I'm trying to get a list of the real users on the local machine. By real I mean the users
that can physically logon to the system and use it, excluding remote only accounts and the like.
This is what I do already.
Call NetUserEnum() with FILTER_NORMAL_ACCOUNT.
I get the following users:
__ vmware_user __
Administrator
Help Assistant
ASPNET
Guest
SUPPORT_xxxxxx
Note that this are the same users that I get when calling net user from the command line,
but in the logon dialog I can only select Administrator. This is what I want.
From the return list on NetUserEnum(), I can tell which accounts are disabled. That leaves:
__ vmware_user __
Administrator
ASPNET
SUPPORT_xxxxxx
Then I run LsaEnumerateAccountRights() to check which accounts have the SeInteractiveLogonRight.
All of them have it. Except the real one, Administrator. Some of them have SeDenyInteractiveLogonRight.
That leaves me with:
__ vmware_user __
Administrator (no SeInteractiveLogonRight)
I found somewhere that maybe I should be checking group permissions first, as my user account might be inheriting SeInteractiveLogonRight. So far, I haven't found a way to list the groups for a given account (SID or name). Tried with NetUserGetGroups() but it turns out that this one only returns domain groups (in my case, "None").
Right now I don't know what else to try. Looks like everything will be easier if I had an 'Access Token' but there seems to be no way of getting that for a user other than the currently logged on.
There are like 20 different APIs related to authentication and this is crazy.
I appreciate your help
As you said, the last step probably is just filter the users which belong to Administrators or Users group.
Try the method NetUserGetLocalGroups for enumerating the groups an user belongs to.
Related
Is there any way to login other users account for admin user ?
Currently authentication based on Meteor Accounts
I saw this post but didn't working at all now.
The feature is important for us because when user have problem in system then admin need to see it this by simulating user account.
Thanks in advance.
It seems you want to impersonate a user. This means that you want to have Meteor.userId (or this.userId depending on context) reflect the _id of a specific user both on the client and the server.
afaict the only way to do this is to login as the user. Presumably you don't want to ask the user for their password so you have a couple of choices:
Save their existing password, replace it (temporarily) with a password of your choosing, then after you're done impersonating their account, restore their existing password.
You probably don't want to ask the user for their password and you don't need to. All you need to do is set aside Meteor.user.findOne(userId).services.password.bcrypt, then reset the password to your temporary value, then restore the original bcrypt value later.
The downside is that the original user would not be able to login while you are logged-in. Plus it's really hacky.
Extend Meteor's Accounts package to provide impersonation capability in a more elegant manner.
You might also look at validateLoginAttempt. The docs are unclear as to whether a failed login attempt could be overridden with a successful one but if it could then that would provide another pathway to solve your problem.
Instead of logging in as the users, which requires their password and which is a total no-no, you may use rather alanning:roles and allow the admin to assign the role of any user in order to draw views based the user's role.
This requires a well designed role system.
As a plus you could then at least load the documents associated with the user who you want to support.
This requires a well designed document and data model.
But generally spoken you should rather focus on writing good tests (test driven development) for components as unit tests, integration tests and UI tests.
This will reduce the need to manually view the app as an end user a lot.
The most common end user problems can be reduced by creating a good knowledge base like a wiki or video tutorials.
Even if then an error occurs in the end user side, I would rather try to implement a well designed error log that allows users automatically create tickets on error which also include the error stack.
All the above methods are to be favored before logging in AS THE USER.
As #Jankpunkt has already mentioned alanning-roles I can add something you can use without installing any external package.
Just keep a type key in the profile object of the users collection. Then define some types like 1 for super-admin, 2 for admin, 3 for general etc. Then check the authorisation of particular action by checking the value of user.profile.type key.
Caveats: Make sure you are checking the type in server side. By default profile field is writable from the client end, so if you are putting type field in the profile object make sure that you are not allowing users to modify users collection in the client end.
Here is how to restrict client end update in users collection:
Meteor.users.deny({
update() { return true; }
});
Read more on roles and permissions here:
https://guide.meteor.com/accounts.html#roles-and-permissions
We are trying to integrate our platform with Pipedrive. As far as we have researched, in a pipedrive account, there is one admin and he can add multiple users. And the users later can login in their respective accounts.
What we are trying to make sure is that once a Pipedrive account is integrated with our platform, the same account should not be integrated twice. So, I need a unique identifier, that lets me know whether the account has already been integrated.
My initial approach was to check the api key. But it was not successful, since every users in an account have different API Keys.
After a bit of research, I found out that there is an identifier called company_id which is common for all the users in an account. But I could not find anything regarding it in documentation. So, I am not 100% confident to go ahead and implement it in our code.
Does anyone have an idea about this?
Pipedrive support rep here.
The most sure-fire way to ensure this is to make a GET request against http://api.pipedrive.com/v1/users?api_token=your_token_here.
You are correct in assuming the company_id in the additional_data object in the response is static and won't change across any users on the account.
Note that a Pipedrive account may have more than one admin, and that non-admins (regular users) might have visibility (and editing) restrictions in place, which may cause some of your GET, PUT and DELETE requests to fail.
In case you're not doing this already, I'd thus advise filtering the data array from the abovementioned endpoint for user.is_you to equal true and check whether the is_admin property is set to 1 during "registration" to ensure the user setting up the integration is an admin.
Hope this helps!
I'm not quite sure what you're asking for. Are you looking for a unique identifier for each user?
Each user has an id, you can get all users by calling
https://api.pipedrive.com/v1/users?api_token=____
This will return a JSON Object with data on your users, including their names and associated IDs. Admins are just users with different privilege levels. All admins are users, but not all users are admins. All users are part of a company, the company is identified by the first part of the Pipedrive account url ie.
https://FooCompany.pipedrive.com
Are you trying to see if a certain company has been integrated already?
I am working on Windows 10 Assigned Access for Desktop for version 1607.
Mission: I need to get Assigned Access to work with Powershell.
Steps done:
I create a new LocalUser account with New-LocalUser and I enable the account with Enable-LocalUser. To check if the account is added, I run Get-LocalUser and see that the account is created (see attachment).
Issue:
To double check I go to the PC settings for Accounts-Family & other people, but I cannot see the new local user account "KioskTest".
I have restarted the computer but the account is not added to "Family & Other people".
I have spent some time on this and I would really appreciate your help, How can I make sure that the added Local user "KioskTest" is shown in the PC Accounts settings-Family & other people, when using Powershell?
I can Set-AssignedAccess, when I do Get-AssignedAccess I can see that it is there. Trouble is, I cannot login to the local user account because I cannot find the account in the settings for the PC.
It's like powershell has "hidden" the local user account from my client computer!!!
ADDED information + updated images:
After some trial and error I found out the following:
Using NET USER username password/ADD --works perfectly! I can find the user account and login as a customer would. The account is part of the LocalGroupMember
The local user account created with New-LocalUser with Powershell does NOT appear in the PC account settings BUT if you click on set assigned access in the Family & other people the system finds the local user account (see attachment). However you cannot login to the account as it seemingly does not have a group membership! Not great for testing :(
Thanks for taking the time,
Karina
See attachment:
Powershell Get-AssignedAccess
PC Account settings Family & other people
In my case it was a group membership issue. I have created some users with powershell new-localuser, but they did not show up in any GUI and I was unable to log on. The users were only visible in powershell with get-localuser and lusmgr. In settings, control panel 'user accounts' and login screen they did not show up.
I just had to add the new users to the local 'users' group. Once this was done, the new users were visible in all settings and available for login.
I was unaware of that local security policy (local policy/user rights assignment/allow log on locally) restricting login to 'Guest,Administrators,Users,Backup Operators'.
Either add the users to one of these groups or add them to the local security policy.
This isn't really a PowerShell issue and might be better suited for SuperUser. But I would guess that this is an issue with group membership. Unfortunately get-localuser doesn't give membership. So something like this would be the PowerShell way to check which user objects belong to which local groups.
Get-Localgroup | % { "`n$($_.name)`n"; get-localgroupmember $_}
Then check through which groups other user objects are a member of and add the KioskTest account to that group using this:
Add-LocalGroupMember -Group "ExampleGroup" -Member "KioskTest"
To validate user is created or not, the below simple command helps. You may try it.
In case user is created you will get below output
Command- net user TestUser2
Output-
User name TestUser2
When user is not present
Command- net user TestUser
output-
The user name could not be found.
I had the same issue. The problem was that when specifying the group I didn´t take into account that before the name of the group needs to go domain or in my case, name of the virtual machine. Therefore the command will look like this:
... -Group "DomainName\ExampleGroup" ...
You can check the existing groups on your machine by typing lusrmgr in Window´s run window.
I am the web developer for a company who need to upgrade to v3 of mysagepay to continue trading.
However, the only username that I have been given, does not appear to give me admin rights in the control panel. I need to add the IP address of our shopping cart provider to allow it to continue to work after the end of the july.
My guess is that there is another username , which is the full admin rights one..
The one I have is payments, which allows you to view orders etc, but not access most of the settings.
Is there a standard username for the admin account on a given vendor name? I've tried 'retrieve username' using various emails of the company, but they only return the payments username, which isn't apparently an admin user.
I've filled out a couple of forms for online support but as yet have had no useful responses, and time is running out.
Can any one advise as to whether there is a standard username that gives full access rights (admin?) or whether there is a way of telling what the admin user is.
Many Thanks - pulling my hair out here.
Gavin
Call Sage Pay. They can add the IP for you, and/or probably sort out an admin user account. You'll probably need your Merchant number in order to prove you have something to do with that vendor account - you can get this from the authorisation details screen when viewing one of the payments that you have. Number is 0845 111 4455 - I recommend calling out of core business hours as they are pretty busy then (but phones are manned 24/7)
Is it possible to manage multiple calendars from a single program? The task is to add events for different users in a domain, but do it from single program without knowing all users domain passwords. What type of authentication should be used to connect EWS? Is there any admin account exists? How to specify which calendar to update on each operation?
sure is this possible. You will have to create an ExchangeService-instance for each user and set the ImpersonatedUserId property to the mailbox of the user you want to the appointment or whatever you want to add.
have a look at http://msdn.microsoft.com/en-us/library/exchange/dd633680(v=exchg.80).aspx there you can find how to work with impersonation and also have a look at http://msdn.microsoft.com/en-us/library/bb204095.aspx where you can see how to set the rights your user needs to impersonate.
hope that answers your questions...