Deny user based policy for a specific computer

I have a user based policy that deploys software for specific users when they log in to their Windows 7 workstations.
Some of these same users also have login access to a test server. I am trying to prevent the software deployment policies from being processed when users log in to this test server. I have denied the 'Read' and the 'Apply Group Policy' security settings to the test computer, but since it is a user based policy I believe these computer level denies are being ignored.
I have looked into loopback processing but I cannot grasp how it would fit in to my environment. Do I enable the loopback processing in the same policy that deploys the software?
Any suggestions?

Use loopback merge in the policy of the software that I want to keep?  Or in the Policy I want to deny?
I finally got it to work.
I moved the computer object to a new OU and blocked inheritance.
I created a new policy that only has Loopback Policy enabled (replace).
I linked that new policy to the OU that has the test server.
I removed any loopback processing settings from any other policies. I left them at 'Not Configured'.
For the software I was trying to block I modified its security permission to read DENY for the computer object (Computer Name) of the test computer. ('Apply group policy' was left blank).
I then linked all other software deploy policies to this new OU and modified the security filtering from authenticated users to whichever users specifically needed the software.
Ran Gpresult /R /scope computer and verified that the only computer policy the server was receiving was my loopback policy.
Reboot test server.
Thanks everybody for your help!
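
The steps in the post above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules as an added example (not the poster's own code). The domain, OU, server, GPO and group names are hypothetical placeholders, and the Deny Read entry for the computer object is left out because Set-GPPermission has no deny level.

```powershell
# Added example: loopback (Replace) OU for a test server.
# Every name below is a hypothetical placeholder; adjust before use.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN    = 'DC=example,DC=test'     # assumed domain
$ServerName  = 'TESTSRV01'              # assumed test server
$OuName      = 'Test Servers'
$OuDN        = "OU=$OuName,$DomainDN"
$LoopbackGpo = 'Test Servers - Loopback Replace'

# Software GPOs that should still apply on the test server,
# mapped to the group of users who need each one.
$WantedGpos = @{
    'Deploy - App A' = 'App A Users'
}

# 1. Dedicated OU for the test server, with inheritance blocked so
#    GPOs linked higher up no longer reach it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
Get-ADComputer -Identity $ServerName | Move-ADObject -TargetPath $OuDN
Set-GPInheritance -Target $OuDN -IsBlocked Yes | Out-Null

# 2. A GPO whose only setting is loopback processing.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
New-GPO -Name $LoopbackGpo | Out-Null
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $LoopbackGpo -Target $OuDN -LinkEnabled Yes | Out-Null

# 3. Link the GPOs that should still apply and narrow their security
#    filtering from Authenticated Users to the specific group.
foreach ($gpo in $WantedGpos.Keys) {
    New-GPLink -Name $gpo -Target $OuDN -LinkEnabled Yes | Out-Null

    Set-GPPermission -Name $gpo -TargetName $WantedGpos[$gpo] `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Assumption: Authenticated Users is downgraded to Read rather than
    # removed, so the GPO stays readable while no longer applying to everyone.
    Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
}

# 4. Check the result from the admin workstation: inheritance should be
#    blocked and only the intended GPOs linked.
$state = Get-GPInheritance -Target $OuDN
$state.GpoInheritanceBlocked
$state.GpoLinks | Select-Object DisplayName, Enabled, Order

# 5. On the test server itself, after a reboot:
#      gpresult /R /scope computer
#    The loopback GPO should be the only computer policy listed.
```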

Similar Messages

  • I have a requirement where I have to give the list of users who can access a specific computer. I am new with PS. Do you have a script to list users that can access a computer object of AD ?

    I have a requirement where I have to give the list of users who can access a specific computer define in AD.
    I am new with PS.
    Do you have a script to list users that can access a computer object of AD ?
    I have executed the following script  but it does not give me the access rights of who can access the computer 'computername'
    How can i have this information. please help
    Import-Module activedirectory
    $computer=get-adcomputer "computername" -properties ntSecurityDescriptor
    $computer.ntsecurityDescriptor.Access | select-object -expandproperty IdentityReference | sort-object -unique

    I would say that, since the OP has so little info, there are no policies in use.  If there were then this question would never be asked the way it is being asked.
    I had a client call with a letter from their insurance company; an accountant with malpractice insurance.  They asked the same question in much the same way.  "What computer can your users access?"  The question should be more like
    "Do you have a policy that restricts access to computers and do you audit for compliance?"
    I have had other clients whose insurance asked the question in that way.  It produces a better view of what should be happening and how to show compliance.
    I recommend that companies being asked these questions by their legal departments or insurance companies should contract with a good computer security consultant to assist with answering these very tricky questions.  Of course if it is just your boss's
    curiosity then you may need to discuss his requirements with him in more depth.
    ¯\_(ツ)_/¯

  • Bypassing Execution Policy for a specific host

    Is it possible to have the execution policy set to remotesigned but have specific hosts set to bypass? I am administering an SCCM 2012 environment and I want to be able to run Powershell to check for the existence of packages or applications but it keeps
    erroring out that the script is not signed. I tried adding the server to wsman:\localhost\client\trustedhosts but that did not seem to work either. Is this possible?
    Thanks!
    Tony

    Hi Tony,
    I’m writing to just check in to see if the suggestions were helpful.
    If you need further help, please feel free to reply this post directly so we will be notified to follow it up.
    Best Regards
    Anna
    TechNet Community Support

  • User based Authorization for Documents

    Hi All,
    Is it possible to have following scenario?
    1)
    There is a folder A. Inside this folder there is a file abc.txt & xyz.txt.
    Now User 1 & User 2 both has access to folder A.
    User 1 can read / download the file abc.txt & xyz.txt
    User 2 can see only the name of the file inside this folder, but he can't download this file. And he can read / download xyz.txt file.
    and instead of user can it be given role based also???
    like abc.txt can be downloaded only by R&D role and not any other users.
    The main purpose of this feature is to let user know there is a document stored in a particular folder but he can only see the name of this document.
    Regards,
    Purav

    Hi Jitendar,
    From permission we can do only read, write, read & write, Full control, that's it.
    See the scenario I have given.
    User2 can't even read the file, he can only see the name of that file.
    I have seen the KM Permission link http://help.sap.com/saphelp_nw04/helpdata/en/4c/9d953fc405330ee10000000a114084/frameset.htm
    but still couldn't find the solution to my scenario.
    Regards,
    Purav

  • Capturing user state........ Retaining files for a specific time?

    Capturing user state........ Retaining files for a specific time?
    Can I retain the user files/data for a specific time as a copy after capturing user states then restoring them? If so what's the procedure and location of the files?
    tconners

    If you are using a SMP, yes, this is built-in functionality. The files are located in the location(s) specified on your SMP configuration. You'll also need the computer association that created them because it contains the encryption key.
    Jason | http://blog.configmgrftw.com

  • Software Updates Compliance Report for Specific Computer - DatePosted

    Hello, I am using the default report to know the Software updates compliance state for a specific computer. The business requirement is to get date the software update has been posted in the same report. So the report should contain columns as follows:
    Title
    Update Class
    Bulletin ID
    Date Released/Date Posted 
    Article ID
    Vendor
    Approved
    Installed
    Is Required
    Unique Update ID
    The default report shows up all the columns except the date posted. Please help me with a query with which we can get date released with all the other columns.
    Appreciate your help!
    Thanks

    Hi,
    Please refer to the link below:
    Troubleshooting SCCM Software Update Deployment Package distribution due to missing directories
    http://blogs.technet.com/b/ken_brumfield/archive/2013/01/10/troubleshooting-sccm-software-update-deployment-package-distribution-due-to-missing-directories.aspx

  • Fault handling policy for a process in the fault-binding.xml

    Can I specify a fault handling policy for a specific process using fault handling framework 10.1.3.3?
    <process faultPolicy="DefaultPolicy"/>
    I cannot specify the name of the process according to the xsd :(
    Can this be achieved?
    I have a two different partner links in different processes having the same name. If I add the partner link to the fault-binding.xml what would be the result?
    Note: I cannot use bpel.xml to specify the fault policies as of now.

    The fault policy bindings file does not allow you to specify a specific fault policy for an individual processes. You can only do this for all BPEL processes (eg: process Level) or at finer grained levels such as partner link levels.
    You might be able to use the partner link level for any services that call the process in which you want to error handle (eg: Process C needs to be error handled. Process A and B call C so for the partner link names for invoking C could have the fault policy defined for them). Therefore any faults returned from C could propagate back to process A / B and be handled within by the policy outside of Process C. Obviously if this approach was used you would not want to use process level definitions as C would continue to use this.
    If the partner links were of the same name, they should both be handled by the fault policy that is defined within the Fault policy (e.g Partner Link level definitions)
    An approach that can be used is to specify the fault policy within the bpel.xml file. The information would be added as follows:
    </partnerLinkBindings>
    <!-- Start of Definition-->
    <faultPolicyBindings>
    <process faultPolicy="AProcessFaultPolicy"/>
    <partnerLink faultPolicy="APartnerLinnkPolicy">
    <name>insertSSN_dbAdapter</name>
    <name>Another_Adapter</name>
    </partnerLink>
    </faultPolicyBindings>
    <!-- End of Definition -->
    </BPELProcess>
    </BPELSuitcase>
    However, I noted you said you were unable to do this. I wasn't sure if this was for technical/governance reasons or knowledge reasons (unsure where to place the details).
    Hope that helps and does not confuse matters
    Dave

  • Limit 'Specific computer' report to a Software Update Group

    I'm trying to get the SCCM 2012 report 'Compliance 5 - Specific computer' limited to an update group rather than reporting against every applicable patch.
    In the environment I'm working in we are only interested in reporting on compliance against an agreed list of 'released' updates (we don't release all updates to our server estate). When you start reporting with the 'Compliance 1  - Overall compliance'
    we can select our 'master' software update group here and get the correct compliance status. We can then drillthrough these status into the next report, 'Compliance 7' and the update group is passed through into this report along with the collection and relevant
    status.
    However when we drillthrough to the next report, 'Compliance 5 - Specific computer', the update group is not passed through or used in this report so we get a compliance status for the specific computer against every update. I want to use the update group
    in the last report to limit what's returned here.
    Can anyone help with this? I'm lacking the SQL expertise to be able to add the relevant code to the last report.

    I think you're looking for the Compliance 3 - Update group (per update) report. In this report you can select an update group and a collection and the report will return the compliance data of that combination.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude
    The report 'Compliance 3..' is a summary report for each patch against a collection. This is completely different from what I'm trying to achieve which is a detailed breakdown of compliance against each patch in an update group for a specific computer.

  • How to apply Software Restriction policy for specific user in local group policy object ?

    I am working on implementing user based software restriction policy programmatically for local group policy object.
    If I create a policy through Domain Controller, I do have an option for software restriction policy in user configuration but in local group policy editor I don't have an option for that.
    When I look for the changes made by policy applied from Domain Controller in registry, they modify registry values for specific users on path HKEY_USERS\(SID of User)\Software\Policies\Microsoft\Windows\Safer\Codeidentifiers
    They also have registry.pol stored in SYSVOL folder in Domain Controller. When I make the same changes in registry to block any other application, the application is getting blocked.
    I achieved what I wanted but is it right to modify registry values?
    PS: I am using the IGroupPolicyObject API

    I achieved what I wanted but is it right to modify registry values ?
    You can also modify a registry-based policy programmatically. Check this:
    http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx

  • How to allow users to pick up a specific week for a report based on SSAS Cube

    hi Folks: 
       I have created a report which is pretty simple: for a specific week, I want to know the total values.   This specific week comes from a Fiscal Calendar hierarchy ( Year - Quarter - Month - Week) .
     Now, I want to create a parameter called @specificWeek to this cube based report so that users could pick any week they want ( no multiple values allowed).   I understand that I need to create a parameter @specificWeek and created a dataset to
    populate .
    After that, find a way to embed this parameter into the main MDX query .
     Can someone show me how to do this?  
    Below is the sample from cube Adventure Works, I want to make the Hierarchy Date.FisCal Weeks as the parameter,
    how to implement? thanks
    --Currently using Reporting Service 2000; Visual Studio .NET 2003; Visual Source Safe SSIS 2008 SSAS 2008, SVN --

    hi Ayad:
      I've done the following steps
    1. In shared datasets, drag all fields I need in and drag the data hierarchy into the filter and check it as a parameter. 
    2. On the reportData pane, when I right click the datasets, I did not see any option says show hidden dataset. 
    3. When I run the report, it did not pop up the dropdown list for the week selection.
    Any ideas? thanks
    --Currently using Reporting Service 2000; Visual Studio .NET 2003; Visual Source Safe SSIS 2008 SSAS 2008, SVN --

  • Report for workstation profile last modified timestamp / Hardware 05A - Console users on a specific computer

    SCCM 2012 has a report called Hardware 05A - Console users on a specific computer .
    I have configured Asset Intelligence to collect the SMS_SystemConsoleUser, but I get no information back from this report.
    What else needs to be configured to see information about who has used a machine?
    The goal is to determine what machines have used a particular administrative logon account and when it was last used on a machine (profile last modified date).
    Thanks.
    Steve

    There are two prerequisites, see:
    http://technet.microsoft.com/en-us/library/gg712306.aspx
    modify the Windows Security event log settings on clients to log all Success logon events
    enable the SMS_SystemConsoleUser hardware inventory reporting class
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Restrict access of "domain user" to specific computer

    I need to restrict access of "domain user" to a specific computer in the domain.
    I tried to do it by using "Active Directory Administrative Center".
    In Computers\Computer name\Properties\Extensions\Security
    I added the name of the user, marked deny on everything and disabled inheritance.
    And yet the user can log in to the computer.
    I searched for a policy that contradicts the security and found none.
    With the "gpo" I was able to block, but I necessarily need to use the Security,
    because with Security the restriction can be partial.

    Hi,
    Based on your description, I understand that you want to allow some certain users to access specific domain computers.
    Please open ADUC (Active Directory Users and Computers) and click User container. Then select that specific user account, open its Properties and navigate to Account tab. Please click “Log On To…” option to open Logon Workstations panel. In Logon Workstations panel, please change "This user can log on to:" from "All computers" to "The following computers". Then type the specific computer names. Please check if this can help you to achieve target.
    If I misunderstood anything or there is any update, please don’t hesitate to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Reloading JSP for a specific role's users

    Hi all,
    We have a web application using JSPs.
    Our application has users and roles. A user is associated to a role. These are defined in 2 tables:
    create table role
    ( id int not null primary key,
      name varchar(50) not null )
    create table user
    ( user_name varchar(50) not null primary key,
      user_password varchar(50) not null,
      role_id int not null foreign key references role(id) )
    For example:
    insert into role values (1, 'HR')
    insert into user values ('michaelK', 'password', 1)
    insert into role values (2, 'Payroll')
    insert into user values ('babarA', 'honest', 2)
    We have 2 tables where we store all our application's web pages and buttons on each page:
    create table web_page
    ( id int not null primary key,
      name varchar(50) not null )
    create table web_page_button
    ( id int not null primary key,
      name varchar(50) not null,
      web_page_id int not null foreign key references web_page(id) )
    For example:
    insert into web_page values (1, 'Personal_Info') -- "Personal Info" Screen has 2 buttons: update and cancel
    insert into web_page_button values (25, 'update', 1)
    insert into web_page_button values (26, 'cancel', 1)
    We have a requirement that the administrator wants the facility to enable/disable buttons on each web page for a specific role. So we have created a table where we define enable flag for each button of a web page w.r.t a Role:
    create table role_web_page_button
    ( id int not null primary key,
      role_id int not null foreign key references role(id),
      web_page_button_id int not null foreign key references web_page_button(id),
      enable_flag int not null )
    So if the administrator says that for users belonging to "Payroll" role the "Update" button on "Personal Info" Screen will be disabled.
    insert into role_web_page_button values (100, 2, 25, 0)
    The user first goes to login.jsp and provides login information. If successful we store his user_name and role_id in the session as an attribute. We then redirect the user to index.jsp. In this jsp we have a header.jsp on top. This JSP remains there on all web pages the user visits.
    In that JSP we generate one Javascript function getButtonEnableFlags(). This function defines each button's enable flag of each screen for the user's role_id. So when a user of "Payroll" role logs in then this is generated:
    function getButtonEnableFlags()
    {
      // key is "<web page name>::<button name>", value is the enable flag
      var buttonEnableFlags = new Object();
      buttonEnableFlags["Personal_Info::update"] = "0";
      return buttonEnableFlags;
    }
    We also have a javascript function which tells us the enable flag's value for a button of a screen.
    function getButtonEnableFlag(webpageName, buttonName)
    {
      var buttonEnableFlags = getButtonEnableFlags();
      var keyName = webpageName + "::" + buttonName;
      return buttonEnableFlags[keyName];
    }
    Each Web Page after loading calls a common javascript function setupButtons(webpageName). This function receives a webpage name, picks all buttons on the form of that web page, then calls getButtonEnableFlag(webpageName, buttonName) to get the enable flag for each button and then sets it.
    This solution is working fast and perfect. The javascript function getButtonEnableFlags() is generated once when user logins so each web page does not have to call the server to figure out enable flag for their buttons.
    I have created a maintenance screen for the Administrator which provides the facility to enable/disable buttons on each web page for a specific role. This screen updates the role_web_page_button table.
    Problem is if the Administrator makes any changes for a Role how can I reflect that change on the users of that role who are already logged in to the system? For example suppose 2 users of "Payroll" role are logged in to the system and for "Personal_Info" web page the "update" button is disabled. Now administrator changes the "update" button of "Personal_Info" web page to enable for "Payroll" role through the maintenance screen. How can I reload the header.jsp on only those 2 users' computers?
    Thanks

    I suppose you can use AJAX to change the end-user's JSP page that is displayed on his browser as he is viewing it.
    However, I suggest against changing permissions on a JSP page while the user is using it (I believe most programmers do not do that). If I was an end-user with a JSP page displayed and I suddenly see the 'update' button disappear, I would be very upset. I suggest waiting for the user to close his session (and not simply navigate to another page within the session, but actually ending the session by either calling up another web site or closing the browser) and when he next logs into the application again, the button is gone. If the administrator does take away a permission such as an 'update' button, do you really need to deny permission to everyone right then? I think you can wait for users to log off.
    An alternative is to create a batch job that when the admin removes permission, the batch job runs at midnight to actually change the permission in the database. Since few people are logged on at midnight, few people will see the change while they are working.
    Another possibility is when they click the update button, don't do an actual update to the database. Instead, redraw the page with the update button disabled (not removed) and add a note on the JSP page that the administrator has just removed permission for all users to update at this time.

  • OIM - Email notification to a specific user based on a dynamic rule

    Hello, After creation of account in a particular target resource I need to send an email to a specific user based on the location of the user (e.g area admin).
    In the notification tab of process tasks, I see only "Assignee", "Requestor", "User", "User Manager". How can I achieve the above specified requirement?
    Before posting this question, I tried to search the forum for any previous posts related to this. But I couldn't find any. Maybe I was not searching with the right key words.
    Any help is appreciated. Thanks in advance.

    You'll need to custom code an adapter to send the email, then you can send to any user you want. Create a new task and trigger it off the completion response code. You can use the following apis:
    tcEmailNotificationUtil sendMail = new tcEmailNotificationUtil(ioDatabase);
    sendMail.setBody("Type your body here or use a string variable");
    sendMail.setSubject("Type your subject here or use a string variable");
    sendMail.setFromAddress("[email protected]");
    sendMail.sendEmail("[email protected]");
    Just populate the above pieces with the information needed.
    -Kevin

  • Microsoft Intune was unable to set the desired mobile device policy for one or more users due to the following error: A2CE0100

    Hi!
    We have fatal or critical error message on Microsoft Intune Portal but all agents are working just fine. Before opening support ticket we would like to hear comments from the experts on this forum. We would also like to fix this error before starting to
    manage mobile devices with Intune.
    Error message on Intune Portal:
    "Microsoft Intune was unable to set the desired mobile device policy for one or more users due to the following error: A2CE0100"
    Repeated: 19 times.
    Class: (System) Policy
    Random Fatal error message on C:\Program Files\Microsoft\OnlineManagement\Logs\PolicyAgent.log found from one Windows 8.1 client:
    2015-02-21 08:49:20:704 2852 1ab0 FATAL: DocumentProvider::IndicateToConsumer/pp->ProcessPolicies(NULL, NULL, NULL, NULL) failed with error 0x800704d5.
    That said, we are not facing any specific problem but we would like to find symptom of this repeating error message on Intune Portal . We would appreciate to get any thoughts about this case.
    Br.
    Jukka

    Hi Jukka,
    Mobile policy doesn't apply to clients using the Full Client download.  Please open a support case so the team can assist in further troubleshooting.
    Thanks,
    Jon L. - MSFT - This posting is provided "AS IS" with no warranties and confers no rights.
