UAC allowing standard domain user to elevate without providing credentials

I don't understand how this is occurring. We created a test user on our domain. Its only group membership is Domain Users. UAC is behaving quite different depending on which computer we test the account on.
When I login to my computer with the test user, UAC prompts me to provide an administrator username/password whenever I try to run something that requires elevated rights (for example: IE "Run as Administrator", compmgmt.msc via right-clicking
Computer and choosing "Manage", accessing another user's folder in c:\users)
When I login using the same test user to my colleague's computer (which was imaged and deployed at the same time), any of the above examples will elevate with a simple click of "Yes" or "Continue" to the UAC prompt. UAC does not prompt
for administrator credentials in this case and this standard Domain User account suddenly has local admin rights! How can this happen?

Hi,
Regarding the UAC issue mentioned, here are some suggestions:
. Change the UAC settings to a higher mode;
. Run gpupdate /force, then log off, then log on and check;
. Check to see if any
local UAC policies configured;
. Log on the Problematic computer with this test user and check the group membership;
. Create a new domain user and recheck this issue.
Best regards
Michael Shao
TechNet Community Support

Similar Messages

Find out who has given local administrator rights to standard domain user?

In my Organization i have faced problems with domain administrator, it seem that all of a sudden a standard domain user is having Local administrator rights. Can anyone please help me how to find out who has given local administrator rights to that standard
domain user account?

Hi,
Based on your requirement, you need to enable the auditing in your Active Directory to identify the user/ group changes and WHO made the change etc.
Checkout the below steps to enable auditing for AD User Changes,
1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
2. Right click the Default Domain Controllers Policy, and then click Edit.
3. Navigate to Audit Policy node, “Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Local Policies/ Audit Policy”.
4. Now enable the Success auditing for - Audit Account Management and Audit Directory Service Access.
5. Execute the command “GPUPDATE /FORCE” in the Domain Controller to force apply the GPO settings.
For Windows Server 2008 R2 and later versions, additional configuration is required in “Advanced Audit Policy Configuration” section in Default Domain Controller Policy.
1. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access.)
Enable Success auditing for the following settings
- Audit Directory Service Changes
2. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management.)
Enable Success auditing for the following settings
- Audit User Account Management
After completing the audit settings, configure SACL in Active Directory Users and Computers console for enabling the geneartion of AD Change events in the eventlog as shown below,
Checkout the below KB article on complete list on Event ID and Description for AD Changes,
http://support.microsoft.com/kb/947226/en-us
Regards,
Gopi
JiJi Technologies

Allow Domain Users to install without password prompt

When accounts that are members of Domain Users want to install or remove a program from the computer, UAC prompts for administrator password. Is there a way through GPO default domain policy to allow people to install and remove programs if they like? Also, maybe restrict certain software to NOT be removed?

Hi Wizzler, if you at school or big organization that is there one or two image that you deploy to your clients I may have a solution for you, let me explain what Im doing in my organization which is at school, Im using deploy studio where I have 5 different
windows image and deploying them through Deploy studio but go back to the point before I captured image on the windows 7 of course computer is not joined to the domain you have to open computer mangment/ users and groups/ groups/ administrators and then there
just add Everyone that you ready for taking this image ( capturing ) and then deploying to the client computers and all of them have access to install all software and updated what they need with out prompting them for a password, but this need to be done
before computer is joined to the domain, for me is working fine, tested, students and teacher even if then know what is a server name there is no way for them to access it.
If you go with solution below then everybody can access your servers. I hope I was helpful :)

Allowing the domain users Group to SCCM 2012 Remote Control

Hi There,
been working on this issue for the last few days now and its frustrating the crap out of me. My company has requested for all Domain users to be allowed to Remote Control to everyone's computer. This is so that users will be able to show each other how to
use in house application. In SCCM 2012 console, I've added the Domain users to the Premitted viewer tab. I've also added the domain user group to the administrative user section, added the Remote operator role and assigned the
ALL security scope to it. On another machine, i run the CMRCviewer to this machine and it prompts for username advising me the one i provided isn't authorized. when i check on the targeted machine, i can see domain users populated in the ConfigMgr
remote control user group
It seems only domain admins have rights to Remote control in. i've only got one client setting defined (default policy).
the interesting thing is the following layout
WINDOWS XP ---> WINDOWS 7 prompts for username
WINDOWS 7 -----> WINDOWS XP works
WINDOWS XP -----> WINDOWS XP works
WINDOWS 7 ------> WINDOWS 7 prompts for username

Hi Dave,
1) yes domain users is part of the configMgr remote control users". CMRCSERVICE.log shows the following
=== Starting security handshake ===
CmRcService
11/03/2013 10:44:29 AM
4808 (0x12C8)
HandshakeWorker failed..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Security filter server: DoHandshake failed..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
m_pSecFilter DoHandshake() failed. CmRcService
11/03/2013 10:44:29 AM 4808 (0x12C8)
DoHandshake failed on server side.
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to do Handshake in Server.
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to create security context.. Security Handshake failed.
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to validate Security requirement..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
Failed to complete the RDP connection..
The logon attempt failed (Error: 8009030C; Source: Windows)
CmRcService 11/03/2013 10:44:29 AM
4808 (0x12C8)
i've confirmed this user is part of domain users as well.

How to allow non domain users to map to print drivers?

Greetings,
We have a Windows Server 2008 (non R2) 32 bit server that acts as print server. It's also on a domain. Users who are on the domain can easily add the print driver simply by going to device and printers and clicking Add Printer and selecting Network since
I list it in the AD.
The problem arise with well over 100 realtors that walk in and out and need to print. These users are not on the domain. They need to have the print drivers on their computers. I'm hoping we can at least get them to map to the drivers as opposed to unending
local installs.
The management does not want to hear about security, and wants the simplest possible way for their realtors to get up and printing from their computers when they arrive to the office.
Any advice is welcomed.
Thank you!

In the end they got a domain user account that they share to add printers...
Thanks for sharing in the forum. Your time and efforts are highly appreciated.
Best regards,
Justin Gu
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

How could I allow selected Domain users or Computers to install programs and not be asked for Admin credentials.

We have a handfull of Laptops in the company. They are all joined to our
Domain. The default domain policy keeps these non-adminstrators from installing
software without prodiving the administrator credentials for the domain. We have a
few users that we would let install programs but would prefer not to make administrators.
I have been all over the place searching for solutions. Is there an actual field to allow this
in Group Policy? All the suggestions I have seen have dead-ended on me....Any thoughts.
Server is Windows 2003R2 and clients are all WIndows 7 Pro. Again, at this point I would like
to be able to allow specified computers this right.

Based on what I have found Power Users group has no added user rights in Windows 7:
From http://technet.microsoft.com/en-us/library/cc771990.aspx:
By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system
tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present
in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.
So despite the caution it does not seem like an option. As for Publishing Software, if the user needs to install something "on the fly" that will not work. I guess i could just add to the administrator group as needed in order to install programs then
remove. Now the user is remote operationg on cached credentials. Would then not need to come to the domain and log in locally in order to update their security tokens.

Dreamweaver CS6 error "out of memory" as standard domain user; works fine as admin level user

i have a recent issue come up: a Dreamweaver CS6 user has started getting an out of memory error as he uses the app. when i login as local admin level user, there are no problems. its a Windows 7 64bit domain client user, so wont have local admin rights.
anyone come across this please.
Danny Jacobs
UBM
London office

This page might help:
http://support.microsoft.com/kb/947246
I would spend some time on the Microsoft site to find the exact error you're seeing. W7 is known for its permissions issues.
If you don't have full rights to the machine, you'll want to bring up the problem with your IT guy/gal.

Why domain users account allowed to logon to servers directly?

I'm using Windows Server 2008 R2 with ADDS.
By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP. They should get the message:
"You cannot log on because the logon method you are using is not allowed on this computer"
I had checked the GPO, under the Computer Configuration -> Windows Setting -> Local Security Policy -> Local Policy -> User Rights Assignment -> Allow Log on Locally, here only contains:
Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
And, nothing set on the Deny Logon Locally.
But, tested that, those accounts with just Domain User Group are able to logon to Server!?
How or where should I check, to not allow normal user account to logon to server directly?
Thank you.

Hi,
>>By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP.
By default, standard domain user accounts can log onto workstations and member servers, and they can’t log onto domain controllers unless we allow them to do so via group
policy.
By default, standard domain user accounts can’t remote desktop onto other computers unless they have been added to Remote Desktop User groups of the computers.
Regarding allowing log on locally, the following article can be referred to for more information.
Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx
Regarding remote desktop user groups, the following article can be referred to for more information.
Configure the Remote Desktop Users Group
http://technet.microsoft.com/en-in/library/cc743161.aspx
>>How or where should I check, to not allow normal user account to logon to server directly?
We can utilize group policy setting
Deny logon locally to prevent users from locally logging onto the targeted computers.
Regarding this setting, the following article can be referred to for more information.
Deny logon locally
http://technet.microsoft.com/en-us/library/cc957048.aspx
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen

BSOD when starting MSMQ service as domain user Windows server 2012

Hi
We have a problem with a server getting BSOD when we start a service related to MSMQ. We get the attempted execute of noexecute memory BSOD whenever we start the service as a User on the domain. When we start the service as a system local it starts without
problem. I got the crashdump here:
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\170\120314-11828-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 9200.16912.amd64fre.win8_gdr.140502-1507
Machine Name:
Kernel base = 0xfffff800`48476000 PsLoadedModuleList = 0xfffff800`48742aa0
Debug session time: Wed Dec 3 14:41:01.892 2014 (UTC + 1:00)
System Uptime: 0 days 0:04:09.904
Loading Kernel Symbols
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
Loading User Symbols
Loading unloaded module list
* Bugcheck Analysis *
Use !analyze -v to get detailed debugging information.
BugCheck FC, {7f982e340e0, 791000010fdb1025, fffff8800485a5e0, 80000005}
Probably caused by : mqac.sys ( mqac!ACCreateQueue+a77 )
Followup: MachineOwner
1: kd> !analyze -v
* Bugcheck Analysis *
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
An attempt was made to execute non-executable memory. The guilty driver
is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 000007f982e340e0, Virtual address for the attempted execute.
Arg2: 791000010fdb1025, PTE contents.
Arg3: fffff8800485a5e0, (reserved)
Arg4: 0000000080000005, (reserved)
Debugging Details:
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER
BUGCHECK_STR: 0xFC
PROCESS_NAME: mqsvc.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
TRAP_FRAME: fffff8800485a5e0 -- (.trap 0xfffff8800485a5e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000007f982e0c950 rbx=0000000000000000 rcx=0000005dff1fecd0
rdx=0000005dff34e988 rsi=0000000000000000 rdi=0000000000000000
rip=000007f982e340e0 rsp=fffff8800485a778 rbp=fffff8800485ab80
r8=fffffa800e623980 r9=0000000000000521 r10=fffffa800ec547a0
r11=0000000000000006 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
000007f9`82e340e0 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80048661ef1 to fffff800484d0540
STACK_TEXT:
fffff880`0485a408 fffff800`48661ef1 : 00000000`000000fc 000007f9`82e340e0 79100001`0fdb1025 fffff880`0485a5e0 : nt!KeBugCheckEx
fffff880`0485a410 fffff800`48588980 : fffff880`0485a5e0 ffffd8e9`9e6056e2 fffffa80`0ec547a0 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x33f2d
fffff880`0485a450 fffff800`4850aabd : fffff880`0485a500 00000000`c0000016 fffffa80`0e603b00 fffffa80`0e623980 : nt! ?? ::FNODOBFM::`string'+0x33e85
fffff880`0485a4a0 fffff800`484cdfee : 00000000`00000008 00000000`00000000 00000000`00000000 fffff880`0485a5e0 : nt!MmAccessFault+0x3ed
fffff880`0485a5e0 000007f9`82e340e0 : fffff880`00dc5297 fffffa80`0ec54770 00000000`00000000 fffff8a0`011ce7c0 : nt!KiPageFault+0x16e
fffff880`0485a778 fffff880`00dc5297 : fffffa80`0ec54770 00000000`00000000 fffff8a0`011ce7c0 fffff980`00000000 : 0x000007f9`82e340e0
fffff880`0485a780 fffff880`00dc60d7 : 00000000`00000000 0000005d`ff34e988 00000000`00000000 00000000`00000000 : mqac!ACCreateQueue+0xa77
fffff880`0485a7f0 fffff800`488ab127 : fffffa80`0e5ed520 fffffa80`0d50ecf0 00000000`00000521 00000000`00000000 : mqac!ACDeviceControl+0x62b
fffff880`0485a890 fffff800`488c02f6 : 00000000`00000000 fffff8a0`00000080 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7e5
fffff880`0485aa20 fffff800`484cf553 : 00000000`00000000 00000000`0000000c fffff6fb`7dbed078 fffff6fb`7da0ff30 : nt!NtDeviceIoControlFile+0x56
fffff880`0485aa90 000007f9`8a702c1a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
0000005d`ff34e928 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x000007f9`8a702c1a
STACK_COMMAND: kb
FOLLOWUP_IP:
mqac!ACCreateQueue+a77
fffff880`00dc5297 85c0 test eax,eax
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: mqac!ACCreateQueue+a77
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mqac
IMAGE_NAME: mqac.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5010abc2
IMAGE_VERSION: 6.2.9200.16384
BUCKET_ID_FUNC_OFFSET: a77
FAILURE_BUCKET_ID: 0xFC_mqac!ACCreateQueue
BUCKET_ID: 0xFC_mqac!ACCreateQueue
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xfc_mqac!accreatequeue
FAILURE_ID_HASH: {d1daca31-6256-358c-65b5-69af54392880}
Followup: MachineOwner

Hi,
For BugCheck FC, it indicates that an attempt was made to execute non-executable memory. For more details,
please refer to following article.
Bug Check 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
à
whenever we start the service as a User on the domain
. When we start the service as a system local it starts without problem
Did you mean that just use a standard domain user account to start the service, then encounter the issue? If
configure Log on as Local System account, will no BSOD issue occurred? Just a confirmation, thanks for your understanding.
Please check if you install all necessary Windows Updates on the server.
In addition, as you know, troubleshoot this kind of kernel crash issue, we need to analyze the crash dump file to narrow down the root cause of the issue. However, it is
not effective for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request, please refer to the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope this helps.
Best regards,
Justin Gu

Standard Domain Accounts don't work with Windows 8.1 Pro

I have AD running on Server 2012 with Windows 7 systems. I recently purchased a few Windows 8.1 laptops that I connected to the domain. They are fully updated to the latest windows 8.1 version, and all security updates are installed.
When I log in as an domain administrator user, then I can log in. No problems.
However, when I log in as a standard domain user, it signs me off immediately. It says 'Welcome' .... 2 seconds pass... 'Signing Out' and I'm back to the login page. I tried this with Windows 8 systems, and it works but as soon as it is updated
to Windows 8.1, I start having this problem.
Event Viewer does show some errors when a standard domain user logs in.
9009 - Desktop Window Manager - The desktop window manager has exited with code 0xd00002fe
Then,
4006 - WinLogin - The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:\Windows\System32\userinit.exe
1542 - User Profile Service - Windows cannot load classes registry file. Detail - The system cannot find the file specified.
I installed Windows 8 Pro using the Dell CD that came with the laptop. I updated to Windows 8.1 using windows store, and then windows update for the latest windows 8.1 update.
I have searched these forums, and made sure that winlogon executable is correct. I have recreated the user profile. I have tried multiple accounts and while they work on Windows 7, and windows 8, they fail on all windows 8.1 laptops.
Please assist. Thank you

Hi,
Try to run the two commands in command prompt:
Net localgroup Users Interactive /add
Net localgroup Users "Authenticated Users" /add
Then what’s the result?
Alex Zhao
TechNet Community Support

Java Won't Work As Domain User

Hi guys and gals,
Was just wondering if anyone else had seen something similar to this, I have JRE 6 Update 13 been deployed from the server (as I have at another school with no problems) however when I got to a webiste that uses a java applet as a domain user (besides the domain admin user which works fine) the applet refuses to load and when I check the console I get the following jibberish:
Java Plug-in 1.6.0_13
Using JRE version 1.6.0_13 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\javatest
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
load: class JavaVersionDisplayApplet.class not found.
java.lang.ClassNotFoundException: JavaVersionDisplayApplet.class
at sun.plugin2.applet.Applet2ClassLoader.findClass(Un known Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unk nown Source)
at sun.plugin2.applet.Plugin2Manager.createApplet(Unk nown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionR unnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.net.NetworkClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConn...Client(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConn...onnect(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConn...onnect(Unknown Source)
at sun.net.http://www.protocol.http.HttpURLConn...Stream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.getBytes(Unk nown Source)
at sun.plugin2.applet.Applet2ClassLoader.access$000(U nknown Source)
at sun.plugin2.applet.Applet2ClassLoader$1.run(Unknow n Source)
at java.security.AccessController.doPrivileged(Native Method)
... 7 more
Exception: java.lang.ClassNotFoundException: JavaVersionDisplayApplet.class
Local users work and I have even tried giving a standard domain user both local and domain admin rights as a test to see if that would work but sadly not.
Please has anyone seen this before as I am completely stumped now, I have been through all group policies on the server and can't find anything that would interfere with java in such a way
I have even tried removing the deploy policy for java, uninstalling it, running ccleaner reg fixes and then installing it straight from the website with no luck
Thanks in advance for any help offered,
Adrian

I have the same issue. We have important print production software that depends on Java running in a browser and it has stopped working with 10.5
This means that I cannot deploy 10.5 in a print production environment.
All our web traffic goes through our IIS proxy, and when accessing a Java site I get prompted for an NTLM password. It does not accept any valid passwords, but just re-prompts over and over. The same version of Safari on 10.4.11 works fine with Java as long as all the updates are loaded.
Proxy access in Mac OS X is continually an issue for us, as the current version of Safari cannot access any https sites through our proxy either. I've been forced to install Firefox for users who need access to https sites (which is almost all of them).
We've had issues with our IIS proxy on and off since way back at 10.3 where proxy support would go between working and not working with various patches. This, coupled with the fact that NTLM authentication is much more intrusive on Mac OS (with constant prompting and hassles with the keychain) than on Windows, causes major support headaches for us. I've tried various workarounds with using Authoxy and Squidman, and various keychain settings, but I'd prefer it if the system's built-in IIS proxy support would work better.
It's very frustrating because our IIS proxy has not been significantly changed in over 5 years, but our Macs go from working to not working continually as patches are released. Very poor.
I would love for this to be looked at at Apple, as Mac OS's own proxy panel does not even have as simple an option as "use this proxy server for all protocols" as found in IE on Windows or Firefox on all platforms. This means separate entries in the keychain for all protocols and a huge mess to support.

Cannot delegate Reporting Services Web access to domain user / group, User does not have required permissions

Hi
I have an SCCM 2012 SP1 CU3 installation on a Server 2008 R2 + SQL 2008 R2.
I'm having trouble delegating Reporting Services Web Access to a standard domain user.
I have followed the instructions from these blogs:
http://blog.coretech.dk/kea/creating-the-reporting-user-role-in-configmgr-2012/
http://www.wolffhaven45.com/blog/sccm/assigning-users-to-configmgr-reportusers-group-in-sccm-2012/
No matter how I try, I cannot get the reports to show for a standard domain user. In the console no reports are showing and in the web access I get
"User domain\user does not have required permissions........"
The only thing that is consistenly working when I test is to put the AD Group on the Security Role "Full Administrator".
Then everything will show up.
Any ideas on how to troubleshoot this?

Thanks everyone for helping me with tips. I have now solved the problem. It was the permissions from SCCM that did not replicate to the Reporting Server.
In srsrp.log I got these error messages:
Could not retrieve the reporting service name for instance 'MSSQLSERVER'
Invalid class
Could not stop the reporting serviceAfter googling a litte I found these 2 sites with similiar problems:http://social.technet.microsoft.com/Forums/en-US/d4a7f93a-506f-4e3f-b5fc-bd2b087277da/ssrs-permissions-do-not-add?forum=configmanagergeneral
http://www.microtom.net/microsoft-system-center/software-distribution/sccm-2012-reporting-services-do-not-install
So I ran the command for SQL 2008 R2: mofcomp.exe C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqlmgmproviderxpsp2up.mof
and BAAM, everything started to work =)
/ALX

In Adobe Acrobat X Standard, our user used to be able to resize drawings to 8.5 x 10, it stopped working yesterday. It allows her to do this without an error but the size does not change?

In Adobe Acrobat X Standard, our user used to be able to resize drawings to 8.5 x 10, it stopped working yesterday. It allows her to do this without an error but the size does not change?

Try unmounting the volume on your iMac using Disk Utility. Then mount it again. You may need to reboot the laptop or relaunch its Finder process (using the Force Quit window) after remounting the drive on your iMac. Remember that no process may be accessing any files on the drive you plan to unmount, or the unmount will fail. Unmounting and remounting an external drive on my iMac made it become visible on my MacBook Pro after it had disappeared.

The domain users without administrative permission cannot install printers shared on printer server

Dears
We have a printer server that OS is Windows server 2003 .And all clinets are installed windows 7.Now,the domain users cannot installed printers shared on the printer server.When i logon the clinent computer with a domain user and access printer server by
URL \\192.168.37.1 ,i can see all printers shared on the printer server.Then i double click on printer to install it on client computer.It will ask me to input user name and password of local administrator .
How to install the printers with domain user directly. Thanks

refer step #8:
http://blogs.msdn.com/b/7/archive/2011/07/11/allowing-standard-users-to-install-network-printers-on-windows-7-without-prompting-for-administrative-credentials.aspx
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

Enable and Disabling the Network Adapter with domain user (Standard User)

Hi Guys.
We setup a active directory in our organization. Added client systems(Windows 7 and Windows 8) to the Domain. Domain users are accessing the system with standard users permission. I don't want to give Administrator permissions. But user should able
to Disable and Enable network Adapter without giving the administrator permissions. Please suggest .
Thanks in advance for the help :)

Hi,
According to your description, my understanding is that you want the standard user has the permission to disable/enable network adapter.
I recommend you to implement this function by group policy:
User configuration - Administrative Templates – Network - Network connections
Enable this policy:
Ability to enable/disable a LAN Connection
Besides, you may consider of joining users to Network Configuration Operators Group, detailed information you may reference:
A Description of the Network Configuration Operators Group
http://support.microsoft.com/en-us/kb/297938
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

UAC allowing standard domain user to elevate without providing credentials

Similar Messages

Maybe you are looking for