I am upgrading Collaborative lifecycle management version to 6.0.5 current version is 5.0.2. As specified in IBM Interactive upgrade guide one of the step is to run upgrade script on your databases and below are the command
cd D:\IBM\JazzTeamServer6.0.5\server
upgrade\jts\jts_upgrade.bat -oldJTSHome "D:\IBM\JazzTeamServer5.x\server\conf" -updateTomcatFiles no -updateAppServerFiles no
After running this command I am getting message as "Upgrade must be run with administrator rights"
I am logged in as administrative user on the system, assigned all the full access control permission of folder where CLM server is installed to user still everytime same problem persist.
I was going through links to troubleshoot the problem but nothing seems to be working out for me. Some of the links I have referred are
https://www.techsupportall.com/how-to-enable-administrator-account-on-welcome-screen/
http://www.thewindowsclub.com/elevated-privileges-windows
Can anyone please suggest I am missing anything here?
This could be caused by User Account Control, a feature which makes so that, even if you have administrative rights, you don't actually have them unless you explicitly request them. There are two distinct policies governing UAC behaviour (both found in Computer settings\Windows settings\Security settings\Local policies\Security options), one for the built-in Administrator account, and another one for all other administrative users:
User Account Control: Admin Approval Mode for the built-in Administrator account (disabled by default)
User Account Control: Run all administrators in Admin Approval Mode (enabled by default)
What this means is: by default, the built-in Administrator account is not affected by UAC, while all other administrative users are; thus, it's possible for an administrative user (different from the built-it Administrator) to not actually have administrative rights, even if it's a member of the Administrators group.
More info -> https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd835564(v=ws.10)
Related
imagine there is a Powershell script running under the SYSTEM account on a Windows 10 machine and checks which domain user is currently logged on. No big deal.
Now: I want to check if this logged on user has administrator rights on this machine. Every check I could find so far is only looking at ".IsInRole([Security.Principal.WindowsBuiltInRole]::'Administrator')".
But this only checks if the user is a direct member of the local group "Administrators". But it is possible that within the local Administrators group there is a domain group, and the user is a member of this domain group instead. So he is admin, even if he is not a direct member of the Administrators group.
How can I check for both at the same time? I just want to check IF someone is admin, no matter where those admin rights come from. This check will also run under the SYSTEM account, not with the affected user account itself.
Any ideas?
If the Domain group is part of the local admins group, then by design, all users in that domain group are local admins and has all the rights and privileges that means. So, that code block would still apply.
You have to explicitly check for user rights and privileges assigned. There is no cmdlet for this built-in, so you have to code for it. To see your rights and privs, you can just use the good old whoami.exe...
whoami /priv
# Results
<#
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
#>
... then compare that to the Windows Privilege list that are normally used for Administration actions.
Running this remotely as the logged-on user, cannot be done with PowerShell natively, it's a Windows Security boundary and thus, you'll need something like PSExec.exe from MS SysInternals to try that.
In our current environment all the users who would like to access ClearCase will require local administrative rights and i'm looking into the options to remove the local admin privs constraint so that all the users should be able to access if they are part of clearcase domain groups like CCUsers.
Local admin privilege should only be required for installing ClearCase, especially when it comes to the MVFS (MultiView FileSystem) part.
But it is also used for launching ClearCase services. Without a privilege elevation, you would see:
C:\>net start albd
System error 5 has occurred.
Access is denied.
From Windows Services
Unable to open service Albd for writing on Local Computer
Error 5: Access is denied.
First, check if you can set those services as "Automatic": they should be started during Windows Startup, even if the user is not an administrator.
This thread recommends:
Click on Atria Location Broker service and select Properties.
On the General tab, "Startup type" should be "Automatic".
On the Log On tab, select the radio button to Log on as "This account" and enter the ALBD user account and password that you should have already setup (e.g. your-domain\clearcase_albd). If you do this properly, the Atria Location Broker service should start automatically for any user.
See also "Troubleshooting ALBD startup failures on Microsoft Windows".
I've checked that the TeamCity user has access to the network share in question.
All packages from the public NuGet feed are found correctly while packages available on the network share are not.
We use the network share when building via Visual Studio with the exact same path without a problem.
I've tried using "file://ratchet/NuGetRepository" but that doesn't make a difference.
TeamCity log entries and screenshot of the build step configuration shown below:
NuGet command: E:\BuildAgent01\plugins\nuget-agent\bin\JetBrains.TeamCity.NuGetRunner.exe E:\BuildAgent01\tools\NuGet.CommandLine.DEFAULT.nupkg\tools\NuGet.exe restore E:\BuildAgent01\work\95323b7041b60513\MySolution.sln -Source https://nuget.org/api/v2/ -Source \\ratchet\NuGetRepository\
Was able to solve this by specifying the fully qualified name of the network share, e.g. \\ratchet.hq.local\NuGetRepository.
Since the accepted answer did not provide a solution for my setup, I'd like to post what did allow TeamCity to access my network share.
First, a very important note: TeamCity Build Agent may either run as a Windows service or directly in command prompt. For my machine, this had the following consequences:
When run as a Windows service, the build agent was logged in as LocalSystem. For our network share, my machine's credentials were not given permissions.
Note: while this SO thread indicates that the network share can be configured to allow the machine's LocalSystem account to have permission, this was NOT an option for me.
When run in command prompt, the build agent will use the security context of whoever runs it (for me, it was my domain user). Again, for our network share, all domain users are given permissions.
The quick solution was to simply run the build agent in command prompt and call it a day; however, I did really want to run the build agent as a Windows service, since I think it is a cleaner approach.
Here's my solution:
First, I needed to grant my domain user the privilege to log on as a service. This is needed to run the service with my domain user's security context. I navigated to User Rights Assignment within Local Security Policy:
Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment
Next, I added my domain user to the Log on as a servcie setting. For this, I made sure to include the domain with my user name.
Now that my domain user's security context can be used when starting a service, I navigated to Services (services.msc), located TeamCity Build Agent, and edit its properties:
Now, when relaunching the TeamCity Build Agent Windows service, it would be able to access the network share since it was using the security context of my domain user. I can now access the Nuget repository on our shared drive and keep the build agent running in the background.
You can include the package sources in NuGet.targets file. Just find the commented lines and add your path.
<PackageSource Include="https://nuget.org/api/v2/" />
<PackageSource Include="\\ratchet\NuGetRepository\" />
Let's say I'm an administrator on a Windows7 box. I'd like to be able to run commands as other users without knowing their passwords.
This is what happens on linux. If I'm root, I can 'su' to other accounts without providing any password and run commands in their own name.
su (substitute user or switch user) allows changing the account associated with the current terminal. Where Normal user have to give password of the account he wants to change to, super user (root) can change to any ID he wants without giving password.
sudo executes a command as another user but observes a set of constraints about which users can execute which commands as which other users (generally in a configuration file named /etc/sudoers, best editable by the command visudo). Unlike su, sudo authenticates users against their own password rather than that of the target user (to allow the delegation of specific commands to specific users on specific hosts without sharing passwords among them and while mitigating the risk of any unattended terminals).
On windows runas.exe allows a user to run a programs with different permissions than the user's current logon provides. But for this you have to provide credentials. Windows security does not allow an administrator to execute as another user without his credentials. Administrators can do what they want but not under certains limits without control(discretionary power)
Now once it's said, on Windows an administrator can take and give ownership of ressources and then do what he wants, but it's logged.
I have been maintaining an installation for a while but I am not really an expert. now I've been asked to come up with a solution for this:
Our software is always sold together with a computer as it has to be run in a very controlled environment. The installer needs administrative privileges to be executed. So far we had two different users, one with administrative rights and other one without. Our custumer service login as Administrator, install the software and restart the machine so that the user can access as a normal user.
Now we want the user to be able to install the software themselves but we don't want them to have access as an administrator because they can modify things it shouldn't be modified.
So, is there any way to programmatically raise the user privileges during the installation and afterwards lower them back? The installer is made using InstallShield but we use vbscript to check some pre-requisites.
Check out CPAU. It allows you to create an encrypted command that will run the installation as administrator.
EDIT: This is a more comprehensive list of like tools.
If you are looking for a toolkit to do this kind of thing, well, Microsofts MSI technology has this built in: Administrator access is required to install the initial MSI file, additional patches (MSPs I think) are digitally signed by the original MSI and are thus deemed safe - users can install them without requiring administrator elevation.
You can do the same thing: As part of your administrative install, install a service. The service can create a named pipe - that you explicitly give user ACLs to - or even just a socket or monitor a drop off folder that allows the user level code to communicate with the service code (running with SYSTEM or configured access). The service can then use its SERVICE or configured account level permissions to either impersonate an administrator, or do other tasks on the behalf of the user without EVER giving the user any kind of elevated permission - even temporarily.