Remote user received a "deny log on locally" policy - and is now locked out
Hello,
A traveling user received a "deny log on locally" policy remotely.
He was accidentally added to a wrong group and is now locked out.
What are the steps to clear this policy? We have a backup local admin account I can remote into.
I appreciate any suggestions or comments.
> What are the steps to clear this policy? We have a backup local admin
> account I can remote into.
Resolve the wrong setting, remote into the machine and issue "gpupdate /target:computer". Reboot and go ahead :)
Martin
How about reading a GOOD book on GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))
Similar Messages
-
Before updating ios on my ipad I didn't have a passcode. It now wants me to log in a code. I tried one I used previously, then 0000 but am now locked out and my ipad is disabled!
Forgot password or device disabled
http://support.apple.com/kb/ht1212 -
How to allow user to select pdf file on local machine and populate field with file name only
Folks,
I have a project requirement that I am stumped on. I am admittedly a novice, so forgive questions that may seem obvious.
My requirement is a form running on a client system where the user can click a button and select a PDF file name from a PDF on their local machine and then populate a form field with that file path & filename. The file names vary between all machines, so there is no static list. Note that the PDF is not embedded, nothing is executed, I simply need the file name.
There are several of these on a form (20+), so manual name entry is too error prone. I would like to use a 'browse' type dialog, but can not figure out how to implement it.
I've looked at app.browseForFile, but the users can not install a javascript file in their adobe folder or any other files; the functionality has to be integral with the original PDF.
Functionally, this is no different from the image object file browse, except that I need a PDF instead of an image file, so there doesn't seem like there should be a security issue that is any different from those surrounding the image object.
I've been stumped on this for the entire week, and I have a deadline rapidly approaching, so any examples or suggestions (please remember I'm a novice) would be greatly appreciated!
Thanks for the reply Paul - do you have any sample code of how to attach the PDF? Or how the user can select a PDF to open? I might be able to attach it, retrieve the file name, and then un-attach it.
Alternatively, do you know how to retrieve the file name from the imagePath object? It will let you select PDF files, but I can't find info on how to retrieve the file name. It should be the way you would retrieve the file name for an image.
As a novice in this, thanks for your help and patience! -
Office 2010 & 2007 - Excel and Access File Locking Out On the Network With Multiple Users
This is also posted in the Office 2010 - IT Pro General Discussions, but was suggested to repost here, since a definitive answer was not found.
Hi,
An issue that's happening is that Excel and Access files are locking on the network. We're currently using Office 2007 and 2010.
Here are some different scenarios that are happening:
When opening the file it is locked out by “User X” which is the person that has the file locked out and no one else can open the file.
When opening the file it is locked out by “User Y” which is NOT the actual person, but is locked out by “User X” and no one else can access the file.
When opening the file it is locked out by “…another user” which is generic and no one else can access the file.
The two more common events are incident 1 and 2 with 3 happening the less common.
This message will continue until the sessions are closed through computer management on the file server.
The file server is running Windows Server 2003.
This does happen on both Windows XP and Windows 7 clients.
This does happen for users using Office 2007 and Office 2010.
There are two sets of Office 2010 Users when it comes to patches. Everyone has the most current patches with Office 2010 SP2 while anyone that has Microsoft Project 2010 is using all the current update before Office 2010 SP2.
All users that are using Office 2007 have all the current patches and service packs.
Another variable is that we have users that will leave a file open on the network for 3+ days and after a while it will lock the file out.
Also we have Shadow Copy that runs daily on the system which I'm not for sure if that impacts anything if a file is opening during that time.
Any ideas on how to mitigate the lock out issues would be appreciated.
Thanks,
Binary Process
Edit November 12, 2013: This issue can occur if and if not another person actually has the file open. If the person doesn't have the file open then there is a hung connection which needs to be disconnected by going to the Computer Management of the File server.
Hi Binary,
I know that the description of the hotfix does not relate to the issue. The purpose is to install it for upgrading SMB related file.
A similar issue I encountered before:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b7fcc59b-52d9-4a02-863a-1a529bcb8cb1/temp-doc-etc-files-dont-close-after-a-file-closes-this-causes-locked-files?forum=winserverfiles
It is resolved by upgrading SMB files so maybe it will help on your case.
Another hotfix which may related:
http://support.microsoft.com/kb/983458
If you have any feedback on our support, please send to [email protected] -
I am trying to reset my admin password. I think my computer was tampered with. I signed out completely and now, I am locked out. I can't get past a black screen. I'm unsure of my operating system but I've had laptop about 2 years.
If you boot from your install DVD and, after choosing language, go up to the Apple bar and select utilities, you can restore your admin and firmware psswds. You will find these options there. Do not choose a firmware psswd if you do not need this, you may complicate your life, especially if you forget it.
I do not understand how you changed the psswd and why you cannot log in, though. Did you forget the new psswd or why? What do you mean by ‘was tampered with’? -
When I try to log into Apple ID I get this message.
I have not received a verification email and nothing is received when I resend it.
The email address is correct and I use it daily.
After I get this error message I can proceed no further with managing my ID
Please Help!
Verify your email address.
A verification email was previously sent to [email protected] We can resend the verification email to the same address, or if this address is incorrect you can change your Apple ID and email address.
Verify your email address.
A verification email was previously sent to [email protected]. We can resend the verification email to the same address, or if this address is incorrect you can change your Apple ID and email address.
Apple ID and Primary Email Address
Email address is already verified for another Apple ID
It may not be particularly helpful to you but I would not be surprised if the message number 2 refers to the verification you did that attracted message number 1.
Just a thought. -
I was on facebook and it was hacked. I notified facebook and deleted all remembered passwords in the system and ran anti-virus. Ever since then I've been unable to log onto facebook. Is this a problem with firefox or with face book itself? When I try to login using firefox I get www.facebook..com/checkpoint and doesn't go any further. I've changed my password and still cannot get into fb.
I kind of thought that was the problem but can't seem to get anything from FB. I appreciate your quick response. Flip
-
im just wondering if the person im texting using imessage actually received my message when it says delivered..doesnt mean they read it but does it mean it applies the fact they can c the msg alrd like their ipod touch has received the msg and can b seen tru notification as well
A red check means the text wasn't sent (maybe the number has been changed, they have texts blocked, there was a network problem).
-
Cannot activate ipad because my fiancé who passed away had it connected to find my iphone and cloud
I have his ipad ID but not his mail password. I cannot get past security questions such as what was your first car, etc.
No help from the Genius Bar at Orlando Millenia Mall or call to Apple Care.
Any suggestions?
I was using this for a year without problems until I decided to have it wiped and get my name on account for downloads from Itunes.
iCloud: Find My iPhone Activation Lock in iOS 7
http://support.apple.com/kb/HT5818
Cheers, Tom -
I upgraded my iPad 2 to IOS 8. It was working fine. I went in to Accessibility and turned on Speech (Speak Auto-text). I can't turn it off. It froze and I could not turn it off. I rebooted many times but can't get past the 4digit sign in I implemented. It will not recognize my password. I connected my iPad to my Mac and went to iTunes .
It said I needed to disable find my iPad. I went to iCloud.com and deleted my iPad off my account. How can I resolve getting past my password?
FORCE IPAD INTO RECOVERY MODE
1. Turn off iPad
2. Turn on computer and launch iTunes (make sure you have the latest version of iTunes)
3. Plug USB cable into computer's USB port
4. Hold Home button down and plug the other end of cable into docking port.
DO NOT RELEASE BUTTON until you see picture of iTunes and plug
5. Release Home button.
ON COMPUTER
6. iTunes has detected iPad in recovery mode. You must restore this iPad before it can be used with iTunes.
7. Select "Restore iPad"...
Note:
1. Data will be lost if you do not have backup
2. You must follow step 1 to step 4 VERY CLOSELY.
3. Repeat the process if necessary. -
Domain Admin locked out of local logon
I have a customer we just took over for. They have an existing issue where the domain administrator cannot log in locally to the DC. I've looked through all their GPOs and cannot find any instance of the domain admin groups specially being denied this right. In fact, it says right in the DC GPO that domain admins have the rights for local log in yet I can't seem to log in. Remote desktop works fine and that is how I've been accessing their DC but I cannot find an answer to this problem. Any ideas?
Policy | Computer Setting | Source GPO
Access Credential Manager as a trusted caller | Not Defined |
Access this computer from the network | kcengr\IWAM_DELL-OFV7446Y6N,Everyone,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,Authenticated Users,ENTERPRISE DOMAIN CONTROLLERS,Pre-Windows 2000 Compatible Access,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
Act as part of the operating system | kcengr\bkupexec | Default Domain Controllers Policy
Add workstations to domain | Authenticated Users | Default Domain Controllers Policy
Adjust memory quotas for a process | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Allow log on locally | kcengr\IUSR_DELL-OFV7446Y6N,Administrators,Backup Operators,Account Operators,Server Operators,Print Operators,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
Allow log on through Remote Desktop Services | Not Defined |
Back up files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
Bypass traverse checking | NT SERVICE\MSSQL$SCANMAIL,Everyone,Administrators,Authenticated Users,Pre-Windows 2000 Compatible Access,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Change the system time | Administrators,Server Operators,LOCAL SERVICE | Default Domain Controllers Policy
Change the time zone | Not Defined |
Create a pagefile | Administrators | Default Domain Controllers Policy
Create a token object | kcengr\bkupexec | Default Domain Controllers Policy
Create global objects | Not Defined |
Create permanent shared objects | | Default Domain Controllers Policy
Create symbolic links | Not Defined |
Debug programs | Administrators | Default Domain Controllers Policy
Deny access to this computer from the network | kcengr\SUPPORT_388945a0 | Default Domain Controllers Policy
Deny log on as a batch job | | Default Domain Controllers Policy
Deny log on as a service | | Default Domain Controllers Policy
Deny log on locally | kcengr\SBS Remote Operators,kcengr\SUPPORT_388945a0,kcengr\SBS STS Worker | Default Domain Controllers Policy
Deny log on through Remote Desktop Services | Not Defined |
Enable computer and user accounts to be trusted for delegation | Administrators | Default Domain Controllers Policy
Force shutdown from a remote system | Administrators,Server Operators | Default Domain Controllers Policy
Generate security audits | LOCAL SERVICE,NETWORK SERVICE,IIS APPPOOL\Classic .NET AppPool,IIS APPPOOL\DefaultAppPool | Default Domain Controllers Policy
Impersonate a client after authentication | Not Defined |
Increase a process working set | Not Defined |
Increase scheduling priority | Administrators | Default Domain Controllers Policy
Load and unload device drivers | Administrators,Print Operators | Default Domain Controllers Policy
Lock pages in memory | | Default Domain Controllers Policy
Log on as a batch job | kcengr\bkupexec,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,kcengr\IIS_WPG,kcengr\SUPPORT_388945a0,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG,IIS_IUSRS | Default Domain Controllers Policy
Log on as a service | kcengr\Administrator,NT SERVICE\MSSQL$SCANMAIL,kcengr\SQLServer2005SQLBrowserUser$KC01,IIS APPPOOL\Classic .NET AppPool,kcengr\bkupexec,NETWORK SERVICE,IIS APPPOOL\DefaultAppPool,SYSTEM,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Manage auditing and security log | kcengr\Exchange Servers,kcengr\Exchange Enterprise Servers,Administrators | Default Domain Controllers Policy
Modify an object label | Not Defined |
Modify firmware environment values | Administrators | Default Domain Controllers Policy
Perform volume maintenance tasks | Not Defined |
Profile single process | Administrators | Default Domain Controllers Policy
Profile system performance | Administrators | Default Domain Controllers Policy
Remove computer from docking station | Administrators | Default Domain Controllers Policy
Replace a process level token | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Restore files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
Shut down the system | Administrators,Backup Operators,Server Operators,Print Operators,SYSTEM | Default Domain Controllers Policy
Synchronize directory service data | | Default Domain Controllers Policy
Take ownership of files or other objects | Administrators | Default Domain Controllers Policy
I am using the domain administrator account to try and log on locally and I cannot see a reason within the DC's GP why it would be prevented. -
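Both this thread and the "deny log on locally" lockout at the top of the page turn on which accounts and groups hold the logon rights on the machine itself, after every applied GPO has been merged. The following is an added example, not code from any poster: it exports the effective user-rights assignment with `secedit` and lists the logon-related rights with SIDs resolved to names. The function name `Get-LogonRightAssignment` is hypothetical; run it elevated, for instance from the remote session with the backup admin account.

```powershell
# Added example: list who holds the interactive / Remote Desktop logon rights
# on THIS machine. Get-LogonRightAssignment is a hypothetical helper name.
function Get-LogonRightAssignment {
    [CmdletBinding()]
    param(
        # Privilege constants for allow/deny log on locally and via Remote Desktop
        [string[]]$Right = @(
            'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
            'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
        )
    )

    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the effective local security policy
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed with exit code $LASTEXITCODE"
        }

        foreach ($line in Get-Content -Path $cfg) {
            # Entries look like: SeDenyInteractiveLogonRight = *S-1-5-32-546,SomeAccount
            if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
            $name    = $Matches[1]
            $members = $Matches[2]
            if ($Right -notcontains $name) { continue }

            foreach ($entry in ($members -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }

                $account = $entry
                if ($entry.StartsWith('*')) {
                    # SIDs are written with a leading '*'; translate them to names
                    $sid = $entry.TrimStart('*')
                    try {
                        $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                            Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $account = "$sid (unresolved)"
                    }
                }
                [pscustomobject]@{ Right = $name; Account = $account }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-LogonRightAssignment | Sort-Object Right, Account | Format-Table -AutoSize
```

A deny right takes precedence over the matching allow right, and it applies through group membership, so each group listed under `SeDenyInteractiveLogonRight` should be checked against the groups the locked-out account belongs to.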
Local Policy / Group Policy
With 300 machines you are going to have to use GPO and not local policies. The scope is just way too large for going to each machine and doing the config.
As for where and when to use Computer vs User GPO's, that's totally up to you.
You should read the below:
Computer Configuration in Group Policy
User Configuration in Group Policy
What policies to apply will be in the scope of the desktop hardening so you will have to do your searches on that. Typically hardening would include security settings of some sort which will include password complexity, length and expiration right down to stopping the installation of executables on a machine.
These policies will be different in each environment so you will have to do some homework about what GPO's need to be applied
Hi Spiceheads,
I have a question regarding local policy and group policy.
I received a workstation hardening procedure but I need to apply these settings for 300 computers. Can I use group policy instead of local policy? If yes, how, and what option do I need to select, Computer Configuration or User Configuration?
All 300 computers are connected to the same Domain.
Thank you.
This topic first appeared in the Spiceworks Community -
User settings reset and locked out of user folders ! How do I retreive?
Hi everyone,
I'm sure a number of people here on the forums have come across the problem with the blue tint that appears every now and then. It usually appears when connecting an external monitor after the you come back from the screen saver.
Yesterday it happened for the first time without an external monitor connected. I have found a number of sites that have suggested using the command 'sudo chmod 664 *' within the Terminal. I have used it a couple of times to fix this problem but it did not work hence the reason it happened yesterday without a monitor connected. When I did use this command previously I first entered
cd /library/colorsync/profiles/display
When i did it for this occasion i forgot to enter the display folder first.
After this I did a restart and all my user settings were reset and I was locked out of all my user folders. I lost all my desktop settings and everything was back to when I first started my computer.
I did some hunting and found the command 'sudo chmod 777'. I tried this then did a reset and my desktop background returned and the folders were unlocked.
What I want to know is if this is the correct command to bring everything back to normal?
My user permissions in terminal are listed below
Using the command sudo chmod 664 *
drw-rw-r--+ 15 JoeBros staff 510 11 Jun 23:33 Desktop
drw-rw-r--+ 19 JoeBros staff 646 22 May 20:44 Documents
drw-rw-r--+ 46 JoeBros staff 1564 25 Jun 15:08 Downloads
drw-rw-r--+ 45 JoeBros staff 1530 10 Jun 23:56 Library
drw-rw-r--+ 4 JoeBros staff 136 1 Apr 19:19 Movies
drw-rw-r--+ 38 JoeBros staff 1292 4 Apr 18:08 Music
-rw-rw-r-- 1 JoeBros staff 92352512 29 May 18:20 Parallels-Desktop-5600-Mac-en.dmg
drw-rw-r--+ 57 JoeBros staff 1938 25 Jun 16:02 Pictures
drw-rw-r--+ 6 JoeBros staff 204 14 Jun 15:56 Public
drw-rw-r--+ 5 JoeBros staff 170 26 Mar 00:59 Sites
This is what is displayed after sudo chmod 777
total 180376
drwxrwxrwx+ 15 JoeBros staff 510 11 Jun 23:33 Desktop
drwxrwxrwx+ 19 JoeBros staff 646 22 May 20:44 Documents
drwxrwxrwx+ 46 JoeBros staff 1564 25 Jun 15:08 Downloads
drwxrwxrwx+ 45 JoeBros staff 1530 10 Jun 23:56 Library
drwxrwxrwx+ 4 JoeBros staff 136 1 Apr 19:19 Movies
drwxrwxrwx+ 38 JoeBros staff 1292 4 Apr 18:08 Music
-rwxrwxrwx 1 JoeBros staff 92352512 29 May 18:20 Parallels-Desktop-5600-Mac-en.dmg
drwxrwxrwx+ 57 JoeBros staff 1938 25 Jun 16:02 Pictures
drwxrwxrwx+ 6 JoeBros staff 204 14 Jun 15:56 Public
drwxrwxrwx+ 5 JoeBros staff 170 26 Mar 00:59 Sites
Does this look correct ??
Any help would be great thanks
I assume this access is open to everyone when I connect to any wireless network
Not necessarily, it depends whether you just changed your home folders and nothing else.
But just your home folders present a problem as they should have extended attributes which are now removed. More on that later.
Using one chmod to a directory affects all equally, though the files may have individually different permissions.
I don't know how extensively you have altered the modes permissions, but from what you have shown in your first post your Home folders are incorrect.
For your home folder, which is the default location when you start Terminal, and I don't think you have strayed from there, all the listings, except Parallels are folders, prefaced with the letter d. for folder.
On my machine, for example, the pattern for the home folders all show
drwx------@ 5 xxxxxx staff 170 25 Jun 06:07 Desktop
normally that would be chmod 700 Desktop which will get you
drwx------
but note the @ which shows an extended attribute or ACL in Leopard.
to write the ACL shown as @
You will need to read
man chmod about ACL MANIPULATION OPTIONS
Personally, I think that playing around with chmod without a backup was not a good idea, and I wonder if your ambition has exceeded your knowledge. Sorry if that sounds tough, but a possible Archive and Install may be your safest path I think because what you have messed with was no small oops with a simple fix.
You could just change those home folders to chmod 700 and see how it goes without the attribute, or bite the bullet and do an Archive and Install.
I do not run parallels and so have no idea what its permissions should be.
That Time capsule is starting to look pretty good now
Message was edited by: roam2 -
Granddaughter received new I Pad Air from school, appears to have put a password incorrectly into the system and can't remember the word. Now locked out. Is there a way of overcoming this problem?
Nothing you can do. The School will have to restore it and input their Apple ID and password to unlock it.
If you restore it, you'll engage Activation lock and unless you know the password for the associated Apple Id you won't be able to do anything else. -
How to get a list of Local Users who has not logged in for 3 months or around 90 days
hi
i found this thread to pull out a list of local users
Retrieve all local user accounts information on remote computers (PowerShell)
however, i need to filter out users who has not logged in for 3 months or around 90 days, how can i do further filtering?
i understand dsquery has an -inactive <xweeks> , however i am doing it for local accounts
$ErrorActionPreference = "silentlycontinue"
# -lt: last logon is earlier than the cutoff, i.e. the account has not logged in for 90 days
$([ADSI]"WinNT://$env:COMPUTERNAME").Children | where {$_.SchemaClassName -eq 'user' -and $_.lastLogin -lt (Get-Date).AddDays(-90)} | ft name,lastlogin
using the sample from the link extended with the 90 days criteria, the erroraction preference suppresses the errors you get for accounts with no lastlogon value (guest being a typical one)
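An account that has never logged on has no last-logon value, so it raises the suppressed error mentioned above instead of appearing in the list; for a stale-account review those accounts belong in the report too. The following is an added example, not code from the thread: it assumes the `Get-LocalUser` cmdlet from the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 and later), and the function name `Get-StaleLocalUser` and the sample accounts are constructed for illustration.

```powershell
# Added example: local accounts with no logon inside the window, including
# accounts that have never logged on. Get-StaleLocalUser is a hypothetical name.
function Get-StaleLocalUser {
    [CmdletBinding()]
    param(
        [int]$Days = 90,
        [datetime]$Now = (Get-Date),
        # Defaults to this machine's local accounts; any objects carrying
        # Name / Enabled / LastLogon can be passed to check the logic.
        [object[]]$User = (Get-LocalUser)
    )

    $cutoff = $Now.AddDays(-$Days)
    foreach ($u in $User) {
        $never = $null -eq $u.LastLogon
        # Skip accounts that logged on inside the window
        if (-not $never -and $u.LastLogon -ge $cutoff) { continue }

        [pscustomobject]@{
            Name          = $u.Name
            Enabled       = $u.Enabled
            LastLogon     = $u.LastLogon
            DaysInactive  = if ($never) { $null }
                            else { [int][math]::Floor(($Now - $u.LastLogon).TotalDays) }
            NeverLoggedOn = $never
        }
    }
}

# Constructed sample accounts (not real data) to show the three cases
$sampleNow = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'active.user'; Enabled = $true;  LastLogon = [datetime]'2024-05-20' }
    [pscustomobject]@{ Name = 'old.account'; Enabled = $true;  LastLogon = [datetime]'2023-11-02' }
    [pscustomobject]@{ Name = 'never.used';  Enabled = $false; LastLogon = $null }
)
Get-StaleLocalUser -Days 90 -Now $sampleNow -User $sample | Format-Table -AutoSize

# Against the real local accounts of this machine:
Get-StaleLocalUser -Days 90 | Sort-Object LastLogon | Format-Table -AutoSize
```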