Give OD Users local admin access

Is it possible to give an OD user local administrative rights to a computer so they can install programs without having to know the local computer's admin credentials?

Create "Domain Users" group
Add SMBRID = 513 to that group
Add Domain Users to the Power Users group on the computers in question
Of course it is not much more secure than giving them the local admin passwords but you can revoke their rights by removing them from Domain Users group.

Similar Messages

  • Photoshop cs6 crashes with "appcrash - module ig75icd64.dll; no problem for a local admin user however. i've tried giving specified user full access to photoshop.exe and set it to Win XP compatibility. how do i fix this without giving user local admin acc

    photoshop cs6 crashes with "appcrash - module ig75icd64.dll; no problem for a local admin user however. i've tried giving specified user full access to photoshop.exe and set it to Win XP compatibility. how do i fix this without giving user local admin access?

    Danny,
    Topic or subject titles should be clear, pertinent and concise so that individual users can tell at a glance if they can help or not.
    That field is not for attempting to fit your entire question in there.
    Please keep this in mind next time you post.  Thank you.

  • How to give a user permission to access certain Transformations?

    I would like to know how to give a user permission to access certain Transformations in one InfoArea only. I already limited the selection in one InfoArea now. I want users to only be able to Display Transformations for all the InfoObjects under this InfoArea. Does anyone know the detailed steps? Thanks!

    HI,
    are you working under Analysis Auth (BI7) or Reporting Auth (BW 3.X)?
    If you work with the new concept you can restrict your authorization by using the InfoObject: 0TCAIFAREA.
    Before you add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV also when you restrict your auth by infoprovider you can choose the infoarea hierarchy
    Hope it helps
    Regards

  • No User, No Admin Access -- Clean install?

    The only user on my laptop does not have admin access so I tried to run this to get admin rights:
    I lost my admin user (Mac OS X 10.4 and earlier)
    If you are unfortunate enough to delete your only admin user, or remove his admin capability, then as long as you have another user with login capability, you can give that user admin rights as shown below. You can then re-create the original user or reinstate the admin capability using NetInfo Manager.
    Print this post out in a mono-spaced font, and type carefully, paying attention to spaces and punctuation, since you cannot copy/paste in Single User mode.
    Caution: in single user mode you have root privileges. Be careful! Substitute the name of 'youruser' below.
    Boot into single user mode (Command-S) at startup which will eventually get you a shell prompt (ending in #). Then type the following:
    fsck -fy
    Repeat the above until it says your disk is OK. Then continue with
    mount -uw /
    nicl -raw /var/db/netinfo/local.nidb -merge /groups/admin users youruser
    If you get a message saying "invalid path", then type these two commands first:
    nicl -raw /var/db/netinfo/local.nidb -create /groups/admin gid 80
    nicl -raw /var/db/netinfo/local.nidb -create /groups/admin passwd '*'
    and then repeat the "nicl ... -merge" command. Then:
    reboot
    You will now be able to login as 'youruser' and have administrative privileges.
    Membership of the 'admin' group is the only thing that distinguishes administrative users from ordinary users.
    Now the computer will boot up but NEVER comes to the desktop. I think my best option is to just clean install. However, the computer will not let me boot from a CD (nor did it before I messed up the user). Is there a way I can wipe the hard drive another way or some other way to reinstall the OS?
    thanks

    I ran the 10.3.9 combo as a stand alone update

  • ACE and ANM RBAC - Single user with Admin access

    Goodday,
    I would like to confirm if one can only assign a single user Admin access to a context via RBAC (either on ANM or ACE native RBAC through ACS). So is this true or not?
    If so, would I be correct in assuming this excludes the default Admin user.
    Also, what do you do if you need to provide Admin access to more than one user? Can it be done?
    Thanks
    Paul

    Actually multiple users can be assigned to the pre-defined ADMIN role in ACE RBAC such as the following:
    myaceisnamedthis/Admin(config)# username Bob password weakpass role Admin domain default-domain
    This is also true in ANM, where the user's RBAC is a cross product of the ANM defined role and domains (which is at the ANM level so that it can span multiple ACE devices and contexts).
    In both cases, the AAA can be used for authentication, though authorization is performed by ACE/ANM themselves.
    Cheers,
    David K.

  • Across Domains Local Admin Privileges

    Hi
    I have two domains, and for this discussion, domain A and domain B. There is a one-way trust between the domains: domain A trusts domain B.
    I want to be able to give users local admin access when users from domain A log in to a machine from domain B with their user account from domain A.  What is the best practice to accomplish this access for the users?

    Hi,
    Thanks for your post.
    It seems like you could give the domain users local admin right.
    Firstly, if you want the user account from domain A to access domain B, you need to create the trust from Domain B to A.
    Then you have to use Restricted Groups.
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c756996c-f562-4b18-9c61-33349961c622/giving-domain-users-local-admin-rights?forum=winserversecurity
    Regards.
    Vivian Wang

  • Network User with Local Admin Privileges?

    I have a small network (around 25 clients total) that was setup prior to my arrival. Each client has its own unique local admin (each machine was setup by the individual user) and it's become somewhat daunting to support them.
    All of the machines are connected (but not specifically bound) to an Open Directory and each is accessible via Remote Desktop, however I cannot push software updates, etc. without local admin privileges.
    I'd rather not create an account on each machine, nor do I want to completely lock down each computer (I'd like them to still have the flexibility to be admins so they can install apps, etc.)
    Is it possible to authenticate against OD and obtain local admin privileges?

    Yes.
    You can wipe all account information and then recreate a common initial admin account. This will make administration far easier as all machines will have the same admin username/password combination. Next, bind all of the systems to the domain and create domain accounts for all users on the server (likely already exist). Log in as the domain accounts and migrate permissions to domain ids. Finally, promote the user to the local admin group through System Preferences > Accounts on the workstation. You must enable the account as a mobile account in Workgroup Manager first. If you do not, the account will not cache to the workstation and you will be unable to add it to the admin group.
    Also, in a workgroup of 25, I would recommend rethinking the decision to grant local admin access to end users. This is asking for trouble as you will have no control over when updates are applied or even if they are. In theory (and probably in practice), you will have 25 completely different machines configurations. This is far harder to manage and troubleshoot than 25 systems with different admin accounts.
    If you must provide some level of autonomy, while not trivial, you might want to consider modifying /etc/authorization and granting limited admin rights to the users.
    Hope this helps - congrats on the opportunity

  • Help needed restricting users admin access to devices using ACS 4.2

    I have users that access the network via a VPN client to a PIX 515 which authenticates to the ACS (using the default group for unknown users) which uses an external Active Directory Database.
    The problem I have is that as the ACS authenticates these users, it now allows them admin access to the PIX. How do I restrict access? I have looked at NARs using the 'All AAA clients, *, *' approach but that just stops their VPN access. (I have a separate group called 'PIX ACCESS' which will contain only defined users for admin access).
    Incidentally I have other devices on the network which are AAA clients, in particular Nortel switches. I can set the group settings for that RADIUS set up to 'Authenticate Only' (RADIUS Nortel option) and that works fine, I was expecting the ACS to have a similar setting for TACACS+.
    So how do I allow the unknown users to authenticate to their AD database but restrict them admin access to the AAA clients?

    Very common problem. I've solved it twice over the last 6 years with ACS. I'm sketchy on the details. But here goes. First option to explore is using RADIUS for VPN access, then TACACS on all the Cisco switches and PIX firewall. That would make it a lot easier. I think that with TACACS, you can build a NAR based on TCP port number instead of IP address....
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
    So you'd have a group with 3-4 Administrators that can access PIX CLI, and another group of VPN users that can't access the PIX but can VPN in. So on the VPN group, put a NAR that restricts access to SSH/Telnet TCP ports?
    This comes up every time I install an ACS server, (every 2-3 years), and it's always a trick.
    Please let me know if this works for you. And if it doesn't, let us know how you fixed it. I think I can get back into the ACS I last did this with and take a look, but I'd have to call up and make a special trip.

  • GPO - 2012 - Enforce Local Admin Right

    Hello,
    Just wondered if there was a way to deploy a GPO to enforce local admin rights for individual endpoints.
    We need a way to control who has local admin rights to what, but in this case we need to say grant local admin rights to Users A, B and C on workstations D, E and F only. 
    Other than creating a GPO 'per workstation' I don't see a way.  DFL / FFL will be 2012.
    Anyone got any ideas?
    Thanks
    Stuart

    Hello
    Thank you for the reply.  This issue is a little hard to grasp and to explain clearly.  I understand what you have said, I am fairly proficient with Group Policy.
    I want to be able to give one single user, access to one single PC and control it centrally.  I think that is a better way of explaining it.  So if I have 100 PCs and 100 users, and say 20 of those users needs to have admin rights on their own PC only and not on other PCs.
    That is what I am trying to accomplish.  If I create a security group called 'Desktop Admins' then link a GPO to an OU where the 100 PCs are, then security filter by the security group, then every time I add in a user, they will get local admin rights to all 100 PCs.  However I only wanted to grant them local admin rights on one PC.  That being their PC.
    I want to manage this centrally rather than remotely assigning local ACLs.  I also like GPO because if a local admin user decides he/she wants to give their mate local admin rights on their PC, GPO will overwrite it.
    Hope that makes sense
    Much Appreciated

  • Local admin rights when Edit locally

    Hello, all!
    We have the same problem as in
    Local Admin rights to "Edit Locally" ?
    "The end users do not have administrator rights on their local PCs , they logon to the domain server with restricted rights. When it comes to portal, when trying to edit a document with "Edit locally" it is not possible to do is even if the user has all the rights for the document in the Portal KM configuration. When we make the user local admin, everything is OK"
    We are on SPS14, Windows XP SP2. Domain users can run corresponding applications and can create dirs or files in a temp directory. We also utilize env. variable SAPKM_USER_TEMP but with no success.
    Could you please suggest how to find the rights needed to execute Local Edit? Is there any way to trace this Docservice ActiveX?

    Hello Roman,
    here is a note which describes a solution for a user account with restricted rights:
    The Edit Locally activex will be installed based on the following installation steps:
    The browser will recognize that the KM DocService activex has to be started.
    In case the activex isn't installed on the PC, it will be downloaded from the KM server (...etc/docservice/docservice.cab)
    The browser will extract two DLLs from the docservice.cab file (docservice.dll and sapkmprogressplayer.dll) and register them on the local PC. To see if the installation succeeded you can open within the browser the following dialog: Tools/Internet Options/Settings/View Objects, look for program file SAP KM DocService Control.
    Registry keys in the following areas will be created:
    Area HKEY_CLASSES_ROOT:
    HKCR\AppID\{5F8983A6-347C-46B9-BA7A-1B87E5DAE0BC}
    HKCR\ProgressPlayerMod.ProgressPlayer
    HKCR\ProgressPlayerMod.ProgressPlayer.1
    HKCR\CLSID
    HKCR\TypeLib
    Area HKEY_LOCAL_MACHINE:
    HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Down
    Downloaded Program Files/DocService.dll
    HKLM\Software\Microsoft\Code Store Database\Distribution Units\
    When finishing these steps successfully the installed version can be located within the browser dialog Tools/Internet Options/Settings/View Objects SAP KM DocService Control and the KM DocService will start loading the document content from the KM server and starting the corresponding application for editing.
    Installation with restricted user accounts:
    With restricted user accounts e.g. no access rights to create registry keys in the area of HKCR or HKLM etc., which lets the described installation fail, following installation procedure leads to success:
    Register the needed DLLs manually on the PC (e.g. via a shell command script) with a user account having enough access rights.
    1.1 Create an installation folder (don't use /windows/system32) on the PC and copy the DLLs (docservice.dll and sapkmprogressplayer.dll) to it (extract them from docservice.cab with a tool e.g. winzip).
    1.2 Open a command shell on this installation folder.
    1.3 Unregister possible existing versions with the following command:
    "regsvr32 docservice.dll /U " and "regsvr32 sapkmprogressplayer.dll /U "
    1.4 Register both DLLs with: "regsvr32 docservice.dll" and "regsvr32 sapkmprogressplayer.dll "
    1.5 If the two registration steps fail check the permissions to write into the system registry.
    1.6 The installation folder does not need special permissions, the linkage to the DLLs will be done via the system registry.
    1.7 Additionally the following setting is mandatory for the installation to succeed:
    Disable the "ActiveX Version Check" function within the KM Configuration
    SystemAdministration->SystemConfig->KnowledgeManagement->Configuration->ContentManagement->Utilities->Editing->LocalEditing->ActiveX Version Check (Uncheck the checkbox)
    Setting a different TEMP directory:
    In cases that it is problematic to use the standard %TEMP% directory, setting the environment variable SAPKM_USER_TEMP pinpointing to a corresponding directory path (e.g. X:\SHARES\USERS\xxx\CheckedOutDocuments) will be also supported. If the access to that directory fails the standard %TEMP% directory will be used as fallback.
    Hope this helps,
    Michael
    Message was edited by: Michael Braun

  • Domain Admin access to workstations

    A relatively simple question yet I haven't found any firm answers.
    We have a 2008 R2 domain with all 2008 R2 servers/DC's running Windows 7 workstations. I want to know if a user that is a member of the domain admin security group has LOCAL admin access to any workstation that is joined to the domain BY DEFAULT (no GPOs applying, no scripts running at logon, etc)?

    Hi,
    to my knowledge and observation the domain admins group is always added to the local administrators group as part of the domain join process. So yes, domain admins are local admins unless you do something against it.
    Regards,
    Lutz

  • Local Admin Rights - add / remove ?

    Is there a way to add and remove local admin rights for users at logon / logoff in Server 2008?
    Workstations are XP sp3 and Windows 7 Sp1.  We have users who move from computer to computer and they need local admin access but we would prefer to not have Domain Users have local admin rights to all PCs.

    Hi,
    As far as I can see we can add a user to the local admin group at logon, but the user has to log on again to get the membership, and if we also remove the user from local admin at logoff, then this is equal to doing nothing.
    To add a domain user to a single computer as local administrator using GPO, I would like to suggest you go through the below similar threads:
    Use GPO to add a single admin user to only one computer on the domain.
    http://nerddrivel.wordpress.com/2013/05/24/use-gpo-to-add-a-single-admin-user-to-only-one-computer-on-the-domain/
    How do I add a domain user to a single computer as local administrator using GPO
    http://social.technet.microsoft.com/Forums/en-US/0a3eda5c-28ef-418e-a13d-f47fe0bf1bc3/how-do-i-add-a-domain-user-to-a-single-computer-as-local-administrator-using-gpo
    Granting Local admin rights via Group Policy to a particular computer
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/4ceff330-0b72-4ed2-a55a-3089b504d2fc/granting-local-admin-rights-via-group-policy-to-a-particular-computer?forum=winserverGP
    Hope this helps.
    Regards, Yan Li

  • Need to provide local administrator access without domain administrator rights

    Hi All,
    I need to provide local admin access to one account in windows environment without providing domain administrator rights.
    Windows 2008 DC. Desktops : windows 7
    So that we can use this account to install agents like SCCM\SCOM in all servers & desktops.
    Need suggestions.

    Hi,
    I agree with Senne, in addition, we can also use net command to perform local group management.
    More information for you:
    Add a member to a local group
    http://technet.microsoft.com/en-us/library/cc772524.aspx
    How to Make a Domain User the Local Administrator for all PCs
    http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-a-domain-user-the-local-administrator-for-all-pcs.aspx
    Best Regards,
    Amy

  • Provisioning varying admin access levels by Planning plan types

    How can I provision admin access levels by plan types? For example, I'd like to grant a user full admin access to one plan type, but limit their access for another plan type within the same application? The plan type I want to limit them to is basically a workforce plan type which I do not want to allow them to have any admin access to. Anyone know how to do this?

    I took a look at the blog and my current setup design mostly follows what is on the blog. I too have a workforce plan type along with other plan types in the Planning application. What I'm trying to see if it's possible is to setup a user with admin access to manage and modify the member outlines for 2 out of the 3 plan types in Planning, but not give him access to the workforce plan type as that has sensitive compensation information. But it appears that if he's granted admin access to modify the application outline, then he would be able to grant himself access to the workforce members, which then means I can't provision him with limited admin rights while also preventing him from access to the workforce information.

  • Query for local admins

    What is the query for finding out who all has local admin access on their workstations?

    Here are some examples:
    http://portal.sivarajan.com/2011/09/search-ad-and-list-local-administrator.html
    http://portal.sivarajan.com/2011/10/search-ad-collect-local-admin-group.html
    http://portal.sivarajan.com/2011/04/list-local-administrator-group-members.html
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
    Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
    This posting is provided AS IS with no warranties, and confers no rights.
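
An added example, not part of the original posts or the linked scripts: for the question above about finding who holds local admin access, and for the one-user-per-PC model described in the GPO thread, this Python script parses saved `net localgroup Administrators` output and compares it with a per-workstation allow-list. Host names, account names and the allow-list are constructed, and English-language `net` output is assumed.

```python
import re

# Constructed sample: `net localgroup Administrators` output saved per workstation
# (English-language Windows assumed; header trimmed on the last two hosts).
SAMPLE_OUTPUT = {
    "WKS-D": r"""
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\usera
The command completed successfully.
""",
    "WKS-E": r"""
-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\userb
CORP\usera
The command completed successfully.
""",
    "WKS-F": r"""
-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\Domain Users
The command completed successfully.
""",
}

# Assumed policy: members every workstation should have, plus one named user per PC.
BASELINE = {"administrator", r"corp\domain admins"}
ALLOWED = {"WKS-D": {r"corp\usera"}, "WKS-E": {r"corp\userb"}, "WKS-F": {r"corp\userc"}}


def parse_members(output):
    """Return the member names listed after the dashed separator line."""
    lines = [line.strip() for line in output.splitlines()]
    start = next((i for i, l in enumerate(lines) if re.fullmatch(r"-{10,}", l)), None)
    if start is None:
        raise ValueError("separator not found; not `net localgroup` output")
    members = []
    for name in lines[start + 1:]:
        if name.lower().startswith("the command completed"):
            break
        if name:
            members.append(name)
    return members


def audit(outputs, allowed, baseline=BASELINE):
    """Map host -> unexpected/missing members; compliant hosts are omitted."""
    findings = {}
    for host, text in sorted(outputs.items()):
        actual = {m.lower() for m in parse_members(text)}  # account names are case-insensitive
        expected = baseline | allowed.get(host, set())
        unexpected, missing = sorted(actual - expected), sorted(expected - actual)
        if unexpected or missing:
            findings[host] = {"unexpected": unexpected, "missing": missing}
    return findings
```

Calling `audit(SAMPLE_OUTPUT, ALLOWED)` reports WKS-E (a second user added alongside the intended one) and WKS-F (a whole domain group added, intended user absent), while WKS-D is omitted as compliant.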
