Network User with Local Admin Privileges?

I have a small network (around 25 clients total) that was set up prior to my arrival. Each client has its own unique local admin (each machine was set up by the individual user) and it's become somewhat daunting to support them.
All of the machines are connected (but not specifically bound) to an Open Directory and each is accessible via Remote Desktop, however I cannot push software updates, etc. without local admin privileges.
I'd rather not create an account on each machine, nor do I want to completely lock down each computer (I'd like them to still have the flexibility to be admins so they can install apps, etc.)
Is it possible to authenticate against OD and obtain local admin privileges?

Yes.
You can wipe all account information and then recreate a common initial admin account. This will make administration far easier as all machines will have the same admin username/password combination. Next, bind all of the systems to the domain and create domain accounts for all users on the server (likely already exist). Log in as the domain accounts and migrate permissions to domain ids. Finally, promote the user to the local admin group through System Preferences > Accounts on the workstation. You must enable the account as a mobile account in Workgroup Manager first. If you do not, the account will not cache to the workstation and you will be unable to add it to the admin group.
Also, in a workgroup of 25, I would recommend rethinking the decision to grant local admin access to end users. This is asking for trouble as you will have no control over when updates are applied or even if they are. In theory (and probably in practice), you will have 25 completely different machine configurations. This is far harder to manage and troubleshoot than 25 systems with different admin accounts.
If you must provide some level of autonomy, while not trivial, you might want to consider modifying /etc/authorization and granting limited admin rights to the users.
Hope this helps - congrats on the opportunity

Similar Messages

  • Giving an OD Network User/Group local admin rights.

    Is there a way to manage workstation admin rights from the server?
    I ran into a problem with Lightroom that requires admin privileges to change the program preferences. We have a lot of graphic art students with roaming profiles, spread out across 5 labs, that need to make this change. I would like to be able to add a group or all network users to the local admin group, for a few days, so the students can make the changes.

    This works on 10.5, not sure about 10.6.
    As root on the client.
    Upgrading legacy group for local admin group - this is from 10.4 days, not sure if you still need to do it.
    dseditgroup -o edit -f n -t group -n /Local/Default admin
    Nest OD group in local admin group
    dseditgroup -o edit -a DirectoryAdminGroup -t group -n /Local/Default admin
    Gen

  • Local Network User with Local Only or Services Only Home Folder Setting

    Hi all,
    According to the OS X Server Advanced Administration Guide, under the "Choose a user’s home folder location" section, "If you choose Local Only, the user won’t have a home folder on the server and can’t log in using the account information stored on the server."  However, when I create a Local Network User account with a "Local Only" home folder, Server.app creates a home folder in that user's name in the User's directory of the Server itself.  According to the documentation that shouldn't happen, right?
    The documentation gives no mention to the "None - Services Only" setting for the Home Folder.  I will only be giving users access to DNS, File Sharing, NetInstall, Software Update and Profile Manager.  I believe all I need are "Local Network User" accounts.  However, the documentation confuses me on whether the Home Folder setting should be set to "Local Only" or "None - Services Only".  Can someone clarify this for me?
    Many Thanks!

    The idea is that a local home folder will get created, but the home folder will not be available to the outside world via services (e.g. Portable Home Directory). I don't believe anything in the services you provided requires a home folder. So, you should be able to get by with "None - Services Only".

  • Network Users with network homes not really working for me

    I have with great pain set up an OS X Lion server on a Mac Mini that was supposed to be my central server to have 4 network user accounts and all the users' data is stored on an external disk array with mounted network homes to the 2 iMacs and 2 Macbooks I have in my home.
    I have gotten it all working and all my Macs are joined to the Open Directory and each user can log in as a network user on any of the Macs and get their files via mounted home directory from the server. The home directories on the server are backed up with Time Machine.
    I have found the following items that do not work properly:
    1) Desktop background settings are just lost sometimes for whatever reason. Desktop background goes to default and you need to manually set it back to the one you have selected. This happens mostly if users have their own desktop pictures.
    2) Keychain gets screwed up. The user often gets the "Keychain doesn't exist to store ..." message and needs to select to reset the keychain. Anything I have tried from "Keychain First Aid" to removing and having a new one created doesn't fix the problem. It keeps on coming back.
    3) iTunes Store and AppStore are getting confused about authorized computers. This is because a user logs in from another computer and then iTunes store would tell the user this computer hasn't been authorized to play the purchased music. Same happens with iPhone apps from the AppStore. Apparently those two stores are not set up to handle network users properly.
    4) Permission issues happen sometimes in applications like iPhoto where it would complain about not being able to see photos or not being able to add new photos to the library. Need to run a permission repair on the iPhoto Library to fix this.
    5) One critical one is that it's not really possible to restore files from Time Machine. The Time Machine backup is done on the server by an administrator account directly backing up the user directories. When you go into Time Machine on the server even the admin can drill down into the user directories so no restore possible. The individual users have no idea that there was ever a Time Machine backup done as Time Machine is not set up in their accounts on the individual Macs. This prevents any possible restore.
    I reckon that many of the problems are related to having only one location for ~/Library as the individual Macs are writing their user related settings into this directory in a central location. So what happens is when something on iMac 1 and then I log in on iMac 2 that might not exactly match this Mac's config and it gets confused, throwing one of the above errors.
    Trouble is, with central network home directories the way they are mounted, I can't exclude the ~/Library folder. The only option I can see is mobile accounts because I have seen in the preferences that when they sync they handle Library items differently.
    Does anybody have any experience out there with this sort of thing and can advise what's the best way forward?
    If I can't resolve this I'll go back to having network users with local home directories on each Mac and just set up for each user a network share to which they copy files if they want them available on other Macs. Not as nice but at least it works!
    As a side note, I did this to make things easier but it has up to now cost me more trouble than I had before!

    Haven't heard anything from anybody so probably too daunting a topic ...
    I have now moved on to try Portable Home Directories (PHD) and syncing ... what a disaster!
    First it took me ages to get this right as the way the home directories are mounted on the clients from the server is just weird, which has to do with how AFP mounts are implemented. Since one AFP mount can't be mounted by several users on the same system they use a workaround of mounting it to a temp directory and then linking it back to where it should be. Of course this causes major problems.
    Okay it kind of worked so let's move on to syncing PHD. First of all on initial creation it only syncs a small portion of the directory, that should be okay, but on some of my accounts it never went past this stage. It said it's all synced but it only had synced the first 10% or so of the data. I wasn't able to make it sync anymore.
    On other accounts it correctly synced all the data down, or so I thought. Apparently a few sync sessions back and forth and 50-60% of the data was gone. On further investigation it turned out to be iTunes and iPhoto libraries. Turns out those don't sync properly via Home Sync!!!
    Apple product is not able to properly sync Apple specific library files!!!!
    So here my warning to everybody: DO NOT USE PHD and HOME SYNC to sync your data as you will lose stuff if you have iTunes and/or iPhoto libraries with Lion OS X Server!!!
    The whole Lion Server experience has been a disaster for me. Now I have a server that does file sharing and time machine backup sharing. I can do the same thing with a standard Mac using those services. What's the point of Lion Server for Home if nothing works properly?

  • Can I have a network user with the same name as a local user?!

    I have just set up Mac OS X 10.8 Server with Open Directory.  I have about 20 machines that I will be setting up, some which have mainly been used locally and just used to tap into Shared Files, [historically], but am wanting to use network users for better backup and support.
    However some of the legacy accounts were not used on off the server...  What I have is the following :-
    a)    [Person A]  - They are a network user with Password [Password A]
    b)    The computer is [Person A], they have a Password [Password Old] (so it is different)
    I have Network Account Users turned on, with a green dot! (have domain all set up)
    However How do I connect using either a or b.  depending on what i feel like that day!
    ? Help any ideas.
    Ultimately I will have set up all my client machines with a client admin user and standard password... but I am not there yet!

    Moving from local (legacy) users to network users takes a one-time hassle of moving the contents of their local home folder up to the server. Using a Finder copy never worked for me. What I finally found worked reliably was using rsync to copy the entire user's local folder up to the server. Once on the server, move the files into place (if you didn't rsync them there directly). Finally, chown all the files (on the server) to associate them with the correct userID on the server. If everything looks right on the server, you can test by trying to log in as this user from another local Mac (but now as a network account), and hopefully their home folder looks like they expected.
    Note you will need admin access in the local machine and the server to rsync their home folder. You don't want to be logged into their account while trying to copy their files up to the server.
    If rsync is not your bag, a portable hard disk and/or disk image of their home folder is another way to move their stuff.
    Once you've verified that their network account got to the server ok, then REMOVE the local account.

  • Network accounts with local home folders

    First of all sorry for my bad english.
    I want to obtain network accounts with local home folders.
    I have found this post very interesting to solve my problem.
    http://discussions.apple.com/message.jspa?messageID=2140595#2140595
    Following these indications I have obtained it but I don't see the Public folder of any home folder from the network.
    How can I solve this? Must I share the Public folders manually? How? I have proven with SharePoints 3.5.4 and I have not obtained it.
    Thanks
    iMac Intel Core Duo   Mac OS X (10.4.6)  

    Hi
    Clients should be bound to Open Directory and be using the OD Master for their DNS. Launch WorkGroup Manager and authenticate to the LDAP node. If you have only a few Users you can do it at that Level if hundreds do it at Group Level. Select Preferences > Mobility. It's fairly obvious thereafter.
    After the home folder has been created you can make that account a local administrator if you wish.
    This assumes the Server has been configured as Advanced. Please don't take this advice if you've used anything else.
    Tony

  • Deleting users with Delegated Admin

    Hope anyone can help with this:
    When I delete a user with Delegated Admin (For Messaging 5.x) the user
    seems to be deleted in iDA, but it is not deleted in LDAP.
    Therefore, I cannot re-use its attributes (like E-mail address) for
    another (new) user.
    This causes all kind of problems.
    I can go into the Console and throw away the user, then everything
    works again. But I expected iDA also to delete the user if I use the
    delete button.
    Any ideas? Did I forget something?
    Thanks in advance,
    Niels de Troye

    Hi..
    the nda does not remove the user... it puts it in suspend mode...
    you have to run the imsimta purge command to remove the user.. or wait for the server to do that in a day or so....
    take a look at the manual to see how you can do that...
    Over and Out
    Giorgos Kiriakidis
    Technical Department
    NetSmart S.A.
    Panepistimiou 58.
    Athens 10678
    Hellas
    Tel +3013302608
    Fax +3013302658
    Email [email protected]

  • Macbook crash when trying to authorize user with system admin account in maverick

    macbook crash when trying to authorize user with system admin account in maverick,
    Please help

    Hi Frank,
    Please refer to the following operations and check if they can help you.
    1.
    wmic /node:"HOSTNAME" /user:"ADMIN_USER" /password:"PASSWORD" logicaldisk
    Please replace HOSTNAME with IP address, then monitor the result.
    2. Please open Control Panel, select User Accounts and click Manage another account. Then select the user account which you will use in the WMIC command. Then please select Change the account type and check if you have set it as Administrator. If not, please set it as Administrator and check if this issue still persists.
    3. Please refer to the following thread and check if it can help you.
    WMI Remote "Access Denied"
    If this issue still persists, please let me know the edition information of the Windows OS that this issue occurred in. Meanwhile, you described “The user account is a member of Administrators.” Would you please let me summarily know how you operate?
    Hope this helps.
    Best regards,
    Justin Gu

  • Can't print with user but can with local admin

    Hello All,
    I'm a Windows admin learning how to support Macs in a 2003 AD environment. Here's my problem. I have a Windows 2003 AD Domain and an office of Mac clients running OSX 10.3.9. I'm using AdmitMac version 1 to connect the Mac's to AD. There's been previous problems with Mac machines dropping from the AD domain. A quick fix of this problem involves re-adding the affected machine back to the AD via the Admitmac utility. A long term fix of this problem will be an upgrade to Admitmac version 3, but that's down the road.
    Anyway, when 1 client lost its AD authentication, adding the machine back to the AD caused the local user profile to not be able to print to the shared network printer anymore. Printing works when logged in as the local admin on the Mac, but not as the user. I've tried giving the user admin rights, reconnecting the printer, and re-adding the machine to the domain. All of this has not helped the situation.
    Does anyone have any ideas for a possible fix?
    Thanks and sorry for the long winded post.
      Mac OS X (10.3.9)  

    USB printers are a pain.. it might not work at all from windows.. that is just the reality.
    USB printers are local printers that plug into your computer.. save your $50.. and the cost of the next couple of sets of ink cartridges or toners and go and buy a network printer. ie one that is designed to work in a network.
    If you want to pursue this..
    1. How did you name the Express.. and its wireless?
    Names should all be short, no spaces and pure alphanumeric.
    2. What printer is it? If you plug it in via USB to the computer does it work?
    3. Once you have it working plugged into the computer change it to print to IP of the airport express and see if that works.
    You can do this without bonjour..
    See this video for example of setting up printing to Extreme (same thing) by printing directly to the TCP/IP port.
    http://www.youtube.com/watch?v=qTN1g846dRE
    It is windows 7 but 8 should be much harder .. naturally MS took away the easy access to everything .. but it is still there for the most part.

  • How do I make a network account a local admin?

    I'm using Admitmac to get on a windows domain and every time I try to change the current logged in network account to be an admin the setting never stays, just reverts back to a network account. What do I need to do?

    In ADmitMac v3.2.2, there is a configuration setting to allow a user or group of users local administrator privileges.
    Please follow these steps:
    - Open Directory Access (/Applications/Utilities/) and unlock if necessary
    - Double-click ADmitMac
    - Double-click the domain name
    - Click the Admin tab
    - Check the "Map admin group to:" checkbox, and click "Browse..."
    - In the "Name" field, enter part of a group name or a domain user's account name, and click "Find"
    For example, "Domain Users", "Domain Admins", or "[email protected]"
    - From the given list, select the desired name and click "Add"
    - Click "Done", quit Directory Access, and Log Out
    To verify this setting:
    - Log in with a domain account
    - Open System Preferences and click the Accounts pane
    - The account listed under "My Account" will be the domain account
    - The item "Allow user to administer this computer" should be checked
    NOTE: In Mac OS X v10.3.x, this option is under the "Security" tab.

  • DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end user's account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
    The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable for version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
    set users=
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg
    Regards, Mike J. [MSFT]
    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
    ========================================================================
    $RC=setoption("WOW64AlternateRegView","on")
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    $uservariable = "%userdomain%\%username%"
    If KeyExist ($DPMkey)
        $Userstring=ReadValue($DPMkey, "ClientOwners")
        If $Userstring == ""
            WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
            ? "Key created"
        else
            If not instr($Userstring,$uservariable)
                $Userstring = "$Userstring,$uservariable"
                WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
            EndIf
        Endif
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
    In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that is that the key gets created/updated only if the user logs on physically on that PC, but it will not work for anyone connecting through RDP.

  • Can not add Domain User to Local Admin Group Win8.1

    Hello, 
    I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on but 90% of them it won't allow me to add the local user to the local admin group.
    DCs are running Win Server 2008 R2 Enterprise. 
    Any help would be greatly appreciated. 
    Thank You

    I would suggest you use Restricted Groups (via GPO) to add domain users/groups to the local admins group.
    1) Create a new group in Active Directory
    Create a new group in Active Directory that you wish to add to every workstation's local administrator group. DO NOT add any users to this group at this time.
    2) Create a new GPO
    Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that contains the WORKSTATIONS you want to give users local administrative rights over.
    3) Edit the newly created GPO
    Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
    4) Add your new Active Directory group to the Restricted Group
    Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
    5) Add the Restricted Group to the local administrator group
    In the Restricted Group Properties window click "Add" under the section titled "This group is a member of:" Type "Administrators" (without the quotes and yes it is plural) in the Group Membership window and click "OK"
    6) Wait for GPO updates to apply to the workstations
    Once your users receive their updated group policy settings every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.
    7) Add a user or group of users to the Active Directory Restricted Group
    When you are ready, or in a position where you need to provide local workstation admin rights, you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management Console.
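
    One way to check the result of the Restricted Groups steps above, as an added example that is not part of the original post: the "This group is a member of" setting adds the new group to local Administrators without removing members that are already there, so this script compares each workstation's membership against an allow-list and reports both unexpected and missing entries. The names CONTOSO, Workstation-Admins, WS-01, WS-02 and jsmith, the SID and the sample membership data are constructed for illustration.

```powershell
# Added example: audit local Administrators membership against an allow-list.
# CONTOSO, Workstation-Admins, WS-01/WS-02, jsmith and the SID are constructed placeholders.

function Convert-AdsPathToName {
    # WinNT ADsPath forms returned for group members:
    #   WinNT://DOMAIN/name        -> DOMAIN\name  (domain user or group)
    #   WinNT://DOMAIN/HOST/name   -> HOST\name    (local account on HOST)
    #   WinNT://S-1-5-21-...       -> raw SID      (orphaned entry, account no longer resolves)
    param([Parameter(Mandatory)][string]$AdsPath)
    $parts = @(($AdsPath -replace '^WinNT://', '') -split '/')
    if ($parts.Count -ge 2) { return ($parts[-2..-1] -join '\') }
    return $parts[0]
}

function Get-LocalAdminMember {
    # Live enumeration through the ADSI WinNT provider (needs admin rights on the target).
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.Members() | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        Convert-AdsPathToName -AdsPath $path
    }
}

function Compare-AdminMembership {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$Members = @(),
        [Parameter(Mandatory)][string[]]$Allowed
    )
    # '.\name' in the allow-list means the local account on whichever host is being checked.
    $allowedHere = $Allowed | ForEach-Object {
        if ($_.StartsWith('.\')) { $ComputerName + '\' + $_.Substring(2) } else { $_ }
    }
    # -notin is case-insensitive, which matches how Windows treats account names.
    $unexpected = @($Members     | Where-Object { $_ -notin $allowedHere })
    $missing    = @($allowedHere | Where-Object { $_ -notin $Members })
    [PSCustomObject]@{
        Computer   = $ComputerName
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
        Unexpected = $unexpected -join ';'
        Missing    = $missing -join ';'
    }
}

# Allow-list: built-in local Administrator, Domain Admins, and the group created in step 1.
$allowed = @('.\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins')

# Constructed ADsPath values standing in for what Members() returns on two workstations.
# WS-02 has not received the GPO yet, has a user added directly, and has one orphaned SID.
$sample = [ordered]@{
    'WS-01' = @('WinNT://CONTOSO/WS-01/Administrator',
                'WinNT://CONTOSO/Domain Admins',
                'WinNT://CONTOSO/Workstation-Admins')
    'WS-02' = @('WinNT://CONTOSO/WS-02/Administrator',
                'WinNT://CONTOSO/Domain Admins',
                'WinNT://CONTOSO/jsmith',
                'WinNT://S-1-5-21-1111111111-2222222222-3333333333-1105')
}

$report = foreach ($name in $sample.Keys) {
    $members = $sample[$name] | ForEach-Object { Convert-AdsPathToName -AdsPath $_ }
    # On a live network, use instead: $members = Get-LocalAdminMember -ComputerName $name
    Compare-AdminMembership -ComputerName $name -Members $members -Allowed $allowed
}
$report | Format-Table -AutoSize
```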

  • List users in local admin group on all workstations

    Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issue when the computer responded but DNS was incorrect for that PC, so I would get a false list of local admin members on that workstation. I changed to a WMI query instead and queried the system name using that, so if the system name matched the workstation name being queried then it is supposed to write to a csv. For some reason, when I use $wmi.name as the variable, it does not work. What am I missing?
    $CurrentDate = Get-Date
    $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
    import-module activedirectory
    $servers = get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
    $output = "c:\temp\local admin audit $CurrentDate.csv"
    $results = @()
    $servers | ForEach-Object {
        $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
        $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
        $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
        $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
        $group = [ADSI]"WinNT://$_/Administrators,group"
        $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
        if($wmi) {
            New-Object PSObject -Property @{
                DistinguishedName = (Get-ADComputer $_).DistinguishedName
                Server = $_
                Members = $members -join ";"
            }
        }
    } | Export-Csv $Output -NoTypeInformation

    I agree use GP it is more reliable and easier to manage.
    For the sake of demonstration of how this can be done, here is how most of us would be likely to do this or a very close variation.
    There is no issue with using Test-Connection and DNS.  AD/DNS cannot have the wrong names or your domain would crash.  Using Get-AdCOmputer instead of a file eliminates stale information.
    $csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
    import-module activedirectory
    # adjust Filter as needed
    $adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
    Get-AdComputer -Filter $adfilter |
        ForEach-Object{
            # one output row per computer, filled in only if the machine answers
            $props=@{
                Server=$_.Name
                IsAlive=$false
                DistinguishedName=$_.DistinguishedName
                Members=$null
            }
            if(Test-Connection $_.Name -Count 1 -Quiet){
                $props.IsAlive=$true
                $group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
                # read the Name property of each member of the local Administrators group
                $members=$group.Members() |
                    ForEach-Object{
                        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                    }
                $props.Members=$members -join ";"
            }
            New-Object PSObject -Property $props
        } |
        Export-Csv $csvfile -NoTypeInformation
    Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
    ¯\_(ツ)_/¯

  • Restart-Computer remotely with Local Admin

    Hello;
    I manage my company's server and AD infrastructure, containing hundreds of Windows 2012 R2 servers.  I also patch all of my servers monthly.  The biggest challenge in patching servers is the fact that they need to be restarted every month, in order for the patches to finish installing.
    We have a certain group of servers that need to have their restarts specifically scheduled.  The services offered by these servers are managed by a specific group of IT Pros.  However, this group of IT Pros do not have Local Administrative permissions on these servers (nor do they need it to do their jobs).
    I would like to enable this group to remotely restart these servers every month using the 'Restart-Computer' powershell command, without granting them Local Admin (that way, I won't need to get up at 3am every month to do this myself).  I've tried adding them to the following "User Rights Assignment": "Force shutdown from a remote system" and "Shut down the system".
    But, they still get an "Access Denied" error message.  What am I missing?  Is this even possible?  I've searched for hours now, but with no luck.

    Thank you for the reply, but I had already tried those suggestions.  Here's what I've tried so far:
    First, as I mentioned before, I've added the admins to the following "User Rights Assignment": "Force shutdown from a remote system" and "Shut down the system".  Then I temporarily added the admins to the "Allow log on locally" user rights assignment so that I may log on to the server as the admins and prove that the admins can indeed restart the local server.  From the server console, the admin was able to launch a powershell session and run the "Restart-Computer" command, and the server restarted perfectly.
    So that part worked just fine.  But I would like to get the admins to remotely restart the servers, without granting them the "Allow log on locally".  Another thing I tried, was to create a new remote PSSession, and then run the Restart-Computer command from there.  At first, the New-PSSession gave me an access denied error message.  That's when I ran the Get-PSSessionConfiguration command, and I noticed that the "Builtin\Remote Management Users" group was allowed access.  So I added the Admins to that group on one of the servers.  Now the New-PSSession command worked.  But the Restart-Computer still gives me an Access Denied error message.
    Here are the commands that I am using.
    First, running the Restart-Computer from the admin's workstation:
    Restart-Computer -ComputerName SERVER01
    Second, running the Restart-Computer command from within a remote PSSession.
    New-PSSession -ComputerName SERVER01
    Enter-PSSession 2
    Restart-Computer
    Either way, I get an access denied message.

  • Flash Player update Installation w/o local admin privileges

    Hi guys!
    I'm a trainee at a small "electrical retailer".
    We set up an Active Directory with a Windows 2011 Essentials last week.
    There are several Win XP and 7 Clients. Users have no administrative rights, but they can install Windows Updates (group policy).
    And here comes the problem: each time adobe flash player wants to download and install an update you have to promote with an administrator account.
    Is there a possibility to grant special rights to the adobe installer? Is there an opportunity to integrate flash player updates into the group policy or WSUS?
    Thanks a lot!

    Just an update to Pat's post.  A full install, such as 11.2 will actually require admin privileges.  However, subsequent updates using the new silent auto update mechanism will work fine on a standard user account without admin intervention.
    Chris
