Installation rights to non-admin domain users

I am looking for a GPO which will allow non-admin domain users to install specific software updates, mainly anti-virus, Adobe or Java updates.
Please suggest!!

Hi,
Sorry, it seems that we can’t do this.
However, we can consider using Software Installation Group Policy or WSUS to centrally update this software.
Regarding this topic, the following threads can be referred to for more information.
Allow non-admin users to install software updates of specific program
http://social.technet.microsoft.com/Forums/en-US/bb19a938-edae-459f-b2e1-b0ef2c836824/allow-nonadmin-users-to-install-software-updates-of-specific-program?forum=winserverGP
How to allow non-admin users to install software updates of Java, FLASH and Adobe Reader?
http://social.technet.microsoft.com/Forums/en-US/6a939857-6ec9-4100-8333-cddc27c3f58e/how-to-allow-nonadmin-users-to-install-software-updates-of-java-flash-and-adobe-reader?forum=winserverGP
Best regards,
Frank Shen

Similar Messages

  • Non Admin System User in Oracle Linux

    When installing OL 6-3 I am asked to specify the root user and at the end of the installation a non admin system user.
    I am slightly confused as to the purpose of this non admin system user.
    Q1. What is it for / not for and how does it differ from root ?
    Q2. Is it really just the Desktop Admin user ( whereas root is the superuser for the server as a whole ) ?
    Q3. Now that I have specified this non admin user - how do I change this role to another user I have created ( I made a poor choice of username in the first place ! ) i.e. does this non system admin user have any specially designated roles or privileges at Linux level, which I need to enable on the other user that I now wish to be the non admin system user ?
    Advice greatly appreciated,
    Jim

    Jimbo wrote:
    > When installing OL 6-3 I am asked to specify the root user and at the end of the installation a non admin system user.
    > I am slightly confused as to the purpose of this non admin system user.
    > Q1. What is it for / not for and how does it differ from root ?

    The viewpoint on modern *nix is that:
    - Logging in remotely directly as root is often a bad thing to be discouraged, and may pose a security threat.
    - Generally logging in as root is a bad thing; best practice is to acquire superuser privileges only when needed.
    This is so much so that some (most?) distributions are preventing a direct login by root at all, and then need a

    > Q2. Is it really just the Desktop Admin user

    Not really, essentially each user can maintain (administer) his own desktop ... though I expect there are ways of restricting this.

    > ( whereas root is the superuser for the server as a whole ) ?

    This is essentially true.

    > Q3. Now that I have specified this non admin user - how do I change this role to another user I have created ( I made a poor choice of username in the first place ! ) i.e. does this non system admin user have any specially designated roles or privileges at Linux level, which I need to enable on the other user that I now wish to be the non admin system user ?

    Most GUI tools running on root will realise root privileges are needed and ask for it.
    From a terminal window:
    To change to the root user use:
    su -
    to change to another user you may:
    su - otheruser
    ...... However this user may have trouble running a graphical program ...
    ( The alternative ssh -X otheruser@localhost .... is a simple way round this)

    > Advice greatly appreciated,
    > Jim

    Just as I finished preparing this I noticed Dude has already answered. I think we're saying essentially the same thing. I've fleshed things out a little more. Please be aware I could be had up for technical/conceptual inaccuracies in my reply; so please take as a general direction.

  • How to allow non-default domain users to set share folders.

    From Messenger Express, users who are in non-default domains cannot set any share folders, and only get an error message "You do not have permission for setting permission". However, users in the default domain can do it without any problem on the same server [iMs5.2].
    Is there any specific permission to allow non-default domain users to do it ?
    If yes, how to give this permission to these users ?
    Thanks & regards,
    Takuto

    Indeed it is fixed in the GA. Another way to set the alias table is to do it in the Admin client. If you add a connection to a user there is a new 6.5 button "set alias" that allows you to set the default alias table for this specific user. But it does not exist on a user group level.

  • How do I allow access to non admin network users to disk volume?

    I would like to allow access to a specific volume (disk) on one of our networked Macs (Mac1) to all users. I've set user accounts on Mac 1 for all network users. These users are "regular" users, not admin. They can access this disk (and all others on Mac1) if I log in as Admin set Users to Admin. If I do this, then users have access to ALL data on all disks. If I do not, leaving them as "regular" users, when they log in they only see public folders. How can I allow access to the one disk volume without making network users admin? I tried changing various settings for the volume in Finder Info (everyone else=read/write; ignore permissions) with no luck.
    Thanks
    iMac, ibooks, G5, Tibook, Mac OS X (10.4.4)

    Your observations are correct - by default, an "admin" user connecting over AFP can choose from available "volumes" (default) or "shares", whereas a non-admin user can only mount "shares".
    By default, the only "shares" on an OS X client machine are the users' "Public" folders, and unlike pre-OS X Macs, it isn't easy to configure your own share points. Apple's official statement is that users wanting this functionality should buy OS X Server.
    However, it is possible to create an arbitrary share point using 3rd party software called "SharePoints" (donationware). I have never used it, but it seems to be well regarded. Alternatively, you can do it manually following the instructions in this hint & comments (especially apw8's):
    http://www.macosxhints.com/article.php?story=20011108161839416
    Once the external drive (or folder on the external drive) is configured as a share point, it should be possible for non-admin users to select and mount it once they connect over AFP.

  • Using TMG to prevent non windows domain users from accessing internet

    Hello!
    I'm using Windows server 2008 and use it to run my company's Domain and I have a copy of TMG Server 2010
    My question is: if I installed the TMG on my Domain server, can I use it to prevent internet access for non-domain computers, and how is it done? I've looked around the internet but I couldn't find a way to do it so I thought I should ask here...
    Basically can TMG stop non-domain computers from accessing the internet ?
    thank you!

    Hi,
    Configure all clients as Webproxy clients and create Firewall policy rules which allow HTTP and HTTPS only for Windows users and groups from your Active Directory.
    best regards Marc Grote - www.it-training-grote.de

  • OBIEE administration login is failing for Non Admin Group User.

    Hi,
    I have created one user for testing and assigned given access to some groups other than Administrators. When I am trying to log in to the Administration tool I get the error message "Logon Failed". I am able to access the Presentation using the same login and am also able to create answers.
    When I assign the administrators group to the same user the login happens successfully.
    I am just wondering: in order to access the Administration tool, should the user be part of the administrators group, or am I missing some steps?
    Thanks

    As the name suggests, the Administration tool is for administrators. So if you trust a user to access the Admin tool then you supply the user with the Admin Password.

  • How to disable access to Server Preferences to non-admin local users

    My apologies if this has been covered in other discussions. I am new to Mac OS X Server. I have just set it up on an iMac. I have set up a Standard user account as well as the Administrator user account. If I log in as the Standard user, I can still open Server Preferences and make changes to all the server settings (as if I had Administrator access). Is there any way to disable access to Server Preferences (and other Server Utilities) for Standard users?
    Many thanks.
    Greg

    Hi,
    Please have a look into this.
    EAC is now a web-based management console, you’ll need to use the ECP virtual directory URL to access the console from your web browser. In most cases the EAC’s URL will look similar to the following:
    Internal URL: https://<CASServerName>/ecp (the internal URL is used to access the EAC from within your organization’s firewall).
    External URL: https://mail.contoso.com/ecp (the external URL is used to access the EAC from outside of your organization’s firewall).
    Note: There is no virtual directory for EAC. If you want to use EAC internally or externally, you need to use the ecp virtual directory to gain access.
    Please reply to me if you have any queries.
    Regards
    S.Nithyanandham
    Thanks S.Nithyanandham

  • Majority of reports missing for non admin users

    I have followed the instructions here (SCCM 2012–Reporting in console for non-admins (Reporting User Role) v2) to allow non admin users the ability to view reports in the console. So far, so good. However, when viewing the reports with the non admin user, only about 100 of the 400+ reports appear.
    Am I missing something here?

    The custom reporting one in the link I provided, and also modified versions of the following:
    OS Deployment manager (removed rights to All driver related items (drivers and driver packages), Boot image packages (except read access), Operating system installation packages).
    Application Administrator (removed Application>Approve; Distribution Point>Set Security Scope; Distribution Point Group>Set Security Scope; Global Condition>Set Security Scope)
    The reports missing we care about primarily are Software ones (companies and products and files).

  • A Solution for Enabling Sandbox activation by non admin users for testing (OIM 11gr2 PS2)

    I just wanted to post what I came up with as a solution to the problem of not being able to test the effects of sandbox changes for non admin level users prior to their publication. We are constantly making changes to the UI through sandboxes; the problem is that rolling a sandbox back isn't easy, and we cannot be sure of the effects they will have on non administrative users until they are published, since the out of the box sandbox link isn't available to non Sysadmin level users.
    To allow these non admin user accounts to test the effects of sandbox changes in our development environment, I did the following (as always, follow at your own risk):
    1. Create and activate a new sandbox.
    2. Close all open tabs (including the Home and Sandbox tabs) and click the "Customize" link.
    3. Click the view -> source drop down in the upper left.
    4. After the source is visible, click the Accessibility or Sandbox link to find the area that you will add the new "UserSandboxTest" (call it whatever you want) link.
    5. Add a new commandImageLink directly in the panelGroupLayout: horizontal item before the "switcher" item (see the UserSandboxLink in my screen shot below):
    6. Edit the Link you just inserted, entering whatever you want the link to display as in your browser in the "Text" field.
    7. Export the sandbox.
    8. Unzip the exported sandbox and navigate to the IdmShellV2.jspx.xml (path should be: \templates\mdssys\cust\site\site).
    9. Edit the IdmShellV2.jspx.xml file and find the new item you added in step 5.
    10. Add the following to the commandImageLink xml item: actionListener="#{pageFlowScope.uiShell.context.launchSandboxes}" rendered="#{oimcontext.currentUser.roles['SANDBOX_USER'] != null}".  Note: I used a new custom enterprise role, SANDBOX_USER, to control the display of the new link. You should substitute whatever EL conditions you need in the rendered property.
    11. Save your IdmShellV2.jspx.xml file and zip the contents back up, just like you would for any other customization.
    12. Import your newly edited sandbox back into the target environment.
    13. Publish the sandbox.
    This seems to work great for allowing us to test other sandbox changes effects on different types of users. 

    On step 10, adding the check to determine if the user should have access to the role ended up breaking access to the unauthenticated pages like the self registration page and the forgot userid/user login pages.  Non-authenticated users cannot execute the method to return the role, so that fails which leaves the page not loading.  To correct this I changed the rendered property to rendered="#{securityContext.authenticated}".  This prevents the link from displaying on non authenticated pages, but displays for anyone else who's logged on.  We only plan on using this in our development environment where no one but developers and system admins have access anyway, so it's not an issue that everyone will see the link.  I wouldn't recommend putting this in an environment where end users will be logging in and testing without developing a method (or finding another way to limit the display) that can be called by unauthenticated users to prevent them from seeing the link.

  • Find out who has given local administrator rights to standard domain user?

    In my organization I have faced problems with domain administrator; it seems that all of a sudden a standard domain user is having Local administrator rights. Can anyone please help me find out who has given local administrator rights to that standard domain user account?

    Hi,
    Based on your requirement, you need to enable the auditing in your Active Directory to identify the user/ group changes and WHO made the change etc.
    Checkout the below steps to enable auditing for AD User Changes,
    1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
    2. Right click the Default Domain Controllers Policy, and then click Edit.
    3. Navigate to Audit Policy node, “Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Local Policies/ Audit Policy”.
    4. Now enable the Success auditing for - Audit Account Management and Audit Directory Service Access.
    5. Execute the command “GPUPDATE /FORCE” in the Domain Controller to force apply the GPO settings.
    For Windows Server 2008 R2 and later versions, additional configuration is required in  “Advanced Audit Policy Configuration” section in Default Domain Controller Policy.
    1. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access.) 
        Enable Success auditing for the following settings
         - Audit Directory Service Changes
    2. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management.) 
        Enable Success auditing for the following settings
        - Audit User Account Management
    After completing the audit settings, configure SACL in Active Directory Users and Computers console for enabling the generation of AD Change events in the eventlog as shown below,
    Checkout the below KB article on complete list on Event ID and Description for AD Changes,
    http://support.microsoft.com/kb/947226/en-us
    Regards,
    Gopi
    JiJi Technologies
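
    With account-management auditing in effect, a group-membership change is written to the Security log together with the account that made it. The PowerShell below is an added example, not part of the original reply: event IDs 4728, 4732 and 4756 are standard Windows IDs that the thread does not quote, and the function names and the sample event are constructed for illustration so that the parser runs offline.

```powershell
# Added example, not from the original thread. Function names and the sample
# event are constructed for illustration.

# Security-log events for "a member was added to a security-enabled group":
#   4728 = global group, 4732 = local group, 4756 = universal group
$GroupAddEventIds = 4728, 4732, 4756

function Resolve-SidToName {
    param([string]$Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # deleted account, no DC reachable, or sample data: keep the SID
    }
}

function ConvertFrom-GroupAddEventXml {
    # Turns one event's XML into a "who added whom to which group" record.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        $idNode = $evt.System.SelectSingleNode("*[local-name()='EventID']")
        [pscustomobject]@{
            TimeUtc   = $evt.System.TimeCreated.SystemTime
            EventId   = [int]($idNode.InnerText)
            LoggedOn  = $evt.System.Computer
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Group     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            GroupSid  = $data['TargetSid']
            MemberSid = $data['MemberSid']
            Member    = Resolve-SidToName $data['MemberSid']
        }
    }
}

function Get-GroupAddEvent {
    # Reads matching events from a live Security log (needs rights to read it).
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = $GroupAddEventIds; StartTime = $Since
    } | ForEach-Object { $_.ToXml() } | ConvertFrom-GroupAddEventXml
}

# Constructed sample of a 4732 event (all names and SIDs are made up).
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4732</EventID>
    <TimeCreated SystemTime="2014-01-01T10:15:00.0000000Z" />
    <Computer>PC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@

# Offline run on the sample: who changed the built-in Administrators group?
$sampleEvent | ConvertFrom-GroupAddEventXml |
    Where-Object GroupSid -eq 'S-1-5-32-544' |
    Format-List TimeUtc, LoggedOn, ChangedBy, Group, MemberSid

# Live use, from an elevated session:
# Get-GroupAddEvent -ComputerName PC01 | Where-Object GroupSid -eq 'S-1-5-32-544'
```

    Point Get-GroupAddEvent at the machine whose Security log recorded the change: the workstation itself for a direct addition to its local Administrators group, a domain controller for a change to a domain group.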

  • Software always installs to Domain Admin account on connected PC-cant install to Domain User account

    I have completed the following steps:
    Set up Windows Server 2012 R2 Essentials successfully
    Successfully connected a Windows 8.1 Pro PC to the network by running the Essentials Connector software
    The PC has the following users: Original local account created when I installed Windows 8, Domain Admin account created when I ran the Essentials Connector account, Domain User created after PC was connected to the network.
    Everything seems to be working fine. I have installed MS Office 365 Pro, Skype, various other applications while logged in as the Domain User. Every one of these installs triggered a UAC prompt, which was expected, and after entering the Domain Admin credentials the install proceeded successfully. After install, the software was available to the Domain User, shortcuts appeared in the Start Menu or Desktop, appropriate directories were created in the Documents folder.
    All except for 3 applications - upon being prompted for permission to install, I enter the Domain Admin credentials, installation proceeds, but the software is installed to the Domain Admin account, not the Domain User account. Shortcuts appear on the Domain Admin desktop, not the Domain User account, etc. I've tried:
    Downloading a new copy of the software to the Domain User desktop & running it from there
    Right-click file, Install as Admin
    click file, Install as a different user
    Right clicking file, Properties>Compatibility & changing compatibility settings
    Right clicking file, Properties>Compatibility>Run as Administrator
    None of these options have changed the result; the software is still installed to the Domain Admin account as opposed to the Domain User account. Any idea why these 3 software won't install correctly but everything else has? Any suggestions as to how to install the software to the profile that doesn't involve making the Domain User an Administrator? Thanks for any help!

    Hi voltron5,
    Many programs may provide options: "install for everyone" or "just for current user", when you install them.
    Please check if there are such options during the installation process.
    If those three programs are all third-party applications, I suggest you contact the corresponding support and confirm this.
    If those three programs are Microsoft applications, would you please let me know specific information about those three applications, such as their names and so on? Meanwhile, when the installation completes, please check whether the software path was added to the administrator environment variables or the system environment variables.
    Hope this helps.
    Best regards,
    Justin Gu

  • Want to configure a GPO "Stop (domain) users [having admin rights] from installing software"

    Want to configure a GPO "Stop (domain) users [having admin rights for some particular users]  from installing/uninstalling software"
    Requirements :-
    1. Domain user should not be allowed to install/uninstall any software. All other actions can be performed by the user like an administrator can do.
    Please suggest if possible then how can I implement the same.

    Hi Amar Chand,
    You can do so by using certain Group Policy settings to control the behavior of the Windows Installer, prevent certain programs from running or restrict via the Registry Editor. The Windows Installer, msiexec.exe, previously known as Microsoft Installer, is an engine for the installation, maintenance, and removal of software on modern Microsoft Windows systems.
    You can try the following method to resolve this issue:
    Method 1: Disable or restrict the use of Windows Installer via Group Policy
    Open “GPMC”, create a GPO linked to the correct scope. You can refer to this article
    Create a new Group Policy object.
    Right-click it, click Edit, and then navigate to
    Computer Configuration/Policies/Windows Components/Windows Installer.
    In RHS pane double-click on Disable windows installer.
    Click Enable and configure the option as required. The "Always" option indicates that Windows Installer is disabled.
    This setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs.
    Click Apply to save this configuration.
    Run gpupdate /force on the clients. 
    For your information, please refer to the following article to get more help:
    Managing options for computers through Group Policy
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_wininstall_group_policy_computers.mspx?mfr=true
    Method 2: Restrict Programs from being installed via Registry Editor
    Open Registry Editor and navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    Create a String value with any name, like 1, and set its value to the program’s EXE file.
    E.g., if you want to restrict msiexec, then create a String value 1 and set its value to msiexec.exe. If you want to restrict more programs, then simply create more String values with names 2, 3 and so on and set their values to the program’s exe.
    Note: You may have to restart your computer.
    In addition, if you choose this method, you could deploy the registry configuration via GPO. Please refer to the following article:
    Configure a Registry Item
    http://technet.microsoft.com/en-us/library/cc753092.aspx
    Regards,
    Lany Zhnag

  • JDK 1.6 u12 installation on Windows XP as non-admin user

    I am working on a machine which does not grant my user the admin rights. I had wanted to use JDK with Netbeans. The Netbeans was available as ZIP file, but it required pre-installed JDK. I am not able to install JDK (latest version 1.6 u12) as non-admin user. Is this even possible and how?
    Operating System : Windows XP (SP3)
    JDK Version : 1.6 update 12
    User : Non-Administrator
    Thanks,
    Akbar.

    Contact your admin and ask him to install or to give you local admin rights.

  • Rights of a non-admin user

    When I install an application being an administrator, is the non-admin user able to modify anything in the new program folder?
    Vice-Versa: When I install an application which needs authentication being a non-admin user. Is this non-admin able to modify the program folder after installation with no authentication?
    To what security risks may I be exposed to when I always use a non-admin account? What can a script or application do?
    Can it cause code injections or change my startup folder or anything unwanted else (like hijacking my Safari or log my passwords)?
    Regards, Clemens

    The /Applications folder is only writable by administrators. Anything put inside cannot be modified by a non-administrator unless that non-administrator has been specifically given write access.
    > To what security risks may I be exposed to when I always use a non-admin account? What can a script or application do?
    A script or application running under non-admin can only modify files that are writable by that user; i.e. the contents of the user's home folder and not much else.
    > Can it cause code injections or change my startup folder or anything unwanted else (like hijacking my Safari or log my passwords)?
    Most of what you have listed are admin tasks; they can only be accomplished with an admin account, or from a non-admin account after admin authentication.
    As far as password logging, a malware running under a non-admin account could theoretically install a keyboard logging app inside your home folder, and transmit your keystrokes out without your knowledge. That's why it's important to practice safe computing even when running as non-admin.
    OTOH, a malware running under a non-admin account couldn't modify any existing applications to do this, whereas the same malware running under an admin account could. This is one more reason to save your admin account for tasks that need it and do everything else from a non-admin account.

  • (Windows Server 2003) Cannot run SQLSERVERAGENT service under non admin user after SP1 Installation

    Hi All,
    I need a hand here. Referring to this knowledge base on Microsoft (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q283811), I applied this knowledge base, and it worked; the MSSQL and SQLSERVERAGENT have run under a local non admin account.
    But after I installed SP1, the MSSQL service is OK, but SQLSERVERAGENT won't run. The warning message is: "Some service run and then stop if they have no work to do."
    Is there any way I can install SP1 but at the same time run SQLSERVERAGENT under a local non admin account?
    Your assistance will be much appreciated
    thank you very much in advance.
    Felix Adhitya

    Please go to the windows services list and check that the service is configured as start Automatic first
    1. run -> services.msc -> look for a service named "SQL Server Agent" -> properties
    2. make sure the startup type is Automatic
    3. start the service again.
    4. If it stops then post for us the full error message from the sql log file
    5. move to the "Log On" tab and check what Log on you are using (this will be used for next step if startup type Automatic did not help, therefore write this information).