How do I prevent non-admin users from putting Lion to sleep?

Similar Messages

• How do I prevent other Mac users from changing my Airport Extreme Network Name and Password within the Airport Utility?

  How do I prevent other Mac users from changing my Airport Extreme Network Name and Password within the Airport Utility?  My company is using an Airport Extreme in our office now and I want to prevent other employees from messing with the network/settings.  Is there a way to place a password on the settings to allow only the admin to access the network name and password? 

  Hi - you have will have to change the device passwords on all the base stations and then don't give them to anyone except the administrators and tell them not to save them on their computers that use the older versions of the Airport Utility - for the newer versions like the mobile apps, as soon as you enter the pasword it is saved and is visible in the advanced pane along with the network password - so if anyone gets a hold of your iPad or iPhone, they can edit the whole network - I have this same issue with my networks in the office and it is inconvenient but doable - I hope this helps

• Is there any way to prevent non-admin user accounts to receive software update prompts?

  I am the admin account user on our MacBook Pro, and there is one standard user account on it as well. Generally we are both logged on so we can quickly switch between user accounts and 'spin the desktop'.
  For some reason, all the software update notifications seem to be received when the standard user account is the active one.
  I know that the standard user cannot actually update without my account password and my Apple ID, but a) The notifications confuse the non-admin user, and she gets flustered, and b) Even if she manages to cancel them from the notification area, she then has to remember to tell me verbally that she had had one.
  Is there any way to stop her receiving the update notifications altogether?
  Running OS X 10.8.2 on MacBook Pro.
  Thanks in advance.

  You should be able to do this by unchecking the software update service in the system preferences to prevent the system from running the check as the "_softwareupate" user and passing it to the notification service that broadcasts to all user accounts. Then you can check for the software update in an admin account using the following Terminal line:
  /System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdateCheck -Check YES
  This line can be scripted via Terminal services to run on a schedule (ie, every few hours), and if there are found updates it will launch the App Store for that account and present them. Granted this approach circumvents the notification service, but should work. To try this, open TextEdit on your computer and in a new document choose "Make Plain Text" from the Format menu.
  Then copy and paste the following text into the new document:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
            <key>Label</key>
            <string>local.softwareupdatecheck</string>
            <key>ProgramArguments</key>
            <array>
                      <string>/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdateCheck</string>
                      <string>-Check</string>
                      <string>YES</string>
            </array>
            <key>StartInterval</key>
            <integer>21600</integer>
  </dict>
  </plist>
  When done, save the document to your desktop as "softwareupdatecheck.plist" or anything as long as it ends with ".plist." Then get information on the file in the Finder to ensure its name ends with plist and not anything else like "plist.txt" (rename it accordingly in the Info window's "Name & Extension" section.
  With the file name appropriate, hold the Option key and choose the "Library" option in the Finder's "Go" menu. Then locate the folder called "Launch Agents" in the library and drag the text file to this folder. Then log out and log back into your account.
  This text file is a launch agent script that instructs the system to run the program arguments every 21600 seconds (6 hours) whenever the user is logged in. The program arguments here are simply those to check for software updates for the system. You can change this time interval to be any number of seconds you would like, but there are other options to use besides the "StartInterval" key for scheduling the task. This approach simply has it repeat every number of seconds, but you can use other options to have it only run on specific hours or days, or only have it run once when you log in, etc.
  If this works for you, then if you'd like to explore these other options write back here and we can go over them for you.

• Is there any way to prevent non-root users from rebooting the system?

  This question seems to be addressed many times on the web, but the problem is that none of the wannabe-howtos work on my system. In particular, this doesn't work and this doesn't work either, because (1) I need to keep policykit installed for udisks and other dependencies to function and (2) renaming (or removing) the file /usr/share/polkit-1/actions/org.freedesktop.login1.policy has (again) no effect on the users' ability to reboot and shut down the system. Even more surprisingly, adding the following to /etc/polkit-1/rules.d/20-disable-shutdown.rules has no effect at all:
  polkit.addRule(function(action, subject) {
  if (
  action.id == "org.freedesktop.login1.power-off" ||
  action.id == "org.freedesktop.login1.reboot" ||
  action.id == "org.freedesktop.login1.suspend" ||
  action.id == "org.freedesktop.upower.suspend" ||
  action.id == "org.freedesktop.login1.hibernate" ||
  action.id == "org.freedesktop.upower.hibernate"
  return polkit.Result.NO;
  As a result, ordinary users (not in the wheel group and with no special permissions) can simply reboot the machine by typing reboot. I remember that a simple polkit rule (as proposed on the Fedora forum) worked fine just a few months ago, but this doesn't work nowadays. The action IDs mentioned there are no longer listed in pkaction, so it's quite obvious that some changes (and bugs) have been introduced since then. I just need to prevent the users from rebooting the machine and to keep policykit installed. Is there any way to do this?

  karol wrote:Do said users have the ability to push the Power or Reset buttons?
  No, they don't.
  But come on, access permissions are a matter of principle rather than a matter of what you can possibly do with a hammer in your hand. That makes your question somewhat irrelevant to this issue. Imagine someone asking: "How can I protect my home directory from access by other users?" You would then probably ask: "Do said users have the ability to pull out the hard drive and mount it on their computer?"
  Even if the users had physical access to the ACPI buttons, rebooting the computer by mistake (via software) would still be much more likely than pressing (or even holding) the ACPI buttons by mistake.
  If I call rm -Rf / as a normal user, nothing should happen to the system in terms of availability to other users. Only my home directory and temporary files would vanish, but that's all. This is what permissions are there for. Similarly, when I type reboot as a normal user (no matter if I'm on SSH, on a local terminal or logged into KDE), it should be possible to simply disallow rebooting.
  The idea that users logged in locally can restart the computer may be fine for laptops under certain conditions, but it is a bad idea in almost all other cases. In a "kiosk" type environment, for example, the ability to reboot and get to the bootloader can be a huge security hole, unless all your disks are encrypted, and a huge "reliability hole" in any case. Suppose you use a desktop as a home server. You want everyone to be able to log in and to connect a USB flash drive (using polkit and udisks). But you simply don't want the machine to be rebooted. Why is such a simple thing so hard to do?
  Last edited by andrej.podzimek (2014-03-10 02:15:35)

• How can I restrict non-adminstrator user from openning Forefox in "safe mode"?

  I want to have parental control on the computer. I have added 'ProConn Latte' to Firefox which serves that purpose but my teenager figured out that he can simply open Firefox in "safe mode" (an option under the START menu) and bypass the control. I have already added administrator password security to MSWindows so that he can not work around his limited user settings but the Firefox loophole still remains.

  Another option you may consider exploring:
  The Safe Mode feature can also be disabled by modifying firefox files, that is explained in [https://support.mozilla.com/en-US/questions/664785#answer-128337 answer to ] ''How to *permanently* disable Firefox Safe Mode option?''
  Remember to password protect all admin accounts, including the normally hidden System Administrator account (which probably has no password set by default), but make sure you have that passwords secure somewhere, &/or have a password reset floppy.
  A determined & knowledgeable teenager will get past most things you attempt to do, especially if you are not actually watching the computer use; maybe even running a different OS from a CD. Quite possibly the teenager has unrestricted access to the internet elsewhere anyway.

• How to allow access to winrs for non-admin user?

  I have Windows Server 2012 (and Server 2008, but it is next priority) to monitor it using txwinrm. txwinrm library internally is using WinRS protocol. I have to monitor it using least privileged user, but don't know how to configure access for him.
  All I managed to do - is to configure remote Powershell session for my user, but it's look like that winrs and powershell sessions have different security descriptors:
  Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2}
  # gives 4
  Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2}
  # gives 4
  winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"'
  # gives 4
  winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"'
  # Gives Winrs error: Access is denied.
  Configuration for my user is following:
  (Get-Item WSMan:\localhost\Service\RootSDDL).value
  # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
  (Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
  # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
  (In each security descriptor my user is given general access to protected object).
  So what security descriptor should I set to make my winrs query work for non-admin user?

  Hi Bunyk,
  I can not recreate the erroe you posted, and please also post the screenshoot in your convenience.
  I tested with a non-domain user but has the local admin permission of the remote computer, and this worked, before running the remote cmdlet in powershell, I also configured the TrustedHosts.
  In addition, the access denied could be also caused to the Protocol Filtering on the remote server, for more detailed information, please refer to this thread:
  winrs error:access is denied
  I hope this helps.

• How to allow non-admin users to install software updates of Java, FLASH and Adobe Reader?

  Hi all,
  I have a company (+150 users) and I would like  to allow users to update Java, FLASH and Adobe Reader only.
  These software are already installed in the hosts, but there are updates of the program every week and it needs to be updated.
  How can I give permissions to every user in the domain to do that? Just "Java, FLASH and Adobe Reader"
  Remember that I dont want distribute software because they were installed.
  I tried to enable "Enable user to patch evelated products" directive but it didn't work at my domain.
  is it possible?

  I have a method that works for FLASH player, but am trying to come up with a method for the other 2 myself.  To automate flash player, I created a Policy and added the following:
  Under Computer Config, Prefrences, Windows Setting, Files I created a new File Item.
  I set Action = Replace, Created a Source File named mms.cfg* (more below) and have the destination file as systemroot%\System32\Macromed\Flash\mms.cfg (or %systemroot%\SysWOW64\Macromed\Flash\mms.cfg for x64)
  I used notepad to edit the mms.cfg, and used the following in the body:
  AutoUpdateDisable=0
  SilentAutoUpdateEnable=1
  AutoUpdateInterval=0
  My non-admin users now update flash in the background silently and automatically.

• How to hide the page ribbon and quichlaunch for non admin users

  HI
  1 ) how to hide the ribbon in a page in sharepoint 2010 for non administrator users  
  2) how to hide quicklaunch also for non admin users
  in quick lanuch i want to hide links for all site content also.
  i used Document Center Template to create my web application.
  adil

  HI
  i did not get how i use this control 
  <Sharepoint:SPSecurityTrimmedControl
  runat="server"
  PermissionsString="FullMask">
  2
    <div>
  3
      <SharePoint:SPLinkButton
  id="idNavLinkViewAll"
  runat="server"
  NavigateUrl="~site/_layouts/viewlsts.aspx"
  Text="<%$Resources:wss,quiklnch_allcontent%>" AccessKey="<%$Resources:wss,quiklnch_allcontent_AK%>"/>
  4
    </div>
  5
  </SharePoint:SPSecurityTrimmedControl>
  adil

• Help-I want to move my stuff out of admin user account to a non-admin user account for security.  How can this be done?

  So... I have amassed loads of documents, videos, music, photos, etc. onto my MacBook Pro all under the admin user account I set up for myself.  I am the only one who uses the MacBook.  I now work virtually and am online at different free wifi spots, and I want to access all of my stuff under a non-admin user account for security reasons.
  I attempted to uncheck the "allow this user to administer this computer" box under my admin user account, but it is greyed out and I cannot.
  Is there an easier way to fix this than backing up all of my stuff and then moving it to a non-admin account?

  There is only one solution: create a new Standard user account and set it as your auto login account, if you use that feature.
  Using what you describe is mostly a false sense of security. Were someone to hack into the computer they could hack into the standard account, so you would not wish to keep any sensitive data in that account. Other things to consider:
  Turn on your Firewall in Security & Privacy preference panel.
  Use software to mask your online presence such as ProxyCap 2.03, MacProxy, Proxifier, or Hotspot Shield.

• Non admin user - changes not saved (Safari settings, system prefs, etc.)

  iMac, 2 users, one is administrator and other is standard user. Recently, in the non-admin user account, it has become impossible to make any changes. For example, adding an application to the the Dock, after logging out and back in next time, the application is not in the Dock any more. Also, making changes to the prefs in Safari, changes are not saved.
  I noticed this after installing FireFox v4. I installed it as admin whilst in the non-admin users account. However, I don't believe that the installation of FF has anything to do with the problem, it just highlighted it. I've checked the permissions for the various directories that hold prefs info such as user/libraries/application prefs/etc. etc. and also Safari prefs. Nothing I can see that has changed in system prefs.
  Any ideas on what has caused the problem (kids are known to fiddle from within the non-admin account) and any ideas on how to fix it?
  Thanks

  Hi PPRuNe,
  You could try making the standard user an Admin too. To do this, make sure you are logged in to the standard user, go to System Preferences > Accounts > Standard user (you may have to unlock the padlock) > Allow user to administer this computer
  This will allow changes to be made without being prompted for a password all the time.
  However, if you had Parental Controls on, they probably won't work on an admin account because as an admin you have complete control over a computer, so the computer thinks there is no point in having the controls turned on. And if the kids are known to "fiddle," just think carefully!
  Hope this helps you.
  Chris.

• A Solution for Enabling Sandbox activation by non admin users for testing (OIM 11gr2 PS2)

  I just wanted to post what i came up with as a solution the the problem of not being able to Test the effects of sandbox changes for non admin level users prior to their publication.  We are constantly making changes to the UI through sandboxes, the problem is rolling a sandbox back isn't easy, and we cannot be sure of the effects they will have on non administrative users until they are published, since the out of the box sandbox link isn't available to non Sysadmin level users.
  To allow these non admin user accounts to test the effects of sandbox changes in our development environment, I did the following (as always, follow at your own risk):
  Create and activate a new sandbox.
  Close all open tabs (including the Home and Sandbox tabs) and click the "Customize" link.
  Click the view -> source drop down in the upper left.
  After the source is visible, click the Accessibility or Sandbox link to find the area that you will add the new "UserSandboxTest" (call it whatever you want) link.
  Add a new commandImageLink directly in the panelGroupLayout: horizontal item before the "switcher" item (see the UserSandboxLink in my screen shot below):
  Edit the Link you just inserted, Entering whatever you want the link to display as in your browser in the "Text" field.
  Export the sandbox.
  Unzip the exported sandbox and navigate to the IdmShellV2.jspx.xml (path should be: \templates\mdssys\cust\site\site).
  Edit the IdmShellV2.jspx.xml file and find the new item you added in step 5.
  Add the following to the commandImageLink xml item: actionListener="#{pageFlowScope.uiShell.context.launchSandboxes}" rendered="#{oimcontext.currentUser.roles['SANDBOX_USER'] != null}".  Note: I used a new custom enterprise role, SANDBOX_USER, to control the display of the new link, You should substitute whatever EL conditions you need in the rendered property.
  Save your IdmShellV2.jspx.xml file and zip the contents back up, just like you would for any other customization.
  Import your newly edited sandbox back into the target environment.
  Publish the sandbox.
  This seems to work great for allowing us to test other sandbox changes effects on different types of users. 

  On step 10, adding the check to determine if the user should have access to the role ended up breaking access to the unauthenticated pages like the self registration page and the forgot userid/user login pages.  Non-authenticated users cannot execute the method to return the role, so that fails which leaves the page not loading.  To correct this I changed the rendered property to rendered="#{securityContext.authenticated}".  This prevents the link from displaying on non authenticated pages, but displays for anyone else who's logged on.  We only plan on using this in our development environment where no one but developers and system admins have access anyway, so it's not an issue that everyone will see the link.  I wouldn't recommend putting this in an environment where end users will be logging in and testing without developing a method (or finding another way to limit the display) that can be called by unauthenticated users to prevent them from seeing the link.

• Reader 9.5.1 Crashes after a few seconds for non-Admin users

  I have Adobe Reader 9.5.1 installed on some Citrix XenApp 5.0 servers that are Windows 2003.  Any time a non-admin user launches Reader it is open for a matter of seconds and then crashes.  It shows a Dr Watson crash in the error logs each time. If I logon as an Administrator, it works just fine.  I've tried reinstalling/repairing the installation to no avail. 
  Has anybody run into this in the past or does anyone have any ideas on how to fix it?

  My company is into same issue but thing is that I cannot uninstall the MS patch as it will be vulnerability for our servers and we have opened a case with MS and they have reveiwed the proc dump and now MS is asking to get this reviewed with Adobe. I'm not sure how to reach out to Adobe Support to get the fix from them. Any solution on this regard, it will be great help. Thanks, Sayed.

• Allowing non-admin users to use certain programs without authenticating

  I would like to allow certain programs to be run by non-admin users without forcing them to authenticate as an admin. Here is my example: I'm running Parallels Desktop with a VM to Windows. I want to allow my children to use this VM to access Windows programs. But, when starting a VM, the Mac OS requires an administrator to authenticate. Needless to say, I don't want my children to be administrators on the machine. I've been assured that this is not an issue related to how Parallels works (from the support team at Parallels). Instead, this is an issue with the Mac. i'm not sure one way or the other, but it seams useful to be able to (in general) allow non-admin users to use certain programs without forcing them to authenicate as administrators.
  There is only one summary in the Mac help on allowing non-admin users to change the time zone settings by directly editing the /etc/authorization file. Does anybody know if this procedure would work for other programs?
  Thanks!

  If you know what the requested right is, that procedure can be applied to any right in an application with a graphic interface by duplicating and modifying entries. The contents of that file don't control usage of sudo in the Terminal.
  (25922)

• Acrobat 7 requires admin password at every launch for non admin users?

  acrobat 7 requires admin password at every launch for non admin users?
  any one with a solution or similar problem?
  thanks for any help.

  I've been avidly following all of the threads regarding this issue...yet none of the solutions have worked for me. I've got 11 Mac users that do not use the Creative Suite..only Acrobat, Quark, etc. I've tried installing and re-installing through both Admin and User accounts, I've tried the AdobeBib XML change, I've tried enabling Root and installing, changing permission on the Acrobat folder, etc. all to no avail. I still get asked for Admin Authentication every time Acrobat and Distiller are opened (except on the Admin account side). This is happening on one particular Mac (G4, 1GB Ram, OS 10.4.3) for both Acrobat Standard 6 and 7 as well. The biggest issue that also happens in tandem with the Acrobat installs is the inability to print from Quark. I get the following error when printing: "The process "pictwpstops" terminated unexpectedly on signal 6." Because of the necessity to print Quark documents, I have uninstalled all Acrobat on the machines until we can get a fix. This resolves the printing problem with Quark. The only option left is to set up all users as Admin accounts - which I really do not want to do. Any other suggestions out there? I've got more information available if needed.

• JDK 1.6 u12 installation on Windows XP as non-admin user

  I am working on a machine which does not grant my user the admin rights. I had wanted to use JDK with Netbeans. The Netbeans was available as ZIP file, but it required pre-installed JDK. I am not able to install JDK (latest version 1.6 u12) as non-admin user. Is this even possible and how?
  Operating System : Windows XP (SP3)
  JDK Version : 1.6 update 12
  User : Non-Administrator
  Thanks,
  Akbar.

  Contact your admin and ask him to install or to give you local admin rights.