Need to provide local administrator access without domain administrator rights

Hi All,
I need to provide local admin access to one account in a Windows environment without providing domain administrator rights.
Windows 2008 DC. Desktops: Windows 7
So that we can use this account to install agents like SCCM\SCOM in all servers & desktops.
Need suggestions.

Hi,
I agree with Senne. In addition, we can also use the net command to perform local group management.
More information for you:
Add a member to a local group
http://technet.microsoft.com/en-us/library/cc772524.aspx
How to Make a Domain User the Local Administrator for all PCs
http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-a-domain-user-the-local-administrator-for-all-pcs.aspx
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
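
One way to script the local group change discussed in this thread, as an added example that is not part of the original posts: it puts a dedicated domain group (which holds the agent-install account) into the local Administrators group only if it is missing, then lists any local administrators outside an expected set. The domain name `CONTOSO`, the group `SEC-AgentInstallers`, the allowlist and the function names are assumptions; run it elevated on the target machine.

```powershell
# Added example, not from the thread. Written for PowerShell 2.0 (Windows 7 /
# Server 2008 R2), so it uses the ADSI WinNT provider instead of newer cmdlets.
param(
    [string]$Domain = 'CONTOSO',                 # assumption: NetBIOS domain name
    [string]$Group  = 'SEC-AgentInstallers',     # assumption: dedicated domain group
    [string[]]$Allowed = @('Administrator', 'Domain Admins', 'SEC-AgentInstallers')
)

function Get-LocalAdminMember {
    # Returns the ADsPath (e.g. WinNT://CONTOSO/SomeGroup) of every member
    # of the local Administrators group on this computer.
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($admins.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Add-LocalAdminGroup {
    # Adds DOMAIN\Group to local Administrators unless it is already a member.
    # Returns $true when a change was made, $false when nothing was needed.
    param([string]$Domain, [string]$Group)

    $target = "WinNT://$Domain/$Group"
    if (@(Get-LocalAdminMember) -contains $target) {   # -contains ignores case
        return $false
    }
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $admins.psbase.Invoke('Add', "$target,group")
    return $true
}

function Get-UnexpectedLocalAdmin {
    # Lists members whose account name is not in the allowlist. Orphaned SIDs
    # (deleted accounts) show up here too, because their name is the raw SID.
    param([string[]]$Allowed)

    Get-LocalAdminMember | Where-Object {
        $Allowed -notcontains ($_ -split '/')[-1]
    }
}

if (Add-LocalAdminGroup -Domain $Domain -Group $Group) {
    "Added $Domain\$Group to local Administrators on $env:COMPUTERNAME"
} else {
    "$Domain\$Group is already a local administrator on $env:COMPUTERNAME"
}

Get-UnexpectedLocalAdmin -Allowed $Allowed | ForEach-Object {
    "Unexpected local administrator: $_"
}
```

Because membership is granted to a group rather than to the account itself, removing the account from that one domain group revokes its local administrator access on every machine.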

Similar Messages

  • Need to provide local machine overrides

    Hi,
    Our users have their home directories served up from a network file server. For certain machines we now need to provide local home directories for some, but not all, users, i.e., dave logs into machine foo and gets /Users/dave but on machine bar he gets /server/fs0/dave. Fred, on the other hand, gets /server/fs0/fred on both machines.
    We've used a per machine mapping in our ODS which makes ALL users get the /Users/username on foo, but we ideally want to make this a per user decisions.
    I thought I'd found how to do this when I saw the per machine Accounts ACL in the Workgroup Manager but, sadly, that doesn't appear to allow for overriding the home directory setting.
    Any help much appreciated,
    Dabe


  • Install Oracle XE in a domain without domain administrator credential

    Hi,
    I work in a company. My Windows 7 64b and my login are identified in a Windows domain. For test purpose, I would like to install Oracle XE on my computer so that I can connect on it.
    I tried many things and I always had credential problems or Oracle problems. As I understand the behavior of Oracle:
    - if you install it being connected to the domain, you enter during the install a system password that is useless: the domain administrator password should probably be used
    - if you are logged in to the domain but you disconnect your network cable, you can connect with the given system password
    - if after installation you change SQLNET.AUTHENTICATION_SERVICES to (NONE) then you can connect but Oracle isn't started. From the logs, it seems that Oracle didn't have the correct password itself to initialize itself
    - if you create, on your computer, a local account with administrator credentials, it all works fine from this account but not from your domain account!
    My question is: how to install Oracle XE being identified on the domain, without needing administrator credentials? Or once Oracle is installed and authentication set to local, is it possible to initialize Oracle again?

    "how to install Oracle XE being identified on the domain, without needing administrator credential"
    Add your domain login to the local administrators group. Per the XE install guide for Windows, the installing user must have administrator rights on the host. See the section "Permission Requirement for Installing Oracle Database XE" at:
    http://docs.oracle.com/cd/E17781_01/install.112/e18803/toc.htm#BABIHEJC
    Also note the System Architecture requirement, Intel x86, which is not X64. Not to say that it won't work, but there will be challenges getting a successful installer run with a Windows X64 OS.

  • Strange profile when I access with Domain Administrator accout

    Hello,
    It's the first time that I got this issue (I used to install Windows 2008 Server R2 many times a month) :
    These are different steps :
    - Windows 2008 Server R2 installed normally
    - access with local administrator (account : administrator)
    - doing updates
    - creating new local user (account : admin)
    - add this user to local administrator group ( group : Administrators)
    - access with that new admin user
    - delete administrator profile and disable that user
    - restart
    - add the server to a domain and then restart
    - access to the server with domain administrator (account : domain\Administrator)
    - then there's no mention of the domain administrator name in the profile
    hatem

    I'd check it again in between each of the steps you mentioned to see where it happens. Can't make much from the last screen shot since it's blacked out. It may have been a one-off and will not happen next time.
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Is it possible to set up ADFS without domain admin rights in Windows 2012 R2?

    I've set up Windows 2012 R2 on my development box and want to enable the ADFS feature to test claims based authN. In ADFS 2.0, you could opt to install standalone and local admin privileges would be enough to install ADFS and authenticate against the domain AD.
    However, with the new ADFS, after installing the feature it asks to enter the credentials for an account that is a domain admin. Is it still possible to configure ADFS without domain admin privileges?

    Hi,
    According to my research, if you want to set up AD FS in Windows Server 2012 R2, each computer that functions as a federation server must be joined to an Active Directory domain.
    Besides, AD FS requires a certificate for SSL server authentication on each federation server in your federation server farm. Furthermore, you need a membership in Administrators on the local computer to install the AD FS role service.
    For more detailed information, please refer to the links below:
    How to deploy AD FS in Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn303423.aspx
    Best regards,
    Susie

  • Desktop icon won't allow me (administrator) access without me giving permission

    I am the administrator of this system. For a month or two, my clicking on the firefox desktop option requires "administrator's permission." (Private home system)
    Security Certificate is out of date also.

    Check that you do not run Firefox as Administrator.
    Right-click the Firefox desktop shortcut and choose "Properties".
    Make sure that all items are deselected in the "Compatibility" tab of the Properties window.
    * Privilege Level: "Run this program as Administrator" should not be selected
    * "Run this program in compatibility mode for:" should not be selected
    Also check the Properties of the firefox.exe program in the Firefox program directory.

  • Limit Administrator Access to only OS Level functions on a Windows 2003 (and up) Domain Controller Server

    I have read several articles such as:
    1. http://social.technet.microsoft.com/Forums/windowsserver/en-US/9c723f4a-51a7-4844-9dc6-0017355d694c/limited-administrative-on-domain-controller?forum=winserverDS
    2. Active_Directory_Delegation.doc
    Consider that a domain controller, doing no other functions than domain based functions (ie no file server, printer or app server) - is managed in two parts: The OS-only level, to read log files, server health monitoring, install OS-level Microsoft security patching and the second part being Domain management level - Users and Computers, Domains and Trusts, etc).
    For a given domain controller server, an outsourced support group needs to be responsible for the OS-only level access - they need no access to the Domain management level functions so they can fulfill contractual obligations (SLAs) for server uptime, patching etc.
    For the same given domain controller server above, there is an internal (non-outsourced) support group that will perform all Domain management level functions only. They want to manage the Domain on the Domain Controller servers, want the Outsourcer to manage the VM and OS-related tasks, but DO NOT want them to be able to access and change information in Users and Computers, Domains and Trusts etc.
    With that explanation, would putting the Outsourcer's AD-based account IDs in the Server Operators group alone be sufficient to allow OS-level management, like patching, reboots, etc but disallow access to Domain Management functionality (Users and Computers etc) - or does it need to be a combination of built in groups and delegated rights?
    Please consider that I am seeking a technical solution here - do not respond with "either trust your Domain Administrators or keep your junior admins from the server" as that is not a viable solution.
    Jason B. Allen

    Hi Jason,
    According to your description, you want to assign the OS-level management and Domain management rights to two groups separately, right?
    Based on my research, members of Server Operators group don’t have sufficient rights to install updates for Domain Controllers, you can refer to this article below:
    Default groups
    http://technet.microsoft.com/en-us/library/cc756898(v=WS.10).aspx
    You can configure the "Allow non-administrators to receive update notifications" group policy so that non-administrative users will be able to install all optional, recommended, and important updates content for which they received a notification, except some updates which contain User Interface, End User License Agreement and so on, which still require domain admin credentials.
    To enable non-administrator users the ability of logging onto and shutting down DCs, the "Allow logon locally" and "Shut down the System" rights should be granted.
    In addition, reading logs and monitoring server performance rights are included on Performance Log Users and Performance Monitor Users groups.
    More information for you:
    Step 5: Configure Group Policy Settings for Automatic Updates
    http://technet.microsoft.com/en-us/library/dn595129.aspx
    User Rights Assignment
    http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
    I hope this helps.
    Amy Wang

  • I am developing a flex web application which needs to access Other domain ,is there any other way other than cross domain policy available ? please help

    I am developing a Flex web application which needs to access another domain (Payment Gateway API). Is there any other way than a cross domain policy available? Please help.
    We do not have access to the other domain; that's why we want another solution.

    All the paths to CFCs are the same in my live production site.  Can you be more specific as to what you mean by "RemoteClass aliases in your AS Classes and CFCs (if any) are correct."?  How will the app know that the CFC is on http://myLiveSite.com instead of http://myDevSite.com?  The only line of code that I have noticed that points to a URL is the endpoint in a file called _Super_XXX.as.  And at the top of that file it says that the file is not meant for editing.
    To clarify...I see your app/code all exists on a server access via a web browser so I can understand that everything still works when deployed.  Mine is a mobile app so when I am developing and testing on my local computer the URL points to my local development machine.  However when I deploy it to a mobile device like a tablet and run the app, it needs to be able to access a cfc on a remote server via a different URL ie. my http://myLiveSite.com/myCFC.cfc instead of http://localhost/myCFC.cfc
    Thanks for your help!  I will now take a look at your thread.
    Message was edited by: ace0215

  • NFS write access without local user

    Hi,
    I try to get write access to NFS from one to another linux system without local user account and group.
    System 1. /etc/exports -->set nfs share /backup
    Folder /backup all files owned by oracle:oinstall
    oracle(104):oinstall(106) 664
    System 2. user: root(1):root(1)
    #>mount -t nfs .....
    All files are owned by userid 104 and groupid 106
    I can get write access If I change userid and group id on system 2 to 104/106 but I think that could be smart way.
    Does anyone know the right way to get write access without having the same local user(id) and group(id)?
    Thanks

    You can try the following in your /etc/exports file:
    /backup   *(rw,insecure,all_squash,anonuid=104,anongid=106)
    Then reload the exports file using the command "service nfs reload".
    The above will allow rw access to the /backup directory and map all requests to the nobody account and remap the nobody account uid and guid to 104 and 106 of the nfs server system. The insecure option is required by some PCNFS clients. For more detailed information please check the exports man page.

  • TS1544 I am the administrator of my MacBook Pro, which I share with my kids. One of them forgot his password, so as the admin I changed it for his account, but  when I try to see his account, it says I need to provide the keychain password. How can i get

    I am the administrator of my MacBook Pro, which I share with my kids. One of them forgot his password, so as the admin I changed it for his account, but  when I try to see his account, it says I need to provide the keychain password. How can i get it? I have no idea how to sort this out...

    First, make sure caps lock is not on.
    You must back up all data before continuing, unless you've already done so. If you need to back up but can't log in, ask for instructions.
    If the user account is associated with an Apple ID, and you know the Apple ID password, then maybe the Apple ID can be used to reset your user account password.
    Otherwise*, boot into Recovery mode. When the OS X Utilities screen appears, select
    Utilities ▹ Terminal
    from the menu bar. In the Terminal window, type this:
    res
    Press the tab key. The partial command you typed will automatically be completed to this:
    resetpassword
    Press return. A Reset Password window opens.
    Select your boot volume ("Macintosh HD," unless you gave it a different name) if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Follow the prompts to reset the password. It's safest to choose a password that includes only the characters a-z, A-Z, and 0-9.
    Select
     ▹ Restart
    from the menu bar.
    You should now be able to log in with the new password, but your Keychain will be reset (empty.) If you've forgotten the Keychain password (which is ordinarily the same as your login password), there's no way to recover it.
    *Note: If you've activated FileVault, this procedure doesn't apply. Follow instead the instructions on this page:
    If you forget the password and FileVault is on

  • I-Cal: I need to grant administrative access to my assistant...

    I need to grant administrative access to my assistant so that she can make scheduling edits to my i-Cal.  I still need to have full administrative access to the calendar as well.  How does one grant dual access?

    Try booting into safe mode.
    http://support.apple.com/kb/HT1564

  • Use of domain administration port breaks session access?

    WLS 8.1.2;
    We have a third-party app deployed in a pretty basic cluster setup (two managed servers, each on a separate machine). When accessing the main web app, it works fine. If/when we enable the domain-wide administration port (DAP) (after enabling SSL on each server), we can no longer access the application - we get the exception shown below.
    Note - if we shut down one of the two managed servers with DAP enabled, the app works. If we disable DAP and run both managed servers using SSL, the app works.
    What have we done wrong?
    tia,
    Rick
              <snip>
              ####<Jun 9, 2005 10:26:49 AM EDT> <Error> <HTTP Session> <OYARSA4> <ep01> <ExecuteThread: '9' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-100060> <An unexpected error occurred while retrieving the session for Web application: ServletContext(id=247422,name=eprovision-client,context-path=/eprovision-client).
              java.lang.SecurityException: User <anonymous> does not have access to the administrator port.
                   at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
                   at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
                   at weblogic.cluster.replication.ReplicationManager_812_WLStub.create(Unknown Source)
                   at weblogic.cluster.replication.ReplicationManager.trySecondary(ReplicationManager.java:1064)
                   at weblogic.cluster.replication.ReplicationManager.createSecondary(ReplicationManager.java:997)
                   at weblogic.cluster.replication.ReplicationManager.register(ReplicationManager.java:391)
                   at weblogic.cluster.replication.ReplicationManager.register(ReplicationManager.java:376)
                   at weblogic.cluster.replication.ReplicationManager.register(ReplicationManager.java:370)
                   at weblogic.servlet.internal.session.ReplicatedSessionData.<init>(ReplicatedSessionData.java:95)
                   at weblogic.servlet.internal.session.ReplicatedSessionContext.getNewSession(ReplicatedSessionContext.java:304)
                   at weblogic.servlet.internal.ServletRequestImpl.getNewSession(ServletRequestImpl.java:2472)
                   at weblogic.servlet.internal.ServletRequestImpl.getSession(ServletRequestImpl.java:2169)
                   at weblogic.servlet.security.internal.SecurityModule$SessionRetrievalAction.run(SecurityModule.java:637)
                   at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
                   at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
                   at weblogic.servlet.security.internal.SecurityModule.getUserSession(SecurityModule.java:612)
                   at weblogic.servlet.security.internal.FormSecurityModule.stuffSession(FormSecurityModule.java:404)
                   at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:391)
                   at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:197)
                   at weblogic.servlet.security.internal.FormSecurityModule.checkA(FormSecurityModule.java:181)
                   at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
                   at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3539)
                   at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2585)
                   at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
                   at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
              Caused by: java.lang.SecurityException: User <anonymous> does not have access to the administrator port.
                   at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:910)
                   at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:844)
                   at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:222)
                   at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:794)
                   at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:570)
                   at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
                   at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
                   at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
              </snip>

    An unexpected error occurred while retrieving the session for Web application: logContext.
              Cause might Failed to retrieve the session from persistent store.
              pl. check your configuration
              Prasanna Yalam

  • HT3986 Using Boot Camp 4 and Windows 7.   Try to change name of the C: drive and get the dialog "You will need to provide administrative permission to change the name".  How do I change the C: drive name?

    I tried to change name of the C: drive and get the dialog "You will need to provide administrative permission to change the name".  How do I change the C: drive name?

    Forgot to specify:
    I'm using an older Unibody MacBook (back when they were not all MacBook Pros), 2008ish, with Snow Leopard 1.6.8.
    The thread you linked me to, Eric, shows the guy 'Niganit' with the EXACT SAME PROBLEM as me! He seems to have found out the problem but I don't see his resolve.
    I just don't have the option to install Windows 7 in any other form than a CD.
    a picture;

  • Built-in domain Administrator account not given full access to new Exchange 2013 server

    I migrated from Exchange 2010 to 2013 over the weekend.  I cannot log into the EAC with my domain administrator account I use to log into all my other servers.  I also cannot run the clean-mailboxdatabase cmdlet logged in as this user.  I
    had no trouble moving mailboxes from the old server to the new server with this account though.
    This account is a member of: Domain Admins, Enterprise Admins, Exchange Full Admin, Exchange Organization Admin, Organization Management, Schema Admins, Server Management.
    I can log into the EAC with another admin account that has the same memberships as the Administrator account.
    I tried giving the account the role of "Databases" as suggested by others to fix the clean-mailboxdatabase issue but that did not work for me either.
    The Administrator mailbox has been moved to the new database on the Exchange 2013 server.  The Exchange 2010 has been decommissioned and is turned off.

    Hi,
    Based on my research, to retrieve the mailbox statistics for the disconnected mailboxes for all mailbox databases in the organization, we can try the following command:
    Get-MailboxDatabase | Get-MailboxStatistics -Filter 'DisconnectDate -ne $null'
    http://technet.microsoft.com/en-us/library/bb124612(v=exchg.150).aspx
    Additionally, the Identity parameter specifies the disconnected mailbox in the Exchange database, and it can be the display name instead of the mailbox GUID.
    http://technet.microsoft.com/en-us/library/jj863439(v=exchg.150).aspx
    Hope it can help you.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Cannot access Exchange Mgmt Shell - user "Domain\Administrator" isn't assigned to any management roles

    This is a new domain-joined Server 2012 member server with no data. Domain Administrator account is in the Organization Management group. Domain functional level is Server 2012.
    Setup /m:RecoverServer fails because "...server roles are already installed..."
    Uninstall fails because the "mailbox database contains one or more mailboxes..." which I can't delete.

    Hi,
    I recommend you refer to the following article to troubleshoot the issue:
    https://social.technet.microsoft.com/wiki/contents/articles/14874.error-the-user-domain-localusersadministrator-isnt-assigned-to-any-management-roles-on-exchange-2010-management-console.aspx
    We may try to propagate the RBAC permissions for the user again. The procedure is as below:
    1. Open Windows PowerShell as "Run As Administrator".
    2. Load the setup snap-in with the command: Add-Pssnapin *Setup*
    3. Run the commands one after the other to propagate the RBAC to the user who is logged on to the Exchange Server.
       a. Install-CannedRbacRoleAssignments -InvocationMode Install
       b. Install-CannedRbacRoles
       c. Install-CannedRbackRoleAssignmentsRAP
       d. Install-CannedAddressLists
    Thanks.
    Niko Cheng
    TechNet Community Support
