Delayed log-on into Windows under domain controller - windows

I'm trying to make a reservation system at a school where all computers (Windows) run under a domain. Users can book a computer to use. They log into the reservation system via their AD credentials; the task is to automatically unlock the specific computer when the reservation time is reached. Does anybody know whether that is possible at all?

Related

LookupAccountName / LsaLookupNames fails for cached domain credential when DC unavailable

I'm investigating a failure in my Windows 10 Credential Provider. It calls out to LookupAccountName in order to get the SID of the user that is attempting to log in. Its per-user configuration uses the account SID as the key.
The failure scenario is as follows:
There is a mixture of local and domain accounts on a domain joined computer.
The computer is in an offline or otherwise disconnected state and cannot contact the domain controller.
The domain user has logged in to this computer in the past and its credential is cached.
The call to LookupAccountName fails with ERROR_TRUSTED_RELATIONSHIP_FAILURE (0x6FD)
Here's where things are interesting:
I can log in with a local account and then "Run As" the domain user. Then subsequent calls to LookupAccountName (even when run in the context of the local user) succeed in looking up the SID of the domain user. It will continue to work until the computer is rebooted.
I've tried calling LookupAccountName as well as LsaLookupNames2. Both exhibit the same behavior. (I assume LookupAccountName is built on top of LsaLookupNames2.)
It doesn't look like the NetUser* APIs will help me, as I believe they are intended for local accounts.
Is there a way to look up the account SID for an offline domain credential, without requiring them to log in first?
Why does using "Run As" cause these APIs to suddenly work?
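An added example (not from the question or its author) showing the two-step lookup a practitioner can try on the disconnected machine: first the normal LSA name lookup, then, if that fails, a fallback to the local profile cache. It assumes that NTAccount.Translate takes the same LSA path as LookupAccountName and therefore fails offline the same way, that Get-LocalUser is available (Windows 10 / Server 2016), and that the domain user has logged on to this machine before so a ProfileList entry exists. The profile-folder match is a heuristic: it cannot distinguish two cached domain users with the same name, and the function returns nothing rather than guessing in that case.

```powershell
function Resolve-CachedDomainSid {
    param(
        [Parameter(Mandatory)][string]$Domain,    # NetBIOS domain name, e.g. CORP
        [Parameter(Mandatory)][string]$UserName
    )
    # 1. Online path. NTAccount.Translate is assumed to use the same LSA name
    #    lookup as LookupAccountName, so with the DC unreachable it throws in
    #    the same situations where the API returns 0x6FD.
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Domain, $UserName)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Verbose "LSA lookup failed: $($_.Exception.Message); trying the profile cache"
    }

    # 2. Offline fallback. Both local and domain users have ProfileList entries
    #    keyed by SID; only local SIDs share the machine's AccountDomainSid, so
    #    that prefix separates a cached domain 'jdoe' from a local 'jdoe'.
    $machineSid  = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    $candidates = foreach ($key in Get-ChildItem -Path $profileList) {
        $sid = $key.PSChildName -as [System.Security.Principal.SecurityIdentifier]
        if (-not $sid)                             { continue }  # not a SID subkey
        if ($null -eq $sid.AccountDomainSid)       { continue }  # S-1-5-18/19/20 service SIDs
        if ($sid.AccountDomainSid -eq $machineSid) { continue }  # local account, not domain
        $folder = Split-Path -Leaf (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        # Profile folders are named after the user, sometimes with a suffix
        # (jdoe.CORP, jdoe.000) when a name collision happened at first logon.
        if ($folder -ieq $UserName -or $folder -ilike "$UserName.*") { $sid.Value }
    }

    $candidates = @($candidates)
    if ($candidates.Count -eq 1) { return $candidates[0] }
    if ($candidates.Count -gt 1) {
        Write-Warning "Ambiguous: $($candidates -join ', ') all match '$UserName'; refusing to guess offline"
    }
    return $null
}

# Usage on the disconnected workstation:
#   Resolve-CachedDomainSid -Domain CORP -UserName jdoe -Verbose
```

The fallback only reads HKLM, so it works from a context that has no network and no user token, which is the situation a credential provider is in at the logon screen; it does not explain the "Run As" behaviour, it only gives you a SID to key configuration on when the DC is gone.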

Access - Network drive/shared-folder only for a program - not for user

I have a program (ERP) that needs a network drive/shared folder from my Windows server.
The problem with this is that I need to map it as a network drive (internal network) on all client PCs.
The problem:
If a user, e.g. a trainee, uses the program, I can set up the correct role for that user in the program so that the user can only do certain actions (e.g. register new customers, ...).
However, if he/she wants to get, let's say, all invoices with customer data, he/she can copy them from the network drive/share. That's uncool.
Is there a possibility to allow only a program to access the network drive/share?
The program needs to read and write.
Thanks!

Domain - Computers accounts

How can I prevent computers from joining my domain in the company if they do not have an existing account in AD?
I thought about Group Policy but I didn't find how to do this.
Is there a better way to do it?
I am using Windows Server 2016.
When a computer is joined to the domain, Windows will prompt you to provide user credentials for the domain to create the computer object.
The only way to stop it is if the user does not have permissions to create computer objects on the domain. By default, any user can.
So I think the better way to go about it is to restrict who can create computer objects on a domain. This article describes how to do that: https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstation-to-the-domain/
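An added example, not code from the answer or the linked article, of the control the answer describes: remove the default that lets any authenticated user create computer objects and delegate that right to one group instead. It assumes the ActiveDirectory module (RSAT) and Domain Admin rights on the Windows Server 2016 domain; the group name Workstation-Joiners is a placeholder. The schema GUID used is the real schemaIDGUID of the computer class.

```powershell
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. ms-DS-MachineAccountQuota is the per-user allowance behind "any user can
#    join computers" (default 10). Setting it to 0 closes that path; users
#    who hold an explicit Create Computer objects permission are not subject
#    to the quota, which is what step 2 relies on.
$current = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota before: $current"
Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Delegate "Create Computer objects" on the Computers container (or on the
#    OU where machines are pre-staged) to a single group.
$joiners   = Get-ADGroup -Identity 'Workstation-Joiners'      # placeholder group
$container = $domain.ComputersContainer
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'computer'

$acl = Get-Acl -Path "AD:\$container"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $joiners.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$container" -AclObject $acl

# 3. Audit: who can still create computer objects there (explicit computer
#    class or unrestricted CreateChild).
(Get-Acl -Path "AD:\$container").Access |
    Where-Object {
        $_.ActiveDirectoryRights -match 'CreateChild' -and
        ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

After this, a join attempt by anyone outside the group fails with an access-denied error unless the computer object was pre-created for them, which is exactly the "must already exist in AD" behaviour the question asks for. The "Add workstations to domain" user right the question was looking for in Group Policy only governs joins made under the quota, so it has no effect once the quota is 0.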

My service can't set WinXP sound mixer props on remote computer when launched from a remote login session

The title didn't scare you off. Great!
This is what I'm trying to do:
I have a service that at some point in time plays a very important sound. Because it is so important, I make sure that the mixer is unmuted and that the volume is at a proper level at startup.
This works fine when I start the service logged on locally to the computer where it's executing.
However, when I start the service from a remote desktop session it fails to get the volume control if I select "Play on this computer" when logging on.
The obvious solution is "Select 'Play on remote computer' when logging on" but for various usability reasons this is not feasible.
So, the M$ question is: "how can a service launched from a remote desktop session set the local mixer main volume if 'Play on this computer' was selected at log on?"
The service runs on WinXP and I use the horrible Mixer* API from C++.
Thanks,
Rickard
The problem is that as an OS service, you can't control the volume for a TS user unless you have code running in the TS user's session. In order to remote audio from the server to the client, the TS service virtualizes all the audio APIs. Those virtualized controls aren't accessible from Windows services.
In order to solve your problem, you'll need some code running in the user's session. I might suggest a scheduled task which is triggered on user logon. The task scheduler APIs allow you to create a task which causes a COM object to be created upon user logon. From that COM object, you can communicate with your service and then perform the mute operation on behalf of the user.
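An added example (not the answer's own code) of the registration half of that suggestion: a task that starts a per-session helper in every interactive user's session at logon, running with that user's limited token rather than as the service. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later, so not the asker's XP box, where the same task is built through the Task Scheduler API) and that C:\Program Files\MyService\SessionHelper.exe is a placeholder for the component that talks to the service.

```powershell
# Placeholder path for the helper that runs inside the user's session.
$helper = 'C:\Program Files\MyService\SessionHelper.exe'

$action  = New-ScheduledTaskAction -Execute $helper
$trigger = New-ScheduledTaskTrigger -AtLogOn           # no -User: fires for any user

# Group principal: the task runs in the logging-on user's own session, with a
# limited (non-elevated) token. The helper only needs that user's audio
# session, so it gets nothing more.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

# No execution time limit: the helper stays alive for the session so the
# service can ask it to unmute/adjust volume whenever the sound is due.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -ExecutionTimeLimit ([TimeSpan]::Zero)

Register-ScheduledTask -TaskName 'SessionHelper' -TaskPath '\MyService\' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force

# Verify what will run, as whom, and that it is enabled.
Get-ScheduledTask -TaskName 'SessionHelper' -TaskPath '\MyService\' |
    Select-Object TaskName, State,
        @{ n = 'RunsAs'; e = { $_.Principal.GroupId } },
        @{ n = 'Exe';    e = { $_.Actions[0].Execute } }
```

The service itself stays out of the user session; whatever channel the helper uses to talk to it (named pipe, COM, etc.) should authenticate the caller, since every interactive user will now have an instance of the helper.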

clearcase_albd - Does it take a clearcase license?

My question is pretty much summed up in the subject. The context is a problem we are facing with the account getting locked out fairly often.
My setup uses this as the service account for the ClearCase application.
There is another account by the same name (but in a different domain - a trusted domain) that runs monitoring software under this account. E.g., my setup uses the account DOMAINA/clearcase_albd, while this other trusted domain runs a batch file under TRUSTEDDOMAIN/clearcase_albd.
We are suspecting this account to be causing the lockout of our service account (but at this point have not yet figured out why!)
Have pored over event logs endlessly, to no avail, and have now decided to start fresh from ground zero. Am following a thread of thought and the first thing I need confirmation on is this:
Should I be seeing the DOMAINA/clearcase_albd account when I run clearlicense at all?
If not, then why would another account by the SAME name but from a different domain lock out my domain account?
Would greatly appreciate any help in this regard,
Thanks in advance
According to the IBM ClearCase Manual, the Rational® ClearCase® albd_server program runs with the identity of a special user account known as the Rational ClearCase server process user.
This user is a member of the Rational ClearCase administrators group, which grants privileged user status.
That account should not directly use a license, as it is related to the albd (Atria Location Broker) process, which executes operations on behalf of other users.
When a client program needs access to a service (a VOB or view server, for example) on a Rational ClearCase server host, it uses a remote procedure call (RPC) to send a request to the albd_server process on that host.
The albd_server starts the requested service if it is not already started, and provides the service’s port number to the client. Thereafter, the client communicates directly with the service.
IBM does suggest two albd accounts, for central VOB/view servers and end-user workstations. This is primarily done to prevent albd account issues (account lockouts, etc) on the albd account from impacting the VOB servers themselves.
BUT: those accounts should be on the same domain.
Note: by typing
creds clearcase_albd
you will see its SID for the current Windows domain.
You will then be able to check if that SID shows up in the clearlicense command output.
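An added example, not part of the answer, for the "pored over event logs" part of the question: every lockout in a domain is recorded as Security event 4740 on the PDC emulator, and that event names the computer the failing credentials came from, which is the quickest way to confirm or rule out the TRUSTEDDOMAIN machine running the batch file. It assumes the ActiveDirectory module and permission to read the PDC's Security log; the account name comes from the question.

```powershell
Import-Module ActiveDirectory
$account = 'clearcase_albd'
$pdc     = (Get-ADDomain).PDCEmulator

function Get-LockoutSources {
    param([string]$Account, [string]$DomainController, [int]$Days = 7)

    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740                       # "A user account was locked out"
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        # Build a name -> value table from EventData/Data so the script does
        # not depend on field order.
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Account) { continue }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            LockedAccount  = $data['TargetUserName']
            LockedSid      = $data['TargetSid']
            # In 4740 the "Caller Computer Name" field is stored as TargetDomainName.
            CallerComputer = $data['TargetDomainName']
            ReportedByDC   = $data['SubjectUserName']
        }
    }
}

$rows = Get-LockoutSources -Account $account -DomainController $pdc
$rows | Sort-Object Time | Format-Table -AutoSize

# Which machines are responsible, and how often.
$rows | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Name, Count
```

If the caller computer turns out to be a host in the trusted domain, the next place to look is the bad-password events that precede each lockout on that DC (4776 for NTLM, 4771 for Kerberos pre-authentication), which show the same workstation name and let you tie the lockouts to the batch job's schedule.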