Pwpolicy won't disable a local user account login!
Hello everyone. I have two Macs. One Mac is running OS 10.4, the other is 10.5. Neither of these computers is remotely managed, nor are they bound to an Open Directory server. I have one local administrative account on each computer that I want to leave on the computer but disable login access for. I'm trying to use the command:
pwpolicy -a shortNameOfAdministratorAccount -u shortNameOfAccountToChange -setpolicy "isDisabled=1"
When I enter this in the terminal it asks for my administrative password for the account specified in shortNameOfAdministratorAccount. Once I enter it and press return the command returns no errors, just returns to the prompt. However, I can go back to the login window, click on the account I'm trying to disable, type in the password, and I can log in. I've tried running this command under different accounts, a root shell, etc. Nothing seems to work. Any suggestions? Thanks.
xnav wrote:
I get this:
Path:~$pwpolicy -n /Local/Default -getglobalpolicy
usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0
Re. Tiger working without server, see [this|http://lists.apple.com/archives/fed-talk/2007/Dec/msg00035.html]. You may want to try the global query using 'sudo'.
You get that without sudo, though?
Interesting link. However,
sudo pwpolicy -n /NetInfo/DefaultLocalNode -getglobalpolicy
Password:
*Error: eDSInvalidRecordName : (-14133) for dsDoDirNodeAuth
Method = dsAuthMethodStandard:dsAuthGetGlobalPolicy
/NetInfo/DefaultLocalNode
- cfr
Similar Messages
-
How to disable a local user account ?
Does someone know that ?
Thanks in advance,
p.a
Hey p.a., thanks for the info. I did a little research myself and found two documents by Apple which deal, besides others, with this. Just want to share this info for future reference: 1) [Mac OS X Server User Management|http://images.apple.com/euro/server/macosx/docs/UserManagementv10.5.mnl.pdf] and 2) [Mac OS X Server Command-Line Administration|http://images.apple.com/server/macosx/docs/CommandLine_Adminv10.5.pdf].
I quote from the first (p.60).
*Disabling a User Account*
To disable a user account, you can:
--> Deselect the “User can access account” option in the Basic pane in Workgroup Manager.
--> Delete the account.
--> Change the user’s password to an unknown value.
--> Set password options to disable login. This applies to user accounts with the password type Open Directory or Shadow Password.
From the Command Line
You can also disable a user account using the dscl and pwpolicy commands in Terminal. For more information, see the users and groups chapter of Command-Line Administration.
I prefer the method via Workgroup Manager as part of the [Server Admin Tools|http://www.apple.com/support/downloads/serveradmintools1053.html]. There was some disagreement on whether the Workgroup Manager works on a client version machine some time ago, but I can confirm that it works really well on clients, too. (Hint: To start the Workgroup Manager for a local computer, type "localhost" as address - without the quotation marks.)
And again, the guide for Command-Line Administration states (p.106):
*Preventing a User from Logging In*
Sometimes it is necessary to revoke a user’s ability to access the computer. This involves preventing the user from logging in and then terminating the user’s processes. The latter can be done by forcing the user to log out and then killing remaining processes, or by just killing the user’s processes.
To prevent a user from logging in:
Disable the user account by entering the following command:
$ pwpolicy -a diradmin -u ajohnson -setpolicy "isDisabled=1"
Replace ajohnson with the short name of the user account and replace diradmin with the short name of your domain administrator account.
Note: The pwpolicy command only works for LDAP/Password server users. For a local user, use Workgroup Manager or the Accounts pane of System Preferences.
Regards,
floba
(MN428)
Local user account is trying to authenticate against domain controller
Hi all. I am seeing a weird user logon issue on one of my laptops and on another user's PC. Both the laptop and the PC are members of our domain. However, on this particular laptop and PC, we are not logging in with a domain user account; rather, we've created a local user account, granted it local admin access, and log in with this local user account. Now, on my domain controller, I am seeing a bunch of account login failure messages, which happen a few times per minute and are filling up the domain controller security log. For the laptop, this is a clean build, with a fresh Windows 7 installation, along with MS Office 2010 and a few third-party applications (e.g. Adobe Reader, 7-ZIP, etc.). I've checked all group policies to ensure there are no services or connections requiring domain credential access that have been applied to this laptop (or the PC). I am not sure why this local user is trying to authenticate to our domain controller. This user account doesn't exist in our domain. The only thing I can think of is that Microsoft Outlook 2010 might be doing background authentication against the domain controller using the currently logged-in user account; I just can't confirm this. Has anyone encountered this issue in their environment?
Thank you.
Below is a copy of the event.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 13/06/2014 8:56:27 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: domaincontroller.mydomain.local
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: dummy
Account Domain: l-sparet400sc
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: L-SPARET400SC
Source Network Address: 192.168.2.181
Source Port: 60720
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
<EventRecordID>299829083</EventRecordID>
<Correlation />
<Execution ProcessID="488" ThreadID="640" />
<Channel>Security</Channel>
<Computer>domaincontroller.mydomain.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">dummy</Data>
<Data Name="TargetDomainName">l-sparet400sc</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">L-SPARET400SC</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.168.2.181</Data>
<Data Name="IpPort">60720</Data>
</EventData>
</Event>
It's the service which is using the account info and authenticating against the DC to obtain a service ticket, and it fails.
The interesting log section is the NULL SID, which doesn't correspond to any account name.
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
And the below section explains that the request is made over the network, which is most of the time by the service:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
The below is assumed to be performed on a client which does not run mission-critical production applications and which has zero impact when you perform the below actions.
Can you disable:
a) Server service
b) Workstation service
c) Disable RPC dependent service and services which depend on RPC and test
Question:
What is the level of DC hardening you have in your environment ? -
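One way to triage the event posted above in Python, added here as an example and not part of the original posts: it parses the 4625 Event XML, decodes the Sub Status, and flags the case where the account domain the client supplied is its own workstation name, meaning credentials for a machine-local account were offered over the network. The function names and the trimmed sample event are assumptions of this example; the field values are the ones in the posted event.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes commonly seen in the SubStatus field of event 4625.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000072: "account is disabled",
    0xC0000234: "account is locked out",
}

# Trimmed copy of the event posted above (same values, fewer fields).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<EventID>4625</EventID>
<TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
<Computer>domaincontroller.mydomain.local</Computer>
</System>
<EventData>
<Data Name="TargetUserName">dummy</Data>
<Data Name="TargetDomainName">l-sparet400sc</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">L-SPARET400SC</Data>
<Data Name="IpAddress">192.168.2.181</Data>
</EventData>
</Event>"""


def parse_4625(xml_text):
    """Return the EventData name/value pairs of one 4625 event, plus the
    name of the computer that logged it."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4625":
        raise ValueError(f"not a 4625 event: {event_id}")
    fields = {
        d.get("Name"): (d.text or "").strip()
        for d in root.findall("e:EventData/e:Data", NS)
    }
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return fields


def triage(f):
    """Reduce one parsed event to the facts needed to find its origin."""
    sub = int(f["SubStatus"], 16)
    return {
        "source": f["IpAddress"],
        "account": f["TargetDomainName"] + "\\" + f["TargetUserName"],
        "reason": SUBSTATUS.get(sub, f"unmapped sub status {sub:#010x}"),
        # Logon type 3 with the NTLM package: a network logon, not someone
        # typing a password at the domain controller's console.
        "network_ntlm": f["LogonType"] == "3"
        and f["AuthenticationPackageName"] == "NTLM",
        # The account domain equals the client's own machine name, so the
        # client offered a machine-local account the DC cannot know.
        "local_account_presented": f["TargetDomainName"].lower()
        == f["WorkstationName"].lower(),
    }


def summarize(xml_events):
    """Count failures per (source address, account) to rank noisy clients."""
    counts = Counter()
    for xml_text in xml_events:
        t = triage(parse_4625(xml_text))
        counts[(t["source"], t["account"])] += 1
    return counts


if __name__ == "__main__":
    for key, value in triage(parse_4625(SAMPLE_EVENT)).items():
        print(f"{key}: {value}")
```

When `local_account_presented` is true, the next place to look is the client at the reported source address: whatever on it reaches a domain resource while the local user is logged on.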
Bug When Converting (Back) To Local User Account
I am using Windows 8.1 Pro and began by setting up a local user account, which is the Administrator account. I then successfully switched the account to a Microsoft account, with the same user name.
As a test, I then decided to switch back to a local user account.
The bug is that I was not permitted to use the same user name. I had to select a different user name. This defeats the purpose of transparently switching from a Microsoft account to a local account.
Fortunately (for me) I had anticipated that something might go wrong and had performed a full system backup to an external USB drive before I began this switching test.
L.M.Cohen
While Windows 8.1 (Pro) allows you to create new User accounts, it is set up to "convince" you to create Microsoft-type user accounts, rather than local user accounts.
And if you try to convert a Microsoft-type account to a local user account, with the same user name, it will not let you do it. However it will allow you to convert in the opposite direction, with the same user name.
So I started all over and carefully read the small print -- to learn that you can initially set up a local user account. But this is discouraged, but if you persist, it can be done -- even though it is implied that "the sky might fall."
This is disingenuous.
However now that I understand the dynamics, I have no more problems.
Regards,
L.M.Cohen
L.M.Cohen -
Dear Team,
Oracle 12c GRID runcluvfy check failing with below error. Even After Changing Local Built in Administrator User Name also same failure reporting. Kindly help to resolve this Issue and Provide steps to Avoid this conflict.
Windows user account consistency check across nodes - Checks consistency of Windows user account across nodes Error:
PRVG-11818 : Windows user "MDCCOMMONLDAP\Administrator" is a domain user but a conflicting local user account was found on nodes "sep03vvm-401,sep03vvm-402" -
Cause: A conflicting local user account as indicated was found on the identified nodes. - Action: Ensure that the Windows user account used for Oracle installation and configuration is defined as a domain user on all nodes or as a local user on all nodes, but not a mixture of the two.
Check Failed on Nodes: [sep03vvm-402, sep03vvm-401]
c:\Oracle12c_software\Oracle12c_grid\grid>runcluvfy.bat stage -pre crsinst -verbose -n SEP03VVM-401,SEP03VVM-402
Checking if current user is a domain user...
Check: If user "Administrator" is a domain user
Result: User "MDCCOMMONLDAP\Administrator" is a part of the domain "MDCCOMMONLDAP"
Checking consistency of current Windows user account across all nodes
PRVG-11818 : Windows user "MDCCOMMONLDAP\Administrator" is a domain user but a conflicting local user account was found on nodes "sep03vvm-402"
Result: Check for Windows user account "MDCCOMMONLDAP\Administrator" consistency failed
Pre-check for cluster services setup was unsuccessful.
Checks did not pass for the following node(s):
sep03vvm-402
SEVERE: [FATAL] [INS-30131] Initial setup required for the execution of installer validations failed.
CAUSE: Failed to access the temporary location.
ACTION: Ensure that the current user has required permissions to access the temporary location.
Are you using a supported OS version (listed in the Install Doc) and following all of the steps in the Install Doc ?
HTH
Srini -
We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
We do utilize the same structure for user IDs.
I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
Thanks
Mike
Hey Mike,
The process is pretty straightforward. CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account. The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.
I recommend the following if you'd like to move to AD.
Run a DRS backup of CUCM. This is not necessary for the integration but is good practice in my opinion. I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD. Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.
Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts. That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc. If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username.
Create an account in AD that has read-only rights to your directory. Set the password to never expire. You will use this account later for the integration.
In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
Also in CUCM, navigate to the administration page and do the following:
Go to System > LDAP > LDAP System and Check the box to enable Synchronizing. Confirm the LDAP server type and attribute for User ID is accurate. This is typically Microsoft Active Directory and sAMAccountName respectively.
Go to System > LDAP > LDAP Directory
Click Add New
Give it a name (whatever you want).
Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
Enter the password for the account.
Enter the search base. This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain. If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
Select the option to perform a sync with AD on periodic intervals. The lowest interval you can set is every 6 hours.
Select either the telephonenumber or ipPhone field to be used for the user's extensions. This will be whatever you decided and populated in AD in an earlier step.
Add your primary and any backup domain controllers and ports. If they are just domain controllers and you are not using SSL then specify port 389. If they are also global catalog servers then you can do port 3268.
Click Save and Click the "Perform Full Sync Now" button.
I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD. To add this do the following:
Go to System > LDAP > LDAP Authentication.
Click Add New
Check the box to use LDAP Authentication
Add the same Distinguished name, passwords and user search base that you used for your integration account earlier under the synchronization section. Also add the same primary and secondary LDAP servers and ports you used earlier.
Click Save
You can go a step further and create a filter to only pull in the users within the search base you specified and apply that. For example, maybe only pull in users that have their ipPhone field populated. Let me know if you have any questions on that or any of the above.
I hope this helps! -
Local user account not working after trying to connect to windows domain
Newb Question
I was trying to log into a domain with my macbook today at work without success. I think I selected something that is telling my mac to search the domain for the user account, and NOT the local computer. So now when I boot it up the local user account isn't displayed, only 'other...'. When I click that it takes me to a log in text box that doesn't accept either my long or short user names. I booted up from the Snow Leopard disk and tried to change my password there, and that can see the local account there (and lets me change the password). However, when I boot back up from the HDD I get the same problem.
Is there a way of telling it to look locally rather than on the domain when logging in?
You could reset the password on the root account from the boot disk. Also, while booted to the system disk, open Startup Disk and make sure your computer is set to boot from the built-in hard drive.
This will enable root, and hopefully you can log into the computer. Try logging in with the user name 'root' and whatever password you set. If you do get in, you can go to Apple menu, System Preferences, Accounts, Login Options.
Make sure to set display login in window to list.
Also make sure that when you click on the Join button under Login Options, there is nothing there, as in blank. -
Adding Local User Account Alongside RADIUS
Greetings!
Currently every Cisco device authenticates with a RADIUS server we have on campus. I'm trying to add a local user account onto our switches and routers so that if the RADIUS server is unavailable or the switch loses connection we are able to use another login to access what we need. However when I add aaa authorization and authentication commands (no default) I think the switch cannot identify what is a RADIUS login and what is a local login. Depending on how we move commands around local will work and RADIUS will not, or RADIUS will work and local will not. Any suggestions on how to get both to work at the same time?
Thanks!
-Noah
Perhaps I do not have a correct understanding of what you are asking. But let me explain a little and if that does not address your issue then perhaps you can provide some clarification.
You can not have Radius and the local account work at the same time - at least not in the sense that you can login and enter either one and expect it to work. What you can do (and what most people do) is to define one as primary (usually Radius) and one as backup (usually local account). Then when you attempt to login the device will attempt to use Radius, and if the Radius server is not available then it will use the local account.
If that does not clarify your issue then please help us understand better what your issue is.
HTH
Rick -
Migrating local user accounts/home directories to network user accounts
Hi,
I am planning on moving the user accounts from several Mac OS X client machines to a new Mac OS X Server machine (Quad core Xeon MacPro). I am very familiar with OS X client in a support environment, but do not have extensive experience with Server.
I read over the instructions in this article
http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c6um3.html
and it appears to be fairly straight forward, although I do have some questions regarding the existing data (home folders) and how to set the clients to log in to the network account.
Previously, in the event that I have needed to move a person's home directory to a new computer or recover from a corrupt OS (and Archive&install was not an option), in OS X client I would:
1) Back up the home directory.
2) Erase/reinstall OS X client.
3) Log in as Root.
4) Go into "Accounts" pref pane and create user with same short name as original/backed-up home directory.
5) Replace the newly created home directory with the backed-up home directory.
6) Go into Terminal and chown/chgrp the home directory to username/staff, respectively.
This would result in a perfectly migrated user account. All settings and files working just as they did on the previous system/install of OS X.
First Question: Could I employ a similar method to retain the content and settings from the local user accounts on the server as I migrate them to network users? Moving the user accounts to the server as described, then running terminal to set proper ownership...
Second Question: What do I do on each client system to tell it to recognize the networked home directory for each user? Do I just change the user's home folder path in Netinfo Manager to the automount location?
Thanks in advance for any help you can offer,
-David
MacPro 2.66 Quad Core (MA356LL/A) Mac OS X Server 10.4.8
A network account is really existing only on the server but if you use "portable homefolders" (Tiger client and server) you could "migrate" the local account to a "server" one by:
Login locally as another user with administrative rights.
Change the name of the old account folder in /Users.
Remove the "old" account locally (won't remove the "old" folder as you changed the name), only Netinfo data.
Login using the serveraccount login/password thus creating a homefolder on the server.
Logout and back in, enable portable homefolder.
Logout and then in as a local admin and remove the new user folder.
Change the name on the old userfolder to what the new one had.
I'm not a 100% sure Netinfo has the server account UID now (added by logging in and creating the portable account?) but if it does:
(http://forums.macosxhints.com/archive/index.php/t-12077.html)
"Finding and changing UIDs across the filesystem is a one-liner command:
sudo find / -user UID -exec chown userName {} \;
(replace UID with the old UID number and userName with the new user name to associate file ownership.)"
(A portable account must have got some "kind" of UID?)
Let the machine "sync" with the server account.
If you want an "on network only" account I don't know what you need to remove locally afterwards.
HTH -
Lion server : local user account disappear after power outage
On the server computer. After a power outage I restarted the server; the machine starts up OK. At the login screen the local user name has disappeared, but there are other accounts, the same as on the client computer. I can log in to a network account but can't log in as local.
In System Preferences the local user account is still there.
I don't want to reinstall lion server .
What can i do now?
Thank you for your assistance.
It sounds like the user directory is damaged. You might try booting into the recovery partition, running Disk Utility, and doing a Repair Volume (and maybe a repair permissions) on the server volume.
-
What is the default admin user account login id and password in Windows 8?
Hi all,
The current admin account in Windows 8 system is changed to Standard and no other Admin account is available in the system.
What is the default admin user account login id and password in Windows 8?
Or
Is there way to change the User role for the account?
Please use Marked as Answer if my post solved your problem and use Vote As Helpful if a post was useful.
I am able to log in as a normal user, but cannot log in as administrator. Hence I cannot install any software, change my user settings or create a new user.
What is the default admin password. How can i reset it form my user account
C:\Users\Amit>net user Administrator
User name Administrator
Full Name
Comment Built-in account for administering the computer/domain
User's comment
Country/region code 000 (System Default)
Account active No
Account expires Never
Password last set 7/26/2012 12:57:03 PM
Password expires Never
Password changeable 7/26/2012 12:57:03 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/16/2013 1:16:30 PM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
-
Suddenly user account login requested, but was never created (OS X 10.5.6), how to get access again?
No account ever created, or what?
If not 1.6 Server, then...
Reset OS X Password Without an OS X CD...
http://theappleblog.com/2008/06/22/reset-os-x-password-without-an-os-x-cd/
Admin Hack...
http://www.hackmac.org/?q=node/4
Starts up like the first time you buy a new Mac, but after filling in all that info again, you should have access to the computer and the other Users & files will still be there... give the new User a different name than an existing one.
http://www.macyourself.com/2009/08/03/how-to-reset-your-mac-os-x-password-without-an-installer-disc/
-
Making user account logins case sensitive?
Hi, just a quick question. Is it possible to make a user account login name case sensitive? Currently I can log on using upper or lower case for the login name however I would rather only the exact login name could be used.
Thanks
I had already answered with an example.
Re: Making user account logins/passwords case sensitive?
-
Making user account logins/passwords case sensitive?
Hi, just a quick question. Is it possible to make user account login/passwords be case sensitive? At the moment they are case insensitive.
Thanks :)
You can make only the user account login case sensitive, but not the password.
SQL> create user "Test" identified by "tEST";
User created.
SQL> grant create session to "Test";
Grant succeeded.
SQL> conn test/test
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
SQL> conn "Test"/test
Connected.
SQL>
-
Scheduled disabling of particular user accounts
Recently, I've become concerned with my daughter's computer use. Is there a way of locking her out of the computer/disabling her user account at a scheduled time every night, for example 9PM to 6AM the following morning? A friend of mine suggested writing an applescript (though I am completely unfamiliar with it) to insert ;disableduser; in NetInfo Manager, or some perl alteration called pwpolicy, but I have no idea what he is talking about. Is it even possible to do what I want? And if so, can somebody dumb it down so I can execute it on my computer?
Mac OS X (10.4.3)
Hi,
You may use "Extended Job Selection" SM 37 to filter on jobs.
I hope it will help.
Thanks,
S