Limited Administrator

I'm wanting to set up what I am calling a limited administrator account on my Mac running Leopard. Basically what I'm looking to do is provide a user with almost all the rights of a standard administrator except ban them from changing network settings. There will also be a full administrator account that can do everything. I don't think there's a way of doing this via the GUI (if there is, please let me know), but if there is a command line way that would work as well. Thanks.
Message was edited by: anthropos9

That's true Niel - unless the full administrator has put a password on root that prevents the limited administrator from accessing root. But the user creation issue would be hard to get around I suppose - without taking that right from the limited administrator as well.

Similar Messages

  • Problems on Large Network, Limited Administrative Pull

    Alright, well I am full of problems here. First let me share the problem. I am on a very large network, over 100 sites, and tens of thousands of computers, 99% of which are Windows machines. The respect and support for Macs in this school district is nonexistent, so there is not going to be any favours to help out with these problems, like opening ports. I am merely a Tech Support student at the school, the only one that is willing to help with the little Mac lab we have. We have over 600 computers at the school, only 21 Macs.
    The department that owns the Macs, Yearbook Department, purchased Apple Remote Desktop 2 last year, a week before 3 came out. Since it was bought, there has been nothing but troubles. I know it is version 2, I am not sure if there are any updates installed. I am hesitant to do that, because I have to go to every machine and upgrade the software.
    Now to the problem, I have looked around and seen really nothing on the specific problem I am having. The issue that I have is when opening Remote Desktop, I see maybe a few machines connected, and it varies which ones they are. All the others either say, Offline, or something like "Remote Desktop not Enabled" Which I know for a fact it is enabled. What I need to know is, what can I do about this? I am just a student with the Admin password for the Macs, that is all I have, and all I can get. If any favour is asked to make it work, I will more than likely be laughed at and made fun of, even by older so called "Pros." It is very immature it seems.
    So the run down of some "fixes" I have seen have been this. Opening ports, not an option, Static IPs, not an option, forwarding ports, not an option, the only thing I have access to are the Macs and the Admin Mac. Also, I have had problems when starting up Remote Desktop and getting an "Unexpectedly Quit" dialogue. And one more question related to licensing. If we own the Unlimited license, can the Remote Desktop Admin software be installed on more than one Admin machine, the school is planning to get a few more Macs for video production. Currently the Macs we have run Panther and Tiger, should be the newest updates of each.
    Thanks for any help, I really need the answers quick, school is about to get out and I am a Senior, so I probably won't be back. And I really feel bad for the Yearbook teacher, because I am the first time anybody has really helped her out with any problems or not poked fun at her or completely ignored her.
     PowerBook G4 15"   Mac OS X (10.4.7)   1.67 Ghz, 1G RAM, 128MB VRAM, 80G HD, DL SuperDrive

    > Well, the DHCP addresses are on a 3 day lease, so it shouldn't reset unless we have a long weekend. If the IP on the computer does change, how does the ARD Admin find the computers again? That is what seems to be the problem, after IPs change, the Admin computer can no longer find it.
    One way is to rescan the network looking for the machines. This is not a desirable way to do it, but it works...most of the time.
    The better way is to have the machines check in on a daily basis and update their information. In ARD2, select machine(s), click on Manage -> Set Reporting Policy. By default it is set for midnight, change this to sometime during the day when you know the admin and client machines will be on. Click on Set.
    An important note is that the admin machine should always keep the same IP so the client machines can find it. If the admin machine's IP changes frequently, rescanning may be the only option.

  • Limit Administrator Access to only OS Level functions on a Windows 2003 (and up) Domain Controller Server

    I have read several articles such as:
    1. http://social.technet.microsoft.com/Forums/windowsserver/en-US/9c723f4a-51a7-4844-9dc6-0017355d694c/limited-administrative-on-domain-controller?forum=winserverDS
    2. Active_Directory_Delegation.doc
    Consider that a domain controller, doing no other functions than domain based functions (i.e. no file server, printer or app server) - is managed in two parts: The OS-only level, to read log files, server health monitoring, install OS-level Microsoft security patching and the second part being Domain management level (Users and Computers, Domains and Trusts, etc).
    For a given domain controller server, an outsourced support group needs to be responsible for the OS-only level access - they need no access to the Domain management level functions so they can fulfill contractual obligations (SLAs) for server uptime, patching etc.
    For the same given domain controller server above, there is an internal (non-outsourced) support group that will perform all Domain management level functions only. They want to manage the Domain on the Domain Controller servers, want the Outsourcer to manage the VM and OS-related tasks, but DO NOT want them to be able to access and change information in Users and Computers, Domains and Trusts etc.
    With that explanation, would putting the Outsourcer's AD-based account IDs in the Server Operators group alone be sufficient to allow OS-level management, like patching, reboots, etc but disallow access to Domain Management functionality (Users and Computers etc) - or does it need to be a combination of built in groups and delegated rights?
    Please consider that I am seeking a technical solution here - do not respond with "either trust your Domain Administrators or keep your junior admins from the server" as that is not a viable solution.
    Jason B. Allen

    Hi Jason,
    According to your description, you want to assign the OS-level management and Domain management rights to two groups separately, right?
    Based on my research, members of Server Operators group don’t have sufficient rights to install updates for Domain Controllers, you can refer to this article below:
    Default groups
    http://technet.microsoft.com/en-us/library/cc756898(v=WS.10).aspx
    You can configure Allow non-administrators to receive update notifications group policy so that non-administrative users will be able to install all optional, recommended, and important updates content for which
    they received a notification, except some updates which contain User Interface, End User License Agreement and so on, which still require domain admin credentials.
    To enable non-administrator users the ability of logging onto and shutting down DCs,
    Allow logon locally and Shut down the System rights should be granted.
    In addition, reading logs and monitoring server performance rights are included on Performance Log Users and Performance Monitor Users groups.
    More information for you:
    Step 5: Configure Group Policy Settings for Automatic Updates
    http://technet.microsoft.com/en-us/library/dn595129.aspx
    User Rights Assignment
    http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
    I hope this helps.
    Amy Wang

  • How can I give administration permissions to a specific user+group on wiki?

    How do I give administration capabilities to a specific user for only ONE specific group on my wiki server, not all of them.
    Anyone know the simplest way to do this?

    Really all I'm looking to do is to keep my web site exactly the same but limit the reading and writing capabilities of some users on specific groups/wiki pages/blogs but still allow them to read and write to other specific ones that somehow I would designate.
    For example: I'm setting up a group for multiple users (about 15), and they each have their own page within that group, however I want to give them very limited administration capabilities on the site, all I want them to be able to do is to edit their own page, NOTHING else in the group.
    There's gotta be a way to do this without 3rd party software installation that seems complicated enough on its own, isn't administration capabilities a fundamental part of wikis?
    Someone has to have gone through something similar, any help?

  • MDM Security Requirements

    Hello All:
    I am new to MDM Security Administration and would like to know how and what controls are available in the system. (Example controls on able, fields etc)?
    I am trying to compile a Task/Function Matrix which will help the functional teams convey their access requirement in the system.
    Help is much appreciated.
    Khurram

    Hi Khurram,
    > I am new to MDM Security Administration and would like to know how and what controls are available in the system. (Example controls on able, fields etc)?
    > I am trying to compile a Task/Function Matrix which will help the functional teams convey their access requirement in the system.
    MDM security is largely maintained by the presence of roles and users. We can have roles defined in MDM which will have proper authorizations. We can then create users and then assign them roles so that we can maintain the security in MDM. This all can be done through MDM console.
    These authorizations ensure that only users who have access or read/write authorization will be able to perform their respective tasks.
    This is what is mentioned in SAP Help documentation in this regard.
    A. MDM Repository Security
    A traditional SQL DBMS allows you to define basic user-level security to prevent unauthorized access to the database. You can specify the tables to which each user has access, granting at the table level either: (1) no access to the table; or (2) complete read/write access to the table, including access to all of its fields and records.
    By contrast, MDM supports a dramatically more flexible multidimensional security scheme that provides much more granular control over which users can access an MDM repository, which functions they can perform, and which tables, fields, and records they can access. The MDM security scheme includes:
    ●      Users. A user represents an entity that can connect to and access the MDM repository. Each user has a user name and password, and is assigned one or more roles that collectively specify the complete set of privileges for that particular user.
    ●      Roles. Each role specifies a set of privileges to access each of the MDM repository’s tables, fields, lookup record values, and records, and to perform each of the repository functions. The same role can be assigned to more than one user.
    ●      Privileges. For each repository function, you can either prevent or allow the role to perform the function, and for each table and field, you can grant the role full read/write access or read-only access.
    ●      Constraints. For the Masks table and some lookup tables (those referenced by at least one single-valued lookup field and no multi-valued lookup fields), you can specify the set of masks or lookup values that should be visible and accessible for the role.
    Precisely defining each role – and then assigning one or more roles to each user – provides very fine control over who can access an MDM repository and how they can access it.
    You can define repository security from within the MDM Console by working on the following administrative tables, which are located under a repository’s Admin node in the Console Hierarchy tree:
    ●      Roles. Defines the sets of functional permissions, access privileges, and record constraints that can be assigned to MDM user names.
    ●      Users. Defines the MDM user names that can access the MDM repository and manages their role assignments.
    Within a SQL-based DBMS, you can use views to precisely control field- and record-level access by various users. However, views are cumbersome to manage, and more importantly, degrade system response, often creating severe performance bottlenecks.
    B. Console-Level Repository Security
    Recall that MDM’s multi-level security model supports granular, role-based repository access to functions and data from within MDM client applications. This multi-level security model extends to administrative functions within the MDM Console itself.
    The MDM Console security scheme includes:
    ●      Users
    Repository administrators must connect to an MDM repository with an MDM user name and password before any administrative tasks can be performed in the MDM Console.
    ●      Roles
    The roles assigned to an administrator’s MDM user name determine which administrative functions are permitted or restricted for that administrator in the MDM Console.
    ●      Privileges
    Administrative, Schema, and Change Tracking functional groups on the Roles table enable granular control over access to all MDM Console functions.
    With these features, you can precisely define limited administrative roles for each of your administrators or administrative tasks. You can then assign these targeted roles to users instead of the Admin role, which retains full access to all MDM privileges.
    Kindly go through the link below to get additional info:
    http://help.sap.com/saphelp_mdm550/helpdata/en/8e/9f9c427055c66ae10000000a155106/frameset.htm
    Go to ->Repository maintenance->MDM repository security
    You will find enough information.
    Hope it helps.
    Kindly reward points if helpful
    Thanks and Regards
    Nitin Jain

  • Printing in Leopard, how to escape lockdown?

    OSX 10.5.4 server and client, with mostly network home users.
    We have installed postscript drivers for these large multi-function Canon printer/copier units on each floor - we've found an interesting issue where our users need to supply an admin password the first time they select one of these Canon printers - when I take a look at the info for the admin password dialog box, I can see that /usr/sbin/lpadmin is requesting the right for system.preferences
    Now, ideally I would like to be able to make this behavior stop but I know that printing in Leopard has become "more secure" -- in WGM that checkbox to "allow users to modify printer list" only works for 10.4 clients -- so I have decided that one way to circumvent this behavior would be to let some of my users be able to modify their systems. We're a school, so I'd want to allow my faculty and staff users to supply their username and password to make changes to printing, but not my student users.
    I thought I could add my "allstaff" user-group to my sudoers file, and either allow them to run /usr/sbin/lpadmin or allow them to modify system.preferences but I haven't figured out the correct context to make it work.
    I got the idea to modify the sudoers file via the "Neutered Admins: Creating a Limited Administrator Account within OS X" presentation by White & Pooser from this year's Macworld, but they didn't go into much detail on how to make this work in a network-user environment.
    The second issue I have is if I can find a way to let my "allstaff" group modify printer-lists, how do I get this out to my 300+ desktop and laptop machines? If there was a way to nest my "allstaff" user-group in the admin group +on my machines+, then I could conceivably get MCX to hand that info down to them, correct?
    Any ideas or comments?

    Hi
    Just tried and with the photo showing in the main photoshop window hold the shift/apple(cmd)/4 keys and you will see a cross hair, click and drag that from the top left of the window to the bottom right and release.
    You should now have a grab of the pic on you desktop.
    Tony

  • Script for mapping drives?

    Is there a script or anything out there that will automatically map a users H: drive on a network. We do not have any apple servers and I was wondering if it would be possible to do. Also is there anyway for a local user to add printers without giving them the local admin passwords? I work for a University and we are starting to deploy MACs so any help would be greatly appreciated. Thanks.

    This probably isn't the best forum for asking these questions since this forum is specifically for issues with installing Mac OS X Server, but here are a couple of resources to get you started:
    Automounting shares:
    http://www.bombich.com/mactips/automount.html
    Running scripts on login/logout:
    http://www.bombich.com/mactips/loginhooks.html
    I don't know of any way for a user to be able to add a printer without having administrator rights, but you might check out the video from MacWorld 2008 on creating a Limited Administrator Account on this page:
    http://www.macworldencore.com/online/presentation.asp#
    and see if that would help. There are a lot of resources available for managing Macs; check out some of the other videos on the MacWorld site, and explore http://www.afp548.com/ as well.
    If you have further questions, you'll be most likely to get quick and accurate answers if you post in the appropriate Mac OS X area:
    Mac OS X 10.5 Leopard
    Mac OS X 10.4 Tiger
    Regards.

  • Zones vs Micropartitioning

    I am trying to position the advantages of Zones vs the micropartitioning capabilities of other vendors for management. I am not that familiar with HP's or IBM's implementation of micropartitioning. Can anyone provide a comparison/contrast.
    Thanks
    Terry Adams

    That's a huge topic. I tried to write a paper detailing all the various software and hardware partitioning technologies out there, namely to make Zones look really good. After a week of work on it I gave up.
    But here's the quick version:
    1) Linux: User-Mode Linux, VServers, Xen. All 3 of these are just too unstable for serious production use. VServers and Xen can be handy and are stable enough for Apache webservers and small edge applications, but not for the timid right now.
    2) HP: vPars. 1 Partition per CPU. If you've got a 4 CPU system, you can run 4 partitions. That's it. Central management is limited, administration a pain.
    3) IBM: LPARS: The IBM solution can go both ways, hardware and software.. in so much that they just share the same name. Hardware partitioning is a mess requiring an external system controller (a small Linux box) similar to the SSP of older StarFire's. The software solution is similar to HP's.
    Ok, the #1 problem with the HP and IBM solutions is that you really are partitioning hardware. You dedicate devices to the partition, you allocate CPUs to the partitions, etc. Supposedly you can have some limited ability to dynamically reallocate as need be, but I think that's more theoretical than anything because reallocation would certainly require a reboot (same problem as Sun DR with things like Oracle).
    The problem ALL of them suffer from is complicated administration. All of these methods run their own individual instance of the OS. To install HP vPars they recommend/require that you use an install server to install all the instances of HP-UX. Either way, you've got this massive mess on any of these systems, all these different OS installs to manage, and patch separately, etc. Really, the software implementations aren't much different in practical terms than a hardware solution on these platforms.
    Zones are more flexible, more powerful, less hassle, and more manageable than any other solution available. On the blogs we saw an Ultra10 with a single CPU running 80+ zones! He scripted the creation. Try that with vPars or LPARS! Just like usual, IBM does something the hard way just to do it and then HP tags along doing it worse.
    Please note that I've never personally used vPars or LPARS, but I'd like to try 'em. My research is based on the manuals for these products on the vendor sites.
    Long live Zones!
    benr.

  • Please Help:  OSX Server at home  vs Commercial Dedicated Hosting.

    I've been considering a dedicated hosting service like GoDaddy or 1and1. I ultimately want to have an ecommerce site with downloadable products ranging from 1mb to 1gb. Most of these commercial hosting companies charge a lot for little bandwidth, storage, and ram. I would like to know if getting a business Internet service and running snow leopard server would suffice for a young web developer looking for a better bang for buck. I already have a mac pro. Any help is greatly appreciated.

    Depends on if you're looking at shared, reseller, or true dedicated hosting (only user on the server). I would only use dedicated because of the need to have more administrative privileges when running an eCommerce site.
    I already had reseller hosting and I was looking at dedicated for running an eCommerce site. You're looking at $135.00 per month starting price for dedicated. That's why I chose the OSX server for myself. I got a static IP, moved all my sites to the OSX server, cancelled my reseller account and I'm saving $15/month. Only 78 more months of savings to payoff the Mac mini server.
    There are pros and cons to both.
    OSX
    PROS: you have full access to anything on the server; you can install any patches, upgrades, accelerators, etc. when ever you want; only monthly fee is the electricity and internet (both of which you're already using).
    CONS: takes a while to learn for beginners; possibility to mess something up, security is all on you; backups are all on you; downtime based on your power grid and ISP.
    HOST
    PROS: they're probably going to do some backups and security checks for you; up-time is 99.9%; faster connection; stronger firewalls; tech support
    CONS: the high monthly cost; limited administrator privileges;
    I'm sure I have left some information out but you just need to do all your research until you're ready to make a jump. I went back and forth for 6 months before just driving to the Apple store one day and pulling the trigger.

  • How can I stop IT from forcing my home page?

    IT is forcing my home page to one of their choice. I can partially overcome this by supplying a target to the quick-launch icon. But when I hit <ALT-HOME> I go to their page, not mine. Changing Tools->Options->Home Page doesn't work. They have blocked it from being saved. I have limited administrator privileges, but apparently not enough to thwart their nefarious schemes. Any suggestions?

    Start Firefox in Safe Mode to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
    * Don't make any changes on the Safe mode start window.
    * https://support.mozilla.com/kb/Safe+Mode
    You can open the about:config page via the location bar and do a search for jzip via the Filter at the top of the about:config page.
    You can reset all jzip related prefs that appear bold (user set) via the right-click context menu to their default values.
    See also:
    * http://kb.mozillazine.org/Preferences_not_saved
    * https://support.mozilla.com/kb/Preferences+are+not+saved

  • Extend Guest Network

    My apologies if this has been asked before. I've searched the forum and I can't find any particular posts which explicitly states that this cannot be done.
    I have an early 2009 Time Capsule(500GB) which is my main wireless AP which is connected to my Cable Modem. I have set up the Guest Network Access and it is working flawlessly. However there are some major blindspots on the ground floor of my house so I just recently bought an Airport Extreme to extend the network off the TC wirelessly.
    As expected my network reception throughout the house is now excellent however it seems that the Guest Network wasn't extended. Is this by design or is it due to my configuration? I really want to extend the guest network as well or else my guests will have to go all the way up to the 2nd floor at least to access my network.

    If it is not a bother may I know why this is not possible? Is it due to technology constraints or due to Apple's own decision?
    Apple has not provided a lot of detail surrounding the design of their Guest network option on the new AirPorts & Time Capsules. It is believed to be an implementation of VLAN technology ... with (currently) limited administration offerings.
    If you have a requirement to provide isolated wireless networks, you would have to look at another vendor's solutions to do so. One example would be the Cisco RVS4000 which provides L2 switching capability.

  • Can I download Firefox on my Administrator account but have it not be accessible to the Limited User Account?

    I have Windows XP and want to know if I can download and use Firefox on the Administrator account only and it not be accessible to the limited user account. The reason is we don't want our kids having access to more than one tab at a time. Any suggestions?

    Yes you can,
    1) Locate the firefox.exe file in a directory similar to C:/program files/mozilla firefox/firefox.exe
    2) Right click it, select "properties"
    3) Add access to your account and remove any entries for other accounts you don't need.
    Please let us know whether that works for you.

  • How to run IE with administrator privileges on limited user account?

    Hello,
    I have a domain user who needs to access a certain web application on the internet using IE and to do so we have to add this website to IE Trusted Sites Zone and also allow Pop-ups, the issue now is that the domain user has a limited account on this PC (Windows 8.1) and changing these settings is not available. I only have (General-Connections-Programs) tabs available under IE Internet Options for this user.

     web application is not working just like before. Did i miss something?  
    Not necessarily. Some users have a problem with security packages which are "protecting" their registry. Also, during a beta I discovered that elevation of the Internet Options dialog and trying to do a RIES had resulted in the Administrator's Profile being nuked, not the one that was being targeted. Perhaps you are seeing a symptom from something like that?
    FWIW I would run ProcMon to find out what is going on. It would be best if you had two cases, one which worked and one which was the problem case. Then you could save both traces as .PML files and open them later to compare them in two separate ProcMon tasks. That way you can just filter coarsely to find a significant divergence in the two traces and then refine your analysis from there. Otherwise, if you don't have a clear hypothesis to test or know exactly what you are looking for you could try using the "Category Is Write" filter. That would show changes which were being done in both the Registry and File system.
    Good luck
    Robert Aldwinckle
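
The two-trace comparison suggested in the reply above, as an added example that is not part of the original post: it takes a working and a failing ProcMon trace exported as CSV, keeps only write-type operations, and reports writes that succeeded in the working case but failed or never happened in the problem case. The function names, the `WRITE_OPS` set (an approximation of the "Category Is Write" filter) and both sample traces are constructed for illustration.

```python
import csv
import io
import re

# Assumption: operation names treated as writes, approximating ProcMon's
# "Category Is Write" filter for CSV exports that lack a Category column.
WRITE_OPS = {
    "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
    "WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile",
}

def normalise(path):
    """Lower-case a path and mask per-account parts so that traces taken
    under two different accounts can be compared line for line."""
    p = path.lower()
    p = re.sub(r"s-1-5-21(-\d+)+", "<sid>", p)                 # user hive SID
    p = re.sub(r"^c:\\users\\[^\\]+", r"c:\\users\\<user>", p)  # profile dir
    return p

def load_writes(csv_text):
    """Map (process, operation, path) -> set of results for write events."""
    text = csv_text.lstrip("\ufeff").strip()   # exports may start with a BOM
    events = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Operation"] not in WRITE_OPS:
            continue
        key = (row["Process Name"].lower(), row["Operation"],
               normalise(row["Path"]))
        events.setdefault(key, set()).add(row["Result"])
    return events

def diverging_writes(working_csv, failing_csv):
    """Return (operation, path, note) for writes that succeeded in the
    working trace but did not succeed in the failing trace."""
    good = load_writes(working_csv)
    bad = load_writes(failing_csv)
    findings = []
    for key in sorted(good):
        if "SUCCESS" not in good[key]:
            continue
        _, op, path = key
        results = bad.get(key)
        if results is None:
            findings.append((op, path, "missing in failing trace"))
        elif "SUCCESS" not in results:
            findings.append((op, path, ", ".join(sorted(results))))
    return findings

# Constructed sample traces (not real captures): an administrator adds a
# Trusted Sites entry successfully, a limited user is denied.
WORKING_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","iexplore.exe","4120","RegCreateKey","HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test","SUCCESS",""
"10:01:02.0000002","iexplore.exe","4120","RegSetValue","HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\https","SUCCESS","Type: REG_DWORD"
"10:01:02.0000003","iexplore.exe","4120","RegQueryValue","HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\Main\Start Page","SUCCESS",""
"10:01:02.0000004","iexplore.exe","4120","WriteFile","C:\Users\admin1\AppData\Local\Temp\x.tmp","SUCCESS",""
'''

FAILING_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:15:40.0000001","iexplore.exe","5332","RegCreateKey","HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test","ACCESS DENIED",""
"11:15:40.0000002","iexplore.exe","5332","WriteFile","C:\Users\user2\AppData\Local\Temp\x.tmp","SUCCESS",""
'''

if __name__ == "__main__":
    for op, path, note in diverging_writes(WORKING_CSV, FAILING_CSV):
        print(f"{op:14} {note:26} {path}")
```
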

  • WRT610N FTP Administration: Limited Options

    I'm wondering if there's a way to get more options for FTP administration, or if there's someone I can contact for feature requests.  Basically, while an FTP server is quite a useful feature, the administration options are very limited, especially for security.
    It would be nice if home directories can be set for individual users, and be able to set directory permissions rather than just relying on permissions based solely on group permissions.  More important than anything else, is the ability to monitor the FTP site.  I set up a syslog viewer on my local machine, but it's limited to only the connections being made and broken, not allowing to view directory access.
    Any input will be appreciated.
    Thanks

    The features are limited under administration...

  • Where is the "Limited" Option on Workgroup Manager for User Administration Capabilities

    Hi, on Lion Server when we create an OD User, in Privileges window, we had the Administration capabilities: "Limited" Option, but on Mountain Lion there's only Full and None Options.
    Is there another way to limit the access to users?
    OPTIONS ON LION SERVER:
    OPTIONS ON MOUNTAIN LION SERVER:

    I think you have just gotten the updated layout that Google started rolling out last month: http://insidesearch.blogspot.com.au/2012/11/spiffing-up-your-search-results-page.html
    People have been publishing methods for reverting the layout, which mostly involve replacing some of Google style rules with new (old) ones. For example (I haven't tried it myself):
    Greasemonkey userscript: http://userscripts.org/scripts/show/152796
