Preventing "unavailable" (or locked) users from logging in

Similar Messages

• Deny local admin users from logging on (or at least restrict them)

  I have a fully managed environment (AD authentication, using managed preferences from OD) that I am testing before rollout.
  My concern is that once preferences are managed, admin users will be able to create local admin accounts (I can't block the accounts pane otherwise users will not be able to change their passwords), then login and bypass preference management.
  Is there a way for local admin accounts logging on to inherit a default set of preferences that are only applied when a local account (or someone not in one of my directory groups) logs in, or better still - DENY local admins from logging in, or deny anyone from being able to create new local accounts?
  (Please don't suggest denying the users admin rights - it's not possible for political reasons).
  Many thanks in advance!
  FZ.

  There is no root or admin privilege that controls root or admin privilege. You have it, or you don't.
  I've been in exactly this case many years ago, and with replete with the politics of privileges and perceived prestige.
  I ended up documenting the foibles of the privileged folks and the time spent on recovery and restoration and related for each event, and waiting for a sufficient accumulation of same (and that didn't take very long), and I then preemptively yanked the access.
  Yes, the good folks squawked. Loudly. Yes, I got called onto the carpet.
  The Designated Responsible Individual (DRI) was then left to ruminate and make a decision, and (with the assistance of the foibles-related documentation around the efforts and time and costs) made the call. The proffered alternative (with the costs and the design and time estimates ready) with a private subnet or private LAN and private services and and a dedicated firewall configured between the privileged folks and the production LANs to keep the good folks safe and secure. Here's what that'll cost...
  Either way, you've punted the responsibility and the decision up the management chain to the DRI.
  (Oh, wait, did I mention which way that firewall was going to be facing? No? Oops. Bummer.)

• Problems restricting AD users from logging in

  We previously had a Snow Leopard Server/client setup and used the magic triangle, placing AD users in an AD group and then nesting this within an OD group in Workgroup Manager.  This group was then given access to logon to our clients in the computer group pane (login preference > access) of workgroup manager and all other users were automatically dissallowed.  This worked perfectly and our system relies on this mechanism.
  Having replaced this system with Mountain Lion Server latest release and 10.8.4 clients, the same setup is not working.  We have not extended the AD schema (just for info).
  To restrict access to our clients to a particular user group, we place the users in the AD group, nest the AD group in the OD group and it appears to break the preference and give access to everyone.
  I have tried some other combinations to determine where the problem lays.
  1.     I explicitly give access to a single AD user - the single AD user can log in and no other users can log in.  This is working.
  2.     I explicitly give access to a single AD user and a deny to a second user.  The single AD user can log in, the second user cannot log in.  Other users cannot log in.  This is working.
  3.     I give access to a single OD group containing a nested AD group containing the single AD user that had access in (2).  I also explicitly deny a second user.  Now all AD users can log in except the one user I denied.  This is broken.  All users not in the nested AD group should be denied access.
  4.     I give access to the nested AD group directly instead of nesting within the OD group.  I also explicitly deny a second user.  Now all AD users can log in except the one user I denied.  This is broken and the same result as (3).
  There are some other quirks in Workgroup manager regarding the AD groups and users.  If I add an AD user directly to an OD group then it is displayed correctly until I change tab.  If I return to the tab again the name is "Not Found" with a "target" icon displayed to the left.  The ID is hexidecimal string.  The same occurs with AD groups.  I have read about this and the suggestion was to change the AD user groups to domain.local groups rather than global groups.  I did this and the AD groups then display correctly but this has not solved the login problem.
  If I use the Server.app to view the users and groups they show up correctly including an AD users added directly to the OD groups so this is better than workgroup manager but I cannot restrict access to the clients using Server.app.
  If anyone has any ideas of how to deal with this or workarounds I would really appreciate it.

  Methinks you should be posting to the server forum.

• How can I prevent ordering unless a user is logged in?

  I am trying to modify a WebTools system that any visitor can browse the products but ordering can only be carried out by logged in users.  Is there some existing piece of code I can wrap around the "add to basket" icon, for example, that will only display it when a user is logged in?
  I appreciate I may have to write some custom code which I have no problem in doing.  What variables to I need to check for to find out if a user is logged in?
  Thanks for any help.
  Regards
  C

  Hi,
  You should add this code to PartsListBlock.ascx, PartPriceBlock.ascx, search.aspx.
  On PartsListBlock.ascx and search.aspx you just need to hide column add to cart and price:
    if (userID != "") {
               PartsListGrid.Columns[7].Visible = true;
               PartsListGrid.Columns[8].Visible = true;
              } else {
               PartsListGrid.Columns[7].Visible = false;
               PartsListGrid.Columns[8].Visible = false;
  on PartPriceBlock.ascx you need to hide price and add to cart button:
               if (userID != "") {
                  sysOriginalPrice.Visible = false;
                  AddButton.Visible = true;
              } else {
                  sysOriginalPrice.Visible = false;
                  AddButton.Visible = false;
  Greg.

• Having problem with svchost.exe/ntdll.dll errors causing GPSVC (Group Policy Client) to crash preventing users from logging into the server.

  Recently (within the past 2 weeks) I have noticed a few of our servers will have problems with the svchost.exe application causing the GPSVC (Group Policy Client) to crash. The only fix at that point is to reboot the server since the GPSVC service is tied
  to svchost.exe and therefore is protected from being manually restarted.
  I noticed the following errors when this occurs:
  Log Name:      Application
  Source:        Application Error
  Date:          7/23/2013 4:35:26 AM
  Event ID:      1000
  Task Category: (100)
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      Server1.xxx.xxx.net
  Description:
  Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
  Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
  Exception code: 0xc0000024
  Fault offset: 0x00000000000cd7d8
  Faulting process id: 0x46c
  Faulting application start time: 0x01ce877f9476ac07
  Faulting application path: C:\Windows\system32\svchost.exe
  Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
  Report Id: d252d26d-f372-11e2-8ad4-005056ac00e8
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Application Error" />
      <EventID Qualifiers="0">1000</EventID>
      <Level>2</Level>
      <Task>100</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2013-07-23T08:35:26.000000000Z" />
      <EventRecordID>158950</EventRecordID>
      <Channel>Application</Channel>
      <Computer>AAW19XM2.agency.nwie.net</Computer>
      <Security />
    </System>
    <EventData>
      <Data>svchost.exe</Data>
      <Data>6.1.7600.16385</Data>
      <Data>4a5bc3c1</Data>
      <Data>ntdll.dll</Data>
      <Data>6.1.7601.17725</Data>
      <Data>4ec4aa8e</Data>
      <Data>c0000024</Data>
      <Data>00000000000cd7d8</Data>
      <Data>46c</Data>
      <Data>01ce877f9476ac07</Data>
      <Data>C:\Windows\system32\svchost.exe</Data>
      <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
      <Data>d252d26d-f372-11e2-8ad4-005056ac00e8</Data>
    </EventData>
  </Event>
  All of our servers are running Server 2008 R2 Enterprise where we use Citrix to deliver desktop sessions to our users, but some are virtual and some are physical. This seemingly impacts our virtual machines more, and our VMs are hosted through VMWare, however,
  about 5 months ago a similar error fired on a non-virtual machine:
  Log Name:      Application
  Source:        Application Error
  Date:          2/27/2013 6:57:58 AM
  Event ID:      1000
  Task Category: (100)
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      AAW29033
  Description:
  Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
  Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
  Exception code: 0xc0000024
  Fault offset: 0x00000000000cd7d8
  Faulting process id: 0x6c0
  Faulting application start time: 0x01ce14e1af313fd9
  Faulting application path: C:\Windows\system32\svchost.exe
  Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
  Report Id: ed3d01c4-80d4-11e2-9128-b499baa9e5e8
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Application Error" />
      <EventID Qualifiers="0">1000</EventID>
      <Level>2</Level>
      <Task>100</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2013-02-27T11:57:58.000000000Z" />
      <EventRecordID>286291</EventRecordID>
      <Channel>Application</Channel>
      <Computer>AAW29033</Computer>
      <Security />
    </System>
    <EventData>
      <Data>svchost.exe_gpsvc</Data>
      <Data>6.1.7600.16385</Data>
      <Data>4a5bc3c1</Data>
      <Data>ntdll.dll</Data>
      <Data>6.1.7601.17725</Data>
      <Data>4ec4aa8e</Data>
      <Data>c0000024</Data>
      <Data>00000000000cd7d8</Data>
      <Data>6c0</Data>
      <Data>01ce14e1af313fd9</Data>
      <Data>C:\Windows\system32\svchost.exe</Data>
      <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
      <Data>ed3d01c4-80d4-11e2-9128-b499baa9e5e8</Data>
    </EventData>
  </Event>
  I've searched and cannot seem to find any information as to what may be causing this, or even really where to start. Would someone be able to help me identify what might be causing this event, specific with the Exception code: 0xc0000024, which causes
  the Group Policy Client service to stop?

  You still out there looking at things? If so I have an update. The issue hasn't stopped, even though it did seemingly die down for awhile, however, it is now back with a vengeance.
  I am able to force it to happen by killing the svchost process that is hosting GPSVC. If I run gpupdate /force, then logout/login it does get GPSVC running again. Furthermore, if I simply start svchost again via the Task Manager GPSVC starts running again.
  When I access the server remotely with KVM it acts just like it does as if I'm logging into it via Citrix/RDP which for Admin IDs gives an error saying "Failed to connect to a windows service. Windows could not connect to the Group Policy Client service...",
  however, normal user accounts just get a message when logging into the server "The Group Policy Client Service Failed the Logon. Access is denied."
  I haven't opened a case with Microsoft yet, but we about ready to because of the increase in these errors.
  If you have any further suggestions that would be great, otherwise I'll provide an update once I get word back from Microsoft.
  **EDIT -- apparently I mistook the the server's SCM's actions as my own. I was able to successfully crash the GPSVC service by killing the hosting svchost process, however, after I crashed it and let it sit crashed for awhile when I attempted
  to restart either by starting a svchost task, or running gpupdate /force it failed. Either that, or there is a timing issue where if we don't restart the svchost process, or run gpupdate /force quickly enough it won't be able to recover without a reboot.

• How do I prevent users from logging into my machine in single user mode?

  I established an standard accounts for my family.  My son figured out that if he logs into the machine in Single User mode that he logs in as the root user.  He then proceeded to create another user with administrative privileges and change his account to administrator then delete the other account.  Funny thing about this is that as much as OS X is secure from outside threats a simple command-s gets you right into the very heart of the machine......

  You can set a firmware password. The firmware password only allows you to start up in normal mode, so if you try to start in single-mode user or safe mode, your Mac will ask you for a password.
  The process to turn it on depends on the OS X version you have. Open  > About this Mac, check the Mac OS X version and follow the steps depending on your OS X version.
  If you have 10.7 or 10.8:
  1. Hold Command and R keys while your Mac is starting up.
  2. After starting up into OS X Utilities, go to Utilities menu (on the menu bar) > Firmware Password Utility, and enable the firmware password.
  3. Restart the Mac.
  If you have 10.6 or older:
  1. Insert the Mac OS X disc and hold the C key while your Mac is starting up.
  2. Choose your language, go to Utilities menu (on the menu bar) > Firmware Password Utility, and enable the firmware password.
  3. Restart the Mac.
  Also, this will protect your Mac against thieves because they won't be able to erase the hard drive without knowing the firmware password. Don't forget the password, because only Apple can reset it if you don't know this password

• Way to prevent certain OD users from logging into certain computers?

  Hi, I have a machine group of computers I don't want some network users logging into.  Can I do this somehow? 

  Hi
  Yes.
  Select the desired Computer Group. Click on the Preferences Icon. Click on the Login Icon. Click the Access Tab. The rest should be fairly obvious.
  HTH?
  Tony

• Virus preventing users from logging in?

  Over the weekend our anti-virus began sending out alerts about blocked web traffic, This morning when I came in I looked at the computer, when I got to his desk the user was trying and failing to login. Having locked out his account with so many failed attempts I used my credentials to login and was told my username and password was incorrect (I verified multiple times I hadn't miss typed anything). I went back to my desk and used RDP to connect and login. Ran multiple virus scans and cleaned around 50 viruses. I am still unable to login using correct credentials. Are the login issues related to the amount of viruses or are they just coincidentally. 
  This topic first appeared in the Spiceworks Community

  I have a userwho recently got a new windows 7PC and was wondering if its possible to transfer the saved password off their old windows 7PC.I having searching and used easy transfer a few reg edits as well as the following:http://backsettings.com/internet-explorer-backup.htmlhttp://www.nirsoft.net/utils/internet_explorer_password.htmlhttp://mozbackup.jasnapaka.com/http://www.nirsoft.net/utils/pspv.htmlI have nosuccess. Although I am aware that usersneed to know their passwords and notbe relying on Internet Explorer to remember it for them. This user is the owner of the company and I told him I would explore every option.

• Using TMG to prevent non windows domain users from accessing internet

  Hello!
  I'm using Windows server 2008 and use it to run my company's Domain and I have a copy of TMG Server 2010
  My question is if I installed the TMG on the my Domain server can I use it to prevent internet access for Non-Domain computers, and how it is done, I've looked around the internet but I couldn't find a way to do it so I thought I should ask here...
  Basically can TMG stop non-domain computers from accessing the internet ?
  thank you!

  Hi,
  configure all clients to Webproxy clients and create Firewall policy rules which allows HTTP and HTTPS only for windows users and groups from your Active Directory
  best regards Marc Grote - www.it-training-grote.de

• Lock user from disabling ssh?

  Our users use local accounts on each machine. Some of them like to disable ssh. Any way to lock them out of changing these preferences? They are admin accounts.

  Aside from going down the route of client management, you could set up a root crontab which simply switched on SSH every hour or whatever. You may even be able to push the crontab out to the machine (as file /var/cron/tabs/root) via ARD (but I've never tried rewriting the actual crontab file - so be warned).
  so line in crontab...
  @hourly /sbin/service ssh start
  Has to run as root (I think) rather than in user's crontab.
  -david

• How to Stop Certain Users from Logging in to The Wiki?

  While the Wiki Server in Mountain Lion Server allows me to restrict who can create new wikis, it does not seem to allow me to restrict who can login. If I setup a 'Test User', and give this user access only to the FTP service on the server, this user can still use his credentials to login to the Wiki. In fact, every user that is listed on server - for any service - can login.
  Once logged in, even if the user has been prohibited to create new wikis, they seem to still be given a 'my documents' space on the wiki server, in which they can create pages, and where they can still upload files.
  There are, therefore, several users that I don't want to be able to login to the wiki, at all. Can wiki login access be restricted?

  Try:
  1) create users and uncheck access to all services for each user,
  2) create a group with access to File Sharing and FTP,
  3) edit the group to add users, then
  4) Create Group Wiki
  Does that get you closer to the behavior you seek? Users will still see the main Wiki page, but won't have access to any of the individual wikis unless they're a member of that group's Wiki.

• Will binding to AD stop local users from logging in?

  Hi,
  If I bind to an Active Directory domain with the Directory Utility, what will this do to the local existing users? Will they still be able to login afterwards?
  Thanks for any help,
  Richard

  Methinks you should be posting to the server forum.

• Preventing windows XP from logging into Load Balancer

  With Windows XP support essentially ended earlier this year, I was wondering if there was a way to prevent a computer running XP from logging into my hosted environment via RDP (Terminal Services 2008R2) protocol. Let's say for example that someone has a
  windows XP machine compromised with a key logger...I would need a way to prevent that computer from logging into my environment.
  I've looked at trying to get a GPO to block RDP Client settings based on protocol however XP and Vista share the same V7 RDP protocol.
  Any Suggestions?
   

  Hi,
  Thank you for posting in Windows Server Forum.
  From your description it seems that you want to block particular windows XP computer to access the RDS Server. If this is the case, then you can do following different steps.
  You can configure RD Gateway with RD CAP and RD RAP policy to control the access from computers and users and force the computer to use the RD Gateway setting.
  The other one, you can filter traffic in your router or firewall to deny traffic to the terminal server from certain ports or IP addresses. (Quoted form below thread).
  More information.
  exclude computers from access to terminal server
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/09695fb9-3344-4f0a-b8c9-2c48c1704e5b/exclude-computers-from-access-to-terminal-server
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• To lock users in ALV list using BAPI

  hi
  i've displayed a list of users who are not logged for 90 days on ALV and i want to lock selected users on that particular list using BAPI.
  help me with this
  regards
  pradeep

  Hi,
  Provide a checkbox on ALV to select records for locking. Provide LOCK button. When this button is clicked call BAPI : BAPI_USER_LOCK. This will lock the user from logging to sap.
  To unlock use bapi : BAPI_USER_UNLOCK.
  Best regards,
  Prashant

• Hide locked users in UWL people search

  Hi,
  I would like to hide the locked users from displaying in the UWL people search results for example while selecting an assignee during Forward task or selecting a nominee during Substitution.
  Based on the SDN search does not looks like we can modify the standard WD components for UWL such as UWLUserAction or UWLSubstitution. Is there any other way of achieving this? Appreciate all help.
  Thanks!!

  If you want to customize the UWL substitution people picker search results, please refer to the following blog:
  How To Customize UWL Substitution People Picker Search Results
  If you want to restrict the users available when setting up substitution, please see the following link:
  http://wiki.sdn.sap.com/wiki/pages/viewpage.action?pageId=202081897
  Also, have a look at the following thread:
  Re: Substitution Rules in UWL
  In the forum link above, Jigar mentioned a way to control the substitution from the HRUS_D2 table in the backend system. This seems to be a viable option to me.
  Hope that helps !!
  Thanks,
  Shanti