How to allow non domain users to map to print drivers?
Greetings,
We have a Windows Server 2008 (non R2) 32 bit server that acts as print server. It's also on a domain. Users who are on the domain can easily add the print driver simply by going to Devices and Printers and clicking Add Printer and selecting Network since I list it in the AD.
The problem arises with well over 100 realtors that walk in and out and need to print. These users are not on the domain. They need to have the print drivers on their computers. I'm hoping we can at least get them to map to the drivers as opposed to unending local installs.
The management does not want to hear about security, and wants the simplest possible way for their realtors to get up and printing from their computers when they arrive to the office.
Any advice is welcomed.
Thank you!
In the end they got a domain user account that they share to add printers...
Thanks for sharing in the forum. Your time and efforts are highly appreciated.
Best regards,
Justin Gu
Similar Messages
-
Hi all,
I have a company (+150 users) and I would like to allow users to update Java, FLASH and Adobe Reader only.
These software are already installed in the hosts, but there are updates of the program every week and it needs to be updated.
How can I give permissions to every user in the domain to do that? Just "Java, FLASH and Adobe Reader"
Remember that I don't want to distribute software because they were installed.
I tried to enable the "Enable user to patch elevated products" directive but it didn't work at my domain.
Is it possible?
I have a method that works for FLASH player, but am trying to come up with a method for the other 2 myself. To automate flash player, I created a Policy and added the following:
Under Computer Config, Preferences, Windows Settings, Files I created a new File Item.
I set Action = Replace, created a Source File named mms.cfg* (more below) and have the destination file as %systemroot%\System32\Macromed\Flash\mms.cfg (or %systemroot%\SysWOW64\Macromed\Flash\mms.cfg for x64)
I used notepad to edit the mms.cfg, and used the following in the body:
AutoUpdateDisable=0
SilentAutoUpdateEnable=1
AutoUpdateInterval=0
My non-admin users now update flash in the background silently and automatically. -
"Unable to check revocation" error while checking CDP from non-domain user account
Hi!
I use 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In certificate we have three CDP point for CRL check:
ldap:///, http:// and file://
I have Windows 2008 R2 server joined to domain.
I use command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of certificate.
When I use domain user account for revocation checking, all OK.
I have access to any CDP and all fine.
But when I use local server user account, I haven't access to ldap:/// and process failed although all other links are OK.
My question is "why does the check fail with non-domain user account while other CDP points are successfully verified"?
Here is the logfile from local user:
Issuer:
CN=EntSubCA
DC=DED
DC=ROOT
Subject:
CN=servername.domain_name
Cert Serial Number: 5a896145000300006ee2
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
NotBefore: 05.02.2015 20:03
NotAfter: 05.02.2016 20:03
Subject: CN=servername.domain_name
Serial: 5a896145000300006ee2
SubjectAltName: DNS Name=servername.domain_name
Template: Machine
70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
OK "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 018d:
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SubCA
NotBefore: 13.11.2014 19:12
NotAfter: 13.11.2017 19:22
Subject: CN=EntSubCA, DC=DED, DC=ROOT
Serial: 6109015b000100000008
Template: SubCA
9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/SubCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 32:
Issuer: CN=SubCA
8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 28.05.2008 12:09
NotAfter: 28.05.2058 12:19
Subject: CN=SubCA
Serial: 616bd19f000100000004
Template: SubCA
06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 4
[0.0] http://webserver/crl/RootCA.crl
Verified "Base CRL (1c)" Time: 0
[1.0] file://\\ca\crl\RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 27.05.2008 16:10
NotAfter: 27.05.2110 16:20
Subject: CN=RootCA
Serial: 258de6fbd3bbab92460530e9e9f10536
5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 0
[0.0] file://\\ca\crl\RootCA.crl
Verified "Base CRL (1c)" Time: 4
[1.0] http://webserver/crl/RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
Exclude leaf cert:
5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
Full chain:
ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have necessary permissions (you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also an internally and externally accessible, highly available Web cluster.
The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
certutil -dspublish -f RootCA.crt.
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
Brian -
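An added example (not part of the original thread and not Microsoft tooling): a small Python parser for `certutil -verify -urlfetch` output in the format posted above, which groups retrieval results by URL scheme so the credential-dependent ldap:/// failures stand out from the file:// and http:// fetches. The sample text is an excerpt of the log in the question; all function and type names are this example's own.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Excerpt of the certutil output posted in the question (leaf certificate
# AIA/CDP/OCSP sections plus the EntSubCA AIA section), trimmed for the example.
SAMPLE = r'''
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
'''


class Fetch(NamedTuple):
    section: str          # e.g. "Certificate CDP"
    status: str           # "Failed", "Verified", "OK", "Old Base CRL", ...
    scheme: str           # "ldap", "http", "file"
    url: str
    error: Optional[str]  # text after "Error retrieving URL:", if present
    code: Optional[str]   # HRESULT such as "0x8007052e", if present


SECTION_RE = re.compile(r'^-+\s*(.+?)\s*-+$')
STATUS_RE = re.compile(r'^(?P<status>[A-Za-z ]+?)\s+"(?P<object>[^"]*)"\s+Time:\s*\d+$')
ERROR_RE = re.compile(
    r'^Error retrieving URL:\s*(?P<msg>.*?)\s*(?P<code>0x[0-9a-fA-F]+)\s*\(WIN32:\s*\d+\)$')
URL_RE = re.compile(r'^(?:\[[\d.]+\]\s*)?(?P<url>(?:ldap|https?|file)://\S+)$')

LOGON_FAILURE = "0x8007052e"  # the code the log prints next to "Logon failure"


def parse_urlfetch(text):
    """Return one Fetch per URL retrieval reported in the output."""
    entries, section, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                      # new AIA/CDP/OCSP block
            section, pending = m.group(1), None
            continue
        m = STATUS_RE.match(line)
        if m:                      # status line precedes its URL line
            pending = {"status": m["status"], "error": None, "code": None}
            continue
        if pending is None:
            continue
        m = ERROR_RE.match(line)
        if m:                      # optional error line between status and URL
            pending["error"], pending["code"] = m["msg"], m["code"].lower()
            continue
        m = URL_RE.match(line)
        if m:
            url = m["url"]
            scheme = url.split(":", 1)[0].lower()
            entries.append(Fetch(section, pending["status"], scheme, url,
                                 pending["error"], pending["code"]))
            pending = None
    return entries


def failures_by_scheme(entries):
    """Count failed retrievals per URL scheme."""
    return Counter(e.scheme for e in entries if e.status == "Failed")


def logon_failures(entries):
    """URLs that failed because the calling account could not authenticate."""
    return [e.url for e in entries if e.code == LOGON_FAILURE]


def schemes_never_retrieved(entries):
    """Schemes for which every attempt failed under this account."""
    failed = {e.scheme for e in entries if e.status == "Failed"}
    fetched = {e.scheme for e in entries if e.status != "Failed"}
    return failed - fetched


if __name__ == "__main__":
    parsed = parse_urlfetch(SAMPLE)
    print("failures by scheme:", dict(failures_by_scheme(parsed)))
    print("schemes never retrieved:", schemes_never_retrieved(parsed))
    for u in logon_failures(parsed):
        print("logon failure:", u)
```

Running the same functions over the output captured under a domain account and under the local account shows which publication points depend on the caller's credentials.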
Non Domain User Access to Report Server
HI Team,
I am back with another question. These days I am working on SSRS web services. As a part of that I need to provide user access to non domain users to the Report Manager which is residing in a virtual machine. Also, when I use the report service web service URL it is asking for the virtual machine's Windows credentials, and as per my client's requirement I should not be prompted with the VM's Windows credentials.
Also, we are providing end users with a login page and this login page is connected to a separate users database in the VM. How do we register these non domain users in the report server database and also Report Manager? Please help me out of this issue.
Thank you.
Hi NB515,
In Reporting Services, if we connect to Report Manager from outside the domain, then we need to provide a domain username and password before we can access it. If you want to skip this step, you can configure anonymous access for the report server. However, anonymous access is not recommended as it may give direct access to your report server or report projects to anyone who knows the URL of your Reporting Services. But in case you still want to try it, you can refer to the link below to see it:
http://blog.quasarinc.com/ssrs/sql-server-reporting-services-2012-anonymous-access/
If you have any questions, please feel free to ask.
Regards,
Charlie Liao
TechNet Community Support -
How to make non-root user to connect to TCP Port (web ports)
how to make a non-root user (any user)
connect to TCP port 80 or port 81 or any port less than 1024
because I have a web server I want to run and stop the service with a non-root user and on port 80 and port 81
can you help me and give me steps
I believe Solaris 9 also has RBAC control. If so then all you need to do is present the uid with the PRIV_NET_PRIVADDR privilege. See the privileges(5) manpage for more information on the subject.
This privilege will allow the userid to bind to ports < 1024. You can give a user this privilege either by using usermod (you will probably need the auth_attr(4) manpage as well) after which you need to log in again. Or you can try using ppriv to modify the privileges on the user's shell. -
Lync for Mac 2011 - non-domain user logins
How can a non-domain (external) Mac user join a Lync meeting? We've installed the client, they have a live.com account (and a Skype login if that can help), but we can't login using their live.com id, always returning a failed login error message (check password, username ...).
Authentication is set to non kerberos, manual config, using TLS with this server:
sipdir.online.lync.com:443
logs follow:
Microsoft Lync 14.0.7 (131205)
MacOS version 10.9.1 (build 13B42)
2014/02/25 21:16:49.330 SIPService::OnEvent(IApplicationLayerEvent &), type: 0, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:16:50.075 SIPService::OnEvent(NModel::ILogonSessionEvent), hr: 0x0, oldState: 0, newState: 10, direction: 0
2014/02/25 21:16:50.082 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:16:50.084 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.477 Office Communications Server LOGON STARTED: USER = {[email protected]}
2014/02/25 21:18:00.478 SIPService::Logon
2014/02/25 21:18:00.514 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.755 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.756 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.762 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.762 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.764 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.764 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.785 SIPService::OnEvent(NModel::ILogonSessionEvent), hr: 0x0, oldState: 10, newState: 20, direction: 0
2014/02/25 21:18:00.817 InternalConnect, NLResolveAddress returned: 0
2014/02/25 21:18:00.819 IsLocalAddress, 'sipdir.online.lync.com' is not a local address
2014/02/25 21:18:00.819 FShouldUseProxy, is returning 1
2014/02/25 21:18:00.819 Connecting to sipdir.online.lync.com (port 443)
2014/02/25 21:18:01.513 InternalConnect, NLCreateConnection returned: 0,
2014/02/25 21:18:01.514 InternalConnect, NLCopyConnectionBinding returned: 0,
2014/02/25 21:18:06.041 FShouldUseProxy, is returning 1
2014/02/25 21:18:06.836 FShouldUseProxy, is returning 1
2014/02/25 21:18:10.802 SIPService::OnEvent(ILogonCredentialManagerEvent), type: 0
2014/02/25 21:18:10.802 Login (1) failed with error: (0.0)
2014/02/25 21:18:10.976 SIPService::OnEvent(ILogonCredentialManagerEvent), type: 6
2014/02/25 21:18:10.983 SIPService::OnEvent(NModel::ILogonSessionEvent), hr: 0x80ef0191, oldState: 20, newState: 10, direction: 1
2014/02/25 21:18:10.983 void SIPService::OnLogoffResult(HRESULT), hr: 0x80ef0191
2014/02/25 21:18:10.986 void SIPService::LogoffEx()
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 2, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 4, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 6, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 4, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.988 SIPService::OnEvent(IApplicationLayerEvent &), type: 6, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.988 SIPService::OnEvent(IApplicationLayerEvent &), type: 4, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.990 SIPService::OnEvent(IApplicationLayerEvent &), type: 8, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.998 SIPService::OnEvent(IApplicationLayerEvent &), type: 6, HasSignedIn(): 0, HasSignedOut: 0
Judging by your post (because you are using sipdir.online.lync.com) are you a Lync Online subscriber? Or does the user only have a Windows Live/Skype account?
Basically if you're using Lync Online, you can just sign-in using your Lync Online user name, which will either be something like [email protected] or if you have set custom domains it will just be [email protected]
It won't work with Skype/Windows Live accounts.
If you have an on-premise Lync externally you will connect through your Edge with the Mac client, or if inside the LAN you may need to install the root certificate from your internal Certificate Authority if you're using an internal issued rather than public (GoDaddy, Verisign, Digicert, etc.) certificate.
-
Allowing non-admin users to use certain programs without authenticating
I would like to allow certain programs to be run by non-admin users without forcing them to authenticate as an admin. Here is my example: I'm running Parallels Desktop with a VM to Windows. I want to allow my children to use this VM to access Windows programs. But, when starting a VM, the Mac OS requires an administrator to authenticate. Needless to say, I don't want my children to be administrators on the machine. I've been assured that this is not an issue related to how Parallels works (from the support team at Parallels). Instead, this is an issue with the Mac. I'm not sure one way or the other, but it seems useful to be able to (in general) allow non-admin users to use certain programs without forcing them to authenticate as administrators.
There is only one summary in the Mac help on allowing non-admin users to change the time zone settings by directly editing the /etc/authorization file. Does anybody know if this procedure would work for other programs?
Thanks!
If you know what the requested right is, that procedure can be applied to any right in an application with a graphic interface by duplicating and modifying entries. The contents of that file don't control usage of sudo in the Terminal.
(25922) -
Allow Non-Admin Users Update Software Installed In Their Computers
Hello All;
At our location, we have several users who are not always in the office. In some instances, the imac or macbook pro ask for several updates such as Office 2011, and Adobe CS 5 and 6. And, the second issue, these users are not part of the administrator group or ever will be the administrator of their computers.
Is it possible to adjust the authorization file to allow non-admin users to run these sort of updates?
or
Is there a product on the market that can push updates to all these different programs?
Thanks Kindly
Is there a product on the market that can push updates to all these different programs?
Apple Remote Desktop, for one. -
How do you enumerate domain users mapped drives????
I'm migrating file shares from Windows 2003 file cluster to a Windows 2012 R2 DFS shares. Unfortunately, users that are mapped to those shares off the file cluster are not being mapped via GPO or logon script. I discovered that users have manual static mappings that reconnect at logon. This, of course, makes it difficult to notify users or update network mappings. The answer? To see who is mapping to those shares. Yes, I've looked at Open Files from Computer Management but I also need to double check this against a script that can enumerate domain users' mapped drives.
I've tried the following and it returns nothing:
"GET-WMIOBJECT -CLASS WIN32_MAPPEDLOGICALDISK -COMPUTERNAME "NAME" | SELECT NAME, PROVIDERNAME"
Anyone know of a PowerShell script that would work??? Thanks!
Here are two similar questions, the responses to which might be of help:
http://social.technet.microsoft.com/forums/windowsserver/en-US/46881e57-62a4-446e-af2d-cd2423e7837f/report-on-remote-users-mapped-drives
http://social.technet.microsoft.com/Forums/en-US/56ba81a4-3836-48f9-ae7b-7e774c12655e/query-remote-xp-machine-for-list-of-mapped-network-drives-of-current-logged-on-user?forum=winserverpowershell
The long and the short of it is that it is not that easy to accomplish remotely. The simplest solution appears to be to run a script in the context of the logon session whose drive mappings you want.
Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate. -
Non-domain user authentication against SSAS on Active/Passive Cluster
Hello,
We have an Active/Passive SQL Server setup (DB1 & DB2 Servers) connected to a cluster for SQL & SSAS. I have a web server not on the same domain that I am trying to authenticate with SSAS. This works OK if I set the website to impersonate
myUser and I add local account myUser as an Admin on SSAS for the active server (DB1). But when this fails over to DB2 then it fails to authenticate. SSAS won't allow us to add myUser as an admin for local accounts on both DB1 & DB2 as it errors
adding the second one. Could anyone advise how such a scenario should be approached?
We have tried creating a domain user too which DB1 & DB2 can of course both share but I don't think the web server can impersonate this with being not part of the domain.
Thanks.
Hi Jcorker,
According to your description, you need to access the SQL Server Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
In SSAS we can use the solution below to achieve the requirement.
1. Create new domain account and impersonate the web site with that.
2. Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
However, you cannot create a local account with the same name on both servers. I have tested it on my local environment, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 are on different servers, you can create a local account with the same name on both servers. Please post the detailed errors, so that we can make further analysis.
Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
http://technet.microsoft.com/en-us/library/cc961481.aspx
Regards,
Charlie Liao
TechNet Community Support -
How to prevent a rdp user from mapping drives on the server ?
Hi,
User A from Domain A (using Win7 pro) is able to rdp to Server Z (Windows Server 2008) which is in Domain Z and is able to map drive.
My question is : How do I prevent User A from mapping any drive in Server Z ?
Please advise. TIA!
Hi,
if a user has access to the other share there is no way to prevent that user from mapping a drive.
However, you can remove the "map Network drive" functionality via policy, please see
http://msdn.microsoft.com/en-us/library/ms812045.aspx
That does not prevent users from mapping their drive manually using the "net use ..." command from a shell. While it is possible to restrict running of the net command, I do not recommend that (see
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b5012142-cfe9-4b24-99b9-d7ff3b84f0f4/what-security-policy-blocks-use-of-the-net-command-for-nonadmin-users?forum=winserverGP).
(What you may consider when having shares cross-forest: you can remove that authorized users permission from the share, replacing it by DOMAIN\Domain Users groups, etc. So access to the share is limited instead of using a share that a user has access to.
Please keep in mind that even when you remove the network drives a user can still access the resource via UNC.)
Regards,
Martin -
How can a non dba user manipulate the dump file outside of oracle ?
I have a business request to allow a none DBA database user to dump his tables and he can move his dump file on the Unix box from a file system to another file system. This user has a none oracle unix account. When using traditional exp, this is not a problem. But in expdp, all dump files are owned by oracle. Does anybody know how to change the ownership without a DBA involved?
Unix: Sun Solaris
DB: 10g
Storage: sand disk
Betty wrote:
following option 1, problem is now the command in the shell script like chmod 744 doesn't allow this none dba user to change the permission, since he doesn't own the file. you can test yourself:
changepermit.ksh 755
chmod 744 dump.dmp
So have the script owned by oracle:dba change the owner!
$ echo "" > bla
$ ll bla
-rw-rw-rw- 1 jeg users 1 Nov 10 16:53 bla
$ chmod 640 bla
$ ll bla
-rw-r----- 1 jeg users 1 Nov 10 16:53 bla
$ chown smk bla
$ ll bla
-rw-r----- 1 smk users 1 Nov 10 16:53 bla
$ echo "" > bla
/usr/bin/ksh: bla: cannot create
Note you'll have to move it unless you let oracle write to it. -
Allowing non-administrator users to deploy workflows
I need to allow users who do not have admin group access on the server to deploy workflows. How can I do this? Is there a group to which I add them (_pcastserver didn't work)? Ideally, I would like to enable persons in a few Active Directory groups to deploy workflows, but if they need to be individual user IDs, that's (marginally) acceptable.
Thanks,
Charles
From our Apple Sales Engineer:
"The closest thing to allowing non-administrators to be able to submit workflows would be to configure users or groups as Podcast Producer administrators only. They would then be able to submit workflows, and however be able to configure Podcast Producer within Server Admin.
Server Admin --> Server --> Access --> Administrators --> Podcast Producer
Add a user or group and grant the ability to administer. They will not have the ability to administer the server or escalate to root privileges."
These users still have access to Administer Podcast Producer with Server Admin though. -
Allowing the domain users Group to SCCM 2012 Remote Control
Hi There,
Been working on this issue for the last few days now and it's frustrating the crap out of me. My company has requested for all Domain Users to be allowed to Remote Control to everyone's computer. This is so that users will be able to show each other how to use in house application. In SCCM 2012 console, I've added the Domain Users to the Permitted viewer tab. I've also added the Domain Users group to the administrative user section, added the Remote operator role and assigned the ALL security scope to it. On another machine, I run the CMRCviewer to this machine and it prompts for username advising me the one I provided isn't authorized. When I check on the targeted machine, I can see Domain Users populated in the ConfigMgr remote control user group.
It seems only domain admins have rights to Remote Control in. I've only got one client setting defined (default policy).
the interesting thing is the following layout
WINDOWS XP ---> WINDOWS 7 prompts for username
WINDOWS 7 -----> WINDOWS XP works
WINDOWS XP -----> WINDOWS XP works
WINDOWS 7 ------> WINDOWS 7 prompts for username
Hi Dave,
1) yes, domain users is part of the "ConfigMgr remote control users". CMRCSERVICE.log shows the following:
=== Starting security handshake ===  CmRcService  11/03/2013 10:44:29 AM  4808 (0x12C8)
HandshakeWorker failed.. The logon attempt failed (Error: 8009030C; Source: Windows)  CmRcService  11/03/2013 10:44:29 AM  4808 (0x12C8)
Security filter server: DoHandshake failed.. The logon attempt failed (Error: 8009030C; Source: Windows)  CmRcService  11/03/2013 10:44:29 AM  4808 (0x12C8)
m_pSecFilter DoHandshake() failed.  CmRcService  11/03/2013 10:44:29 AM  4808 (0x12C8)
DoHandshake failed on server side. The logon attempt failed (Error: 8009030C; Source: Windows)  CmRcService  11/03/2013 10:44:29 AM  4808 (0x12C8)
Failed to do Handshake in Server. The logon attempt failed (Error: 8009030C; Source: Windows)  CmRcService  11/03/2013 10:44:29 AM  4808 (0x12C8)
Failed to create security context.. Security Handshake failed. The logon attempt failed (Error: 8009030C; Source: Windows)  CmRcService  11/03/2013 10:44:29 AM  4808 (0x12C8)
Failed to validate Security requirement.. The logon attempt failed (Error: 8009030C; Source: Windows)  CmRcService  11/03/2013 10:44:29 AM  4808 (0x12C8)
Failed to complete the RDP connection.. The logon attempt failed (Error: 8009030C; Source: Windows)  CmRcService  11/03/2013 10:44:29 AM  4808 (0x12C8)
I've confirmed this user is part of domain users as well. -
Allowing non-Administrator "Users" to use AEBS (1)
I'm getting tired of always having to "Authorize" other "Users" on my computer without Administrator Privilege when they wish to connect to my "Closed" AEBS. How can I work around this issue so all "Users" can connect to the AEBS?
It seems that I have originally stated the happenings incorrectly. It should have been titled:
Allowing non-Administrator (or Standard) "Users" to use the Airport Card freely
I am both the 'Administrator' and the 'User' in this scenario.
I log in as the 'User', without "Allow user to Administer this computer" checked in System Preferences. This is for enhanced security while surfing at home and also when using open networks on the road. This way an Authentication by the Administrator is required every time when changes to Mac OS X are about to occur.
And, as far as I am aware, MY 'User' keychain has all the passwords I need to do what I need to do.
It's when I am logged in as the 'User' and I go to 'Turn Airport on' (in the Apple Menu) that I get the 'Authenticate' window asking me to "Type an Administrator's name and password to make changes to Mac OS X".
How do I get around having to 'Authenticate' every time 'User" needs to turn the Airport on?