Manage user access
- Ryan Drescher
- Nick Neal
"sudo nano /etc/sssd/conf.d/access.conf"
- Using an account with 'sudo' privileges, edit the access.conf file located at the path above.
- To give a user access to log in, add their NetID to the 'simple_allow_users' line. If this line does not exist, you can create it. The list of users must be comma-separated.
- Restart the sssd service: sudo systemctl restart sssd.service OR reboot the system.
Use with caution. This will enable the user to make system-wide changes and should be reserved for users who have familiarity with a Linux command-line environment.
If the user is logged in, the user will need to log out and log back in again for the system to assign the privileges to their account.
"sudo usermod -aG sudo <netid>"
- Using an account with 'sudo' privileges, run the above command, substituting in the user's NetID.
1) On the remote computer, right-click on the start menu and click "Windows PowerShell (Admin)"
2) Copy in the following command, substituting in the user's Netid
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "AD\<netid>"
Please submit a request to ischoolit@ot.syr.edu with the user's netid and we can configure this for you
1) Click on the "Start" menu and then the gear icon in the left-hand menu, then open the "Settings" panel
2) In the search bar, type "Remote Desktop" and then click on the "Remote Desktop Settings" search result
3) In the "Remote Desktop" settings, first make sure the "Enable Remote Desktop" option is enabled. Then, click "Select users that can remotely access this PC"
4) Click "Add" on the "Remote Desktop Users" window (1). Ensure the "Location" is set to "ad.syr.edu" (2), and then type the netid of the user (3)
5) Click "OK".
At this time, please submit a request to ischoolit@ot.syr.edu and we can configure this for you
1) On the remote computer, right-click on the start menu and click "Windows PowerShell (Admin)"
2) Copy in the following commands line by line, substituting in the user's Netid or "L-netid" to create an admin account (examples below)
Standard user:
$Password = Read-Host -AsSecureString
New-LocalUser -Name "<netid>" -FullName "Firstname Lastname" -Description "Standard user account for <netid>" -Password $Password
Admin user:
$Password = Read-Host -AsSecureString
New-LocalUser -Name "<netid>" -FullName "Firstname Lastname" -Description "Admin user account for <netid>" -Password $Password
1) Click on the "Start" menu and then the gear icon in the left-hand menu, then open the "Settings" panel
2) Click on "Accounts" in the settings menu
3) Click on "Other users"
4) Click on "Add someone else to this PC"
5) Double-click into the "Users" location
6) Fill in the user's information, as shown below, using a temporary password and click "Create" when finished. To create an admin account, use the prefix "L-" before the netid (second image)
NOTE: Only standard (non-administrator) accounts should be allowed interactive login privileges!
1) On the remote computer, right-click on the start menu and click "Windows PowerShell (Admin)"
2) Paste in the following command, substituting the local account name
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "<netid>"
1) From within the "lusrmgr" menu (Step #5 in the previous section), click into the "Groups" location in the tree and then double-click to open the "Remote Desktop Users" group
2) You'll see the users who currently have RDP access. Click "Add"
3) Type the user account in the "object name" box and click "OK"
A separate "l-netid" account should be created for this purpose, and the admin account cannot be provided direct remote desktop access.
1) On the remote computer, right-click on the start menu and click "Windows PowerShell (Admin)"
2) Paste in the following command, substituting the "L-<netid>" account name
Add-LocalGroupMember -Group "Administrators" -Member "L-<netid>"
1) Follow the "account-creation" steps above to create a new local user account ("l-netid")
2) From within the "lusrmgr" menu (Step #5 in the account creation guide), click into the "Groups" location in the tree and then double-click into the "Administrators" group
3) Type the "L-" user account in the "object name" box and click "OK"
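To check a machine against the two rules above (only standard accounts in "Remote Desktop Users", and no direct remote desktop access for "L-" admin accounts), the following audit can be run from "Windows PowerShell (Admin)". It is an added example, not part of the original guide; the function name Test-RdpAdminSeparation is hypothetical, and it assumes admin accounts follow the "L-<netid>" naming convention described above.

```powershell
# Added example (not from the original guide). Run in "Windows PowerShell (Admin)".
# Assumption: admin accounts use the "L-<netid>" naming convention from this page.

function Test-RdpAdminSeparation {
    [CmdletBinding()]
    param(
        [string]$RdpGroup   = 'Remote Desktop Users',
        [string]$AdminGroup = 'Administrators'
    )

    # Index Administrators members by SID so the match does not depend on names.
    $adminSids = @{}
    foreach ($m in Get-LocalGroupMember -Group $AdminGroup -ErrorAction Stop) {
        $adminSids[$m.SID.Value] = $m.Name
    }

    foreach ($m in Get-LocalGroupMember -Group $RdpGroup -ErrorAction Stop) {
        # Name looks like "COMPUTER\account" or "AD\netid"; keep the account part.
        $account = ($m.Name -split '\\')[-1]

        $reasons = @()
        if ($adminSids.ContainsKey($m.SID.Value)) { $reasons += "also a member of $AdminGroup" }
        if ($account -like 'L-*')                 { $reasons += 'L- (admin) account name' }

        [pscustomobject]@{
            Member      = $m.Name
            ObjectClass = $m.ObjectClass       # User or Group
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, ...
            Compliant   = ($reasons.Count -eq 0)
            Reason      = ($reasons -join '; ')
        }
    }
}

$report = @(Test-RdpAdminSeparation)
$report | Format-Table -AutoSize

$violations = @($report | Where-Object { -not $_.Compliant })
if ($violations.Count -gt 0) {
    Write-Warning "$($violations.Count) member(s) of Remote Desktop Users break the admin/RDP separation rule."
    # After review, remove an entry with:
    #   Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member '<account>'
}
```

Entries with ObjectClass "Group" are reported as-is; their membership has to be reviewed separately because the script does not expand nested groups.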