Should Netweaver Admins have local server admin rights?

Our netweaver tech admins also have local server admin rights on all of our SAP servers. 
Why would these need this access?

This doesn't sound very secure.  In the scenario you described, multiple netweaver tech admins would be sharing the <sid>adm account and password. 
Would this be considered standard practice in an SAP environment?  Would the <sid>adm ID be a Firecall only type of ID?
Edited by: Joe Hanold on Apr 28, 2008 4:05 PM

Similar Messages

  • All logins slow/failed, even local server admin won't work...

    I've had an issue last Friday which reoccurred this morning concerning logins. Any logins on the network don't work, but take forever to come up with an error message. So I went to the server locally and tried the admin account there, but it hung as well (pinwheel for a few minutes, then spinning gear indefinitely). On Friday, a hard reboot seemed to fix the issue. Today, after hard rebooting, I could log in locally, but upon opening Server Admin, my server's info never came up (showed connected, but no info came up (in the software/hardware/etc area on the first page) and no services were listed). No network accounts could log in at this time (would take a minute and then the generic "Cannot log into this account due to an error").
    Did another restart (via the apple menu this time) and everything is working fine for now. I couldn't find anything in any logs to indicate a problem (although it seems several logs restarted with the server restart).
    Most clients are 10.6.2, a few are 10.5.8 and one is 10.4.11.

    Happened again this morning. Hard restart seemed to fix it, but the RAID with the home folders on it took (3-drive RAID in the XServe, OS is on a separate solid state drive) about 5 minutes to mount.
    Most logs seemed to have reset on the restart. There was no server system log at all or a DHCP system.log.
    OD LDAP log's first line was "nse error = 2". Everything after that was after the restart.
    OD Password Service Error log was full of "Unknown listener exception error." All entries were since the restart.
    Couldn't find any other anomalies in any logs (although, like I said, most of them don't seem to exist anymore).
    Now, I don't know if it's related, but the green light on the center RAID drive is off, but it seems to check out fine in System Profiler and Disk Utility. The blue access light works. I just figured it's a bad LED, but seems possibly related if the RAID's losing connection somehow (which could explain logins not working and its slow mounting behavior).
    Any ideas would be greatly appreciated as this is really bringing us to a standstill.

  • Local Server Admin app on G5 power mac

    Apologies if this is obvious, but just installed 10.5.8 server on a recycled G5 1.8GHz late 2004 power mac.
    Seems to work well, but no idea how to locally admin the machine.
    Trying to run Server Admin loads the program, but majority of menu options are greyed out and clicking 'new server admin window' doesn't actually open a server admin window. Means I can't manage any services locally on the machine. This is from the user admin account set-up during installation.
    I can run it from an user admin account setup after installation was complete, but not from the account created during installation.
    I can also run server admin remotely on my laptop.
    Am I missing something?
    Thanks
    Andy

    G5 Power Mac with OSX server (I think 10.5)....When using Alt or pressing C to start-up from a Snow Leopard installer......Am I missing something?
    A Power Mac G5 CANNOT run Snow Leopard (10.6x).
    Any use of a Snow Leopard disk WILL fail to install, format WILL produce a non-booting drive (without extra steps) and repair with a SL Disk Utility may worsen a damaged drive directory.
    We also have a Time Machine backup from the Friday night before the failure.
    However, we still can't start-up from the DVD to restore the Time Machine backup.
    What you need to be doing is booting to the real, currently installed OS install disk and using the restore function available with it and Time Machine.
    Without the install disc of the currently used OS, your chances of recovery without reinstall may be slim.
    Repair of a drive directory may be possible using fsck. Start by booting to Safe Mode.
    Read more here:
    Resolve startup issues and perform disk maintenance with Disk ...
    Anyhow, stop mucking around with Snow Leopard in a G5.
    Unless, of course, what you are really talking about is a Mac Pro, then we need to start all over again as a Mac Pro and a G5, save for a cosmetically similar case, are completely different.

  • Unable to sign on CF Admin on local server (CF10)

    As part of the installation I was led to the web admin to complete the configuration; whereas, I was not allowed to continue because my credentials were stated as wrong. I was able to successfully go to one of the other remote computers which its IP was included in CF10s "Secure Profile" settings. After that I entered 127.0.0.1 as part of the allowable IPs. Still no luck with getting access from within the same server as CF10.
    Details:
    Win2008R2
    IE9
    CF10 Enterprise

    Is 127.0.0.1 in the list of allowed IP addresses (if you try to connect using http://localhost:8500)? Or the action IP address of the server if you are using the IP address or hostname of the server?

  • List Local Service Admins Using Alternate Credentials

    We're trying to write a script that will query a single server for a list of local server admins but want to pass alternate credentials.  In other words, we want users who do not have admin rights to the server to be able to list local admins using this script.
    Any thought on how this would be accomplished?

    Here's one way you could do it in PowerShell. You can pass it a credential object with which to connect to the remote machine.

        # Get-LocalAdmin.ps1
        #requires -version 2
        param(
          [String] $ComputerName,
          [System.Management.Automation.PSCredential] $Credential
        )
        # Find the built-in Administrators group (well-known SID S-1-5-32-544).
        # $wmiArgs is used instead of the automatic variable $args.
        $wmiArgs = @{
          "Class" = "Win32_Group"
          "ComputerName" = $ComputerName
          "Filter" = "Domain='$ComputerName' and SID='S-1-5-32-544'"
        }
        if ( $Credential ) { $wmiArgs.Add("Credential", $Credential) }
        get-wmiobject @wmiArgs | foreach-object {
          # List the accounts and groups that are members of that group
          $memberArgs = @{
            "ComputerName" = $ComputerName
            "Query" = "associators of {$($_.Path.Path)} where AssocClass=Win32_GroupUser ResultRole=PartComponent"
          }
          if ( $Credential ) { $memberArgs.Add("Credential", $Credential) }
          get-wmiobject @memberArgs | foreach-object {
            $_.Caption
          }
        }

    Example usage:

        PS C:\> $cred = get-credential
        PS C:\> Get-LocalAdmin.ps1 servername -credential $cred

    Bill

  • Setting workgroup backup permissions for server admin user

    I apologize in advance for what is probably a trivial question. At school I have set up a Tiger server on a PPC desktop. Open directory is implemented and managed remotely on my personal desktop machine using Workgroup manager. The local server admin account is different from the remote workgroup manager account. I have been backing up using rsync from my machine by logging in with ssh and the Workgroup manager account. Now I want to use ChronoSync on the server machine to set up a simple incremental backup routine. The problem is that ChronoSync runs under the server admin account which does not have permissions to access the group accounts. What is the best way for me to give the server admin account "global" permissions so it can backup the files and directories that were set up using Workgroup manager?
    iMac Intel Mac OS X (10.4.9)

    Hi,
    User Account Control treats members of the Administrators group as standard users.
    With UAC enabled, members of the local Administrators group run with the same access token as standard users. Only when a member of the local Administrators group gives approval can a process use the administrator’s full access token. This process is the basis of the principle of Admin Approval Mode.
    When an administrator logs on to Windows Vista or newer, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered).
    To work around this issue, use the net use command together with a UNC name to access the network location.
    Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or newer operating systems
    http://support.microsoft.com/kb/937624
    Regards,
    Mandy

  • Getting Server Admin to connect over SSL

    According to the help provided with Server Admin:
    "By default, Server Admin treats all communications with remote servers as encrypted
    using SSL. This uses a self-signed 128-bit certificate installed in /etc/servermgrd/ssl.crt
    when you install the server. Communications use HTTPS (port 311). If this option isn’t
    possible, HTTP (port 687) is used and clear text is sent between Server Admin and the
    remote server."
    How do I know that Server Admin is connecting using SSL? I have port 311 open on my router and the server firewall, but when I connect to the server using the localhost name of the server, it saves the password in the keychain as "http://myserver.local".

    um... interesting
    sudo lsof -i -P
    should show you that servermgr is talking, who to, and on which port.
    however on my 10.5.1 server, it does not show as connected. I checked on 10.4 servers and it works as expected.
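
One way to turn the `lsof -i -P` output suggested above into an answer to the SSL question, as an added example that is not part of the original posts: it reports whether established servermgrd connections use port 311 (HTTPS) or port 687 (clear-text HTTP), the two ports named in the quoted help text. The function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify servermgrd connections from `lsof -i -P` output.
# Ports come from the quoted Server Admin help: 311 = HTTPS, 687 = clear text.
# lsof truncates command names to 9 characters by default, so "servermgrd"
# is listed as "servermgr"; the match below is on that prefix.

classify_servermgrd() {
    # Reads lsof output on stdin and prints one of: cleartext | tls | none.
    # A single clear-text session is enough to report "cleartext".
    awk '
        $1 ~ /^servermgr/ && $NF == "(ESTABLISHED)" {
            # NAME column has the form local:port->remote:port
            split($(NF - 1), ends, "->")
            n = split(ends[1], parts, ":")
            if (parts[n] == "311") tls++
            else if (parts[n] == "687") plain++
        }
        END {
            if (plain > 0) print "cleartext"
            else if (tls > 0) print "tls"
            else print "none"
        }'
}

# Constructed sample output (not captured from a real server).
SAMPLE_TLS='COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
servermgr  4242 root   10u  IPv4 0x0a1b2c3d      0t0  TCP *:311 (LISTEN)
servermgr  4242 root   11u  IPv4 0x0a1b2c3e      0t0  TCP *:687 (LISTEN)
servermgr  4242 root   14u  IPv4 0x0a1b2c3f      0t0  TCP 192.168.0.2:311->192.168.0.50:49812 (ESTABLISHED)'

SAMPLE_FALLBACK='COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
servermgr  4242 root   10u  IPv4 0x0a1b2c3d      0t0  TCP *:311 (LISTEN)
servermgr  4242 root   14u  IPv4 0x0a1b2c3f      0t0  TCP 192.168.0.2:311->192.168.0.50:49812 (ESTABLISHED)
servermgr  4242 root   15u  IPv4 0x0a1b2c40      0t0  TCP 192.168.0.2:687->192.168.0.51:49820 (ESTABLISHED)'

SAMPLE_IDLE='COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
servermgr  4242 root   10u  IPv4 0x0a1b2c3d      0t0  TCP *:311 (LISTEN)
sshd        310 root    4u  IPv4 0x0a1b2c41      0t0  TCP 192.168.0.2:22->192.168.0.50:49700 (ESTABLISHED)'

# Demo on the constructed sample; on a server: sudo lsof -i -P | classify_servermgrd
printf '%s\n' "$SAMPLE_TLS" | classify_servermgrd
```

A result of `none` while Server Admin is open matches what the reply above reports for 10.5.1: lsof did not show the connection, so the check is inconclusive there.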

  • Using spamtrainer then Server Admin

    I've run spamtrainer and followed all the instructions included with it and all looks well...
    I believe I remember reading in some of those instructions that I should stay clear of changing settings with Server Admin once I've used spamtrainer.
    Is it safe to change the "Minimum junk mail score" setting in Server Admin? What are the settings (or is it just any of them) that one should refrain from changing in Server Admin after running spamtrainer?
    By the way pterobyte, if you are the one that answers, thanks for all your posts and for spamtrainer.

    Alan,
    spamtrainer does NOT limit your use of Server Admin in any way whatsoever.
    What you probably read somewhere is that you should ditch Server Admin once you start manually modifying postfix and amavisd configuration files.
    Yes it is safe to change the score in SA.
    Alex
    P.S. You are welcome

  • Domain Admin doesn't have local Administrator privileges

    This was all done using Azure VMs.
    machine: server-dc
    Setup Windows 2012 R2 as a domain control with user 'testadmin'
    Domain: DEV
    Added a user 'domainadmin' and made a Member of all the same groups as testadmin (including Domain Admins)
    machine: server-a
    Setup Windows 2012 R2 with user 'localadmin'
    Joined server-a to the domain
    "DEV\Domain Admins" was automatically added to the local Administrators group
    Login to server-a as "DEV\testadmin"
     - full local admin rights (because is member of "DEV\Domain Admins" - correct?)
    Login to server-a as "DEV\domainadmin"
     - does NOT have local admin rights yet is a member of "DEV\Domain Admins"
    Why does "DEV\domainadmin" not have the exact same local admin rights on server-a that "DEV\testadmin" does?
    Thanks,
    Mike

    I'm still having problems.
    This account is in the local Administrators group so they should have permission to do these things.  I've tried your work around but still no luck.
    User Account Control: Run all administrators in Admin Approval Mode
     - Enabled (Default) is set
    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
    - Elevate without prompting is set
    Machine rebooted
    UAC in Control Panel set to Never notify
    To clarify:
    User 'domainadmin' is a user created on the DC.
    Group 'Domain Admins' is a group created on the DC.
    'domainadmin' is a member of 'Domain Admins'
    'Domain Admins' is a member of the local Administrators group on SERVER-A
    So 'domainadmin' is in essence a member of the local Administrators group on SERVER-A.
    YET:
    When logged in to SERVER-A as 'domainadmin', from a command prompt:
    c:\del test.txt (a file created by 'localadmin')
    Access is denied.
    c:\iisreset
    Access denied,
    This user is a member of the local Administrators group - why can he not function as an Administrator?

  • Server Admin unable to connect to local server

    Hey all. I've been using SLS to serve a Promise RAID via NFS for a few weeks now, and it's been stable and smooth. I've had Server Admin open all that time so I could watch the network usage graph via ARD. Today, Server Admin can no longer connect to the local server. I've tried stopping and starting com.apple.servermgrd but it still cannot connect. Is my only option at this point a reboot?
    Has anyone else experienced this on SLS? I've always had stability issues with Server Admin in the past, but I'd been told the issues had been addressed in SLS. Could someone verify this? Thanks

    I should have been more clear. This is on an 8-core Intel XServe.
    I was able to use Server Admin locally on the machine for weeks. Now I can't. Nothing has changed or been altered on the machine during that period.
    I can not connect to the server via Server Admin remotely or locally. I can connect via SSH, ARD, etc. and the system is still serving NFS just fine, so it's just the process that handles communication with Server Admin that is non responsive.
    Something interesting from the syslog:
    qt1 servermgrd[44258]: servermgr_accounts: noteDirectorySearchPolicyChanged (reopening nodes)
    qt1 servermgrd[44258]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null) , error = Error Domain=com.apple.OpenDirectory Code=2000 UserInfo=0x1066a16c0 "Unable to open Directory node with name /LDAPv3/127.0.0.1."
    qt1 DirectoryService[31]: DirectoryService has 42000 internal references open (due to clients), warning limit is 2000.
    These lines repeated apprx. every 30 secs until I bounced the servermgrd. Now, I see that entry whenever I try to connect to the local server via Server Admin.
    Now, this system is not a LDAP server, but I understand OSXS still uses LDAP for local directory info... I've tried restarting the related directory services as well, but still no joy.
    It looks like my only recourse is a reboot, which is really not a great option for a dedicated file server. Am I the only one who has ever encountered this issue of Server Admin eventually losing contact with a server?

  • Can't login to local NON-admin accounts-Directory Access set to server

    I have a strange problem on a set of laptops that I cannot resolve and am hoping someone can help me.
    Here is the issue:
    I have a set of building laptops (PowerPC, OSX.4.11) that seemingly will not "search locally" in the authentication process. The logins seem to work fine for NETWORK logins to our Open Directory Master xserve, but these machines will not login to any LOCAL non-admin accounts. The local root and local admin account logins do, however, work fine. ?? The remainder of the building computers (Intel iMacs OSX.4.11) appear to have the exact same settings and login fine both locally and via the network home directories.
    I have tried the following:
    Deleted DirectoryService preferences folder (MacintoshHD-->Library-->Preferences->DirectoryService)
    Deleted the mcx cache in Directory Access
    Tried adding a new non-admin user to test (still will not login)
    Removed and re-created LDAP configuration (all set to custom)
    Tried setting the LDAP to the automatic settings ("Add DHCP-supplied LDAP servers to automatic search policies")
    Disabled all network connectivity (turned off Airport and disconnected the ethernet cable), still cannot login to local accounts
    Tried to bind in LDAP configuration (when I did bind the machine, it would no longer authenticate to the network authentication server, so I did an "unbind" and restarted and it went back to performing the network logins, but still will not login to local non-admin accounts).
    Reset passwords in System Prefs and also re-typed them in NetInfo Manager
    Deleted login keychains
    Deleted mcx.plist
    Reinstalled the OS from disk and local logins worked TEMPORARILY--UNTIL I set the LDAP directory access to authenticate to our server (which I also need for the network logins to work),then, the issue started again.
    *Same results with both ethernet and wireless connectivity enabled.
    *Note: I also manage these local accounts via WGM (installed on the local machine) and even tried disabling that and still no luck.
    Please help...I have spent hours and hours trying to find a solution and nothing seems to work! What am I missing??

    Mostly just a bump...
    How about that .local extension, or trailing / ?

  • Logging in to remote website admin redirects to localhost on local server!!

    This is definitely a new one for me. I have developed a Wordpress site locally then uploaded to the remote server. For some reason when I log in I am redirected to the localhost and the version installed locally in XAMPP. I have tried clearing the cache in Firefox but to no avail. When Apache and MySQL are turned off in the XAMPP panel, it still tries to redirect to the local server and I get the "Problem loading page" error.
    Also, strangely, when I turn off XAMPP the CSS for the site on the REMOTE server doesn't display! Any ideas short of deleting and starting over? I can't even get into the admin of the site to change the password.

    I made all the changes to the config.php file for the new database name, password and username and everything was running fine yesterday. I only noticed today that the CSS was broken when XAMPP was turned off. I may just reinstall the database, it will take less time than trying to figure it all out.

  • How long should it take a well-qualified server admin to migrate from Tiger to Lion...

    How long should it take a well-qualified server admin to migrate from Tiger to Lion...
    For a small company, if the Tiger server is running on a G4 Tower:
    -Roughly 500GB in user files
    -Data resides on old-school ATA drives
    -OD Master - Kerberized
    -AFP
    -Mobile Homes
    -DHCP
    -DNS (for 2 domains)
    -FTP
    -iChat
    -Mail (non SSL)
    -NetBoot
    -Print Server
    -SWUPD
    -VPN
    -Hosting website using MySQL
    -User & Computer Management
    Considerations/Hurdles/Challenges:
    -Tossing old G4 into garbage, upgrading Mini client to Snow Leopard, adding Lion iMac client to the LAN
    -Fresh OS installs on the Mini and iMac
    -Upgrading from CAT5 to CATE on the LAN (not in the walls - just loose cables)
    -All new hardware must be sourced out (take some time to price compare)
    -Must find a way to transfer data from ATA drives to SATA drives or Lion Server
    -Company must not have any email downtime (MX Records to be modified on DNS Providers site)
    -Servers hostname goes from "companyserver.company.com" to "server.company.com"
    -ISP blocks some SMTP ports
    -DNS Provider doesn't support TLS/SSL SMTP
    -Implementing a switch into the network
    -Implementing a new router (for firewall and NAT) from ISP
    Upgrading to Lion Mini Server
    -All the same services
    -Using SSL
    -Implementing Mobile Device Enrolment and Deployment
    That should just about cover it. I'll add any other details/hurdles as they come to mind.
    Can you guys give me your best guesstimate as to how many hours you think this job should take? I'd appreciate any feedback as to how long you guys think it'd take you to make this transition. I'm trying to plan, and we're going to be down-and-out, the boss NEEDS to know for how long!
    Thanks in advance guys!

    It's about a gigabyte, so if you have a slow connection, it might take some time.
    But - you shouldn't be getting the beach ball - that's a different thing.
    Can you do open Activity Monitor, or is it stuck completely?

  • Server Admin won't connect (not even locally)

    One of my customers' machine crashed and had to be rebooted (So they say). I was not on site at the time and someone else with a "bit of knowledge" fiddled with the machine and tried to resurrect it (instead of leaving it for me to sort it out). Ever since there is no access to the server via the Server Admin (no server found) although the server is running fine and people are working from it. The Workgroup Manager is operational, though no sharing access is possible, only user privileges can be modified. The syslog reports the following message:
    ----"Feb 21 06:54:13 XServe servermgrd: servermgr_dns: no hostname set and unable to detect via DNS, services may not function properly - use changeip to repair
    Feb 21 07:24:13 XServe servermgrd: servermgr_dns: no name available via DNS for 192.168.0.2"----
    Very strange. I can ping it, the IP is fixed anyway and I have access to the machine via ARD 3 no probs, but both server manager and server monitor fail to connect, even locally. Something somehow went wrong and I haven't got a clue. Rebooted the machine, done the usual things to no avail.
    Has anyone experienced something similar? Machine is on 10.4.8 and it's a dual G5 with one Gig RAM. I noticed that the activity monitor reports more than half the system memory as 'inactive', leaving precious little free mem. The system disk is 80 Gigs with 30 Gigs free.
    XServe G5 Dual - 2 GHz Mac OS X (10.4.8) 1 Gig RAM, ext. RAID

    Hi
    I had a similar situation on a server I was called in to have a look at after it was upgraded via software update from 10.4.2 to 10.4.8, the Open directory db went corrupt and the server administration tools would not work after that.
    In the end I had to ditch the open directory and rebuild the server from scratch as the other IT guy did not have a decent backup.
    Have you repaired permissions or tried Disk Warrior on the boot drive?
    The DNS thing is something that Apple has introduced in 10.4.8, many people are having the same error show in system.log, see the Network Services section under Mac OS X Server.
    Ed

  • "Server Admin" tool does not have proper listing of SMB Share directories

    I've been stuck on this one for a while and am looking for any thoughts/help on how to unstick things.
    BACKGROUND
    I have an SMB share that works (about 10 users banging on it). There are lots of subdirectories to this share and all is fine. The share location is /Users/myshare and I can browse to directories that have the effective path of:
    /Users/myshare/mydir1/subdir
    /Users/myshare/mydir1/subdir2
    PROBLEM
    The problem is that Server Admin simply has lost some of the "subdir" directories. It just doesn't think they exist anymore. Specifically, when going into the Server Admin SMB panel under Share Points, I can select my sharepoint and Browse the directory structure.....I might see myshare/mydir1/subdir2 and subdir3 and subdir5, but Server Admin just won't see "subdir1" or "subdir4".
    I have checked permissions, and "subdir1" and "subdir2" are identical. I have re-applied permissions and even run mdutil -E on the volume.
    Does anyone know any way to force Server Admin to re-index its listing of a sharepoint???
    Message was edited by: mizraith

    I ended up filing a formal bug through Apple on this one, as there was definitely an issue with something on the share and how permissions were propagating and Server Admin was pretty much worthless at browsing the share (and setting permissions).
    The solution was painful, but basically involved: (a) Cloning the internal server drive and booting off of that. (b) Booting off the external clone, then deleting the entire /Users directory on the original internal (c) cloning back to the internal drive (thereby replacing the /Users directory). Somehow this re-wrote permissions from scratch and fixed whatever corruption was stuck in the way.
