Limited Admin Privileges/Specific Elevation of User Accounts

I'm hoping to create an account on my laptop for my roommate. I don't want him to have a full admin account, but he knows enough about computers that he could troubleshoot networking, and I want to enable him to install programs on the system. I'm not sure of the best way to go about creating an account which can elevate itself for specific tasks; I've never modified my sudoers file before, and I don't know how to do so to grant him access to the privileges he should have. I don't want to force him to use Terminal; I'd rather have him be able to enter a username/password for Admin privileges when prompted, whether that's his standard user account or a limited Admin account, but I want to make sure that account DOESN'T have access to modify anything in Users & Groups, can't create accounts with dscl, can't modify the keychain or hard drive partitions, etc.
Am I right in thinking the sudoers file is the best way to approach this?  How do I find out what processes to allow access to?  Does Network Preferences, for example, have any dependencies he will also need to be able to run?  Also, is there a good starting point/article on modifying the sudoers file for this type of thing anywhere?  <<clearly googling the wrong thing because my searches just tell me how to add someone to the sudoers file>>

To modify network settings he needs to be able to unlock the preference pane. If you can unlock one pane you can unlock them all, including Users & Groups.
While it is more feasible to allow him some latitude in the application-installing scenario, it's going to be a pain. The non-server version of OS X is just not set up for this. Either a user has admin privileges or he doesn't; there is no part way.
Again, if you trust him then you should also trust him not to do what you don't want him to do. If you tell him he can do x but please don't do y, and you think he won't abide by your rules, then giving him any access is potential trouble.
And again, if he can get to the machine when you are not around, he can do what he likes, privileges or no privileges.
good luck,
regards
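For readers who do want to see what the per-command grant the question asks about looks like, here is a sudoers fragment added as an example; it is not part of the original thread or the reply above. The user name `roommate`, the alias names and the command list are assumptions, and it has to be edited with `visudo` so the syntax is checked before it is saved. As the reply says, this only governs `sudo` in Terminal; it does nothing for the password prompts in System Preferences.

```sudoers
# Assumed account name: replace "roommate" with the real short name.
# Command aliases group the few binaries the account may run as root.
# Full paths are required; listing arguments (as for dscacheutil) restricts
# the grant to exactly those arguments.
Cmnd_Alias NETWORK = /usr/sbin/networksetup, /sbin/ifconfig, \
                     /usr/bin/dscacheutil -flushcache
Cmnd_Alias INSTALL = /usr/sbin/installer

# Password is still required (no NOPASSWD), and only for the listed commands.
roommate ALL = (root) NETWORK, INSTALL

# Deliberately NOT granted: dscl, dseditgroup, security (keychain), diskutil,
# and anything that opens a shell or editor, since each of those reaches full
# root once run with sudo.
```

Two caveats on this approach: `visudo -c` checks the file for syntax errors before you log out, and `installer` is weaker than it looks, because a package's own install scripts run as root, so anyone who can run `sudo installer` on a package of their choosing effectively has admin. If that is not acceptable, drop the INSTALL alias and install software for him yourself.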

Similar Messages

  • Limiting iTunes and QuickTime to one User Account in WinXP

    I'm the Dad and the admin on my XP machine.
    I have 3 non-admin accounts for the kids.
    Only 1 kid has an iPod and uses iTunes.
    No one else uses or needs iTunesHelper, iPodService, or QTTASK.EXE.
    I know that I can kill each service individually from Task Manager, but the non-admin accounts can't. They suffer the slowdown caused by these services running in the background and constantly going out to the web for unneeded and unwanted activities such as checking the Apple Store, etc.
    I don't want this behavior.
    I want to prevent these services from loading and running for all User Accounts except the one.
    Please give me steps to limit these services!!!
      Windows XP  

    As far as I can tell, this is NOT a solution.
    As I try to allow the one User Account to load and run the services, ALL accounts are forced to load and run them.
    As I try to disable the services from loading and running on other accounts, they won't load and run on the one User Account that I want them to.
    Does ANYone know of a way to disable iTunes, iPodHelper, and qttask from loading on selected User Accounts?
      Windows XP  

  • Ahh.. new update for ipod limits music to only 5 apple user accounts

    Please help. I recently downloaded the new software for my iPod. Until recently, I would grab music off my friends' computers. Now I have purchased some videos and when I try to add them to my iPod it says "only 5 user accounts allowed". I searched every one of the songs on the iPod and I could only find three accounts. Why is this happening to me?? Anybody else run into this problem?

    Try a restore "as new". This will completely wipe the iPod and re-install the firmware. A sync should transfer everything in the library to the touch (assuming sync settings are what you want). If this doesn't do it, a trip to the Apple store would be appropriate.

  • Create limited access user account

    Is there a way to create a user account for my child where I can make invisible (or inaccessible) the drives that I use for my work? I haven't found that option in Parental Controls.

    David Eells wrote:
    Thanks for your reply. There's a little confusion, as each drive lists three names:
    Two list Me, (unknown) and everyone
    Two list System, admin and everyone
    One lists Me, staff and everyone.
    What I was expecting was for each drive to list Me (primary account with Admin privileges), Admin (secondary account I created with Admin privileges), and Guest (child's account with limited privileges).
    No, that's not how Unix permissions work. They list permissions for the drive owner, primary group and everyone. It also lists ACLs if any are present, which give specific rights to various individual users, but those would have to be set by hand and won't show up by default. Group "staff" includes every user with an account on your computer. "Everyone" means absolutely everyone, including remote users without accounts. It's even lower than the guest account, which at least does have an account and as such is a member of staff. So what you need to do is remove all permissions from staff and everyone. You can also add rights to various individual accounts and groups. For example, it would make sense to give read+write access to the admin group. This will exclude guest and parental-controlled accounts but would automatically include any admin accounts you may have.

  • Software always installs to Domain Admin account on connected PC - can't install to Domain User account

    I have completed the following steps:
    Set up Windows Server 2012 R2 Essentials successfully
    Successfully connected a Windows 8.1 Pro PC to the network by running the Essentials Connector software
    The PC has the following users: the original local account created when I installed Windows 8, the Domain Admin account created when I ran the Essentials Connector, and a Domain User created after the PC was connected to the network.
    Everything seems to be working fine. I have installed MS Office 365 Pro, Skype, and various other applications while logged in as the Domain User. Every one of these installs triggered a UAC prompt, which was expected, and after entering the Domain Admin credentials the install proceeded successfully. After install, the software was available to the Domain User, shortcuts appeared in the Start Menu or Desktop, and appropriate directories were created in the Documents folder.
    All except for 3 applications: upon being prompted for permission to install, I enter the Domain Admin credentials, installation proceeds, but the software is installed to the Domain Admin account, not the Domain User account. Shortcuts appear on the Domain Admin desktop, not the Domain User account, etc. I've tried:
    Downloading a new copy of the software to the Domain User desktop & running it from there
    Right-click file, Install as Admin
    Click file, Install as a different user
    Right-clicking file, Properties > Compatibility & changing compatibility settings
    Right-clicking file, Properties > Compatibility > Run as Administrator
    None of these options have changed the result; the software is still installed to the Domain Admin account as opposed to the Domain User account. Any idea why these 3 programs won't install correctly but everything else has? Any suggestions as to how to install the software to the profile that don't involve making the Domain User an Administrator? Thanks for any help!

    Hi voltron5,
    Many programs may provide options such as "install for everyone" or "just for current user" when you install them.
    Please check if there are such options during the installation process.
    If those three programs are all third-party applications, I suggest you contact the corresponding support and confirm this.
    If those three programs are Microsoft applications, would you please let me know specific information about those three applications, such as their names and so on? Meanwhile, when the installation completes, please check whether the software path was added to the administrator environment variables or the system environment variables.
    Hope this helps.
    Best regards,
    Justin Gu

  • Any unintended consequences to separate admin & user accounts?

    Hi all,
    I work on a single-user system, but I have wondered if there were any security advantages to having separate admin and user accounts. I found an unrelated advantage: Parental Controls. Lacking self-discipline, I find myself working too late at night. Setting up Parental Controls might help me get more sleep, but this requires a separate admin account. I would need to create a separate account with admin privileges, then remove those privileges from my existing user account. Are there any unintended consequences to having one's user account not have administrator's capabilities? I do software development, but so far that is all in user space, i.e. applications vs. drivers. Any unintended consequences to setting up Parental Controls on my user account?
    Thanks,
    Scott

    You need at least one Admin account on the machine.
    There is a security advantage to running most tasks as a "general user" on another account, as the Applications and other folders/system can't be modified unless the Admin password is used (in General user).
    I run as General all the time. There is a slight hassle with installing programs into the Applications folder or moving things around in there, but it's worth it for the extra security, and I don't do it too often.
    Also, Software Update won't run automatically either. But it's best to wait for the others to go first sometimes and then proceed carefully.
    However, I don't know the effects on software development; you might be doing it in Admin space now and have no issue, but once you go to General you'll have to enter your password more often.
    Try it and see how it goes; you can always go back to Admin.
    Create another Admin account, log into it, change your Admin account to General User, and log out and into it.

  • Question about User Accounts and bugs

    Hello!
    I'm a developer and just started this iPhone app project, so I'm not really experienced with all this Cocoa/Mac/iPhone world yet.
    The thing is: I'm having this crash on the app running on the simulator, but this ONLY happens with my main user account. It doesn't happen on the device, on another account on the same computer, or on my coworkers' computers.
    I haven't found what's causing this, so I'm thinking about deleting my account and recreating it.
    Is deleting a user account like formatting it?
    Is there anything that I could try before deleting it? Like restoring permissions or the OS with the DVD... These are things that I read about in Mac Support.
    Any ideas?

    roam wrote:
    Is deleting a user account like formatting it?
    No, deleting it removes it. Like putting it in the trash and then emptying it.
    Importantly, you should create a new user account with Admin privileges and from that new account delete the older one. Doing it this way still leaves you with Admin control of your computer.
    Before you delete an account... as to your particular problem, there are particular forums concerned with application development. Click on the link below for more specialized forums regarding iPhone app development and your coding error.
    http://discussions.apple.com/category.jspa?categoryID=164
    Yeah, I created another account with Admin privileges; I'm just reluctant about the idea of having to configure everything again in the new account. I tried Stack Overflow and iPhoneDevSDK, and will try Apple's forum now.
    Thanks mate.

  • Visual Admin -- Granting login to other users

    I want to be able to allow other user accounts to get into Visual Admin. I gave these user accounts the super_admin role, but I still get the "Error while connecting". Can someone point me to documentation on doing this if it's possible? I searched help.sap.com, notes on service.sap.com, and all of SDN but didn't find anything.
    Thanks.
    Regards,
    Mel Calucin
    Bentley Systems

    Thanks!  It works!
    Regards,
    Mel Calucin
    Bentley Systems

  • Need local PHD user account to have admin privileges

    We are starting to use PHDs and have given our teachers admin-level privileges so they can install their own software, have access to certain system prefs, etc. When connected at school to the network, all works well. When at home, they do not have admin privs. Is there a way to make their local account part of the local admin group, on a global basis, so that we don't have to spend the time to go to every machine again?

    SYSDBA should never be used for anything other than backups and patching.
    Which of these two activities do you think appropriate for a user account?
    My answer is the same as Sybrand's. What you are asking is totally inappropriate.
    Far better to tell us specifically which actions you wish to perform and we will help you with the specific permissions you require.

  • Several user accounts with admin privileges.

    When I try to open a different admin account in the Users folder, it says I don't have permission. How can I open the other user account?

    You can't, in the Finder. The only thing special about an Admin account is that you can temporarily elevate your privileges to perform certain tasks. That does not include viewing other users' home folders.
    You can access it from the Terminal.

  • How do you use Time Machine to restore a specific user's account? I can't do it from the user screen because I am not allowed. I can't do it from the admin because I can't see other users in Time Machine.

    I can't restore my user account from the user's screen because I get an alert that Mac OS needs something. I can't restore in Time Machine from the Admin screen because I can't see other users' home folders. What can I do?

    See Pondini's TM FAQs for starters.

  • AUDIT action (create, delete, privilege escalation, set and change password from users account and group) users and admins in Solaris 10

    Hello.
    In Solaris 10 I need to audit process creation, deletion, privilege escalation, setting and changing of passwords, etc. from user accounts and groups.
    I set these settings:
    in file syslog.conf:
    *.info;mail.none;cron.none;audit.notice            @IP-Remote-syslog-server-SIEM
    in file   /etc/security/audit_control:
    dir:/var/audit
    flags:lo,ad,ex,cc,am,no,fc,fd
    minfree:20
    naflags:lo
    plugin:name=audit_syslog.so;p_flags=lo,ad,ex,cc,am,no
    in file   /etc/security/audit_user:
    root:lo,ad:no
    Now I see in the logs only the fact of a connection via SSH and processes run on behalf of users. Creation and deletion of users and changing of passwords are for some reason not logged.
    There are many users. Writing permissions for each individual in the file /etc/security/audit_user is not possible; it is likely that some new user will be forgotten. (Or is there a possibility to describe the audit for all accounts in one line of this file?)
    Where is the mistake?

    You are most likely hitting Bug 15779000 "user/role/groupadd/mod/del don't audit their use".
    And the fix is only available in S11.2.
    -- Renaud

  • User accounts, directory structures and selective access privileges

    Bought a new MacBook Pro back in April and only now am I getting down to using it. I was thinking of creating the following user accounts in the hope of creating a scheme that allows selective access to certain folders:
    Root - a super user account
    Admin - I don't think I should be logged in as the administrator all the time
    Jai Gill - my main account with all my work files including client information that is organised in a Workflow folder containing a Projects folder and a Clients folder (within which, each of my clients has a folder)
    Show Time - a secure Simple Finder type account for when I am running a client specific presentation or workshop to ensure all data for other clients is kept secure and away from prying eyes.
    When using the Show Time account, I would like to set it up so that only those files relating to the client in question are available for use. For instance, if I am running a workshop for Client G, I only want the folder for Client G available for use in this account and not any other clients. A few hours or days later, this could change to Client B or F or J etc so I need a way to easily secure the current client’s data and switch over to the other client’s data i.e., put away work and pull up new work.
    Would it be possible to create a scheme using aliases placed in Show Time’s Documents folder pointing at a client folder in my documents folder to allow this to happen? Would I have to create a group with the right access privileges to enable this to happen? Or is there an alternative method based on using the Shared files folder and some sort of script or application to create a duplicate of a client folder and use a scheme to synchronise it with the original client folder?
    Is this possible in Mac OSX? Any thoughts? Ideas? Applications/utilities that already enable this to happen?
    MacBook Pro   Mac OS X (10.4.9)  

    Hi Kiraly
    I cracked it today. Took a couple of hours to figure out some idiosyncrasies, but I'm now set.
    Here's what I did:
    1. Got copies of SharePoints, Workgroup Manager and ChronoSync.
    2. Logged into the MacBook Pro as myself, went into System Preferences and used the normal approach to set up an account for a user called Show Time.
    3. Using Workgroup Manager, created an additional workgroup called macshow.
    4. Made myself and Show Time members of macshow.
    5. Attached the MBP to my G5 using my 2nd-gen iPod's FireWire cable and cranked it up in target disk mode.
    6. Using ChronoSync, did a 'bi-directional' synchronisation of my Workflow folder into a location in the MBP's Shared folder (going to do this all the time).
    7. Shut down, detached, then restarted the MBP and logged on as myself.
    8. Located the Workflow folder in the Shared folder and, by getting information, set that folder and all its contents to be owned by me but accessible and R/W for the group macshow.
    9. Went two levels into the Workflow folder [Workflow/4 Delivery/Client T] and, using SharePoints, made the folder Client T accessible to the group macshow.
    10. Logged in as Show Time and accessed the Shared folder to find that my scheme had worked and I had access to the folder for Client T and all its contents.
    11. Logged out and went back in under my ID and, now using System Preferences, crippled the Show Time account down to Simple Finder with access limited to just a handful of applications like Keynote, Word, Excel, PowerPoint and Safari.
    12. Went back in as Show Time and it went into Simple Finder, and thereafter everything works great. Workflow showed up, as did the folder for Client T plus all its contents. Opened a few documents and presentations and they worked great.
    New learning points for me:
    1. I had to log out then log back in to make the access privileges stick when using the Show Time account.
    2. A number of locked Excel files prevented access privileges being set; I had to locate and unlock each.
    3. Using both SharePoints and Workgroup Manager may seem to be overkill, but it works, as these two applications helped in getting the groups sorted out as well as access to a specific folder.
    The best part of the above scheme is that I can at any time, using SharePoints, change the client folder being shared with the user Show Time through the use of the group macshow, i.e. change Client T back to my group and then pick, say, Client J or any number of other client folders and assign them to the group macshow.
    Thanks to you and the others who have posted on this and all other threads on this topic, I have sorted this out in one go.
    Jai
    PS in case you're wondering why it took me so long to get down to do it, it is something called client work. And may there be more of it too!
    iMac G5 and MacBook Pro   Mac OS X (10.4.10)   MacUser since 1984

  • Does Firefox respect user account control rules for windows xp sp3, anything to do specifically to enable that ?

    xp sp3
    1.5g R / 2.46g P4
    Edit: information copied from System Info troubleshooting:
    More Information
    1) Does the latest version of Firefox obey/conform to the rules for user account control for Windows XP SP3?
    2) Need I do anything specific at the time of installation and/or setting up/configuring preferences?
    3) Or do I need to install Firefox separately for the limited users or in each user's account?
    4) Would it be possible/desirable/necessary to install it directly into some folder of the user other than the common Program Files folder?
    5) In any of these situations, should I or should I not make the installation with 'Run As' admin privilege?
    6) If I install separately for the user(s), with/without admin privileges, will the install write to, or enable user activity to write to, the other common Windows folders (where user write is otherwise disallowed)?
    Please kindly clarify. I am waiting for an answer before I reinstall Firefox and a lot of other apps (these were done earlier, before creating the user accounts). Please note that I do not mind installing separately for any/all users. But security will be my preference as much as possible (PARANOIA). I am having to deal with a couple of users who can't understand all this, and the folks are too old to understand.
    Thanking you in anticipation
    neoser
    ------------

    As far as I recall from when I did use XP, the procedure was to install Firefox using an Admin account, preferably the Administrator account.
    By doing that the Firefox installer would create Firefox within the Program Files directory, and each separate user account could then use Firefox. Importantly, each user account has its own Firefox profile and so has its own separate and individual bookmarks, cookies, passwords, cache etc.
    IIRC, UAC was not available for XP. Permissions and what you could do would also differ, I seem to remember, depending on whether it was using FAT or NTFS. In some setups a knowledgeable admin account user could probably fully access any other account.

  • Network User with Local Admin Privileges?

    I have a small network (around 25 clients total) that was set up prior to my arrival. Each client has its own unique local admin (each machine was set up by the individual user) and it's become somewhat daunting to support them.
    All of the machines are connected (but not specifically bound) to an Open Directory and each is accessible via Remote Desktop, however I cannot push software updates, etc. without local admin privileges.
    I'd rather not create an account on each machine, nor do I want to completely lock down each computer (I'd like them to still have the flexibility to be admins so they can install apps, etc.)
    Is it possible to authenticate against OD and obtain local admin privileges?

    Yes.
    You can wipe all account information and then recreate a common initial admin account. This will make administration far easier as all machines will have the same admin username/password combination. Next, bind all of the systems to the domain and create domain accounts for all users on the server (likely already exist). Log in as the domain accounts and migrate permissions to domain ids. Finally, promote the user to the local admin group through System Preferences > Accounts on the workstation. You must enable the account as a mobile account in Workgroup Manager first. If you do not, the account will not cache to the workstation and you will be unable to add it to the admin group.
    Also, in a workgroup of 25, I would recommend rethinking the decision to grant local admin access to end users. This is asking for trouble, as you will have no control over when updates are applied or even if they are. In theory (and probably in practice), you will have 25 completely different machine configurations. This is far harder to manage and troubleshoot than 25 systems with different admin accounts.
    If you must provide some level of autonomy, while not trivial, you might want to consider modifying /etc/authorization and granting limited admin rights to the users.
    Hope this helps - congrats on the opportunity
