I need to create 80 local user accounts with the following information/settings:
Username
Full name
Description (will be the same for all users)
Password
Member of Group "Web Reporting Users (Cust)"
Uncheck "Connect client drives,printers at logon" and "Default to main client computer"
The following script works on my server, but it only creates the username/password. I need to modify it to add the other information. Even if you could provide a way to set the group membership that would be very helpful.
strComputer = "SERVER.DOMAIN.com"
Set colAccounts = GetObject("WinNT://" & strComputer & "")
Set objUser = colAccounts.Create("user", "TestingScript")
objUser.SetPassword "09iu%4et"
objUser.SetInfo
Any help would be appreciated :)
EDIT: I made some progress. I can now run the script and have it create a user with password and correct group. However, I still need:
Description
Full name
Uncheck "Connect client drives,printers at logon" and "Default to main client computer"
How can I add these to the script?
EDIT 2:
Made even more progress, but I still need to uncheck:
Uncheck "Connect client drives,printers at logon" and "Default to main client computer"
This is the last step so hopefully someone knows! :)
Related
I would like to test 802.1X function for an Ethernet Switch (NAS).
I have a Workstation (Windows 10) and an Ubuntu server : I want to test EAP-MSCHAPv2.
I see a tutorial to configure FreeRADIUS : https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO
Problem is I don't have a Windows server. Is it possible to test EAP-MSCHAPv2 without it ? How to configure FreeRADIUS ? ... I just want to test a static configuration with one login+password.
Currently my FreeRADIUS works with EAP-MD5 : I already created user profile and NAS config
You need to set the MS-CHAP-Use-NTLM-Auth attribute to No in the control list. The mschap module will then do the authentication internally, rather than trying to call out to AD.
This is documented more extensively in raddb/mods-available/mschap.
For example you could create a user bob with password test in the raddb/users file thus:
bob Cleartext-Password := "test", MS-CHAP-Use-NTLM-Auth := No
Note that this attribute must be in the control list, not in the reply list, so appears on the same line as the username.
How can I make the queue manager (which exists by default in the docker image) accept any connection without authentication?
I went through all the options in the web console (:9443/ibmmq/console/) and tried anything that I thought might have the effect I wanted, but couldn't find it.
TIA & BR,
Christian
Edit: here's the code I'm using to connect
JmsFactoryFactory ff = JmsFactoryFactory.getInstance(WMQConstants.WMQ_PROVIDER);
JmsConnectionFactory cf = ff.createConnectionFactory();
// Set the properties
cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, HOST);
cf.setIntProperty(WMQConstants.WMQ_PORT, PORT);
cf.setStringProperty(WMQConstants.WMQ_CHANNEL, CHANNEL);
cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, QMGR);
cf.setStringProperty(WMQConstants.WMQ_APPLICATIONNAME, "JmsPutGet (JMS)");
//cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
//cf.setStringProperty(WMQConstants.USERID, APP_USER);
//cf.setStringProperty(WMQConstants.PASSWORD, APP_PASSWORD);
// Create JMS objects
context = cf.createContext();
----------edit------------
Error log after
removing "connection authentication" for the QM
setting the channel auth. record (under extended) to "As Queue Manager"
AMQ9557E: Queue Manager User ID initialization failed for '[my OS user]'.
EXPLANATION:
The call to initialize the User ID '[my OS user]' failed with CompCode 2 and
Reason 2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
ACTION:
Correct the error and try again.
If you are trying to disable the MQ Connection Authentication feature so that userid & passwords are not authenticated then you can do this by executing the following MQSC commands in runmqsc against the Queue Manager.
ALTER QMGR CONNAUTH(' ')
REFRESH SECURITY(*) TYPE(CONAUTH)
Alternatively in the MQ web Console:
Select your queue manager in the Queue Manager widget
Click properties
Go to the Extended section and scroll down
Set the "Connection Authentication" attribute to a blank value
Click save adn then close
Select your queue manager in the Queue Manager widgit
Click the ... and select Refresh security from the drop down
"Select connection authentication"
Add widget: "Channel authentication records"
In this widget, select the entry for your channel, click properties under "Extended" set client connections to "As Queue Manager"
If required:
Select your QM in the "Queue Manager" widget, open properties (...), "refresh security...", "Connection authentication".
Make sure the default user name (in the standard docker installation, that's "app") is set in the channel properties under MCA (as sugg. by #JoshMc)
Run following mqsc commands to disable channel authentication in IBM MQ server:
ALTER QMGR CHLAUTH(DISABLED)
ALTER QMGR CONNAUTH(' ')
REFRESH SECURITY TYPE(CONNAUTH)
So before showing my code, let me explain what steps I took to 'properly' set up service account environment.
In google developer console, created service account. (this produced Client ID (which is a long number), Service account (xxxxx#xxxx.iam.gserviceaccount.com), and private key which I downloaded in P12.
In Admin console, put the client ID with appropriate scope. In my case the scopes I added is https://www.googleapis.com/auth/admin.directory.group.readonly and https://www.googleapis.com/auth/admin.directory.group.member.readonly.
In my code, correctly set up private key path and other environments.
def getDirectoryService: Directory = {
val httpTransport: HttpTransport = new NetHttpTransport()
val jsonFactory: JacksonFactory = new JacksonFactory()
val credential: GoogleCredential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setServiceAccountId("xxxxx#xxxx.iam.gserviceaccount.com")
.setServiceAccountScopes(util.Arrays.asList(DirectoryScopes.ADMIN_DIRECTORY_GROUP_READONLY, DirectoryScopes.ADMIN_DIRECTORY_GROUP_MEMBER_READONLY))
.setServiceAccountUser("admin#domain.com")
.setServiceAccountPrivateKeyFromP12File(
new java.io.File("/pathToKey/privatekey.p12"))
.build()
val service: Directory = new Directory.Builder(httpTransport, jsonFactory, null)
.setHttpRequestInitializer(credential).build()
service
}
And then I attempt to execute something like this:
service.groups().list().execute()
or
service.groups().list("domain.com").execute()
This code would result in,
com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
"error" : "invalid_grant"
}
at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:384)
at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:217)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:868)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
at com.company.project.GoogleServiceProvider.getGroups(GoogleServiceProvider.scala:81)
at com.company.project.ProjectHandler.handle(ProjectHandler.scala:110)
at com.company.common.web.DispatcherServlet.service(DispatcherServlet.scala:40)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:845)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:583)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:224)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1174)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1106)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle(Server.java:524)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:319)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:253)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:745)
What could have I done wrong? I have been searching solution for past two days, and tried many things. One of the solutions I am not still not sure of is ntp syncing (as in how to exactly sync server time to ntp).
Any adivce would be very helpful, thank you!
UPDATE: I also made sure to activate the Admin Directory SDK, and enabled the Domain-Wide Delegation on developer's console.
UPDATE #2: I forgot to mention that, the admin account is not the owner of the project itself. So basically, I am a member of a domain, and I created a project, so I am the only owner of the project and the service account.(I am not the admin). But should an admin be owner of the project and create service account in order for this to work properly???
Ok, my problem was that in setServiceAccountUser I put admin group email address, not the actual user account. Apparently, it doesn't allow putting in group email (alias) address into setServiceAccountUser.
So after putting in an actual user account with admin privilege, it seems to be working.
I still wonder what would be the best practice though. As in, should I create a separate user account with admin privilege just for the project? I definitely don't want to just put in an admin account email address in my code.
I'm trying to POST data to a Google Web App to automatically enter some tedious data. Whenever I try I get a response back asking me to log in, the Web App is deployed to be accessible by anyone.
Can I POST data to the form without authentication? If not, what type of authentication is required?
Edit: Quick code sample I threw together:
WebClient client = new WebClient();
var keyValue = new NameValueCollection();
keyValue.Add("agentName", "John Doe");
keyValue.Add("dayOff", "Sunday");
keyValue.Add("startTime", "8:00 AM");
Uri uri = new Uri("mywebapp url");
byte[] response = client.UploadValues(uri, "POST", keyValue);
string result = Encoding.UTF8.GetString(response);
In order to allow anyone to execute your script, even if they are not signed in to a Google account, you need to use the following settings in the "Deploy as web app" dialog:
Project version: if in doubt, select "New" to ensure that you are deploying the latest copy of the script's code.
Execute the app as: select "Me". This ensures that the "even anonymous" option will be available.
Who has access to the app: select "Anyone, even anonymous". (Note that if you select "Anyone", only users that are signed-in to a Google account will be able to execute your script.)
Once you have selected these options, click the "Update" button and copy the script URL. It should look like https://script.google.com/a/macros/<APPS DOMAIN>/s/<SCRIPT KEY>/exec. At this point an unauthenticated GET or POST to the script's URL should be successful.
Be aware that the script's execution will count against your daily Apps Script quota.
First of all, a kind user named "leppie" tried to help me but I couldn't get the answer I am looking for and it's kind of an urgent matter.
I run a windows service in Windows 7 with LocalSystem account (Since this win service will be installed many computers remotely and silently, I guess I need to use LocalSystem in ServiceInstaller.Designer.cs by the code below:
this.ProcessInstaller.Account = System.ServiceProcess.ServiceAccount.LocalSystem;
this.ProcessInstaller.Password = null;
this.ProcessInstaller.Username = null;
When I run this windows service the code below cannot get the currently logged in user's credentials (the users do not have admin privileges, not even myself).
using (DirectoryEntry de = new DirectoryEntry("LDAP://MyDomainName"))
{
using (DirectorySearcher adSearch = new DirectorySearcher(de))
{
adSearch.Filter = "(sAMAccountName=" + Environment.UserName + ")";
SearchResult adSearchResult = adSearch.FindOne();
UserInternalEmail = GetProperty(adSearchResult, "mail");
}
}
I have been suggested to run the WinService under a AD/LDAP/domain account, but which user could this be?
this.ProcessInstaller.Account = System.ServiceProcess.ServiceAccount.<User ? LocalService ? NetworkService>;
this.ProcessInstaller.Password = "adminpassword";
this.ProcessInstaller.Username = "adminusername";
I mean, lets say an ABC user is an admin and lets say I knew the password and username of this ABC admin, but when this admin changes the password, I think this will effect my winservice which will be running on 70 computers.
Is there a way to retrieve the user credentials on active directory? I would be really appreciated if you provide me some code samples..
Thank you very very much,
The problem is that Environment.UserName will always return the username of the service account under which the service is running, not the user logged into the machine.
See this question for information on how to get the names of users logged into the workstation. Keep in mind that Windows will allow multiple users to be logged in at the same time.