AD users can log in except the one user I denied. This is broken and the same result as (3).
    There are some other quirks in Workgroup Manager regarding the AD groups and users. If I add an AD user directly to an OD group then it is displayed correctly until I change tab. If I return to the tab again the name is "Not Found" with a "target" icon displayed to the left. The ID is a hexadecimal string. The same occurs with AD groups. I have read about this and the suggestion was to change the AD user groups to domain.local groups rather than global groups. I did this and the AD groups then display correctly, but this has not solved the login problem.
    If I use Server.app to view the users and groups they show up correctly, including AD users added directly to the OD groups, so this is better than Workgroup Manager, but I cannot restrict access to the clients using Server.app.
    If anyone has any ideas of how to deal with this or workarounds I would really appreciate it.

    Methinks you should be posting to the server forum.

  • SCCM 2012 - Query Local Admin Users

    Hi Guys,
    I'm trying to get all users that are local admins on my network using SCCM 2012.
    How is it possible?
    Thank you.

    Hi,
    We can use the following query:
    SELECT DISTINCT SYS.Netbios_Name0, SYS.User_Name0, LocalAdminMembers.TimeStamp,
           LocalAdminMembers.Type0 AS Object, LocalAdminMembers.Account0, LocalAdminMembers.Domain0
    FROM fn_rbac_GS_LocalAdminMembers0(@UserSIDs) LocalAdminMembers
    JOIN fn_rbac_R_System(@UserSIDs) SYS ON SYS.ResourceID = LocalAdminMembers.ResourceID
    WHERE SYS.Netbios_Name0 LIKE @variable
    ORDER BY SYS.Netbios_Name0
    To create a custom report:
    1. Go to SCCM console - Reports - Create report
    2. Complete the Reporting Wizard. The MS SQL Report Builder will now open
    3. Double-click the Table or Matrix, which opens the select-a-new-dataset window. Select 'Create a dataset'
    4. Select the existing data source connection and enter the data source credentials
    5. Under the Design a Query window, select "Edit as text" and copy in the above query
    6. Next arrange the fields as per the attached doc
    7. Choose the layout of the report and complete the wizard
    8. Right-click on an empty area of the report page and select Properties. Go to the References tab and click on Assemblies. Add the following assembly - SrsResources, culture=neutral - and click OK.
    9. Select UserSIDs under Parameters and edit the properties
    10. Go to Default Value, select Specific Values and add the expression. Leave the rest of the tab as default and complete it
    11. Select Variable under Parameters and edit the properties
    12. Type Computer Name under the Prompt field and leave the rest of the tab as default and complete it.
    You are done.
    Regards,
    Vinod

  • OD and local admin user

    I've set up some shares that are used by a few OD clients, but when I'm logged into the server as the admin user, I don't have any permission to those files/folders. Is there any way to overcome this? I've created a group for the relevant users, but I cannot add this group to the admin account in WGM. I only see this group when I'm looking at the LDAP accounts. Any help would be appreciated. Thanks.

    I just tried setting up an OD group with a local user included. I find that WGM does not show the user in the local group unless I search for him. Here are the steps that worked for me:
    1. Go to the OD /LDAPv3/127.0.0.1 node
    2. Click on the groups tab and select the group
    3. Hit the plus to add a member
    4. Pick /NetInfo/DefaultLocalNode at the top of the U&G drawer
    5. In the search field, type the first few letters of the admin user
    => The account name magically appears for me and I can add it to the group.

  • Local OS user from OAS

    Hi friends:
    I need to get the local OS user connected using db package.
    I am building a web application with web toolkit. I define a function with this code:
    function f_get_os_user_connected return varchar2 is
      v_os_user_connected varchar2(50);
    begin
      -- os_user is the OS account of the client process that opened the
      -- database session, which is not necessarily the person at the PC
      select sys_context('userenv', 'os_user')
        into v_os_user_connected
        from dual;
      return v_os_user_connected;
    end f_get_os_user_connected;
    Then I use a procedure to get the OS user and print it into an HTML page using the following code:
    procedure ........
    v_current_os_user varchar2(50);
    begin
    htp.p('<td width=10% valign=middle align=center>');
    htp.p('<font color="0000FF" size=2><b>'||v_current_os_user||'</b></font>');
    htp.p('</td>');
    If I run the function with TOAD or SQL*Plus I get the OS user: aemiranda, but when I use the web application, the OS user displayed is oracle.
    I guess this is because I am running the web application using OAS and the user in there is oracle.
    How can I get the local (user machine) OS user connected inside a procedure?
    Thanks a lot,
    Abdel Miranda
    Panama

    Thank you for your answer.
    But give me some ideas to do this:
    I am building (as I wrote before) a web application using the web toolkit.
    This application is kind of a forum (just like where we are right now), so every single created thread must show (and save) the user who creates the note.
    So, this functionality must be irrelevant to the user connected. In my case, if the user aemiranda is connected to the web application, as soon as he presses the save button to create a new thread, the web application must get the connected user and save it into the database table.
    This user, aemiranda, is not a database user; it is the local OS user connected on the PC. Why is it not a database user? Because this application is only for the developers' environment. In this environment, we can't connect to the database with our users; we use a public user, who has all privileges on the database objects.
    So, if aemiranda is connected to the PC, but is connected as the superuser to the database when he uses the web application, I need to write a procedure which gets the OS user, aemiranda, and uses it to save into the table.
    Any ideas on how to do that?
    Abdel Miranda
    Panama

  • Same admin user from old iBook to new MacBook Leopard?

    I have an old iBook 10.4.11 and .Mac (MobileMe). I am going to buy a new MacBook. I won't be using the iBook anymore. I am admin user - minimal usage - I have a .Mac website, email, DSL (no networking), no synching to another computer.
    Can I create the admin user on the new MacBook with the same name, shortname, and password as the old iBook? One reason I want to do this is that it appears to be simpler as far as accessing the iDisk and transferring the .Mac (MobileMe) account to the new computer. Also it's the login I'm used to. There seems to be no reason to change it that I know of.

    Hi,
    Thanks for the quick reply! I don't plan to use Migration Assistant at all. I am hoping to set up the admin user, .Mac connection, and then pull mail settings and Safari bookmarks using this:
    http://discussions.apple.com/thread.jspa?messageID=1872713
    A few relevant files/folders have been copied to my iDisk>Documents using these instructions, like Mail and Safari bookmarks. I also have the iDisk>Sites (custom html .Mac webpages) folder. I have a few actual album CDs that I will insert and import into iTunes. I like the idea of a clean start with the MacBook and intel Leopard.

  • Removing printer icons from app switcher or at least making them useful

    Does anyone have the following problem and has anyone found a solution:
    1. Whenever I print something - and until I restart once I have printed - the icon for each printer I have used appears on the dock and in the task switcher (the cmd-tab thingy).
    2. On top of that, these icons are useless since even if I select them, it does not pull up the print queue of these printers or anything remotely useful.
    Is this a bug or normal behaviour? Has anyone found a way to avoid these icons appearing, or at least to remove them after the printing has stopped and, better, make the print queue accessible by switching to these icons?
    thanks in advance.

    Right click on the icon in the dock and select auto-quit. After you do that the printer driver will auto quit after each print.

  • Having problem with svchost.exe/ntdll.dll errors causing GPSVC (Group Policy Client) to crash preventing users from logging into the server.

    Recently (within the past 2 weeks) I have noticed a few of our servers will have problems with the svchost.exe application causing the GPSVC (Group Policy Client) to crash. The only fix at that point is to reboot the server, since the GPSVC service is tied to svchost.exe and therefore is protected from being manually restarted.
    I noticed the following errors when this occurs:
    Log Name:      Application
    Source:        Application Error
    Date:          7/23/2013 4:35:26 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server1.xxx.xxx.net
    Description:
    Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x46c
    Faulting application start time: 0x01ce877f9476ac07
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: d252d26d-f372-11e2-8ad4-005056ac00e8
    All of our servers are running Server 2008 R2 Enterprise where we use Citrix to deliver desktop sessions to our users, but some are virtual and some are physical. This seemingly impacts our virtual machines more, and our VMs are hosted through VMware; however, about 5 months ago a similar error fired on a non-virtual machine:
    Log Name:      Application
    Source:        Application Error
    Date:          2/27/2013 6:57:58 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      AAW29033
    Description:
    Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x6c0
    Faulting application start time: 0x01ce14e1af313fd9
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: ed3d01c4-80d4-11e2-9128-b499baa9e5e8
    I've searched and cannot seem to find any information as to what may be causing this, or even really where to start. Would someone be able to help me identify what might be causing this event, specifically with the Exception code: 0xc0000024, which causes the Group Policy Client service to stop?

    You still out there looking at things? If so I have an update. The issue hasn't stopped, even though it did seemingly die down for a while; however, it is now back with a vengeance.
    I am able to force it to happen by killing the svchost process that is hosting GPSVC. If I run gpupdate /force, then logout/login, it does get GPSVC running again. Furthermore, if I simply start svchost again via the Task Manager, GPSVC starts running again.
    When I access the server remotely with KVM it acts just like it does as if I'm logging into it via Citrix/RDP, which for Admin IDs gives an error saying "Failed to connect to a windows service. Windows could not connect to the Group Policy Client service...", however, normal user accounts just get a message when logging into the server: "The Group Policy Client Service Failed the Logon. Access is denied."
    I haven't opened a case with Microsoft yet, but we're about ready to because of the increase in these errors.
    If you have any further suggestions that would be great, otherwise I'll provide an update once I get word back from Microsoft.
    **EDIT -- apparently I mistook the server's SCM's actions as my own. I was able to successfully crash the GPSVC service by killing the hosting svchost process; however, after I crashed it and let it sit crashed for a while, when I attempted to restart either by starting a svchost task or running gpupdate /force, it failed. Either that, or there is a timing issue where if we don't restart the svchost process or run gpupdate /force quickly enough it won't be able to recover without a reboot.

  • Preventing "unavailable" (or locked) users from logging in

    So this seems like it should be simple to fix, but it's stumping me.
    An admin has a user open on the admin screen at the same time that user logs in to the /idm/user interface. The user receives the "yellow box" error "Your account is unavailable at this time. Please try again later."
    However, the login does not fail, and the user is sent to the menu page, executing any code that exists there. If there are any automated actions that kick off a workflow on that page (e.g., "force user to answer forgot password questions") this can easily put the user in an infinite loop, (they update their questions, the update fails, they return to the end user menu and are asked to enter the answers again).
    We've tried putting in code that checks the value of waveset.locked and logs the user out if true, but that value never gets set to true.
    Any suggestions on how to keep users out of the user interface when they are in this situation?

    Thanks for the response.
    Your description matches the behavior we see. But having our code unable to identify the locked status causes problems when you are trying to auto-update users.
    E.g., when we create accounts, we put an expiration date on the account in the form of a deferred task that will disable the user's account at some future date. When the user logs in to IDM, our main form checks to see if the user has such an expiration date, and if so, runs a workflow to remove the deferred task. (This is to keep unclaimed accounts from sitting around active forever).
    Our "code" looks like this:
    <Field name='Automatically remove account expiration'>
      <Disable>
        [Check for expiration]
      </Disable>
      <Field>
        <Display class='Javascript'>
          <Property name='required'>
            <Boolean>false</Boolean>
          </Property>
          <Property name='script' value='[launch workflow to remove expiration]'/>
        </Display>
      </Field>
    </Field>
    If the user is locked, the workflow is launched, but of course it doesn't actually update the user (which is locked) and when it returns the user to the main page, the deferred task is still there, which kicks off the workflow again.
    So the user gets the error that the account is locked, but in the meantime, their browser enters an infinite loop.
    Another version of this error is if the user has had their password expired and logs in while their account is locked. The expired user form attempts to change the user's password, while the error stating "account unavailable" is shown.
    So what we're looking for is a way to detect on the form (or in the workflows) that the user is locked, so we can avoid calling the workflow that's going to fail if they are locked. That said, we are open to other workarounds if you've got em!
    Thanks again,
