Query for local admins

What is the query for finding out who all has local admin access on their workstations?

Here are some examples:
http://portal.sivarajan.com/2011/09/search-ad-and-list-local-administrator.html
http://portal.sivarajan.com/2011/10/search-ad-collect-local-admin-group.html
http://portal.sivarajan.com/2011/04/list-local-administrator-group-members.html
Santhosh Sivarajan | Houston, TX | www.sivarajan.com
ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA

Similar Messages

  • Flash Player works only for Local Admins

    Hi!
    We have about 40 computers in our organisation with the same problem: Since few weeks the Adobe Flash Player (ActiveX) works only, when the user has administrative privileges. If a normal user wants to watch youtube-films or other flash objects, there will only appear a message that (a new) Adobe flash player must be installed to view the content (or so). It looks like there is no Adobe Flash player installed. But if the user is a local admin, everything works fine - on the same computer.
    Under Software Adobe Flash Player is displayed as installed.
    We have WinXP Professional SP2/SP3 32bit running on 4-year-old Maxdata computers. And few new computers (also WinXP Professional SP2/SP3 32bit)
    Confusing: There are few computers where flash works for everyone! It seems, that especially the computers that are new don't have this problem.
    I've tested everything: Using the MSI-file, using the EXE-file. Uninstalling the MSI, uninstalling the EXE. Using Version 14, 16 and now 26. Uninstalling everything by the official Adobe flash player uninstaller. Installing the software as administrator, installing the software via GPO. I've deleted system32/macromed/flash. I've used Microsoft subinacl - with the official adobe reset_fp10.cmd. I edited system32/macromed/flash so that everybody has write rights on this folder.
    But nothing works. It's always the same: Videos in the IE are only shown for admins.
    And now, I've no idea, what else I could do?!
    Anyone else?
    Greetings from Germany
    Peter

    Pat, is this the one?
    http://forums.adobe.com/thread/729200?tstart=0
    eidnolb

  • Query for Local Currency(GBP)  and System Currency (USD).

    Can someone help me with this query. Currently this query returns "Document Curreny" and ":System Curreny"(USD),  but I need it to return "Local currency" (GBP)  and "System Currency." USD. I am not sure how to change it to reflect LC & USD. This query works for DC and SC. I need LC an SC. Thanks Danielle Select T4.[SlpName] as 'Sales Employee', T0.cardname as 'Customer',T0.Docdate as 'Invoice Date', T0.docnum as 'Invoice Number', T0.Taxdate as 'Month Of Service',isnull(T0.U_AIS_DVISFSO,T3.U_AIS_DVISFSO) as 'SO#',T0.NumAtCard as 'PO#', isnull(T0.U_AIS_DVIAdvNm,T3.U_AIS_DVIAdvNm) as 'Advertiser', isnull(T0.U_AIS_DVIOpptyNm,T3.U_AIS_DVIOpptyNm) as 'Campaign',T1.Dscription,-T1.Quantity as 'Impressions',T1.Pricebefdi as 'CPM', Case T0.CurSource When 'C' Then T0.DocCur When 'L' Then T5.MainCurncy When 'S' Then T6.SysCurrncy End As 'Currency DC', Case T0.CurSource When 'C' Then -T1.TotalFrgn When 'L' Then -T1.LineTotal When 'S' Then -T1.TotalSumSy End As 'Total Bef Discount DC', Case T0.CurSource When 'L' Then -T1.[LineVat] When 'C' Then -T1.[LineVatlF] When 'S' Then -T1.[LineVatS] END As 'Vat Tax DC', Case when t1.visorder = 0 Then (Cast(Round((Case T0.CurSource When 'L' Then -T0.DocTotal When 'C' Then -T0.DocTotalFC When 'S' Then -T0.DocTotalSy End), 2) As DECIMAL(18,2))) ELSE 0 END As 'Doc Total DC', Case when t1.visorder = 0 Then (Cast(Round((Case T0.CurSource When 'L' Then -(T0.DocTotal - T0.PaidToDate) When 'C' Then -(T0.DocTotalFC - T0.PaidFC) When 'S' Then -(T0.DocTotalSy - T0.PaidSys) End), 2) As DECIMAL(18,2))) ELSE 0 END As 'Balance after Payment DC', ISNULL(T6.SysCurrncy,'USD') As 'Currency SC', -T1.TotalSumSy As 'Total Bef Discount SC', -T1.[LineVatS] As 'Vat Tax SC', Case when t1.visorder = 0 Then (Cast(Round(-(T0.DocTotalSy), 2) As DECIMAL(18,2))) ELSE 0 END As 'Doc Total SC', Case when t1.visorder = 0 Then (Cast(Round(-(T0.DocTotalSy - T0.PaidSys), 2) As DECIMAL(18,2))) ELSE 0 END As 'Balance after Payment SC', T0.docstatus, 'Credit Memo' AS 
TransactionType, T0.CurSource,T0.[Comments],T0.[U_InvoiceAdj], T0.[U_DV_AdjustInvReason],T1.[U_DVIInvName], T1.[U_InvoiceAdj], T1.[U_DV_AdjustInvReason] from ORIN T0 left outer join RIN1 T1 on T0.docentry = T1.docentry left outer join RDR1 T2 on T1.Baseentry = T2.docentry and T1.baseline = T2.linenum left outer join ORDR T3 on T2.docentry = T3.docentry left outer join OSLP T4 ON T0.Slpcode= T4.Slpcode Left Join OADM T5 On T0.CurSource = 'L' Left Join OADM T6 On T0.CurSource = 'S' Where T0.[DocDate] >= '[%1]' AND T0.[DocDate]  = '[%1]' AND T0.[DocDate]  <= '[%2]'

    Hi,
    Try this:
    Select T4.[SlpName] as 'Sales Employee', T0.cardname as 'Customer',T0.Docdate as 'Invoice Date', T0.docnum as 'Invoice Number', T0.Taxdate as 'Month Of Service',T0.NumAtCard as 'PO#', T1.Dscription,T1.Quantity as 'Impressions',T1.Pricebefdi as 'CPM',
    Case T0.CurSource
    When 'L' Then T0.DocCur
    When 'L' Then T5.MainCurncy
    When 'S' Then T6.SysCurrncy End As 'Currency LC',
    Case T0.CurSource
    When 'L' Then -T1.TotalFrgn
    When 'L' Then -T1.LineTotal
    When 'S' Then -T1.TotalSumSy End As 'Total Bef Discount LC',
    Case T0.CurSource
    When 'L' Then -T1.[LineVat]
    When 'C' Then -T1.[LineVatlF]
    When 'S' Then -T1.[LineVatS] END As 'Vat Tax LC', Case when t1.visorder = 0 Then (Cast(Round((Case T0.CurSource When 'L' Then -T0.DocTotal When 'C' Then -T0.DocTotalFC When 'S' Then -T0.DocTotalSy End), 2) As DECIMAL(18,2))) ELSE 0 END As 'Doc Total LC', Case when t1.visorder = 0 Then (Cast(Round((Case T0.CurSource When 'L' Then -(T0.DocTotal - T0.PaidToDate) When 'C' Then -(T0.DocTotalFC - T0.PaidFC) When 'S' Then -(T0.DocTotalSy - T0.PaidSys) End), 2) As DECIMAL(18,2))) ELSE 0 END As 'Balance after Payment LC', ISNULL(T6.SysCurrncy,'USD') As 'Currency SC', -T1.TotalSumSy As 'Total Bef Discount SC', -T1.[LineVatS] As 'Vat Tax SC', Case when t1.visorder = 0 Then (Cast(Round(-(T0.DocTotalSy), 2) As DECIMAL(18,2))) ELSE 0 END As 'Doc Total SC', Case when t1.visorder = 0 Then (Cast(Round(-(T0.DocTotalSy - T0.PaidSys), 2) As DECIMAL(18,2))) ELSE 0 END As 'Balance after Payment SC', T0.docstatus, 'Credit Memo' AS TransactionType, T0.CurSource,T0.[Comments] from ORIN T0 left outer join RIN1 T1 on T0.docentry = T1.docentry left outer join RDR1 T2 on T1.Baseentry = T2.docentry and T1.baseline = T2.linenum left outer join ORDR T3 on T2.docentry = T3.docentry left outer join OSLP T4 ON T0.Slpcode= T4.Slpcode Left Join OADM T5 On T0.CurSource = 'L' Left Join OADM T6 On T0.CurSource = 'C' Where T0.[DocDate] >= '[%1]' AND T0.[DocDate]  <= '[%2]'
    Thanks & Regards,
    Nagarajan

  • Query for admin folder ID

    I am trying to query for the admin folder ID knowing only the name of the folder. For example, I have a folder named abc and it is in another folder named xyz. xyz is on the rootadmin folder and I have no trouble retrieving that folder ID when I query. I just can't seem to query for the id of abc.
    I am using the plumtree.server api 5.0.1. Also, the documentation for the Plumtree API overview for .net incorrectly creates a multi-dimensional array for objects as
    Object[][] zzz = new Object[3][2];
    This is for Java I believe. To do what you need in C#, do this
    Object[][] zzz = new Object[3][];
    for (int i = 0; i < 3; i++)
    {
        zzz[i] = new object[2];
    }
    This creates an array that can be passed to the API.
    public int SearchFolderID(string folderName)
    {
        IPTAdminCatalog ptAC = (IPTAdminCatalog)objSession.GetAdminCatalog();
        IPTAdminFolder rootFolder = ptAC.GetRootAdminFolder();
        // This will be returned if not found.
        int folderID = -1;
        // This will limit the query results to just the property ID and the name.
        int nPropertiesToQuery = PT_PROPIDS.PT_PROPID_OBJECTID;
        // Filter rows: property ID, operator, value.
        Object[][] filter = new Object[3][];
        for (int i = 0; i < 3; i++)
        {
            filter[i] = new Object[1];
        }
        filter[0][0] = PT_PROPIDS.PT_PROPID_NAME;
        filter[1][0] = PT_FILTEROPS.PT_FILTEROP_EQ;
        filter[2][0] = folderName;
        IPTQueryResult ptResult = rootFolder.QuerySubfolders(nPropertiesToQuery,1,0,0,-1,filter);
        if (ptResult.RowCount() >= 1)
        {
            for (int i = 0; i < ptResult.RowCount(); i++)
            {
                folderID += ptResult.ItemAsInt(0,PT_PROPIDS.PT_PROPID_OBJECTID);
            }
        }
        return folderID;
    }

    I think that the code below has a bug. When it looks for a folder, it ONLY looks for folders that are a direct child of the root folder. The line:
    IPTQueryResult ptResult = rootFolder.QuerySubfolders(nPropertiesToQuery,1,0,0,-1,filter);
    will perform a query that returns all DIRECT CHILD subfolders of the ROOT folder that have the indicated name. In your example, this will work for the folder called "xyz", but will NOT work for the folder called "abc", since the abc folder is not in the root folder.
    One option would be to do this search recursively. First, find the folder object called XYZ in the root folder. Then open that folder object. Then using THAT object, call QuerySubfolders on it, something like:
    XYZFolder.QuerySubfolders(nPropertiesToQuery,1,0,0,-1,ABCfilter);
    This will require some substantial changes to your code, I think, because you'll have to record the intermediate folder objects somewhere (i.e. in your current code you never open the XYZ folder, but this change would necessitate making calls on that object.) You'll probably want a function that takes in an AdminFolder object and a subfolder name, opens the subfolder, and returns it. Then you can call that function repeatedly, walking down the folder path.
    P.S. There's another thing I don't understand about your code. Your code does "folderID += ...", but why would you want to increment the folderID? Shouldn't it read "folderID = ..."?

  • Giving an OD Network User/Group local admin rights.

    Is there a way to manage workstation admin rights from the server?
    I ran into a problem with Lightroom that requires admin privileges to change the program preferences. We have a lot of graphic art students with roaming profiles, spread out across 5 labs, that need to make this change. I would like to be able to add a group or all network users to the local admin group, for a few days, so the students can make the changes.

    This works on 10.5, not sure about 10.6.
    As root on the client.
    Upgrading legacy group for local admin group - this is from 10.4 days, not sure if you still need to do it.
    dseditgroup -o edit -f n -t group -n /Local/Default admin
    Nest OD group in local admin group
    dseditgroup -o edit -a DirectoryAdminGroup -t group -n /Local/Default admin
    Gen

  • Deny local admin users from logging on (or at least restrict them)

    I have a fully managed environment (AD authentication, using managed preferences from OD) that I am testing before rollout.
    My concern is that once preferences are managed, admin users will be able to create local admin accounts (I can't block the accounts pane otherwise users will not be able to change their passwords), then login and bypass preference management.
    Is there a way for local admin accounts logging on to inherit a default set of preferences that are only applied when a local account (or someone not in one of my directory groups) logs in, or better still - DENY local admins from logging in, or deny anyone from being able to create new local accounts?
    (Please don't suggest denying the users admin rights - it's not possible for political reasons).
    Many thanks in advance!
    FZ.

    There is no root or admin privilege that controls root or admin privilege. You have it, or you don't.
    I've been in exactly this case many years ago, replete with the politics of privileges and perceived prestige.
    I ended up documenting the foibles of the privileged folks and the time spent on recovery and restoration and related for each event, and waiting for a sufficient accumulation of same (and that didn't take very long), and I then preemptively yanked the access.
    Yes, the good folks squawked. Loudly. Yes, I got called onto the carpet.
    The Designated Responsible Individual (DRI) was then left to ruminate and make a decision, and (with the assistance of the foibles-related documentation around the efforts and time and costs) made the call. The proffered alternative (with the costs and the design and time estimates ready) with a private subnet or private LAN and private services and a dedicated firewall configured between the privileged folks and the production LANs to keep the good folks safe and secure. Here's what that'll cost...
    Either way, you've punted the responsibility and the decision up the management chain to the DRI.
    (Oh, wait, did I mention which way that firewall was going to be facing? No? Oops. Bummer.)

  • Adobe Premiere Elements gives error for non admin account

    Hi
    When a New Video project is created within the application it gives an error of Premiere Elements has encountered an error [..\..Src\Core\Preferences.cpp-338] (seems to occur during the importquicktime section). Followed by a Runtime Error "this application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information."
    This works fine for local admin account but we work within a school where the end users are not local admins and also have a redirected app data folder. I've run Process Monitor and there were several access denied reg keys that have now all been allowed but the issue still remains.
    Thanks
    Jayk0

    I think you will have to contact Adobe, not other users in a user to user account
    My understanding is that ALL versions of Premiere... Elements and Pro... must use an Admin account to run properly
    Adobe contact information - http://helpx.adobe.com/contact.html
    Help for Download & Install & Setup & Activation
    http://forums.adobe.com/community/download_install_setup
    Next link has a "Chat Now" button near the bottom
    http://helpx.adobe.com/x-productkb/policy-pricing/activation-deactivation-products.html

  • Remote Computer Management Using Local Admin Credentials?

    As per your requirement, I would suggest you to have a look on Lepide remote admin tool that allows to remotely administer single or multiple computers in the entire network simultaneously spread across multiple domains. Tool is free.

    If you are running as a standard user on your workstation and need to use the Computer Management mmc to remotely manage a second Windows workstation on your domain, how do you do this without using a domain account that is local admin on the remote system? If you open computer management locally first, you are prompted by UAC for local admin credentials on your local machine before you can even open Computer Management. If you provide those credentials and then try to connect to the remote computer using the mmc interface, you will get access denied errors if the administrator account isn't the same on both systems. It just fails without prompting for alternate credentials. Is there any workaround to get it to prompt and allow you to enter the local admin user credentials for the remote PC? I know you can get around this by using a...
    This topic first appeared in the Spiceworks Community

  • Need to Query Local Admin Group

    I wrote (copied) some PowerShell code that will add a Domain User to the Local Admin Group using ADSI.  
    $GuestPC = "WinNT://DOMAIN/UserName,user"
    $AdminGroup = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/administrators,group")
    $AdminGroup.add($GuestPC)
    I want to add an If - Else statement to check if the Domain User is already in the Administrators group.  
    I found this code:
    $members = @($AdminGroup.psbase.Invoke("Members"))
    $members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
    This code actually lists the members of the Administrators Group.  Maybe it's early or I did not get enough sleep, but I cannot figure out how to just query the Administrators group for $GuestPC and if it is there don't do anything, but if it is not there add it using the above code.
    Something easy for someone out there I hope?
    Matt
    Matt Dillon

    Finally found the answer on Google.  Just need to add -cnotcontains "GuestPC" inside an If-Then
    Matt Dillon
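
One way to do the membership check before the add, and at the same time answer the opening question of who holds local admin on a set of workstations, using the same ADSI WinNT provider as the snippets above. This is an added example, not code from the posters; the function names, `DOMAIN`, `UserName` and the computer list are placeholders.

```powershell
# Added example. Function names, DOMAIN/UserName and the computer list are
# placeholders (assumptions), not values from the thread.

function Get-LocalAdminMember {
    # Returns one object per member of the local Administrators group.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type = $member.GetType()
        [pscustomobject]@{
            Computer = $ComputerName
            Name     = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
            Class    = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
            # ADsPath includes the domain (or machine) the account belongs to,
            # so DOMAIN\UserName is not confused with a local account of the same name.
            ADsPath  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        }
    }
}

function Add-LocalAdminIfMissing {
    # Adds the domain user only when it is not already a member.
    # Returns $true if the user was added, $false if it was already present.
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $wanted  = "WinNT://$Domain/$UserName"
    $current = @(Get-LocalAdminMember -ComputerName $ComputerName |
                 Select-Object -ExpandProperty ADsPath)

    # -contains compares strings case-insensitively, which suits account names.
    if ($current -contains $wanted) {
        return $false
    }

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    [void]$group.Add("$wanted,user")
    return $true
}

# Audit: list local Administrators members per machine.
# Replace with the workstation names to audit; the default is the local machine only.
$computers = @($env:COMPUTERNAME)

$report = foreach ($computer in $computers) {
    try {
        Get-LocalAdminMember -ComputerName $computer
    }
    catch {
        # Unreachable or access-denied machines are recorded instead of aborting the run.
        [pscustomobject]@{
            Computer = $computer
            Name     = $null
            Class    = $null
            ADsPath  = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Computer, Name | Format-Table -AutoSize

# Idempotent add (changes group membership, so it is left commented out):
# Add-LocalAdminIfMissing -Domain 'DOMAIN' -UserName 'UserName'
```

Piping `$report` to `Export-Csv` instead of `Format-Table` gives a record that can be compared between runs to spot new members.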

  • SCCM 2012 - Query Local Admin Users

    Hi Guys,
    I'm trying to get all users that are local admins of my network using sccm12.
    How it's possible?
    Thank you.

    Hi,
    We can use the following query as follows
    SELECT DISTINCT SYS.Netbios_Name0, SYS.User_Name0, LocalAdminMembers.TimeStamp,
           LocalAdminMembers.Type0 as Object, LocalAdminMembers.Account0, LocalAdminMembers.Domain0
    FROM fn_rbac_GS_LocalAdminMembers0(@UserSIDs) LocalAdminMembers
    JOIN fn_rbac_R_System(@UserSIDs) SYS ON SYS.ResourceID = LocalAdminMembers.ResourceID
    WHERE SYS.Netbios_Name0 LIKE @variable
    ORDER BY SYS.Netbios_Name0
    To create a custom report
    1. Go to SCCM console – Reports – Create report
    2. Complete the Reporting Wizard. The MS SQL Report Builder will be opened up now
    3. Double Click the Table or Matrix which will open to select a new dataset window. Select ‘Create a dataset’
    4. Select the existing Data source connection and enter the data source credentials
    5. Under Design a Query window, Select “Edit as text” and copy the above query
    6. Next arrange the field as per the attached doc
    7. Choose the Layout of the Report and complete the wizard
    8. Right Click on report, where the empty area of report page and select properties. Go to reference tab, Click on assemblies. 
    Add following assembly  -  SrsResources, culture=neutral 
    And Click OK.
    9. Select UserSIDs under Parameter and edit the properties
    10. Go to Default Value and select Specific Values and Add expression. Leave the rest of the tab as default and complete it
    11. Select Variable under Parameter and edit the properties
    12. Type Computer Name under Prompt field and leave the rest of the tab as default and complete it.
    13. Type Computer Name under Prompt field and leave the rest of the tab as default and complete it.
    You are done.
    Regards,
    Vinod

  • DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end users account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
    The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable for version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
    set users=
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg
    Regards, Mike J. [MSFT]
    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
    ========================================================================
    $RC=setoption("WOW64AlternateRegView","on") 
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    $uservariable = "%userdomain%\%username%"
    If KeyExist ($DPMkey)
    $Userstring=ReadValue($DPMkey, "ClientOwners")
    If $Userstring == ""
    WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
    ? "Key created"
    else
    If not instr($Userstring,$uservariable)
    $Userstring = "$Userstring,$uservariable"
    WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
    EndIf
    Endif
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
    In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that, is that key gets created/updated only if user gets logged physically on that PC, but will not work for anyone connecting through RDP.

  • Photoshop cs6 crashes with "appcrash - module ig75icd64.dll; no problem for a local admin user however. i've tried giving specified user full access to photoshop.exe and set it to Win XP compatibility. how do i fix this without giving user local admin acc

    photoshop cs6 crashes with "appcrash - module ig75icd64.dll; no problem for a local admin user however. i've tried giving specified user full access to photoshop.exe and set it to Win XP compatibility. how do i fix this without giving user local admin access?

    Danny,
    Topic or subject titles should be clear, pertinent and concise so that individual users can tell at a glance if they can help or not.
    That field is not for attempting to fit your entire question in there.
    Please keep this in mind next time you post.  Thank you.

  • Local admin privileges required for Mobile Client

    Anyone overcome a problem with the mobile client requiring local admin privileges to run?

    hi peter,
    pls see the below urls.......
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/953928ff-0701-0010-43a0-b18b5e6ffeed
    The Passwords Control Panel has a "Remote Administration" tab that
       works only if you have networking installed. If you use a central
       server, you can assign administrative privilege to a SUPERVISOR or
       Domain Admin.
       First, install File & Print Sharing for either MS networks (for a pure
       Win95 or NT domain network) or NetWare (For NetWare networks). If you
       use FPS for NetWare, keep SAP advertising OFF. In addition, install
       the Remote Registry service from Network Control Panel, as a Service
       (in \ADMIN\NETTOOLS\REMOTREG on the CD-ROM) on the remote machines. You
       can do this (and even enforce this) when you install Win95 as well.
       Now, if the workstations use User level security (highly
       advisable on NT Domains and NetWare networks), Setup will
       automatically enable remote administration for ADMIN and SUPERVISOR
       (NetWare) or DOMAIN ADMINS (NT Domain). If the stations use passwords
       instead of user lists (Share level security), or you don't have a
       central server, you will need to manually enable Remote Administration
       and supply a password to each station. Remote Administration settings
       will differ with each type of network client installed.
       Once done, you (the administrator) can control computers via Network
       Neighborhood. Right-click on any Win95 station and select
       "Properties". You will see a "Tools" tab that lets you edit the
       Registry, view network activity, or even browse the hard drives, on
       the remote computer. REGEDIT and POLEDIT also works on these stations.
       Of the tools listed, Remote Registry service is the biggest service
       (250 KB). To free up memory so you don't slow down the machines, check
       out How to Prevent Random Hard Drive Access, which also frees
       lots of memory for these services.
    7.6.3.1. ...on a Windows NT network?
       Install FPS for MS networks, install Remote Registry service, and
       enable User level security. Remote Admin privileges are
       automatically given to anyone in the Domain Admins group on the domain
       controller. Re-boot. Then, go to another Win95 station, log in as
       Administrator (or anyone else in Domain Admins) and get properties on
       the remote station from Network Neighborhood.
       WARNING: This service will allow you to remotely edit an NT Server's
       Registry! I was able to get in to several (but not all) Registry keys
       on my own NT server by logging in as a member of Domain Admins. I'd
       hate to think what could happen to my poor server if someone ran
       REGEDIT on this network with malicious intent!
       WARNING: Remember the NetWare C$ bug? It's back, this time in FPS for
       Microsoft networks! Now if you perform a Remote Admin session on a
       Win95 station and view its hard drives, the Admin shares
       (\\machine\c$) remain active, available for read-only viewing when a
       user types \\machine\c$ from Start Menu/Run. This bug may have always
       been around, but I suspect it emerged with Service Pack 1.
    7.6.3.2. ...on a Peer Win95 network?
       You don't need to install Remote Registry service on the workstations
       to use peer to peer remote administration. You only need a file and
       print sharing service. When you use the Admin tools, the target
       computer will prompt you for a password.
       Be sure to set this password on all the workstations you want to
       administer remotely.
       NOTE: According to the Remote Registry readme files, Remote Registry
       service only works if you use User Level Security from a central
       server.
    7.6.4. ...user level access?
       User Level access spares us the potential of lost passwords and
       multiple, security-killing, cached passwords, because the passwords
       remain on the central security provider. You need only log in once and
       type your password once, and you have access to any resources shared
       on the network that have you on their access list.
       Enable User Level security from Network Control Panel, in Access
       Control. Pick a security provider (the name of an NT domain, NetWare
       server, or other central server if your client/service software allows
       for it). The next time you re-boot, all your share requesters and
       password requesters will have user list requesters in their place. You
       could also enforce user level security via system policies.
       If the server is a NetWare 4.x server, you will need to set a Bindery
       context on it. This will allow all NDS clients access to any Win95
       stations sharing resources via FPS for NetWare.
       Unusual combinations to avoid:
    FPS for MS networks, using a NetWare server as security provider
           (WFWG stations can't get access then! Win95 machines could get
           access, however)
    FPS for NetWare, using an NT server as a security provider (Quite
           impossible, as the NCP server doesn't recognize NT security)
    FPS for NetWare, using Share level security (It won't let you; NCP
           servers don't allow separate logins)
    7.6.5. ...server-based setup and MSBATCH.INF
    thanks
    karthik

  • Is it possible to disallow RDP for one member of local admins group?

    Hello:
    I have an application server which has a service account that is in the local admins group. Is it possible to disallow only that particular service account from being able to RDP into the server? Server is Windows Server 2003 SP2. Basically, I'm trying to bypass this: Members of the local Administrators group can connect even if they are not listed. I understand that anyone using the service account could undo any restrictions I make, so what I'm trying to do would just be a deterrent. I cannot disable RDP altogether since our regular sys admins need to be able to RDP into the server. Thank you.

    What if you specified the user and denied them rights to RDP to the server.  A deny overrides every other permission, and if you can do this, then only that one user would not be able to RDP into the server, but other admins would be able to. 

  • How to allow access to winrs for non-admin user?

    I have Windows Server 2012 (and Server 2008, but it is next priority) to monitor it using txwinrm. txwinrm library internally is using WinRS protocol. I have to monitor it using least privileged user, but don't know how to configure access for him.
    All I managed to do - is to configure remote Powershell session for my user, but it looks like winrs and powershell sessions have different security descriptors:
    Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2}
    # gives 4
    Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2}
    # gives 4
    winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"'
    # gives 4
    winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"'
    # Gives Winrs error: Access is denied.
    Configuration for my user is following:
    (Get-Item WSMan:\localhost\Service\RootSDDL).value
    # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
    (Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
    # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    (In each security descriptor my user is given general access to protected object).
    So what security descriptor should I set to make my winrs query work for non-admin user?

    Hi Bunyk,
    I can not recreate the error you posted, and please also post the screenshot at your convenience.
    I tested with a non-domain user but has the local admin permission of the remote computer, and this worked, before running the remote cmdlet in powershell, I also configured the TrustedHosts.
    In addition, the access denied could be also caused to the Protocol Filtering on the remote server, for more detailed information, please refer to this thread:
    winrs error:access is denied
    I hope this helps.
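
When a least-privileged account works through one WinRM endpoint and not another, it helps to decode both security descriptors and compare the SIDs they grant access to. The following is an added example, not code from either poster; it parses the two SDDL strings quoted in the question with the .NET `RawSecurityDescriptor` class, and the function name is an assumption.

```powershell
# Added example, not from the thread. The two SDDL strings are the ones quoted
# in the question above; the function name is an assumption of this sketch.
$rootSddl    = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)'
$sessionSddl = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'

function Get-SddlDaclEntry {
    # Lists the DACL entries (who is allowed or denied what) of an SDDL string.
    param([Parameter(Mandatory = $true)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Name lookup fails for SIDs this machine cannot resolve; keep the raw SID then.
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '(unresolved)' }

        [pscustomobject]@{
            AceType    = $ace.AceType
            Sid        = $sid.Value
            Account    = $account
            AccessMask = '0x{0:X8}' -f $ace.AccessMask   # GA (generic all) is 0x10000000
        }
    }
}

$root    = @(Get-SddlDaclEntry -Sddl $rootSddl)
$session = @(Get-SddlDaclEntry -Sddl $sessionSddl)

Write-Host '--- WSMan:\localhost\Service\RootSDDL ---'
$root | Format-Table -AutoSize

Write-Host '--- Microsoft.Powershell session configuration ---'
$session | Format-Table -AutoSize

# SIDs present in only one of the two DACLs.
# "<=" means only in RootSDDL, "=>" means only in the session configuration.
Compare-Object -ReferenceObject  ($root    | ForEach-Object { $_.Sid }) `
               -DifferenceObject ($session | ForEach-Object { $_.Sid })

# SID of the account under test, to match against the lists above
# (resolves only on a machine that knows the account):
# (New-Object System.Security.Principal.NTAccount('lpu1')).Translate(
#     [System.Security.Principal.SecurityIdentifier]).Value
```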
