Tag Archives: Admin

Trust other Domain users

Assuming the trust between the DCs already exists:
In ADUC, make sure to enable advanced options in the View menu, or the Security tab will not show up in a computer's properties.

From the Security tab of a computer's properties in ADUC, add the other domain's user(s) (e.g. domain2/domain users), then tick the checkbox for the Allowed to Authenticate permission.

ref: https://technet.microsoft.com/en-us/library/cc738653(v=ws.10).aspx


Win7 RSAT

Thought I had this posted a long time ago and was going to reference it and…. hmm.

So here it goes (again?)

Win7 RSAT (Remote Server Admin Tools)

http://www.microsoft.com/en-us/download/details.aspx?id=7887

Then they can be turned on for the mmc/snap-in via Turn On/Off Windows Features or via cmdline:

dism /online /enable-feature /featurename:RemoteServerAdministrationTools
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS-SnapIns
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS-AdministrativeCenter
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS-NIS
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-LDS
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-Powershell

Network Shares for computer account (System Processes)

You can grant access to a share/folder using a computer account (or a Global Security Group containing the computer accounts you wish to have access)

as a batch file:

Net Share SharedFolderName=C:\FolderName /grant:"DOMAIN\COMPUTERACCOUNT$",CHANGE

echo y | cacls C:\FolderName /c /g "DOMAIN\COMPUTERACCOUNT$":C

The $ suffix indicates this is a computer account.

This would give Change access to any process/service that COMPUTERACCOUNT runs as SYSTEM, but would not give any access to processes created by users logged onto COMPUTERACCOUNT.

I've not tested this, but when I installed an instance of SQL Server '08r2 I chose to run it all as system processes. My thought is the network share above would allow me to have the database on the share (with rights granted via the sql svr's system process) without needing to grant access to any particular users to the share and only accessible from specified PCs. I take it as well that this method is probably breaking a few security rules.
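To check that the folder really is writable only by the intended computer account, the ACL can be dumped with icacls C:\FolderName and compared against an allow list. The script below is an added example, not part of the original post; the sample icacls output is constructed, and the allow list (the computer account plus the built-in Administrators and SYSTEM entries) is an assumption to adjust.

```python
import re

# icacls right codes that allow changing content, permissions or ownership.
WRITE_CAPABLE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DE", "DC", "WDAC", "WO"}
INHERITANCE = {"OI", "CI", "IO", "NP", "I"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]+\))+)$")

def parse_icacls(output, path):
    """Parse `icacls <path>` text into (principal, rights, is_deny) tuples."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        # The first ACE shares its line with the path, which may contain spaces.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = {t.strip() for group in re.findall(r"\(([^)]+)\)", m["flags"])
                  for t in group.split(",")}
        aces.append((m["who"], tokens - INHERITANCE - {"DENY"}, "DENY" in tokens))
    return aces

def unexpected_writers(aces, allowed):
    """Principals with a write-capable allow ACE that are not on the allow list."""
    allowed_ci = {a.lower() for a in allowed}
    return sorted({who for who, rights, deny in aces
                   if not deny and rights & WRITE_CAPABLE
                   and who.lower() not in allowed_ci})

def machine_accounts(aces):
    """Principals that are computer accounts (trailing $)."""
    return sorted({who for who, _, _ in aces if who.endswith("$")})

# Constructed sample output, not captured from a real host.
SAMPLE = r"""C:\FolderName DOMAIN\COMPUTERACCOUNT$:(OI)(CI)(M)
              BUILTIN\Administrators:(OI)(CI)(F)
              NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              DOMAIN\Domain Users:(OI)(CI)(M)
              BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
# Assumed allow list: the computer account from the post plus built-in admin entries.
ALLOWED = [r"DOMAIN\COMPUTERACCOUNT$", r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"]

if __name__ == "__main__":
    aces = parse_icacls(SAMPLE, r"C:\FolderName")
    print("computer accounts:", machine_accounts(aces))
    print("unexpected writers:", unexpected_writers(aces, ALLOWED))
```

In the constructed sample, the Domain Users entry is reported because it grants Modify to every user, which defeats the point of restricting the share to the computer account.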

Add a printer via terminal or applescript

Using terminal:

/usr/sbin/lpadmin -p tms-copier-room18-01 -E -v lpd://tms-copier-room18-01 -P /Library/Printers/PPDs/Contents/Resources/en.lproj/CNR5050X1.PPD.gz -o printer-is-shared=false -D "tms-copier-room18-01 (Office)"

In AppleScript, the whole command goes inside double quotes, so the inner double quotes need to be escaped with a backslash.

do shell script "/usr/sbin/lpadmin -p tms-copier-room18-01 -E -v lpd://tms-copier-room18-01 -P /Library/Printers/PPDs/Contents/Resources/en.lproj/CNR5050X1.PPD.gz -o printer-is-shared=false -D \"tms-copier-room18-01 (Office)\""

If you have spaces in the driver name or elsewhere, be sure to escape them with a backslash (written as a double backslash inside an AppleScript string). The example below uses a fictitious Canon Imagerunner name (the real PPD is not named as such).

do shell script "/usr/sbin/lpadmin -p Canon_Imagerunner -E -v lpd://tms-copier-room18-01 -P /Library/Printers/PPDs/Contents/Resources/en.lproj/Canon\\ Imagerunner\\ 4100.gz -o printer-is-shared=false -D \"tms-copier-room18-01 (Office)\""

To delete a printer, use the -x option.

/usr/sbin/lpadmin -x "name of printer"

Be sure to check out the full list of options via the lpadmin man page. From terminal:

man lpadmin


And remember, the do shell script command uses sh as the default shell, not bash.

Configure Leopard for a different Software Update Server

via neverblog.net

To configure a Mac running OS X 10.5 (Leopard) to connect to a local Apple Software Update server, simply use the following command, where servername is the name of your local server that runs Software Update.

defaults write /Library/Preferences/com.apple.Softwareupdate CatalogURL http://servername:8088/

If you have any problems, verify that you can see the update server by accessing the following URL from the client’s web browser:

http://servername.domain.com:8088/index.sucatalog

If you don’t see an XML-type page come up, you should verify that the Software Update service is running on the server, and that port 8088 is properly configured to allow traffic on your network.

Software Updates via terminal

If you want to do an automatic install of all the updates for a particular Mac, you can do it easily in the background using ARD.  Gather up the system you want to update then execute a unix command: softwareupdate -i -a and specify to run it as the root user even if you have not enabled the root user account on the workstation.  It takes a while but the results window pretty much updates after each title install — it’ll even tell you if the remote system needs restarting.

If you want to do it manually (perhaps via a remote ssh login), log in as an administrative user, and type: sudo softwareupdate -i -a. You'll be prompted to enter your admin level password. If you wish, this can also be done locally via a terminal window.

To see all the command options, type man softwareupdate in a Terminal window.