Giving Non-Admin User Admin Privileges to One Program

Aaron19 wrote:
Unfortunately updates don't erratic on when they come out. 
Are erratic?
I'm assuming the updates happen with such frequency that requiring IT to install them is a major hassle. Your other option is to find a way to script the install and push it to the required workstations.

I thought I would come to the community and ask if there is any way to give a non-admin user admin rights to one program so that he can run updates.  I looked into making an elevated shortcut which worked to no avail.  Unfortunately updates don't erratic on when they come out.  Was just curious if there is an ability to give the user who is having problems admin privileges to this program without an admin password.  
This topic first appeared in the Spiceworks Community

Similar Messages

  • Giving any logged user certain privileges on a page

    Hi
    How does one give any logged in user the right to view a page, but hide the page from not logged in users?
    Regards

    1. Make the page not accessible to public in the page access tab
    2. Add the privilege to view the page (or all pages) to the AUTHENTICATED_USERS group - by editing the Privileges tab of the group in the Group Edit screen.

  • Revoking User tables privileges from one user to other user thru DBA.

    Hi,
    I want to revoke the select privilege from user granted tables to other user from Sys/Dba roled user.
    Detail
    ---------------
    I have 3 users namely
    1.User1 (Role: Normal User)
    2.User2 (Role: Normal User)
    3.SYS (Role: DBA privileged user)
    User1 has created a table called Table1 and grant the select privilege to User2.
    Is it possible that sys (DBA privileged user) user can revoke the select privilege of table1 from user2??.
    Thanks,
    Natarajan.U

    You can not revoke the privileges that were not granted by you or you will hit the error ORA-01927: cannot REVOKE privileges you did not grant.
    Even SYS/user with SYSDBA role can not revoke others grants.

  • FAQ:  Giving non-administrative users of Windows 2000 and XP access to ATM Deluxe

    In order for a restricted user to launch the ATM control panel and add or remove fonts, they will need to have access to the following registry keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Type Manager
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Type 1 Installer\Type 1 Fonts
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Fonts
    Adapted from material originally posted by Lance K

    Manuel,
    Unfortunately, I wasn't able to do this... I had to use advanced permissions on the %SYSTEMROOT% folder so that the specific group of users I have are the only ones allowed to write to it. It uses a temp file, and writes it to c:\winnt while it is working with it (which is only when ATM is writing changes to the atmreg.atm file at application close time)... so your user(s) will have to have only the "Create Files/Write Data" permissions to the whole of the winnt folder (and modify permissions on the atmreg.atm file) to use atm. I had to use a utility that traces thread, file & Registry access to determine how to make this work. This is the ONLY way, ATM is hard-coded to use atmreg.atm in the system root folder (as well as to use the temp file in the system root folder), and it needs create files/write data permissions on the system root folder to use the temp file. I hope this makes sense to you... if not, e-mail me [email protected] and I will send you my document for fixing the problem.
    Good Luck
    --Joe

  • Can't run programs from non-admin account: redux

    Background: I have years of experience with PCs, very little with Macs. I work with children in a group home. The tech support people who set up this iMac (OS X 10.2) have long since departed, and no one in the organization has any clue as to what changes they made to this system, and I'm sure that those tech people made some changes. For example, in admin accounts other than "root," either there is no access to the Utilities folder or the folder has been well hidden.
    The Problem: The boys in this home will use a non-admin account. The programs I have installed for them will run under admin accounts but not under the "boys" account, which is non-admin. The system tells me that the account does not have enough access privileges to run the programs. (Program that had been installed before I got access to this iMac will run under the "boys" account.)
    In discussions on this forum several months ago, I thought the answers I got here had helped me solve the problem. Then, for administrative reasons, I did not touch the iMac until last week. What I thought had been solved is not solved.
    From "root," using the "Capabilities" option in the Accounts folder, I have added to the "Add other applications..." section the programs I want "boys" to have access to. But this doesn't work. When I log in to "boys," access is denied: insufficient access privileges.
    If I give up on this system, the boys will not be able to use this iMac, and that would be a shame.

    I realize that it sounds like I ignored all the previous advice before I drafted this latest post. But the first thing I did when I returned to the iMac was to look at the posts.
    I didn't touch the system for six months. I was waiting for approval from administration to upgrade the OS. By the time I got the approval, upgrading was no longer an option -- according to the manager of the local Genius Bar. This system is not capable of running 10.5, and Apple will no longer sell 10.4. I can find 10.4 on the Net, but those are private sellers and the price is too high.
    Now that I've got that out of the way, the current task: I have no idea why, but the gains I accomplished six months ago have disappeared. The "boys" account can run none of the software I installed. No one else has touched the system. (I live alone.)
    I logged on as "root" and went to Accounts. Using 10.2's Capabilities function, I tried to check all the boxes for "boys." But when I close the screen and then re-open it, the system has unchecked "Open all System Preferences"; "Change Password"; and access to "Utilities."
    At this point I cannot create new folders under "boys." "boys" can run software that was installed before I got the machine, but that's all.
    I have to assume that I inadvertently did something that wiped out my previous gains. But I ain't got a clue.

  • ITunes 10.6.3.25 only opens with admin privileges

    A few days ago I tried to open iTunes, but for some reason it didn't. There was no error displayed nor anything shown. I've searched the web but I didn't find any solution. The only way I found to open it is by giving it admin privileges. I also tried uninstalling every Apple program I have, but there's no solution.
    I'm running Windows 7 32-bit (that is up to date) and iTunes 10.6.3.25 (I guess it's up to date).
    What's wrong?

    That is troubling! 
    I downloaded the Kindle app on my iPad1 tonight, logged into my Amazon.com account and was able to download the books I had bought on my Kindle to my iPad!  I am a VERY HAPPY CAMPER!

  • How to create a domain for a non-root user using the JES installer

    Some questions have been circulating on what are the steps to create a whole domain configuration using a non-root user. Here is one method that you can try....
    - Login as user "testuser", all operations are using the user I want to start the whole domain with
    - cd to the testuser home directory and created apptest (mkdir apptest)
    - created domain
    /opt/SUNWappserver/appserver/bin/asadmin create-domain --adminuser admin --adminport 4849 --domaindir /testuser/apptest testdomain
    Please enter adminpassword>adminadmin
    Please enter adminpassword again>adminadmin
    Please enter the master password>adminadmin
    Please enter the master password again>adminadmin
    - created nodeagent
    /opt/SUNWappserver/appserver/bin/asadmin create-node-agent --user admin --port 4849 --password adminadmin --agentdir /testuser/apptest testnode
    Please enter the master password>adminadmin
    - Start the domain
    /opt/SUNWappserver/appserver/bin/asadmin start-domain --domaindir /testuser/apptest --user admin testdomain
    Please enter password>adminadmin
    Please enter the master password>adminadmin
    Domain testdomain started.
    - Start the nodeagent
    /opt/SUNWappserver/appserver/bin/asadmin start-node-agent --user admin --agentdir /testuser/apptest/ testnode
    Please enter password>adminadmin
    Please enter the master password>adminadmin
    Command start-node-agent executed successfully.
    - create instance
    /opt/SUNWappserver/appserver/bin/asadmin create-instance --nodeagent testnode --user admin i1
    Please enter password>adminadmin
    Command create-instance executed successfully.
    - start instance
    /opt/SUNWappserver/appserver/bin/asadmin start-instance --user admin i1
    Please enter password>adminadmin
    Command start-instance executed successfully.

    And this can be used to get the incident priority (same technique can be used for problems):
    private int GetIncidentPriority(EnterpriseManagementGroup emg)
    {
        try
        {
            //Get the incident settings class
            ManagementPackClass mpc = emg.EntityTypes.GetClass(new Guid("613c9f3e-9b94-1fef-4088-16c33bfd0be1"));
            //Get the emo for the incident settings
            EnterpriseManagementObject emo = emg.EntityObjects.GetObject<EnterpriseManagementObject>(mpc.Id, ObjectQueryOptions.Default);
            //Get the priority matrix and convert to XML
            if (emo[mpc, "PriorityMatrix"].Value != null && emo[mpc, "PriorityMatrix"].Value.ToString() != "")
            {
                string sMatrixXML = emo[mpc, "PriorityMatrix"].Value.ToString();
                XmlDocument xmlDoc = new XmlDocument();
                xmlDoc.LoadXml(sMatrixXML);
                //Get the guid strings for impact and urgency (note - xml goes by urgency then impact)
                string sUrgencyGuid = "04b28bfb-8898-9af3-009b-979e58837852";
                string sImpactGuid = "11756265-f18e-e090-eed2-3aa923a4c872";
                foreach (XmlNode urgencynode in xmlDoc.ChildNodes[0].ChildNodes)
                {
                    if (urgencynode.Attributes.Count == 1 && urgencynode.Attributes["Id"].Value.ToString().ToLower() == sUrgencyGuid)
                    {
                        foreach (XmlNode impactnode in urgencynode.ChildNodes)
                        {
                            if (impactnode.Attributes.Count == 1 && impactnode.Attributes["Id"].Value.ToString().ToLower() == sImpactGuid)
                            {
                                XmlNode prioritynode = impactnode.ChildNodes[0];
                                return Convert.ToInt32(prioritynode.InnerXml);
                            }
                        }
                    }
                }
            }
            //No matching urgency/impact entry was found
            return 0;
        }
        catch
        {
            //Any lookup or parsing failure falls back to 0
            return 0;
        }
    }
    Rob Ford scsmnz.net
    Cireson www.cireson.com

  • Allowing non-admin users partial admin privileges

    Hi All
    I manage a number of Macs on a large corporate (PC-centric) network. Organisation policy prohibits giving users admin privileges. However, I want users to be able to do some admin tasks like installing software, but not to have admin privileges per se. The Parental Controls option for non-admin accounts does not offer sufficient functionality.
    All the Macs are stand alone (not managed accounts), and are accessible via Apple Remote desktop. Few of the Mac users are command line savvy, so any solution has to be invisible, or via a simple gui.
    Thanks in advance
    Dave Mitchelll

    Most software does not need to be in the Applications folder to run. Non-admin users can install most drag-and-drop software right inside their home folders and run the apps from there.

  • Limited Admin Privileges/Specific Elevation of User Accounts

    I'm hoping to create an account on my laptop for my roommate.  I don't want him to have a full admin account, but he knows enough about computers that he could troubleshoot networking, and I want to enable him to install programs on the system.  I'm not sure what the best way to go about creating an account which can elevate itself for specific tasks; I've never modified my sudoers file before, and I don't know how to do so to grant him access to the privileges he should have.  I don't want to force him to use Terminal; I'd rather have him be able to enter a username/password for Admin privileges when prompted, whether that's his standard user account or a limited Admin account, but I want to make sure that account DOESN'T have access to modify anything in Users & Groups, can't create accounts with dscl, can't modify the keychain or hard drive partitions, etc. 
    Am I right in thinking the sudoers file is the best way to approach this?  How do I find out what processes to allow access to?  Does Network Preferences, for example, have any dependencies he will also need to be able to run?  Also, is there a good starting point/article on modifying the sudoers file for this type of thing anywhere?  <<clearly googling the wrong thing because my searches just tell me how to add someone to the sudoers file>>

    To modify network settings he needs to be able to unlock the preference pane. If you can unlock one pane you can unlock them all including Users & Groups.
    While it is more feasible to allow him some latitude in the application installing scenario, it's going to be a pain. The non-server version of OS X is just not set up for this. Either a user has admin privileges or he doesn't; there is no part way.
    Again if you trust him then you should also trust him not to do what you don't want him to do. If you tell him he can do x but please don't do y and you think he won't abide by your rules then giving him any access is potential trouble.
    And again if he can get to the machine when you are not around he can do what he likes, privileges or no privileges.
    good luck,
    regards

  • Delegated Admin and non-flat user/group structures

    Hello, I am trying to build a directory structure with several containers under an organization used to store different portions of userdata and group data (i.e. not only ou=people and ou=group, but also a few ou's like them). Server software is from OUCS 7u2 release. Users in "other" containers are populated into LDAP (ODSEE 11) by replication, filling in all the same attributes as a freshly DA-created account has.
    The Delegated Admin interface and other parts of the software accept this and work okay with this setup, displaying user information, allowing logins and so on - except for attempts to edit user accounts in the alternate containers in the DA (i.e. add/remove service packages, change quotas, etc.). First I've verified that this is not an LDAP problem - I can use both command-line ldapmodify and an LDAPBrowser GUI to edit the entries with no hiccups.
    I tracked that when trying to save account information for accounts in non-standard containers, the DA still tries to use a hard-coded path (i.e. uid=USERNAME,ou=people,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displayed it from) uid=USERNAME,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.
    Possibly, this "hardcoding" stems from DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties which does list components of the LDAP structure:
    # Ldap configuration.
    # List of ldap hosts. Form is <ldaphost>:<portnumber>. (Default port = 389)
    # add additional hosts with ldaphost-<consecutive number>
    # Schema type is either "1" or "2".
    # Reconnect interval is in seconds
    # Group and people container is dn from organization dn (e.g ou=people)
    ldaphost-1=oucsldap01:389
    ldaphost-2=oucsldap02:389
    ldaphost-suffix=dc=DOMAIN,dc=NAME
    ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
    ldaphost-maxcount=50
    ldaphost-schematype=2
    ldaphost-reconnectinterval=60
    ldaphost-peoplecontainer=ou=People
    ldaphost-groupcontainer=ou=Groups
    ldaphost-orgadminrole=cn=Organization Admin Role
    While the organization root dn is not explicit here (and shouldn't be), the default people container is... I might guess a coding error logic like this: indeed, the "ou=People" container should be used by default when creating a user via DA; as a likely error, it might also be used when editing existing users - instead of their existing full DN/parent DN.
    Questions:
    1) Does anyone have a working configuration with several user/group containers within an organization like this? Would you care to share details and workarounds, if were needed?
    2) I think that possibly the "shared domain/organization hosting" mode might help here - at least it is expected to have several LDAP trees with their delegated administrators performing as a single e-mail domain. Before I go and reconfigure everything, I'd love to hear if there are any success stories with this route? Is it a proper solution (or THE solution) for such config?
    Thanks,
    //Jim Klimov

    I wanted to follow up that reconfiguring the directory structure according to shared domain hosting, with branches for ISW-synchronized accounts as one of the sub-organizations which share the domain, and manually created OUCS-only accounts being in another sub-organization. This works for both messaging components and the DA, as long as UIDs are in ou=People in their organization. Somewhat unfortunately, ISW config seems to allow only one DSEE target branch and puts groups (CN) there as well. Well, for our needs to edit user attributes and service packages via DA, this suffices. Sometimes there are hiccups (Can not save changes), but they are intermittent and harder to trace debug; usually go away with restart of the DA web container. The DSEE LDAP instances are configured with plugins to enforce uid uniqueness across the organization and uniqueness of values of messaging email address attributes (mail, mailAlternateAddress, mailEquivalentAddress) to avoid mixups between user accounts in different branches.
    Also, we had a problem with Calendar server after migrating the LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocation of entries (the way we did it) generated new values for new entries and users got new empty calendar databases. On this POC this was not a major problem, and newer OUCS releases with a davUniqueID attribute should specifically be immune to this problem. However, for others trodding this path I can suggest that they export the LDAP database into LDIF including the unique IDs, recreate the suffixes as needed (the ISW target organization in DSEE should be a separate LDAP database suffix), change the LDIF entry pathnames, and import the LDIF anew. This would wipe old LDAP data and should add old nsUniqueIDs to relocated entries (unlike recreation via ldapadd or relocation via ldapmodrdn).
    We have also hit a problem with DA refusing to render the list of accounts (returning 0 or 25 empty entries in a table). The LDAP logs showed that on the LDAP side all is ok, and expected amount of replies was located. Pattern searches often produced the proper table with a subset of users in DA. Ultimately, we linked the problem to ISW binary base64-encoded attributes (dspswuserlink et al; some of those values also garbaged output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA-admin user to read,search,compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, so as to apply this ACI not to an explicitly named admin user but to any users with DA admin privileges (by group or role? which string, to cover them all in advance)? Or, perhaps, nobody except the ISW user account should see these ISW attributes?
    Hope this report helps others who would try to pioneer this path of messaging integration
    //Jim Klimov

  • Non admin user - changes not saved (Safari settings, system prefs, etc.)

    iMac, 2 users, one is administrator and other is standard user. Recently, in the non-admin user account, it has become impossible to make any changes. For example, adding an application to the Dock, after logging out and back in next time, the application is not in the Dock any more. Also, making changes to the prefs in Safari, changes are not saved.
    I noticed this after installing FireFox v4. I installed it as admin whilst in the non-admin users account. However, I don't believe that the installation of FF has anything to do with the problem, it just highlighted it. I've checked the permissions for the various directories that hold prefs info such as user/libraries/application prefs/etc. etc. and also Safari prefs. Nothing I can see that has changed in system prefs.
    Any ideas on what has caused the problem (kids are known to fiddle from within the non-admin account) and any ideas on how to fix it?
    Thanks

    Hi PPRuNe,
    You could try making the standard user an Admin too. To do this, make sure you are logged in to the standard user, go to System Preferences > Accounts > Standard user (you may have to unlock the padlock) > Allow user to administer this computer
    This will allow changes to be made without being prompted for a password all the time.
    However, if you had Parental Controls on, they probably won't work on an admin account because as an admin you have complete control over a computer, so the computer thinks there is no point in having the controls turned on. And if the kids are known to "fiddle," just think carefully!
    Hope this helps you.
    Chris.

  • How to allow access to winrs for non-admin user?

    I have Windows Server 2012 (and Server 2008, but it is next priority) to monitor it using txwinrm. txwinrm library internally is using WinRS protocol. I have to monitor it using least privileged user, but don't know how to configure access for him.
    All I managed to do is to configure a remote PowerShell session for my user, but it looks like winrs and PowerShell sessions have different security descriptors:
    Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2}
    # gives 4
    Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2}
    # gives 4
    winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"'
    # gives 4
    winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"'
    # Gives Winrs error: Access is denied.
    Configuration for my user is following:
    (Get-Item WSMan:\localhost\Service\RootSDDL).value
    # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
    (Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
    # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    (In each security descriptor my user is given general access to protected object).
    So what security descriptor should I set to make my winrs query work for non-admin user?

    Hi Bunyk,
    I cannot recreate the error you posted; please also post a screenshot at your convenience.
    I tested with a non-domain user that has local admin permission on the remote computer, and this worked; before running the remote cmdlet in PowerShell, I also configured the TrustedHosts.
    In addition, the access denied could also be caused by the Protocol Filtering on the remote server; for more detailed information, please refer to this thread:
    winrs error:access is denied
    I hope this helps.
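An added example, not part of the thread: a small Python parser for the two SDDL strings quoted in the question, which lists each descriptor's ACEs and reports which trustees are allowed by one descriptor but not the other. The abbreviation tables cover only the codes that appear in those strings plus a few common ones; which account each full SID belongs to is not stated on the page.

```python
import re

# SDDL strings copied verbatim from the question above.
ROOT_SDDL = ("O:NSG:BAD:P(A;;GA;;;BA)"
             "(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)"
             "S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)")
PS_SDDL = ("O:NSG:BAD:P(A;;GA;;;BA)"
           "(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)"
           "S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)")

# Standard SDDL abbreviations; only a subset is listed here.
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ACE_FLAGS = {"SA": "audit-success", "FA": "audit-failure",
             "CI": "container-inherit", "OI": "object-inherit"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "WD": "Everyone",
               "NS": "NETWORK SERVICE", "AU": "Authenticated Users"}

# O:<owner> G:<group> D:<flags>(ace)... S:<flags>(ace)... ; every part optional.
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>[^:()]+?))?"
    r"(?:G:(?P<group>[^:()]+?))?"
    r"(?:D:(?P<dacl_flags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*))?"
    r"(?:S:(?P<sacl_flags>[A-Z]*)(?P<sacl>(?:\([^()]*\))*))?$")


def decode_codes(field, table):
    """Split a run of two-letter SDDL codes; hex access masks are kept as-is."""
    if field.lower().startswith("0x"):
        return [field]
    return [table.get(field[i:i + 2], field[i:i + 2])
            for i in range(0, len(field), 2)]


def parse_ace(text):
    """Parse one ACE body: type;flags;rights;object;inherit_object;trustee."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"unsupported ACE: ({text})")
    ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": decode_codes(flags, ACE_FLAGS),
            "rights": decode_codes(rights, RIGHTS),
            "trustee": trustee,
            "trustee_name": SID_ALIASES.get(trustee, trustee)}


def parse_sddl(sddl):
    """Return owner, group and the decoded DACL/SACL ACE lists."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("not a recognised SDDL string")

    def aces(section):
        return [parse_ace(a) for a in re.findall(r"\(([^()]*)\)", section or "")]

    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["dacl_flags"] or "", "dacl": aces(m["dacl"]),
            "sacl_flags": m["sacl_flags"] or "", "sacl": aces(m["sacl"])}


def allow_grants(sddl):
    """Map each trustee to the rights its allow ACEs grant in the DACL."""
    grants = {}
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] == "allow":
            grants.setdefault(ace["trustee"], []).extend(ace["rights"])
    return grants


def trustee_diff(sddl_a, sddl_b):
    """Trustees allowed only by the first descriptor, and only by the second."""
    a, b = set(allow_grants(sddl_a)), set(allow_grants(sddl_b))
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for name, sddl in (("WinRM RootSDDL", ROOT_SDDL),
                       ("Microsoft.PowerShell", PS_SDDL)):
        sd = parse_sddl(sddl)
        print(f"{name}: owner={sd['owner']} group={sd['group']}")
        for ace in sd["dacl"] + sd["sacl"]:
            print(f"  {ace['type']:5} {'+'.join(ace['rights']):30} "
                  f"{ace['trustee_name']}")
    only_root, only_ps = trustee_diff(ROOT_SDDL, PS_SDDL)
    print("allowed only by RootSDDL:", only_root)
    print("allowed only by Microsoft.PowerShell:", only_ps)
```

On a Windows host, `ConvertFrom-SddlString` in PowerShell 5 or later decodes the same strings and resolves SIDs to account names.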

  • User cannot change password option is automatically getting unchecked while giving domain admin rights

    user cannot change password option is automatically getting unchecked while giving domain admin rights

    Greetings!
    "Domain Admins" falls into the category of protected groups and it is included in the AdminSDHolder process. It is normal and was designed in order to prevent the modification to these privileged groups. More information on the link below:
    AdminSDHolder, Protected Groups and SDPROP
    Regards.
    Mahdi Tehrani | www.mahditehrani.ir

  • A Solution for Enabling Sandbox activation by non admin users for testing (OIM 11gr2 PS2)

    I just wanted to post what I came up with as a solution to the problem of not being able to test the effects of sandbox changes for non admin level users prior to their publication.  We are constantly making changes to the UI through sandboxes, the problem is rolling a sandbox back isn't easy, and we cannot be sure of the effects they will have on non administrative users until they are published, since the out of the box sandbox link isn't available to non Sysadmin level users.
    To allow these non admin user accounts to test the effects of sandbox changes in our development environment, I did the following (as always, follow at your own risk):
    1. Create and activate a new sandbox.
    2. Close all open tabs (including the Home and Sandbox tabs) and click the "Customize" link.
    3. Click the view -> source drop down in the upper left.
    4. After the source is visible, click the Accessibility or Sandbox link to find the area that you will add the new "UserSandboxTest" (call it whatever you want) link.
    5. Add a new commandImageLink directly in the panelGroupLayout: horizontal item before the "switcher" item (see the UserSandboxLink in my screen shot below):
    6. Edit the link you just inserted, entering whatever you want the link to display as in your browser in the "Text" field.
    7. Export the sandbox.
    8. Unzip the exported sandbox and navigate to the IdmShellV2.jspx.xml (path should be: \templates\mdssys\cust\site\site).
    9. Edit the IdmShellV2.jspx.xml file and find the new item you added in step 5.
    10. Add the following to the commandImageLink xml item: actionListener="#{pageFlowScope.uiShell.context.launchSandboxes}" rendered="#{oimcontext.currentUser.roles['SANDBOX_USER'] != null}".  Note: I used a new custom enterprise role, SANDBOX_USER, to control the display of the new link. You should substitute whatever EL conditions you need in the rendered property.
    11. Save your IdmShellV2.jspx.xml file and zip the contents back up, just like you would for any other customization.
    12. Import your newly edited sandbox back into the target environment.
    13. Publish the sandbox.
    This seems to work great for allowing us to test other sandbox changes effects on different types of users. 

    On step 10, adding the check to determine if the user should have access to the role ended up breaking access to the unauthenticated pages like the self registration page and the forgot userid/user login pages.  Non-authenticated users cannot execute the method to return the role, so that fails which leaves the page not loading.  To correct this I changed the rendered property to rendered="#{securityContext.authenticated}".  This prevents the link from displaying on non authenticated pages, but displays for anyone else who's logged on.  We only plan on using this in our development environment where no one but developers and system admins have access anyway, so it's not an issue that everyone will see the link.  I wouldn't recommend putting this in an environment where end users will be logging in and testing without developing a method (or finding another way to limit the display) that can be called by unauthenticated users to prevent them from seeing the link.

  • How do I allow access to non admin network users to disk volume?

    I would like to allow access to a specific volume (disk) on one of our networked macs (Mac1) to all users. I've set user accounts on Mac 1 for all network users. These users are "regular" users, not admin. They can access this disk (and all others on Mac1) if I log in as Admin set Users to Admin. If I do this, then users have access to ALL data on all disks. If I do not, leaving them as "regular" users, when they log in they only see public folders. How can I allow access to the one disk volume without making network users admin? I tried changing various settings for the volume in Finder Info (everyone else=read/write; ignore permissions) with no luck.
    Thanks
    iMac, ibooks, G5, Tibook   Mac OS X (10.4.4)  

    Your observations are correct - by default, an "admin" user connecting over AFP can choose from available "volumes" (default) or "shares", whereas a non-admin user can only mount "shares".
    By default, the only "shares" on an OS X client machine are the users' "Public" folders, and unlike pre-OS X Macs, it isn't easy to configure your own share points. Apple's official statement is that users wanting this functionality should buy OS X Server.
    However, it is possible to create an arbitrary share point using 3rd party software called "SharePoints" (donationware). I have never used it, but it seems to be well regarded. Alternatively, you can do it manually following the instructions in this hint & comments (especially apw8's):
    http://www.macosxhints.com/article.php?story=20011108161839416
    Once the external drive (or folder on the external drive) is configured as a share point, it should be possible for non-admin users to select and mount it once they connect over AFP.
