Want to configure a GPO "Stop (domain) users [having admin rights] from installing software"

Want to configure a GPO "Stop (domain) users [having admin rights for some particular users]  from installing/uninstalling software"
Requirements :-
1. Domain user should not be allowed to install/uninstall any software. Rest all the actions can be performed by the user like an administrator can do.
Please suggest if possible then how can I implement the same.

Hi Amar Chand,
You can do so by using certain Group Policy settings to control the behavior of the Windows Installer, prevent certain programs from running or restrict via the Registry Editor. The Windows Installer, msiexec.exe, previously known as Microsoft Installer, is an engine for the installation, maintenance, and removal of software on modern Microsoft Windows systems.
You can try the following method to resolve this issue:
Method 1: Disable or restrict the use of Windows Installer via Group Policy
Open “GPMC”, create a GPO linked to the correct scope. You can refer to this article: Create a new Group Policy object.
Right-click it, click Edit, and then navigate to
Computer Configuration/Policies/Windows Components/Windows Installer.
In the right-hand pane, double-click Disable Windows Installer.
Click Enable and configure the option as required. The "Always" option indicates that Windows Installer is disabled.
This setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs.
Click Apply to save this configuration.
Run gpupdate /force on the clients. 
For your information, please refer to the following article to get more help:
Managing options for computers through Group Policy
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_wininstall_group_policy_computers.mspx?mfr=true
Method 2: Restrict Programs from being installed via Registry Editor
Open Registry Editor and navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Create a String value with any name, like 1, and set its value to the program’s EXE file.
e.g., if you want to restrict msiexec, then create a String value 1 and set its value to msiexec.exe. If you want to restrict more programs, then simply create more String values with names 2, 3 and so on and set their values to the program’s exe.
Note: You may have to restart your computer.
In addition, if you choose this method, you could deploy the registry configuration via GPO. Please refer to the following article:
Configure a Registry Item
http://technet.microsoft.com/en-us/library/cc753092.aspx
Regards,
Lany Zhnag
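
A read-only check for a client after gpupdate, added here as an example and not part of the original reply: it reports whether Method 1 (the DisableMSI policy value) or Method 2 (the DisallowRun list) is actually in effect. The function names are made up for this example; the registry locations are the standard ones for these policies, and the DisallowRun list is only enforced when the DWORD value DisallowRun under ...\Policies\Explorer is set to 1.

```powershell
# Added example: read-only audit of the two restrictions described above.
# Run it in the affected user's session, because Method 2 lives in HKCU.
# Function names are hypothetical helpers, not part of any Microsoft module.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path -Path $Path)) { return $null }
    $key = Get-Item -Path $Path
    return $key.GetValue($Name, $null)
}

function Get-InstallRestrictionReport {
    # Method 1: the Windows Installer policy is stored machine-wide as DisableMSI.
    #   0 = Never, 1 = For non-managed applications only, 2 = Always
    $msiPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $disableMsi = Get-RegistryValue -Path $msiPath -Name 'DisableMSI'

    if ($null -eq $disableMsi) {
        $msiState = 'Not configured'
    } elseif ($disableMsi -eq 2) {
        $msiState = 'Always (Windows Installer disabled)'
    } elseif ($disableMsi -eq 1) {
        $msiState = 'For non-managed applications only'
    } elseif ($disableMsi -eq 0) {
        $msiState = 'Never (Windows Installer enabled)'
    } else {
        $msiState = "Unexpected value: $disableMsi"
    }

    # Method 2: per-user block list. The DisallowRun DWORD switches the list on;
    # the DisallowRun subkey holds one String value per blocked executable.
    $explorerPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $listPath     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    $listEnabled  = Get-RegistryValue -Path $explorerPath -Name 'DisallowRun'

    $blocked = @()
    if (Test-Path -Path $listPath) {
        $listKey = Get-Item -Path $listPath
        foreach ($valueName in $listKey.GetValueNames()) {
            $blocked += [string]$listKey.GetValue($valueName)
        }
    }

    [pscustomobject]@{
        WindowsInstallerPolicy = $msiState
        DisallowRunEnabled     = ($listEnabled -eq 1)
        DisallowRunEntries     = $blocked
        MsiexecListed          = ($blocked -contains 'msiexec.exe')
    }
}

Get-InstallRestrictionReport | Format-List
```

If DisallowRunEntries is populated but DisallowRunEnabled is False, the list has been deployed without the switch value and is not being enforced.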

Similar Messages

  • I want to transfer a Windows PC Domain user to a mac.

    Hi,
    I want to transfer a Windows PC Domain user to a mac. The mac was being used by another user who was also on the domain but left the organization. I need to set up that mac for another using a PC. There is a mac server involved but I don't know the process and how it works. The domain controller is Windows server.
    Can someone please let me know the process involved in transferring a PC Domain user to Mac Domain user?
    That will be great
    Cheers

    thanks for the info. I found Apple utility software on this Windows 7 PC but I guess it is not required for sharing internet on existing Apple Extreme. Am I correct that I can remove this Apple software?

  • Domain Users AD group disappearing from SharePoint security

    After applying SharePoint 2010 SP2 and the September 2014 cumulative update (KB 2883103) to our SP2010 farm, we've discovered the system is automatically removing the 'Domain Users' active directory group from SharePoint security. It's not affecting any other AD groups or users or when Domain Users is a member of a SharePoint group. Only when Domain Users has been explicitly added to a site, library, list or document.
    For example, we give Domain Users access to the root of most our site collections and then break inheritance for certain libraries or lists that need more security. Now Domain Users has disappeared from every site. I can say with 100% confidence that this has not been done by anyone in the organization. Nothing else changed besides SP2 and Sept2014 CU.
    Yesterday we fixed a few sites by re-adding Domain Users. This morning those were missing again, so it must be a timer job or other cleanup process that is causing this. Again, this does not affect SharePoint groups/membership or any other AD object, only Domain Users.
    Has anyone run into this issue or have any suggestions on a resolution? We have enabled audit logging but have not seen any related logs yet.

    Sometime between noon and 1:00pm this afternoon we lost the Domain Users group again from all sites where we re-added it.  Audit logging is showing this for one particular site:
    {072c340a-42cb-4861-a182-38102b53bc52}
    {072c340a-42cb-4861-a182-38102b53bc52}
    Site
    System Account   <SHAREPOINT\system>
    2014-10-21T18:53:52
    Security Role Bind Update
    SharePoint
    <roleid>-1</roleid><principalid>DOMAIN\domain   users</principalid><scope>67A6138A-CBFA-42BD-87EF-86D558047D63</scope><operation>ensure   removed</operation>
    Does anyone know if any additional logging can be enabled to see WHY this is occurring?
    So far our solution has been to set up another AD security group and nest the domain users security group inside. Not exactly a solution but at least a workaround.

  • AD users losing admin rights when working offline.

    We have recently started using AD accounts on our Macs but a critical problem has presented itself.
    Under 'Allow administration by' we are using a domain group called 'Domain Users' and this works fine when users are connected to our corporate network but when they are offline and not able to see the AD servers at login they lose their admin rights.
    So even if you create a mobile account this setting has to be validated every time the user logs on.
    It has been suggested to use the following command to correct the problem but this has no effect:
    "sudo dseditgroup -o edit -a "domain\groupname" -t group admin"
    Has anyone successfully found a workaround for this problem?

    Yep. That is the side effect of the evolution of AD integration. Many more things are live lookups. Have you tried password protected screen savers yet? Yep, live call to AD. The reason this is failing is the domain users is an AD group and the system can not resolve the GUID without access to the domain.
    In any case, there is a way around this but it is a little messy and it breaks the whole point of using the plug in to allow for a single point of control. If you are using cached credentials, you should be able to add the user to the admin group. Once again, this poses a number of problems as you are now injecting an AD user into a local account, you have no centralized method of removing admin rights from the user, and each machine requires a custom command (you need to issue the user's shortname).
    Now, your other option is to say, "it is a security implementation to prevent unauthorized access to the machine when it is not under the protection of our LAN." Yep, line of garbage, but the real question is, why do they need admin rights? If for installing software, that likely should not be up to them if you are enforcing a corporate standard. I generally can't find a good argument for permitting admin rights.

  • Users with Admin Rights

    I've been looking through the Admin Ref Manual and Admin Guide (9.0.42) to see if there is a way to list the users that have been given Administrative rights on any given node within the node network on our server. I thought I remember seeing this documented somewhere but now I can't find it.
    Does anyone know if it's possible and if so where is it documented?
    Thanks in advance for your words of wisdom! :)
    -Gail

    In the BASIC web browser login popup there is a read-only field called
    "Realm". This is what is specified in the tab. It is merely there for
    informational purposes for the user logging in.
    Neil Smithline
    WLS Security Architect
    BEA Systems
    "veena" <[email protected]> wrote in message
    news:3ae5ab86$[email protected]..
    does weblogic support different security domains for different web
    applications ? if not, what is the purpose of the Auth Realm Field in the
    Other Tab when installing a web application ?
    Veena.
    "Neil Smithline" <[email protected]> wrote in message
    news:3ae563d4$[email protected]..
    This is not possible in current WLS releases. Each "administrative domain"
    (referred to simply as a "domain" in WLS doc) corresponds to one and exactly
    one "security domain". Users have the same permissions throughout the
    domain.
    We are currently considering various options for how to support this in the
    future.
    Neil Smithline
    WLS Security Architect
    BEA Systems
    "Nick Roberts" <[email protected]> wrote in message
    news:[email protected]..
    Can anyone provide information about how to have different users
    have admin rights to different servers in a domain ?
    Is there any documentation on the different resources defined in
    the ACLs list of the default server ?
    Nick

  • Creation of a normal user without admin rights

    Hi,
    I am new to oracle apex. Can you please let me know how to create a normal user without admin rights in oracle apex application.
    Thanks & Regards,
    venkat
    Edited by: 866673 on Jun 17, 2011 9:53 AM

    Welcome to the forum: please read the FAQ and forum sticky threads (if you haven't done so already), and ensure you have updated your profile with a real handle instead of "866673".
    You'll get a faster, more effective response to your questions by including as much relevant information as possible upfront. This should usually include:
    • Full APEX version
    • Full DB version and edition
    • Web server architecture (EPG, OHS or APEX listener)
    • Browser(s)/version(s) used
    • Theme
    • Templates
    • Region type
    (although for your question only the APEX version is necessary).
    Assuming you mean a user who can authenticate to an application that uses Application Express Account Credentials?
    In APEX 4.0:
    1. Go to Home > Application Builder > [Your Application ] > Administration > Create Users and Groups > Create User
    2. Enter the User Identification information.
    3. In the Account Privileges, specify:
    User is a workspace administrator: No
    User is a developer: No
    4. Complete the rest of the form as necessary.

  • Additional User with admin rights

    Hi all,
    I checked the documentation but I could not find a possibility to create an additional user with admin rights to access the Vibe Management Console.
    Does anybody know if this is possible and how to do this?
    Thanks in advance
    Alex

    Hi Willem,
    thank you for the great post. It did the job very well.
    Alex
    >>> <[email protected]> wrote on 1.8.2013 at 07:46 AM:
    > arlorenz;2275156 Wrote:
    >> Hi all,
    >>
    >> i checked the documentation but i could not found a possibility to
    >> create an additional user with admin rights to access the Vibe
    >> Management Console.
    >> Does anybody know if this is possible and how to do this?
    >>
    >> Thanks in advance
    >>
    >> Alex
    >
    > Hey Alex,
    >
    > Yes, that's possible. It's somewhat a twofold/threefold process, as
    > you have to give an accounts right to administer the zone, and then also
    > have to give that account rights to the personal workspace root (to be
    > able create/delete user accounts) and any workspaces that need to be
    > administered.
    >
    > I always create an vibe-admins group (local group) that gets the rights
    > to the zone and workspace roots. Then add the needed users to that
    > group.
    >
    > Access for the zone can be set within the administration console:
    > https://www.novell.com/documentation...ata/bk4saug.html
    >
    > Then add the needed rights on the workspace roots, Global, personal &
    > team workspaces.
    >
    >
    > !Do note that admin is the only user that is not allowed to get
    > blocked. Other admin users can be filtered out via ACL's.
    >
    >
    > Cheers,
    > Willem

  • Change postalsoft user to admin rights

    How do we enable a current Postalsoft user with admin rights? Currently, she doesn't have upgrade rights, some print options are greyed out... The originally installed Postalsoft is under an ex-employee logon.
    Is there a simple way to change over the rights?
    Appreciate any help with this.  Thanks.  jb

    JB,
    It still sounds like there is a permission issue.  Some settings are stored in the registry, and some of the printing options are stored in the Windows Printers folder.  So when you say that they have Read/Write Administrative rights are you sure that all the folders were changed?  As for the Presort options being gray it could be that the database is set to Read Only.  To check that you can open a job and go to File > Properties > Document.  Click on the Database Permissions tab.  Make sure that Other's Rights are set to None and Your Rights are set to Read/Write.  If this does not fix it please log a message for us in Support.
    Below are the steps to log a message for support -
    1.  Go to http://service.sap.com/bosap-support.
    2.  Click on "Create a message / Contact technical support".
    3.  Under System Search, click the drop down arrow next to your installation and choose your system, and click Search and then click on the BOB link.
    4. When creating a SAP message it is required to search for Notes. (Knowledge Base articles) to see if you can find an answer to your question without having to log the message for support. In the Search Terms area, type your question and click Continue.
    5. If you do not see any Notes pertaining to your question click on Create Message.
    6. Choose the correct Component for the product you are creating the message for. The component is the support Q that your call will go into so the correct team can assist you. To do this click on the icon next to the icon next to the Component window to see a drop down list.
    7. Click the arrow by BOJ-EIM to see a more detailed list. By each component the names of the “products” you are using are listed. Choosing the correct component will get your Message logged for the correct support team.
    For example:
    a. BOJ-EIM-COR is used for ACE, DataRight IQ, Match/Consolidate, IACE, and FirstPrep products.
    b. BOJ-EIM-COM is used for DeskTop Mailer, Business Edition, Presort, PrintForm, Label Studio
    c. BOJ-EIM-DEP is used for DQXI, Data Insight, eDQ Infa, SAP Siebel, PSFT, Oracle, Rapid Library
    8. After choosing the component, fill in any remaining required/optional items. **Required fields under Problem Details are flagged with a red asterisk.
    • In the Short Text box, enter a brief description of the question or issue.
    • In the Long Text box, you can go into further detail about what you are seeing or questioning.
    • Click Send Message.
    Thanks,
    Melissa

  • Delegate specific domain user to do add/remove hardware&software, join to domain feature only.

    Dear team;
    I want to Delegate specific domain user to do two things add/remove hardware/software, join to domain feature only without give him Local admin
    Best regards
    LAshkham

    Hi,
    Please understand that if you want to make some specific domain users add/remove hardware/software on domain computers, you should grant these users the local admin right. We could grant the local admin right using Restricted Groups Policy Settings or Local Users and Groups GPP setting. For details, please refer to the following articles.
    Restricted Groups Policy Settings
    http://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx
    How to use Group Policy Preferences to Secure Local Administrator Groups
    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
    You also mentioned that you want to delegate the Join a computer to a domain task to these specific users. Regarding the request, we could delegate the task via Delegation of Control Wizard. For details, please refer to the following article.
    Delegation of Control Wizard
    http://technet.microsoft.com/en-us/library/dd145344.aspx
    Hope this helps.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support

  • The domain users without administrative permission cannot install printers shared on printer server

    Dears
    We have a printer server that OS is Windows Server 2003, and all clients are installed Windows 7. Now, the domain users cannot install printers shared on the printer server. When I log on to the client computer with a domain user and access the printer server by URL \\192.168.37.1, I can see all printers shared on the printer server. Then I double click on a printer to install it on the client computer. It will ask me to input user name and password of local administrator.
    How to install the printers with domain user directly. Thanks

    refer step #8:
    http://blogs.msdn.com/b/7/archive/2011/07/11/allowing-standard-users-to-install-network-printers-on-windows-7-without-prompting-for-administrative-credentials.aspx
    Don

  • Keep getting a prompt to install java even when not surfing the net. I have java installed and the control panel says it is right version. Want to know how to stop prompts. This started after I installed Yosemite.

    Since installing Yosemite I keep getting a prompt to install Java even when I am not surfing the net. Went system preferences and I have recommended version installed. I want to know how to stop the prompts. I do not have this problem on my iMac.

    Most likely, you have either the Facebook video calling plugin or the "NexDef" plugin for watching baseball streams. Both depend on the Java runtime distributed by Apple. If you no longer need the plugin, remove it. Otherwise, install Java.

  • Give a windows domain user local administrative rights?

    I'm familiar with managing servers/computers in a Windows environment, and I can't seem to find a tool to do something similar in OS X 10.5. I'm getting ready to ship a MacBook Pro to an employee who will be authenticating against our Active Directory Windows domain for login. The machine is already set up to allow this (and I'm able to log in using my network credentials currently). However, I'd like to also give the user administrative rights so he can install software as he sees fit. In Windows, I would just go to the groups section and add the user by typing in his account as: Domain\user and it would add him to that group. I haven't been able to find anything similar with the MacBook so far. Any help would be greatly appreciated.
    Message was edited by: vlitsupport
    Also.. if this needs to be in another section of the forum, please let me know.
    Thanks!
    Message was edited by: vlitsupport

    found a good tutorial:
    http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/ArticleID/234/PageID/359/Default.aspx

  • Clustered enviroments -Starting/Stopping Managed servers, NodeManager & Admin server from single node

    Hi,
    We have a 5 node Weblogic cluster. At the time of some mass activities like patching we have to stop all our managed, Admin Servers and node manager and it takes a lot of time to do this by logging in to all 5 managed servers and stopping all components. Though we have node manager configured so we can stop managed servers from console itself, but still have to login to each server to stop NodeManager and Oracle Http Servers.
    Things become worse when we have to shutdown almost 15-20 instances.
    Is there a way (using wlst or shell script) that we can do all these tasks from by logging in to just one server?
    Thanks,
    Suraj

    The simple code below would shutdown all the running Servers. Some of the APIs, for ex MBeanHome, are deprecated..still work though..if you're concerned about that..I am working on the same using JMX API..if you want I could share that too. And also as described in the below link..you can Cluster stop and start using WLST commands. Managing the Server Life Cycle - 12c Release 1 (12.1.1)
    <This code is from Oracle Weblogic documentation>
    import java.util.Set;
    import java.util.Iterator;
    import java.rmi.RemoteException;
    import javax.naming.Context;
    import javax.management.ObjectName;
    import java.io.*;
    import java.net.*;
    import weblogic.jndi.Environment;
    import weblogic.management.MBeanHome;
    import weblogic.management.WebLogicMBean;
    import weblogic.management.configuration.ServerMBean;
    import weblogic.management.runtime.ServerRuntimeMBean;
    import weblogic.management.runtime.ServerStates;
    import weblogic.management.WebLogicObjectName;
    public class ServerStopper {
      public static void stop() throws Exception {
        MBeanHome home = null;
        //url of the Admin server
        String url = "t3://localhost:7001";
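        // Sample credentials from the documentation; read real ones from a
        // protected source at run time instead of hard-coding them
        String username = "weblogic";
        String password = "welcome1";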
        ServerRuntimeMBean serverRuntime = null;
        Set mbeanSet = null;
        Iterator mbeanIterator = null;
        try {
          // Set ContextClassloader to prevent assertions
          URL[] urls = { new File("/").toURL() };
          Thread.currentThread().setContextClassLoader(new
             URLClassLoader(urls));
          Environment env = new Environment();
          env.setProviderUrl(url);
          env.setSecurityPrincipal(username);
          env.setSecurityCredentials(password);
          Context ctx = env.getInitialContext();
          home = (MBeanHome)
               ctx.lookup("weblogic.management.adminhome");
          mbeanSet = home.getMBeansByType("ServerRuntime");
          mbeanIterator = mbeanSet.iterator();
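          // Walk every ServerRuntime MBean known to the Admin server
          while(mbeanIterator.hasNext()) {
            serverRuntime = (ServerRuntimeMBean)mbeanIterator.next();
            // Only shut down servers that are currently running
            if(serverRuntime.getState().equals(ServerStates.RUNNING)){
                serverRuntime.shutdown();
            }
          }
        } catch (Exception e) {
          e.printStackTrace();
        }
      }
    }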

  • Agent Installation on users without Admin Rights

    There are around 500 users and all are having non admin rights on their computers. When the software is downloaded from the cas to the user's PC it says that the software cannot be installed as the user does not have admin rights. So each time we have to log on as an admin and install the software. Is there an easy way that we can install the agent? Even if I have to install the stub, it also requires admin rights.

    Talha,
    That is correct. You have to install the stub as an admin. For convenience it is available as an MSI which you can push using any of your software push methods you use (SMS, GPOs, Altiris etc) but the initial install requires admin access.
    HTH,
    Faisal

  • Active Directory: user has admin rights when logs in for the first time

    I have an Xserve server running OS X server 10.5.8 and trying to host _open and active directory_ for both Mac and PC machines. The open directory works fine but what happens on the active directory side is that, when a user logs in from a windows machine he/she can access all the other users folders. In other words, he/she almost has *admin rights*. Is this normal or there is some settings that I can look into to fix this?
    Details: The first time the user logs in, his only effect on the server is the password change. What this means is that his changes don't get uploaded to the server. It is only the second time the user logs in from ANOTHER computer that the server starts saving his profile. Also, after the second login the user doesn't have admin rights anymore.
    Thanks,
    MR

    If you've just changed your login password in Recovery mode, follow these instructions. Otherwise, see below.
    At some point, you may have reset your keychain to default in Keychain Access. That action would have caused your login keychain to be renamed.
    Back up all data before proceeding.
    In Keychain Access, delete the login keychain from the keychain list. Choose Delete References when prompted, not Delete References & Files.
    Triple-click anywhere in the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
    ~/Library/Keychains
    In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar, paste into the box that opens (command-V), and press return. A folder will open. Rename the file "login.keychain" in that folder to something like "login-old.keychain". Rename the file "login_renamed_1.keychain" to "login.keychain". You can then close the folder.
    Back in Keychain Access, select 
              File ▹ Add Keychain...
    from the menu bar. Add back the file now named "login.keychain". If any of your needed keychain items are missing from it, also add back the file you named "login-old.keychain". I suggest you transfer any needed items from that keychain to the login keychain, then delete it. The transfers are made by drag-and-drop in Keychain Access. You'll need to enter your password for each item transferred.
