Will binding to AD stop local users from logging in?

Similar Messages

• How to Stop Certain Users from Logging in to The Wiki?

  While the Wiki Server in Mountain Lion Server allows me to restrict who can create new wikis, it does not seem to allow me to restrict who can login. If I setup a 'Test User', and give this user access only to the FTP service on the server, this user can still use his credentials to login to the Wiki. In fact, every user that is listed on server - for any service - can login.
  Once logged in, even if the user has been prohibited to create new wikis, they seem to still be given a 'my documents' space on the wiki server, in which they can create pages, and where they can still upload files.
  There are, therefore, several users that I don't want to be able to login to the wiki, at all. Can wiki login access be restricted?

  Try:
  1) create users and uncheck access to all services for each user,
  2) create a group with access to File Sharing and FTP,
  3) edit the group to add users, then
  4) Create Group Wiki
  Does that get you closer to the behavior you seek? Users will still see the main Wiki page, but won't have access to any of the individual wikis unless they're a member of that group's Wiki.

• Deny local admin users from logging on (or at least restrict them)

  I have a fully managed environment (AD authentication, using managed preferences from OD) that I am testing before rollout.
  My concern is that once preferences are managed, admin users will be able to create local admin accounts (I can't block the accounts pane otherwise users will not be able to change their passwords), then login and bypass preference management.
  Is there a way for local admin accounts logging on to inherit a default set of preferences that are only applied when a local account (or someone not in one of my directory groups) logs in, or better still - DENY local admins from logging in, or deny anyone from being able to create new local accounts?
  (Please don't suggest denying the users admin rights - it's not possible for political reasons).
  Many thanks in advance!
  FZ.

  There is no root or admin privilege that controls root or admin privilege. You have it, or you don't.
  I've been in exactly this case many years ago, and with replete with the politics of privileges and perceived prestige.
  I ended up documenting the foibles of the privileged folks and the time spent on recovery and restoration and related for each event, and waiting for a sufficient accumulation of same (and that didn't take very long), and I then preemptively yanked the access.
  Yes, the good folks squawked. Loudly. Yes, I got called onto the carpet.
  The Designated Responsible Individual (DRI) was then left to ruminate and make a decision, and (with the assistance of the foibles-related documentation around the efforts and time and costs) made the call. The proffered alternative (with the costs and the design and time estimates ready) with a private subnet or private LAN and private services and and a dedicated firewall configured between the privileged folks and the production LANs to keep the good folks safe and secure. Here's what that'll cost...
  Either way, you've punted the responsibility and the decision up the management chain to the DRI.
  (Oh, wait, did I mention which way that firewall was going to be facing? No? Oops. Bummer.)

• How to stop  the users from changing the Decimal in SAP

  How  to stop  the users from changing User Profile

  Hai,
  It is not possible to restrict SU3 to display, because it has only S_TCODE has the authorization object.
  If you really want to restrict users from changing their profile you have to remove the SU3 access and give SU1 or SU2 which gives access only to Personnel details and Parameters.
  Hope this helps.
  Regards,
  Yoganand.V

• Stopping the Users from Postings Transactions in a Currency

  Hi Now that Slovakia currency has switched over to EURO, we want to stop our users from posting the transactions in SKK currency accidentally. Is there some config settings that can be done for this purpose..

  Hi Pete,
  You can create a validation in the transaction OB28.
  example:
  Prerequisite BKPF-USNAM <> " "
  Check BKPF-BKPF-HWAER
  check bkpf-BKPF-WAERS
  You should create a message error in the transaction SE91 to be displayed:
  Example:
  Z1 001 You are not allowed to use this currency anymore, obsolete !!
  After that run the program RGUGBR00 with just the last 2 flags not selected.
  I hope it helps.
  Best Regards,
  Bruno Wiener

• Stopping local chain from the meta chain

  Hi ,
  Can any one let me know is there any option to stop a local chain from the meta chain....
  I have a meta chain in which 13 local chains are there.
  In those 13 chains i want to stop one particular chain ,but i dont want to delete that local chain from the meta chain.
  and below this local chain another dependent chain is also there.
  which will start execute after that chain(which i want to delete)irrespective of the status whether the above chain is pass or fail.
  can any one help me in this regards
  Thanks in advance.

  No, you cannot .  The best solution I have is to change the local chain to bypass all activity in the local chain.  This way the meta chain will run but nothing will happen within the local chain and the meta chain will continue to the next local chain.
  Hope this helps.
  PS-  Another idea, change the meta chain and replace the local chain with an ABAP program which will execute the local chain (use FM RSPC_CHAIN_START).  Then you can change the ABAP program to decide whether or not to execute the local chain.
  Edited by: Geo on Apr 2, 2009 10:11 AM
  Actually, you might be able to do something creative using "Decision Between Multiple Alternatives".
  Edited by: Geo on Apr 2, 2009 10:16 AM

• How do I unbind a local user from an Open Directory user?

  I have a couple MacBook Pros running Leopard that successfully bound a local account to a corresponding Open Directory account using Directory Utility.
  I had to re-install Leopard Server (using Standard configuration) and re-create Open Directory accounts. Now these laptops are unable to bind to the new Open Directory accounts. They receive an error that the Open Directory user ID and password provided is incorrect. In addition the local user can no longer reset or change their password. I'm thinking this is because their local accounts are still bound to the old Open Directory accounts that no longer exist. Is there are way to unbind a local account in Leopard that has been bound to an Open Directory account via the Directory Utility.

  What account are you using to bind the machine? When binding you must authenticate using the OD admin login which is usually setup as diradmin or as the current client you are logged into the machine with, but this client needs to exist on the OD server.

• Problems restricting AD users from logging in

  We previously had a Snow Leopard Server/client setup and used the magic triangle, placing AD users in an AD group and then nesting this within an OD group in Workgroup Manager.  This group was then given access to logon to our clients in the computer group pane (login preference > access) of workgroup manager and all other users were automatically dissallowed.  This worked perfectly and our system relies on this mechanism.
  Having replaced this system with Mountain Lion Server latest release and 10.8.4 clients, the same setup is not working.  We have not extended the AD schema (just for info).
  To restrict access to our clients to a particular user group, we place the users in the AD group, nest the AD group in the OD group and it appears to break the preference and give access to everyone.
  I have tried some other combinations to determine where the problem lays.
  1.     I explicitly give access to a single AD user - the single AD user can log in and no other users can log in.  This is working.
  2.     I explicitly give access to a single AD user and a deny to a second user.  The single AD user can log in, the second user cannot log in.  Other users cannot log in.  This is working.
  3.     I give access to a single OD group containing a nested AD group containing the single AD user that had access in (2).  I also explicitly deny a second user.  Now all AD users can log in except the one user I denied.  This is broken.  All users not in the nested AD group should be denied access.
  4.     I give access to the nested AD group directly instead of nesting within the OD group.  I also explicitly deny a second user.  Now all AD users can log in except the one user I denied.  This is broken and the same result as (3).
  There are some other quirks in Workgroup manager regarding the AD groups and users.  If I add an AD user directly to an OD group then it is displayed correctly until I change tab.  If I return to the tab again the name is "Not Found" with a "target" icon displayed to the left.  The ID is hexidecimal string.  The same occurs with AD groups.  I have read about this and the suggestion was to change the AD user groups to domain.local groups rather than global groups.  I did this and the AD groups then display correctly but this has not solved the login problem.
  If I use the Server.app to view the users and groups they show up correctly including an AD users added directly to the OD groups so this is better than workgroup manager but I cannot restrict access to the clients using Server.app.
  If anyone has any ideas of how to deal with this or workarounds I would really appreciate it.

  Methinks you should be posting to the server forum.

• How to stop the users from saving the PO when there is error message

  Hi Guru,
  The error message had appeared but the user still can choose to hold the PO even though there is an error.
  They do not want to let the user to have a choice to save the PO once there is an error.
  Please advice where i can out this checking in.

  Dear Sally,
  As per OSS: Note 606728 - Hold Functionality of the PR & PO - Gaps.
  The only way you can stop the hold functionality is by implementing the BADI: ME_PROCESS_PO_CUST.
  I am copying the OSS text for your reference.
  Summary
  Symptom
  It is possible in the system to create/hold a purchase order (PO) referencing a held purchase requisition (PR), but your business process requires that this not be possible in your installation.
  Other terms
  Hold, ME21N, ME52N, Parking, Save without Check, Held PR, PO referencing a held PR, Commitments, reduction of PR by a held PO
  Reason and Prerequisites
  Cause: The functionality is not provided in EA-PS 110.
  Prerequisites : You must be on EA-PS 110 to implement this note
  Solution
  You can implement some customer BAdI's provided by SAP to get this functionality. Note that customer implementations of the BAdI's provided by SAP are upwardly compatible. The text that follows gives details of how to implement the customer BAdI's to accomplish this functionality.
  This functionality might be provided in future releases. However, we cannot make any binding statements at this time in regard to the scope of this development and when it will become available.
  The following are the steps required to implement the customer BAdI to give an error message when a user tries to create a PO referencing a held PR.
  1. Go to transaction SE18. Enter the definition name as ME_PROCESS_PO_CUST. Select the push button display.
  a) Choose Implementation -> Create.
  b) Enter an implementation name. Choose Enter.
  c) Enter a short text to describe the purpose of the implementation, then save the implementation.
  d) Select the tab interface, then double-click the method "process_item".
  e) Create a message to issue a message that the PR is on hold.
  f) Enter the following code in the method:
                      DATA: LS_MEPOITEM TYPE MEPOITEM.
                      DATA : MEMORY     TYPE EBAN-MEMORY.
  get current data from business object
                      LS_MEPOITEM = IM_ITEM->GET_DATA( ).
  Check if the PO references a PR and check if the PR is not on hold
  If the PR is on hold give an error message
                        IF NOT LS_MEPOITEM-BANFN IS INITIAL.
                          SELECT SINGLE MEMORY INTO MEMORY
                          FROM EBAN WHERE BANFN = LS_MEPOITEM-BANFN
                                      AND BNFPO = LS_MEPOITEM-BNFPO.
                          IF MEMORY = 'X'.
                             MESSAGE E900(ZM). "The message that you have created in step 6
                          ENDIF.
                      ENDIF.
  g) Activate the implementation.
  2. If you do not want to let the user put the PO referencing a held PR on hold, you have to also implement the BAdI ME_HOLD_PO. The following are the steps to implement the BAdI.
  a) Go to transaction SE18.Enter the definition name as ME_HOLD_PO and click on the 'DISPLAY' button.
  b) Go to Implementation -> Create.
  c) Enter an implementation name, then choose Enter.
  d) Give some short text to describe the purpose of the implementation, then save the implementation.
  e) Select the tab interface. Double-click the method IS_ALLOWED.
  f) Enter the following code in the method:
                      DATA : IM_BEKPO_WA TYPE BEKPO.
                      DATA : MEMORY TYPE EBAN-MEMORY.
                      *-Look if the PO refers to a Held PR
                      LOOP AT IM_BEKPO INTO IM_BEKPO_WA
                             WHERE NOT BANFN IS INITIAL.
                               SELECT SINGLE MEMORY INTO MEMORY
                               FROM EBAN WHERE BANFN = IM_BEKPO_WA-BANFN
                                          AND BNFPO = IM_BEKPO_WA-BNFPO.
                               IF MEMORY = 'X'.
                      *-Do not allow the PO to be kept on hold
                      *-if the PO is refering a held PR
                                 CH_ALLOWED = ' '.
                                ENDIF.
                      ENDLOOP.
  g) Activate the implementation.
  I hope it helps.
  Kind Regards,
  Prakash

• Stop secondary user from placing bids in auction

  Hi Experts.
  I'm trying to stop the secondary user of a company from placing bids in the auction and only the primary contact to place bids. There is a setting i have looked at in the auction type settings, but I do not want to use this settting as the event should be company-wide.
  Is there an alternative way?
  Kind Regards
  Gino

  Hi Gino,
  There is no alternative and you have to know what you want.
  If you want only the primary user of the supplier to be able to place bids then you have to choose contact-specific event and then only the invited contacts will be able to place bids so in this case the primary users.
  If you want everyone of the supplier to be able to place bids then you choose company-wide event.

• How do i stop workstation users from saving their network password or credentials for logging into a 2008 R2 Server workgroup?

  I have a small workgroup of about 30 users that are a mix of XP Pro, 7 Pro and 8.1 desktop / laptop users that connect to a Windows 2008 R2 Server to use Quickbooks Enterprise, share files and printers. I dont want the users to be able to save their password
  on their workstations, I want them to have to log in every time they connect to the server. How do I turn that off?Is the something on the server in Group Policy or a secruity setting that will not allow a saved credential for logging onto the server?

  Hi,
  I have a small workgroup of about 30 users that are a mix of XP Pro, 7 Pro and 8.1 desktop / laptop users that connect to a Windows 2008 R2 Server to use Quickbooks Enterprise
  By connecting to the server, do you mean users log on locally or through remote desktop services, or just through network to access network resources instead of log on to the server directly?
  If it’s log on locally, please disable auto logon feature by configure the registry entry
  AutoLogonCount to 0, it is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  If it’s remote desktop connection, please clear Logon Credentials for corresponding remote desktop sessions.
  If it’s network access, then it is by design because network logon has a single-sign-on feature.
  More information for you:
  How to disable Auto Login?
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/705b0cf8-53f1-45f9-b6bf-2ba61c8d10bf/how-to-disable-auto-login?forum=winservergen
  How Interactive Logon Works
  http://technet.microsoft.com/en-us/library/cc780332(v=WS.10).aspx
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• How to stop grouped users from seeing all users?

  I have several users organized into groups, and would like to make is so that users can't see people outside of their group (or groups). No matter how I tweak permissions, all users get to see every other user no matter what group they're in.
  That is unacceptable and makes Server pretty useless when we need to protect the ID of our users. How can I make it so that users see only the other users in their group?
  Thanks in advance!

  Replying to my own query as it may help other noobsters.
  I've been able to control which users and groups can see a project by using the following schema:
  Create Project Wikis by creating a group with the project name, giving the group a shared folder and creating a group Wiki. Edit Access to Services and check only those services needed by the project. For example, check File Sharing and FTP for Wiki and FTP service.
  Create People categories by creating a group with the name of that group of people. For example, you could organize people by firm or department or staff category. Do not create a shared folder or group Wiki. Edit Access to Services and uncheck all services. The people groups will acquire the services and permissions they need from the Projects they join as members.
  Create users and require them to log in. Make sure "administer this computer" is unchecked and the Home Folder: drop down reads "None - Services Only." Edit Access to Services and uncheck all services. Users will acquire the services and permissions they need from the Groups they join as members.
  Now, add users to the people groups as appropriate. For example, add all engineers to the Engineers Group. Next add people groups to project groups as appropriate. For example, the Engineers Group may be added to the Bridge Project Group as well as the Building Project Group.
  Once you have users in your groups of people and groups of people in your project groups you can start the Wiki then point to it with your favorite browser. Sign in with the same username you used to create the Wikis. Select a Project Wiki then click on the gear in the upper right corner. Choose "Wiki Settings..." from the drop down menu.
  In the Wiki Settings dialog that appears, click on "Permissions" in the left pane. Enter the name of the Project (Group) then set its permissions to "Read &Write." Change the permissions for "All logged in users" and "All unauthorized users" to "None." Save changes.
  Now sign in as a user with limited permissions and verify that they can see only those wikis they're supposed to see.
  On the FTP side, they'll be able to see all group folders but they can only open those they have access to. Not great, but better than a kick in the head.

• How do I stop the user from saving information onto my original?

  Hello everyone,
  I created a form that I plan to put on a website but, I have one problem. The user is allowed to fill-in the form and save the new data onto the original. How can I set up the form so that the user cannot save over the original but, still be able to save a copy and use the "Submit by Email" button? Any help would be appreciated.
  Thank you,

  Use these steps to remove saved (form) data from a drop down list:
  #Click the (empty) input field on the web page to open the drop down list
  #Highlight an entry in the drop down list
  #Press the Delete key (on Mac: Shift+Delete) to remove it.
  *http://kb.mozillazine.org/Deleting_autocomplete_entries
  You can remove saved Password(s) here:
  * Tools > Options > Security: Passwords: "Saved Passwords" > "Show Passwords"
  *http://kb.mozillazine.org/Password_Manager
  Websites remembering you and automatically log you on is stored in a cookie.<br />
  So you need to remove the cookies from that site to reset this choice.
  *Tools > Options > Privacy > Cookies: "Show Cookies"

• How can I stop a user from saving over "standard" workbooks in a role?

  Hello -
  We are using BEx Analyzer 7.0. 
  I need help restricting our regular users so they can only save workbooks to their favorites and cannot override workbooks published to roles by our super users / authors. 
  My understanding is the regular users need the following in order to save workbooks to favorites.
  S_GUI   Activity = 60
  S_BDS_DS  Activities = 03 and 30  Class Type = OT
  These users are able to save to their favorites.
  However, if they open a workbook from a role and then just choose Save -> Workbook, it allows them to save their changed version of the workbook over the "standard" workbook that was published to the role for all users. 
  What can I do to only allow them to save to their favorites and not be able to override the standard workbooks in regular roles?
  Our super user / authors have the following security to allow them to publish to roles. 
  S_USER_AGR with Activities = 01, 02 and 06 (Create, Change and Delete)
  Our regular users have
  S_USER_AGR but only with activities 03 and 08 (Display and Display Changes)
  Any help that can be provided would be greatly appeciated.  This is very frustrating.
  Thank you -
  Ann

  Hello Anne,
  Inspite of restricting the authorisation object S_BDS_DS you are not able to restrict the users in overwriting the workbooks, please implement the note 1167094 in your system.
  Implementing this note with the help of yout BASIS team would surely fix your issue.
  Let me know if this helps. Thanks.
  Best Regds,
  Suyog Chakot...

• How can I stop authenticated users from getting other user's information?

  We recently discovered that it is possible for authenticated users, via KMu2019s details view, to view details about the other users that have access to the same resource as you.  Our portal (7.0 sp15) is used for an external facing web site.  We have secured it against anonymous users but the problem still remains for authenticated users.  Here is an example:
  The KM folder documents\Public Documents has been assigned read permissions for the group Everyone.  An authenticated user can open the URL https://<host>/irj/go/km/navigation/documents/Public%20Documents and a list of folders are shown.  The user can then select the Details from the menu for one of the folders and the Details iview is displayed.  They then select the menu item Settings > Permissions and the users/groups/roles assigned to this folder are shown.  The user can then select a user and view that users name and email address or the user could select a group and view for each member of the group the user id, name, and email address which could then be used to help attack the site.
  So I thought it would be easy enough to disable the details view for all users but content managers or administrators but I seem to running into difficulty. 
  I tried disabling the Details KM command with limited success.  Even with it disabled, if you know the URL for the details component you can still access it.  So it seems the better option is to take away access to the details component.  It seems that the users are getting access to the Details iView from the standard eu_role.  If I remove the iView from this role then all user have no access to the Details in KM.  I tried to add the iView to another role that content managers would have but when logged in with a user that had that other role I still was not able to access the Details iView. 
  This SAP Help document [http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm |http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm ]discusses the eu_role(Standard User role) and it states that
  By default, the Everyone group is assigned to the Standard User role. If you choose to use the other every user roles instead, you need to remove these assignments from the Standard User role and apply them to the Every User Core and Control Center User roles.
    But, when I look at what groups the role is assigned to or what roles are assigned to the Everyone group they donu2019t appear to be linked contrary to what the documentation says.  So, what Iu2019m thinking here is that I can create a copy of this role and remove the Details iView from the original and then assign the copy to the content managers and administrators.  Doing this causes all users to lose access, even the content managers.
  I thought Iu2019d give the Security Zones a try to see if this could help me but when I take away rights from here it still allows access.
  Iu2019m stumped.  Iu2019m sure there is some key piece that eludes me.  What can I do to allow users read only access to some KM folders and files while preventing them from viewing the permission/user details?

  The only 3d party apps are Hazel...
  And that's your problem!
  From the Hazel site's description:
  Hazel watches whatever folders you tell it to, automatically organizing your files according to the rules you create.
  Hazel, is a prefPane so you must have some rule (or it supplied the rule as a default) to put pictures (jpg's) from your Desktop (folder) into your Pictures folder.
  Open your System Preferences and Hazel in there and either turn off Hazel or change or delete the appropriate rule covering this situation.