So whenever we get a new employee, we usually have to login to their rds account, open their outlook and give groups or individuals certain permissions / access (reviewer, editor, etc) to their calendar. Is there a way to automate this so the first time they log on these permissions are inherited and saves us the time? Thanks and I hope this is clear enough.
You should look at the Add-MailboxFolderPermission cmdlet in Exchange Management Shell. The account running it will need to have Full Access to the target mailboxes in order to logon to the mailbox and apply the appropriate permissions at the folder level, but that can be granted just before the folder permissions are applied, then removed afterwards.
Related
I am having a weird issue that didn't used to happen. Perhaps windows update causes this?
We have an E drive partition created and I created a directory:
Test1
I shared it with administrators and everyone. Administrators have full access while everyone group only has read permissions but this folder only. I added a permission to allow full control to this folder and subfolder's and files to it and assigned it to domain admins. My jadmin#domain.local account is added to this group
I checked the security on the folder and the same permissions exist.
I created a directory within Test1 and called it New Folder, disabled inheritance and made sure explicit permissions for domain admins full control to all dir and subdir and files are added.
When i attempt to open this folder, i get a message:
"You don't currently have permission to access this folder. Click Continue to permanently get access to this folder".
When I Push Continue then an explicit permission for my user gets added to that folder. I am trying to prevent that from happening. If domain admins(my user added to this group) is added with full control. Why does this warning pop up and require my user to explicitly be added. How to prevent this from occurring?
I was expecting to be able to access the new folder directory without any warning and an explicit permission to be added
Check if you can access it with an elevated CMD.
Folders wich are protected for builtin administrators groups are supposed to be security relevant. These users should also not be used to administrate on server systems.
Increase security by creating a seperate admin group and dedicated permissions.
Alternatives are using a progam that can be started elevated, Like CMD, PowerShell, totalCommander, winscp (local part) and many more.
You could also administrate remote. That should remove the problem.
Another way would be to add "Interactive Logon" group to all of your permissions where you need to access.
Disabling UAC or removing administrators from the security settings is the least that I would suggest.
I'm working on a System Service project with SYSTEM privilege (cleaning utility)... It does not interactive with any user interface.
My goal is to check files in "Desktop" and "AppData" folders for any user that exists on the PC.
I'm using NetUserEnum() to get the user list on the PC. Then I want to get the path of each user's Desktop and AppData with SHGetKnownFolderPath(), but I can't find a way to get each user's access token for SHGetKnownFolderPath(). Without a token defined in SHGetKnownFolderPath(), it returns the path for SYSTEM and not specific users.
Q1. How can I get the token of each user for SHGetKnownFolderPath()?
Q2. If no answer for Q1, is there any documented way to get the desktop & appdata path of each user in the PC?
I understand this can be achieved with dirty way ---> Registry key with some string replacement. However, the Registry key method is undocumented, which may easily break in future updates to Windows.
Edit Update:
#RaymondChen Thanks for pointing out that some user profiles may not exist. Also,
About Q1 : #Remy Lebeau provides a solution with LogonUser/Ex(),login to each user with their credentials,might be the only answer that fits the need of Q1.
About Q2 : There might have no documented way to achieve this. The only method might have to stick with Windows Registry (Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders) , as #Remy Lebeau and #Olaf Hess said. I tried to dig more information on Microsoft Community Forum and I got Microsoft would never allow access other users' profile with their native API for security reason. They do not provide APIs that can possibly violate the security rules. Each user profile can only access by its credentials.
btw, I totally understand that "Cleaning utility" aka "Windows-breaking tool", especially when the tool is not being well codded(ex. compatibility problem). For the sake of avoiding to make it become a totally Windows-Destroyer, I tried to use more documented API as possible.
For Windows Vista with SP1 / Server 2008 and better you can query the existing user profiles using the WMI class Win32_UserProfile. This allows you to retrieve the profile path and check whether it is a local or roaming profile and to get status information. The rest (retrieving the paths to APPDATA, DESKTOP, etc.) is likely going to involve reading values straight from the registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders).
All,
I have no idea how Windows service works, just curious when we register a windows service(such as auto run a server after reboot), if it requires a user profile to load info(such as pulling data from somewhere else), what user profile does it load?
Thanks,
You can select what user run each service registered and the system comes with users assigned per service. The most used by the system is SYSTEM.
To check this you have to:
Go to services.
Right click on the desired service and properties.
Go to the Log on tab and check.
If the Local System account is selected the username is SYSTEM which has special permissions on almost all folder and Windows sections including users' profiles data.
By the other hand if you would like to do something special with an specific account you can tell the system the service will start with the account specified. Just make sure to update the password information every time the user change it.
Regards,
Luis
Lenovo's system update program can be started without administrator right. When the service starts, it creates a temporary administrator account to perform the installation.
Why can a windows application have right to create an administrator-level account? How can I achieve it when I want to create a similar program?
It's related to TVSU. A design point of TVSU is that even limited users can install updates from Lenovo. And to accomplish this, the TVSU service creates a temporary admin account with a randomized username and password, then uses it to do the installations on behalf of the limited user. This is the only time the account is created. The account is not created when an admin user does updates, because the admin user already has the permissions needed to do installations.
The account is supposed to be deleted after the TVSU session finishes, but I'm aware of a case where this doesn't happen and the account stays around. However there isn't any security risk to this because both the account and password are random and not known by anything except the specific TVSU process that created them, and this process ended the last time TVSU was closed. You can safely ignore the account, delete the account, or else it should be deleted the next time TVSU is run.
(Skip to the bottom for the TLDR version.)
OK - so I have searched (really!) and all other UAC articles I have found seem to center on enabling, disabling, detecting or hiding UAC. My issue is not one of those, so here goes:
My user used to have the standard dual-token setup where I was in the Administrators group and the UAC's Consent UI would just ask me if I wanted to proceed. Now, we have separate administrative-level accounts that we need to use, and I have to authenticate with this new user. The problem I am having is that previously, starting an app as Administrator just elevated my current user, where now if I use the credentials of the new administrative user, whatever I am running runs AS that new user.
As an example, previously elevating CMD and typing whoami into the command prompt used to return my normal/current user, where it now returns the new administrative user.
This has serious negative consequences - since this is a new user, and an Administrative-level one, if any files are created using this new user, my normal user cannot write to or delete them unless I manually adjust permissions and ownership. If I use my development environment under the new account (e.g. I need to debug a service or work with a driver) and rebuild something, I end up with a bunch of files that I cannot manipulate unless I am an administrator. Likewise if I add a file while running as this new account - my SCM tool will not be able to update that file later unless it also runs under this new administrative account.
Also, Since a profile is associated with this user, things run under a completely different environment (different %USERNAME%, %USERPROFILE%, %LOCALAPPDATA%, etc.)
Installing an application will also work incorrectly if it is installed just for the current user (e.g. the "Just Me" option), instead of for all users. Things that are licensed to/in my normal user account also fail to function if run under the new account, because things are running as that new user.
The ripple effects of this change are getting larger and larger the more I work with it. So...
[TLDR] Is there a way to get temporary elevation of the current user without that user having the normal dual-token setup you get from being in the Administrative group? Or are you stuck with the impersonation behavior?