UAC - Standalone local user vs domain user

Hi,
I have an application that during first launch runs a regedit /s command to import some registry keys into the user's (HKCU) registry.
I have discovered if I run the application logged in as a local user (No admin privileges) with a machine that is not joined to the domain, I can launch the application. I can also launch regedit manually with no UAC prompt.
However if I join the machine to the domain and log in as a domain user (No admin privileges) then the application fails to launch due to a UAC prompt at the regedit /s stage and also trying to open regedit also results in a UAC prompt. Using the standalone local user on a domain joined PC also causes the UAC prompt to appear for both the application and directly launching regedit.
Is this by design - as in the joining of a PC to the domain changes how UAC works? As a test I have moved both the user and computer in AD to a test GPO which has no GPO's applied except the Default Domain policies which have no UAC settings in them?

Local group policy takes precedence over domain.
Group Policy processing and precedence
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
Previously your UAC prompt was not there, maybe because you have disabled UAC? Or did you run it logged in under local admin/built-in admin?
If UAC is not disabled/altered, the UAC prompt should appear for all users except the built-in administrator.
http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7
Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)

Similar Messages

  • XID - Replace Local User to Domain\User

    Hi All.
    We have to change the local SAPServiceXID user to the Domain\SAPServiceXID user.
    Both users are administrators in the Administrator Group.
    If we start the three central instances (Database, ABAP, Java) with the local user there is no problem.
    When we replace the local user with Domain\user and try to access http://Host:50000/rep --> The page cannot be displayed, but in SAP Manage Console the service is green, and from TCODE SMICM the Java stack is green too.
    any idea?
    Thanks & Regards
    RP.

    Hi Rodrigo,
    I think you will have more success if you post in the right Forum
    Expert Forums  » Database & OS Platforms  » 
    Regards,
    Sandro

  • How to know RAC 11g R2 is installed Using Local User or Domain User on Win

    We need to identify whether a local User or a domain User is Used to install 11g R2 Clusterware on Windows 2008.
    Here is background:
    Oracle 11g R2 RAC is configured on 2 windows 2008 servers.
    User "oracle" was used to install that RAC, but we don't know whether the local "oracle" user or the domain "oracle" user was used to install this RAC.
    The "oracle" user is present on both servers as a local user as well as a domain user.
    For security reasons we need to remove this local "oracle" user, but without knowing which user is the installation user for RAC we can't remove it, as this will disturb the whole RAC setup.
    Please suggest a solution ......

    Right click on any folder from oracle home -> Security (tab) -> Advance -> Owner.
    This will show you who owns this folder and that should be the user who did this installation. You may see 2 users where, one will be local administrator and second one will be the user who did installation.
    Salman

  • Domain user or local administrator permission

    We have a windows 2008 R2 domain environment with windows 7 clients. Users have domain user permission.
    Security wise domain user rights is the way to go. But we have a lot of users with notebooks, with multifunctional printers at home. We configured a GPO to install printers, but they can't run setup to install the printer/scan software.
    Also some notebook user need to install/upgrade work related software.
    I thought of making the users power users.
    Or local admin users, with UAC turned on. But we had issues with UAC turned on a year ago (can't remember what it was). I could also work with GPOs, Software Restriction Policies, AppLocker. But that's too much admin overhead. I'm looking for a solution that I and the users would benefit from. I'd like to know how other admins deal with this.
    Thanx

    Let me try to be clearer.
    At the office we don't have any issues with installing printer drivers. We have about 100 users with laptops that need to install the multifunctional printer software (not drivers) at home. For most of them, installing the printer driver is no problem, because of the printer GPOs we configured.
    "Allow non-administrators to install drivers for these device setup classes" and "Point and Print Restrictions" GPOs.
    So we don't have issues with domain users installing printer drivers, but most of them have multifunctional devices at home, all different brands (Canon, HP, Epson etc). As a domain user they don't have the permission to run the setup to install the scanner and printer software. They can only install the printer drivers, because of the GPO.
    This is one of the issues we have with domain user permissions. From a security perspective, domain user permission is the way to go, but it does have its challenges. I don't want to install all the different software for those users, and on the other hand they don't want to rely on the IT department for things they can do themselves.
    For installing printer/scanner software (not only drivers), the printer needs to be connected to the laptop. Users are not going to bring their multifunctional device to the office for me to install the software.
    So it's more the experience of other administrators I'm looking for, how to deal with giving users more permission to install or upgrade some software, but still have the feeling that IT department is in control of those laptops.
    Thanx

  • 10g install for a Win2000 domain user

    I loaded 10 on a standalone Win2000 laptop that is usually connected to an network in the office. The user has domain and local administrator privileges. The database (and DBConsole) works fine when the machine is not connected to the network. As soon as I connect to, and enable the network hardware, I get Oracle Error 28547 possible Net 8 error when using sqlplus. In addition DBconsole now thinks the database is shutdown and will not let me log in to start it up again. I turn off the network and all is fine again.
    Any ideas ???
    Thanks - Michael

    I got the perfect answer at - http://networkingstudy.net/index.php/networking/144-change-user-environment-variable-as-domain-user-in-windows.html
    There are many ways to change your environment variable as a user or domain user without prompting for an admin password.
    I really like that this article provides the answer step by step -
    http://networkingstudy.net/index.php/networking/144-change-user-environment-variable-as-domain-user-in-windows.html
    Rakesh Kumar

  • Difference between Domain\Domain Users and Everyone Group in SharePoint

    Hi,
    In SharePoint 2013, is Everyone Group an AD group ? Please help with details.
    Thanks
    srabon

    Hi All,
    Domain Users, Authenticated Users, or Everyone
    Domain Users
    The Domain Users is the only real group of the 3 listed above.  By that I mean you can add and remove members from this group.  Domain Users is a Global Group in the domain, and it can only contain users that are members of the same domain the Domain Users group resides in.  By default all users created in the domain are automatically members of this group.  However, the default Guest account in the domain is NOT a member of Domain Users, instead it is placed in the Domain Guest group.
    Because Domain Users is generally considered the most secure group of the three listed above.
    Authenticated Users
    Authenticated Users was first introduced in Windows NT 4.0 SP3.  This is a built-in group and cannot be modified.  The Authenticated Users group contains users who have authenticated to the domain or a domain that is trusted by the computer domain.  Authenticated Users contains all manually created user accounts in all trusted domains regardless of whether they are a member of the Domain Users group or not.  Authenticated Users specifically does not contain the built-in Guest account, but will contain other users created and added to Domain Guests. The Authenticated Users group also includes the local computer account (computername$) and the built-in SYSTEM account.
    Everyone group
    The Everyone group includes all members of the Domain Users, Authenticated Users group as well as the built-in Guest account, and several other built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc.  NULL session connections (aka anonymous logon) used to be included in this group but were removed in Windows 2003.  This is a built-in group that cannot be modified. Because the Everyone group contains the Guest account, and several other built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc., it is generally considered the least secure of the three groups.
    Short answer is there isn't much to worry about unless folks are logging in with a guest account or you have removed a bunch of folks from the Domain Users group.
    -Ivan

  • Why domain users account allowed to logon to servers directly?

    I'm using Windows Server 2008 R2 with ADDS.
    By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP. They should get the message:
    "You cannot log on because the logon method you are using is not allowed on this computer"
    I had checked the GPO, under the Computer Configuration -> Windows Setting -> Local Security Policy -> Local Policy -> User Rights Assignment -> Allow Log on Locally, here only contains:
    Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
    And, nothing set on the Deny Logon Locally.
    But, tested that, those accounts with just Domain User Group are able to logon to Server!?
    How or where should I check, to not allow normal user account to logon to server directly?
    Thank you.

    Hi,
    >>By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP.
    By default, standard domain user accounts can log onto workstations and member servers, and they can’t log onto domain controllers unless we allow them to do so via group policy.
    By default, standard domain user accounts can’t remote desktop onto other computers unless they have been added to Remote Desktop User groups of the computers.
    Regarding allowing log on locally, the following article can be referred to for more information.
    Allow log on locally
    http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx
    Regarding remote desktop user groups, the following article can be referred to for more information.
    Configure the Remote Desktop Users Group
    http://technet.microsoft.com/en-in/library/cc743161.aspx
    >>How or where should I check, to not allow normal user account to logon to server directly?
    We can utilize the group policy setting "Deny logon locally" to prevent users from locally logging onto the targeted computers.
    Regarding this setting, the following article can be referred to for more information.
    Deny logon locally
    http://technet.microsoft.com/en-us/library/cc957048.aspx
    Best regards,
    Frank Shen

  • Can we map three BPC users with single domain user

    Hi..
    When we map the three BPC users in the ABAP server in the program UJA3_WRITE_SYS_USERS with domain user,can we map with only one domain user for all three BPC users or we have to use three different domain users to map the three BPC users?
    Please do reply
    Thanks
    Bobby

    yep
    u can map three bpc user with single domain user.
    but domain user must have management roles.

  • BPC domain users

    While creating the BPC users, the domain users list is not appearing for selection from the office internal domain.
    This user list used to appear in development, but in the QA system the domain user list is not populating?
    Does it require some setup in dotnet or on some server so that domain user names become available while creating users?
    Appreciate inputs..

    You have to link the BPC user group in the server manager on the .NET server
    D

  • Difference between oem user and admin user

    Hi,
    For the SL500 robot,
    Does anybody know the difference between oem user and admin user?
    Does one of them have privileges over the other?
    Yigal

    Dear all,
    Thanks a lot for all of you.
    I have already set local user and domain user in "Logon as a batch job" security policy on my PC. So I can do jobs well if I set logon user that is a any local user in my PC. I can't do a job if I set logon user that is a domain user. So I don't know what it wrong?
    Should I add domain user in "Logon as a batch job" security policy on AD Server not in local PC's "Logon as a batch job" security policy?
    I don't have privilege to change policy on AD Server. And I have to make sure it will work if add my domain user in "Logon as a batch job" security policy on AD Server. So should I add policy on AD Server or just add in local PC.
    Any idea?
    Thanks and regards.

  • UAC allowing standard domain user to elevate without providing credentials

    I don't understand how this is occurring. We created a test user on our domain. Its only group membership is Domain Users. UAC is behaving quite different depending on which computer we test the account on.
    When I login to my computer with the test user, UAC prompts me to provide an administrator username/password whenever I try to run something that requires elevated rights (for example: IE "Run as Administrator", compmgmt.msc via right-clicking Computer and choosing "Manage", accessing another user's folder in c:\users)
    When I login using the same test user to my colleague's computer (which was imaged and deployed at the same time), any of the above examples will elevate with a simple click of "Yes" or "Continue" to the UAC prompt. UAC does not prompt for administrator credentials in this case and this standard Domain User account suddenly has local admin rights! How can this happen?

    Hi,
    Regarding the UAC issue mentioned, here are some suggestions:
    . Change the UAC settings to a higher mode;
    . Run gpupdate /force, then log off, then log on and check;
    . Check to see if any local UAC policies are configured;
    . Log on to the problematic computer with this test user and check the group membership;
    . Create a new domain user and recheck this issue.
    Best regards
    Michael Shao
    TechNet Community Support
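
Added example (not part of the thread or of the reply above): one way to carry out the "check local UAC policies" and "check the group membership" suggestions on both computers and compare the output. UAC asks a standard user for administrator credentials but asks a member of the local Administrators group only for consent, so the script reports the policy values, the group's members, and the state of the current logon token; the function names are hypothetical and the `whoami` column names assume an English-language Windows.

```powershell
# Added example: collect what decides the shape of a UAC prompt.
# Run it in the test user's session on each computer and compare the results.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueNames = 'EnableLUA',                  # 1 = UAC on
              'ConsentPromptBehaviorAdmin', # 0 = elevate silently, 1/3 = credentials, 2/4/5 = consent
              'ConsentPromptBehaviorUser',  # 0 = auto-deny, 1/3 = prompt for credentials
              'PromptOnSecureDesktop',
              'FilterAdministratorToken'

# Hypothetical helper: read the effective UAC policy values from the registry.
function Get-UacPolicy {
    $props  = Get-ItemProperty -Path $policyKey -ErrorAction Stop
    $result = [ordered]@{ Computer = $env:COMPUTERNAME }
    foreach ($name in $valueNames) {
        # An absent value means the operating system default applies.
        $p = $props.PSObject.Properties[$name]
        $result[$name] = if ($p) { $p.Value } else { '(not set)' }
    }
    [pscustomobject]$result
}

# Hypothetical helper: list direct members of the local Administrators group.
# A domain group in this list (for example Domain Users) makes every member
# of that group a local administrator on this computer.
function Get-LocalAdminMember {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

# Hypothetical helper: does the current logon token carry BUILTIN\Administrators
# (SID S-1-5-32-544), and is it filtered by UAC?
function Get-AdminTokenState {
    $row = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $row) {
        return 'Not in Administrators: UAC asks for administrator credentials'
    }
    if ($row.Attributes -match 'deny only') {
        return 'In Administrators, filtered token: UAC asks for consent only'
    }
    'In Administrators, token already elevated'
}

Get-UacPolicy | Format-List
'Members of local Administrators:'
Get-LocalAdminMember
"Token state for $(whoami): $(Get-AdminTokenState)"
```

If the token state differs between the two computers while the policy values match, the difference lies in local Administrators membership (direct or through a nested group) rather than in UAC configuration.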

  • "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

    I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
    1st Error (from administrative events):
    The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
    Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
    Tried so far:-
    - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
    2nd Error (from application server):
    DistributedCOM error
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {000C101C-0000-0000-C000-000000000046} and APPID {000C101C-0000-0000-C000-000000000046} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
    https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
    Other Fixes I tried
    - Found on another topic that it is not SharePoint that is causing the problem, but the generated ASP.NET web pages used for testing that are causing the memory to fill up due to caching in RAM; the fix suggested was to change IIS caching from RAM to HD to prevent loading up using w3wp.exe from processes.
    Concern
    - By checking other topics for people having the same problem, it was mentioned that this error appeared after the latest TFS update. Is there a fix for it?

    Hi Kpdn, 
    Thanks for your post.
    All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click
    HERE to participate the survey.

  • Domain users and local users can't login to reporting service web environment

    Hello,
    We installed reporting services at one of our customers but aren't able to use domain users to login. We've tried to login with a domain user, a local user but both aren't working. We set the proper permissions for the users on the reports folders.
    We can only login with the buildin/administrator account on the local url: http://servername/reports
    How can we allow login with domain users on other report manager url's?

    Below link may be helpful,
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/623da309-21fa-42a8-905f-1424144a347d/setting-up-a-user-in-ssrs?forum=sqlreportingservices
    Regards, RSingh

  • Adding a domain user to the admin role within the local user management breaks all metro apps for all users!!

    Hi,
    I have posted this in another large thread under the "Windows 8 General" group but have not had any appropriate feedback from MS.
    After hours of testing and working with other users I have managed to isolate a simple situation that breaks all metro ui applications within Windows 8 for all users on the machine. Here are my exact steps and notes.
    Before continuing, if you are running Avast then your solution may be to turn off the behaviour shield functionality as this also breaks metro apps. This is NOT the problem we are having!
    I have performed 3 cleans installs after isolating the problem and am able to reproduce the issue every time using the same steps on two different machines. 
    First thing to say is that for us it has nothing to do with simply joining the domain, domain/group policies nor does it appear to have anything to do with the software we installed, the problem here is much more simple but the result is pretty terrible.
    Here are my exact steps of what I did to reproduce our problem:
    Complete format of HDD in preparation for a clean install
    Clean install performed
    Set up the machine initially with a local account
    Test metro apps - all working fine
    Open control panel from the desktop, click on System, change the system to join the domain, click reboot
    Log into the system using my domain account
    Test metro apps - all working fine
    Here's where the problem starts. I need my domain account to have admin rights on the local machine so I can install programs without the IT men having to come over and enter their password every 5 mins.
    I go to control panel via the desktop and click on User Accounts. From within here I then click on "Manage User Accounts". This requires the IT guys to enter their details to give me access to such functionality. This is fine
    In the dialog box that opens I can only see the local user that was initially created during setup. The "Group" for this local account shows as "Administrators" - Image included below (important to note that metro apps are working at this point)
    I click add and then add my domain account - also giving it administrator access
    Sign off or reboot to ensure the new security is applied
    Sign back in to the domain account
    Test metro - ALL BROKEN
    Sign out
    Sign in as local account
    Test Metro - NOW ALL BROKEN FOR THIS USER ALSO
    So as soon as I add my domain account to the local user accounts and set it as admin it breaks all metro apps for all users. This is on a totally clean install with nothing at all installed other than the OS.
    Annoyingly, if I go back and change the domain account to a standard user or if I totally remove the domain account from the local account management system the problem does not go away for either user. Basically it is now permanently broken. The only fix I could fathom was a full reinstall and not giving the domain user admin access to the local machine.
    Screen one - this is the local user accounts window AFTER joining the domain and logging in with my domain account (All metro apps working at this point)
    Screen 2: User accounts AFTER joining the domain and AFTER adding domain account to local user management (METRO BROKEN)
    I have isolated my machine from all group policies so nothing like that is affecting me. Users I have spoken to in different companies have policies that automatically add users to the local user management. This means that metro apps break as soon as they join the domain which leads them to wrongly think it is group policies causing the error. Once they isolate themselves from this they can reproduce following my steps.
    Thanks

    Hi Juke,
    Thank you for the response and apologies for the delay in getting back to you. My machine was running a long task so I couldn't try your suggested solution.
    I had already tried running the registry merge suggested at the top of the thread to no avail. I had not tried deleting the OLE key totally so I did that and the problem still exists. I will post all the errors I see in event viewer below. For your info, since posting my initial comment I have sent out my steps to 7 different people and we can all reproduce the problem. This comes to 10 different machines (3 of them mine then the other guys) in 3 different businesses / domains. We see the same errors in event viewer.
    Under "Windows Logs" --> "Application" : I get two separate error events the first reads "Activation of app winstore_cw5n1h2txyewy!Windows.Store failed with error: The app didn't start. See the Microsoft-Windows-TWinUI/Operational log for additional information." The second arrives in the log about 15 seconds after the first and reads "App winstore_cw5n1h2txyewy!Windows.Store did not launch within its allotted time."
    Under "Windows Logs" --> "System" : I get one error that reads "The server Windows.Store did not register with DCOM within the required timeout."
    Under "Applications And Services Logs" --> "Microsoft" --> "Windows" --> "Apps" --> "Microsoft-Windows-TWinUI/Operational" : I get one error that reads "Activation of the app winstore_cw5n1h2txyewy!Windows.Store for the Windows.Launch contract failed with error: The app didn't start."
    If you require any further information just let me know and I will provide as much as I can.
    Thanks

  • Remotely add Domain User to local group

    I've been playing with this for some time, and I seem to be missing something.  I am trying to develop a script that reads an XML file containing a list of computers, local groups, and names of domain users (and computers) to be added to the local groups.  I would like to be able to run this from a management workstation.
    I've been working from these two posts.
    http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group.aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx
    It appears that the command $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators") only works locally.  I have not been able to figure out any format that allows me to get the information remotely.  So I figured I would use Invoke-Command to execute the two lines of code remotely.
    Invoke-Command -ComputerName RemoteServer {
        $de = [ADSI]"WinNT://RemoteServer/Administrators,Group"
        $de.psbase.invoke("Add",([ADSI]"WinNT://Domain/User").path)
    }
    (I am trying it first with fixed, valid values - change to variables when I get things figured out.)  That gave me the error:
    Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number."
    +CategoryInfo :NotSpecified: (:) [], MethodInvocationException
    +FullyQualifiedErrorID :DotNetMethodTargetInvocation
    +PSComputerName :RemoteServer
    I need help on what to try next.
    Thanks.
    . : | : . : | : . tim

    The ADSI commands work remotely as long as you are an administrator on the domain.
    Invoke-Command only works on systems set up for WinRM remoting and if you are an Administrator on the domain.
    Normally we would use AD and GP to add users to local groups.
    Your script is also incorrect.  This is the correct template.
    $remotepc='somepc'
    $de=[ADSI]"WinNT://$remotepc/Administrators,Group"
    $de.Add("WinNT://Domain/User")
    You should never add the user to the admin group.  It is a formula for disaster.
    ¯\_(ツ)_/¯
