Active directory permissions

I have 2 domain controllers in my lab environment. I'm getting all kinds of errors due to tombstone lifetime. When I try to increase the 'tombstonelifetime', I don't have the privileges to edit it. I'm logging in with a Domain Admin account. Any ideas how I can resolve this?

Oh, this isn't good news.
What is the actual error message you get? In the event viewer in the Directory Service log as well as in the output of a "repadmin /showrepl" on both of your DCs?
If your two DCs didn't replicate for more than the TSL (tombstonelifetime), the solution isn't to increase the TSL. The recommended approach is to just get rid of one of the DCs (ideally you keep the one that has the most recent info - if any) and clean the environment of the references to this DC (metadata cleanup procedure http://technet.microsoft.com/en-us/library/cc816907(v=WS.10).aspx). Then promote a new DC. Also make sure that the root cause for the failed replication is identified; check the network configuration (routing, firewall, DNS...). In certain situations, both DCs were used and diverged for so long that you cannot really determine which DC to keep and which DC to get rid of.
Have a look here:
Troubleshooting AD Replication error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime"
https://support.microsoft.com/kb/2020053
Event ID 2042: It has been too long since this machine replicated
http://technet.microsoft.com/en-us/library/cc757610(v=WS.10).aspx
Tell us how bad it is :)
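The following script is an added example and not part of the reply above. It reads the forest tombstone lifetime (TSL) and compares it with the last successful inbound replication of every DC, so a partner that is about to cross, or has already crossed, the TSL shows up before error 8614 / event 2042 does. It assumes the ActiveDirectory PowerShell module on a Windows Server 2012 or later host; all cmdlet and property names are the module's own. One caveat relevant to the original question: tombstoneLifetime is an attribute of the Directory Service object in the Configuration partition, so writing it needs rights on that partition (Enterprise Admins has them by default), which a Domain Admin account does not necessarily have.

```powershell
# Added example (not from the original thread): report the tombstone lifetime and how long ago
# each DC last replicated successfully from each partner, flagging partners over the TSL.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # tombstoneLifetime lives on the Directory Service object in the Configuration partition
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    # An absent attribute means the directory uses the 60-day default
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Get-ReplicationAgeReport {
    $tsl = Get-TombstoneLifetimeDays
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # Inbound replication metadata as seen by this DC, one row per partner and partition
            $metadata = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop
        } catch {
            # A DC that is down or unreachable is itself a finding; report it and keep going
            Write-Warning "Cannot read replication metadata from $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $metadata) {
            $age = $now - $m.LastReplicationSuccess
            [pscustomobject]@{
                Server        = $m.Server
                Partner       = $m.Partner
                Partition     = $m.Partition
                DaysSinceOK   = [math]::Round($age.TotalDays, 1)
                OverTSL       = ($age.TotalDays -gt $tsl)
                LastResult    = $m.LastReplicationResult   # 0 = success, 8614 = TSL exceeded
                TombstoneDays = $tsl
            }
        }
    }
}

Get-ReplicationAgeReport | Sort-Object DaysSinceOK -Descending | Format-Table -AutoSize
```

Any row with OverTSL set to True is a partner that can no longer be reconciled by normal replication; that is the situation the reply above describes, where the answer is metadata cleanup and a fresh promotion rather than raising the TSL.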

Similar Messages

  • To build the organization's Active Directory permissions are what we need

    To build the organization's Active Directory permissions are what we need

    what is your actual question?  Can you be more specific?

  • Active Directory Permissions to Profile Manager

    Hopefully this will help anyone else who runs into this trouble.
    OSX 10.9
    Server App 3.0.1
    We have a profile manager server setup using our Active Directory. After initial setup the system was working fine and all users could access the services.
    In attempting to adjust the web service, the permissions for the service were turned on and domain users could no longer log in to enroll devices.
    To resolve this issue I worked through the following steps.
    In Server App > Groups found Domain Users (The group containing all users in the domain)
    Clicked the Gear and choose Edit Access to Service
    Checked off Profile Manager.
    I then added Domain Users to the Local Workgroup and allowed the same access to services. This could be done with a different group if needed.
    It may work at this point but as an additional step you can install the Workgroup Manager tool from Apple's download site. http://support.apple.com/kb/DL1698
    Log in to your Local Directory, I used /LDAPv3/127.0.0.1
    Find the group you added the permissions to in the local domain and add your Active Directory Domain Users to that group.
    Hope this saves someone else the annoyances I went through.

    So after a little more troubleshooting as well I ended up using this post after a backup of the database.
    To backup the database I used this post - https://discussions.apple.com/thread/3791994
    pg_dump -U _devicemgr -h /Library/Server/ProfileManager/Config/var/PostgreSQL/ -c device_management > $HOME/device_management.sql
    And resetting the server app and database.
    https://discussions.apple.com/message/23925691?tstart=15#23925691?tstart=15
    Interestingly this pulled my old database info back in and restored some settings that had been lost. I'm not really sure why and wouldn't trust it to happen again.
    My issue is now that AD users have to log in twice. The first time they get a denied error. Then they log out and log in on the same browser or a different computer altogether and they can get in.

  • Active Directory Permissions Problems

    Hi all,
    I'll be brief and to the point.
    New iMacs
    10.5.2
    Bound to Active Directory
    Login works fine
    Authentication to network shares works fine (albeit slow)
    But - when saving a file, let's say an HTML document in Coda, it comes up saying "You need administrative privileges to save the file, however you have permissions to replace the file".
    Same in Excel, different message, but the same deal, can't modify files, but can create, delete, rename.
    Same in Illustrator - only lets 'save as' and write over the top.
    The permissions on the AD end are set fine to read&write. Even if I create a new file, it will save it once, then if I try and edit, same deal.
    The permissions are granted as part of a 'group' - but I've added the individual username also and hasn't changed anything.
    Any thoughts would be GREATLY appreciated.

    I have an issue with OSX Leopard (10.5.2), whereby I can't write to NTFS shares on W2K3 servers with SMB signing turned on and IPV6 disabled for the interface.
    To recreate the issue:
    Create a folder named test that contains two files one named ._test.txt and test.txt on OSX and copy to an SMB share on W2k3.
    This results in spurious errors about permissions and locked files.
    Copying a file larger than 4k results in the error:
    "The operation cannot be completed because you do not have sufficient privileges or some of the items."
    Using mount_smbfs from a shell on OSX results in the error: "Permission denied"
    host:~ user$ mount_smbfs //user@server/share /Volumes/test-smbmount/
    Password:
    host:~ user$ cp test.docx /Volumes/test-smbmount/
    cp: /Volumes/test-smbmount/test.docx: Permission denied
    Using smbclient from a shell on OSX results in SUCCESS!!!
    host:~ user$ smbclient \\\\server\\\share -U user
    Password:
    Domain=[DOMAIN] OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
    smb: \> put test.docx
    putting file test.docx as \test.docx (784.7 kb/s) (average 784.7 kb/s)
    smb: \>
    There is an alternative solution if you do need to drag and drop in your gui world, it'll cost you $120
    link: http://www.thursby.com/products/dave-eval.html
    I have mailed the developer as he has obviously identified the root problem of the issue and I urged him to share his patch/resolution with Apple in the interests of the user community and a darn nice thing to do. I had a response from the developer to my request. I sent my workaround solution to the developer and stated that in my opinion the pricing for the software seems unnecessarily high based on the functionality it provides and way above what I would be willing to pay to resolve one small issue.
    <developers response>
    Pricing is a difficult topic to discuss -- but if you have no use for the product, any price is too much. As for reporting bugs to Apple, they'll listen to customers much sooner than they'll listen to developers. And they have some of the brightest engineers I know. If you report the bug to them, they'll likely have it fixed in the next update.
    </developers response>
    I couldn't find a way to report the bug myself so I had a friend do it for me. The response I had back from Apple was less than satisfactory.
    They believe that the issue is to do with NTFS streams and that a file containing ".com.apple.smb.streams.on" needs to be created and placed into the root of shared volumes. This is not a fix!
    If you want to prevent writing the "Apple Double" files to a remote share, enter the following into a terminal:
    $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true
    Problem still exists.
    ref: http://docs.info.apple.com/article.html?artnum=301711
    <apple double description>
    ref: http://docs.info.apple.com/article.html?artnum=106510
    Before Mac OS X, the Mac OS used 'forked' files, which have two components: a data fork and a resource fork. The Mac OS Standard (HFS) and Mac OS Extended (HFS Plus) disk formats support forked files. When you move these types of files to other disk formats, the resource fork can be lost.
    With Mac OS X, there is a mechanism called "Apple Double" that allows the system to work with disk formats that do not have a forked file feature, such as remote NFS, SMB, WebDAV directories, or local UFS volumes. Apple Double does this by converting the file into two separate files. The first new file keeps the original name and contains the data fork of the original file. The second new file has the name of the original file prefixed by a "._ " and contains the resource fork of the original file. If you see both files, the ._ file can be safely ignored. Sometimes when deleting a file, the ._ component will not be deleted. If this occurs you can safely delete the ._ file.
    </apple double description>
    I am not the only one with this issue. A quick peruse on http://macwindows.com/ will show that numerous people are suffering and numerous workarounds have been suggested. Sadly none of them work for me. Each workaround is stranger than the previous, such as disabling IPV6 and updating Daylight Savings Time.
    The issue lies with the samba integration. I am primarily a Gentoo Linux user and this kind of bug would have been resolved almost instantly if present in open source software.

  • 802.1x WLANs authenticated via RADIUS and Active Directory permit any user access to any WLAN

    Hi,
    I have configured several WLANs with WPA2 and 802.1x which authenticate users through a RADIUS server (Windows Internet Authentication Service) that connects to an Active Directory. In the AD there is one user group for each WLAN, but the problem is that any user that was added to some group can get access to any WLAN. Does anybody know if I need some configuration on the WLC to restrict that?
    thanks for your help.

    Hi Scott,
    I have done some tests modifying the RADIUS policy to look at the Called-Station-ID and also tests looking at the NAS-ID. In the first case, I changed the Call Station ID Type in the WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID, and in the RADIUS server used .*:SSID-NAME$ and SSID-NAME$, but it blocks access for any user. In the second case, I changed the NAS-ID in the WLC WLAN and interface configuration and in the RADIUS server policy to match all, but it doesn't have any impact. What other test could I try?
    thanks for your help. 

  • Set Active Directory Folder Permission

    We have added a Lion server to an active directory domain, however I cannot determine how to set Active Directory permissions on shared folders on the Mac. Ideally we want our windows users to access shared folders on the Mac however we would like to lock them down so we can restrict some users.
    Is anyone able to point me in the right direction?
    Thanks in advance.

    Similar Discussion:
    How i can update thumbnailPhoto AD attribute with powershell?
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/403cda19-7a63-4d95-a273-8f7885e836cd/how-i-can-update-thumbnailphoto-ad-attribute-with-powershell?forum=ITCG
    Regards,
    Rafic

  • How to set permissions on a file for a Mac without active Directory

    We don't have our Macs in the Active Directory, we are looking to share an external hard drive to only Macs and not the Windows PC's on the network with out using active directory. I have tested sharing the external hard drive from a PC to everyone and both the PC's and Macs can access this, but we only want the Macs to see this and access this and not everyone. There is no selection for sharing with the computer name in the Share permissions so the only way to do this is to share it to everyone. The Mac accounts are local to the Macs and the PC's are on Active Directory so what i need to do is have a way to share this folder with only Macs and not all the windows PC's. Any solutions, any ideas will help
    Thanks

    hi
    good
    go through these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/b9/b4de3f68d48f15e10000000a155106/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/be/0de03f41b9eb06e10000000a1550b0/content.htm
    thanks
    mrutyun

  • [Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

    As we all know, the ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
    To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed below:
    System.DirectoryServices.ActiveDirectoryAccessRule class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
    System.DirectoryServices.ActiveDirectoryRights class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
    System.Security.AccessControl.AccessControlType class:
    http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
    System.DirectoryServices.ActiveDirectorySecurityInheritance class:
    http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
    In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general, we use Active Directory Service Interfaces (ADSI) or the Active Directory module cmdlets together with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use extended rights and GUID settings for more complex permission settings.
    Method 1: Using ADSI
      1. Get current permissions of an organizational unit (OU)
    We can use the PowerShell script below to get the current permissions of an organizational unit; you just need to define the name of the OU.
    $Name = "OU=xxx,DC=com"
    $ADObject = [ADSI]"LDAP://$Name"
    $aclObject = $ADObject.psbase.ObjectSecurity
    # Explicit and inherited rules, with the trustee returned as a SID rather than a name
    $aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
    $output=@()
    foreach($acl in $aclList) {
        $objSID = [System.Security.Principal.SecurityIdentifier]$acl.IdentityReference
        # A SID with no matching account (e.g. a deleted principal) cannot be translated; keep the SID string in that case
        try { $ntAccount = $objSID.Translate([System.Security.Principal.NTAccount]) } catch { $ntAccount = $objSID.Value }
        $info = @{
            'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
            'InheritanceType' = $acl.InheritanceType;
            'ObjectType' = $acl.ObjectType;
            'InheritedObjectType' = $acl.InheritedObjectType;
            'ObjectFlags' = $acl.ObjectFlags;
            'AccessControlType' = $acl.AccessControlType;
            'IdentityReference' = $acl.IdentityReference;
            'NTAccount' = $ntAccount;
            'IsInherited' = $acl.IsInherited;
            'InheritanceFlags' = $acl.InheritanceFlags;
            'PropagationFlags' = $acl.PropagationFlags;
        }
        $obj = New-Object -TypeName PSObject -Property $info
        $output+=$obj
    }
    $output
    In the figure below, you can see the results of running the script above:
    Figure 1.
    2. Assign a computer object with Full Control permission on an OU
    We can use the script below to delegate Full Control permission to the computer objects within an OU:
    $SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
    $computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
    $SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
    $SysManObj.psbase.commitchanges()
    After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
    Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
    You can use the script below to get and assign Full Control permission to a computer object on an OU:
    $acl = get-acl "ad:OU=xxx,DC=com"
    $acl.access #to get access right of the OU
    $computer = get-adcomputer "COMPUTERNAME"
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    # Create a new access control entry to allow access to the OU
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
    # Add the ACE to the ACL, then set the ACL to save the changes
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
    Method 3: Using GUID setting
    The scripts above can only help us to complete simple tasks; however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve that.
    Object-specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by setting the ObjectType field in an object specific ACE to the rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the InheritedObjectType field to the schemaIDGuid of the class.
    We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
    You can use the script below to assign the group object the permission to change user passwords on all user objects within an OU.
    $acl = get-acl "ad:OU=xxx,DC=com"
    $group = Get-ADgroup xxx
    $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
    # The following object specific ACE is to grant Group permission to change user password on all user objects under OU
    $objectguid = new-object Guid "00299570-246d-11d0-a768-00aa006e0529" # rightsGuid for the extended right User-Force-Change-Password ("Reset Password")
    $inheritedobjectguid = new-object Guid "bf967aba-0de6-11d0-a285-00aa003049e2" # schemaIDGuid for the user class
    $identity = [System.Security.Principal.IdentityReference] $SID
    $adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
    The figure below shows the result of running the script above:
    Figure 2.
    In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
    $guidChangePassword      = new-object Guid "ab721a53-1e2f-11d0-9819-00aa0040529b"
    $guidLockoutTime         = new-object Guid "28630ebf-41d5-11d1-a9c1-0000f80367c1"
    $guidPwdLastSet          = new-object Guid "bf967a0a-0de6-11d0-a285-00aa003049e2"
    $guidComputerObject      = new-object Guid "bf967a86-0de6-11d0-a285-00aa003049e2"
    $guidUserObject          = new-object Guid "bf967aba-0de6-11d0-a285-00aa003049e2"
    $guidLinkGroupPolicy     = new-object Guid "f30e3bbe-9ff0-11d1-b603-0000f80367c1"
    $guidGroupPolicyOptions  = new-object Guid "f30e3bbf-9ff0-11d1-b603-0000f80367c1"
    $guidResetPassword       = new-object Guid "00299570-246d-11d0-a768-00aa006e0529"
    $guidGroupObject         = new-object Guid "BF967A9C-0DE6-11D0-A285-00AA003049E2"
    $guidContactObject       = new-object Guid "5CB41ED0-0E4C-11D0-A286-00AA003049E2"
    $guidOUObject            = new-object Guid "BF967AA5-0DE6-11D0-A285-00AA003049E2"
    $guidPrinterObject       = new-object Guid "BF967AA8-0DE6-11D0-A285-00AA003049E2"
    $guidWriteMembers        = new-object Guid "bf9679c0-0de6-11d0-a285-00aa003049e2"
    $guidNull                = new-object Guid "00000000-0000-0000-0000-000000000000"
    $guidPublicInformation   = new-object Guid "e48d0154-bcf8-11d1-8702-00c04fb96050"
    $guidGeneralInformation  = new-object Guid "59ba2f42-79a2-11d0-9020-00c04fc2d3cf"
    $guidPersonalInformation = new-object Guid "77B5B886-944A-11d1-AEBD-0000F80367C1"
    $guidGroupMembership     = new-object Guid "bc0ac240-79a9-11d0-9020-00c04fc2d4cf"
    More information:
    Add Object Specific ACEs using Active Directory Powershell
    http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
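    The FAQ above shows how to read and add ACEs; the reverse exercise a defender needs is reading an OU's DACL with the ObjectType and InheritedObjectType GUIDs resolved to names and spotting the entries that amount to control of the OU or of everything below it. The script below is an added example, not part of the Forum FAQ. It assumes the ActiveDirectory module, a placeholder OU DN in $OUPath, and the two GUIDs the FAQ itself lists (Reset Password and the member attribute); the name map is built from the schema partition (schemaIDGUID) and the Extended-Rights container (rightsGuid), which is where the FAQ's GUID constants come from.

```powershell
# Added example (not the FAQ's code): resolve GUIDs in an OU's DACL and flag risky delegations.
Import-Module ActiveDirectory

$OUPath = "OU=xxx,DC=example,DC=com"   # placeholder, replace with the OU to audit

# GUIDs from the FAQ that matter most when reviewing delegations
$ResetPasswordGuid = [guid]"00299570-246d-11d0-a768-00aa006e0529"   # extended right User-Force-Change-Password
$MemberGuid        = [guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"   # attribute 'member' (group membership)

# GUID -> name table: classes and attributes from the schema, extended rights and property sets
# from CN=Extended-Rights in the Configuration partition
function Get-ADGuidNameMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    $empty = [guid]::Empty
    $map[$empty] = "(all)"
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $g = [guid]$_.schemaIDGUID; $map[$g] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
        ForEach-Object { $g = [guid]$_.rightsGuid; $map[$g] = $_.displayName }
    return $map
}

function Get-OUDelegationReport([string]$DistinguishedName) {
    $names = Get-ADGuidNameMap
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        $reasons = @()
        if ($ace.AccessControlType -eq 'Allow') {
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { $reasons += 'GenericAll' }
            elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -or
                    $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)) { $reasons += 'WriteDacl/WriteOwner' }
            # ExtendedRight with an empty ObjectType covers every extended right, Reset Password included
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $ResetPasswordGuid)) { $reasons += 'Reset Password' }
            # WriteProperty with an empty ObjectType covers every attribute, member included
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $MemberGuid)) { $reasons += 'Write member' }
        }
        $objName = $names[$ace.ObjectType]
        if (-not $objName) { $objName = $ace.ObjectType.ToString() }
        $inhName = $names[$ace.InheritedObjectType]
        if (-not $inhName) { $inhName = $ace.InheritedObjectType.ToString() }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $rights
            ObjectType  = $objName
            InheritedTo = $inhName
            Inheritance = $ace.InheritanceType
            IsInherited = $ace.IsInherited
            HighRisk    = ($reasons.Count -gt 0)
            Reason      = ($reasons -join ', ')
        }
    }
}

Get-OUDelegationReport $OUPath | Where-Object HighRisk | Sort-Object Identity | Format-Table -AutoSize
```

    Drop the Where-Object to see the whole DACL. An entry that should not be there is removed the same way the FAQ adds one: call $acl.RemoveAccessRule($ace) with the matching ActiveDirectoryAccessRule and write the result back with Set-Acl.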

    The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
    Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
    Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
    If you've got time, check out this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
    Sample version 3.0:
    # This is going to be kind of slow, and it will take a few seconds the first time
    # you run it because it has to build the list of GUID <--> Property/Class/etc objects
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
    # Same as the previous command, except limit it to access granted to GroupX
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
    Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
    Get-ADGroup GroupY |
    Get-AccessControlEntry
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
    # You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.AccessMask -match "All Prop|member Prop" }
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
    Get-ADGroup GroupY |
    Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
    where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
    That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
    New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object
     

  • Active Directory: how to return users account permissions RWDA?

    In SCS 7.x
    I've been looking through idoc functions and couldn't find one to return the user's account permissions when they log in with Active Directory.
    How is this done?
    I've noticed they added the code in 10g:
    <$userHasAccessToAccount("profile_account", "R")$>
    Thanks.
    Update:: I ended up just writing my own function that called a service returned AD info split the string and matched it against the account to return 1 = R, 2 = W, 4 = D, 8 = A
    R = 1
    RW = 3
    RWD = 7
    RWDA = 15


  • "Active Directory operation failed on DC " when assigning Send As permissions on a distribution group

    I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
    Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
    Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
        + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
        + FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
    What could be the problem, considering the items below :
    - inheritance is not broken to the level of the distribution group object
    - the account used to run the cmdlet is a member of the Organization Management group
    - creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties)
    shows no differences.
    - adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
    - there is no Deny permission on the group's ACL
    - the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues

    Anyone ever come up with a solution to this?  I get something similar when Activesync tries to create objects on user containers.
    Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
    Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
    Details:%3
    So...I get this after I introduced a MS Exchange 2010 SP3 RU8 server into my environment.  You can find LOTS of people suggesting the same fix but I've not found anything that deviates from those fixes: check the "inherit permissions", and give full permissions to msExchActiveSyncDevices for the Exchange Servers security group, blah blah.
    I got to this point by following a Migrate to Exch2010 paper by MS.  I have no Win2k servers, my old Exchange server is Win2003r2SP2 with Exch2003SP2 fully patched.  The Exch server is also a DC.  I installed a new 2012r2 server and then patched it.  Installed Exch2010SP3Ru8 and all seems well.
    The old Exch2003 server is still in production.  My iPhone army connects remotely for mail, and all works great.  I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit.  It eventually shows up in the Server Manager on the new 2010 Exch Server.  I send it a bunch of emails, connect to it with an Outlook client on a Win7 machine, all works.  I go to the SM on the 2010 box and migrate the mailbox to the new server.  It works.  I can connect with Outlook, send/receive mail to other users in the org.  I then try to connect with my iPhone and I get the message in Event Viewer over and over.
    Went so far as to promote the new 2012 server to a DC.  Seems to be fine.  Now am wondering if I demote the old Exch2003 server will it help...or cause a new crop of issues....
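    Both posts in this thread hit INSUFF_ACCESS_RIGHTS on one object while the same operation works on a freshly created sibling, and both list the same things to rule out: broken inheritance, Deny entries, and missing inherited grants. The script below is an added example, not from the thread, that collects exactly those properties for one object so the comparison between the failing group (or the user container in the ActiveSync reply) and a working one is mechanical. It assumes the ActiveDirectory module and a placeholder DN in $TargetDN. It also reports adminCount, a property the thread does not mention: SDProp sets adminCount=1 and disables inheritance on objects it protects and rewrites their ACL from AdminSDHolder periodically, so a manual ACL change on such an object silently reverts.

```powershell
# Added example (not from the thread): the ACL properties that decide whether an ACE can be added
# to an AD object, and whether a change will stick.
Import-Module ActiveDirectory

$TargetDN = "CN=MyGroup,OU=xxx,DC=example,DC=com"   # placeholder DN of the group or user object

function Get-ADObjectAclDiagnostics([string]$DistinguishedName) {
    $obj = Get-ADObject -Identity $DistinguishedName -Properties adminCount, nTSecurityDescriptor
    $sd = $obj.nTSecurityDescriptor      # System.DirectoryServices.ActiveDirectorySecurity
    $access = @($sd.Access)
    $deny = @($access | Where-Object { $_.AccessControlType -eq 'Deny' })
    try { $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value }
    catch { $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }   # unresolvable owner SID
    [pscustomobject]@{
        Object             = $obj.DistinguishedName
        Class              = $obj.ObjectClass
        # 1 means SDProp manages this ACL: inheritance is disabled and the DACL is reset from AdminSDHolder
        AdminCount         = $obj.adminCount
        InheritanceBlocked = $sd.AreAccessRulesProtected
        Owner              = $owner
        InheritedAceCount  = @($access | Where-Object { $_.IsInherited }).Count
        ExplicitAceCount   = @($access | Where-Object { -not $_.IsInherited }).Count
        DenyAces           = ($deny | ForEach-Object { "$($_.IdentityReference) $($_.ActiveDirectoryRights)" }) -join '; '
    }
}

Get-ADObjectAclDiagnostics $TargetDN | Format-List
```

    Run it against the failing object and against the new group or user that works, and compare: a lower InheritedAceCount on the failing one, InheritanceBlocked set to True, or a non-empty DenyAces is the difference to chase.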

  • Again - Active Directory Management Pack - AD MP - SCOM 2012R2 - AD 2012R2 - Action / RunAs Account permissions

    Hi,
    after reading many posts and blogs I came to the conclusion that it is still unclear to me what is needed to monitor Active Directory successfully and what is the most secure way of configuring the RunAs or Action Account. I hope the experts here can make a clear statement to answer the question for all time ;-)
    1. Action Account:
    Here is described what permissions and rights are needed to use a low-privileged account:
    https://technet.microsoft.com/en-us/library/hh212808.aspx
    Now you might say: that was asked and answered so many times.. you are right, but the answers ranged from "run as local System" to "you need local admin". Also the AD MP documentation still says you need a local Admin account.
    Here are other references which say you need local admin rights:
    http://micloud.azurewebsites.net//2014/02/26/scom-agent-grayed-out-when-trying-to-monitor-domain-controllers/
    Even Kevin Holman says here
    https://social.technet.microsoft.com/Forums/systemcenter/en-US/2a0e5a2b-a3d9-42d4-8474-9f690007caa0/opsmgrlatency-cn-gets-auto-created-in-domain-not-configuration:
    "Basically - if your domain controllers are running as local system default agent action account, in most cases you will not need to ever set up any replication monitoring run-as accounts.... as local system on a DC has all the rights necessary. (in most cases)."
    Simple questions: Is this really enough to monitor every aspect of an Active Directory domain and domain controller using a low-privilege account with the permissions in the article? Or is using local System better? Is there a difference when using SCOM 2012 R2 with the new agent? Most documentation refers to SCOM 2007 (except the replication monitoring, where it is clear that other permissions are needed:
    http://blogs.technet.com/b/jimmyharper/archive/2009/05/20/configuring-or-disabling-replication-monitoring-in-the-active-directory-management-pack.aspx )

    The MP guide is not really clear about it. The only thing it is clear about is that whenever you want to use client monitoring, a low-privileged account will not work:
    "For each of the client-side monitoring scripts to run successfully, the Action Account must be a member of the Administrators group on both the computer on which the client management pack is running and the domain controller that is being monitored. The Action Account must also be a member of the Operations Manager Administrators group, which is configured through the Operations console, so that all the scripts that are configured on the Root Management Server can run properly."
    Both a local system and domain admin are a risk. If someone loads a malicious management pack that makes changes to the AD services you are screwed. The local system has unrestricted access to local resources including domain services.
    The only reason I don't want a domain admin account in SCOM is that you have an additional layer where the password potentially could be retrieved. That's not the case with a local system account. But the risks are the same.
    See: https://msdn.microsoft.com/en-us/library/ms677973%28v=vs.85%29.aspx
    But this is not an answer to your question. :-)

  • Copy usernames and file permissions from old workgroup to new Active Directory

    Hi,
    I have a Windows Server 2003 R2 with about 60 users, 100 shared folders and 5000 subfolders. Each folder has share and security permissions. Each subfolder has security permissions. No Active Directory.
    I need to install Windows Server 2012 R2 (as primary domain controller) and re-create:
    the same users (which can have a different GUID but must have the same username as on the old server),
    the same shared folders, with the same permissions as on the old server granted to the users,
    the same subfolders, with the same permissions as on the old server granted to the users,
    all under Active Directory.
    Is there a way to automate these steps?
    Thanks!

    Look in the script repository for scripts that export local users and groups.
    You will have to learn how these two systems work and develop a script / method for translating between the two systems. It is very dependent on what has been done on the old system. Using USMT and MDT would be the best.
    Post in the deployment forum for instructions on how to use the MDT to migrate users in a batch. You would start by adding the 2003 server to the 2012 domain, and then the MDT can be customized to do the move.
    https://technet.microsoft.com/en-us/windows/dn475741.aspx?f=255&MSPPError=-2147217396
    https://social.technet.microsoft.com/Forums/en-US/home?forum=mdt
    ¯\_(ツ)_/¯
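    The "translating between the two systems" step the answer mentions is where most migrations break: tools that save ACLs by SID cannot be restored once the accounts are re-created in the domain, because every account gets a new SID. The following is an added example (not from the thread, nor a Microsoft tool): it exports the explicit NTFS ACEs of a folder tree by account *name*, and on the new server re-applies them after rewriting the old server's local-account prefix to the domain prefix. The paths `D:\Shares`, the prefixes `OLDSERVER\` and `CORP\`, and the CSV location are assumptions to adjust. It uses only cmdlets present in PowerShell 2.0, so the export half can run on the 2003 R2 box.

```powershell
# Added example (not from the thread): export NTFS ACEs by account name,
# then re-apply them on the new server with OLDSERVER\user -> CORP\user.
# Assumed values: $Root, $OldPrefix, $NewPrefix, $CsvPath (adjust to your environment).

function Export-NtfsAcl {
    param([string]$Root, [string]$Csv)
    # Root folder plus every subfolder (PSIsContainer keeps this PowerShell 2.0 compatible)
    $dirs = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force |
             Where-Object { $_.PSIsContainer })
    $rows = foreach ($d in $dirs) {
        $acl = Get-Acl -Path $d.FullName
        foreach ($ace in $acl.Access) {
            # Only explicit ACEs are exported; inherited ones are re-created by inheritance
            if ($ace.IsInherited) { continue }
            New-Object PSObject -Property @{
                Path        = $d.FullName.Substring($Root.Length)   # path relative to $Root
                Identity    = $ace.IdentityReference.Value           # e.g. OLDSERVER\alice
                Rights      = $ace.FileSystemRights.ToString()
                Type        = $ace.AccessControlType.ToString()
                Inheritance = $ace.InheritanceFlags.ToString()
                Propagation = $ace.PropagationFlags.ToString()
            }
        }
    }
    $rows | Export-Csv -Path $Csv -NoTypeInformation
    $rows.Count
}

function Import-NtfsAcl {
    param([string]$Csv, [string]$NewRoot, [string]$OldPrefix, [string]$NewPrefix)
    $applied = 0
    foreach ($row in Import-Csv -Path $Csv) {
        $identity = $row.Identity
        # Translate local workgroup accounts to their re-created domain accounts.
        # Well-known principals (BUILTIN\, NT AUTHORITY\, CREATOR OWNER) are left as-is.
        if ($identity.StartsWith($OldPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $identity = $NewPrefix + $identity.Substring($OldPrefix.Length)
        }
        $target = $NewRoot + $row.Path
        try {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $identity,
                [System.Security.AccessControl.FileSystemRights]$row.Rights,
                [System.Security.AccessControl.InheritanceFlags]$row.Inheritance,
                [System.Security.AccessControl.PropagationFlags]$row.Propagation,
                [System.Security.AccessControl.AccessControlType]$row.Type)
            $acl = Get-Acl -Path $target
            $acl.AddAccessRule($rule)          # throws if $identity cannot be resolved
            Set-Acl -Path $target -AclObject $acl
            $applied++
        } catch [System.Security.Principal.IdentityNotMappedException] {
            Write-Warning "Account '$identity' does not exist in the domain yet (needed on $target)"
        }
    }
    $applied
}

# On the old server:
#   Export-NtfsAcl -Root 'D:\Shares' -Csv 'C:\acl-export.csv'
# On the new server, after the users and groups have been re-created in AD:
#   Import-NtfsAcl -Csv 'C:\acl-export.csv' -NewRoot 'D:\Shares' -OldPrefix 'OLDSERVER\' -NewPrefix 'CORP\'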

  • Delegate permissions in Active Directory

    Hello All,
    I have a temporary technician who comes in once in a while to do work for us. I want to delegate the following permissions for the day-to-day support tasks:
    1) Reset users' passwords
    2) Unlock user accounts
    3) Join computers to our domain and remove computers from our domain
    All our users are kept under "OU=Staff" and all our computer accounts are kept under "OU=Computers".
    I don't want to give this technician any other unnecessary permissions on other OUs. My domain controller is Windows 2008.
    Can you please help me with how to do this task.
    Regards,

    See the Wiki I started here for permissions delegation in AD: http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx
    To delegate unlocking user accounts: http://windowsitpro.com/security/q-how-can-i-delegate-right-unlock-locked-active-directory-ad-user-accounts
    To delegate the reset of users password: http://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
    To delegate joining computers to a domain: https://robiulislam.wordpress.com/2012/02/07/delegate-non-admin-account-to-add-workstations-to-domain/
    To delegate removing computers from a domain: http://sigkillit.com/2013/06/12/delegate-adddelete-computer-objects-in-ad/
    In case you would also like to delegate moving AD objects, here you go: http://social.technet.microsoft.com/wiki/contents/articles/20747.delegate-moving-user-group-and-computer-accounts-between-organizational-units-in-active-directory.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
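    The same three delegations can be scripted instead of clicked through the Delegation of Control wizard, which also makes the resulting ACEs easy to review and to reproduce in a second domain. The following is an added example, not code from the thread or from any of the linked articles. It grants a helpdesk group, on OU=Staff, the "Reset Password" extended right and write access to lockoutTime (clearing lockoutTime is what unlocks an account) on user objects only, and on OU=Computers the right to create and delete computer objects, nothing else. The group name `Helpdesk-Tier1` and the `DC=example,DC=com` distinguished names are assumptions; the GUIDs are looked up from the schema and the Extended-Rights container at run time rather than hard-coded.

```powershell
# Added example (not from the thread): least-privilege delegation via ACEs on two OUs.
# Assumptions to adjust: group 'Helpdesk-Tier1' exists; OU DNs below match your domain.
Import-Module ActiveDirectory

$Group      = 'Helpdesk-Tier1'
$StaffOU    = 'OU=Staff,DC=example,DC=com'
$ComputerOU = 'OU=Computers,DC=example,DC=com'

$rootDse  = Get-ADRootDSE
$identity = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $Group).SID

# Resolve object-type GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$lockoutTime   = Get-SchemaGuid 'lockoutTime'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$All     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

# OU=Staff: reset password and unlock (write lockoutTime), scoped to descendant user objects
$acl = Get-Acl -Path "AD:\$StaffOU"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, 'ExtendedRight', $Allow, $resetPassword, $Descend, $userClass)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, 'ReadProperty, WriteProperty', $Allow, $lockoutTime, $Descend, $userClass)))
Set-Acl -Path "AD:\$StaffOU" -AclObject $acl

# OU=Computers: create and delete computer objects (join / remove), no other object class
$acl = Get-Acl -Path "AD:\$ComputerOU"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, 'CreateChild, DeleteChild', $Allow, $computerClass, $All)))
Set-Acl -Path "AD:\$ComputerOU" -AclObject $acl

# Review what the group ended up with on each OU (the check you want before handing over the account)
foreach ($ou in $StaffOU, $ComputerOU) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" } |
        Select-Object @{n='OU';e={$ou}}, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}
```

    Two points worth checking after running it. First, the rights are granted to a group, so the technician's account is added to (and later removed from) `Helpdesk-Tier1` instead of touching the OU ACLs again. Second, creating a computer object makes the creator its owner, which is what lets the technician complete the join for accounts they created themselves; computer accounts pre-staged by someone else would need additional per-object rights, and the linked posts cover that case.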

  • Permissions issue binding and logging into Active directory

    Hello:
    We're having an issue with file permissions when our Macs connect to SMB shares via AD. We bind the Macs to Active Directory, but when the users connect to the SMB shares (Go > Connect to Server, smb://.......) they see everything on the drive, not just their shares. Is there a setting in the Directory Utility that will only allow the user to see their shares, or is this an issue on the Windows side of the house? The Windows users do not have this problem. Any help would be greatly appreciated.
    Thanks, Rick
    Mac clients are running 10.6 through 10.8

    Also be aware of Apple's white paper on this:
    http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf
    A wide variety of IT-focused white papers are available here:
    http://training.apple.com/osx

  • Active Directory Authentication and permissions for user group in APEX 4.0

    Hello,
    I am new to Oracle APEX and I have searched the forum for Active Directory authentication for a user group, and I am really confused by all the different threads. Can anyone please provide me the steps to follow in order to implement AD authentication for a user group in Oracle APEX 4.0.
    These are the threads I was looking at to get an idea of how AD authentication works, but it is really confusing for me.
    Help with Authentication (APEX_LDAP.AUTHENTICATE)
    Re: LDAP Authentication Via Groups
    Thanks,
    Tony

    You need to give it more than 30 minutes before bumping your own post. This is not an official support channel, so you need to be patient and wait for people to read, think and respond.
