How to create a limited Active Directory service account
Problem: For webNetwork installation, you will need a Schema Admin and Domain Admin account. For daily operation, you will need a service account to connect to Active Directory, but you may not want to run it with this same high-level account. webNetwork uses a "proxy" style account to connect into your directory. This means the proxy account is the only user that accesses the Active Directory server.
Cause: webNetwork must have the proper rights to modify objects in the Active Directory tree or it will not function. As a general guideline, the service account needs read/write access to swareXXX attributes and full access to swareXXX objects in the Stoneware OU.
- Active Directory Users and Computers console
- Domain Admins have two accounts (ex: joe-regular-user and joe-domain-admin-user)
- webNetwork will need to be taken offline to switch accounts
Solution(s): Create a lower-privileged account easily using the built-in Account Operators group.
- Create a standard user in desired OU
- Add user to Account Operators group (under Builtin)
- Right-click on Stoneware OU and click Properties
- Go to Security tab and click Add...
- Search for and select the created user
- Select Full Control for permissions
- Click Apply button
- Click Advanced button
- Find the created user and click Edit
- Change "Apply onto" field to "This object and all child objects"
- Click OK and OK
- Go to webNetwork Server Management console (8090 console)
- Enter new service account and password on Directory Services tab
- Validate user/password then click Save
- Go to Settings tab and click Shutdown
- Startup webNetwork service again
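The directory-side steps above (create the user, add it to Account Operators, grant Full Control on the Stoneware OU for this object and all child objects) can also be scripted with the ActiveDirectory PowerShell module. This is an added example, not Stoneware's own tooling; the account name and both distinguished names are placeholders, and the webNetwork console steps still have to be done by hand.

```powershell
# Added example: placeholder names, not values from the article.
Import-Module ActiveDirectory

$SamName     = 'svc-webnetwork'                         # hypothetical account name
$AccountOU   = 'OU=Service Accounts,DC=example,DC=com'  # hypothetical "desired OU"
$StonewareOU = 'OU=Stoneware,DC=example,DC=com'         # adjust to your Stoneware OU

# 1. Create a standard user in the desired OU.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamName"
New-ADUser -Name $SamName -SamAccountName $SamName -Path $AccountOU `
    -AccountPassword $Password -Enabled $true

# 2. Add the user to the built-in Account Operators group.
Add-ADGroupMember -Identity 'Account Operators' -Members $SamName

# 3. Full Control on the Stoneware OU; inheritance "All" corresponds to
#    "This object and all child objects" in the Advanced security dialog.
$Sid  = (Get-ADUser -Identity $SamName).SID
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$Acl = Get-Acl -Path "AD:\$StonewareOU"
$Acl.AddAccessRule($Rule)
Set-Acl -Path "AD:\$StonewareOU" -AclObject $Acl

# 4. Verify: show only the explicit (non-inherited) ACEs held by the account.
(Get-Acl -Path "AD:\$StonewareOU").GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $Sid } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  InheritanceType, AccessControlType
```

The final command shows only the explicit grant on the Stoneware OU; rights that come from Account Operators membership are domain-wide and do not appear there.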
IMPORTANT - limitations of above service account:
- Members of Enterprise/Domain Admins will not be able to log in to webNetwork because we cannot update their swareXXX attributes (hence the need for secondary regular-user accounts for domain admin members)
- Must use groups/users for assignments; the Account Operators group does not give write access to OUs, although you can add write to specific OUs manually
- May experience errors in webNetworkTrace.log (start-up log) about missing ability to flush schema; lines should all start with INFO and webNetwork will still function
- For webNetwork updates that require additional schema extensions (new features), you will need to switch the service account to a higher-privileged account or configure the schema credentials in Server Management Console (8090 console)
- Full control of the Stoneware OU will allow webAdmin users to create new users and groups; if you wish to remove this right, you'll need to edit the security on the Stoneware OU further