AD Group Membership revoked on adding new group through role and access policy

Hi all,
When a user is created in OIM, it is provisioned with a default role, say CONTRACTS, which provisions an AD account and a default AD group membership.
When I assign a new role membership, say BILLING, to assign additional AD group memberships through access policies, it removes the default AD group membership from the user. But the user still has both roles, CONTRACTS and BILLING.
The OOTB AD task "Remove User From Group" is triggered.
The problem is happening only in the testing environment.
In the development environment it is working fine:
it is not removing the default group memberships.
Any ideas or thoughts on what I need to check?
My OIM server is 11.1.1.3.0, with a WebLogic setup.
Edited by: Venu on Dec 2, 2011 1:06 PM

Do one thing:
Take a new user.
Assign BILLING first.
Assign the second group.
And then assign CONTRACTS.
Update with the results.
It is happening in one environment only, so you might have done some configuration there, or it could be an environment issue as well.

Similar Messages

  • Adding new groups to weblogic

    Is there a way of adding new groups to weblogic without using the console ? I need to add a list of group names (~100) from a flat file to weblogic. Is there a way I could automatically add those groups instead of me creating each of those groups from the console. Any suggestions would be helpful. Thanks.

    This is likely not the forum to get an answer to this question - check the BEA support fora.
    IIRC groups are defined in weblogic.xml - unless you are talking about some other groups, in which case it depends on your authorization provider, right?
    Good Luck
    Lee
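    As an added example (not code from the thread or from WebLogic's own tooling), the bulk import the question asks for can be done with a WLST (Jython) script instead of the console. It targets the DefaultAuthenticator, whose embedded LDAP is writable through the authentication provider MBean; if your realm uses a different provider (an external LDAP or AD authenticator, for instance), that provider is typically read-only from WLST and the groups have to be created in the backing directory instead. The host, port, credentials, file layout and name policy below are assumptions for the example; connect, cmo and disconnect are WLST built-ins.

```python
# Added example: bulk-create WebLogic groups from a flat file under WLST (Jython).
# The endpoint, credentials and file format are assumptions, not from the thread.
import re
import sys

# One group name per line; '#' lines are comments. The name policy is an assumption:
# tighten or loosen it to match what your authentication provider accepts.
VALID_GROUP = re.compile(r'^[A-Za-z0-9_.\-]{1,64}$')


def load_group_names(text):
    """Return (names, rejected): unique, validated names in file order, plus rejects."""
    names = []
    seen = {}
    rejected = []
    for line in text.splitlines():
        name = line.strip()
        if not name or name.startswith('#'):
            continue
        if not VALID_GROUP.match(name):
            rejected.append(name)
            continue
        if name in seen:
            continue
        seen[name] = 1
        names.append(name)
    return names, rejected


def create_missing_groups(provider, names, description='bulk import'):
    """Create each group that does not yet exist; returns (created, skipped).

    `provider` is the authentication provider MBean; groupExists/createGroup are
    the GroupReader/GroupEditor operations the DefaultAuthenticator exposes."""
    created = []
    skipped = []
    for name in names:
        if provider.groupExists(name):
            skipped.append(name)
        else:
            provider.createGroup(name, description)
            created.append(name)
    return created, skipped


if __name__ == '__main__':
    # Run under WLST, e.g.:  java weblogic.WLST bulk_groups.py groups.txt
    # (connect/cmo/disconnect only exist inside WLST.)
    names, rejected = load_group_names(open(sys.argv[1]).read())
    if rejected:
        print('rejected (fix the file first): %s' % rejected)
    connect('weblogic', 'welcome1', 't3://localhost:7001')  # assumed endpoint/credentials
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    atn = realm.lookupAuthenticationProvider('DefaultAuthenticator')
    created, skipped = create_missing_groups(atn, names)
    print('created %d, already present %d' % (len(created), len(skipped)))
    disconnect()
```

    The parse step is deliberately strict and idempotent: a re-run after a partial failure skips groups that already exist rather than erroring out, and a name the regex rejects stops nothing else from being created but is reported so the file gets fixed. Keep the script to Python 2 syntax, since the Jython bundled with WebLogic of that era is old.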

  • HT201269 I just synced my new iPhone through iTunes and it deleted my new pictures. Is there any way to get them back?

    I just synced my new iPhone through iTunes and it deleted all of my new pictures. Is there any way to get them back?

    Do you sync your iPhone with iTunes every once in a while? If yes, there are chances that iTunes has taken a last backup of your photos, contacts, etc. that you want back.
    Connect your iPhone to your PC, launch iTunes, right-click on your device and click on "Restore from Backup". Choose the latest backup to proceed.
    If you configured iCloud for backup before you restored your iPhone, go to Settings -> iCloud and log in using your Apple ID. Once you've logged in, all the photos, contacts, mail and messages should be back on your iPhone. This may take a while (depending on your network).
    Alternatively, if you are only now setting up your iPhone, choose 'Restore from iCloud Backup' in the setup screen. Log in with your Apple ID and the iPhone will be restored from the latest iCloud backup.

  • Adding new groups

    I was unable to find a viable solution to this without having to use OS X Server tools. I would like to create a user group so that I can make sure that certain users on my system will have access to the same folders, but restrict access to those folders for anyone else who is not a member of that group. However, I am unable to find an easy way to create the user group. Any answers?

    Courtney,
    You could use the ServerAdmin Utility as Biovisier has suggested, but it is certainly not necessary. Netinfo Manager is the only thing you need.
    For many, the easiest way to create a new, custom group is to duplicate an existing one, then modify the new group's properties. The "admin" group is usually the best choice for a template. When making any changes to the Netinfo database, it is prudent to make a backup of the original first!
    Select the admin group, then click the "Duplicate" button at the top of the window. In the "properties" pane at the bottom of the window, the "name" property for the new group should be highlighted for editing. Just type your desired name.
    Each group needs to have a unique "GID." GIDs 0-100 are reserved for "system groups," and OS X uses 501 and up for users. So, your best bet is to follow (pretty much) standard practice and use 201- 300 for custom-created groups.
    For a custom-created group, the "realname," "generated_uid" and "smb_uid" properties are not needed. Just select these properties and click the "Delete" button. You should now have only the "users," "name," "password," and "gid" properties. The only thing left to do is to modify the "users" property.
    Click the "disclosure triangle" next to "users" to reveal the complete list. First, remove any unwanted users by selecting them, then clicking the "Delete" button. Next, add users by selecting the "users" property and choosing Directory>Insert Value. A new user will be added to the list with the username value highlighted. Type the short name for an existing user to add that user to the list.
    The "password" property should remain in place, and should have a value of "*" (asterisk). This means that there is, in effect, no password for the group. Leave this property and value alone.
    When you have finished setting up your group, choose Domain>Save changes and confirm to "update this copy," if asked (Netinfo has become pretty smart about confirming and saving changes as they are made, so most or all of this shouldn't be necessary).
    Scott

  • Can't see calendar groups or add a new group in iCal 5.0 (Lion)

    Help.
    Can't add a new group or see my groups when I click on calendar in the Lion version of iCal. Any ideas why?
    Thanks

    Info taken from other discussion threads on Win not recognizing iPhone:
    NOT SEEN IN ITUNES:
    Windows 7 uses a MTP driver instead of the USBAAPL by default, and what you need is an 'Apple Mobile Device USB Driver' which you might not have in 'Universal Serial Bus Controllers' (check it and see).
    Update the driver by expanding 'Portable Devices' from the list, right click Apple iPhone/iPhone and select 'Update Driver Software'. Then select 'Browse My computer...'
    C:\Program Files\Common Files\Apple\Mobile Device Support\Drivers - then hit 'Next'.
    NOT SEEN AS CAMERA:
    Open Device Manager: Right click on My Computer and select Properties from the drop down menu. This will open System Properties as shown below. System Properties opens on the General tab so you will need to click on the Hardware tab.
    Remove iPhone USB Driver: called Apple Mobile Device USB Driver. We want to remove this driver by expanding the list of USB drivers, which can be done by clicking the + next to Universal Serial Bus controllers. Now right-click on Apple Mobile Device USB Driver and select Uninstall from the drop-down menu. A confirmation will require you to confirm you want to remove the iPhone USB driver. Click the OK button on the pop-up confirmation window, which will remove the driver.
    Reinstall iPhone Driver: Once the driver has been removed you should unplug the iPhone from the USB cable. To reinstall the iPhone USB driver plug it back into the USB cable and the reinstalling of the driver will start automatically. There will be numerous pop up messages displayed near the system clock in the lower right corner of your Windows desktop. Once you see the pop up message confirming that your new device is ready to use everything should be working properly again.
    Verify iPhone Camera Detected: Open My Computer now to verify that the iPhone is displayed and you can click on it as you previously were able to do.

  • Best Practice Adding New Target to Namespace and Replication

    Hi,
    what's the best way to add a new target to a Namespace and replication? The goal is to replace an old file server at the end.
    I did the following:
    - copied the share with robocopy incl. timestamps of files and folders
    - created the share
    - added the new share as a new target as well as a mesh member of the replication connection
    - disabled the new member in the Namespace, so no one can access it until DFSR is fully done and initialized
    After the new DFSR connection was replicated through AD to all 4 members (3 at different sites, 1 at the same site) the following happened:
    DFSR began and almost every file was in conflict and copied over to the Conflict folder. Almost all timestamps of the folders were changed to the current date, but the timestamps of the files were not.
    Thousands of event logs: 4412
    The DFS Replication service detected that a file was changed on multiple servers. A conflict resolution algorithm was used to determine the winning file. The losing file was moved to the Conflict and Deleted folder.
    Any idea why? Later on I disabled the connections to the remote file servers, but that did not stop it.
    My idea was to pre-seed the files with robocopy. So what would be the best way to prevent that for the next share? Is it better to just add the target to a bi-directional connection to the local file server without adding it to DFS-N and without copying the files before? Is it better to let DFSR do the whole initial sync incl. files?
    In the end I had no loss of data, but checking almost every file for conflicts took ages to finish.
    Thanks a lot,
    Marco

    Hi,
    The steps you performed are correct - compared with waiting for DFS initial replication, manual pre-staging is recommended.
    When doing the Robocopy step, were all attributes copied, such as NTFS permissions?
    After robocopy, you can add that folder as a folder target of the DFS replication group - you can add it to the DFS namespace after replication has finished.
    And if it is Windows 2012 R2, you can pre-stage the DFSR database for a better result.
    https://social.technet.microsoft.com/Forums/windows/en-US/a06c9d25-ed04-44e9-a1f7-e1506e645d53/forum-faq-how-to-prestaging-dfsr-database-on-windows-server-2012-r2?forum=winserverfiles

  • I added new songs in itunes and sync'd to ipod but the playlists that were changed are now in the wrong location. e.g. "Instrumental" playlist is now between letters M and N on my ipod, but in right location in itunes.  How do I fix this?

    Also, I can no longer find my "Recently Added" playlist.  I have searched every title in my playlists and its no longer there.  It's really frustrating because now if I want to listen to a new playlist that I've added new music to I have to really search for it.  Please help!  Thank you!

    This worked. Yesterday after I logged out - I continued to try to figure it out, and came up with the same solution. I made a smart playlist with both types.
    However, I had tried to drop those into the green purchased file yesterday and it would not accept them. Today it works.
    Guess it is like a car. It makes a noise, and when you take it to the dealer, it stops making that noise.
    I went and looked at all of the songs I had purchased. Some of the more recent songs say Protected. The first five I purchased just say "AAC audio file" but if you look at them in their file, they have the little lock icon on them, as the purchased and protected ones do.. So I dunno... ??
    Thanks for the help.

  • Adding new field using EEWB and using it for Pricing

    Using the Easy enhancement workbench, I have created a new tab containing a new field at the item level of contract. Then in SPRO, in the field catalog, I added a new entry using the same field name and data element name. Created a new condition table with this new field. created access sequence and assigned it to a condition type.
    I tried to maintain condition record for the condition type but initially it was showing some error for which I had to implement a new method for the BAdi /SAPCND/ROLLNAME.
    Now. condition record is also maintained successfully.
    But, the problem is that the value is not reflected at the contract.
    Somehow, the condition record is not being picked up.
    Please suggest some solution.
    Regards,
    Anindita RoyChowdhury.

    Hi Anindita,
    The steps mentioned in your question are fine.
    You have created a new screen at item level in the order transaction, right?
    Did you check the value passed to the method of the BAdI?
    As per my knowledge, the pricing call must have happened before you fill the Z-field which you added in the new screen. Hence there is no value in the field and no effect on pricing.
    Regards,
    Deven

  • Need best procedure for adding new start-up disc and keeping all original data.

    We are adding a new (bigger)SATA drive to our 8-core Xeon Mac Pro and would like to clone the original startup disk to the new drive and use it to boot from.
    If you know of the best and surefire way to do this and not have any permission issues or any issues please advise.
    Thank you in advance.

    A. Carbon Copy Cloner
    B. use the big drives for media folders, libraries, data
    C. use smaller fast drive for system - $110 will buy a 1TB WD Black or Samsung 830 SSD, $150 will buy a 10K 250GB VR
    How to clone your system:
    http://macperformanceguide.com/Mac-HowToClone-backup.html
    http://macperformanceguide.com/Mac-HowToClone.html
    http://www.macupdate.com/app/mac/7032/carbon-copy-cloner
    Maybe you want to move all your sub-folders in your account to another drive - the new 2-4TB model (enterprise, not green)

  • Adding new field in PO and PR screen

    Dear Friends,
    Kindly suggest a solution to add a new custom field to the PR and PO screens at item level in the SOURCE OF SUPPLY tab.
    regards
    Vishal

    Hi,
    Check the exit MEREQ001 for PR & MM06E005 for PO.
    Hope the above helps.
    Regards,
    Vivek

  • Adding new field in va01 and va02 t-code.

    hello all,
    Here, in the sales order creation t-code and the change order t-code, the header information in the shipping tab shows all the fields regarding total weight, total volume and net weight, but there is no field for total quantity, and the interesting thing is that it is not coming anywhere in the whole t-code.
    So, friends, I want to add this field.
    So which method should be followed for doing this?
    Thanks and regards, Amit.

    Hi,
          Refer
    https://forums.sdn.sap.com/click.jspa?searchID=4998349&messageID=3132651
    Please check this
    http://help.sap.com/saphelp_46c/helpdata/en/1c/f62c7dd435d1118b3f0060b03ca329/content.htm
    The SAPMV45A screen 8309 is the Additional Data B tab to add your custom fields. To capture the data from this custom field you can use
    the user exit MV45AFZZ, USEREXIT_SAVE_DOCUMENT_PREPARE or
    USEREXIT_SAVE_DOCUMENT, depending on your functionality.
    Regards

  • Design question: Change Group membership for a AD resource via SelfService

    Hi all,
    based on the OIM tutorials, I designed OIM that way that an end user can successfully request a resource. Is there a way to allow end users to modify their resource "subscriptions"? For example, I would like to allow end users to change their AD group memberships after the initial provision to the resource.
    From what I have learned from the tutorials, I would assume to create an AD group membership attribute in the user account profile form and propagate changes to that attribute back to AD.
    Or is there a way to allow end users to change their resource data directly under "My Resources" ?

    There is no concept of requesting a modification of an already provisioned account. Like you said, this can be achieved through an attribute on the user's profile, and on changing that attribute, downstream applications can be propagated the new value.
    Typically, if changes to an already provisioned account need to be done in OIM and through OIM, an OIM admin goes to the user's resource profile and clicks on edit on the process form and can edit any data there. In the case of AD groups, there will be a child process form that shows the groups that the user is a member of; you can insert (add) new groups or delete existing groups from there and save the form. In the provisioning process of AD you will need to write a process task, which should add/remove the user from the specified group in AD on the trigger when a new group is added or an existing group is removed when the admin is modifying the user's AD process form/process child forms in OIM.

  • Group membership redirect with AD LDS

    I have my LDS instance synchronized with my AD environment. I am only synchronizing objectClass=user. I am creating userProxyFull objects on the LDS side. Authentication is working as I have tested authenticating with an AD user to LDS.
    My application person would like to query group membership, that is the group membership that exists in AD. Is it possible to redirect group membership queries so that the group membership information from AD is provided to the application that is using
    the userProxyFull object in LDS?
    Thanks,
    Paul

    Hi,
    why do you need userProxy and AD LDS, is it that the application can only support LDAP simple bind or that you need a form of distinguishedName other than that in your AD or that the application cannot reach your DCs?
    To do Authorization, if you have ruled out having the application query AD DCs, your options are:
    [1] have the application maintain an Authorization database and sync that from your AD or provisioning system if you really need it to follow AD group membership
    [2] use adamsync to sync the groups as well as doing the userProxy transform, something like:
            <object-filter>(|(objectClass=user)(objectClass=group))</object-filter>
            <attributes>
            <include>objectSID</include>
            <include>member</include>
            <exclude></exclude>
            </attributes>
    it would be best to spin up another AD LDS instance to try this against. You then need to test adding and removing users from the AD groups and check that those changes sync. This might work but unfortunately the more creative you get with object-filter
    in adamsync, the more surprising the results tend to be.
    [3] a variation on [1], ldif export your group memberships from AD and import into AD LDS (distinguishedName re-writing may be required)
    [4] have the application bind with the userProxy credentials to the rootDSE of the AD LDS instance and read tokenGroups to get a list of SIDs that you then need to resolve into groups (I mention this for completeness but it's possibly more complex application
    development than you would want to do...)
    Other options are:
    use a virtual directory tool
    use a different sync tool, e.g. FIM or Quest One Connect
    (disclaimer: I have never used the latter)
    review the application to see if direct AD DC access is possible.
    Lee Flight
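    As an added example (not code from the thread or from AD LDS/adamsync), this is the client-side half of options [2] and [4] above: the values an application reads from tokenGroups are raw binary SIDs, so it has to decode them and then look each one up against the objectSid values of whatever groups were synced into the AD LDS instance. The directory data below (domain SID, two group SIDs, the index) is constructed for the example; an LDAP library such as ldap3 or python-ldap returns the same raw bytes. One caveat the example handles: tokenGroups also carries BUILTIN and well-known SIDs (BUILTIN\Users is S-1-5-32-545) that no AD group sync will ever contain, so unresolved SIDs are reported separately rather than treated as errors.

```python
# Added example: decode tokenGroups binary SIDs and resolve them against a
# constructed objectSid -> name index (stands in for the groups synced into AD LDS).
import struct


def parse_sid(raw):
    """Binary SID -> 'S-1-5-21-...' text.

    Layout: revision(1) | sub-authority count(1) | identifier authority(6, big-endian)
    | count x sub-authority(4, little-endian). Anything that does not match exactly
    is rejected: a truncated or padded value must not be silently misread."""
    if len(raw) < 8:
        raise ValueError('SID too short: %d bytes' % len(raw))
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError('malformed SID')
    authority = int.from_bytes(raw[2:8], 'big')
    subs = struct.unpack('<%dI' % count, raw[8:])
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)


def sid_to_bytes(sid):
    """Inverse of parse_sid; used here only to build the constructed sample values."""
    parts = sid.split('-')
    if len(parts) < 3 or parts[0] != 'S' or parts[1] != '1':
        raise ValueError('not a SID string')
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError('too many sub-authorities')
    return (bytes([1, len(subs)]) + authority.to_bytes(6, 'big')
            + struct.pack('<%dI' % len(subs), *subs))


def resolve_token_groups(token_groups, sid_index):
    """Map each tokenGroups value to a group name via sid_index ({sid string: name}).

    Returns (resolved names, unresolved SID strings). Unresolved entries are normal:
    BUILTIN and well-known SIDs show up in tokenGroups but are not synced groups."""
    resolved, unresolved = [], []
    for raw in token_groups:
        sid = parse_sid(raw)
        name = sid_index.get(sid)
        if name is None:
            unresolved.append(sid)
        else:
            resolved.append(name)
    return resolved, unresolved


# --- constructed sample: a domain SID, two synced groups, one BUILTIN SID ----------
DOMAIN_SID = 'S-1-5-21-1111111111-2222222222-3333333333'
SYNCED_GROUPS = {                      # objectSid -> name, as synced into AD LDS (constructed)
    DOMAIN_SID + '-1105': 'BILLING',
    DOMAIN_SID + '-1106': 'CONTRACTS',
}
SAMPLE_TOKEN_GROUPS = [                # what a tokenGroups read would return (constructed)
    sid_to_bytes(DOMAIN_SID + '-1105'),
    sid_to_bytes(DOMAIN_SID + '-1106'),
    sid_to_bytes('S-1-5-32-545'),      # BUILTIN\Users: in tokenGroups, never synced
]


def demo():
    return resolve_token_groups(SAMPLE_TOKEN_GROUPS, SYNCED_GROUPS)


if __name__ == '__main__':
    print(demo())   # (['BILLING', 'CONTRACTS'], ['S-1-5-32-545'])
```

    Build the index from objectSid rather than from group names or DNs: the SID is the only identifier that survives the userProxy transform and any DN rewriting, and it is what tokenGroups hands you anyway.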

  • Group Memberships not Flowing into Metaverse

    Hello,
    I'm trying to figure out why the group member attributes in the CS are not flowing into the MV.  Here's what I have:
    An HR system running on SQL Server
    A staging database that extract data from the HR system
    The staging database has a table representing person object
    The staging database has a table representing person multi-valued attributes (i.e. location, job code, etc.)
    The staging database has a table representing group objects
    The staging database has a table representing group memberships (mult-valued)
    A SQLMA connected to the person and person multi tables
    A SQLMA connected to the group and group membership tables
    All group memberships are based on job codes and locations. There is no approval process in place. If they have this job code, they get certain groups. That's all calculated in the staging database and the memberships are in the group membership table.
    This system does connect to AD (and a few other things), but I'm not concerned with that, right now.
    I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense.  The flow from the database into the CS works well.  No issues there.
    But, a search of the metaverse for the group shows an empty member attribute.  The sync process is not throwing any errors.  At least they're not showing up in the sync service app or the event logs.
    Where allowed, I'm using rules extensions for everything.  I can't use a rules extension to set the member attribute because it's an rdn.
    I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object.  Then, I'll modify my existing MA to use that attribute instead of the member attribute. 
    I'm not sure what kind of issues I'm going to run into when exporting that to AD. I'll cross that bridge when I come to it. I don't anticipate that being an issue as the DNs for all these objects will be calculated by the ADMA based on locations, group functions and person types (basically, I don't care about the MV RDN).
    Anyway, I'm looking for some real world insight on this.  This whole effort is to migrate off an existing IDM system that works very, very well but quite expensive to license.
    Thanks,
    Greg Wilkerson

    Hey Cameron,
    I have total control of all the DB tables FIM is accessing.  I build them up as part of IDM process.
    I've read this article, along with the many others that address the "manager" scenario. This really doesn't apply in this case as the user and group objects are loaded in separate MAs. Getting reference values to flow with both objects living in the same CS shouldn't be an issue.
    I also saw a solution where the group and user objects were in the same table and differentiated by the "object_type" value (user, group). That solution solved the issue of the groups and users being in the same CS. As I grow tired of my daily FIM beatdown, that solution is growing more attractive. That's a major DB redesign, and seems quite inefficient.
    The multi-value table for group memberships already exists in the DB. For FIM purposes, I transferred that data into the user object multi-value table. See screen shot. I can certainly configure the group MA to access that multi-value table and load the group members as references. But, because the group MA CS will not contain the user objects, I don't see how the references will be set. If the reference value isn't set in the CS, it's not going to flow into the MV (at least I haven't figured out a way to set a reference value for an object in the MV - my problem all along).
    This whole "setting a reference value" encompasses much more than just group memberships in my implementation. Telephone resources and physical access (key cards, etc.) are provisioned through the existing eDirectory system. These objects exist in our current IDM system and are associated with users based on rules. So, the reference value process is something I need to figure out, if I'm going to use this product.
    Maybe I could use a stripped-down ECMA2 as a "staging" CS, export the users and groups into this CS and assign the reference values, then import the groups back into the MV, memberships intact. I'm not sure that would get me where I want to go, and it seems like a lot of extra "stuff" to solve what should be a simple problem. Hmmmmmm. Or, connect the ECMA2 directly to my group membership multi-value table in the DB. Hmmmmmm. I'd still have to export the groups and users into that CS, but the import might be much more straightforward. Hmmmmmm.
    The structure of my GroupMembership table (both columns are anchors or directly translatable to anchors):
    CREATE TABLE EmployeeGroups (
        GroupName  varchar(50)  NOT NULL,
        EmployeeID nvarchar(50) NOT NULL,
        ID         int IDENTITY(1,1) NOT NULL
    );

  • User Unable to RDP in Win 2008R2 Due to Multiple Group Membership But Can RDP in Win 2003 Server

    We have built a new application server with Windows 2008 R2 where a set of users are local admins (application owners), and we have the same kind of application server on Windows 2003 SP2 with the same users as local admins.
    Now on the Windows 2008 R2 servers these local admins are unable to RDP and get ACCESS DENIED whenever the user tries to log in, but they can log in successfully to the 2003 server.
    Now, the strange case is, I found these admin users' group membership to be more than 600 groups, and they are able to log in to the Win 2008 server as well if I reduce their group membership to a minimum level, say around 300.
    This is so confusing for me, as the user can log in to the Win 2003 server with the highest group membership but not to Win 2008.
    We have applied the MaxTokenSize registry setting also, through GPO.
    Any idea what we are missing here?

    This has nothing to do with Directory Services so I will move to the General forum.
    One thing to look at is to make sure that you have RDP enabled on these new 2012 servers.
    http://winplat.net/post/2012/07/16/How-to-enable-Remote-Desktop-on-Windows-%E2%80%988%E2%80%99.aspx
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.
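    The symptom in the question (logon works at ~300 groups and fails at ~600, and the poster already mentions MaxTokenSize) is the classic access-token-size problem. As an added example, not code from the thread, the block below applies the published estimate TokenSize = 1200 + 40d + 8s (KB327825) to a constructed membership list and compares it with the default MaxTokenSize of the target OS (12000 bytes through Windows Server 2008 R2, 48000 from Windows Server 2012). The membership data is constructed for the example; in practice you would fill it from a memberOf or tokenGroups query. The groupType bit values are the real AD flags.

```python
# Added example: estimate a user's access-token size from group membership and
# check it against MaxTokenSize. Membership data below is constructed.
GROUP_GLOBAL = 0x00000002
GROUP_DOMAIN_LOCAL = 0x00000004
GROUP_UNIVERSAL = 0x00000008
GROUP_SECURITY_ENABLED = 0x80000000

# Default Kerberos SSPI token buffer, in bytes, by server OS.
DEFAULT_MAX_TOKEN_SIZE = {'2008R2': 12000, '2012': 48000}


def estimate_token_size(groups, account_domain, sid_history=0):
    """TokenSize = 1200 + 40*d + 8*s  (KB327825 estimate).

    d: domain-local groups + universal groups outside the account domain + SID history
    s: global groups + universal groups in the account domain
    Distribution groups (security-enabled bit clear) never enter the token.
    AD returns groupType as a signed 32-bit int, so normalise before masking."""
    d = s = 0
    for g in groups:
        gt = g['groupType'] & 0xFFFFFFFF
        if not gt & GROUP_SECURITY_ENABLED:
            continue
        if gt & GROUP_DOMAIN_LOCAL:
            d += 1
        elif gt & GROUP_UNIVERSAL:
            if g['domain'].lower() == account_domain.lower():
                s += 1
            else:
                d += 1
        elif gt & GROUP_GLOBAL:
            s += 1
    return 1200 + 40 * (d + sid_history) + 8 * s


def fits(size, os_version, max_token_size=None):
    """True if the estimate fits the configured (or the OS default) MaxTokenSize."""
    limit = max_token_size if max_token_size is not None else DEFAULT_MAX_TOKEN_SIZE[os_version]
    return size <= limit


def make_membership(n_domain_local, n_global, domain='corp.example', n_distribution=0):
    """Constructed membership, with signed groupType values exactly as AD returns them."""
    dl = [{'groupType': -2147483644, 'domain': domain} for _ in range(n_domain_local)]  # 0x80000004
    gl = [{'groupType': -2147483646, 'domain': domain} for _ in range(n_global)]        # 0x80000002
    dist = [{'groupType': 0x00000002, 'domain': domain} for _ in range(n_distribution)]  # global distribution
    return dl + gl + dist


if __name__ == '__main__':
    big = make_membership(300, 300, n_distribution=50)   # roughly the 600-group user from the thread
    small = make_membership(150, 150)
    for label, m in (('600 groups', big), ('300 groups', small)):
        size = estimate_token_size(m, 'corp.example')
        print('%s: ~%d bytes, fits 2008R2 default: %s, fits 2012 default: %s' % (
            label, size, fits(size, '2008R2'), fits(size, '2012')))
```

    Two checks follow from this. The estimate is only that: the real token also depends on SID history and on nested memberships, so count from tokenGroups (or `whoami /groups` on a logon that works) rather than from direct memberOf. And the MaxTokenSize DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters must be in effect on the 2008 R2 server that is being logged on to, not only on the client or the DCs; confirm with gpresult that the GPO actually applied there, and note that 2003 servers with a lower limit may still appear to work because of how older components handled the overflow.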
