R12 using domain user account

Hi All,
Our architecture is R12.1.3 Apps and 11.2.0.3 database.we are trying to clone from PROD to test.
Copyright (c) 1991, 2011, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ppclone15db.ppgpl.co.tt)
(PORT=1524)))
The command completed successfully
ECHO is off.
Listener DB15 has already been started.
ECHO is off.
addlnctl.cmd exiting with status 0
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
oracleserviceTest is created with path executable /orant/bin oracle.exe instead of ORACLE_HOME/bin oracle.exe.
we are doing rapidclone using Domain user account (with local administrator privilege)
As per metalink note id 406982.1 Note: On Microsoft Windows, Rapid Clone is not currently certified for use from Domain User Accounts
kindly provide us suitable solutions to overcome rapid clone issue in windows machine.
Regards,
Dinesh

Hi,
As a workaround, always keep a copy of your configuration files like (XML files, .ora files etc) from the TEST environment before removing all the files for cloning.
Original files can be copied over from backup copies and can be reused after running the autoconfig.
You can take a backup of your existing Oracle services running on windows for TEST environment before removing it for Clone.
To view the oracle services running and their location on windows OS you can view the services by:
go to Run --> services.msc to get to the services page.
Regards
Neeraj Sharma
Edited by: NeSharma on Jul 9, 2012 2:13 AM

Similar Messages

CSACS servcies fail to start when using domain user account

I have installed CSACS 3.3 on a member server in a Windows 2003 domain. The member server is running Server 2003, too.
I created a user account in Active Directory and configured the CSACS services to log on as this account. Through Group Policy I granted the user the "log on as a service" and "act as part of the operating system" privileges per the Installation Guide for Cisco Secure ACS for Windows. I verefied that the policy has taken affect on the CSACS server.
The CSACS services fail to start as this user account. The error messages are non-specific. If I add the user to the local administrators group the services start just fine.
Anybody know what I might be missing?
Thanks in advance.
Colin

Did you ever figure this out? I'm running into the exact same problem. Same version of ACS and everthing. CSLog is the only service that started.

"Unable to check revocation" error while checking CDP from non-domain user account

Hi!
I use 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In certificate we have three CDP point for CRL check:
ldap:///, http:// and file://
I have Windows 2008 R2 server joined to domain.
I use command certutil –verify –urlfetch <filename.cer> >check.txt for revocation checking of certificate.
When I use domain user account for revocation checking, all OK.
I have access to any CDP and all fine.
But when i use local server user account, I haven't access to ldap:/// and process failed although all other links is OK.
My question is "why check fail with non-domain user accout while other CDP point succesfully verifed"?
Here is the logfile from local user:
Issuer:
CN=EntSubCA
DC=DED
DC=ROOT
Subject:
CN=servername.domain_name
Cert Serial Number: 5a896145000300006ee2
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
NotBefore: 05.02.2015 20:03
NotAfter: 05.02.2016 20:03
Subject: CN=servername.domain_name
Serial: 5a896145000300006ee2
SubjectAltName: DNS Name=servername.domain_name
Template: Machine
70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
OK "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 018d:
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SubCA
NotBefore: 13.11.2014 19:12
NotAfter: 13.11.2017 19:22
Subject: CN=EntSubCA, DC=DED, DC=ROOT
Serial: 6109015b000100000008
Template: SubCA
9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/SubCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 32:
Issuer: CN=SubCA
8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 28.05.2008 12:09
NotAfter: 28.05.2058 12:19
Subject: CN=SubCA
Serial: 616bd19f000100000004
Template: SubCA
06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 4
[0.0] http://webserver/crl/RootCA.crl
Verified "Base CRL (1c)" Time: 0
[1.0] file://\\ca\crl\RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 27.05.2008 16:10
NotAfter: 27.05.2110 16:20
Subject: CN=RootCA
Serial: 258de6fbd3bbab92460530e9e9f10536
5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 0
[0.0] file://\\ca\crl\RootCA.crl
Verified "Base CRL (1c)" Time: 4
[1.0] http://webserver/crl/RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
Exclude leaf cert:
5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
Full chain:
ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.

What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must access to the URLs. In your output, it is quite clear that the local account does not have necessary permissions
(you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
an internally and externally accessible, highly available Web cluster.
the other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA. It is recommended to do this by running
certutil -dspublish -f RootCA.crt.
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
Brian

SSAS issue with Domain user account

Hi
I have SSAS 2008 R2 set up running on Windows Server 2012 Standard.
The server is registered as a part of domain.
I have had an issue of domain user accounts accessing to a cube and it's starting to get worse. There has been no problem with a local user account (I set up a few for testing purpose).
I ran the role report from BIDS Helper and it finds all the domain user accounts invalid.
It looks like SSAS is not talking well with the domain server (Windows 2003 server standard) to verify user credentials. But the thing is that everyone is ok with the domain server except for SSAS. IT does not have a clue what's going on here and everything
is just pointing at me right now.
I'd like to know if there is anyway to monitor that communication between SSAS and domain server for user credential verification and any guideline on how to resolve it. Most of time, it just works again.. like 10 minitues later.. it resolves by itself.
But this time, not!!!
All I know is that 1. Registering the server as a part of domain 2. use domain user account to set the security.
MY IT department has set up network monitoring tool and says that they are 100% percent working (No connection loss. It's monitoring Active directory as well). The application installed is 'ManageEngine Applications Manager'
I don't know what to do here.
P.S Will it be related something like 'Error
while Add user to SSAS Server - The trust relationship between the primary domain and the trusted domain failed' but it's all the domain accounts including mine are not working.
Cheers!!!

First check your DNS servers setting on the server you have SSAS installed. You should only use the IP addresses of the DNS servers (e.g. Domain Controllers) of your domain. Active Directory relies on proper DNS server settings. Adding public DNS servers,
even if they are on the bottom of the list, will mess up name resolving Active Directory names. This should have been done when IT had provisioned the server. Same goes for own workstation if you run your development/management software not on the server.
Second make sure SSAS is running under a service account that has access to Active Directory. This can be either a domain account, the local system account, or the network service account. Running SSAS under a local account or the local service account will
not work because local accounts do not have access to Active Directory. Running SSAS under either a Managed Service Account or a Virtual Account will not work because those features require the domain at least the Windows Server 2008 R2 functional
level.
Third make sure the account you use to log on to SSAS is a domain account and has appropriate permissions in SQL Server and SSAS. Local accounts and SQL Server account do not have access to Active Directory

Should I use Managed Service Accounts or individual, Domain User accounts?

I'm setting up a new SP 2013, and I'm trying to be very granular as it relates to "Least Privilege".
I'm trying to figure out which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint services.
At face value, I *think* any service could be successfully run using an MSA and yet any installation of either SQL Server 2012 and/or SharePoint 2013 should be done using a Domain User account created for that specific purpose (i.e., SP_FARM, SP_ADMIN, SQL_ADMIN,
etc.). In fact, I *think* the installation would HAVE to be done with an actual Domain User account, because (unless I'm wrong), MSA's do not have a shell and therefore CAN'T log on...which is by design?
Here's a Microsoft TechNet article that lists many of the accounts I'm referring to:
https://social.technet.microsoft.com/wiki/contents/articles/14500.sharepoint-2013-service-accounts.aspx
Note that it says MOST of the accounts are Domain accounts, but I don't *think* all of these need to BE
Domain accounts - I think MOST of them could be created as MSA's and assigned to run the specific service without any problems whatsoever?
So again, my question is: which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint service or to even perform a
successful installation of the software?
Ed

No, script 1 does not create Active Directory Managed Service Accounts (see here:
http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx) These are not applicable to SharePoint and are not mentioned in any of those scripts, look at the PowerShell
commandlets, they are very different.
Script 1 creates active directory users. These are, as far as AD cares, just standard user objects. There is nothing at all special about them in AD.
At some point you would install SharePoint using those accounts, during that process they get resisted in SharePoint as SharePoint Managed Accounts.
Script 2 updates the settings on those managed accounts in bulk.

SDK service using domain user trying to set SPN for computer account

I have a SDK service running under a domain user account, but it tries to register the SPN for the computer account of the machine?!
Therefore I get the following alert:
The System Center Data Access service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/WIN-9IAJC0HS9RJ and MSOMSdkSvc/WIN-9IAJC0HS9RJ.domainxx.local to the servicePrincipalName of CN=WIN-9IAJC0HS9RJ,CN=Computers,DC=domainxx,DC=local
Which makes sense because it has not the permissions to do that.
When I make the domain user account member of domain admins it has the concerning permissions and it indeed registers that SPN to the computer account. But why?? The SPN should be registered to the domain user account instead (and therefore I had given the
domain user account the read/write permissions to itself to do that).
I have the following SPN registered now for the computer and domain user account:
setspn -l WIN-9IAJC0HS9RJ
Registered ServicePrincipalNames for CN=WIN-9IAJC0HS9RJ,CN=Computers,DC=domainxx
DC=local:
MSOMSdkSvc/WIN-9IAJC0HS9RJ
MSOMSdkSvc/WIN-9IAJC0HS9RJ.domainxx.local
MSOMHSvc/WIN-9IAJC0HS9RJ
MSOMHSvc/WIN-9IAJC0HS9RJ.domainxx.local
TERMSRV/WIN-9IAJC0HS9RJ
TERMSRV/WIN-9IAJC0HS9RJ.domainxx.local
WSMAN/WIN-9IAJC0HS9RJ
WSMAN/WIN-9IAJC0HS9RJ.domainxx.local
RestrictedKrbHost/WIN-9IAJC0HS9RJ
HOST/WIN-9IAJC0HS9RJ
RestrictedKrbHost/WIN-9IAJC0HS9RJ.domainxx.local
HOST/WIN-9IAJC0HS9RJ.domainxx.local
setspn -l domainxx\omdas
Registered ServicePrincipalNames for CN=OMDAS,CN=Users,DC=domainxx,DC=local:
none for this account
I don't get it. Anyone?
I am using SCOM 2012 R2
Pls help.
Thanx in advance.
Regards
Chris

SCOM SDK service really tries to set its SPN to the computer account (although the SDK service is running using a domain user account). The alert is no bug!
I know this for sure because I gave the SDK service permission to do it - by making the domain user account member of the domain admins security group - and it indeed sets the SPN on the computer account.
The latter is the actual bug I would say! It should try to set the SPN for the domain user account the sdk service is running with.
Then again, nog having the SPN been set correctly to this domain user account, does not seem to bother SCOM at all indeed. Perhaps it uses NTLM instead in this scenario.
Can anyone comfirm?

Using Assigned Access on a Domain user account

We would like to use Assigned Access in Windows 8.1 Enterprise, but it appears to only allow locking down a local user account. Is there any way to lock down a Domain user account with Assigned Access?

No, it is designed for local user account. Regarding domain user, I think group policy is a better choice.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

SharePoint farm - SQL Server - MSSQLSERVER service is running as "Local System" - Can I change it to Domain User account?

Hi there,
In my SharePoint 2010 farm - on the SQL Server:
The MSSQLSERVER service is running under Local System.
1. Can I change it to run as a normal Domain User account?
2. Does it need any extra privileges?
3. Is it a safe thing to do?
Brief description will be very useful.
Thanks so much.

You need to create Service account with password never expire option+ User never change password
Then you need to go through below recommendation from Microsoft
Security Considerations for a SQL Server Installation
Planning for Services, Accounts, and Connections
Hope you got starting point
Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.

Why domain users account allowed to logon to servers directly?

I'm using Windows Server 2008 R2 with ADDS.
By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP. They should get the message:
"You cannot log on because the logon method you are using is not allowed on this computer"
I had checked the GPO, under the Computer Configuration -> Windows Setting -> Local Security Policy -> Local Policy -> User Rights Assignment -> Allow Log on Locally, here only contains:
Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
And, nothing set on the Deny Logon Locally.
But, tested that, those accounts with just Domain User Group are able to logon to Server!?
How or where should I check, to not allow normal user account to logon to server directly?
Thank you.

Hi,
>>By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP.
By default, standard domain user accounts can log onto workstations and member servers, and they can’t log onto domain controllers unless we allow them to do so via group
policy.
By default, standard domain user accounts can’t remote desktop onto other computers unless they have been added to Remote Desktop User groups of the computers.
Regarding allowing log on locally, the following article can be referred to for more information.
Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx
Regarding remote desktop user groups, the following article can be referred to for more information.
Configure the Remote Desktop Users Group
http://technet.microsoft.com/en-in/library/cc743161.aspx
>>How or where should I check, to not allow normal user account to logon to server directly?
We can utilize group policy setting
Deny logon locally to prevent users from locally logging onto the targeted computers.
Regarding this setting, the following article can be referred to for more information.
Deny logon locally
http://technet.microsoft.com/en-us/library/cc957048.aspx
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen

Query to retrieve windows domain user account

I am totally new to Oracle. Right now, I have a requirement which needs the windows domain user account and local user accounts to be found and linked to. I ve been searching on google, but no use. Frankly, I have no idea even what I am supposed to do and I am not sure what I wrote here is even framed correct. Please help me out. Thanks a lot.

Hi,
I think you've made your first Oracle mistake: think that Oracle is working just the same as MS SQL Server :-)
First, before trying to do anything, you must read the TFM: Database Concepts(click) in order to begin to understand how Oracle works.
I'm going to try to explain fast and simple.
Oracle user accounts are different accounts than OS accounts. That is the first important point to get. A domain user "toto" will not automatically gat an Oracle "toto" account.
There are 3 types of user authentication:
. Password: typical authentication, no link between OS account and Oracle account
. External: User is authentified by the O.S. This means that the DBA has to create a special account that'll be "linked" to the O.S. account (whether it's a local or domain account)
. Global: The user is authentified by the enterprise directory service.
You can see these 3 approaches in the SQL Statements: CREATE USER doc(click). So, there is some way to link the Oracle user account to the O.S. user account, but not straight forward!
I need to verify if my oracle database user account is a windows domain user or not, if he/she is one, then if he/she is a local user account or a global user accountWhen I read this, the closest thing I can think of is the 3 types of authentication. And the info can be found in DBA_USERS (columns USERNAME, EXTERNAL_NAME and PASSWORD - obfuscated of course).
With these info, maybe can you see why your requirement is a bit strange? Anyway, read the references I linked and come back here with more questions / comments :-)
HTH,
Yoann.

Java SE Ver 7 Uxx locking out domain user account failing Kerberos PreAuth

Java SE Ver 7 all updates are failing Kerberos Pre_Auth and locking domain user accounts because of truncated UDP packets.
When a user opens a page that uses JavaScript their domain account gets a bad password, subsequent openings in the lockout threshold window (5 in 30 minutes for us) results in a domain account lockout.
I have done extensive troubleshooting of this issue and have root caused and been able to prevent it with a less desirable solution. Oracle fixes for the bug below (basically same issue) do not work for me or i'm implementing them incorrectly.
This effects XP\Win7 (32Bit browsers with IE 8 and 9).
Java SE Ver 7 U21 and lesser updates are failing Kerberos Pre_Auth (KRB5KDC_ERR_PREAUTH_FAILED)due to the use of UDP instead of TCP. Starting with the SRV request, UDP exceeds MTU and gets truncated enroute to the KDC. This results in the eventual response from the KDC as bad credential and eventual account lockout if user repeats call for Java.
We have been able to force TCP by blocking UDP 88 on a test station's windows firewall. This prevents the bad password, but injects a delay while kerberos times out UDP and fails to TCP.
Java BUG 8009875 lists the "udp_preference_limit=1" value that forces Java to use TCP, but i can't get this working with a KRB5.config or KRB5.ini file in the c:\windows directory. Even utilizing an environment variable KRB5_CONFIG does not work.
Our expected result is to force Java 7 to use TCP for Kerberos transactions and not UDP. This will be a stop gap until the release of Version 8 next year, which BUG 8009875 says corrects the default UDP call to TCP.

I had this same issue. My fix was to create a custom jass config file that specific to not use the local tgt cache.
If you would like I could provide you with this setup. 1.7 uses GSS/SPNEGO as the first method of auth, this will essentially disable this method of single-sign on.
Http Authentication
GSS/SPNEGO -> Digest -> NTLM -> Basic
It looks like you got a fix so this post could be worthless

Domain user account limit exceeded

My company is running Windows Server 2012 R2 Essentials. I receive the error:
Domain user accounts limit exceeded
Alert details: Windows Server 2012 R2 Essentials supports a maximum of 25 domain users. If you want to upgrade your server to Windows Server 2012 R2 Standard, please follow the steps in resolution.
I am aware that the Domain User limit is set to 25. However, we have created, and have less than 25 active domain user accounts. The rest are 'system' users that are either disabled, or active but not real user accounts, and they became active within the system
themselves; in other words, we have less that 25 real people who have been created an account to use the domain.
Can someone please tell me what they count? 25 user accounts? Or 25 real, active users?
If it is 25 accounts in total, then it is slightly unfair as most of the accounts are therefore already taken before we add a single domain user.
If it is 25 real, active users, why do I receive the error message in the logs?

Hi William Kirkman,
à
The rest are 'system' users that are either disabled, or active but not real user accounts, and they became active within the system themselves.
I’m a little confused with this sentence. Would you please provide some details of system users and let me
understand it clearly? Did you mean some Administrator accounts or any other?
Regarding to how count 25 user accounts, “Any user that appears in the dashboard counts against your total
of 25.” Robert answered in the following thread. Please refer to.
Admin
Account Setup as Part of Wizard Count Against 25 Users?
Hope this helps.
Best regards,
Justin Gu

We are having sync issues when trying to use separate user accounts and Apple ID's on the same iMac. What can we do?

My wife and I share an iMac and we each sync to it using separate user accounts and separate Apple IDs. She has an iPad 2 and I have an iPhone 4. We upgraded the mac to Lion and the iphone to OS 5. Now itunes only recognizes my apple id no matter which user is logged in. Now if I download the Home Depot app to my phone it automatically gets pushed to my wife's iPad, which she does not want. We want to keep things separate. How can we do this?

You can sync devices with the same iCloud ID, not seperate ones.
If she has a different login on your Mac, make sure she has her own ID defined in System Prefs > iCloud

Using one user account table across multiple databases but account used as a foreign key

I want to use one user account table from one database and use it across a couple other databases. The problem is that I want some tables to use the primary key from the user account table as a foreign key to access the data when the user logs in. Is this
the right way of going about it? Do I have to create a user account table in all my databases? What is the best practice to handle this problem? Thanks in advance.

You can use Triggers or using replication.
more info:
Add Foreign Key relationship between two Databases
SQL Server Replication
Saeid Hasani [sqldevelop]

My daughter and I have separate iCloud accounts set up on out desktop PCs and our iPhones and iPads. We want to share the usage of a Win 8 laptop and will log in using using separate user accounts. Is it possible to set up our own iCloud accounts?

My daughter and I have separate iCloud accounts set up on out desktop PCs and our iPhones and iPads. We want to share the usage of a Win 8 laptop and will log in using using separate user accounts. Is it possible to set up our own iCloud accounts in each of those separate user accounts?

No it is not possible. Content purchased from the iTunes Store is permanently tied to the account from which it was originally purchased, and Apple does not provide a way to change it.

R12 using domain user account

Similar Messages

Maybe you are looking for