I can't seem to figure out how to identify what entitlement keys are available for a given app. How does one query an application for its entitlement keys?
Example:
iTunes has these entitlement keys: com.apple.iTunes.playerInfo, com.apple.iTunes.library.read-write, & com.apple.iTunes.playback
But if I didn't already know this, how could I have retrieved these keys from the iTunes application? What about 3rd-party (non-Apple) apps? Where would one find entitlement keys, if there are any, for those?
Thanks in advance!
You have to look at iTunes's scripting definition (sdef) file. iTunes's is in a weird place (/System/Library/Frameworks/Foundation.framework/Versions/Current/Resources/com.apple.iTunes.sdef, as mentioned in this answer). If you look inside Mail's (or a 3rd party app's) package, and browse to Contents/Resources directory, you should see an sdef file there too.
You can also use the AppleScript Editor's Open Dictionary menu item and command-click on the proxy icon in the title bar to view a temporary copy of the sdef, which works the same way for iTunes and any other app.
Once in the sdef file (using any text editor), you want to look for all of the <access-group /> tags to see which scripting targets the app exposes.
Related
I am working on Win 10 upgrade activity. As you know we can select application for file extension. So, those file will open on that app. e.g. html files only open in Chrome when user double click on that.
We can create XML file (DefaultAppAssociations.xml) and place it in C:\windows\system32
Now, I got the request to make one application default but let user decide if they want any other app. Is there any way to handle such things because defaultappassociations.xml will hard code this. Every time machine restart and it will set the same.
This is only possible as part of the operating system deployment or rather for newly created user profiles.
The command (official documentation):
Dism.exe /online /Import-DefaultAppAssociations:<path to exported xml>
However as I said you cannot alter existing profiles that way. Altering existing profiles in any way that is not the force via gpo is afaik not possible anymore because Microsoft does not want to allow it. A pretty stupid decision but at least you can tell whoever made the request that it is by MS design.
is it possible to allow read access only to the media library? I'm setting a role and with the Media Library module, I've only set the Read permission to Allow, but a user with that role still sees the upload button. Am I looking at the wrong module?
If you go to the specific Media Library and then edit.
Then you will see the list of files within the media library.
On the left-hand side, there will be '...', hover over this and then click on Security.
Here you can specify which role you want to perform what action in that specific Media Library.
Did you configure Permissions and UI Personalization?
So in this case, I removed access to the media library. It forces editors to add images as attachments, which was my end goal. Reason being, sync only works with published content, and won't migrate files from one server to another.
Is it possible to add custom feed programmatically to Web Platform Installer? I tried adding the feed manually and found that the feed location is stored in `%APPDATA%\Microsoft\Web Platform Installer\web.preferences file. However the file seems somewhat cryptic and I would not like to modify it manually. Is there any API for that?
Update: even if this web.preferences file could be edited it is not the way to go as it is user specific file and I need system wide configuration.
Based on this link,
Sorry, there isn't a way to do that currently (for security reasons,
we don't allow an untrusted feed to be loaded without the user's
consent)
Once the feed is added via the Options dialog, it does persist between
sessions
I think we can't add custom feed without intervene from user. Maybe you can use WebpiCmd.exe
that can be configured programmatically via scripts.
C:\Program Files\Microsoft\Web Platform Installer>WebpiCmd.exe /List /Feeds:http://yourcustomwpifeed.co.id/customFeed.xml
A little late, but maybe it may interest others. You can modify the file %APPDATA%\Microsoft\Web Platform Installer\webpi.preferences. Yes, it is a little cryptic, but here's my post about how to do it.
The file webpi.preferences is user-specific. If you want to set settings for all users, all I can think of is to write a bootstrapper application that first modifies webpi.preferences (using the code in the post) and then runs WebPlatformInstaller.exe.
I am currently working on a custom SharePoint web part (WSS 3.0, not MOSS) that will pull in information for all of the users in Active Directory to build an up to date employee directory. This web part shows things like phone number, address, and other similar fields. The issue that I am having is that, by default, the SharePoint web site on IIS is running as the user IUSR_. This user does not have access to Active Directory, so I am unable to retrieve any user information.
To get around this for testing I have hard coded the credentials for a test user which I added just for this purpose. This, obviously, is not ideal. If anyone removes this user or if they ever change the password then the web part will break and they will have no way to fix it (they have no in-house developers to take it over once I am finished here). To fix this problem, I would like to make the Username/Password custom properties on the web part so I can pass those to Active Directory to retrieve the information I need. The issue I am having with this is that the password is stored in plain text so anyone can read it. I would like it to display as ******** or something similar. Is there a way to make a custom property on a web part a password type?
If this isn't possible, can anyone recommend another way to accomplish what I am trying to do? At this time I cannot change the user that the SharePoint website runs as. Although, if I cannot find any other solutions I will try again to persuade them.
Thanks in advance!
We use a service account for that. That service account is solely used for that. Something like DOMAIN\SPS_AD_READ_CUSTOMER
In our documentation that we deliver when putting the application in production that account is put in the list of stuff that is needed to make the webpart run. If the webpart ever fails, the ITPro can go to the chapter and check if everything is still ok.
It's not ideal, but I don't really know another way on how to fix it.
I would go with custom Editor Part, then set up a control of TextBox with property TextBoxMode set to Password, then override methods from type EditorPart - SynchChanges() and ApplyChanges() to set and retrieve values.
tip: override method CreateEditorParts of a WebPart type to start with.
On the "My site" feature of Sharepoint there is a "memberships" Web part that shows the distribution list that the user is a member of.
This is picking up several groups that we would rather not be shown e.g. some that have been set up for administrative purposes only.
Is there any way to control which groups are shown; ideally this would be using another AD group and setting that only members of this group are shown.
I'm fairly sure this won't be possible without a custom web part that is deployed instead of the official part. The reason the Exchange solution doesn't work is because it's going the wrong way (from group to member instead of member to group).
To deploy it you can look at feature stapling... you would need to update the existing sites as well.
This is not an easy answer. I don't believe there is an easy answer.
The best solution would be to set a Deny Access Right for the distribution lists in Active Directory; follow these steps:
1) Open Active Directory Users & Computers as an admin (any user with access to creating groups and modify distribution list security settings).
2) Go to the View menu and make sure that there's a check-box next to Advanced Features.
Create a new security group in Active Directory (call it HideFromSharePoint or something) and add the SharePoint Content Access account (in my case DOMAIN\sa_spcontent) to that group (has to match the account used in step 4).
3) For all of the distribution lists that you don't want to show up in SharePoint do the following:
3a) Open the distribution list and select the Security tab (Advanced Features must be checked for this tab to be shown).
3b) Click on Add and type in the name of the security group that you created in step 3 (HideFromSharePoint); click Check Names and click Ok.
3c) Under Permissions for HideFromSharePoint; check the Deny box next to Read (it's set to Allow by default) and click Ok and Ok again at the prompt.
You've just denied any members of the HideFromSharePoint group read access to the distribution list.
4) Go to SharePoint Central Administration; SharedServices1; User Profiles and Properties; Configure Profile Import and under Specify Account enter the credentials of the account that you added to the HideFromSharePoint-group in step 3. (For some reason if you leave this to using the Default Content Access account SharePoint will use some other account to access Active Directory and thereby being allowed access to the distribution lists. You could experiment with adding other SharePoint service accounts to the HideFromSharePoint group but I think it's safer to specify an account explicitly so that you know which account is accessing AD and importing the data.) Also make sure the "Import Connection" for your Active Directory is set to "Use Default Account" (thereby "inheriting" the account used for Profile Imports).
5) Go to SharePoint Central Administration; SharedServices1; User Profiles and Properties and click on Start full import. (You can't do an incremental import because nothing has changed for the users in terms of group membership; it's just the access rights that have changed.) After completion of the full import (click Refresh until "Import time:" says "Started full import at 11/25/2009 ##:## AM - Ended import at 11/25/2009 ##:## AM")
The distribution lists should now no longer show up under Memberships.
A couple of things to note:
You have to set the Deny Access Right explicitly and individually on all of the distribution lists that you don't want showing up in SharePoint. That's because the special AD-group "Authenticated Users" has read access to every object in the directory by default and explicit Allow Access Rights trump Deny Access Rights set (for example) at the organizational unit level.
While you could skip the step of setting up the HideFromSharePoint-group and set the Deny Access Right directory for the SharePoint Content Access account Active Directory administration best practices is to use a group when configuring security permissions. (Then you can add additional members to that group and have those denied read access too.)
You might have to wait a while (5+ minutes or so) between setting the the Deny Access Rights for the changes to replicate to all of you domain controllers. Otherwise the import might read from a domain controller where the Deny hasn't yet come into effect.
Be careful adding any other accounts to the HideFromSharePoint-group because this might break your distribution lists. For example; if Exchange can't read the groups mail won't work. As long as you just add the SharePoint Content Access Account you're safe.
Also (and this has nothing to do with SharePoint or the solution above) be aware that any user in your domain can fire up ADUC or a LDAP tool and see the members of your distribution lists that way. If you have anything "Top Secret" you need to experiment further with setting access controls in Active Directory.
I assume that your "memberships" web part is using the SharePoint people picker functionality internally.
If that's the case, then the following stsadm command should help you scope your AD lookup the way you want it:
stsadm -o setsiteuseraccountdirectorypath -path <name of OU> -url <URL name>
You could try editing the Distribution List on the Exchange Advanced tab, selecting the "Hide group from Exchange Address lists" check box.
I have not tested this but in theory it would stop the Distribution List from appearing the the list of groups.
Easy fix: add a JavaScript to the page on which those appear that targets and then hides the specific items by applying a CSS style.
I don't have an exact answer, but here's how I would think through the problem. Perhaps you have already answered some of these questions, but it might help to go through them again. I would look at the questions in the following order:
Is there an option in Active Directory to hide a group from SharePoint? (sounds like no)
Is there an option in SharePoint administration (either through stsadm or the actual administration site) to exclude certain users or groups in AD from SharePoint?
Is there a way to configure the web part to exclude certain users or groups from the web part itself?
Is the source code to the web part available such that you can compile the web part to exclude certain groups in the list?
Can you use javascript (as Josh mentioned) in conjunction with the webpart to hide the Distribution Lists from the webpart? (Here's a site with an example of how to use JavaScript to Hide SharePoint's Quick-Launch bar. Maybe that will help).
Those questions are in order from the widest scope and easiest to implement to the narrowest scope that is more difficult to implement. Obviously, you'd like to implement a solution that is easiest to implement, but perhaps you find yourself farther down in the list.
In the last two examples, the solution may appear quite complex, but you may be able to write code that references an XML file of sites to exclude. That way, if your list of Distribution Lists changes, all you have to do is edit the XML file and not edit the source code (of either the javascript or the webpart).
If there's not a simple solution, you'd have to make the painful choice of either 1) letting the problem remain or 2) implementing a hack that adds a dependency to your solution.
I think Distribution Groups that aren't security enabled don't show up in SharePoint. Have you checked AD to see if these groups are security enabled? This may be only for permissions purposes, so I could be wrong.
You will probably need to do a profile import before you see any changes.
You can turn off Distribution Lists entirely, which is what we are doing at my company. This is done by going to the Profile Services Policies in the SSP and disabling the Distribution List feature.
Now if you want to pick and choose the Distribution Lists, it's not that simple, but hopefully this will help someone.