Way to prevent certain OD users from logging into certain computers?

Similar Messages

• Is there a way to prevent an end-user from changing their own password?

  All you guru's out there, I need your help. Is there a way to prevent an end-user from changing their own password? Is there a function or procedure I can create or what?

  In this case, you do not want someone (whoever they are DBA etc) to connect as that
  particuler user to change the password.Yes, but I wouldn't expect the users to[i] know that password. The connnect would be handled automatically, behind the scenes.
  The clear implication of the OP's question and response was that users would not be allowed to change their own passwords. I'm guessing this is in response to a policy that says users mustn't have simple passwords like 123abc or mom. In such a scenario a better approach would be to apply regexp to a user's password to ensure it contains a mix of letters, numbers, punctuation, etc to achieve the desired level of complexity.
  So questions, should not be regarded as daft Agreed, but the same is unfortunately not always true of business decisions. As the OP has told us not to ask we cannot know why they want to do this. Personally, I think a user's individual password should always be their responsibility; anything else strikes me as insecure. YMMV.
  Cheers, APC

• Is there any way to prevent non-root users from rebooting the system?

  This question seems to be addressed many times on the web, but the problem is that none of the wannabe-howtos work on my system. In particular, this doesn't work and this doesn't work either, because (1) I need to keep policykit installed for udisks and other dependencies to function and (2) renaming (or removing) the file /usr/share/polkit-1/actions/org.freedesktop.login1.policy has (again) no effect on the users' ability to reboot and shut down the system. Even more surprisingly, adding the following to /etc/polkit-1/rules.d/20-disable-shutdown.rules has no effect at all:
  polkit.addRule(function(action, subject) {
  if (
  action.id == "org.freedesktop.login1.power-off" ||
  action.id == "org.freedesktop.login1.reboot" ||
  action.id == "org.freedesktop.login1.suspend" ||
  action.id == "org.freedesktop.upower.suspend" ||
  action.id == "org.freedesktop.login1.hibernate" ||
  action.id == "org.freedesktop.upower.hibernate"
  return polkit.Result.NO;
  As a result, ordinary users (not in the wheel group and with no special permissions) can simply reboot the machine by typing reboot. I remember that a simple polkit rule (as proposed on the Fedora forum) worked fine just a few months ago, but this doesn't work nowadays. The action IDs mentioned there are no longer listed in pkaction, so it's quite obvious that some changes (and bugs) have been introduced since then. I just need to prevent the users from rebooting the machine and to keep policykit installed. Is there any way to do this?

  karol wrote:Do said users have the ability to push the Power or Reset buttons?
  No, they don't.
  But come on, access permissions are a matter of principle rather than a matter of what you can possibly do with a hammer in your hand. That makes your question somewhat irrelevant to this issue. Imagine someone asking: "How can I protect my home directory from access by other users?" You would then probably ask: "Do said users have the ability to pull out the hard drive and mount it on their computer?"
  Even if the users had physical access to the ACPI buttons, rebooting the computer by mistake (via software) would still be much more likely than pressing (or even holding) the ACPI buttons by mistake.
  If I call rm -Rf / as a normal user, nothing should happen to the system in terms of availability to other users. Only my home directory and temporary files would vanish, but that's all. This is what permissions are there for. Similarly, when I type reboot as a normal user (no matter if I'm on SSH, on a local terminal or logged into KDE), it should be possible to simply disallow rebooting.
  The idea that users logged in locally can restart the computer may be fine for laptops under certain conditions, but it is a bad idea in almost all other cases. In a "kiosk" type environment, for example, the ability to reboot and get to the bootloader can be a huge security hole, unless all your disks are encrypted, and a huge "reliability hole" in any case. Suppose you use a desktop as a home server. You want everyone to be able to log in and to connect a USB flash drive (using polkit and udisks). But you simply don't want the machine to be rebooted. Why is such a simple thing so hard to do?
  Last edited by andrej.podzimek (2014-03-10 02:15:35)

• Having problem with svchost.exe/ntdll.dll errors causing GPSVC (Group Policy Client) to crash preventing users from logging into the server.

  Recently (within the past 2 weeks) I have noticed a few of our servers will have problems with the svchost.exe application causing the GPSVC (Group Policy Client) to crash. The only fix at that point is to reboot the server since the GPSVC service is tied
  to svchost.exe and therefore is protected from being manually restarted.
  I noticed the following errors when this occurs:
  Log Name:      Application
  Source:        Application Error
  Date:          7/23/2013 4:35:26 AM
  Event ID:      1000
  Task Category: (100)
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      Server1.xxx.xxx.net
  Description:
  Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
  Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
  Exception code: 0xc0000024
  Fault offset: 0x00000000000cd7d8
  Faulting process id: 0x46c
  Faulting application start time: 0x01ce877f9476ac07
  Faulting application path: C:\Windows\system32\svchost.exe
  Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
  Report Id: d252d26d-f372-11e2-8ad4-005056ac00e8
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Application Error" />
      <EventID Qualifiers="0">1000</EventID>
      <Level>2</Level>
      <Task>100</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2013-07-23T08:35:26.000000000Z" />
      <EventRecordID>158950</EventRecordID>
      <Channel>Application</Channel>
      <Computer>AAW19XM2.agency.nwie.net</Computer>
      <Security />
    </System>
    <EventData>
      <Data>svchost.exe</Data>
      <Data>6.1.7600.16385</Data>
      <Data>4a5bc3c1</Data>
      <Data>ntdll.dll</Data>
      <Data>6.1.7601.17725</Data>
      <Data>4ec4aa8e</Data>
      <Data>c0000024</Data>
      <Data>00000000000cd7d8</Data>
      <Data>46c</Data>
      <Data>01ce877f9476ac07</Data>
      <Data>C:\Windows\system32\svchost.exe</Data>
      <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
      <Data>d252d26d-f372-11e2-8ad4-005056ac00e8</Data>
    </EventData>
  </Event>
  All of our servers are running Server 2008 R2 Enterprise where we use Citrix to deliver desktop sessions to our users, but some are virtual and some are physical. This seemingly impacts our virtual machines more, and our VMs are hosted through VMWare, however,
  about 5 months ago a similar error fired on a non-virtual machine:
  Log Name:      Application
  Source:        Application Error
  Date:          2/27/2013 6:57:58 AM
  Event ID:      1000
  Task Category: (100)
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      AAW29033
  Description:
  Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
  Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
  Exception code: 0xc0000024
  Fault offset: 0x00000000000cd7d8
  Faulting process id: 0x6c0
  Faulting application start time: 0x01ce14e1af313fd9
  Faulting application path: C:\Windows\system32\svchost.exe
  Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
  Report Id: ed3d01c4-80d4-11e2-9128-b499baa9e5e8
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Application Error" />
      <EventID Qualifiers="0">1000</EventID>
      <Level>2</Level>
      <Task>100</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2013-02-27T11:57:58.000000000Z" />
      <EventRecordID>286291</EventRecordID>
      <Channel>Application</Channel>
      <Computer>AAW29033</Computer>
      <Security />
    </System>
    <EventData>
      <Data>svchost.exe_gpsvc</Data>
      <Data>6.1.7600.16385</Data>
      <Data>4a5bc3c1</Data>
      <Data>ntdll.dll</Data>
      <Data>6.1.7601.17725</Data>
      <Data>4ec4aa8e</Data>
      <Data>c0000024</Data>
      <Data>00000000000cd7d8</Data>
      <Data>6c0</Data>
      <Data>01ce14e1af313fd9</Data>
      <Data>C:\Windows\system32\svchost.exe</Data>
      <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
      <Data>ed3d01c4-80d4-11e2-9128-b499baa9e5e8</Data>
    </EventData>
  </Event>
  I've searched and cannot seem to find any information as to what may be causing this, or even really where to start. Would someone be able to help me identify what might be causing this event, specific with the Exception code: 0xc0000024, which causes
  the Group Policy Client service to stop?

  You still out there looking at things? If so I have an update. The issue hasn't stopped, even though it did seemingly die down for awhile, however, it is now back with a vengeance.
  I am able to force it to happen by killing the svchost process that is hosting GPSVC. If I run gpupdate /force, then logout/login it does get GPSVC running again. Furthermore, if I simply start svchost again via the Task Manager GPSVC starts running again.
  When I access the server remotely with KVM it acts just like it does as if I'm logging into it via Citrix/RDP which for Admin IDs gives an error saying "Failed to connect to a windows service. Windows could not connect to the Group Policy Client service...",
  however, normal user accounts just get a message when logging into the server "The Group Policy Client Service Failed the Logon. Access is denied."
  I haven't opened a case with Microsoft yet, but we about ready to because of the increase in these errors.
  If you have any further suggestions that would be great, otherwise I'll provide an update once I get word back from Microsoft.
  **EDIT -- apparently I mistook the the server's SCM's actions as my own. I was able to successfully crash the GPSVC service by killing the hosting svchost process, however, after I crashed it and let it sit crashed for awhile when I attempted
  to restart either by starting a svchost task, or running gpupdate /force it failed. Either that, or there is a timing issue where if we don't restart the svchost process, or run gpupdate /force quickly enough it won't be able to recover without a reboot.

• How do I prevent users from logging into my machine in single user mode?

  I established an standard accounts for my family.  My son figured out that if he logs into the machine in Single User mode that he logs in as the root user.  He then proceeded to create another user with administrative privileges and change his account to administrator then delete the other account.  Funny thing about this is that as much as OS X is secure from outside threats a simple command-s gets you right into the very heart of the machine......

  You can set a firmware password. The firmware password only allows you to start up in normal mode, so if you try to start in single-mode user or safe mode, your Mac will ask you for a password.
  The process to turn it on depends on the OS X version you have. Open  > About this Mac, check the Mac OS X version and follow the steps depending on your OS X version.
  If you have 10.7 or 10.8:
  1. Hold Command and R keys while your Mac is starting up.
  2. After starting up into OS X Utilities, go to Utilities menu (on the menu bar) > Firmware Password Utility, and enable the firmware password.
  3. Restart the Mac.
  If you have 10.6 or older:
  1. Insert the Mac OS X disc and hold the C key while your Mac is starting up.
  2. Choose your language, go to Utilities menu (on the menu bar) > Firmware Password Utility, and enable the firmware password.
  3. Restart the Mac.
  Also, this will protect your Mac against thieves because they won't be able to erase the hard drive without knowing the firmware password. Don't forget the password, because only Apple can reset it if you don't know this password

• Is there a way to prevent a form user from paging up and down or scrolling through a form?

  I'm using Livecycle Designer 8.0.  I'm working on a registration form (it's set up like a survey).  As users respond to questions, they will be sent to the appropriate next page in the form.  In doing so, they will bypass certain pages.  However, if users decide to scroll through the document, or page up or down, it will take them to pages that will not be appropriate given their initial responses.  In some cases, it will appear that they are responding to the same question. 
  This was asked before and the answer seemed to be that this is not possible to do.  However, it's been a year or two since then.  It is my hope that the version I'm using now allows this.
  Thank you in advance for any help you can offer.

  In this case, you do not want someone (whoever they are DBA etc) to connect as that
  particuler user to change the password.Yes, but I wouldn't expect the users to[i] know that password. The connnect would be handled automatically, behind the scenes.
  The clear implication of the OP's question and response was that users would not be allowed to change their own passwords. I'm guessing this is in response to a policy that says users mustn't have simple passwords like 123abc or mom. In such a scenario a better approach would be to apply regexp to a user's password to ensure it contains a mix of letters, numbers, punctuation, etc to achieve the desired level of complexity.
  So questions, should not be regarded as daft Agreed, but the same is unfortunately not always true of business decisions. As the OP has told us not to ask we cannot know why they want to do this. Personally, I think a user's individual password should always be their responsibility; anything else strikes me as insecure. YMMV.
  Cheers, APC

• Preventing windows XP from logging into Load Balancer

  With Windows XP support essentially ended earlier this year, I was wondering if there was a way to prevent a computer running XP from logging into my hosted environment via RDP (Terminal Services 2008R2) protocol. Let's say for example that someone has a
  windows XP machine compromised with a key logger...I would need a way to prevent that computer from logging into my environment.
  I've looked at trying to get a GPO to block RDP Client settings based on protocol however XP and Vista share the same V7 RDP protocol.
  Any Suggestions?
   

  Hi,
  Thank you for posting in Windows Server Forum.
  From your description it seems that you want to block particular windows XP computer to access the RDS Server. If this is the case, then you can do following different steps.
  You can configure RD Gateway with RD CAP and RD RAP policy to control the access from computers and users and force the computer to use the RD Gateway setting.
  The other one, you can filter traffic in your router or firewall to deny traffic to the terminal server from certain ports or IP addresses. (Quoted form below thread).
  More information.
  exclude computers from access to terminal server
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/09695fb9-3344-4f0a-b8c9-2c48c1704e5b/exclude-computers-from-access-to-terminal-server
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• How do I prevent other Mac users from changing my Airport Extreme Network Name and Password within the Airport Utility?

  How do I prevent other Mac users from changing my Airport Extreme Network Name and Password within the Airport Utility?  My company is using an Airport Extreme in our office now and I want to prevent other employees from messing with the network/settings.  Is there a way to place a password on the settings to allow only the admin to access the network name and password? 

  Hi - you have will have to change the device passwords on all the base stations and then don't give them to anyone except the administrators and tell them not to save them on their computers that use the older versions of the Airport Utility - for the newer versions like the mobile apps, as soon as you enter the pasword it is saved and is visible in the advanced pane along with the network password - so if anyone gets a hold of your iPad or iPhone, they can edit the whole network - I have this same issue with my networks in the office and it is inconvenient but doable - I hope this helps

• Is there a way to prevent a PDF file from being forwarded?

  is there a way to prevent a PDF file from being forwarded? For example, im a personal trainer and if i send a client a plan via PDF file, i want to make sure that they cannot send it to anyone else. I read about how you can secure a file by creating an ID and then having the recipient create an ID as well, but i would like to make the orocess as easy as possible for my clients and not have to have them create an ID and then send it to me. is there a better way to block the recipient from resending the PDF?

  Hi Kiana,
  As such there is no option to prevent the recipients from forwarding the pdf. However you can refer to this blog How do I prevent someone from forwarding a PDF?, it might be of some help.
  Regards,
  Aadesh

• Is there any way to prevent opening the lid from waking my MBP?

  Hi,
  I have a problem with my screen on my MBP such that when the computer is asleep in its case the lid often comes ajar, wakes the computer, and drains the battery. Is there any way to prevent the lid opening from waking the computer?
  Thanks for any ideas on how to fix this.

  Option 3: Open Applications > Terminal and type sudo pmset lidwake 0 (you'll be prompted to enter your admin password). To revert to wake on lid open, use the Terminal command sudo pmset lidwake 1.

• Is there a way to find how many users are logging on to my site?

  Is there a way to find how many users are logging on to my site at a specific time?
  Thanks in advance..

  Is it possible to use an EJB3.1 Singleton beans for this too? (instead of the application context)
  Or will this create a bottleneck because of the standard write lock? It wouldn't be thread safe to provide a read lock on a user_counter increment method?

• Is their way to prevent a form data from being lost when a validation fails

  Is their way to prevent a form data from being lost when a validation fails?

  So I would use APEX_COLLECTION (there is some information in APEX documentation).
  Read all data you need to keep after submit and save them to your collection. Then, if validation fails, show report with data not from base, but from your collection. You have to create process, which creates collection, and you need to modify your report definition to get data not only from DB but also from collection.
  If you have any questions feel free to ask.
  Regards,
  Przemek
  Edited by: Przemek on 2009-01-10 17:47

• Force Active Directory Users to Log Into a Shared Local Profile.

  I've searched long and hard for an answer to this but I've found very little info on it so I'm starting to wonder if it's at all possible.
  On some of our "Presenter PC's" at work it has been deemed that the creation of a new account from the Default profile takes too long when logging into Active Directory and slows presenting down too much. Our Default profile is probably around 120Mb due to
  the contents of the image after deployment and how every application is tailored for use hence the AppData folder takes the bulk of the size up and it's not an option to remove it.
  These PC's are (for now at least but hopefully not for much longer) locked down by Deep Freeze which resets all changes to all files when the PC is rebooted so a shared profile is not a problem at this point in time.
  What I want to know is whether there is ANY way to make it so that a user authenticating to Active Directory can ALWAYS be forced into a pre-configured, local profile running on Win 7 32/64 Pro?
  I've been looking at credential providers and replacing USERINIT.exe. I'm just not 100% sure which part of the process actually tells the PC which profile to use. I know that the registry is checked for the user GUID and if not present creates a new entry and
  copies the Default profile but I don't know quite where this is called and how to modify it.
  My programming knowledge limited to a bit of CMD and AutoIt but I do know a few coders so if we really have to get our hands dirty on this it isn't the end of the world.
  I should also add I've recently been toying with taking the AppData folder outside of the Default profile and creating a SymLink to it but upon copying the Default profile to a new profile (much quicker and more acceptable) the SymLink is lost and replaced
  with a relatively empty set of folders which can't be deleted and replaced with a SymLink because the LSASS.exe process is using it and obviously you can't stop that process...
  Making the PC log into a local profile on startup is also not an option because a user MUST log into AD to not be in breach of our AUP and all network drives must be availalbe (mapped by GPo and login script).
  Any help is more than welcome at this point in time as I've pretty much exhausted all avenues that I know of and have turned to you helpful folk.  Cheers

  Hi,
  For mandatory profile, I suggest you refer to the following articles:
  Customize the default local user profile when preparing an image of Windows
  http://support.microsoft.com/kb/973289
  mandatory profiles
  http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/d2406a55-e053-45c5-b064-bf009c4bfafc
  Hope this helps.
  Vincent Wang
  TechNet Community Support

• How to find out if a user is logged into a windows XP or VISTA machine

  Hi,
  Could somebody please tell me how to find out remotely over a LAN, whether a user is logged into a computer that is running windows XP/VISTA or not? How can this be programmatically done if we know the name of the remote machine?
  Thanks.
  Ravisara

  Hi,
  Thanks for all the replies.
  Actually it seems that my question has either been misunderstood or has been badly phrased by me.
  What I want to know precisely is the way to find out if a user is logged into a machine or not. Say for example in a LAN there are three computers called A, B and C. If my Java program is running on machine C, how can the program check whether a user is logged into machine A? Assuming JRE is present in all three machines, the machines have as their OS windows XP or VISTA and all machines are connected to a windows domain(Windows 2003 server based network)
  The idea here is to identify all the computers in a network that users are not logged into and then to remotely shutdown those computers in order to minimize wastage of electricity(preferably after a particular time of the day in an organization).
  Any replies would be much appreciated.
  Kind regards,
  Ravisara

• Users cannot log into Remote Desktop after 3/11/2015 update!

  I have a simple network where users can log into a Windows SBS 2008 server with Remote Desktop to access various applications.  This worked quite smoothly until this morning, after the updates of last evening. (3/11/2015)
  When users tried to log into the Remote Desktop this morning their credentials were rejected, as if their username and/or password were incorrect.  Even I (as the administrator) could not log in remotely.  Finally I connected a monitor and keyboard
  directly to the server and was able to log in without an issue.  After logging in directly I was able to connect through remote desktop.
  This method worked for my other users as well - after I logged them in directly they were able to use remote desktop no problem.
  The trouble is that I have a couple dozen users, and this is an issue that should not be occurring.  What happened in the last update to cause remote desktop to reject users credentials?  Why does it only work after the user logs in directly? 
  And most importantly, how do I fix this?
  A few notes:
  Simply browsing for files on the server also asks for the user's name and password, and this works as well.  This is only a remote desktop issue.
  I have already checked to make sure the domain was correct.  It was.
  I have already checked to make sure the usernames and passwords were correct.  They were.
  I have already checked to make sure this was not a unique issue for a single (or limited number) of users.  This issue effected
  all users all the network.
  Thank you very much for your help,
  Dustin

  I'm curious here...  If the server is rebooted, does it put the RDS users back into a "credentials failed" situation?  If so, could you please have them log in with credentials:
  domain.local\username    (I suspect they may be currently using domain\username)
  and see if that fixes the RDS problem without having to first log into the server directly.
   The ".local" may be ".lan" or ".somethingelse" depending on how you initially configured your domain, but the default for SBS 2008 is ".local"
  Merv Porter
  =========================
  That's a good question - the server will auto-reboot this evening and I'll test again in the morning. 
  You are correct that we've been using domain\username.  I tried domain.local\username (which is the way we've set up), and that did not work either.
  I'll let you know how things turn out tomorrow morning.  I don't want to mess with my users anymore today. :P
  Dustin