I have a requirement to create user IDs and assign the Admin role to some users, and I am trying to do this through a Jython script as it will speed up the process and save time.
So, I have created the below Jython script to achieve it.
Script
import sys

# Raw string so the backslashes in the Windows path are not treated as escapes
filename = r"C:\Users\harish\Desktop\scripts\input.txt"
fileread = open(filename, 'r')
filelines = fileread.readlines()
for row in filelines:
    row = row.strip()
    if not row:
        continue                      # skip blank lines
    column = row.split(';')           # uid;password;first;last
    user_name = column[0]
    print user_name
    pass_word = column[1]
    first = column[2]
    last = column[3]
    # option names must be contiguous: '-cn', not '- cn'
    AdminTask.createUser(['-uid', user_name, '-password', pass_word,
                          '-confirmPassword', pass_word, '-cn', first, '-sn', last])
    AdminTask.mapUsersToAdminRole(['-roleName', 'Administrator', '-userids', user_name])
    AdminConfig.save()
    print 'Userid creation completed for', user_name
fileread.close()
The script runs fine and doesn't throw any errors. However, the users are not able to log in to the WAS Admin Console, and they are only able to do so after I save the configuration by clicking "OK" at page "Users and Groups" -> "Administrative User Roles" ->
Can someone please let me know what I am missing here while working with wsadmin, or is there anything else I need to do to accomplish the task?
I am working on WAS 8.5.5.0 version.
Thanks for your help.
I think you need to add this code to the end of your script (not in the for-loop). This will refresh the security configuration.
agmBean = AdminControl.queryNames('type=AuthorizationGroupManager,process=dmgr,*')
AdminControl.invoke(agmBean, 'refreshAll')
This assumes you're using Network Deployment, process=dmgr. You may need to change the process.
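An added example, not part of the original question or answer: validate the "uid;password;first;last" input file before any AdminTask call is made, and build the exact argument lists the script above passes to wsadmin, so a malformed row or a duplicate uid stops the run before the first user is created rather than half-way through the loop. It is written without Python 2.3+ syntax (no with, no enumerate, no dict membership test) so it also runs inside the Jython 2.1 that wsadmin on WAS 8.5 embeds. The sample input is constructed.

```python
# Added example, not from the original post. Parses the uid;password;first;last
# file read by the script above and returns the wsadmin argument lists.

ADMIN_ROLE = 'Administrator'


def parse_user_rows(text):
    """Return [(uid, password, first, last), ...] from the file contents.

    Blank lines and '#' comment lines are skipped and CR/LF endings tolerated.
    A row with the wrong field count, an empty uid or password, or whitespace
    in the uid raises ValueError naming the line.
    """
    rows = []
    lineno = 0
    for line in text.replace('\r\n', '\n').split('\n'):
        lineno = lineno + 1
        stripped = line.strip()
        if not stripped or stripped[0] == '#':
            continue
        column = stripped.split(';')
        if len(column) != 4:
            raise ValueError('line %d: expected 4 fields separated by ";", got %d'
                             % (lineno, len(column)))
        uid = column[0].strip()
        password = column[1]
        if not uid or uid.split() != [uid]:
            raise ValueError('line %d: uid must be non-empty with no whitespace' % lineno)
        if not password:
            raise ValueError('line %d: empty password for uid %s' % (lineno, uid))
        rows.append((uid, password, column[2].strip(), column[3].strip()))
    return rows


def create_user_args(uid, password, first, last):
    """Argument list for AdminTask.createUser; note the option is '-cn', not '- cn'."""
    return ['-uid', uid, '-password', password, '-confirmPassword', password,
            '-cn', first, '-sn', last]


def map_admin_role_args(uid, role=ADMIN_ROLE):
    """Argument list for AdminTask.mapUsersToAdminRole."""
    return ['-roleName', role, '-userids', uid]


def plan_admin_calls(text):
    """Return [(createUser args, mapUsersToAdminRole args), ...] for the whole
    file, rejecting a uid that appears twice so no user is mapped twice."""
    seen = []   # a list, not a dict, so the membership test works on Jython 2.1
    plan = []
    for uid, password, first, last in parse_user_rows(text):
        if uid in seen:
            raise ValueError('duplicate uid %s' % uid)
        seen.append(uid)
        plan.append((create_user_args(uid, password, first, last),
                     map_admin_role_args(uid)))
    return plan


# Constructed sample input (not real accounts) with a comment line, a blank
# line and Windows line endings, as a file saved from Notepad would have.
SAMPLE_INPUT = ('# uid;password;first;last\r\n'
                'alice;Sample-Pass-1;Alice;Example\r\n'
                '\r\n'
                'bob;Sample-Pass-2;Bob;Example\r\n')
```

Inside wsadmin the loop becomes: for each (create_args, map_args) in plan_admin_calls(open(filename).read()), call AdminTask.createUser(create_args) and AdminTask.mapUsersToAdminRole(map_args), then AdminConfig.save() and, once after the loop, the refreshAll call from the answer above. The input file holds cleartext passwords: restrict its NTFS permissions to the account running wsadmin and delete it when the run is finished.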
I have a Windows 10 vb.net main process (tester) that needs to create a process to clean up a certain registry area. The products we test have a single FTDI serial port adapter, but over time these instances build up and slow the registry to a crawl.
As the main process starts, the desire is to use an off the shelf utility, DeviceCleanupCmd.exe, to search and remove the driver instance build up. This requires administrator privileges for that sub process. I've been able to do this on XP with script, but the system is running with full administrator privileges. Since it's not on the network, there's very little risk.
Moving forward, we are trying to replace the XP system with a Windows 10 Enterprise box that is network connected. I wanted to incorporate the equivalent of the script into the vb.net process and I modified the vb.net application to use
Process() with StartInfo.Verb = "runas"
Local user credentials (not a domain user) the application provides to start the sub process.
Using this method, my sub process executes, but not with administrator level privileges. The Stackoverflow reference below explains that I can't use this method and have to use CreateProcessWithLogonW. I understand Ian Boyd's concerns for security in the post.
Run process as administrator from a non-admin application
I have followed the Microsoft implementation that follows and am still having issues.
https://learn.microsoft.com/en-us/troubleshoot/dotnet/visual-basic/start-process-as-another-user
Here's the essential part of my code. You will see that I truncated the MS example to use the W2K portion, as we won't be going back that far!
wUser = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(UserName + Chr(0)))
wDomain = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(DomainName + Chr(0)))
wPassword = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(Password + Chr(0)))
wCommandLine = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(CommandLine + Chr(0)))
wCurrentDir = System.Text.Encoding.Default.GetString(UnicodeStringToBytes(CurrentDirectory + Chr(0)))
' Win32 parameter order is: user, domain, password, dwLogonFlags (LOGON_WITH_PROFILE or
' LOGON_NETCREDENTIALS_ONLY), application name, command line, dwCreationFlags,
' environment, current directory, STARTUPINFO, PROCESS_INFORMATION.
' Here CREATE_DEFAULT_ERROR_MODE is passed in the dwLogonFlags slot.
Result = CreateProcessWithLogonW(wUser, wDomain, wPassword, CREATE_DEFAULT_ERROR_MODE, 0&, wCommandLine, CREATE_NEW_CONSOLE, 0&, wCurrentDir, si, pi)
If Result <> 0 Then
    CloseHandle(pi.hThread)
    CloseHandle(pi.hProcess)
    W2KRunAsUser = 0
Else
    W2KRunAsUser = Err.LastDllError
    Status = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, CType(0&, IntPtr), W2KRunAsUser, 0, strMessage, Len(strMessage), 0)
    MsgBox("CreateProcessWithLogonW() failed with error: " & W2KRunAsUser & " " & strMessage, vbExclamation)
End If
Please remember that my target administrator user is only resident on the PC I'm running the application on - not on the domain. I've verified that I can login with the credentials and run DeviceCleanupCmd.exe with success. In order to login locally, I must use a \ before the user. When I run the code, I've attempted the following, with the error message that Windows 10 supplies after the colon (:):
Providing "user", "password", and "domain" (I know it's not required): The directory name is invalid.
Providing "user", "password", and domain as "": The directory name is invalid.
Providing "\user", "password", and domain as "": The directory name is invalid.
Providing ".\user", "password", and domain as "": The stub received bad data.
Providing "user", "password", and domain as "computer name": The directory name is invalid.
Providing "non-admin user", "password", and "domain of user": DeviceCleanupCmd.exe runs but complains 'No admin privileges available'.
Because the application is complaining about an invalid directory name, I've purposely placed the DeviceCleanupCmd.exe in a C:\sub-directory that is not protected by Windows (Like Program Files). Attempt 6 above would seem to prove that there's not rights/access violations.
I have also tried CREATE_NEW_CONSOLE in place of CREATE_DEFAULT_ERROR_MODE and same results as above. I've proved the user is being decoded, as when I provide an incorrect password, I get "The user name or password is incorrect".
@Hurshey provided the insight to look at the Windows Task Scheduler, and the following links support fully configuring the task + incorporating the exported XML into NSIS - my target deployment method.
https://www.windowscentral.com/how-create-automated-task-using-task-scheduler-windows-10
https://nsis.sourceforge.io/Talk:Scheduled_Tasks
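An added example, not part of the original question or the linked articles. CreateProcessWithLogonW cannot hand out an elevated token: under UAC even a member of the local Administrators group gets a filtered token, so "No admin privileges available" is the expected outcome of that route. The scheduled-task alternative works because the task definition fixes who it runs as and what it runs, and the tester's process only triggers it. The block below writes such a task definition and audits one before it is imported, including the check that matters most for an elevated task: that the executable is not in a location a non-admin could overwrite. Element names follow the Task Scheduler XML schema as seen in exported tasks; the task account, paths and description are placeholders, and the DeviceCleanupCmd.exe switches are not given in the post and are left as a placeholder.

```python
# Added example, not from the original post: generate and audit a Task
# Scheduler XML definition for an elevated, on-demand task.
import re
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
ET.register_namespace("", NS)


def q(tag):
    return "{%s}%s" % (NS, tag)


def build_elevated_task_xml(command, arguments, run_as, description=""):
    """Task XML for an on-demand task that runs 'command' elevated as 'run_as'."""
    task = ET.Element(q("Task"), version="1.2")
    info = ET.SubElement(task, q("RegistrationInfo"))
    ET.SubElement(info, q("Description")).text = description
    ET.SubElement(task, q("Triggers"))   # no trigger: the task is started on demand only
    principal = ET.SubElement(ET.SubElement(task, q("Principals")), q("Principal"), id="Author")
    ET.SubElement(principal, q("UserId")).text = run_as
    ET.SubElement(principal, q("LogonType")).text = "Password"   # run whether logged on or not
    ET.SubElement(principal, q("RunLevel")).text = "HighestAvailable"
    settings = ET.SubElement(task, q("Settings"))
    ET.SubElement(settings, q("MultipleInstancesPolicy")).text = "IgnoreNew"
    ET.SubElement(settings, q("DisallowStartIfOnBatteries")).text = "false"
    ET.SubElement(settings, q("StopIfGoingOnBatteries")).text = "false"
    ET.SubElement(settings, q("AllowStartOnDemand")).text = "true"
    ET.SubElement(settings, q("Enabled")).text = "true"
    execute = ET.SubElement(ET.SubElement(task, q("Actions"), Context="Author"), q("Exec"))
    ET.SubElement(execute, q("Command")).text = command
    ET.SubElement(execute, q("Arguments")).text = arguments
    return ET.tostring(task, encoding="unicode")


# Path fragments a standard user can normally write to; an elevated task whose
# command lives there is a privilege escalation for anyone who can replace the file.
USER_WRITABLE = re.compile(r"(^%|\\Users\\|\\Temp\\|\\AppData\\)", re.IGNORECASE)


def audit_task_xml(xml_text):
    """Facts to review before importing a task: who it runs as, whether it is
    elevated, what it runs, and whether the command path looks user-writable.
    Raises ValueError when the XML has no Principal or no Exec action."""
    root = ET.fromstring(xml_text)
    principal = root.find("./%s/%s" % (q("Principals"), q("Principal")))
    execute = root.find("./%s/%s" % (q("Actions"), q("Exec")))
    if principal is None or execute is None:
        raise ValueError("task XML has no Principal or no Exec action")

    def text(parent, tag):
        node = parent.find(q(tag))
        return (node.text or "").strip() if node is not None else ""

    command = text(execute, "Command")
    return {
        "run_as": text(principal, "UserId"),
        "elevated": text(principal, "RunLevel") == "HighestAvailable",
        "command": command,
        "arguments": text(execute, "Arguments"),
        "command_path_suspect": (not re.match(r"^[A-Za-z]:\\", command)
                                 or USER_WRITABLE.search(command) is not None),
    }


# Placeholder values: local account, admin-only tool directory, unknown switches.
EXAMPLE_XML = build_elevated_task_xml(r"C:\TesterTools\DeviceCleanupCmd.exe",
                                      "<switches as used in the XP script>",
                                      r"TESTER-PC\cleanupadmin",
                                      "Remove stale FTDI device instances")
```

Save the generated text with an XML declaration in the file's encoding (exported tasks are UTF-16) and import it on a test machine with schtasks /Create /XML before baking it into the NSIS installer; the audit also flags anything under C:\Users, Temp or AppData, and C:\TesterTools should itself be writable by administrators only (check with icacls).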
I connected Alfresco with my Active Directory. I am able to log in using Windows credentials, but how do I add user space to these Windows logins? I am not able to create new content using the Windows login. Also, I have to log in twice in order to view the Alfresco Explorer page: first in the browser, then on the Alfresco login page. How do I make it a single page?
Here is my global property
### Active Directory Configuration ###
authentication.chain=passthru1:passthru,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
passthru.authentication.sso.enabled=false
passthru.authentication.allowGuestLogin=false
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false
passthru.authentication.servers=192.168.100.100
passthru.authentication.domain=<Netbios Domain>
passthru.authentication.useLocalServer=false
passthru.authentication.defaultAdministratorUserNames=sameer
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://192.168.100.100:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=uid\=sameer,cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.java.naming.security.credentials=<administrator.privilege.account.password>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.userSearchBase=cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=Nogroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
synchronization.synchronizeChangesOnly=true
cifs.enabled=false
First, a kind of error in your properties:
Use either ldap.authentication.active=true or passthru as the active subsystem.
This is the reason you need to log in twice.
So in this case just put
ldap.authentication.active=false
I'm not sure why you're not an admin; can you try the following:
ldap.authentication.defaultAdministratorUserNames=sameer
or
ldap.authentication.defaultAdministratorUserNames=uid\=sameer,cn\=users,dc=<company.domain>,dc=com
Are you sure it's uid=sameer and not cn=sameer?
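An added example, not part of the original question or answer: a small reader for alfresco-global.properties and a lint pass over the points above, run against a constructed, trimmed copy of the posted configuration (placeholder host and DN). It flags the double-login cause the answer gives (passthru and ldap both active in the chain), plus two things a reviewer of that file would add: a simple bind to a plain ldap:// URL sends every user's password, and the synchronisation account's, in cleartext, and the sync password sits in the file in cleartext. Key names are Alfresco's, as in the post; the checks are this example's own.

```python
# Added example, not from the original post: parse and lint the Alfresco
# authentication properties shown in the question.


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key/value split at
    the first unescaped '=' or ':', backslash escapes such as '\\=' removed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value, escaped = [], [], False
        target = key
        for ch in line:
            if escaped:
                target.append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif target is key and ch in "=:":
                target = value          # first unescaped separator ends the key
            else:
                target.append(ch)
        props["".join(key).strip()] = "".join(value).strip()
    return props


def lint_auth_config(props):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    chain = [entry.split(":")[1] for entry in props.get("authentication.chain", "").split(",")
             if ":" in entry]
    # Alfresco treats a missing ldap.authentication.active as true (assumed default).
    ldap_active = props.get("ldap.authentication.active", "true").lower() == "true"
    authenticators = [s for s in chain if s != "ldap" or ldap_active]

    if "passthru" in authenticators and "ldap" in authenticators:
        findings.append("passthru and ldap are both active in the chain, the cause the answer "
                        "gives for being prompted twice; set ldap.authentication.active=false")

    url = props.get("ldap.authentication.java.naming.provider.url", "")
    bind = props.get("ldap.authentication.java.naming.security.authentication", "simple")
    if url.startswith("ldap://") and bind == "simple":
        # the synchronisation bind uses the same URL, so this applies even when
        # LDAP authentication is switched off
        findings.append("simple bind to %s sends passwords in cleartext; use ldaps://" % url)

    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append("sync account password is stored in cleartext in the properties file; "
                        "restrict the file's permissions and use a read-only directory account")
    return findings


# Constructed, trimmed copy of the posted configuration (placeholder values).
SAMPLE_PROPERTIES = r"""
### Active Directory Configuration ###
authentication.chain=passthru1:passthru,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
passthru.authentication.sso.enabled=false
passthru.authentication.servers=192.0.2.10
passthru.authentication.defaultAdministratorUserNames=sameer
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://192.0.2.10:389
ldap.synchronization.java.naming.security.principal=uid\=sameer,cn\=users,dc=example,dc=com
ldap.synchronization.java.naming.security.credentials=not-a-real-password
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
"""
```

With the posted settings the lint reports three findings; applying the answer's change (ldap.authentication.active=false) removes the double-login one, while the two transport and storage findings stay until the URL is switched to ldaps:// and the file's permissions are tightened.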
How do users reset passwords while in "off-line" mode?
We are running the site as Intranet.
Joomla 2.5.4
Mhm.. this is quite long to do, but maybe you can work it out.
Grant your user level offline access (you can do that in Global configuration -> Permissions)
Create a menu entry that point to the user profile and set visible to your users
Set every menu/modules etc etc invisible to "normal" users (except the previous one)
I've never tried it before, but it should work.
I just wanted to share my solution for Joomla 3.9:
In the file "offline.php" of your template (or in /templates/system if the template has no offline.php) you can place this code before where the login form is displayed:
if (JRequest::getVar('option') == 'com_users') {
    ?><jdoc:include type="message"/><?php
    // Hand the request to the com_users controller so its reset/remind
    // views render inside the offline page
    $registrationController = new UsersController();
    $registrationController->display();
} else {
    // Login Form
}
so it displays the dialogs to reset the password if the page is loaded by using "index.php?option=com_users&task=request.reset" or similar, but shows the "offline" login form by default.
I have an application that performs WMI queries on remote hosts. I'm attempting to define the minimal amount of security permissions required for the user used to do the queries.
I've defined a user with minimal permissions. I've found that this user has enough permissions to do the needed queries, but only if the same user is logged in interactively on the remote host.
For example, if I log in to the remote host with the nonadmin user (i.e. open a desktop on the remote host), the query select * from Win32_Environment returns 2 more entries than if I'm not logged in. The 2 entries are:
instance of Win32_Environment
{
Caption = "COMP-BAF3244E\\nonadmin\\TEMP";
Description = "COMP-BAF3244E\\nonadmin\\TEMP";
Name = "TEMP";
Status = "OK";
SystemVariable = FALSE;
UserName = "COMP-BAF3244E\\nonadmin";
VariableValue = "%USERPROFILE%\\Local Settings\\Temp";
};
and
instance of Win32_Environment
{
Caption = "COMP-BAF3244E\\nonadmin\\TMP";
Description = "COMP-BAF3244E\\nonadmin\\TMP";
Name = "TMP";
Status = "OK";
SystemVariable = FALSE;
UserName = "COMP-BAF3244E\\nonadmin";
VariableValue = "%USERPROFILE%\\Local Settings\\Temp";
};
as seen in MOF representation in the wbemtest tool. The wbemtest connection is to \\remotehost\root\cimv2 as user nonadmin.
How does logging in to the remote host affect the results of the WMI query?
What permissions do I need to add to my user so that the additional information is available even when the remote user is not logged in?
The problem has to do with the user profile not being loaded unless the user has the correct rights.
The user profile not being loaded is also an issue for calling Win32_Process.Create. If the profile is not loaded then this will fail with UNKNOWN FAILURE (8).
Thanks to this blog post for pointing out the cause of the errors!
In order to have the user profile loaded automatically during remote WMI access, give the user the "Backup files and directories" and "Restore files and directories" user rights.
You can find these rights policies at:
"Run..." --> secpol.msc --> Local Policies --> User Rights Assignment
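An added example, not part of the original question, the answer or the blog it cites: check from a "secedit /export /cfg rights.inf" dump whether an account holds the two user rights the answer grants, and make the trade-off visible. The [Privilege Rights] section format (right = *SID,*SID,name) is the real one; the dump below is constructed with a made-up machine SID. The caveat a reviewer would add to the answer: SeBackupPrivilege lets a token read any file and SeRestorePrivilege lets it write any file regardless of ACLs, so a "minimal" WMI account holding both is close to a local administrator as far as data access goes, and its password deserves the same handling.

```python
# Added example, not from the original post: parse a secedit export and report
# which user rights a given account (or its groups) holds.

NEEDED_FOR_PROFILE_LOAD = ("SeBackupPrivilege", "SeRestorePrivilege")

# Rights that on their own allow reading/writing arbitrary files or escalating.
HIGH_IMPACT_RIGHTS = {
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeImpersonatePrivilege": "impersonate clients after authentication",
}

BUILTIN_ADMINS = "S-1-5-32-544"
BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551"


def parse_privilege_rights(inf_text):
    """Return {right_name: set(of SIDs or account names)} from the
    [Privilege Rights] section. secedit writes the file as UTF-16; decode it
    before calling this. SIDs appear with a leading '*', which is stripped."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = (line.lower() == "[privilege rights]")
            continue
        if not in_section or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        rights[name.strip()] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights


def missing_rights(rights, sid, groups=()):
    """Rights from NEEDED_FOR_PROFILE_LOAD the account lacks, counting rights
    held through any of the group SIDs it is a member of."""
    identities = {sid, *groups}
    return [r for r in NEEDED_FOR_PROFILE_LOAD if not (rights.get(r, set()) & identities)]


def high_impact_rights(rights, sid, groups=()):
    """Which dangerous rights the account ends up with, for the risk write-up."""
    identities = {sid, *groups}
    return {r: why for r, why in HIGH_IMPACT_RIGHTS.items() if rights.get(r, set()) & identities}


# Constructed dump: default holders only, then the same file after the grant.
NONADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"   # made-up

BEFORE = """
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""

AFTER = BEFORE.replace(
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551",
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*" + NONADMIN_SID).replace(
    "SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551",
    "SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*" + NONADMIN_SID)
```

On the target host run secedit /export /cfg C:\temp\rights.inf as an administrator, read it with open(path, encoding="utf-16"), and feed the text to parse_privilege_rights; missing_rights tells you whether the grant from secpol.msc took effect, and high_impact_rights is the list to put in the change record for the account.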
I've been tasked with converting a legacy application to MVC. The app used pgp.exe to PGP-sign user input and send it as an email. The application works locally and on a test server but won't run on a live server. I've had to jump through hoops such as running a specified user in the application pool so that we can set the keys in the user's profile, BUT it worked.
For some reason on the live server, which is Windows 2003 / IIS 6 and identical to the testing server, it fails. The problem is pgp.exe just won't seem to sign and create files; the message I get from the console output is "Signature Error"?? When I put the command into a shell window logged in as the app pool user it runs no problem (after a fight with some permissions), but when running through the MVC application/IIS server it fails. The code used to call the process is below.
var startInfo = new ProcessStartInfo();
startInfo.FileName = _pgpexeLocation;
//startInfo.FileName = "pgp.exe";
// Note: the passphrase after -z is visible to anyone who can list processes on the server
startInfo.Arguments = string.Format("-sta \"{0}\" -u keyuser -z keypass +COMPATIBLE +FORCE", _tempFilePath);
startInfo.UseShellExecute = false;          // required for RedirectStandardOutput and LoadUserProfile
startInfo.RedirectStandardOutput = true;
startInfo.LoadUserProfile = true;           // loads the app pool user's profile (HKCU, AppData)
using (Process exeProcess = Process.Start(startInfo))
{
    // Drain stdout before waiting: with the output redirected, a full pipe
    // would otherwise leave pgp.exe blocked and WaitForExit hanging.
    var stringItem = exeProcess.StandardOutput.ReadToEnd();
    // TODO: set limit to wait for and deal with exit
    exeProcess.WaitForExit();
    Logger.Info(stringItem);
}
I'm clutching at straws here hoping somebody has done something similar before and can help. I'm guessing it's key location or file location not being picked up somewhere but not sure what else to try?
Turns out that even though the app pool was using a specific user and I'd set the keys up in that user's AppData folder, when I checked the underlying process call it was actually trying to pick the keys up from the Default User profile. Not sure if this was an IIS config or something similar, but moving the keys and pgp folder to this AppData instead worked?