User blogs using non-OD accounts
I'm attempting to deploy user blogs but all my users are currently in an external LDAP. I've been able to get authentication working so that an LDAP account can login, create a blog, and act as the owner. But any other LDAP user can login and post to the blog. The other users aren't owners, or at least they can't change any of the blog settings.
If I create an OD user and a new blog then only the OD user can post to it.
So has anyone else run into this breakdown in permissions?
Thanks,
Derek
The username section can get populated from the users that do exist on the controller.
The second issue doesn't make much sense, you may want to open a TAC SR to investigate this further.
Similar Messages
-
Monitor standby database via OEM using non-sysdba account
Hi,
Is it at all possible to monitor a standby database via grid control using non-sysdba account so that targets are seen as up (green arrows visible etc)
We audit sys operations and as the SYS user is the account that currently monitors the standby we are seeing our audit file dest fill too quickly. We need to keep auditing on though.
I would like to do this using dbsnmp, though are there any roles or specific privs that need to be granted to do this? So far I am unable to do this.
Would welcome any advice on this one.
Thanks,
firefly.
Thanks for reply robert.
we are using active for one standby but not using active for 2 other standby db's.
I just wondered what the SYSDBA priv used (what actual priv etc) to be able to monitor standby dbs effectively, whereas non-SYSDBA accounts are unable to.
Thanks,
firefly -
Hey and thanks for checking out the thread.
I am wondering if it is possible to have users use a generic account at the same time without any sort of screen sharing.
I have set up a generic user account (for example useraccount, password 1234) for users to use in the time before I can set up a custom user name for them. However, I have run into some issues with this.
When multiple users log on using this generic account, their applications seem to be shared on each screen. In the room with multiple Mac workstations, if someone starts working on Photoshop, Photoshop will open on everyone else's screen who is logged on under that generic account.
Is it possible for users to log on using a generic network account and have their own isolated work environment or is this sort of sharing a feature? I am new to Mac servers and am not sure.
Thanks for reading the thread.
That shared-account approach seems impractical for the various reasons you've identified, as well as the inevitable issue of cleaning up the detritus that'll inevitably build up in a shared account, and for the lack of accountability for activities occurring under the shared account for both auditing and security, and sharing directories would tend to introduce obscure conflicts around which-file-version-wins file updates when the same file is used in several places, and would probably be contrary to any per-user application software licensing agreements that might be involved.
Put another way, get unique accounts created for folks, and work toward the ability to create accounts for arriving folks, and — if it's applicable here — talk to management about getting any per-user software licensing issues sorted out, whether that's having spare copies purchased and ahead or some advanced notice on accounts, or establishing group software licensing where that's available.
AFAIK, there are tools around which can automate account creation, too. Either generic, a tool such as Passenger, or it's certainly feasible to script the account creation sequence.
Trying this shared-access generic-account approach just looks like it can create more work and more hassles and more effort to me... -
A user whose device had been recently restored to a different institutional backup, noticed her personal account apps were no longer on the device.
Here's how to do it.
1. App Store, iTunes Store should have the same AppleID on Computer and iPhones. (Free to share apps, music and books... )
2. Person A uses the same purchasing account for everything (ie. email, contacts and ...).
3. Person B has the same purchase account, see no. 1 (for App Store and iTunes Store), but creates a second AppleID for iCal, e-mail, contacts and etc. -
Powershell script for when user last used their AD account to login or unlock a computer.
I want to create a method for determining when a user's account would expire after 35 days of inactivity.
The issue would be not when they last logged on, as many of our users just lock their machines, but when they last logged on or unlocked any computer in the domain.
I am thinking a combination of last logon with a session unlock parameter.
In the system logs:
Event viewer id for logon unlock is 7.
SessionSwitchEventArg - SessionSwitchReason is SessionUnlock.
Is this feasible?
dsget user -inactive 30
Don't reinvent the wheel.
http://technet.microsoft.com/en-us/library/cc725702.aspx
¯\_(ツ)_/¯ -
Access to Resources via Non-admin accounts
Is there any way to provide access to resources so that they are accessible via
non-admin accounts. For e.g. to Retrieve my JMSConnectionfactory i do a
Environment env = new Environment();
env.setProviderUrl(url);
env.setSecurityPrincipal(username);
env.setSecurityCredentials(password);
Context ctx = env.getInitialContext();
The username and password here is the admin account. This works fine but if i
use a non-admin account(member of Operators group), i get exceptions on Domainloghandler
runtime
Problem: I need to register a mbean that needs to access JMS Resources. Since
our deployment team doesnt want to provide us access to admin accounts, we use
a "operators" group account to register our mbeans. if i do this, i get a
Access not Allowed for subject:principals=[operator, Operators], on ResourceType:
DomainLogHandlerRuntime Action: execute Target: registerToMe.
This happens when my managed resource tries to access a JMS ConnectionFactory.
Instead if i register my mbeans using the admin account, everything is fine and
my managed resource works nice.
This is on weblogic 81 SP1 on Solaris. Please let me know if you need more details.
Any clues/hints/solutions greatly appreciated. There is not a lot of documentation
on how to access/register mbeans using non-admin accounts.
TIA
Raj
I have done some more debugging on this and have narrowed down the issue to the
location where my initialcontext is being obtained.
so if i register my mbean as a non-admin account and do an operation on the managed
resource which fetches initial context, i get the below exception. This is how
i get my initialcontext
weblogic.jndi.Environment env = new weblogic.jndi.Environment();
env.setProviderURL("t3://machine:8102,machine:8103");
env.setSecurityPrincipal("operator");
env.setSecurityCredentials("operator");
Context ctx = env.getInitialContext();
I am doing this from a mbean thats registered on a different managed server(t3://machine:8101)...
Whats wrong with this?
TIA
Raj
"Raj" <[email protected]> wrote:
>
Is there any way to provide access to resources so that they are accessible
via
non-admin accounts. For e.g. to Retrieve my JMSConnectionfactory i do
a
Environment env = new Environment();
env.setProviderUrl(url);
env.setSecurityPrincipal(username);
env.setSecurityCredentials(password);
Context ctx = env.getInitialContext();
The username and password here is the admin account. This works fine
but if i
use a non-admin account(member of Operators group), i get exceptions
on Domainloghandler
runtime
Problem: I need to register a mbean that needs to access JMS Resources.
Since
our deployment team doesnt want to provide us access to admin accounts,
we use
a "operators" group account to register our mbeans. if i do this, i get
a
Access not Allowed for subject:principals=[operator, Operators], on ResourceType:
DomainLogHandlerRuntime Action: execute Target: registerToMe.
This happens when my managed resource tries to access a JMS ConnectionFactory.
Instead if i register my mbeans using the admin account, everything is
fine and
my managed resource works nice.
This is on weblogic 81 SP1 on Solaris. Please let me know if you need
more details.
Any clues/hints/solutions greatly appreciated. There is not a lot of
documentation
on how to access/register mbeans using non-admin accounts.
TIA
Raj -
When I use the "dsmgmt" command to add a user to the local administrators account of a RODC I can actually see the user when I use the "Show Role Administrators" parameter. However, I can't see the members of the group added to the "Managed By" tab of the RODC object in AD. Even though, the users added using "dsmgmt" and by the "Managed By" tab can all log in locally and have admin rights to the RODC. Are there any differences between these two ways of adding users to the local administrators account?
Hi,
For groups, managedBy is an administrative convenience to designate “group admins”. Whatever principal listed in managedBy gets permission to update a group’s membership (the actual security is updated on the group’s AD object to allow this).
In Win2008 and later managedBy also became the way you delegated local administration on an RODC, allowing branch admins to install patches, manage shares, etc. (http://technet.microsoft.com/en-us/library/cc755310(WS.10).aspx).
On the RODC, this is updating the RepairAdmin registry value within RODCRoles.
So the difference between them should be only the way they do the same thing.
For more details, please refer to the below article:
http://blogs.technet.com/b/askds/archive/2011/06/24/friday-mail-sack-wahoo-edition.aspx
-
Write errors when using non-administrator shared accounts
Dear all,
we're experiencing an apparently weird issue with our Xserve machines. The entire setup comprises of 4 Xserve, all of them running Lion Server, connected together and to the network of our institution through an Ethernet switch.
I've set up an OpenDirectory master on one of these servers and created several shared user accounts for the various people working here (the /Users folder is hosted on that machine and shared across the other three). Users can access any of these machines via VNC.
A few days ago a guy reported to me that he was getting random write errors when attempting to perform basic operations on his shared user folder (e.g., unzipping a file or running a software which write data on the disk). I had a look into it and found that the guy was right. When attempting to extract a zip archive (which, I'm absolutely confident, is a non-corrupted .zip file) from the Terminal - using his account - a few errors came out, like:
error: cannot create pybrain-pybrain-87c7ac3/pybrain/auxiliary/importancemixing.py
error: cannot create pybrain-pybrain-87c7ac3/pybrain/rl/learners/meta/meta.py
Every single time I run the unzip command the errors are related to different files.
Weirdly enough, the problem arises only when the user works on one of the three machines that don't host the shared /Users directory. Furthermore, it only applies to non-administrator accounts (if I try to perform the same operation using my admin account everything works smoothly, no matter on which machine I'm working). Promoting that guy to administrator (Server->Users->right click on the username->Edit User->Allow user to administer this server) made the problem disappear. Even more weird, after I removed the flag on "Allow user to administer this server" for that user, he is not experiencing the issue anymore.
What the heck is going on?
Cheers,
Fabio
1. You can delete the Test1 and Test2 accounts if you log into your Administrator Account. Once in your Admin Account, open System Preferences > Users & Groups and you will see and be able to delete the Test1 & Test2 accounts.
2. Leave your Guest account for, well, guest users. Do not use it in the normal course of events. When you log out of the Guest account, all the settings, caches, etc. are wiped, as are all files and folders that you may have saved in the Guest account home folder. The Guest account is truly designed only for temporary, guest use.
3. Leave your Administrator account for use only for installing programs, doing system administration, managing accounts, etc.
4. Use your named account as your regular account. It appears to already be a User account. The primary limitation is you cannot install programs in a regular User account. This actually helps protect your Mac from viruses and other malware that would need to install software in order to corrupt your system.
5. You can turn off the need to enter a password when your computer sleeps in System Preferences > Security & Privacy > General. UNcheck the option called "Require password for sleep and screen saver." -
IChat doesn't display OD users for non admin account
I have a Mac Mini SL server with iChat service running. When I add an Admin account (Account with admin privilege to work group manager) it can see other accounts and groups. However, when I add a non admin account it doesn't see any user nor group!
Checking the iChat logs, I can see the non admin account logging in and being authorized:
Oct 24 13:49:59 qserv jabberd/c2s[1631]: [14] [::ffff:192.168.1.29, port=50799] connect
Oct 24 13:49:59 qserv jabberd/c2s[1631]: [14] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=[email protected], TLS negotiated
Oct 24 13:49:59 qserv jabberd/c2s[1631]: odauth_check_servicemembership: checking user "user" access for service "chat"
Oct 24 13:49:59 qserv jabberd/c2s[1631]: odauth_check_servicemembership: mbrcheck_servicemembership returned 0
Oct 24 13:49:59 qserv jabberd/c2s[1631]: odauth_check_servicemembership: user "user" is authorized to access service "chat"
Oct 24 13:49:59 qserv jabberd/c2s[1631]: [14] bound: jid=[email protected]/Luminous
Oct 24 13:49:59 qserv jabberd/sm[1629]: session started: jid=[email protected]/Luminous
All clients are Mac OS X 10.6
Tim Harris wrote:
odauth_check_servicemembership: user "user" is authorized to access service "chat"
This means that this user is not allowed to use the iChat services. In server admin - access, you get to set who or what type of users / group, etc is allowed access to which services. Did you check that?
Unfortunately I don't see that! I'm using Server Admin 10.6.3 and when I click on the iChat service it displays three tabs only; Overview, Logs, Settings where settings has two sub tabs (General and Logging).
There isn't any option where I can define who can or cannot access iChat service in Server Admin.
Under the Setting's General tab I have:
Host domains set to: qserv.xxx.net
I also have my SSL Certificate selected
Authentication: Any method
Enable XMPP server-to-server federation is not checked -
Using BT Mail smtp server for non-bt account
Having recently discovered the hard way that I was migrated (and had no BT e-mail for 3 days), I have now discovered that all the authorisations I had set up for sending of e-mail with the sender's address being a non-bt account have gone.
The help files point me in the direction of setting up BT Mail to get non-bt mail for me. This is not what I want. All I need is to authorize andrew@******.org.uk as an authorised user on my BT account. Thunderbird is quite capable of getting the mail from mail.****.org.uk with POP3. I just need to be able to use the BT smtp server for outgoing mail only.
Help Please
Andrew Johnson
Appears to be working again with andrew@******.org.uk
I guess it was just a glitch. -
Hi,
Problem Description:
After installing my new product version, when user does log-off and log in again into admin account or switch from admin account to non-admin account, PATH environment variable shows incorrect path of my product (previous product version’s path) using command prompt.
It seems windows refresh issue during session changes (log off and log in / switch from Admin to Non-admin account).
Why PATH environment variable is not refresh immediately after log off and log in again or Switch from admin to non-admin mode?.
Please see my thread for more details http://social.msdn.microsoft.com/Forums/vstudio/en-US/445ab42c-bdff-405a-8d53-558e1b6c7d34/path-environment-variable-issue-when-user-logoff-and-login-or-switch-from-admin-to-nonadmin?forum=windowsgeneraldevelopmentissues
Also submitted bug for this in connect.microsoft.com portal. In that it has lots of information like problem statement, Reproduction steps and Expected Results.
Bug ID: 871782
Could you please anybody help me for this? Your support will be appreciated.
Thanks,
Marichamy
Why PATH environment variable is not refresh immediately after log off and log in again or Switch from admin to non-admin mode?.
I wouldn't have any expectation of what you are doing to work the way you expect. E.g. why is the %ABC% being replaced at all? There is some help about this ambiguous scenario in the cmd help...
/V:ON Enable delayed environment variable expansion using ! as the
delimiter. For example, /V:ON would allow !var! to expand the
variable var at execution time. The var syntax expands variables
at input time, which is quite a different thing when inside of a FOR
loop.
/V:OFF Disable delayed environment expansion.
So, what's the setting for the /V: switch that your users would be using? Perhaps you should be using the ! instead of the % for your ABC variable?
Oh. There's more below where I found that...
Delayed environment variable expansion is NOT enabled by default. You
can enable or disable delayed environment variable expansion for a
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable delayed expansion for all invocations of CMD.EXE on a
machine and/or user logon session by setting either or both of the
following REG_DWORD values in the registry using REGEDIT.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
and/or
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
to either 0x1 or 0x0. The user specific setting takes precedence over
the machine setting. The command line switches take precedence over the
registry settings.
In a batch file the SETLOCAL ENABLEDELAYEDEXPANSION or DISABLEDELAYEDEXPANSION
arguments takes precedence over the /V:ON or /V:OFF switch. See SETLOCAL /?
for details.
If delayed environment variable expansion is enabled, then the exclamation
character can be used to substitute the value of an environment variable
at execution time.
So, I guess the essence of your "bug" will boil down to whether you need the feature to get the result you want and the truth of that first sentence but it certainly looks like a "can of worms" to me. ; )
HTH
Robert Aldwinckle -
Can I put more than one user under one Apple ID account. I want to let other family members use imessage on their own Apple device. Or is there another way to get this end result?
You can search the net for solutions like this one http://appletvvpn.com/how-to-connect-apple-tv-2-to-vpn/ another idea is to use a PC as the control and fit that with a wireless card and set up an ad hoc wireless network that the Apple TV uses.
-
I RECENTLY PURCHASED ANOTHER IPHONE. MY INTERNET IS NOT WORKING. I JUST CREATED AN APPLE ID. WHAT'S NEXT? I NOW HAVE TWO DIFFERENT ACCOUNTS WITH DIFFERENT USER NAMES. HOW CAN I USE ONLY ONE ACCOUNT FOR ITUNES, ICLOUD APPLE ID ETC???
Welcome to the Apple community.
iTunes and iCloud are different accounts, you will need to delete both accounts from your device before adding the new details in their place.
For iCloud go to settings > iCloud, scroll down and hit the delete button. You can then sign back in using your correct details. For iTunes go to settings >store, tap your account ID and then sign out, you can then sign back in using your correct Apple ID. -
I recently upgraded our family's mac to OS X. I thought this was the perfect time to create and use "user accounts". We had always used 1 main account. So how do I use software or applications with a lot of data like Quicken under my own user account? I wanted to be able to manage my own itunes library, iphone apps, messages. But I still really need to use the Stuff I have in Quicken essentials. I don't want to have to restart all my work done in Quicken already.
I haven't used Quicken in a while, but most applications store your files in your Documents folder. Is that where your Quicken data file is? What you do next depends on how many family members need to get at that data.
If multiple family members need to use the Quicken data file, try moving it to the Documents folder in the Shared account. That is an account that all accounts can see. It's at the same level as the other accounts. In other words, Shared is one level up from your Home account, or Hard Drive/Users/Shared.
If you're the only one allowed to see that Quicken data, move the Quicken data file from the old main account to your account, and don't leave a copy behind. You can use the Shared folder as a way station for the transfer since you won't be able to see both accounts' Documents folders at the same time (because you're not allowed to peek into other people's accounts). Or you can use another disk or server for the transfer, as long as you can get to it when logged into either account. -
Can I use one itunes account for multiple users and multiple devices
Can I use one itunes account for multiple users and multiple devices?
The iTunes EULA, as I understand it (I'm not an attorney) for Apps is basically that one person can use an App on multiple devices, or multiple people can use an App on one device..so one to many or many to one, but not many to many....