Make OD accounts Local Admin!!!

Wondering if anyone might know how to do this, if possible. Would like to take
an OD network account and give that user admin privileges on a particular station.
This is possible on the Windows side of the house, but I don't see a way to do
it on the Mac side. The only thing I can see is to make an account an Open Directory administrator, which is not something I want to do.
Thanks in Advance!!!

Hi
Launch WorkGroup Manager and create a new Computer List. Don’t be tempted to use the default ones; call it something meaningful. Click the diaeresis button (the one with 3 dots) and search for the client you are interested in; it should show itself in the discovery window. If you have given the client a unique name in the Sharing Preferences Pane then that should display itself, making it easier for you to pinpoint the client. You could also add the desired client’s MAC address manually (which is actually a better way to do it). You can do this a number of ways, but if you are sitting at the server and you know the client’s IP address just ping it using Terminal. Let it ping a few times and then stop the ping with control+c, then issue the arp -a command. The resulting return will show you the MAC address against the IP address.
Once you have added the client to the computer list you can select Access and restrict or allow access by Group. You get two options: "All Groups can use the computer" and "Restrict to groups below". Add a group that is populated with users that you want to be able to use that client. If you create a local admin account with the same name and password as exists in the LDAP node that should tie it up even further.
It's possible that this will work.
Tony

Similar Messages

  • How to make Windows 7 local admin user account transparent

    Previously with Windows XP, I would use the autolog.exe to have the local Windows account log in transparently while the user would log in via their Novell credentials. My company would like to roll out Windows 7 now, but unfortunately, we are unable to make the Windows local account log in transparently. I do not want my users to know this password - also it would really confuse them as they are not tech savvy enough to understand it.
    Is there a way that I can make this happen? If you need more information, please ask and I will provide. Not sure what other info may be required here.
    I am using Novell Client 2 SP2 - I find the SP3 to be problematic, but if SP3 would resolve this, I am open to the idea.

    Kristaranglack,
    > Previously with Windows XP, I would use the autolog.exe to have the
    > local windows account login transparently while the user would login via
    > their novell credentials. My company would like to roll out Windows 7
    > now, but unfortunately, we are unable to make the windows local account
    > log in transparent. I do not want my users to know this password - also
    > it would really confuse them as they are not tech savvy to understand
    > it.
    The easy solution is autoadminlogon:
    https://wwwstage.provo.novell.com/su...php?id=7013307
    But a far more elegant solution would be to use ZENWorks
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)

  • Make mobile account with admin permissions without administrator INFO...

    How do you bypass the admin permissions with a mobile account? How do you make a mobile account unlock things? How do you do the secret and rare system administrator login screen, where it says System Administrator up on the top, where nothing would be there? How to force your computer to go to single user mode, not command s or apple s, because that doesn't work for me? How do I enable the iSight camera with no admin password, no terminal? Is there an extension for Mac so that it will run and unlock things or open programs without administrator permissions? I need something that will UNLOCK MY macbook, please help. Where can I download password reset.APP for free that comes in the Mac OS X Leopard disc? Thanks for the help...

    Why don't you just use your OS X install disc? It has a password reset utility on it.

  • Local admin rights when Edit locally

    Hello, all!
    We have the same problem as in
    Local Admin rights to "Edit Locally" ?
    "The end users do not have administrator rights on their local PCs , they logon to the domain server with restricted rights. When it comes to portal, when trying to edit a document with "Edit locally" it is not possible to do is even if the user has all the rights for the document in the Portal KM configuration. When we make the user local admin, everything is OK"
    We are on SPS14, Windows XP SP2. Domain users can run corresponding applications and can create dirs or files in a temp directory. We also utilize env. variable SAPKM_USER_TEMP but with no success.
    Could you please suggest how to find the rights needed to execute Local Edit? Is there any way to trace this Docservice ActiveX?

    Hello Roman,
    here is a note which describes a solution for a user account with restricted rights:
    The Edit Locally ActiveX will be installed based on the following installation steps:
    The browser will recognize that the KM DocService ActiveX has to be started.
    In case the ActiveX isn't installed on the PC, it will be downloaded from the KM server (...etc/docservice/docservice.cab)
    The browser will extract two DLLs from the docservice.cab file (docservice.dll and sapkmprogressplayer.dll) and register them on the local PC. To see if the installation succeeded you can open the following dialog within the browser: Tools/Internet Options/Settings/View Objects, and look for program file SAP KM DocService Control.
    Registry keys in following areas will be created:
    Area HKEY_CLASSES_ROOT:
    HKCR\AppID\{5F8983A6-347C-46B9-BA7A-1B87E5DAE0BC}
    HKCR\ProgressPlayerMod.ProgressPlayer
    HKCR\ProgressPlayerMod.ProgressPlayer.1
    HKCR\CLSID
    HKCR\TypeLib
    Area HKEY_LOCAL_MACHINE:
    HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/DocService.dll
    HKLM\Software\Microsoft\Code Store Database\Distribution Units\
    When these steps finish successfully the installed version can be located within the browser dialog Tools/Internet Options/Settings/View Objects, SAP KM DocService Control, and then KM DocService will start loading the document content from the KM server and start the corresponding application for editing.
    Installation with restricted user accounts:
    With restricted user accounts e.g. no access rights to create registry keys in the area of HKCR or HKLM etc., which lets the described installation fail, following installation procedure leads to success:
    Register the needed DLLs manually on the PC (e.g. via a shell command script) with a user account having enough access rights.
    1.1 Create an installation folder (don't use /windows/system32) on the PC and copy the DLLs (docservice.dll and sapkmprogressplayer.dll) to it (extract them from docservice.cab with a tool e.g. winzip).
    1.2 Open a command shell on this installation folder.
    1.3 Unregister possible existing versions with the following command:
    "regsvr32 docservice.dll /U " and "regsvr32 sapkmprogressplayer.dll /U "
    1.4 Register both DLLs with: "regsvr32 docservice.dll" and "regsvr32 sapkmprogressplayer.dll"
    1.5 If the two registration steps fail, check the permissions to write into the system registry.
    1.6 The installation folder does not need special permissions; the linkage to the DLLs will be done via the system registry.
    1.7 Additionally the following setting is mandatory to succeed the installation:
    Disable the "ActiveX Version Check" function within the KM Configuration
    SystemAdministration->SystemConfig->KnowledgeManagement->
    ->Configuration->ContentManagement->Utilities->Editing->LocalEditing-> ActiveX Version Check (Uncheck the checkbox)
    Setting a different TEMP directory:
    In cases that it is problematic to use the standard %TEMP% directory, setting the environment variable SAPKM_USER_TEMP pinpointing to a corresponding directory path (e.g. X:\SHARES\USERS\xxx\CheckedOutDocuments) will be also supported. If the access to that directory fails the standard %TEMP% directory will be used as fallback.
    Hope this helps,
    Michael
    Message was edited by: Michael Braun

  • Service accounts adding to Local admin group

    Hello Everyone,
    What are the risks with adding SharePoint service application service accounts to the local admin group?
    I see in many Microsoft blogs not to use the farm account to create service applications and that it is better to use a dedicated service account, but I didn't see any articles on why we shouldn't add dedicated service accounts to the local admin group.
    I am facing some GPO issue and one of my friends suggested adding the service accounts to the local administrators group to fix this issue, but I am not sure what the risks behind it are.
    Please let me know if you are aware of the risks.
    Thanks S

    The basic issue is that it increases your attack surface. If the service (and this goes for any application regardless of vendor or platform) has elevated access to the underlying system (e.g. Local Administrator, SYSTEM, root, and so forth) and that service is compromised, there is the possibility that the entire server would be compromised.
    Clearly, this is not a good situation.
    Having said that, there are two scenarios where a service account in SharePoint must be a Local Administrator:
    If you're running the Claims to Windows Token Service (C2WTS) as a Domain User. This account requires Local Admin.
    If you're provisioning the User Profile Sync Service, the Farm Administrator account must be a Local Administrator during the provisioning process (reason being is that it makes calls to the SAM).
    Trevor Seward
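One way to check a server for the exposure described in the answer above, as an added example (not code from the thread or from Microsoft): a PowerShell audit that compares the local Administrators group against an approved list and reports everything else. The account names, the `svc-` naming pattern and the function name `Get-LocalAdminFinding` are assumptions made for illustration.

```powershell
# Added example: report members of the local Administrators group that are
# not on an approved list. All account names below are constructed.

# Approved members and the reason each one is allowed. The C2WTS entry mirrors
# the exception named in the answer above; the account name is hypothetical.
$ApprovedAdmins = @{
    'SP01\Administrator'    = 'built-in local administrator'
    'EXAMPLE\Domain Admins' = 'domain administration'
    'EXAMPLE\svc-c2wts'     = 'C2WTS running as a domain user requires local admin'
}

function Get-LocalAdminFinding {
    param(
        # Objects with Name, ObjectClass and PrincipalSource properties,
        # the shape that Get-LocalGroupMember returns.
        [Parameter(Mandatory)] [object[]]  $Member,
        [Parameter(Mandatory)] [hashtable] $Approved,
        # Assumed naming convention for service accounts; adjust to your own.
        [string] $ServiceAccountPattern = '\\svc[-_]'
    )
    foreach ($m in $Member) {
        # Hashtable literals compare string keys case-insensitively.
        $isApproved = $Approved.ContainsKey($m.Name)
        [pscustomobject]@{
            Name           = $m.Name
            ObjectClass    = $m.ObjectClass
            Source         = $m.PrincipalSource
            ServiceAccount = [bool]($m.Name -match $ServiceAccountPattern)
            Approved       = $isApproved
            Reason         = if ($isApproved) { $Approved[$m.Name] } else { 'not on approved list' }
        }
    }
}

# Constructed sample membership so the example runs without touching a server.
$sample = @(
    [pscustomobject]@{ Name = 'SP01\Administrator';    ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\svc-c2wts';     ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\svc-spsearch';  ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)

# Show only the members that nobody has justified.
Get-LocalAdminFinding -Member $sample -Approved $ApprovedAdmins |
    Where-Object { -not $_.Approved } |
    Format-Table Name, ObjectClass, ServiceAccount, Reason

# On a real server, pass the live membership instead. S-1-5-32-544 is the
# well-known SID of BUILTIN\Administrators, so the call does not depend on
# the localized group name.
# Get-LocalAdminFinding -Member (Get-LocalGroupMember -SID 'S-1-5-32-544') -Approved $ApprovedAdmins
```

Recording a reason next to each approved entry keeps temporary grants, such as the farm account during User Profile Sync provisioning, visible so they can be removed afterwards.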

  • How to Reset Password of User while not connected to Domain using Local Admin Account

    How to Reset Password of User while not connected to the Domain using Local Admin Account
    (I have the use of a local admin account), and I want to help a user reset their password who has logged in the PC and had their credentials cached, but forgot this password. 
    In Local Admin Account :
    When I go to Control Panel, users, users, manager user ; I cannot see any users in this window except the local admin account, and, so I cannot reset a user password this way.
    When I go to lusrmgr.msc, then users ; the local admin account will display only. 
    If I go to command prompt and type "net user", this will not display any users who have logged in to the computer, and so I cannot use "net user" to reset a password.
    I don't want to use any disks, 3rd party programs, or create a VPN connection to the domain.  I just want to help a user who calls in and forgets their password.

    Hello Keith,
    I know this is an old thread but I'm trying to better understand how I could change the domain password while not on the network. What I'm getting from your post is that you:
    1. Create a local user account (not a domain user)
    2. Login with that local user account
    3. Connect to the VPN while logged in as a local user
    4. Log out of the local account and login with the domain credentials
    Now, my question is based on the assumption that the password created on the local account is the same password that one will use to login to the domain account? Also, is the local user account the same as the domain account?
    Thanking you in advance!

  • My macbook won't accept my administrator name even after I reset my admin password and keychain login password so I am unable to install or make any account changes. Suggestions anyone? I've been at this for hours now....

    My macbook won't accept my administrator name even after I reset my admin password and keychain login password so I am unable to install or make any account changes. I can't even install any software. Suggestions anyone? I've been at this for hours now....

    Try Resetting the PRAM

  • Can't Login to Local Admin Account

    Over the weekend I rebuilt an OS X 10.4.10 Server.
    I created a local admin account, then set up DNS & OpenDirectory Master. I created some admin accounts in the domain.
    I also set up a Panther Server as "Connected to a Directory System" and joined it to the Kerberos server on the 10.4 server.
    All the clients are connecting to the domain, and everything is working except I can't log in to the 10.4 server with the local directory accounts anymore. I have created a new account in the local directory and tried changing the passwords, but nothing works for logging into the local directory admin accounts. With the exception that I am able to SSH into the local directory accounts.
    Any suggestions?
    Message was edited by: iGary

    Does this help?
    http://docs.info.apple.com/article.html?artnum=307005
    LN

  • TS not enabling local admin account

    Hi all
    I am running SCCM 2012 R2 and am having trouble with a TS not enabling the local admin account. What I am trying to do with the TS is add the machine to a workgroup, don't install the Config Manager client, and enable the local admin account with a password set in the TS. It all works OK except for the local admin account remaining disabled.
    Any ideas greatly appreciated.
    Thanks
    SCCM is a beast

    As Torsten already said, the task should not be removed ("This task sequence step is a required part of any operating system deployment.", http://technet.microsoft.com/en-us/library/hh846237.aspx#BKMK_SetupWindowsandConfigMgr). If you want to remove the CM Agent you could execute "ccmsetup.exe /uninstall" at the end of the TS.

  • Network Account as Local Admin

    Hopefully an easy question: is there a way to specify a network account in WGM that will act as an administrator account on a local machine? Ideally I'd like to have a network account that I could log into that would give me administrator access to the machines on the network (that I've joined to that directory).

    Unfortunately, I think the answer is no. There is a way of doing it, but it's a bit roundabout.
    The account that you want to have local admin rights will have to be set up in WGM as a Mobile Account (in WGM select the relevant user, select Preferences, Mobility, Account creation/Creation tabs set to "Create mobile account......." = Always).
    Sorry if I'm saying stuff you already know, but always best to start from the basics.
    Mobile Accounts means the user account is copied from the server to the local machine and stored locally. It is then updated to and from the server at regular intervals. Once the account exists on the local machine, you can then go into System Preferences/Accounts, authenticate as the current local admin and select the "Allow user to administer this computer" check box.
    The trouble is that you then have to do this for every computer you intend to manage, which is a bit of a pain.
    So in summary, yes, it can be done, but probably considering the amount of work involved (depends to a certain extent on the number of machines you are administrating), it's almost easier to have a standard local account on each machine, which is the way I do it on my network.
    You never know, there may be another way of doing it like you want, but I've never come across it or heard of it being done. If anyone out there knows any different, please feel free to enlighten us both, lol.
    Message was edited by: MattLucas1505

  • Built-in Admin and local admin accounts can not logon locally

    When I attempt to log on locally to a Windows 7 client as the built-in administrator or local admin I receive the message "You can not logon because the logon method you are using is not allowed on this computer"
    I can logon as a network administrator.  I run gpedit.msc to see the current group policy.
    Local Computer Policy/Windows settings/Security settings/Local policy/User Rights Assignment/Allow log on locally is set to EVERYONE, Administrators
    Local Computer Policy/Windows settings/Security settings/Local policy/User Rights Assignment/Deny log on locally is set to NONE
    This makes no sense as to why the local admin or built admin cannot logon.

    Hi,
    What is the network environment? Are you in a domain? Group Policy processing has a precedence, local GPO has the lowest priority, please make sure that it's not overwritten by other GPOs.
    After setting the policy, make sure to run gpupdate /force to update the policy.
    Does this issue happen only on this specific computer? Another situation is that the profile is corrupted, delete the profile and recreate one, and check if it works.
    Yolanda Zhu
    TechNet Community Support

  • Add domain account in local admin in unattended

    I can use the following in unattended.xml to join user1 into domain1. Is there a way to be able to add user1 into local admin group in unattended.xml?
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <Identification>
                    <Credentials>
                        <Domain>domain1.com</Domain>
                        <Password>user1password</Password>
                        <Username>user1</Username>
                    </Credentials>
                    <JoinDomain>domain1.com</JoinDomain>
                    <MachineObjectOU>OU=Users,DC=domain1,DC=com</MachineObjectOU>
                    <UnsecureJoin>false</UnsecureJoin>
                </Identification>
        </component>

    Yes you can, check this:
    http://technet.microsoft.com/en-us/library/cc749246(v=ws.10).aspx

  • DFS - The replication group cannot be created - insufficient permissions - NOT DOMAIN ADMIN, LOCAL ADMIN

    Hi,
    I am trying to set up DFS replication on two servers. I am local admin on the servers but NOT domain account. Is it possible to create a Replication group anyway, or should I contact the Domain administrator to do the job?
    Thanks

    Hi,
    We cannot use local administrator to create a dfs replication group. By default, Domain Admins group can create a dfs replication group. You could also delegate to a user or group the ability to create replication groups and the user must add to the local Administrators group on the namespace server.
    For more detailed information, please refer to the article below:
    Delegate the Ability to Manage DFS Replication
    http://msdn.microsoft.com/en-us/library/cc771465.aspx
    Best Regards,
    Mandy 

  • DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end user's account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.” This is not ideal on many networks because the end users are not allowed to have local administrator access.
    The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue; I had to include end users in the workstation local admin group before they could search for recovery points on the DPM server. This is not acceptable practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable for version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
    set users=
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg
    Regards, Mike J. [MSFT]
    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
    ========================================================================
    $RC=setoption("WOW64AlternateRegView","on") 
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    $uservariable = "%userdomain%\%username%"
    If KeyExist ($DPMkey)
    $Userstring=ReadValue($DPMkey, "ClientOwners")
    If $Userstring == ""
    WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
    ? "Key created"
    else
    If not instr($Userstring,$uservariable)
    $Userstring = "$Userstring,$uservariable"
    WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
    EndIf
    Endif
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write to the registry, so ensure you configure it properly on the scheduled task.
    In case you use a service account on the scheduled task... the "$uservariable" will get populated with that account. As a workaround to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that is that the key gets created/updated only if the user logs on physically at that PC, but it will not work for anyone connecting through RDP.

  • Config manager client deployment script states the user is not a local admin

    Guys, I posted here a while back in regards to deploying config manager clients in a WAN environment. One of the suggestions was to use Jason Sandy's script. I finally got around to playing around with the script, however I ran into some strange problems while testing. I am deploying this via the user side of group policy, not the computer side. The script goes out and installs the client; the problem is when our users click on any Citrix application the script pops up a message box stating "the user is not a local admin". I don't see how that's the case because this group of users all have local admin rights on their systems. If I run this script as a domain admin or under the system account everything works smoothly. Citrix is the only application that's doing this, however this is a big deal because we deliver all of our enterprise apps using Citrix. So has anyone here run into this before?

    Hi,
    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as "Answered" as the previous steps should be helpful for many similar scenarios.
