Risk of using domain admin to deploy software

Similar Messages

• Using MDT 2013 for deploying Software from MDT Server to PC Client automatically and silently ?

  I have a trouble about deploying software from MDT 2013 server to PC Client , Can we using MDT 2013 for deploying software automatically and silently , that Users/Clients don't have to click "next,next" to install software ?
  If you have a solutions to deploying it , please share me about that solutions ?
  Thanks.
   

  you can make software silently with boot opción:
  with chocolatey opensource.
  or make software with switches
  here link to help you:
  http://blogs.itpro.es/octaviordz/2014/05/29/instalando-aplicaciones-con-chocolatey
  http://blogs.itpro.es/octaviordz/2014/06/05/integrando-chocolatey-a-mdt-2013-e-instalando-aplicaciones-de-forma-desatendida-en-windows-8-1/
  http://blogs.itpro.es/octaviordz/2014/10/31/probando-chocolatey-en-windows-10
  http://blogs.itpro.es/octaviordz/2012/07/10/aplicaciones-desatendidas
  MVP Jesús Octavio Rdz http://blogs.itpro.es/octaviordz

• Need recommendation regarding domain admin permission

  Hi,
  Recently we got the request from IT security team to remove domain admin privileges for any IT user account even Sr. System Administrator. As per them it is not recommended to login with domain admin account on workstation so they asked me to create
  standalone account for workstation and use domain admin account only for login to servers.
  I need someone recommendation regarding this and if yes then please mention some points why it not recommended to have domain admin privileges for System Administrator for daily usable account.
  Appreciate your quick response regarding them.
  Regards,
  Hakim. B 
  Hakim.B Sr.System Administrator

  1. Do not provide the domain admin permission more that 3/4 persons. No matter however big is the env.
  2. ADDS Audit should be enabled.
  ADDS 2008 Audit  
  3. Restricted group is ok but that is overwritten the existing admins.
  Regards,
  Biswajit
  MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011
  Blog:
    Script Gallary:
    LinkedIn:
  Note: Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights..

• Windows 7 deployment- Local Admin password not working, no way to assign domain admins

  I have SCCM 2012 configured for OS deployment of a Windows 7 64x enterprise image. I am using boot media (cd) since PXE boot was not an option in this office. Deployment seems to work fine except that despite selecting "Enable the account and specify
  the local administrator password" I cannot login to the imaged system as Administrator. I tried several different passwords, and leaving the password field blank. Because of this I cannot add the domain admins as local admins and thus I cannot change
  any major settings on the PC. I have created multiple task sequences, redeployed the source files, tried two different machines (a desktop and a laptop) and have disabled or adjusted just about every part of the task sequence at least once.
  I'm pasting a recent SMSTS.log file, though it has an error 0x80070002 error in it I am not sure if this is related.
  Any suggestions on how to remedy this issue, or workarounds to assign local admins would be helpful. I have already tried adding in some command lines like "cmd /c net localgroup administrators /add "etoo\Administrators" and "cmd /c net
  localgroup administrators /add "localhost\username"" to various points in the sequence without any success.
  https://www.dropbox.com/s/g3s520bwo8pv4kp/smsts.log
  Thanks

  I suspect that your keyboard layout isn't configured correctly so that's why your "Enable the account and specify the local administrator password" doesn't work, check the keyboard layout on the login screen of the client you're trying to log in to...
  There are several ways of adding local admins to the client during  OS deployment:
  "Apply the windows settings" -task sequence step
  unattend.xml (http://sybaspot.com/the-complete-guide-to-preparing-a-windows-7-deployment-image-using-audit-mode-and-sysprep-with-an-unattend-xml-answer-file/)
  "Run a commandline" -task sequence step, after the Setup Windows & ConfigMgr step (cmd /c net localgroup "Administrators" "domain\user" /add)
  And after OS deployment:
  Restricted groups group policy (http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html)

• How to Reset Password of User while not connected to Domain using Local Admin Account

  How to Reset Password of User while not connected to the Domain using Local Admin Account
  (I have the use of a local admin account), and I want to help a user reset their password who has logged in the PC and had their credentials cached, but forgot this password. 
  In Local Admin Account :
  When I go to Control Panel, users, users, manager user ; I cannot see any users in this window except the local admin account, and, so I cannot reset a user password this way.
  When I go to lusrmgr.msc, then users ; the local admin account will display only. 
  If I go to command prompt and type "net user", this will not display any users who have logged in to the computer, and so I cannot use "net user" to reset a password.
  I don't want to use any disks, 3rd party programs, or create a VPN connection to the domain.  I just want to help a user who calls in and forgets their password.

  Hello Keith,
  I know this is an old thread but I'm trying to better understand how I could change the domain password while not on the network. What I'm getting from your post is that you:
  1. Create a local user account (not a domain user)
  2. Login with that local user account
  3. Connect to the VPN while logged in as a local user
  4. Log out of the local account and login with the domain credentials
  Now, my question is based on the assumption that the password created on the local account is the same password that one will use to login to the domain account? Also, is the local user account the same as the domain account?
  Thanking you in advance!

• Software always installs to Domain Admin account on connected PC-cant install to Domain User account

  I have completed the following steps:
  Set up Windows Server 2012 R2 Essentials successfully
  Successfully connected a Windows 8.1 Pro PC to the network by running the Essentials Connector software
  The PC has the following users: Original local account created when I installed Windows 8, Domain Admin account created when I ran the Essentials Connector account, Domain User created after PC was connected to the network.
  Everything seems to be working fine. I have installed MS Office 365 Pro, Skype, various other applications while logged in as the Domain User. Every one of these installs triggered a UAC prompt, which was expected, and after entering the Domain Admin
  credentials the install proceeded successfully. After install, the software was available to the Domain User, shortcuts appeared in the Start Menu or Desktop, appropriate directories were created in the Documents folder.
  All except for 3 applications - upon being prompted for permission to install, I enter the Domain Admin credentials, installation proceeds, but the software is installed to the Domain Admin account-not the Domain User account. Shortcuts appear on the Domain
  Admin desktop-Not the Domain User account, etc. I've tried:
  Downloading a new copy of the software to the Domain User desktop & running it from there
  Right-click file, Install as Admin
  click file, Install as a different user
  Right clicking file, Properties>Compatibility & changing compatibility settings
  Right clicking file, Properties>Compatibility>Run as Administrator
  None of these options have changed the result, the software is still installed to the Domian Admin account as opposed to the Domain User account. Any idea why these 3 software wont install correctly but everything else has? Any suggestions as to how to install
  the software to the profile that doesn't involve making the Domain User an Administrator? Thanks for any help!

  Hi voltron5,
  Many programs may provide options: "install for everyone" or "just for current user", when you install them.
  Please check if there are such options during the installation process.
  If those three programs are all third-party applications. I suggest you should contact with the corresponding
  support and confirm this.
  If those three programs are Microsoft applications, would you please let me know specific information of those
  three applications? Such as their names and so on. Meanwhile, when complete the installation, please check the software path was added in administrator environment variables or system environment variables.
  Hope this helps.
  Best regards,
  Justin Gu

• Create DSN in admin tool using domain account

  Hi. We're moving away from SQL authentication and using
  domain accounts for SQL Server authentication. How does one create
  a data source in the admin site to use a domain account? Is this
  possible? We're using ColdFusion 6.1. Thanks.

  We've tried that and get the following error,
  Connection verification failed for data source: myDataSource
  []java.sql.SQLException: [Macromedia][SQLServer JDBC
  Driver][SQLServer]Login failed for user 'MYDOMAIN\domainAccount'.
  The root cause was that: java.sql.SQLException:
  [Macromedia][SQLServer JDBC Driver][SQLServer]Login failed for user
  'MYDOMAIN\domainAccount'.
  The account exists on the SQL Server 2005 database and has
  read/write privileges.

• RunState.Sequence.Main vs RunState.SequenceFile??? When using Deployed Software??

  RunState.Sequence.Main vs RunState.SequenceFile???  When using Deployed Software??
  Can someone explain to me why when I use something like->
  RunState.SequenceFile.Data.Seq["Test Seq"].Main["Test Step"].Result.Status
  the status will never be updated if I am configured for LabVIEW Run-Time Engine (but will work for Development System).
  Also why does->
  RunState.Sequence.Main["Test Step"].Result.Status
  update for both LabVIEW Run-Time Engine and Development?
  I fixed my problem by using RunState.Sequence.Main["Test Step"].Result.Status but I still am curious why the other way doesn't work???  Can someone please give me a sanity check?
  Thank you very much!
  Solved!
  Go to Solution.

  RunState.SequenceFile.Data.Seq contains the edit time copy of the sequences. These copies are not used at all at runtime. At runtime a separate copy is made (and is accessible from RunState.Sequence) and only that runtime copy is updated. These runtime copies are made for several reasons such as the following:
  1) To make it so that modifications made to the sequence at runtime, do not affect the original edit time version of the file (you don't want modifying the status to be an edit to the sequence file right?).
  2) To support recursion, recursive calls into the same sequence each have their own copy of the sequence so that the state for a call isn't overwritten by a recursively made call to the same sequence.
  There are probably other reasons as well, but these are probably the biggest ones.
  -Doug

• Office 2013 will not open unless user is a Domain Admin

  In order to get the Office 2013 suite to install from Office 365, I had to make all the users (115 in 4 offices) a domain admin, we then installed the software on everyone's computers and we have migrated our email.  However, I now need
  to remove all the users from being a domain admin, but when I do none of Office programs will open, no error message, just a spinning wheel for 10 seconds and nothing.   I need to remove the users from being a domain admin as they can now see
  network drives that they were previously restricted from.  All computers are Windows 7 Pro.  I have even installed the suite on a brand new computer, installed as admin, login as a domain user and nothing will open.
  Thanks

  What's the default right for the user in your domain, domain user?
  Can we open the Office application when the domain user is in local administrator group?
  Please turn off all of security programs and 3rd-party programs (Windows clean boot) and then launch Office component, such as Word.exe with safe mode. ("Winword.exe /safe") to check if it opens successful in non-domain user rights.
  Don't use Office shortcut to open Office but double click the .exe file under %programfiles%\Microsoft Office to check if the office process appears in Windows Task Manager. 
  In addition, please go to eventvwr to check if there is any errors regarding to permission or Office exist. If so, post it here for further checking. Thanks. 
  Tony Chen
  TechNet Community Support

• Use Global Conditions when Deploying an Application to a User

  Hi,
  Use Global Conditions when Deploying an Application to a User:
  I would like to deploy App-V Application with User centic in mind. The problem is that when the user login to a specefic typ of desktop the application shall be deployed. But if the use login on there primary device or some other
  device with same SLA the Application shall not be deployed.
  I think I can use Global Conditions to solve this. I have read about GC and it looks like I could greate a GC rule that deploy the software if the computer is in an AD-group or maybe becas all this computer starts with same prefix, sp maybe
  if the computernamn starts with PC the application will get deployed.
  The issue is that there is differant SLA on the computers that the User login to. 
  Or what mor can I do?
  /SaiTech

  Just keep in mind this puts a load on AD, a Domain Controller can get tickled silly by these Global Conditions running from each of your Clients, depending on the scale of your environment it can have an impact. It's a great idea GC's, just need to consider
  what load you are putting on the infra when they run.
  Might not be an issue for\to you, worth nothing all the same.
  Robert Marshall | This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs

• Error while invoking bean "domain manager": Error deploying BPEL suitcase.

  My issue is the following, when I use wsa adressing in my bpel process such as:
  xmlns:ns2="http://schemas.xmlsoap.org/ws/2003/03/addressing"
  and create a variable based on this schema
  <variable name="partnerReference" element="ns2:EndpointReference"/>
  I can compile and generate the jar file. But when I deploy this file in my console I get the following error:
  Module     oracle.soa.bpel.system
  Host     brux0304
  Host IP Address     10.18.80.129
  User     weblogic
  Thread ID     [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'
  Message     Error while invoking bean "domain manager": Error deploying BPEL suitcase.
  Supplemental Detail     error while attempting to deploy the BPEL component file "/soa/oracle/Middleware/user_projects/domains/base_domain/servers/soa_server1/dc/soa_f7fc611b-51eb-4910-a671-d2bb5c5c31d0"; the exception reported is: java.lang.Exception: BPEL 1.1 compilation failed
  This error contained an exception thrown by the underlying deployment module.
  Verify the exception trace in the log (with logging level set to debug mode).
  ORABPEL-05250
  Error deploying BPEL suitcase.
  error while attempting to deploy the BPEL component file "/soa/oracle/Middleware/user_projects/domains/base_domain/servers/soa_server1/dc/soa_f7fc611b-51eb-4910-a671-d2bb5c5c31d0"; the exception reported is: java.lang.Exception: BPEL 1.1 compilation failed
  This error contained an exception thrown by the underlying deployment module.
  Verify the exception trace in the log (with logging level set to debug mode).
  at com.collaxa.cube.engine.deployment.DeploymentManager.deployComponent(DeploymentManager.java:197)
  at com.collaxa.cube.ejb.impl.CubeServerManagerBean._deployOrLoadComponent(CubeServerManagerBean.java:820)
  at com.collaxa.cube.ejb.impl.CubeServerManagerBean.deployComponent(CubeServerManagerBean.java:119)
  at com.collaxa.cube.ejb.impl.bpel.BPELServerManagerBean.deployComponent(BPELServerManagerBean.java:88)
  at sun.reflect.GeneratedMethodAccessor844.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
  at com.bea.core.repackaged.springframework.jee.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:104)
  at oracle.security.jps.ee.ejb.JpsAbsInterceptor$1.run(JpsAbsInterceptor.java:94)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
  at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
  at oracle.security.jps.ee.ejb.JpsAbsInterceptor.runJaasMode(JpsAbsInterceptor.java:81)
  at oracle.security.jps.ee.ejb.JpsAbsInterceptor.intercept(JpsAbsInterceptor.java:112)
  at oracle.security.jps.ee.ejb.JpsInterceptor.intercept(JpsInterceptor.java:105)
  at sun.reflect.GeneratedMethodAccessor843.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
  at com.bea.core.repackaged.springframework.jee.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:69)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
  at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
  at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
  at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
  at $Proxy281.deployComponent(Unknown Source)
  at com.collaxa.cube.ejb.impl.bpel.BPELServerManagerBean_bp05wg_ICubeServerManagerLocalBeanImpl.__WL_invoke(Unknown Source)
  at weblogic.ejb.container.internal.SessionLocalMethodInvoker.invoke(SessionLocalMethodInvoker.java:39)
  at com.collaxa.cube.ejb.impl.bpel.BPELServerManagerBean_bp05wg_ICubeServerManagerLocalBeanImpl.deployComponent(Unknown Source)
  at oracle.fabric.CubeServiceEngine.load(CubeServiceEngine.java:886)
  at oracle.fabric.CubeServiceEngine.load(CubeServiceEngine.java:128)
  at oracle.integration.platform.blocks.deploy.CompositeDeploymentConnection.deployComponents(CompositeDeploymentConnection.java:242)
  at oracle.integration.platform.blocks.deploy.CompositeDeploymentConnection.deploy(CompositeDeploymentConnection.java:93)
  at oracle.integration.platform.blocks.deploy.CompositeDeploymentManagerImpl.initDeployment(CompositeDeploymentManagerImpl.java:149)
  at oracle.integration.platform.blocks.deploy.CompositeDeploymentManagerImpl.load(CompositeDeploymentManagerImpl.java:62)
  at sun.reflect.GeneratedMethodAccessor18895.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
  at oracle.integration.platform.blocks.deploy.DeploymentEventPublisher.invoke(DeploymentEventPublisher.java:68)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
  at $Proxy309.load(Unknown Source)
  at oracle.integration.platform.blocks.deploy.StandaloneCompositeDeploymentCoordinatorImpl.coordinateCompositeRedeploy(StandaloneCompositeDeploymentCoordinatorImpl.java:95)
  at oracle.integration.platform.blocks.deploy.servlet.BaseDeployProcessor.overwriteExistingComposite(BaseDeployProcessor.java:398)
  at oracle.integration.platform.blocks.deploy.servlet.BaseDeployProcessor.deploySARs(BaseDeployProcessor.java:229)
  at oracle.integration.platform.blocks.deploy.servlet.DeployProcessor.doDeployWork(DeployProcessor.java:161)
  at oracle.integration.platform.blocks.deploy.servlet.DeployProcessor.doDeployWork(DeployProcessor.java:109)
  at oracle.integration.platform.blocks.deploy.servlet.DeployProcessor.doRedeploy(DeployProcessor.java:101)
  at oracle.integration.platform.blocks.deploy.servlet.DeployProcessor.process(DeployProcessor.java:81)
  at oracle.integration.platform.blocks.deploy.servlet.CompositeDeployerServlet.doPostInsideLoggingSession(CompositeDeployerServlet.java:221)
  at oracle.integration.platform.blocks.deploy.servlet.CompositeDeployerServlet.doPost(CompositeDeployerServlet.java:124)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
  at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
  at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
  at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
  at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
  at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
  at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
  at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
  at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
  at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
  at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
  at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
  at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
  at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
  at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  When I remove the namespace and variable it works.
  What should be causing that?
  Regards,
  Luciana

  There seems to be some issue with partnerrole definition. Please check CreatePurchaseOrderListEbizProvABCSImplProcess.bpel(line 51): and CreatePurchaseOrderListEbizProvABCSImplProcess.bpel(line 617): role not found
  as mentioned in the log.
  Regards,
  Narayana

• Domain Admins not able to run executable on Domain Servers

  I have built a VM domain of Windows 2008 R2 SP1 x64 machines.  One Domain controller, 4 member servers.  I have built a couple users, and put them into the following domain groups:
  Domain Admins
  Enterprise Admins
  Schema Admins
  However, if I log into any of the machines as the two users I created, I cannot run, for instance, setup.exe for SQL server.  I am invariably told :
  "Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."
  I CAN access stuff on the Domain Controller logged in as one of those users.  So all these problems only apply to the member servers.
  I have checked to unblock the files (not an issue)
  I have modified UAC settings through SECPOL.msc
  I have confirmed that the users in question (as well as the groups above) are members of the local Administrators group on each node.  The only way for me to run these programs (things like regedit also won't run either) is to log in as Administrator
  (domain and local work for this) 
  I have removed a member server from the domain and re-added it.  I did so using one of the userids that have been problematic.  It added it to the domain fine, but upon reboot, that userid had effectively no rights on the box.
  I have no idea what the problem is.  I can't even elevate a command prompt to administrator - it gives the error above.
  I built this system for some exercises and testing for a cert test I am taking.  If I can't get these (or any other) accounts working, I am kinda stuck.  
  Any help would be great, because none of this makes sense.
  Thanks,
  Todd 

  Hi,
  Would you please check the below article and try the suggestions in it:
  "Windows cannot access the specified device, path, or file" error when you try to install, update or start a program or file
  http://support.microsoft.com/kb/2669244
  Regards,
  Yan Li
  Regards, Yan Li

• Group Policy - Issues deploying software packages through GPO

  Hello everyone,
  I am having issues successfully deploying MSI packages through group policy.  I have set my computer account up in its own test OU in my domain, but yet the software will not deploy.  Example, I'm trying to deploy AVG Anti-Virus and make sure it
  is installed on each and every PC in my domain.  As for the GPO, I set it up as an assigned package and pointed to the location of the package with the UNC file path (visible to both the DC and my computer that is part of the affected OU)
  On the domain controller, I get these messages in application event logs:
  Beginning a Windows Installer transaction: \\hs-dc2\software\avg\installavg.msi. Client Process Id: 9048.
  Ending a Windows Installer transaction: \\hs-dc2\software\avg\installavg.msi. Client Process Id: 9048.
  This shows up when I refresh GP on my computer.  I run gpresult /h GPReport.html and get the following message:
  Software Installation failed due to the error listed below.
  Fatal error during installation.
  Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between
  The software is in a share on the domain controller that is visible from my computer, and permissions are set where "Everyone" has read access.  I have tested the package on my computer and it installs
  correctly if I do it manually, so it's a good package. 
  I'm at a loss.  I am admitedly very new to GP management, but I'm pretty sure I have covered all my bases here.  I humbly ask for any and all help that you all can provide.
  Thank you all very much, have a great weekend!

  > Magnolia_Schools.exe
  What's that???
  > \\hs-dc2\software\avg\installavg.msi
  > <file://\\hs-dc2\software\avg\installavg.msi> /qb addeploy=1
  /qb ADDEPLOY=1
  Uppercase matters (:
  A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
  I should have explained, my apologies.  The InstallAVG.msi is the package I have GP deploying.  it is a package that AVG wrote for us that goes in, uninstalls the two previous antivirus softwares we have on our network if it is present, and
  then wraps it to run magnolia_schools.exe which installs the AV software.  I am uninstalling AVG now and will try reinstalling with
  \\hs-dc2\software\avg\installavg.msi /qb ADDEPLOY=1 and report back.
  also, the only logs I found that were around the time of the install attempt were such as these:
  1: 2905 2: C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas
  1: 2905 2: C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas
  Does that tell you anything?
  I will say this, if this means anything...now that AVG is installed, the event logs are changing from an error %%1603 to this:
  Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : %%1274
  The removal of the assignment of application exe2msiSetupPackage from policy Install AVG failed. The error was : %%2
  So it acts like it's at least seeing that the package is installed...and reacting differently, correct?
  Thanks so much

• Can I use SCCM 2007 to deploy SCCM 2012 Agent

  I was reading the scenarios for deploying the SCCM 2012 agent here
  http://technet.microsoft.com/en-us/library/gg682132.aspx
  I have been planning to deploy the 2012 agent using an SCCM 2007 deployment package. I am not migrating any data/packages/collections/anything from SCCM 2007. 
  I am looking for a sane way to deploy 2000ish clients a day for 2 weeks and be done. 
  I figure they are all SCCM 2007 clients so lets deploy 2012 agent using SCCM 2007.
  I read the following in the link above and it sounds like the way I want to go – use SCCM 2007 software distribution…
  Upgrade installation by using application management
  Upgrades clients to a newer version by using Configuration   Manager application management. You can also use Configuration Manager 2007 software  
  distribution to upgrade clients to System Center 2012 Configuration Manager.
  Then later in the same document there is this…
  How to Upgrade Configuration Manager Clients by Using a Package and Program
  You can use Configuration Manager to create and deploy a package and program that upgrades the client software for selected computers in your hierarchy. A package definition file
  is supplied with Configuration Manager that populates the package properties with typically used values. You can customize the behavior of the client installation by specifying additional command line properties.
  You cannot upgrade Configuration Manager 2007 clients to System Center 2012 Configuration Manager by using this method.
  In this scenario, use automatic client upgrade, which automatically creates and deploys a package that contains the latest version of the client.
  What???!??  There is no Automatic client upgrade feature in 2007 – so how does that even make sense?  In one section, it says I can deploy the 2012 Agent using SCCM 2007 software distribution, and then later in the same document, it
  says I can't.  I am probably misunderstanding somthing.
  Is it possible to make a package/program in SCCM 2007 that will make targeted clients upgrade to Agent 2012 and join the new SCCM 2012 Site?

  I tested this (deploying 2012 agent using existing 2007 SCCM infrastructure) with a few test systems at my desk and it seems to work pretty smoothly.  I made a package to deploy SCCM 2012 SP1 and added it to my SCCM 2007 Site.  Then I deployed
  the 2012 agent from 2007 and it worked great.  If it works this well in production, I will be able to migrate all of my clients in less than a weeks time. 
  I have not published the 2012 site information in AD - and I don't plan to.  We would have some overlapping site boundaries - and in 2012 it seems its unnecessary in a single site hierarchy.  I AM planning to use boundaries to assign
  DPs, but thankfully site and DP boundaries have been separated.  It works great to just specify the site in everything and not worry about auto discovery.  My clients don't move among sites since I only have one large site.
  Sorry that I somehow posted this same question twice, and thanks for cleaning that up.
   In my installation, I just called ccmsetup.exe with the following command line...
   /mp:myMP.mydomain.com CCMLOGMAXHISTORY=5 CCMLOGMAXSIZE=1000000 SMSCACHEFLAGS=PERCENTDISKSPACE;NTFSONLY SMSCACHESIZE=10 SMSMP=myMP.mydomain.com SMSSITECODE=CCM
  I am not sure that I need to specify the MP twice, but it is working to do so.  I'm also not sure whether the log and cache flags will be honored since there are existing settings from SCCM2007 agent.  I think that the 2012 install will not change
  these settings upon installation, but it does not appear to hurt the process to include them just in case it does work.

• Non domain admins can't auththenticate

  I'm setting up a new ACS 5.6.  It has an external identity store connected to our AD.  The RADIUS client is an ASA5510 with 9.1(5)21.  My issue is I can only authenticate accounts in the Domain Admins group.  Accounts not in the Domain Admins group fail authentication.  The message I see in the ACS log has Failure Reason "15039 Selected Authorization Profile is DenyAccess.  Access Service is "Default Network Access", Authorization Profiles is "DenyAccess".
  The account I'm testing with is in the "ACS Remote VPN Devices" group.  I added this group in Users and Identity Stores > External Identity Stores > Active Directory > Directory Group tab by using select and adding the group.  I did not type in the group name.  I created an access Policy and added the ACS Remote VPN Devices group to this policy.  The Domain Admins group is also on this policy.
  The test I am using to generate successful or failed logins is on the ASA.  I use the command "test aaa authentication RADIUS user ??? password ????
  With an account in the Domain Admins group the test is successful.  With an account not in the Domain Admins group the test fails.
  Thanks for any help.
  Bill

  hmmm.  If your computer is on a domain, and you plug it into someone else's network running workgroup, you should be OK, if the workgroup is on single segment.  Your computer will resort to Netbios name resolution if host name resolution fails.
  You can remove the primary dns suffix from your computer, but if the DHCP server that negotiates the lease on the network you are on supplies option 015, it will add the domain suffix to that NIC.
  Since I do not know the exact situation you are facing, you can try this...
  Open the control panel--> system--> advanced settings --computer name tab --> change button --> more button --> uncheck "change primary dns suffix... & also clear the text box that contains the primary dns suffix.
   Overview regarding name resolution for windows:
  Microsoft Windows TCP/IP NetBIOS and Host Name Resolution
  http://www.anitkb.com/2010/08/microsoft-windows-tcpip-netbios-and.html
  Visit: anITKB.com, an IT Knowledge Base.