Members of domain groups with administrative privileges no longer admins?
Have a strange behavior that I am not sure how to fix.
Using OS X 10.6.7 native Active Directory client to bind to domain. I have directory utility configured to allow administration for a domain group. At first things worked great and members of those domain groups were indeed admins on the machine however the next day one of these users logs in and they are no longer admins. If you run directory utility again using a local admin account you can see that those domain groups are still configured to allow administration but none of those users show as being admins. Then suddenly, as if I did anything, those users show as being admins again. Why? I don't understand how this can flip back and forth like that.
Was this ever solved?? We have the same issue with 10.8.3. It seems a network connection to your AD servers is required when logging in. Otherwise the check cannot be made and the user never receives admin rights. A huge problem for users with laptops that work offline.
Similar Messages
-
Access Denied when trying to access shared folders on the server with administrative privileges
I have problem accessing shared folder on the server machine from Windows 7 machine even if I try to access it with administrative privileges (server Administrator account). I will try now to explain better my situation.
In my company, we have small network infrastructure with one main server machine (HP ProLiant server) with Windows Server 2012 R2 installed and couple of desktop machines. The network is administrated by me.
On Windows Server we have installed and setup DHCP, DNS, Remote Access and Routing, File and Storage and Active Directory services. Desktop machines are having Windows 8.1 Pro, Windows 8.1 or Windows 7 Home Premium installed on them. In Active
Directory I have created domain, User groups and Users for employees in my company and so far, I didn't added desktop machines to the domain.
Also, I've created one folder on the server which should contain different projects data for network users and I have set access permissions and security for this folder and shared it on the network (I've added couple of users to one user group and I
gave Full control to this group over this folder). When I try to access this folder from network, I've been asked for login credentials (normally), where I just type in one of users username and password who has been given access permissions to (who is member
of group with full control over the folder). From Windows 8.1 Pro and Windows 8.1 machines I can access and work on this folder without any problems.
The problem comes with Windows 7 machines. On Windows 7 machines (I have also tried this with Windows 7 Ultimate in VMWare) I can access server, I can see its shares, but as soon I try to access folder I've created for projects, I get Access Denied message
with request for User login credentials. Whichever user account I use (even servers main Administrator account) I keep getting this message over and over and I'm unable to access it at all.
I have also tried to access the server through VPN (from local or outside) but I'm getting the same error again. Also I've tried to add these Windows 7 machines to the domain and login with domain user but the result is the same. Turned off both firewalls
(on server and desktop machines, which I know is unnecessary, but lets try it), still same case. I've tried couple more things with registry editor on desktop machines which I found on different forums and websites but still no luck. And now I don't know
what else I can do.
Does anyone knows what's the problem here, have I set something wrong, have not set something I should?Hi MeipoXu,
thanks for your response. I will first answer on your question.
Yes, the main issue is that we can see the folder when we access the server but we cannot access its contents from Windows 7 machines. I have tried on two machines, one with Windows 7 Home Premium version and the other one with Windows 7 Ultimate version
and the situation is the same.
As you recommended, I've checked Network Discovery and File and Printer Sharing and the situation is next: File and Printer Sharing is turned on all layers (Private, Public and Domain) while Network Discovery is off for all layers too. I don't know if this
is normal thing but Network Discovery cannot be turned on in Windows Server (I'm able to select Turn on Network Discovery and apply the changes, but when I get back to this settings page, I again see that it's turned off, so I assume this can't be changed
at all).
I also tried with icacls in command prompt and everything seems to be ok there regarding permissions. Share permissions are set to Full control to Everyone and Security permissions are set to Full control only for Administrators and the user group I've created
for employees in my company. The confirmation for this is that on Windows 8 machines you can access this folder without any problem and without getting any message connected with access permissions with any user account within this user group. This share is
created through File and Storage Services service in Server Manager panel.
And then something came up on my mind. I went in Server Manager to check shared folder settings in File and Storage Services and under Settings page I saw that "Encrypt data access" has been enabled (I enabled this option because I thought
I will get more security with this option). I asked my self what would happen if I disable it, tried it and now everything works ok on Windows 7 machines too. Now I assume that Windows 7 doesn't have this feature implemented or there are some
settings which needs to be set on Windows 7 machines to make this encryption thing work with Windows Server. So basically, I will let this feature off for now until I find out more about it and how to implement it to work with all operating systems.
I want to thank you once more for your kind help! -
My 'run with administrative privileges' script no longer works - help
Hey all. I have an applescript that shuts down the computer that I made a while back. I pulled it out today to use it and it no longer works. Here's part of the code I'm having trouble with:
do shell script ¬
"sudo shutdown -h now" password "myadminpassword" with administrator privileges
On old machines this worked great, I would just put the admin password where myadminpassword is and it would work perfectly. Now though, I run it on my machine and I get the prompt to enter my admin username and password before it will shutdown.
Now this is going on a remote install so I need it to work. Any ideas? The machine is running snow leopard, but it seems to still work on an old leopard macbook pro.Well, for one, do not use sudo in do shell script.
The whole 'with administrator privileges' part takes care of elevating your privileges. sudo has no place in do shell script.
Don't know if that's your issue, but it's the first thing I'd fix.
If that doesn't help, are you running the script as your admin user?
Nowhere in your script are you defining the username to run the command as, therefore it will attempt to run as the current user who may not be the same as your admin user, nor have the same password. You might need to include the username:
do shell script "shutdown -h now" user name "admin" password "myadminpassword" with administrator privileges -
I am unable to update mozilla firefox. I have user account with administrator privilege.
Try to run the installer as Administrator via the right-click context menu (Run as Administrator).
-
Error inserting image file in Excel 2013, it's working with administrator privileges
When I tri to insert image file like .JPG in Excel 2013, I get an import error. It's working fine with administrator privileges.
I check, graphic filter (registry values) and made also an Office repare. But i have still the problem.
My computer: Windows 8.1 64 bits, Office 2013 32 bitsTry to check the grant permission for the Excel property itself.
Try to insert image from other path, e.g. D:\ to check if we still receive the error.
Try to run Excel with safe mode. ("Excel.exe /safe") and perform th insert action without any add-ins interrupt. Thanks.
Tony Chen
TechNet Community Support -
Blackberry Media Sync Failed To Initialize - Run With Administrative Privileges
I've downloaded the Blackberry Desktop Manager (4.7) and everything works fine except for the Blackberry Media Sync which fails to initialize and needs to be run with administrative privileges. Anyone experience this and how did you correct the administrative privileges situation. I am using a BB Bold. TYIA
BlackBerry Media Sync has just been updated to version 2.0.
I suggest you download it and see if the issue is solved.
The search box on top-right of this page is your true friend, and the public Knowledge Base too: -
Open application with administrative privilege
Can anyone point me to resources on how to execute a command in Java to open an application with administrative privileges - similar to the windows runas command - but will accept the login and password in the command?
First figure out how to do it at the command line (it's beyond me). Then use Runtime.exec() to run the command. You'll have to use the Process's output stream to respond to the password prompt, and it's possible that might not work if Windows isn't prompting on stdin.
-
Do Shell Script .. with Administrator Privileges ... ?
hi everyone!
I have a script that have multiple lines like this:
do shell script " ... " with administrator privileges
do shell script " ... " with administrator privileges
Mac OS X 10.4 does it right(?) by asking ONCE for an admin login/password, and would run both lines above ... but 10.2 (and 10.3?) asks TWICE for the password using the same code. What am I doing wrong? I want all versions 10.2-4 to ask only once ... Any ideas?
Thank you!!
CassIf you would prefer that your script would not ask for a password to get admin privileges, then this uses the keychain:
set aVariable to do shell script DefinedAsVariable password getPassw() with administrator privileges
-- The Handler --
The following handler assumes you have a password in your keychain called ASPW (could be anything you want) saved as a generic key. To do that, open your Keychain Access (in Utilities) application, choose file New, and in the sheet give it a name, enter your account name and type the password you want to use (your admin password in this case). OK. Now find the new password and double-click it. Under the attributes tab change Kind to generic key (it will be Applications). This makes for a fast search because there aren't many of them. Switch to the access control tab and select the "Allow all applications to access this item" button. Enter your admin password in the dialog that appears, and you are done. The first time you run the script, you'll have to click "Always Allow" in the dialog that appears - perhaps several times. After that, it won't ask.
to getPassw()
tell application "Keychain Scripting"
launch
tell current keychain to ¬
tell (some generic key whose name is "ASPW")
return password
end tell
end tell
end getPassw -
How do we open folders with administrator privileges?
I am trying to open the folder Documents and Settings on my local machine. I am the administrator, the computer is not on a network, and it is a standalone machine.
Hello Milo,
Thanks for the reply, I was just able to try your response today for the first time.
I will type in exactly what I put in the command line
icacls "D:\saved shit\" /grant administrators:F
D:\saved shit" /grant administrators:F: The filename, directory name, or volume label syntax is incorrect.
Successfully processed 0 files; Failed processing 1 files
After this I enabled the "hidden admin" account and logged on that account to find I was able to edit the folder's permissions and I can now go into that folder. The problem remains though that every folder and file within D:\saved shit is now inaccessible
to either the administrator account or my original account with administrator privileges.
When I attempt the icacls solution you posted for the subfolder D:\saved shit\My Documents it gives me the same message I wrote earlier.
Sorry for the wall of text and I really do appreciate your help. My end goal is just to have the default permissions set for all the files and subfolders so I can access them again.
Thank you for your time! -
With Administrator Privileges Error: Authentication Failed
i have an applescript app with the following line:
do shell script "/System/Library/StartupItems/CiscoTUN/CiscoTUN restart" with administrator privileges
When I run this script in Script Editor, I'm prompted for the admin username/password, but when I run the script saved as an application, i receive:
"Authentication failed."
I've tried this script with and without "sudo" preceding the rest of the shell script, but it behaves the same either way.
Any clue why "with administrator privileges" is working in Script Editor but not when the application is run alone? Thanks!Hello
My wild shot in the dark.
If you have not saved your script as application bundle, try saving it as such.
Applet as application bundle contains universal binary while applet as (non-bundle) application contains ppc binary, which is run via Rosetta in x86mac.
This might make difference.
H -
Applescript "with administrator privileges" and without Password prompt
i,
I have to configure some phone settings in the central VOIP/VPN/Gateway Router via a ssh (with certificate) command.
There is only a option to allow or disallow the ssh access in the router. Therefor I wrote a applescript to allow only the specific ssh command "set /Setup/Voice-Call-Manager/Call-Router/Call-Routing/". To avoid the configuration access for anyone and to hard code passwords I have to execute this script with root permissions (do shell script "/usr/bin/su - " & user & " -c " & "'" & cmd & "'" with administrator privileges"). In any other unix implementation I can use "chmod 4755; chown 0:0". Even I compiled the Applescript and stored it as Carbon App, I get a user/password prompt.
How can I avoid this prompt or authorize the script/app in any way?
Thanks HenriI agree, but to use the private key of the applescript caller opens any user the ability to change any WLAN key, VPN settings or delete the admin account, not a good idea....
Therefor I would like to run the applescript with root, "su - <adminuser> ssh router set ....".
This restricts the access to the router config to this applescript and I would like avoid the hard coding of the root password in the applescript.
I tried also the add the command to /etc/sudoers, this work fine from the command line but how to call "sudo applescript" from the desktop without entering the admin password?
Thanks
Henri -
How can IT departments set up basic users to run Captivate with Administrator privileges?
As we all know, on WinVista and Win7 or later systems Adobe Captivate must be launched with Run As Administrator privileges in order to function correctly and not crash. But the problem here is that in many corporate environments general users are not allowed to have Administrator access to their own work PCs. This presents something of a dilemma for IT departments with Adobe Captivate users.
Some time ago on this forum one of the Adobe technical staff chimed in on a thread about the Run As Administrator command and explained the technical steps required to set up a Group Policy in WinVista/Win7 that would allow a basic user to always launch Captivate with the necessary admin privileges even though they did NOT have Administrator access to any other app on their PC.
I have searched in vain to find that particular thread and post, so I've started this thread in the hope that someone at Adobe can again chime in to detail the necessary steps again.
So is there anyone there that can help out?DOH! my bad.....I/we run WinXP at present and no UAC.
However, all may not be lost, try some of these options as posted on teh MS Technet forums....An admin person may need t do this first to enable this for that user...
Apologies for misundeerstand situation. ;-( hate it when that happens!
Try these two options:
Using Compatibility Mode
NOTE: This will allow you to always have the program run as an administrator when you open it.
1. Right click on the program shortcut or program .exe file, then click on Properties, and on the Compatibility tab. (See screenshots below)
NOTE: If you are doing this while logged on as a standard user instead of an administrator, then you will need to also click on the Change settings for all users button and type in the administrator's password.
http://www.sevenforums.com/attachments/tutorials/12832d1243933304-run-administrator-compat ibility_mode1.jpghttp://www.sevenforums.com/attachments/tutorials/12832d1243933304-run-administrator-compat ibility_mode1.jpghttp://www.sevenforums.com/attachments/tutorials/12832d1243933304-run-administrator-compat ibility_mode1.jpgUAC, then click on Yes to apply permission to allow the program to run with full permission as an administrator.
2. To Always Run this Program as an Administrator
A) Check the Run this program as an administrator box, and click on OK. (See screenshots above)
3. To Not Always Run this Program as an Administrator
A) Uncheck the Run this program as an administrator box, and click on OK. (See screenshots below step 1)
4. Open the program.
5. If prompted by
NOTE: If you are doing this is while logged in as standard user instead of an administrator, then you will need to provide the administrator's password before the program will run as administrator.
Using Advanced Properties
NOTE: This will allow you to always have the program run as an administrator when you open it.
1. Right click on the shortcut of the program, then click on Properties.
2. Click on the Shortcut tab for a program shortcut, then cllick on the Advanced button. (See screenshot below)
http://www.sevenforums.com/attachments/tutorials/12834d1243933304-run-administrator-advanc ed_properties1a.jpghttp://www.sevenforums.com/attachments/tutorials/12834d1243933304-run-administrator-advanc ed_properties1a.jpghttp://www.sevenforums.com/attachments/tutorials/12834d1243933304-run-administrator-advanc ed_properties1a.jpghttp://www.sevenforums.com/attachments/tutorials/12836d1243933304-run-administrator-advanc ed_properties2.jpghttp://www.sevenforums.com/attachments/tutorials/12836d1243933304-run-administrator-advanc ed_properties2.jpghttp://www.sevenforums.com/attachments/tutorials/12836d1243933304-run-administrator-advanc ed_properties2.jpgUAC, then click on Yes to apply permission to allow the program to run with full permission as an Administrator.
3. To Always Run this Program as an Administrator
A) Check the Run as administrator box, and click on OK. (See screenshot below)
4. To Not Always Run this Program as an Administrator
A) Uncheck the Run as administrator box, and click on OK. (See screenshot above)
5. Click on OK. (See screenshot below step 2)
6. Open the program.
7. If prompted by
NOTE: If you are doing this is while logged in as standard user instead of an administrator, then you will need to provide the administrator's password before the program will run as administrator -
User Groups Missing - Administrative Privileges are Inaccessable
I really can't figure this one out - somehow all of the system's user groups have somehow been removed from my mac therefore disabling any administrative privileges, other than the root user. Even when logging in as root and selecting my user as an administrator, it doesn't recognize the privileges and I remain a 'Standard' user.
I've even tried removing the setup file (/var/db/.applesetupdone) in hopes that completing the initial setup with a NEW user again would allow an admin and reset the groups. This proved pointless as even the newly created user is merely a 'Standard' user and still cannot be activated as an admin from root.
I've already run just about every self-repair function that I have, and none of them see a problem. If anyone has a method to fix this without reinstalling leopard, please let me know - I can reinstall leopard if need be, but I would really rather just fix the problem.did it really happen to all groups? then perhaps a reinstall is in order. if it only happened to the admin group you can fix its directory services entry as described here
http://discussions.apple.com/thread.jspa?messageID=10043721�
credit to biovizier for that method. -
CS5 Updates only with Administrator Privileges?
Hi!
I installed CS5 Design Premium on several PCs in the company as administrator, the Users dont have administrator-privileges. The problem is, that CS5 does prompt for updates very often at the moment, and the users cant apply them. Is there a way to let them apply the updates without administrator privileges? I dont want to update this much PCs on my own and i dont want to give the users admin privs, of course
Cheers & thanks for help,
ChrisWe made a "hack" to get this possibillity under CS4.
You have to look into "runaspc.exe" in order to get it to work.
That's the way we did it.
Not an ideal solution but Adobe has not yet managed to their updates to work with eg WSUS or similar.
They have however released their Adobe Update Server, but that doesn't help one bit as the update procedure still needs administrative rights. -
How to run IE with administrator privileges on limited user account?
Hello,
I have a domain user who needs to access a certain web application on the internet using IE and to do so we have to add this website to IE Trusted Sites Zone and also allow Pop-ups, the issue now is that the domain user has a limited account on this PC (Windows
8.1) and changing these settings is not available. I only have (General-Connections-Programs) taps available under IE Internet Options for this user.web application is not working just like before. Did i miss something?
Not necessarily. Some users have a problem with security packages which are "protecting" their registry. Also, during a beta I discovered that elevation of the Internet Options dialog and trying to do a RIES had resulted in the
Administrator's Profile being nuked, not the one that was being targeted. Perhaps you are seeing a symptom from something like that?
FWIW I would run ProcMon to find out what is going on. It would be best if you had two cases, one which worked and one which was the problem case. Then you could save both traces as .PML files and open them later to compare them in two separate
ProcMon tasks. That way you can just filter coarsely to find a significant divergence in the two traces and then refine your analysis from there. Otherwise, if you don't have a clear hypothesis to test or know exactly what you are looking for you
could try using the Category Is Write filter. That would show changes which were being done in both the Registry and File system.
Good luck
Robert Aldwinckle
Maybe you are looking for
-
How can I transfer books from kobo ipad app to another ipad
How can I transfer books from kobo ipad app to another ipad with a kobo ipad app.
-
Using MS-Sharepoint as a content server from ECC 6.0
Hi, gurus. From the [SAP Content Server Installation Guide|https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/cfa73246-0a01-0010-71b4-bc21ccb45c99&overridelayout=true] ...you will find this information: You can find a description of the SAP Cont
-
Enabling tabbing to controls on DW CS 4 Mac in Find and Replace
I have used Dreamweaver on Windows for many years. I'm now working on the Mac. I have configured OS X Leopard for improved keyboard access to UI controls. This allows me to tab to dropdown (or popup) menu and use the keyboard to quickly select menu i
-
Discount for students is Applicable for mac cs5 web, even for online 2yr students
discount for students is Applicable for mac cs5 web, even for online 2yr students, like Univ of Phoenix Online division - 2yr degree Information Technology?
-
hi, in my main dialog program, i created a selection screen using statements selection-screen.... i activated it and was able to see that at runtime.. i noticed that the same selection screen was listed in the tree in SE80 under my package under scre