I need some help in understanding a problem. Here is the scenario. We have a windows domain controller machine and several machines in that domain. (Everything in windows 2008). In one of the machines in that domain (machine name AlphaSiter) our own custom java based product is installed. To log on into our product, you have to provide a user/password combo which is validated against the active directory. Now here is the scenario.
Log into the domain controller and create a user (say David) in the active directory and set the “User must change password in next login option”.
Go to the machine called AlphaSiter where our custom product is installed and try to login to our product with the newly created user credentials and then change password successfully.
The side affect is that in the AlphaSiter machine in C:\Users the user folder is created..that is c:\Users\David. Also this folder is only created if at the time of user creation the “User must change password in next login option” is set. This user folder is not created if the option is unchecked. We are not creating the folder programmatically from our code. So I am wondering how this folder is getting created.Is it something that windows does internally?
Any help on this would be appreciated as I have to give explanation to our customer ---:)
The user's profile folder is always created when there is some profile information that needs to be stored. It may be some registry settings in HKCU hive.
You can use RegMon to track regitry activity.
Related
I am using below code to create CRM Client
var conn = new CrmServiceClient($#"AuthType=ClientSecret;url={organizationUri};ClientId={clientId};ClientSecret={clientSecret}");
Above code is throwing me "UserNotLicensed :User does not have license to use with access" error
I have also followed this article for creating application user. which is not possible as user needs to be created using power platform.
https://www.ashishvishwakarma.com/Dynamics-365-Single-Tenant-Server-2-Server-Authentication-Azure-Active-Directory-Access-Token/
Mine looks like
Also, as shown in the article I am not able to navigate to "New User" form. It keeps redirecting to Office Admin page. where I am not sure if I have permission to create. Let's say I make Admin do that, will Admin have option to associate User with application ?
creating application user. which is not possible as user needs to be
created using power platform.
what do you mean by this? You first need application user which should be created via Azure AD as app registration as mentioned in article and then you need to go to admin.powerplatfrom.com, select your env and then you see s2s users. Onye you click here it will give you list of all your s2s users (including the one you created). Add this s2s user in your env and assign particular security role (in most cases systemadmin). This should solve your issue
I am working on Windows 10 Assigned Access for Desktop for version 1607.
Mission: I need to get Assigned Access to work with Powershell.
Steps done:
I create a new LocalUser account with New-LocalUser and I enable the account with Enable-LocalUser. To check if the account is added, I run Get-LocalUser and see that the account is created (see attachment).
Issue:
To double check I go to the PC settings for Accounts-Family & other people, but I cannot see the new local user account "KioskTest".
I have restarted the computer but the account is not added to "Family & Other people".
I have spent some time on this and I would really appreciate your help, How can I make sure that the added Local user "KioskTest" is shown in the PC Accounts settings-Family & other people, when using Powershell?
I can Set-AssignedAccess, when I do Get-AssignedAccess I can see that it is there. Trouble is, I cannot login to the local user account because I cannot find the account in the settings for the PC.
It's like powershell has "hidden" the local user account from my client computer!!!
ADDED information + updated images:
After some trial and error I found out the following:
Using NET USER username password/ADD --works perfectly! I can find the user account and login as a customer would. The account is part of the LocalGroupMember
The local user account created with New-LocalUser with Powershell does NOT appear in the PC account settings BUT if you click on set assigned access in the Family & other people the system finds the local user account (see attachment). However you cannot login to the account as it seemingly does not have a group membership! Not great for testing :(
Thanks for taking the time,
Karina
See attachment:
Powershell Get-AssignedAccess
PC Account settings Family & other people
In my case it was a group membership issue. I have created some users with powershell new-localuser, but they did not show up in any GUI and I was unable to log on. The users were only visible in powershell with get-localuser and lusmgr. In settings, control panel 'user accounts' and login screen they did not show up.
I just had to add the new users to the local 'users' group. Once this was done, the new users were visible in all settings and available for login.
I was unaware of that local security policy (local policy/user rights assignment/allow log on locally) restricting login to 'Guest,Administrators,Users,Backup Operators'.
Either add the users to one of these groups or add them to the local security policy.
This isn't really a PowerShell issue and might be better suited for SuperUser. But I would guess that this is an issue with group membership. Unfortunately get-localuser doesn't give membership. So something like this would be the PowerShell way to check which user objects belong to which local groups.
Get-Localgroup | % { "`n$($_.name)`n"; get-localgroupmember $_}
Then check through which groups other user objects are a member of and add the KioskTest account to that group using this:
Add-LocalGroupMember -Group "ExampleGroup" -Member "KioskTest"
To validate user is created or not, the below simple command helps. You may try it.
In case user is created you will get below output
Command- net user TestUser2
Output-
User name TestUser2
When user is not present
Command- net user TestUser
output-
The user name could not be found.
I had the same issue. The problem was that when specifying the group I didn´t take into account that before the name of the group needs to go domain or in my case, name of the virtual machine. Therefore the command will look like this:
... -Group "DomainName\ExampleGroup" ...
You can check the existing groups on your machine by typing lusrmgr in Window´s run window.
After starting ObjectGears the first time I created administrator as the first user. I configured everything with this user and then imported other users.
Now I do not know if I can delete this user. I do not want to lose admin access.
You can delete it. The fact that some account is admin is set in the file web.configu in the parameter AdminLogins. So admin can be anybody who has the account included here.
You can also leave this parameter blank and then nobody will be able to change any configuration in the instance, supposing you also delete model owners.
I'd like to access a Fileserver (NAS) through my ASP.NET MVC Application and can't find a way to do that in a correct way.
What I've done so far is:
Created a User with Read/Write permissions on a directory on my NAS
Created a virtual directory on my IIS Server that is connected to the nas directory with the previously defined usercredentials
Now if I navigate to my virtual directory (AppliCationIPAdress/NAS) I get automaticaly redirected to \NASIPAdress\My\Directory. On the NAS loginnotifications I get the info, that somewone connected to my directory with the given credentials => That is how it should be
But if I access the NAS directory trough my MVC application (no matter if i use the UNC or the virtual directory redirection) i get an access denied erromessage and in the NAS loginnotifications there is not listed my prepared useraccount but my webserver as user who tried to login.
var dirName = Server.MapPath("~/NAS/Dir/");
ViewBag.Message = System.IO.Directory.GetFiles(dirName );
Could someone please explain why that is happening and what I have to do if i want to access files on a fileservice throuh my mvc application?
You have to give the service account rights to access the filearea, or run the app with a user that has rights
What worked for was:
Have same user account and password in NAS and IIS Server.
Create an application pool for your web app or use the default app pool and change the user account to the same mentioned before. Steps:
Go To IIS Manager
Click on Application Pools
Right click on the app pool assigned to your web app and select Advanced settings...
In section Process Model change the Identity field to the user account mentioned above.
Click on the 3 dots button located at the right of the field
Select Custom account and click on Set... button
Set username, password and password confirmation (same user account mentioned above.
Hope it helps!
FranciscoG
I'm writing an application which needs to store login data for multiple (XMPP) accounts on Windows.
Currently the application stores them in Windows' "Stored User Names and Passwords" using CredRead and CredWrite. And here is the problem: The login name for an XMPP account cannot be changed (it's the account's JID), but Windows only stores user name/password pairs under a given target name. I use something like "xmpp:account#server.tld" for the target name and don't use the user name at all during login. The user can't even set the user name from within the application (it will be set to "account#server.tld" automatically instead).
Now I would like to prevent the user name to be changed to something different by the user (using control panel or rundll32.exe keymgr.dll, KRShowKeyMgr) or an other application as this is currently possible and somehow confusing because the actual value is ignored anyway. If I open up the "Stored User Names and Passwords" dialog (using rundll32.exe keymgr.dll, KRShowKeyMgr), the entries which are created by my application are listed as "xmpp:account#server.tld (LegacyGeneric)" and can be edited using the "Edit..." button.
The list contains also an entry for Windows Live (listed as "live_account#hotmail.com (WindowsLive)"), whose user name cannot be changed (trying so will bring up a message box saying: "Windows cannot save the logon information. Make sure the information is correct and that all required fields are completed.".
And here is (finally) my question: Can I get this behavior for my application as well? How can I change the credential type to something different than "LegcyGeneric"? Or is there a better way to store only the password for a given login name (maybe using Windows Data Protection), while still using some "standard" Windows way of storing them?
Any hints and answers are appreciated.