Currently we require Domain Administrator access to transfer a domain account between computers using Windows Easy Transfer.
Is it possible to grant a user access to the Transfer without granting them full Domain rights?
Thanks.
Related
I wish to open and process a text file on a remote Windows server using PowerShell.
We have something (roughly) like the following:
$path = "\\server1\c$\Users\gavin\Desktop\mylogfile.log"
Get-Content $path
Apparently, I can only get this to work when I have Admin rights to server1.
For security reasons, I cannot have unlimited access to all the servers I wish to access.
Is there a way of getting around this, given that I can only have less than full Admin rights?
I am thinking in terms of getting IT to alter my group privileges etc. on the remote machine(s).
\\server1\C$ is a so-called administrative share. They're hidden shares for administrator access to remote computers' filesystems. Accessing these requires admin privileges for security reasons.
Ask an administrator to create a dedicated share that allows you access, or (better yet) have the servers create the logs in a central location to which you have access.
Is there a Windows C++ API to execute a command as a different user ? I am trying to mount a CIFS share from a service which is running as sys admin and I am currently logged in as a Kiosk user so when I try to mount the share using "net use .." I get access denied.
With CreateProcessWithLogin, you can execute a command with an arbitrary user provided you have valid credentials. Alternatively, can can use a combination of LogonUser and CreateProcessAsUser / CreateProcessWithToken.
Rather than requiring credentials including a password stored as plaintext (not recommended from a security POV), you could also grant required permissions to the kiosk user so that the current user context is sufficient for accessing the data and/or mapping the network drive.
If that is not an option, your application could have a manually configured persistent network drive as a prerequisite. The credentials would then be managed by Windows.
I am working on the examination system and need to implement the following scenario:
User ( standard windows user ) completes the exam and then it is saved on the network share.
For security reasons the share does not have permissions for this user account. So I use impersonation API ( LogonUserEx, ImpersonateLoggedOnUser, RevertToSelf).
It all worked fine when the user with which I do the impersonation had admin privileges on the
local computer but the requirements are that it will be standard user.
With standard user the share is not visible. When I log in interactively with this user the share is visible and writable. So I assume that the standard user can not mount share when not logged in interactively. Is this correct? Is there a workaround?
The only time my code runs with elevated privileges is during the setup of the software.
I thought about using WNetAddConnection2 API but I need the share to be mounted to
this "hidden" user profile and not the administrator one that runs the setup.
Is there a way to access a folder on network share with a service account?
I am using Windows 7 ent.
Is there a way to access a folder on network share with a service
account?
YES
It should prompt you for the credentials when you try to access it, and in there you will enter your Domain username and password.
If your account does not have sufficient security permissions, then you won't be able to access it. Ask your network admin to check to see if you have sufficient permission.
I'm going to write a script to disable/enable network access for applications in windows. My idea was to write a script that runs a windows shell command that do this.
The scripting is the easy path, but i don't know how to do the "denying" part. Any ideas?
This sounds like a task better suited to letting Windows user / group security handle.
For example, assuming you're on Active Directory and have administration privileges, you could create a user account with the very specific access your app needs, and configure your app to authenticate with the network using that user's credentials.
Then your app through AD would access the network within the constraints of that user account's privileges, and if necessary deny them access to specific network resources.