OnBeforeLogin - Preventing Login

Does anyone know of a way to use the login PEI to capture a login event and then prevent the login from occurring? Even if the user entered a correct username/password, I would like the method to stop the login from occurring, then return a generic error message to the user.
Thanks in advance!

A suggestion, it is NOT perfect...
You will need to be using custom authentication... In this setup, you will add a column to the table with user names, call it online and use a char1. When your user logs in, and you are checking their authentication, if it passes, you update the table with a 'Y' in the row with their id.
When they logout, you will run a process to update the same table, changing the 'Y' to 'N' or null..
So when a user logs in, you will also check their user row and if the column is set to 'Y', then your custom authentication SHOULD return the error that that login is already logged in..
Thank you,
Tony Miller
Webster, TX
Follow your passion; the rest will take care of itself.
JMS
If this question is answered, please mark the thread as closed and assign points where earned..

Similar Messages

  • Prevent Login Twice

    All,
    I'm trying to think of a way to prevent a person from logging into an application more than once at the same time. IE, the user logs into an application, then turns around to a different computer and attempts to login there. I wish to prevent that second login. At the moment, I can't think of a way to prevent that since each session gets a new session id.
    Any thoughts are appreciated!

    Hello,
    In theory...easy.
    In practice...incredibly difficult to do successfully (i.e. almost every way can be circumvented).
    There are two solutions to this that I'd recommend if you really want to go down this route. Neither of them is APEX specific really -
    1) Use client-side certificates. This will install an SSL certificate on the user's computer, this will force a user into using a single machine to connect to your site. Obviously this has limitations (if their machine dies then they can't login from another machine). However it does work and lots of sites use this method (my online Bank used to use this method).
    2) Use hardware. In other words issue your users with a hardware-key, such as the RSA key devices which they need to use to generate a one-time (time and key specific) code which they need to enter to login to the website. The advantage of this is that they can use the hardware device from different machines, it makes 'sharing' of the code much more difficult (the key cannot be physically shared easily, however it could be bypassed by reading out the code over the phone etc).
    So, there are a couple of options if you really want to do this, however it's very much an effort/reward scenario, in other words you can spend a huge amount of effort trying to stop people from logging in more than once, but is that effort worthwhile in terms of what you're trying to protect (only you can decide that).
    There are a few other methods I haven't mentioned (I'm sure other people will chime in), however it's definitely an area fraught with potential problems really.
    John.
    http://jes.blogs.shellprompt.net

  • Prevent Login Dialog Box Popup In EssVConnect

    Using VBA code to automate worksheets. Our site updates and switches servers about every 2 hours. Code works great when 'server' is up but when switched and we don't know which one is active, the EssVConnect pops up the Login Dialog box requiring us to switch server names and press OK. This means it is not automated. We want to prevent the box from appearing and get a bad return code instead so we can cycle through all the servers until we find one that is active. Documentation implies it will do this. We have tried setting all messages off (EssVSetGlobalOption(5, 4)) but that does not seem to work for the dialog box. Any suggestions?

    I am trying to remember if there are any issues and I think there is.. If I remember correctly, the EsbInit will not do what you want if called from within Excel VBA when the Essbase add-in is loaded because the C API used within the Excel add-in has already initialized the API with the wrong setting. You could try it..
    Further, the result of EsbAutoLogin is to get a context handle (hCtx). The problem is, then, that you can't use that context handle to do Excel add-in operations. The opposite situation, where you can get the hCtx from a worksheet connected to Essbase is not only possible but is the recommended way to combine the VB API with the Excel add-in. Look at the GetHctxFromSheet function to see how to use that capability.
    The only solution I can think to do what you want to do is to create an ActiveX EXE in VB 6 and have that ActiveX EXE call the EsbInit, etc and validate the server you need to login at a specific time. As it runs in a separate process and loads the Essbase API dlls at your command (EsbInit), you can control everything there. You can then use the CreateObject command in VBA to instance the object and call methods on it; your method will check the login for a specific server and could return the appropriate error message for you so you could validate which server is currently available and then call that server in your EssVConnect call.
    Tim Tow
    Oracle ACE
    Applied OLAP, Inc

  • Various process crashes prevent login to main user account

    Here's a good one. I can't log in to my main user account; here's the recap:
    Computer was acting slow and pausing a lot over past couple of weeks; I put it down to internet slowness at first, but after awhile I began closing down less-critical processes like .mac synchronization, mySQL, etc. Can't recall running any new installs recently, or updates, except perhaps Firefox.
    Checked the logs, saw that my old pal mdimport was crashing repeatedly, like every 15 seconds or so. That will slow things down! So I turned off the Spotlight indexing for all categories, and eventually made the hard disk a private item. mdimport still crashing.
    Ran permissions repair; some problems fixed, nothing too alarming in the logs (I think). Verified the hard disk; no problems found.
    At some point the main account became unable to log me in. The login window accepts a password and disappears, but after a little while a blue screen appears, and the login window returns. I am able to log in using a secondary more-or-less virgin account on this machine, which seems to work fine.
    Console logs reveal the constantly crashing mdimport, triggered anytime I attempt to log in using the main account. Secondarily, the loginwindow process is crashing on login (main account only) and crashdump itself is consistently crashing just afterwards. Occasionally another process called lsregister will crash at the login attempt, sometimes other processes too. More worryingly, there are reported IO errors from the kernel.
    I've reset the pram, I've reset the nvram. I've booted from a 10.5 system disk and re-run disk utility for permissions and repair disk. I tried safe mode.
    I've attempted to rsync my main user account to another computer while booted to target disk mode; rsync (running on the remote machine to which I'm copying the files) copies the many gigabytes in my Documents folder, but chokes consistently at some files in my Library ("former iDisk.dmg", App Support/firefox/profiles/etc, also some Growl files) with "Input/output error (5)."
    Anyone have any good theories? Many thanks in advance.
    --David H

    Thanks for your reply; I checked out the links but nothing seems too directly related. I'm vaguely aware of what mdimport does, but I certainly have seen it crash a lot.
    At this point, I'm finally able to log back in to my main account, which (with some caveats/questions below) seems to be working.
    To get back to this point, I used the terminal utility Applejack to clear caches, check plists for corruption, and clear virtual memory. I also manually deleted a loginwindow plist and some Library/Caches/com.apple.LaunchServices/ files. Something in there seemed to help, and I'm finally back in to the main user account. There was definitely no getting into this account before I tried these steps.
    Applejack is found at http://applejack.sourceforge.net/.
    I still have some troubling log entries, and some blips in several files. While subsequently backing up my user account, rsync consistently tripped on several files in /Library/Application Support relating to Firefox and Growl, in /Library/iCal, and also a couple of image files (out of tens of thousands) in my Pictures folder. So I deleted these files; the only concern so far is the iCal file which was called "corestorage.ics." And now that I've started iCal, it looks like I still have data; but my console log shows about 70 lines of "Calendaring data empty." Ugh. Nothing like losing data but not knowing what was lost.
    Also troubling in the system log: I have several entries of "kernel[0]: disk0s3: I/O error" (though not in the latest reboot cycle). Hard to tell if these belong in the same category as the many cryptic and possibly alarming messages seen there, or if this is a real warning of a failing hard disk, or of other corrupt files the system is running into. Again, disk utility has repeatedly found no problems.
    (Also I have several hundred entries of "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdimportserver: _TIFFVSetField: tiff data provider: Invalid tag "Copyright" (not supported by codec)", which I hope relate to mdimport seeing many jpg images that have copyright metadata. I'm hoping that problem will go away now that they're marked "private" as far as Spotlight is concerned.)
    At least I'm back in the account. I'm trying to decide whether to archive & install system 10.5; I'd prefer to reformat a misbehaving disk, but then you gotta have pretty serious confidence in your backups. Alternatively if the rumors are true I'm hanging on for one of the new laptops; I'd prefer that to replacing the hard drive again in this diabolical case. (Price you pay for sleek, I guess.)
    Time will tell.

  • Temporarily prevent login items while using FileVault2

    Hi everyone,
    In the past you could hold down shift while logging in and this would temporarily disable your login items so no windows would pop up. This still works in 10.9, but only when I am on the regular login screen. I am using FileVault so I have to enter my user password before the boot process and this user will get logged in. How can I achieve the shift key behaviour with FV enabled?
    Thanks
    Björn

    Is it simply not possible?

  • How to prevent login page in same browser when user is already authenticated

    Hello,
    I am using Jdev 11.1.1.6 with ADF security implemented in my application.
    I have Login.jspx that redirects the user to Home.jspx on successful authentication. User can either enter Login or Home Page URL.
    Please consider following scenarios:
    a) User is not authenticated in current browser session
      a.1) if user enters Home page URL then Login page is displayed and redirected to Home page on authentication
      a.2) if user enters Login page URL then Login page is displayed and redirected to Home page on authentication
    b) User is already authenticated in current browser session, a new tab is opened and
      b.1) if user enters Home page URL then it directly shows Home page (already authenticated)
      b.2) if user enters Login page URL then Login page is displayed -- this is the issue, it should either directly take user to Home page or invalidate the existing session and let user proceed with new.
    How do I achieve this? Any help is highly appreciated.
    Thanks,
    Jai

    Thanks Frank and everyone for your help.
    I am able to achieve what Frank suggested using phase listener. We don't have a custom phase listener but I created one and instead of configuring at global level, just defined the ControllerClass in the pageDef of my login page.  
    Code from afterPhase is:
        public void afterPhase(PagePhaseEvent pagePhaseEvent) {
            if (pagePhaseEvent.getPhaseId() == Lifecycle.INIT_CONTEXT_ID) {
                FacesContext fctx = FacesContext.getCurrentInstance();
                String viewRootId = fctx.getViewRoot().getViewId();
                if ("/pages/login.jspx".equalsIgnoreCase(viewRootId) &&
                    ADFContext.getCurrent().getSecurityContext().isAuthenticated()) {
                    try {
                        String homeViewId = "pages/home.jspx";
                        ControllerContext controllerCtx = null;
                        controllerCtx = ControllerContext.getInstance();
                        String activityURL =
                            controllerCtx.getGlobalViewActivityURL(homeViewId);
                        fctx.getExternalContext().redirect(activityURL);
                    } catch (IOException ioe) {
                        _logger.logException(ioe);
                    }
                }
            }
        }
    My only concern here is that I am hardcoding the login and home page url. Is there a better way to implement this?
    Thanks,
    Jai

  • Javascript prevents login

    Recently, perhaps after an upgrade to Safari 5.1.4 (and using Lion) I am having problems signing in to one of my favorite bicycle forums (mtbr.com or roadbikereview.com).  I've discovered that it won't recognize me if I have javascript enabled on Safari.  If I turn off javascript, I can sign in without any problems.  This wasn't always like this and only began happening in the last month.  I can't track down why or what caused it but it's definitely something to do with javascript.  I've tried reinstalling Safari by downloading it from apple.com, but that doesn't work.  I've tried resetting Safari, but that doesn't work.
    I've emailed the website administrators but they don't think anyone else is having a problem and they test it on their own computers.  So, I suppose I need help trying to resolve this as it's quite annoying having to enable and disable javascript just to log in to these two forums that I visit quite often.  Has anyone else had issues with javascript preventing them from being able to log in to a website?  If so, any idea how to fix the problem?
    Thank you

    Does the issue persist with version 5.1.5?
    http://www.apple.com/safari/download/

  • "other password policy" preventing login

    In trying to set up a network account, once I've entered the password and hit OK, I get the error msg: Unable to enable login due to other password policy.    This leaves the account in the "Disabled" status.  I've been all through all the places where I can think would relate to password policy and can't find any issue.  Local accounts are set up and working fine.  Any experience with this "other password policy" would be appreciated.   It just can't be that hard!
    Thanks a bunch.

    I'm having the same problem. One of my users is disabled, and I can't re-enable him due to the error:
    Unable to enable login due to other password policy settings.
    And I'm 100% sure the password adheres to the password policy.

  • [SOLVED] read only filesystem prevents login

    Hi everyone.
    I have this problem after changing from initscript to systemd and adding an external ntfs-3g drive to /etc/fstab. When I log in I get this message and xfce4 doesn't start:
    -bash: /home/bb/.xlog : read-only file system
    ls -la /
         gives output  rwxr-xr-x   for /home
    I also tried
    #mount -o remount,rw /dev/sda4 /
        with no results.
    When I try to change /etc/fstab entries I get an error message saying that system is read-only...
    chmod and chown don't work either with the same error message
    How am I supposed to change something in a read-only system?
    Last edited by memax (2012-11-15 17:39:45)

    I've not removed 'ro' from booting cmd and / is mounted with rw,relatime,data=ordered 0 1   in /etc/fstab  as options

  • Does the update prevent login?

    Hi,
    Just updated Adobe Story App. Now I can't log in. Rebooted etc, internet connection good.
    Any thoughts?
    David

    What’s the error you are getting? Can you send a snapshot to me at [email protected]?

  • Login window crashing

    Hello, I've got an odd intermittent issue.... After entering my (correct) credentials into the login window the login window appears to freeze and prevents login.
    I can move the mouse just fine, but the loginwindow becomes unresponsive. Trying other accounts on the Mac yields the same results. I can drop into a shell by logging in as >console and I can login just fine through safemode.  This had me suspecting third party addins, but the problem persists when all addins (that I could find..) are disabled.  This problem originally happened a month ago and the fix was to remove third party launch agents/daemons.  However the problem surfaced again today with some weirder results. The loginwindow froze, I sshed in and triggered a reboot. The next login attempt caused iCal to pop up through the frozen login window (I also opened quicktime and got a screen recording). I was able to get terminal open via spotlight. I launched Finder manually, but I couldn't get the dock to open. This problem is really annoying because I was using my laptop all day without issue.
    Throughout, the way I've been troubleshooting this is to ssh into the Mac from another Mac and grab the contents of system.log (below). I can see loginwindow crashing out in the log. I can also "kick it" with launchctl but I get the same result.
    I've also run all of Onyx's cleaning routines, manually purged Cache and Application Saved State folders, repaired permissions, and ran Daily/Weekly/Monthly tasks to no avail.
    I really don't want to reinstall Lion if at all possible, any advice would be great. Thank you!
    MacBook pro 15" Mid 2011
    8GB RAM
    Mac OS X 10.7.2 server
    bash-3.2# tail -f /var/log/system.log
    Nov 30 22:57:59: --- last message repeated 1 time ---
    Nov 30 22:57:59 Tesseract loginwindow[421]: Login Window Started Security Agent
    Nov 30 22:57:59 Tesseract airportd[425]: _doAutoJoin: Already associated to “Emerald”. Bailing on auto-join.
    Nov 30 22:57:59 Tesseract SecurityAgent[432]: Echo enabled
    Nov 30 22:57:59 Tesseract SystemUIServer[437]: 3891612: (connectAndCheck) Untrusted apps are not allowed to connect to or launch Window Server before login.
    Nov 30 22:57:59 Tesseract SystemUIServer[437]: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
    Nov 30 22:57:59 Tesseract SystemUIServer[437]: _RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.
    Nov 30 22:57:59 Tesseract com.apple.SystemUIServer.agent[437]: _RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.
    Nov 30 22:57:59 Tesseract com.apple.SystemUIServer.agent[437]: Creating secondary hot key connection failed, 1000
    Nov 30 22:57:59 Tesseract SystemUIServer[437]: ICNInitialize failed: -536870212
    Nov 30 22:58:21 Tesseract SecurityAgent[432]: User info context values set for sonic84
    Nov 30 22:58:21 Tesseract SecurityAgent[432]: Login Window login proceeding
    Nov 30 22:58:22 Tesseract loginwindow[421]: Login Window - Returned from Security Agent
    Nov 30 22:58:22 Tesseract loginwindow[421]: USER_PROCESS: 421 console
    Nov 30 22:58:22 Tesseract applepushserviced[93]: Unable to bootstrap_lookup connection port for 'com.apple.iCalPush': unknown error code
    Nov 30 22:58:22 Tesseract airportd[425]: _doAutoJoin: Already associated to “Emerald”. Bailing on auto-join.
    Nov 30 22:58:22 Tesseract applepushserviced[93]: <APSCourier: 0x7fbdbbb07660>: Stream error occurred for <APSTCPStream: 0x7fbdbda00ff0>: Error Domain=APSTCPStreamErrorDomain Code=-65563 "DNSServiceQueryRecord() failed" UserInfo=0x7fbdbda01c20 {NSLocalizedDescription=DNSServiceQueryRecord() failed}
    Nov 30 22:58:22 Tesseract com.apple.launchd.peruser.501[374] (com.apple.ReportCrash): Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
    Nov 30 22:58:22 Tesseract com.apple.launchctl.Aqua[459]: com.apple.RemoteDesktop.agent: Already loaded
    Nov 30 22:58:22: --- last message repeated 1 time ---
    Nov 30 22:58:22 Tesseract com.apple.launchctl.Aqua[459]: load: option requires an argument -- D
    Nov 30 22:58:22 Tesseract com.apple.launchctl.Aqua[459]: usage: launchctl load [-wF] [-D <user|local|network|system|all>] paths...
    Nov 30 22:58:22 Tesseract loginwindow[421]: -[__NSCFConstantString count]: unrecognized selector sent to instance 0x107fe38e0
    Nov 30 22:58:22: --- last message repeated 1 time ---
    Nov 30 22:58:22 Tesseract loginwindow[421]: (
                        0   CoreFoundation                      0x0000000107e90286 __exceptionPreprocess + 198
                        1   libobjc.A.dylib                     0x0000000107cfdd5e objc_exception_throw + 43
                        2   CoreFoundation                      0x0000000107f1c4ce -[NSObject doesNotRecognizeSelector:] + 190
                        3   CoreFoundation                      0x0000000107e7d133 ___forwarding___ + 371
                        4   CoreFoundation                      0x0000000107e7cf48 _CF_forwarding_prep_0 + 232
                        5   loginwindow                         0x00000001056b72c9 loginwindow + 74441
                        6   loginwindow                         0x00000001056b7293 loginwindow + 74387
                        7   loginwindow                         0x00000001056b4646 loginwindow + 63046
                        8   CoreFoundation                      0x0000000107e7fa1d -[NSObject performSelector:withObject:] + 61
                        9   Foundation                          0x00000001071aae44 __NSThreadPerformPerform + 214
                        10  CoreFoundation                      0x0000000107dfeb51 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
                        11  CoreFoundation                      0x0000000107dfe3bd __CFRunLoopDoSources0 + 253
                        12  CoreFoundation                      0x0000000107e251a9 __CFRunLoopRun + 905
                        13  CoreFoundation                      0x0000000107e24ae6 CFRunLoopRunSpecific + 230
                        14  HIToolbox                           0x000000010c4be3d3 RunCurrentEventLoopInMode + 277
                        15  HIToolbox                           0x000000010c4c563d ReceiveNextEventCommon + 355
                        16  HIToolbox                           0x000000010c4c54ca BlockUntilNextEventMatchingListInMode + 62
                        17  AppKit                              0x0000000105e233f1 _DPSNextEvent + 659
                        18  AppKit                              0x0000000105e22cf5 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 135
                        19  AppKit                              0x0000000105e1f62d -[NSApplication run] + 470
                        20  loginwindow                         0x00000001056aa142 loginwindow + 20802
                        21  loginwindow                         0x00000001056a9bf0 loginwindow + 19440
    Nov 30 22:58:22 Tesseract com.apple.launchd.peruser.501[374] (com.apple.launchctl.Aqua[459]): Exited with code: 1
    Nov 30 22:58:22 Tesseract UserEventAgent[17]: CaptiveNetworkSupport:CNSServerRegisterUserAgent:187 new user agent port: 48435
    ^C
    bash-3.2# launchctl unload /System/Library/LaunchDaemons/com.apple.loginwindow.plist
    bash-3.2# launchctl load /System/Library/LaunchDaemons/com.apple.loginwindow.plist
    bash-3.2# reboot

    Well I may have answered my own question. I removed the contents of /Library/Internet Plug-ins and removed third-party preference panes. I can login just fine now.
    Oddly, I can still login just fine after re-installing fresh copies of said plugins and preferences...
    Here is a link to the movie I mentioned in my last post (~7MB): http://www.sonic84.com/files/LoginWindowCrashing.mov
    for the record, I removed:
    Pref panes:
    Flash Player
    Flip4Mac WMV
    MacFUSE (Tuxera)
    Perian
    Tuxera NTFS
    Internet Plugins:
    CitrixICAClientPlugIn.plugin
    Flash player.plugin
    Flip4Mac.plugin
    JavaAppletPlugin.plugin
    QuickTime.plugin
    SharePointBrowserPlugin.plugin
    SharePointWebKitPlugin.webplugin
    Silverlight.plugin
    flashplayer.xpt
    iPhotoPhotocast.plugin
    nsIQTScriptablePlugin.xpt

  • Login items - not in user prefs

    My wonderful imac os x - tiger 10.4.7 opens 3 items (safari, mail and ichat) that are not in the startup items list.
    As the initial login takes ages I want to remove them, but as they don't appear in the list under accounts/login items I can't.
    I have tried adding them so they do appear and then deleting them, but that doesn't fix it, they still open on login.
    Any ideas how I can fix this.

    "Login Items" can be specified in at least three different places. The usual one (written to by the "Accounts" pref pane) is the "~/Library/Preferences/loginwindow.plist" file in each user's "home" folder, but if the items aren't appearing in the pref pane, they are probably listed in one of the other locations.
    The other user-specific file is in the "~/Library/Preferences/ByHost" folder, and is called the "loginwindow.xxx.plist" file, where the "xxx" usually represents the MAC address of the built-in ethernet card, so will vary from computer to computer. If present, try moving or deleting that file to see if that prevents the unwanted items from opening.
    The computer's main "/Library/Preferences" folder can also contain a "loginwindow.plist" file, but any items listed in that file will open at login for all users. "Admin" privileges will usually be required to remove or make changes to this file.
    Also, note that a computer's administrator can set up "login items" for "managed" users, through 'mcx_settings'. Again, this isn't something that an individual user can override themselves.
    This probably isn't what you are after, but unless explicitly prohibited in 'mcx_settings', it also is possible during any given log in to prevent login items from opening by holding down the "Shift" key while logging in, but it would be necessary to do this every time.

  • Making an account unable to login, but available over network

    I have the same group of employee user accounts on all iMacs in my airport network, but I would like to prevent certain users from logging into certain machines. Changing the account password on the forbidden machine is not the answer, since the users need to access files on the machine through the network (connecting as their own username). Long ago there was a simple way to prevent login to a valid account. Is that still possible?

    So it sounds like you want to give other users access for file sharing, but not the ability to log in while physically sitting in front of the machine. If the file sharing is over AFP, a "sharing only" account may be suitable in this scenario:
    ..."You can share files on your computer with other users on a network by creating a sharing only account. A sharing only account allows users to connect with your computer just like a server. However you cannot physically log into a computer using a sharing only account name like you can with most other accounts."...
    http://docs.info.apple.com/article.html?path=Mac/10.5/en/11776.html
    It also may be necessary to configure individual shared folders appropriately and place the items to be accessed within them (see "System Preferences" > "File Sharing" > "Shared Folders").

  • How to survive an ACS audit with aaa-reports!

    For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
    It's no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack of awareness over best practice for running ACS in a secure way. We'd like to help in our small way and below is a list of tips we've picked up over the years of providing reporting services for ACS.
    Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
    Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
    Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
    Create a Change Control system for config changes on the ACS. Since it's ACS that decides who gets access and what commands they run on your network it's vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
    Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you don't need this amount, but during an audit you may be required to show what happened on a specific historic date. aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
    Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time - using a more recent ACS database might yield unexpected results because the configuration is likely to have changed in the meantime. Use csvsync to regularly grab the ACS database and keep them alongside the retained CSV logs for future reference.
    Review the quality of ACS log data. From time to time it's worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data" - essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
    In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating that not only is there specific and adequate policy to control access to those parts of the network that require it, but also to seek evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
    Below are some additional TDA specific tips:
    Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detail report can be used to inspect the policy in detail.
    Check for user-level overrides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report lists users with group overridden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
    Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
    Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand what the intent of the policy is by its name. aaa-reports! can document both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
    Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
    Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) it's also possible to use a rich array of formatting and other VB6 functions to create additional fields.
    The above list is of course by no means definitive as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesn't have to be awful!
    For more information on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm
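
One way to check for the "junk data" problem described in the post above, as an added example that is not extraxi's or Cisco's code: it counts failed attempts per user and device per day in a CSV export and flags any source that dominates that day's log. The column names, thresholds and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

def build_sample():
    """Constructed Failed Attempts export; column names and values are assumed."""
    rows = ["Date,Time,User-Name,NAS-IP-Address,Authen-Failure-Code"]
    # A scripted job producing one failed attempt per line of the script.
    for i in range(40):
        rows.append(f"03/01/2024,02:00:{i:02d},cfg-backup,10.0.0.5,CS password invalid")
    rows += [
        "03/01/2024,09:14:10,alice,10.0.0.9,CS password invalid",
        "03/01/2024,09:14:31,alice,10.0.0.9,CS password invalid",
        "03/01/2024,11:02:45,bob,10.0.0.7,CS user unknown",
    ]
    return "\n".join(rows) + "\n"

def find_noisy_sources(csv_text, min_count=20, min_share=0.5):
    """Return (date, user, nas, count, share) for sources dominating a day's failures."""
    per_source = Counter()
    per_day = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        day = (row.get("Date") or "").strip()
        user = (row.get("User-Name") or "").strip()
        nas = (row.get("NAS-IP-Address") or "").strip()
        if not (day and user and nas):
            continue  # skip truncated or malformed lines
        per_source[(day, user, nas)] += 1
        per_day[day] += 1
    findings = []
    for (day, user, nas), count in per_source.items():
        share = count / per_day[day]
        if count >= min_count and share >= min_share:
            findings.append((day, user, nas, count, round(share, 2)))
    # Largest contributors first, so the worst offender is reviewed first.
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for finding in find_noisy_sources(build_sample()):
        print(finding)
```

Run it against each retained CSV before import so that a misbehaving script is fixed at the device rather than filtered out of reports months later.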


  • Some Tabs Not Working in System Preferences

    Mac Pro E2008 14Gb/2Tb.  Installed Mavericks over OS X 10.8.4 with no problems.  Was having some problems with selected fonts not showing up in Pages 5.0.  Ran some font diagnostic software, which isolated some problem fonts.  Subsequent to this I noticed that some Tabs do not work in some preference panes.  In particular, the advanced tab in Security and Privacy does not work and the advanced tab does not work in Network Preference pane.  Neither does the + tab in that pane but the - does.  Also cannot edit the three locations that I have in my system.
    Found that all is restored when logged into the root account and also into a Maintenance admin account.  I also ascertained that in my faulty account, after taking out the login items plist and starting with no login items, the fault was still there.  Similarly booting into safe mode did not restore the faulty tabs.  I ran font book and deleted all questionable fonts and moved all the user fonts to the /library/fonts folder.  After each action I restarted rather than logging out.  I have tried deleting the systemuiserver.plist and removing the relevant network plists from the user/library/preferences folder.  I have also removed the com.appl.network.eapoiclient.plist and com.apple.systempreferences.plist.  I have also made invisible files visible and gone through the whole system folder/library folder and ~/library folder and deleted old preferences and obsolete files back to 2004 with the result that my system now loads very much quicker, which is an obvious bonus.  However, the problem still remains and is obviously something to do with the main user account.  If I go into root or my maintenance account, I can change or edit some settings which "stick" when I log back into my main account.  I have carried out the mail and iBook update in the mean time which has not changed anything.
    I have also run diskwarrior and corrected the disk directory, repaired permissions, reset ACLs and emptied various caches using tinker tool system and mavericks cache cleaner.  I have I think very thoroughly inspected the library and ~/Library folders.
    So, synopsis  (1) Definitely the main account.  (2) No logins or safeboot are not the culprits. 
    Whilst not earth shattering and hopefully 10.9.1 may solve the problem, I would be very grateful if anyone could add any further possible problem areas to look at or suggest possible further solutions. 
    <Email Edited By Host>

    Hey there, sounds like you've done a lot of the groundwork already, although it's not entirely clear what about the preference panes isn't working. There is further isolation that could be performed; however, if the issue is isolated to your user account as you mentioned, then renaming the home folder library preferences, logging out and back in (preventing login items if any) and testing may give you the results you are looking for. If that works I would copy the files from the renamed Preferences folder *not replacing* existing files when prompted (of course if it doesn't work replace the existing Preferences folder with the original renamed Preferences entirely). The same type of troubleshooting also applies to the user library itself; however, please be careful about launching apps after renaming the ~/library or the contained prefs folder and before copying unaffected plists and/or supporting files back, as unexpected results may follow (i.e. lost or missing data). Also if you are eligible for support (which you almost certainly are as you have very recently installed a new OS) I'm sure Applecare may help find a solution.
