IOS - local user privileges

Hi Experts,
I have a requirement to create multiple users with different levels of permission. The requirement is that a user with low permission can only execute the following commands and no other commands:
"show interface fastether1/3"
"show ip ospf neighbor"
"router ospf"
What is happening is that when I allow something like "show interface", it allows the user all show commands.
When I allow router ospf with the commands:
privilege exec level 10 configure terminal
privilege configure level 10 router ospf
these commands allow all protocols under the router command.
Please help me configure this local authorization. I would also appreciate it if you could share any comprehensive document specifically on my requirement.
Thanks in advance
Yasir

Anybody, please answer my request.
Thanks
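The behaviour described in the question is how IOS privilege levels work: a user at level N can run every command whose level is N or lower, so a level-10 user still inherits all the `show` commands that sit at their default level 1, and assigning a level to a multi-word command such as `router ospf` also moves its leading keyword (`router`) to that level, which is what exposes the other protocols under it. IOS also has role-based CLI access (parser views), which permit only the commands listed in the view. The configuration below is an added example written for this thread; it is not Yasir's configuration or a Cisco sample. The view name, username and secrets are constructed placeholders, and the first block simply restates what was tried so the two approaches can be compared.

```cisco
! --- What was tried (privilege levels): the level-10 user inherits every
! --- default level-1 "show" command, and "router" itself moves to level 10.
privilege exec level 10 configure terminal
privilege configure level 10 router ospf
privilege exec level 10 show interface
username junior privilege 10 secret CHANGE-ME-junior

! --- Alternative (added example): a parser view that lists only the allowed commands.
! Role-based CLI access needs AAA and an enable secret for the root view;
! enter "enable view" with that secret before creating views.
aaa new-model
enable secret CHANGE-ME-root
!
parser view OSPF-VIEWER
 secret CHANGE-ME-view
 ! Read-only visibility: interface status and OSPF adjacencies.
 commands exec include show interfaces
 commands exec include show ip ospf neighbor
 ! Allow entering configuration mode, then only the OSPF process;
 ! no other protocol under "router" is reachable from this view.
 commands exec include configure terminal
 commands configure include router ospf
!
! Bind the low-permission user to the view rather than to a privilege level.
username yasir-junior view OSPF-VIEWER secret CHANGE-ME-user
!
! Authenticate vty logins against the local database.
aaa authentication login default local
line vty 0 4
 login authentication default
```

To check the result, log in as the view user, or switch with `enable view OSPF-VIEWER`, and run `show parser view` to list exactly which commands the view grants. Two caveats: `commands exec include show interfaces` permits the command for any interface, so restricting it to FastEthernet1/3 alone is something to verify on the target release rather than assume; and commands inside the OSPF process (for example `network` statements) live in a separate sub-mode and need their own include lines if the user is meant to change OSPF, not only enter it.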

Similar Messages

  • Network User with Local Admin Privileges?

    I have a small network (around 25 clients total) that was setup prior to my arrival. Each client has its own unique local admin (each machine was setup by the individual user) and it's become somewhat daunting to support them.
    All of the machines are connected (but not specifically bound) to an Open Directory and each is accessible via Remote Desktop, however I cannot push software updates, etc. without local admin privileges.
    I'd rather not create an account on each machine, nor do I want to completely lock down each computer (I'd like them to still have the flexibility to be admins so they can install apps, etc.)
    Is it possible to authenticate against OD and obtain local admin privileges?

    Yes.
    You can wipe all account information and then recreate a common initial admin account. This will make administration far easier as all machines will have the same admin username/password combination. Next, bind all of the systems to the domain and create domain accounts for all users on the server (likely already exist). Log in as the domain accounts and migrate permissions to domain ids. Finally, promote the user to the local admin group through System Preferences > Accounts on the workstation. You must enable the account as a mobile account in Workgroup Manager first. If you do not, the account will not cache to the workstation and you will be unable to add it to the admin group.
    Also, in a workgroup of 25, I would recommend rethinking the decision to grant local admin access to end users. This is asking for trouble as you will have no control over when updates are applied or even if they are. In theory (and probably in practice), you will have 25 completely different machines configurations. This is far harder to manage and troubleshoot than 25 systems with different admin accounts.
    If you must provide some level of autonomy, while not trivial, you might want to consider modifying /etc/authorization and granting limited admin rights to the users.
    Hope this helps - congrats on the opportunity

  • UAC - Standalone local user vs domain user

    Hi,
    I have an application that during first launch runs a regedit /s command to import some registry keys into the user's (HKCU) registry.
    I have discovered if I run the application logged in as a local user (No admin privileges) with a machine that is not joined to the domain, I can launch the application. I can also launch regedit manually with no UAC prompt.
    However if I join the machine to the domain and log in as a domain user (No admin privileges) then the application fails to launch due to a UAC prompt at the regedit /s stage and also trying to open regedit also results in a UAC prompt. Using the standalone local user on a domain joined PC also causes the UAC prompt to appear for both the application and directly launching regedit.
    Is this by design - as in the joining of a PC to the domain changes how UAC works? As a test I have moved both the user and computer in AD to a test GPO which has no GPO's applied except the Default Domain policies which have no UAC settings in them?

    Local group policy takes precedence over domain.
    Group Policy processing and precedence
    http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
    Previously your UAC prompt was not there, maybe because you have disabled UAC? Or did you run it logged in under the local admin/built-in admin?
    If UAC is not disabled/altered, the UAC prompt should appear for all users except the built-in administrator.
    http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7
    Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)

  • Unable to enter to user Privilege EXEC Mode with catalyst 1900

    Hello
    I am setting up a lab network. I have 10 Cisco 1900 series switches. But when I try to power up it shows the below message. I am not able to get into user privilege mode.
    Catalyst 1900 Management Console
    Copyright (c) Cisco Systems, Inc.  1993-1997
    All rights reserved.
    Ethernet address: 00-C0-1D-81-43-65
    1 user(s) now active on Management Console.
    Enter password:
    Catalyst 1900 - Main Menu
         [C] Console Password
         [S] System
         [N] Network Management
         [P] Port Configuration
         [A] Port Addressing
         [D] Port Statistics Detail
         [M] Monitoring
         [V] Virtual LAN
         [R] Multicast Registration
         [F] Firmware
         [I] RS-232 Interface
         [U] Usage Summaries
         [H] Help
         [X] Exit Management Console
    Enter Selection:
    Could you please tell me how I can get into user mode, such as
    Switch1#
    Thanks
    Navaz

    There were two versions of software for the 1900 series switches, one that was purely menu-based configuration and management, and the Enterprise version, which had an option to exit the menu and get access to a CLI. Note though that this is not Cisco IOS.
    There's a post, Catalyst 1900 Enterprise software, on the forum from 2002 that will give you some more details. As indicated in that post there's an option to upgrade to the Enterprise edition, but you obviously need to acquire the software.
    As per the responses from Richard and Leo, these are very old switches and, depending upon what you're trying to do with them, may not serve your purpose.
    Regards

  • AnyConnect and IKEv2 with IOS Local AAA

    Hi,
    Is it possible to utilise AnyConnect IKEv2 (terminating on an ASR1k) with the IOS Local AAA feature authenticate remote access using EAP-MD5, or is an external RADIUS server required to support user authentication? I was hoping to develop a standalone proof-of-concept using IOS Local AAA (with aaa attribute lists where appropriate) to store RADIUS 'User' and 'Group' profiles. However, I suspect I can only store the 'Group' profiles locally, and the user authentication requires an external RADIUS server supporting EAP-MD5 to support the tunnel method?
    Cheers,
    Matt

    Your NAT is nearly correct. There are just two small things:
    1) What do you want to achieve with this rule and the corresponding ACL? "permit ip any any" on the outside interface is probably a bad idea. Better to configure the needed ports directly with object NAT and specific ACL lines.
    nat (inside,outside) source static WAN interface
    2) The NAT exemption is nearly fine. This NAT rule is typically configured with two more parameters:
    nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

  • Anyone has experience combining local users with managed user?

    I thought this would be pretty common. We started with each user being a local admin user (12 Mac systems in the office). We now got a Snow Leopard server and wanted to migrate everyone to an Open Directory user. We did hours and hours of research and found a few supported ways to do this but are having some problems. One way was to send out an invitation email from Server Preferences. When the user receives the email he can automatically convert the current user into a managed user. However, the feature is supposed to synchronize the password between these two users, but it didn't for us, so now the user is left with a different password for the local account and the OD account. What is going on? Any tips?
    This is taken from a book that I am reading:
    From a Mac OS X Server email invitation—If your network directory service is being hosted from a local Mac OS X Server that is being managed via Server Preferences, then you can bind it automatically from an email invitation sent by the server’s administrator. Clicking the “Automatically Configure My Mac” button in this email will open the Accounts preferences and bind your Mac to the Mac OS X Server and tie your local account to the server account. Again, this process will synchronize the account passwords and can automatically configure client services. Further, the invitation email can have clickable links to other services hosted from the server like file and web services.

    I too was thinking about this, but punted after realizing it was too messy. My current solution is to make a local user called 'localadmin' and make this same user on every machine, give it admin privileges, etc. That way, if someone wants to install some software, they can fast-user-switch to localadmin, do the install, and then reset to their actual login. Once the logins are tied to an OD server and you become a 'managed' user, the individual can change their password locally and it will indeed update the OD master.

  • Add a local user to ASA 5512-x

    Hello people
    I am trying to add a local user to our newly purchased ASA firewall 5512-x.
    we do not have a Radius or AAA server
    I want to add a user who has 'view only' access level on the firewall, can I just add this new user without needing to bother with AAA?
    Cheers                  

    Hi,
    Interesting question, for me at least. I don't think that with the very default configurations you will be able to actually separate what each user can do, since if you use the "enable" password the user gains full access to all commands.
    I personally don't handle much of the AAA side of our ASA management. Therefore I have never had to handle the LOCAL AAA settings on the ASA and make sure that a certain user can only do specific things.
    I took a quick look before posting and it seemed to me that by default the commands on the ASA are set so that very few commands are allowed for Privilege level 0 and rest are at Privilege 15 which is basically the highest level and to which you get to with the "enable" password.
    To have the ASA define which commands are allowed for the user you will need some AAA configurations on the ASA, the LOCAL username configurations with specific privilege levels and modified privilege levels for the commands that you want to allow for the specific user accounts with their specific privilege level.
    If you can specify the type of things this user should see then I could try to create an AAA configuration for you for this purpose. It would be good practice for myself, since in our environments there's usually a separate AAA server involved.
    - Jouni
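The pieces Jouni lists (local AAA, a local username with its own privilege level, and privilege commands that lower specific commands to that level) fit together as shown below. This is an added example for this thread, not Jouni's configuration or a Cisco sample; the username, password and the choice of level 5 are constructed, and the three show commands are only illustrations of what a view-only role might need.

```cisco
! Added example for this thread; username, password and level 5 are constructed.
!
! Authenticate SSH logins and "enable" against the local user database, and
! have the ASA check each command against the user's privilege level.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
!
! A view-only user at privilege 5, below the default level 15 that most
! commands (and all configuration commands) sit at.
username viewer password CHANGE-ME privilege 5
!
! Lower only the show commands this role needs to level 5; everything not
! listed keeps its default level, so "configure terminal" is refused.
privilege show level 5 command interface
privilege show level 5 command access-list
privilege show level 5 command running-config
```

After logging in over SSH as `viewer`, the user types `enable` and gives the same user password; with `aaa authentication enable console LOCAL` the ASA places the session at the privilege configured on the username, which `show curpriv` confirms. Note that `show running-config` exposes configured secrets and hashes, so grant it only if the role genuinely needs it.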

  • Script to Temporary Elevate the admin rights to local user

    Hi Friends
    I believe this topic was already discussed, however I could not find a solution. Please help.
    I need a script (vb/PowerShell/bat etc.) which will run on a local user with admin privilege (it will be packaged and made available in the application store / Software Center (SCCM 2012); it will run with admin rights on the local computer) and grant admin privilege to the local user for 24 hours.
    My previous org had the same, however the source was a .exe file, so I am not very sure if they converted the script to an exe for privacy.
    Thank you
    Tanoj
    OSLM ENGINEER - SCCM 2007 & 2012

    Hi,
    Adds/Deletes a global group name or user name to a local group.
    net localgroup [GroupName name [ ...] {/add | /delete} [/domain]]
    Reference:
    Net localgroup
    http://technet.microsoft.com/en-us/library/bb490706.aspx
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Remote archive by local user

    Hai all,
    I installed Oracle 10g on Win2003 using a local user (not a domain user) with local administrative privileges (privileges only on the machine where the installation is done). Currently there is one archive destination on the local machine. When I tried to have a second destination on a remote drive, I am getting the permission error, and I've started the Oracle service SID using domain admin privileges; even then, I am getting the same error.
    Any idea ?
    Kai

    Thanks Amardeep,
    It is a RAC environment on Windows 2003. The client wants to have redundancy for archive logs. Currently there is one archive destination on SAN ASM. He wants to have one more destination for archive logs such that he doesn't lose archive logs at any point.
    Any idea ?
    Kai

  • Losing Local Domain Privileges/Rights

    I have a network that spans across the country with over 30 branches. Due to the sensitivity of our business, all domain clients' administrators were renamed at the domain level using a GPO. The password is also set at the same GPO. The administrators group membership is also determined at the GPO.
    However, there was a need to grant user support officers (their domain user accounts) local administrative permissions/privileges. This is also done at the GPO level on a Windows 2012 domain. The users are added to a group (Local-Admins) and the group is granted client local administrative privileges by adding the group to the Administrators group at the GPO level. The issue is that some users are able to work as administrators of the local PCs but others are unable. That notwithstanding, the ones that are working sometimes lose their local administrative privileges. What could be the cause of this?

    You haven't really articulated much information about this.
    The local machines need to all get the policy applied against them so have you verified that the failures are configured to receive the updated policy?  RSoP or GPResult should help.
    This really isn't a Directory Services question, but rather a group policy question, so I am moving this thread to the gpo forum.
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Shut down comp from local user

    Please, If I am login as root, there is an option Log Out and Shutdown computer. If I am login as local user, I can find only Log out button. How can I Shut down from local user? Thanks

    wmila wrote:
    > OK, so anyway, how can I easy shutdown comp from local user?
    If you have a laptop use the power button. Otherwise you will need to use sudo, rback, or some other software program to elevate your privileges so you can use an admin type command.
    An easy way is to just open a terminal window and then su to the root user and issue the init 6 command.
    alan

  • IPhoto Library shared among local users

    Does anyone know how to solve this problem:
    I want to have a single, global iPhoto library on my machine which is shared among all local users. In other words, I want to have a library where each user sees the same photos in it and where each user is allowed to add, remove or modify the photos within the library.
    What do I have to do to accomplish this?
    Kind regards,
    Michael

    I have done this for several years, using both iPhoto 4 and 5. My method wasn't very complicated, though, so maybe I did something wrong!
    Anyway, I took my iPhoto library from its original location, moved it to the "shared" folder found inside the "users" folder and reset the access privileges to the folder and all subfolders to enable free access for all users. That's it. In order to activate the shared library for each user you will have to delete the iPhoto folder inside each separate user's folder (make sure these are empty or backed up first, of course!). When you launch iPhoto it will give you the opportunity to find the library -- all you do then is to point it to your iPhoto library in the shared folder. Since you are now sharing the same library between users you shouldn't use iPhoto with several users active at the same time.
    As I said, though, when I saw that other reply with all the complicated stuff (I didn't read through it all, but it looked really impressive) I started fearing that I have done something wrong all along. But it has worked!
    Now I'm having difficulties, though -- I'm trying to use one library over my home airport network and that seems to be just way too slow for comfort.
    Kind regards,
    Oscar

  • What happens to my local user data? -newbie question sorry

    Hi All,
    Firstly apologies if this seems a dumb question, I've scoured the forums but I require something that fits my specific situation.
    I've had a (my first) MacBook for about 9 months, built up a fairly healthy local user, setup just how I like it, MobileMe, iTunes, Chrome, iPhoto library, lots of other apps, etc etc and so forth.
    I'm setting up a Mac Mini Server, and was wondering what I can do to join the new server, but take all my settings/downloads/iTunes etc with me... I don't want it all stored on the server, but I come from a Micro$oft Windows background. With MS, when you add a PC to a domain, login with the appropriate user account, you have a fresh profile, no settings, no files, no customisations etc etc is this also the case when I hit that Join Network Account server button on my Mac? Will I get a blank fresh account on my Macbook?
    I'm guessing this must happen quite often as people start their way into Apple technology and build up a nice healthy local account before branching further into the Apple world...

    The two laptops I use everyday have access to all the servers via my network account. It is set so that my user account is listed as having "no home" So I log into the laptop with my local user account with a UID of 501 but access all the network services via the go menu and my network account of the same name but with a UID of 1034.
    For all other users in the company, if they are on a laptop, I use network accounts. The machines are managed to ask if the user wants to create a mobile account when they login. For permanently assigned laptop users, the answer is yes. This puts their home on the laptop and ties them to that machine. I use mobile account syncing to make sure their critical data is copied to the server for backup.
    By having the machine ask to create the mobile account, users can answer no and login to their network home. The use of the laptop may be needed temporarily if a regular workstation is down.
    Once in a while I will need to convert a local account to a network account. While a bit more laborious than setting it up correctly at the beginning, it can be done.
    But I never let any user account have the UID of 501. I would set that up as the local admin account I use for installing updates and performing other maintenance. If needed, I would back up the user data and erase and re-install the OS.

  • SSO for application systems with local users?

    Hi all,  I'm new to Oracle Identity Management.  My company is going to implement SSO for inhouse applications.  However, some applications have their own local users (e.g. admin, guest, etc.) who have to login to the application system through the same interface.  We put all organization users in an Oracle enterprise Directory server, which is the authentication backend of the Access Manager.   After implementing webgate, such local users can't get authenticated.  I'd like to know if it's possible to configure particular users/applications to bypass SSO and use local authentication?     Thanks.
    Rgds
    /ST wong

    Possible solution is to create a new entry point for local users. Create two proxies one for actual user entry and another for local user. You can restrict n/w access to proxy with local login so that only few hosts based on your requirement who needs to access system with local accounts. This way you will have two web sites for single application.

  • [SOLVED]How to send email to a local user?

    I have installed Mutt, msmtp, procmail and I can send and receive emails to/from remote hosts and I'd like to send email locally also (to the recipients on the same machine as the sender).
    When I try to send email to a local user from the root account -
    echo "Test message" | mail -s "Test subject" localuser
    then I get an error that the connection to port 25 is refused, because the /etc/msmtprc file contains 'localhost' as the default account's host, and on the local host I don't have a mail server listening on port 25.
    When I try to send email from a non-root account which has in /$HOME/.msmtprc file a real email account on a remote server, then of course there is an error that the domain for the email address 'localuser' is not recognized.
    How can sending email to local users be enabled?
    Last edited by nbd (2014-09-30 22:33:37)

    If I understand correctly, postfix is a constantly running daemon. That seems to be an overhead for delivering messages that are only sent from time to time.
    ewaller wrote:
    > Out of the box, sendmail should be safe, but I think you have to enable local mail.
    Currently I have msmtp-mta installed, which is described as having sendmail functionality. If I install sendmail - will it be possible to send local email without running email daemons?
