Subject: [ActiveDir] Local Admin Rights Question

akimmons

05/08/2008 4:06 PM  
Hello Gurus,

I have a question concerning local administrator rights.

Here is my setup:

Server/Network
Server 2003 Active Directory, single domain controller, Exchange 2003
member server, (both fully patched as of April) small network with Cisco
6509 core, and all Cisco Wiring Closet switches.

Workstation
Gateway units with XP Pro, IE7, fully patched as of April, joined to
the domain.

No group Policies in effect (I am still a newbie and doing things the
hard way :).

We use a Web based software application that requires a java plug in
(jinitiator).

If I run the application logged in as the default local system
administrator, it works.

If I run the app logged in as a domain user, it won't work.

If I run the app logged in as a domain administrator, it won't work.

If I run the app logged in as a local administrator created on the
local machine with no domain rights, it won't work.

If I run the app as any other type user I can think of except the
default local administrator, then use the "run as" option and choose
the default local administrator, it won't work. (I have used this
option for a couple of other apps such as a web based mainframe
terminal emulation, and it did work. For this one, it will not.)

I do not want this secretary to run as a local admin for everything she
does.


Here is the question:

What rights does a default local administrator have that are missing
from a local user granted local machine administrator rights by adding
them to the "Machine Administrators Group"?

Can those rights be granted to a "created local administrator"? If so,
how?

Is there some way to grant "more rights" to the "run as option"?

Any guidance or pointing me in the right direction will be greatly
appreciated.

Anthony





Anthony Kimmons
Technology Coordinator

Mississippi School of the Arts
P O Box 229
Brookhaven, MS 39601

601-823-1354
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
kennedyjim

05/08/2008 4:16 PM  

Run regmon/filemon as a failing user and find out for sure where it fails. Probably something as simple as full access rights to a file or folder.


habr

05/08/2008 4:21 PM  
Anthony,

Once you get this fixed, you REALLY need to work on the "single domain
controller" problem.

RH
akimmons

05/08/2008 4:26 PM  
I found it with Google. I have just downloaded it, and will try it
out.

Thanks for the direction. I will let you know if this works.

Anthony

>>> "Kennedy, Jim" <kennedyjim@elyriaschools.org> 05/08/08 2:14 PM >>>
Sorry, it's called process monitor now....

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx



kennedyjim

05/08/2008 4:26 PM  

I just noticed 'school'.

Are you playing with ESIS by any chance, is that the software in question?



> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Anthony Kimmons
> Sent: Thursday, May 08, 2008 4:23 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Local Admin Rights Question
>
> I have the hardware in the rack.
>
> I will tackle it when school lets out in a couple of weeks.
>
> Hope it lasts that long :)
akimmons

05/08/2008 4:36 PM  
The application is called MSIS (Mississippi Student Information
System).

It is a custom written conglomerate running Oracle on a Sun box.



robertsingers

05/08/2008 5:27 PM  

> We use a Web based software application that requires a java plug in
> (jinitiator).

Hi Anthony, I've asked our Ops people to send me a copy of our user GPO
so I can check the specific details. From memory tho' to get Jinit to
work you need to give modify access to some directories, and potentially
one small part of the registry.

I also had to make it work on Citrix so I think my brain is actively
repressing the memory of the pain :-)
CrawfordS

05/08/2008 5:32 PM  
I think you're barking up the wrong tree. Using process monitor is
helpful to find things a standard user needs access to, but your
original post indicated that it only works as the actual administrator
account. That means it's not a permission issue, it's the app actually
checking the username, in which case all the rights in the world won't
help.

miller4

05/08/2008 5:42 PM  
sorry, disagree. it is a perms issue.

jinit needs to write some junk somewhere outside the local profile (some
cache directory).

Thus, you need to grant Everyone write perms for this directory if you
can figure out where it is ;)

-mjm



CrawfordS

05/08/2008 6:02 PM  
I respectfully disagree with your disagreement :)

"We use a Web based software application that requires a java plug in
(jinitiator).
.
.
.
If I run the app logged in as a local administrator created on the
local machine with no domain rights, it won't work.
.
.
.
Here is the question:

What rights does a default local administrator have that are missing
from a local user granted local machine administrator rights by adding
them to the "Machine Administrators Group"?"

I suppose it's possible that some perms have been changed to allow only
the "Administrator" account, but I think that's far less likely than an
app checking the username to make sure it's the actual account. I know
nothing about jinit, so I don't disagree that it needs some extra perms,
but I do disagree that it needs more perms than a user of the local
administrators group has (by default). Note that the OP wasn't
specifically about jinit, but rather "a Web based software application",
which can have its own set of requirements.

akimmons

05/08/2008 6:32 PM  
I think ya'll are arguing a moot point.

The local administrator accounts on the boxes in question are all
renamed.... Administrator does not get you anywhere....

(Of course the local profile is saved under docs and settings using the
term "Administrator" but you can not log in by using the name
administrator)

FWIW

Additionally, I have tried installing jinitiator with the desired
account doing a "run as" the local admin. That doesn't work either.

I will try the process monitor tomorrow.

I am gone for the day.

Thanks for all the replies.


Anthony


robertsingers

05/08/2008 6:37 PM  
The user needs modify access to somewhere like
c:\program files\oracle\Jinitiatorx.x.x.xx\lib\security and one of the
registry keys that they don't have by default.

I'm trying to make sense of my Advanced Installer project file for
repacking Jinit for install by GPSI, but I'm going to have to get admin
access to the domain so I can browse the GPOs for workstations and
users, and the citrix servers to find the other cunning things I did
late one night.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Crawford, Scott
Sent: Friday, 9 May 2008 9:59 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Local Admin Rights Question

I respectfully disagree with your disagreement :)

"We use a Web based software application that requires a java plug in
(jinitiator).
.
.
.
If I run the app logged in as a local administrator created on the
local machine with no domain rights, it won't work.
.
.
.
Here is the question:

What rights does a default local administrator have that are missing
from a local user granted local machine administrator rights by adding
them to the "Machine Administrators Group"?"

I suppose it's possible that some perms have been changed to allow only
the "Administrator" account, but I think that's far less likely than an
app checking the username to make sure it's the actual account. I know
nothing about jinit, so I don't disagree that it needs some extra perms,
but I do disagree that it needs more perms than a user of the local
administrators group has (by default). Note that the OP wasn't
specifically about jinit, but rather "a Web based software application",
which can have its own set of requirements.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Michael Miller
Sent: Thursday, May 08, 2008 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Local Admin Rights Question

sorry, disagree. it is a perms issue.

jinit needs to write some junk somewhere outside the local profile (some
cache directory).

Thus, you need to grant Everyone write perms for this directory if you
can figure out where it is ;)

-mjm



Crawford, Scott wrote:
> I think you're barking up the wrong tree. Using process monitor is
> helpful to find things a standard user needs access to, but your
> original post indicated that it only works as the actual administrator
> account. That means it's not a permission issue, it's the app actually
> checking the username, in which case all the rights in the world won't
> help.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anthony Kimmons
> Sent: Thursday, May 08, 2008 3:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Local Admin Rights Question
>
> I found it with Google. I have just downloaded it, and will try it
> out.
>
> Thanks for the direction. I will let you know if this works.
>
> Anthony
>
>
>>>> "Kennedy, Jim" <kennedyjim@elyriaschools.org> 05/08/08 2:14 PM >>>
>>>>
> Sorry, it's called process monitor now....
>
> http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
########################################################################
#####################
This e-mail message has been scanned for Viruses and cleared by NetIQ
MailMarshal.
########################################################################
######################
############################################################
PLEASE NOTE:

The information contained in this email message and any
attached files may be confidential and subject to privilege.
Any opinions expressed in this message are not necessarily
those of the Department of Building and Housing. All technical
opinions are offered on a "no-liability" basis. This message
and any files transmitted with it are confidential and solely
for the use of the intended recipient. If you are not the
intended recipient, you are notified that any use, disclosure
or copying of this email is unauthorised. If you have received
this email in error, please notify us immediately by reply email
and delete the original and any attachment(s). Thank you.
############################################################
TG

Posts:86

05/08/2008 6:37 PM  
it may not be looking for the name. Checking if it is the "500" account
will do just that. People that code that in, should be put in front of
the firing squad, though.

Thank you, Tony.


Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
ITS Infrastructure Engineering
Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 |
USA
Tel 847.295.5000 x50526 | Fax 847.554.1574
tony dot gordon at hewitt dot com | www.hewitt.com



From: "Anthony Kimmons" <akimmons@mde.k12.ms.us>
To: ActiveDir@mail.activedir.org
Date: 05/08/2008 05:30 PM
Subject: RE: [ActiveDir] Local Admin Rights Question



I think ya'll are arguing a moot point.

The local administrator accounts on the boxes in question are all
renamed.... Administrator does not get you anywhere....

(Of course the local profile is saved under docs and settings using the
term "Administrator" but you can not log in by using the name
administrator)

FWIW

Additionally, I have tried installing jinitiator with the desired
account doing a "run as" the local admin. That doesn't work either.

I will try the process monitor tomorrow.

I am gone for the day.

Thanks for all the replies.


Anthony


The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.



CrawfordS

Posts:39

05/08/2008 8:08 PM  
The administrator account can be renamed without changing its SID. I'd expect they're looking for a particular SID.

robertsingers

Posts:143

05/18/2008 1:38 PM  
From memory there are two parts to it. Getting it to install properly,
which is why I spent time repackaging it as a MSI, as Windows Installer
overcame the issues its native installer has.

Then the second part is when you first attach to an application server.
From memory our users did not have modify permissions on directories
under program files\oracle. During the first connection to the
application it updates either the local key or cert store. I don't
remember which.

________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme
Sent: Friday, 9 May 2008 3:03 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Local Admin Rights Question



Here's my take on this whole thing:

Go back to that Google article and test that stuff out first.

I'm guessing that the app is EITHER not fully installed OR there's an
ACL that is specific to the ADMINISTRATOR account.

Then (my guess) the real rub is that the app is doing something using
explorer.exe (like a Shell.Run in VBScript would do). Reason is that
you can make it work when logged on directly but not with RunAs, and the
main difference with RunAs is that (by default), you cannot "run as" a
second instance of explorer.exe. So if you RunAs the app, and if it
tries to launch Explorer, it will fail.

This is probably (certainly) due to lousy coding on the app's side *but*
what might be rare in your environment (that might "elicit" the bug more
easily than normal environments) is if you have the following Group
Policy setting enabled:

Computer Configuration \ Local Policies \ Security Options \ System
Objects; Default owner for objects created by members of the
Administrators group: Object Creator

If that policy setting is configured (the DEFAULT would be:
Administrators Group), then all of a sudden if ADMINISTRATOR installs
the app, each SD has Administrator (rather than Administrators) as the
Owner, which would explain why your domain (or even local)
Administrators cannot get the app to work (again assuming poor coding in
the app installation routine or app itself).

SO I think you're seeing the confluence of several factors, based on the
behavior you describe. You definitely need to run filemon, regmon, and
other monitoring tools to see what the heck is going on.

You might also set an AUDITING entry at the root of Program Files,
Windows, HKLM and HKCU to watch for EVERYONE:FAILURE:FULL CONTROL and
turn on Object Access auditing... the failure audit entry that appears
in your event log (assuming one does) will be illuminating. Be sure to
remove those audit entries, after testing, though, since they're super
broad and will impact performance.

Dan


listmail

Posts:428

05/18/2008 1:38 PM  
Renaming doesn't hide the admin account, it is a simple SID resolve of a
well known RID tied to the machine SID to figure out what the admin account
name is; trivial to do. It very well could be something tied to the specific
builtin administrator account but it could also be some weird perm issue. I
have seen this with the builtin admin account several times in the past.

I actually think the process explorer suggestion was a good one. At least it
will give hard data to look at.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anthony Kimmons
Sent: Thursday, May 08, 2008 6:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Local Admin Rights Question

I think ya'll are arguing a moot point.

The local administrator accounts on the boxes in question are all
renamed.... Administrator does not get you anywhere....

(Of course the local profile is saved under docs and settings using the term
"Administrator" but you can not log in by using the name
administrator)

FWIW

Additionally, I have tried installing jinitiator with the desired account
doing a "run as" the local admin. That doesn't work either.

I will try the process monitor tomorrow.

I am gone for the day.

Thanks for all the replies.


Anthony


>>> "Crawford, Scott" <CrawfordS@evangel.edu> 05/08/08 3:58 PM >>>
I respectfully disagree with your disagreement :)

"We use a Web based software application that requires a java plug in
(jinitiator).
.
.
.
If I run the app logged in as a local administrator created on the local
machine with no domain rights, it won't work.
.
.
.
Here is the question:

What rights does a default local administrator have that are missing from a
local user granted local machine administrator rights by adding them to the
"Machine Administrators Group"?"

I suppose it's possible that some perms have been changed to allow only the
"Administrator" account, but I think that's far less likely than an app
checking the username to make sure it's the actual account. I know nothing
about jinit, so I don't disagree that it needs some extra perms, but I do
disagree that it needs more perms than a user of the local administrators
group has (by default). Note that the OP wasn't specifically about jinit,
but rather "a Web based software application", which can have its own set of
requirements.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Michael Miller
Sent: Thursday, May 08, 2008 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Local Admin Rights Question

sorry, disagree. it is a perms issue.

jinit needs to write some junk somewhere outside the local profile (some

cache directory).

Thus, you need to grant Everyone write perms for this directory if you

can figure out where it is ;)

-mjm



Crawford, Scott wrote:
> I think you're barking up the wrong tree. Using process monitor is
> helpful to find things a standard user needs access to, but your
> original post indicated that it only works as the actual
administrator
> account. That means it's not a permission issue, it's the app
actually
> checking the username, in which case all the rights in the world
won't
> help.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anthony
Kimmons
> Sent: Thursday, May 08, 2008 3:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Local Admin Rights Question
>
> I found it with Google. I have just downloaded it, and will try it
> out.
>
> Thanks for the direction. I will let you know if this works.
>
> Anthony
>
>
>>>> "Kennedy, Jim" <kennedyjim@elyriaschools.org> 05/08/08 2:14 PM
>>>
>>>>
> Sorry, it's called process monitor now....
>
> http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
>
>
>
>
>> -----Original Message-----
>> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
>> owner@mail.activedir.org] On Behalf Of Kennedy, Jim
>> Sent: Thursday, May 08, 2008 4:11 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] Local Admin Rights Question
>>
>>
>> Run regmon/filemon as a failing user and find out for sure where it
>> fails. Probably something as simple as full access rights to a file or
>> folder.
>>
>>
>>
>>> -----Original Message-----
>>> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
>>> owner@mail.activedir.org] On Behalf Of Anthony Kimmons
>>> Sent: Thursday, May 08, 2008 4:05 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] Local Admin Rights Question
>>>
>>
>>> Any guidance or pointing me in the right direction will be greatly
>>> appreciated.
>>>
>> List info : http://www.activedir.org/List.aspx
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.activedir.org/ma/default.aspx
>>

bhopkins

Posts:7

05/18/2008 1:40 PM  
I haven't really been following this thread. Is this something totally written from scratch or is it Banner modified? The jinitiator requires admin rights to install, but it should not need anything special to just run. You do need to have it in the list of trusted sites or it shows some weird behavior at times. This may be something to look at since you say it works fine when the user is logged into the domain.

It will also exhibit different behavior depending on how you have the server set up. Have you checked to see if the issue is different with IE than Firefox? There are some older versions of this that have issues with IE7. I haven't worked with this on a Solaris install, but these are some of the issues that I've seen with Banner on AIX.

Thanks
Bruce Hopkins
Director Information Technology
Chattahoochee Technical College
770-528-4574
http://www.chattcollege.com


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Crawford, Scott
Sent: Thursday, May 08, 2008 5:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Local Admin Rights Question

I respectfully disagree with your disagreement :)

"We use a Web based software application that requires a java plug in
(jinitiator).
.
.
.
If I run the app logged in as a local administrator created on the
local machine with no domain rights, it won't work.
.
.
.
Here is the question:

What rights does a default local administrator have that are missing
from a local user granted local machine administrator rights by adding
them to the "Machine Administrators Group"?"

I suppose it's possible that some perms have been changed to allow only
the "Administrator" account, but I think that's far less likely than an
app checking the username to make sure it's the actual account. I know
nothing about jinit, so I don't disagree that it needs some extra perms,
but I do disagree that it needs more perms than a user of the local
administrators group has (by default). Note that the OP wasn't
specifically about jinit, but rather "a Web based software application",
which can have its own set of requirements.

-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Michael Miller
Sent: Thursday, May 08, 2008 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Local Admin Rights Question

sorry, disagree. it is a perms issue.

jinit needs to write some junk somewhere outside the local profile (some
cache directory).

Thus, you need to grant Everyone write perms for this directory if you
can figure out where it is ;)

-mjm



Crawford, Scott wrote:
> I think you're barking up the wrong tree. Using process monitor is
> helpful to find things a standard user needs access to, but your
> original post indicated that it only works as the actual administrator
> account. That means it's not a permission issue, it's the app actually
> checking the username, in which case all the rights in the world won't
> help.
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Anthony Kimmons
> Sent: Thursday, May 08, 2008 3:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Local Admin Rights Question
>
> I found it with Google. I have just downloaded it, and will try it
> out.
>
> Thanks for the direction. I will let you know if this works.
>
> Anthony
>
>
>>>> "Kennedy, Jim" <kennedyjim@elyriaschools.org> 05/08/08 2:14 PM >>>
>>>>
> Sorry, it's called process monitor now....
>
> http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
>
>
>
>
>> -----Original Message-----
>> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
>> owner@mail.activedir.org] On Behalf Of Kennedy, Jim
>> Sent: Thursday, May 08, 2008 4:11 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] Local Admin Rights Question
>>
>>
>> Run regmon/filemon as a failing user and find out for sure where it
>> fails. Probably something as simple as full access rights to a file or
>> folder.
>>
>>
>>
>>> -----Original Message-----
>>> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
>>> owner@mail.activedir.org] On Behalf Of Anthony Kimmons
>>> Sent: Thursday, May 08, 2008 4:05 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] Local Admin Rights Question
>>>
>>
>>> Any guidance or pointing me in the right direction will be greatly
>>> appreciated.
>>>
>>
akimmons

Posts:9

07/16/2008 5:34 PM  
Hello again everyone.

Here is a follow up with what I found to be the problem.

Thank you very much to all those that responded with suggestions to
help troubleshoot my problem.


The most helpful suggestion was to run process monitor and see what
error messages were generated. It really documented what steps were
being taken by IE7 and Jinitiator to launch the web session.

The second most helpful suggestion was to be sure that the domain user
was granted explicit full rights to the Jinitiator program directory
tree.

I granted those rights, but still had the failed session problems.

I launched a successful session as the default machine admin, and
recorded the results with process monitor.
I then launched a failed session as the desired domain user, and
recorded those results as well.

Both cases generated a plethora of messages that appeared to be errors.
Most of them were not what was causing my grief. I finally found a
single error on the failed session that was not present on the
successful one.

Jinitiator was trying to create a file with a particular name every
time in the jcache sub-directory of the program directory tree. (The
same file name was specified regardless of the user running the app.)
That file already existed due to previous successful attempts as a local
admin. It is not cleared out and deleted at the end of the session.

When running as a local admin, it apparently deleted the file and
recreated it. When running as a domain user with rights to the
directory, it failed at that point. Evidently, the Jinitiator logic
would not delete the file that was created by another user with the same
identical filename, even though the user had the rights to do so.

I deleted the file in question, and now the domain user can run the
session. Jinitiator can create the file and the session works.

This solved the issue.

I have some questions remaining about why the symptoms appeared, can
the situation be duplicated again, what are all the other plethora of
error messages about, etc. But, quite frankly I do not have the time to
investigate further just for the sake of curiosity. I am on to other
tasks.

Thanks again for all of your advice that helped to solve this problem.

Anthony









Anthony Kimmons
Technology Coordinator

Mississippi School of the Arts
P O Box 229
Brookhaven, MS 39601

601-823-1354

>>> "Anthony Kimmons" <akimmons@mde.k12.ms.us> 05/08/08 2:04 PM >>>
Hello Gurus,

I have a question concerning local administrator rights.

Here is my setup:

Server/Network
Server 2003 Active Directory, single domain controller, Exchange 2003
member server, (both fully patched as of April) small network with Cisco
6509 core, and all Cisco Wiring Closet switches.

Workstation
Gateway units with XP Pro, IE7, fully patched as of April, joined to
the domain.

No group Policies in effect (I am still a newbie and doing things the
hard way :).

We use a Web based software application that requires a java plug in
(Jinitiator).

If I run the application logged in as the default local system
administrator, it works.

If I run the app logged in as a domain user, it won't work.

If I run the app logged in as a domain administrator, it won't work.

If I run the app logged in as a local administrator created on the
local machine with no domain rights, it won't work.

If I run the app as any other type user I can think of except the
default local administrator, then use the "run as" option and choose
the default local administrator, it won't work. (I have used this
option for a couple of other apps such as a web based mainframe
terminal emulation, and it did work. For this one, it will not.)

I do not want this secretary to run as a local admin for everything she
does.


Here is the question:

What rights does a default local administrator have that are missing
from a local user granted local machine administrator rights by adding
them to the "Machine Administrators Group"?

Can those rights be granted to a "created local administrator"? If so,
how?

Is there some way to grant "more rights" to the "run as option"?

Any guidance or pointing me in the right direction will be greatly
appreciated.

Anthony





Anthony Kimmons
Technology Coordinator

Mississippi School of the Arts
P O Box 229
Brookhaven, MS 39601

601-823-1354
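
The trace comparison described in this follow-up, as an added example that is not part of the original post: it diffs two Process Monitor CSV exports and reports only the failures that appear in the failing session. The sample rows, the `C:\APP_DIR` path, the file name, the user names and the result strings are constructed; the thread does not record the actual values.

```python
import csv
import io
import re

# Default column set of a Process Monitor "Save as CSV" export.
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"'

# Constructed sample rows: paths, PIDs, user names and results are made up.
GOOD = "\n".join([HEADER,  # session run as the default local administrator
    r'"1:00:01","iexplore.exe","100","RegOpenKey","HKCU\Software\Example\Missing","NAME NOT FOUND",""',
    r'"1:00:02","iexplore.exe","100","CreateFile","C:\Documents and Settings\Administrator\Local Settings\Temp\x.tmp","NAME NOT FOUND",""',
    r'"1:00:03","iexplore.exe","100","CreateFile","C:\APP_DIR\jcache\EXAMPLE.FILE","SUCCESS",""',
])
BAD = "\n".join([HEADER,   # session run as the domain user
    r'"2:00:01","iexplore.exe","200","RegOpenKey","HKCU\Software\Example\Missing","NAME NOT FOUND",""',
    r'"2:00:02","iexplore.exe","200","CreateFile","C:\Documents and Settings\secretary\Local Settings\Temp\x.tmp","NAME NOT FOUND",""',
    r'"2:00:03","iexplore.exe","200","CreateFile","C:\APP_DIR\jcache\EXAMPLE.FILE","ACCESS DENIED",""',
])

# Per-user profile paths differ between the two sessions; fold the user
# name so the same probe is not reported as a difference.
PROFILE = re.compile(r"(\\documents and settings\\)[^\\]+", re.I)

def failures(trace_csv):
    """Map (process, operation, normalized path) -> result for non-SUCCESS rows."""
    found = {}
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["Result"] != "SUCCESS":
            path = PROFILE.sub(r"\1<user>", row["Path"]).lower()
            found[(row["Process Name"], row["Operation"], path)] = row["Result"]
    return found

def only_in_failed(good_csv, bad_csv):
    """Failures in the bad trace that the good trace does not share."""
    good = failures(good_csv)
    return sorted((key, result) for key, result in failures(bad_csv).items()
                  if good.get(key) != result)

if __name__ == "__main__":
    for (proc, op, path), result in only_in_failed(GOOD, BAD):
        print(f"{result:15} {proc} {op} {path}")
```

For real exports, read the file with `encoding="utf-8-sig"` in case it starts with a byte-order mark, then check the ACL and owner of each reported path.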
kennedyjim

Posts:28

07/16/2008 5:36 PM  
A local admin created the original file. The regular user did not have sufficient rights on the file to delete it or modify it. I would bet a box of ho ho's that is it. I know you said they had rights but I think you might be mistaken on that one.......

I say that because when we ripped admin rights from our users we found several of them had created root C drive folders, and they could no longer get to them.......



> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Anthony Kimmons
> Sent: Friday, May 16, 2008 12:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Local Admin Rights Question


> When running as a local admin, it apparently deleted the file and
> recreated it. When running as a domain user with rights to the
> directory, it failed at that point. Evidently, the Jinitiator logic
> would not delete the file that was created by another user with the same
> identical filename, even though the user had the rights to do so.
>
> I deleted the file in question, and now the domain user can run the
> session. Jinitiator can create the file and the session works.

habr

Posts:25

07/16/2008 5:36 PM  
Tell me why recursed Modify access of the SID in question (whether it be an
individual, Everyone, Authenticated Users, etc) to the file(s) failed to
achieve this action. The OP stated that "Evidently, the Jinitiator logic
would not delete the file that was created by another user with the same
identical filename, even though the user had the rights to do so."
I am assuming (possibly wrongfully of course) that Modify access was
granted.
If so, 'splain that one.
Sounds "logic" based to me.
__________________________________


-----Original Message-----
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kennedy, Jim
Sent: 16 May, 2008 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Local Admin Rights Question


A local admin created the original file. The regular user did not have
sufficient rights on the file to delete it or modify it. I would bet a box
of ho ho's that is it. I know you said they had rights but I think you might
be mistaken on that one.......

I say that because when we ripped admin rights from our users we found
several of them had created root C drive folders, and they could no longer
get to them.......



> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Anthony Kimmo