Adding Users from sharepoint into Active Directory Groups

I have a requirement for an approval workflow where the approved user gets added to an AD group directly. I think a two-way sync is possible. Please help.

Out of the box, I really doubt that this is possible BUT it can more than likely be achieved via the Object Model.  A good discussion and some attached code can be seen here.
Steven Andrews
SharePoint Business Analyst: LiveNation Entertainment
Twitter: Follow @backpackerd00d
My Wiki Articles:
CodePlex Corner Series
Please remember to mark your question as "answered" if this solves (or helps) your problem.

Similar Messages

  • Problem in provisioning user from oim to active directory using ssl

I am getting the following error while provisioning a user to AD over SSL.
    15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed:
    15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectTo
    AvailableAD():simple bind failed:
    15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter so
    me problems: Must set a query before executing
    com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
    at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
    at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
    at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
    nnectToAvailableNextAD(Unknown Source)
    archResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Un
    known Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Sour
    at Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionActi Source)
    at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown S
    at org.quartz.simpl.SimpleThreadPool$
Can anyone help?
    Thanks and Regards,

Are you able to connect to AD over SSL through an LDAP browser?
Check the validity of the certificate.
Does your certificate appear in the list?

  • SharePoint 2013 Active Directory Groups represented as c:0+.w| SID in UserInformation list instead of c:0+.w|Domain\Groupname

We are running on SharePoint Server 2013. When we add AD groups as permissions, we see that the group name is displayed properly in the permissions. Whereas when I click on the group name I see the SID with the SharePoint-specific claims characters,
instead of domain\groupname. I understand that the claims characters are because of claims mode. But I expected domain\groupname instead of the SID. Is this the right behaviour?
    When I call SiteData.GetContent web service, I get the SID of the group name instead of the domain\groupname.
    Can someone please clarify?

    Yes, the identity claim for an AD group is based on the SID of the group. The claim encoding for an Active Directory group consists of the following sections:
    •"c" for a claim other than identity
    •"+" for a group SID
    •"." for a string
    •"w" for a Windows claim
    More information:
    Dennis Guo
    TechNet Community Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
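The encoding Dennis describes, as an added example that is not part of the original thread: a small Python decoder and encoder for SharePoint claim strings. The four characters named in the answer ("c", "+", ".", "w") come from the thread; the remaining claim-type and issuer characters, and the "provider|value" form for trusted, forms, membership and role issuers, are the editor's additions and are assumptions. The sample claim values are constructed. The check it makes explicit is the one the question turns on: a Windows group claim carries the group SID, so domain\groupname has to be resolved from the SID separately rather than read out of the claim.

```python
import re

# Character tables for the SharePoint claim encoding. "c", "+", ".", "w" are
# from the answer above; the other entries are the editor's assumptions.
IDENTITY = {"i": "identity claim", "c": "other claim"}
CLAIM_TYPE = {
    "#": "user logon name",
    "+": "group SID",
    "-": "role",
    "5": "email address",
    "?": "name identifier",
    "!": "identity provider",
}
VALUE_TYPE = {".": "string"}
ISSUER = {
    "w": "Windows",
    "s": "SharePoint local STS",
    "t": "trusted identity provider",
    "m": "membership provider",
    "r": "role provider",
    "f": "forms authentication",
}
PROVIDER_QUALIFIED = {"t", "m", "r", "f"}   # value is "providername|value"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)
# <identity>:0<claim type><value type><issuer>|<value>
CLAIM_RE = re.compile(r"^([ic]):0(.)(.)(.)\|(.+)$", re.DOTALL)


def decode_claim(encoded):
    """Split an encoded claim into its parts; raise on anything malformed."""
    m = CLAIM_RE.match(encoded)
    if not m:
        raise ValueError("not a SharePoint encoded claim: %r" % (encoded,))
    ident, ctype, vtype, issuer, value = m.groups()
    claim = {
        "identity": IDENTITY[ident],
        "claim_type": CLAIM_TYPE.get(ctype, "unknown (%s)" % ctype),
        "value_type": VALUE_TYPE.get(vtype, "unknown (%s)" % vtype),
        "issuer": ISSUER.get(issuer, "unknown (%s)" % issuer),
        "provider": None,
        "value": value,
    }
    if issuer in PROVIDER_QUALIFIED and "|" in value:
        claim["provider"], claim["value"] = value.split("|", 1)
    if ctype == "+" and not SID_RE.match(claim["value"]):
        # A Windows group claim is keyed on the SID, never on domain\group.
        raise ValueError("group claim value is not a SID: %r" % (claim["value"],))
    return claim


def encode_windows_group_claim(sid):
    """Build the claim SharePoint stores for an AD group (c:0+.w|<SID>)."""
    if not SID_RE.match(sid):
        raise ValueError("expected a group SID, got %r" % (sid,))
    return "c:0+.w|" + sid


def encode_windows_user_claim(domain_user):
    """Build the identity claim for a Windows user (i:0#.w|domain\\user)."""
    if "\\" not in domain_user:
        raise ValueError("expected domain\\user, got %r" % (domain_user,))
    return "i:0#.w|" + domain_user


if __name__ == "__main__":
    # Constructed sample values, not from a real farm.
    for c in ("c:0+.w|S-1-5-21-3623811015-3361044348-30300820-1013",
              "i:0#.w|CONTOSO\\alice",
              "i:05.t|adfs|alice@contoso.com"):
        print(c, "->", decode_claim(c))
```

The decoder raises on a group claim whose value is not a SID, which is the quickest way to spot a hand-built claim such as `c:0+.w|CONTOSO\Sales` that SharePoint will never match.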

  • Provisioning: Users from OIM to Active Directory

    Dear Experts!
I am trying to set up provisioning from OIM to AD. I just want to provision users from OIM to AD.
I am going through this documentation/tutorial:
I also read this:
But it just won't work. The provisioned resource always gets the status "rejected" in the (To-Do List --> Open Tasks).
    Then i tried to test the connection to AD using this documentation:
    And i get this error in the console:
    The IT resource: ADITResource looks like this:
    Remote Manager Prov Script Path:     
    Admin FQDN: [email protected]
    Use SSL: no
    Remote Manager Prov Lookup: AtMap.AD.RemoteScriptlookUp
    Target Locale TimeZone: GMT
Port Number: 636
    AtMap ADUser: AtMap.AD
    ADGroup LookUp Definition: Lookup.ADReconciliation.GroupLookup
    isUserDeleteLeafNode: no
    Allow Password Provisioning: no
    UPN Domain: domain-test.local
    AtMap ADGroup: AtMap.ADGroup
ADAM LockoutThreshold Value: 5
    isADAM: no
    Admin Password: *********
    Invert Display Name: no
    Root Context: dc=domain-test,dc=local
    Server Address: testing-server.domain-test.local
Could the problem be that I don't use SSL? I don't set passwords in AD, and I have read that then I don't need SSL...?
I am new to OIM, so your response is greatly appreciated!
    Thank you very much in advance!

    Hello again Raj!
    Thank you for your answer. You have always good ideas...
1) What's the response that you are getting from AD for this operation? Check this as follows:
Go to Users->UserABC->(Resource Profile from Drop down)->(Click your particular resource instance)->(Select the rejected task precisely "Create User")
    I get this on the Task Name - Create User:
    Response: Please Select the Organization or Container Name from Organization Name Lookup
    Response Description: Please Select the Organization or Container Name from Organization Name Lookup
    But i can't get to populate the Organization Name on the user form, because there are no values available.
    Under Error Details there is nothing.
2) If your IT resource parameters are incorrect, you will get a connection error in logs. Your port information is correct, it has to be Port->389 and Use SSL->no
I have created a new IT resource without SSL, just to test the connection to AD. It works because I get "Successfully established connection to the AD_Test_without_SSL."
Below is my NEW configuration for the IT Resource.
IT Resource Name: AD_Test_without_SSL
IT Resource Type: AD Server
ADAM LockoutThreshold Value: 5
ADGroup LookUp Definition: Lookup.ADReconciliation.GroupLookup
Admin FQDN: [email protected]
Admin Password: *********
Allow Password Provisioning: no
AtMap ADGroup: AtMap.ADGroup
AtMap ADUser: AtMap.AD
Invert Display Name: no
isADAM: no
isUserDeleteLeafNode: no
Port Number: 389
Remote Manager Prov Lookup: AtMap.AD.RemoteScriptlookUp
Remote Manager Prov Script Path:
Root Context: dc=domain-test,dc=local
Server Address: testing-server.domain-test.local
Target Locale TimeZone: GMT
UPN Domain: domain-test.local
Use SSL: no

  • Need to automatically add newly created user account in an existing active directory group.

    Hi All ,
In my environment we have a Windows Server 2012 Active Directory environment. We need the newly created Active Directory user account to be added automatically to an existing Active Directory group after the new user account is created.
    Please tell us the possible ways to achieve this scenario.
    Thanks S.Nithyanandham

Can you please confirm your requirement:
when you create a new user account in AD, based on the user's properties like Department, Job or Location, does the user need to be added to specific AD groups?

  • SharePoint 2013 Workflow (SPD 2013) fails for Active Directory Group members

    I have a SharePoint 2013 site called "Team Meetings". There are a number of lists and an InfoPath form library.
    The site's SharePoint Group "Team Meeting Members" has two Active Directory groups (All Club Managers and All Club Police) as members. Those two AD groups contain all the people that I want to have  access to the library and list, except for
    a few additional folk who I have made individual members. 
I have created a SharePoint 2013 Workflow using SPD 2013 associated with the Form Library. The workflow is set to start on new or modified item. The first action is to write to the history list, then determine the status (Submitted or Pending) of
    the form and go to different Stages depending on that status.
    The workflow works perfectly for any user who has been added directly to the SharePoint group (Team Meetings Members) BUT FAILS at the very first action for anyone who is a member of one of the AD groups. I know the Workflow is fine because I've tested it
    with numerous people who are direct members of the SharePoint Group, but whenever a person who is a member of the AD group tries it the Workflow just fails.
    Here's a print of the info from the Workflow Status page (I don't have access to server logs):
    RequestorId: 4494760f-92ff-2e8c-90d2-cc7df0e6baa4. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"request-id":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":[""],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
    RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 10 Mar 2014 01:31:42 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
    The HTTP response content could not be read. 'Error while copying content to a stream.'. at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
    instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor 
    Members of the SharePoint Group "Team Meetings Members" have Contribute Access to both the form library and another list that the workflow writes to as well as the Workflow History list (which in SP 2013 uses the credentials of the
    user who started the workflow, unlike 2010 which used System Account).
    All members of the Team Meetings Members group, whether they are individual members or part of one of the AD groups, have no problems opening and saving forms etc. It's just the Workflow that doesn't like them...
    I am stumped. I've spent many hours searching for a reason for this. There are about 200 people in the two AD groups so I really don't want to have to add them all individually - especially when these groups are managed in AD for a whole bunch of other reasons
    and using the AD groups means I'll basically never have to worry about modifying the SharePoint access permissions.
    Does anyone have any ideas why this is happening and what I can try to fix it?

    Hi Lars,
    I'm afraid not so far but we are trying a few things today so I will post back with results.
First thing we are doing is making the AD Group universal because one of our (external provider) gurus remembers seeing something about that. He also sent me a link to a post where they were talking about earlier
versions but having similar issues and their solution was to make sure the app pool account has sufficient permissions in AD:
    This part of that thread looks interesting but we haven't checked it yet as were trying the universal setting first:
    "If the users participating in the workflows have been added to the SharePoint site via Active Directory groups, SharePoint has to update the user’s security token periodically by connecting to
    the domain controller. By default, the token times out every 24 hours. But if the application pool account did not have the right permissions on the domain controller to update the user’s token, user will keep getting the access denied error. The error was
    intermittent because when the user browsed to any page other than the workflow form, the token was getting updated successfully.
    You can try to fix it through granting the application pool account the appropriate permission by adding the account to the group “Windows Authorization Access Group” in Active Directory."
    I'll update when we try these ideas. If you have any luck please do the same.
    (sorry about formatting - using my phone....)

  • How to import Photos into Active Directory

    Hi -
    IT Director asked me to import employees pictures into Active Directory so that we can use them in Outlook, SharePoint, Lync etc.
    Do you know how to import pictures into Active Directory?

The thumbnailPhoto attribute in Active Directory is responsible for adding photos to Active Directory.
By default, replication of this attribute to the Global Catalog server is disabled. To make use of this facility you will have to enable replication of this attribute to the Global Catalog. (To accomplish this you will have to edit the schema using the Active Directory Schema snap-in.)
Refer to the link below, which explains how to enable replication of the thumbnailPhoto attribute to the Global Catalog.
Minimum requirement for your Exchange environment to use this: Exchange 2010.
Exchange 2007 doesn't support uploading photos AFAIK.
The domain controller should be running at least Windows Server 2008 or later, and the
schema has to be Windows Server 2008.
    Additionally for your information,
How to remove the uploaded photos?
You can edit the thumbnailPhoto attribute using ADSI Edit and remove the entry associated with the thumbnailPhoto attribute.
    Try this.
    The Import-RecipientDataProperty and Export-RecipientDataProperty cmdlets allow you to import and export the photo blob to and from
    thumbnailPhoto attribute, but there's no Remove-RecipientDataProperty cmdlet to remove it. You can use the
    RemovePicture switch of Set-Mailbox cmdlet to remove a user's photo. For example:
    Set-Mailbox "Bharat Suneja" -RemovePicture
Check out the link below, which explains the ins and outs of uploading photos.
To learn about uploading photos using PowerShell, ask this question in the PowerShell forum.
    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Sharepoint 2013 Active Directory Import- Manager field not updating

SharePoint 2013 Active Directory Import - Manager field not updating
We are using SharePoint and have configured the Active Directory Import. On the first import everything seems to work fine and the OOB organization chart built from User Profile data comes out right.
Now the user is moved from one Organizational Unit to another.
Now our Manager field is not updating. There is a change in the AD manager attribute but it is not reflected in the SharePoint user profile.
The Manager field is mapped to the "manager" attribute in SharePoint.
We tried removing the user and re-importing using incremental import but no luck.
Thanks for help in advance.

Moving a user from one OU to another in AD won't normally change the Manager attribute in AD. You would need to edit the user's organization settings to change the manager value in AD. I've also seen these changes not be picked up unless something
other than just the manager field in AD changes. Try changing something like Office location and see if the manager change is picked up by AD Import.
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • Lion Server not reading Active Directory Groups reliably

    I am trying to upgrade one of our XServes from Snow Leopard Server to Lion Server and am running into a strange issue with our Active Directory based users and Groups.
The current Snow Leopard Server serving files from an XSan volume is running fine, though we find a very long lag time for Windows users to connect. Once a few users have connected the lag seems to go away, but it is still not nearly as fast as Mac users connecting or Windows connecting to a PC server.
So I have connected a second Xserve to the SAN and performed a clean install of Lion Server. Initially while it would find my Active Directory groups it would not import any of the users, so obviously no one could connect. In a last ditch effort I installed the beta of 10.7.4, which seemed to resolve the issue for a small group of test users. However as I expanded the test I found that some users would get a message that there were no resources available to them, or they didn't have the correct permissions. This is very strange as everyone is in the same group so should have the same permissions. As a test I took one of the user accounts and created a new share and gave him R/W permission to that share and suddenly all of the shares that he should have had permission to in the first place popped up.
The only thing that I can think of is that we have such a large Active Directory structure that the authentication is timing out or reaching some user limit and stops looking. (We have over 50,000 users and thousands of groups spread through multiple OUs in the AD structure.)
The new in Lion looks nice, but it does not seem to have nearly the robustness of the previous Server Admin tools. For instance, I never needed or wanted to set up a "Golden Triangle" but with Lion it is required. Previously I could search for AD users or groups and drag them from the search window to the share to assign permission; now even though I've imported the groups and users it needs to search the entire directory when assigning permissions - why can't it see the groups that are already there? Why can I run a dscl search and find a user or group instantly, but the hangs for 5 minutes and shows 0 results?
    Has anyone found a way to make Lion Server work in an enterprise environment?

Yesterday morning I bound a 10.7.4 server to our AD, and in the afternoon I eventually saw all the AD users, groups, etc. show in Workgroup Manager. Now, with dscl, I can see all the AD user and group records, and with Workgroup Manager, I can search the groups, users, and computers, but with the, when trying to create a new group of the type "Imported group from another directory", the searches returned nothing. Directory Utility can show all the AD information also. Our AD has thousands of user records, and so it is reasonable that it may take some time for the Mac server to get all the info. But from the add users or groups interface, I just could not get any search results. What could be wrong then?

  • Syncing Active Directory Groups for Unity Distribution Groups

We have multiple remote stores with managers that move around quite a bit. This poses an administration nightmare when trying to keep voicemail distribution lists up to date. Is there a way to synchronize an Active Directory group to a Unity voicemail distribution group? Therefore when we move a manager around in ADS the user automatically moves in Unity.

    Unfortunately this feature has not been re-implemented in Unity Connection. This is one of the few things from Unity that I miss. I suggest voicing your desire for this as a feature enhancement with your Cisco AM.
    If you are doing that many changes you may want to consider going through the Cisco Unity Connection Provisioning Interface. At least you could script the changes there using code that checked AD group membership and replicated the changes into CUC.

  • User login report in Active Directory for specific date and time

I want to get a user login report in Active Directory for a specific date and time, e.g. user logged in at 15-01-2015 from 8:00am to 4:00pm.
    Is any query, script or any tool available?
    Waiting for reply please

    You can identify the last logon date and time using my script here:
If you would like to go back in time and see when the user did a logon / logoff then you need to have auditing enabled. Once done, you can pull records from the Security log in Event Viewer:
    I have started a Wiki about how to track logon / logoff and it can help too:
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile
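The second half of Ahmed's answer (auditing enabled, then read the Security log), as an added example that is not part of the original thread and is not his script: Python that takes already-parsed Security-log records and reports one user's sessions inside the window the question asks for. The records are constructed sample data, not real log output; the field names follow the EventData of events 4624 (logon) and 4634/4647 (logoff), which share a TargetLogonId, so logon and logoff can be paired by that ID. Two checks a practitioner wants are built in: network logons (type 3) are dropped by default because every file-share or domain-controller access produces one, and a session that began before the window but was still open inside it is kept.

```python
from collections import namedtuple
from datetime import datetime

# One parsed Security-log record. Field names follow the EventData names in
# 4624/4634/4647 (TargetUserName, TargetLogonId, LogonType, IpAddress).
Event = namedtuple("Event", "time event_id user logon_id logon_type ip")

LOGON_EVENT = 4624
LOGOFF_EVENTS = {4634, 4647}          # session ended, user-initiated logoff
INTERACTIVE_TYPES = {2, 7, 10, 11}    # console, unlock, RDP, cached credentials


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


# Constructed sample records (not real log data) for the day in the question.
SAMPLE_EVENTS = [
    Event(_ts("2015-01-15T07:55:02"), 4624, "jsmith", "0x3e7a1", 2, "-"),
    Event(_ts("2015-01-15T08:30:10"), 4624, "jsmith", "0x3f001", 3, "10.0.0.5"),
    Event(_ts("2015-01-15T08:30:11"), 4634, "jsmith", "0x3f001", 3, "-"),
    Event(_ts("2015-01-15T09:12:44"), 4624, "adoe", "0x41a2c", 10, "10.0.0.9"),
    Event(_ts("2015-01-15T12:01:00"), 4647, "jsmith", "0x3e7a1", None, "-"),
    Event(_ts("2015-01-15T17:20:00"), 4624, "jsmith", "0x55b10", 2, "-"),
]


def parse_window(day, start, end):
    """'15-01-2015', '8:00am', '4:00pm' -> (datetime, datetime)."""
    date = datetime.strptime(day, "%d-%m-%Y").date()
    t_start = datetime.strptime(start.upper(), "%I:%M%p").time()
    t_end = datetime.strptime(end.upper(), "%I:%M%p").time()
    if t_end <= t_start:
        raise ValueError("window end must be after its start")
    return datetime.combine(date, t_start), datetime.combine(date, t_end)


def logon_sessions(events, user, start, end, interactive_only=True):
    """Return the user's logon sessions that overlap [start, end].

    A 4624 and its 4634/4647 share TargetLogonId, so the logoff time is looked
    up by that ID. Type 3 (network) logons are dropped by default: they fire
    on every share or DC access and bury the logons the question is about.
    """
    wanted = user.lower()
    logoffs = {}
    for e in events:
        if e.event_id in LOGOFF_EVENTS and e.user.lower() == wanted:
            logoffs.setdefault(e.logon_id, e.time)   # keep the earliest logoff
    sessions = []
    for e in sorted(events, key=lambda ev: ev.time):
        if e.event_id != LOGON_EVENT or e.user.lower() != wanted:
            continue
        if interactive_only and e.logon_type not in INTERACTIVE_TYPES:
            continue
        logoff = logoffs.get(e.logon_id)
        # Keep sessions that overlap the window, including one that started
        # before it and was still open when the window began.
        if e.time > end or (logoff is not None and logoff < start):
            continue
        sessions.append({"logon": e.time, "logoff": logoff,
                         "logon_type": e.logon_type, "ip": e.ip})
    return sessions


if __name__ == "__main__":
    start, end = parse_window("15-01-2015", "8:00am", "4:00pm")
    for s in logon_sessions(SAMPLE_EVENTS, "jsmith", start, end):
        print("%s -> %s  type %s from %s"
              % (s["logon"], s["logoff"], s["logon_type"], s["ip"]))
```

Feeding it real data means exporting 4624/4634/4647 from the domain controllers (or a collector) with the EventData fields listed above; a missing logoff for a logon ID usually means the session was still open when the log was read, or the logoff was recorded on a machine whose log was not collected.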

  • Add a mac to an active directory group using a script?

I am managing a bunch of Macs and we are using Active Directory groups to assign certificates for 802.1X. I am binding the device to AD using JAMF software and was wondering if I could use a script to then add the device to an Active Directory group.
    Thanks in advance...

    I think I misunderstood your question.  If you are trying to add the computer record to a location other than the Computers container, then just change your binding script to target the folder you want.  Remember that the user account you are using to bind must have access rights to this folder.
    For example, the sample command from the man page shows you how.  Say you have a subfolder inside Computers called Macs.  You would do this in your binding script.  Note the notation of an organizational unit within the Computers container.
dsconfigad -a ThisComputer -u "administrator" -ou "OU=Macs,CN=Computers,DC=ads,DC=demo,DC=com" -domain ads.demo.com
    Is that what you are looking to do?

  • Search for single member in an Active Directory Group

    Hello all,
    I'm attempting to find a better method to search if a user is a member of a group in Active Directory. I currently retrieve the entire member attribute of the group.
    I need to reduce the time of the query. I would like to be able to search for a specific member (user) of the group instead of retrieving the entire member list of the group.
    I can post my current code if that would help.
    I believe the default Active Directory group object is the ldap group. I know that there are posixGroup and groupOfUniqueNames ldap classes available, but I'm not sure if Active Directory has access to those classes.
    Is my request possible using the group ldap object?

    Thanks for the reply.
    I have read the first post you gave, but not the second. I'm off to read that now.
    My main concern is that I don't have access to the DN of the user in the member attrib. I have access to their CN and uid (which is indexed). From what I can recall from when I last updated this code, I couldn't create a wildcard search filter e.g.,:
    (&(cn=All Scientists)(objectClass=Group)(member=CN=Albert Einstein*))
    If that's correct and I require a DN, is there any way around this?
    I was interested in the posixGroup and groupOfUniqueNames classes. I wasn't aware that these were available through Active Directory, but I see them listed in the AD schema (
    If I'm correct, posixGroup would allow for a filter of (&(cn=All Scientists)(objectClass=posixGroup)(memberUid=AEinstein))
    I'm not sure how typical it is to use the posixGroup class in AD and I'll have to check with my AD team before moving forward with this. But I wanted to get some more direction/ideas before asking them to create some posixGroup objects for me.
    I'm now going to go and read the second post you linked, but I wanted to put the rest of my details out there.
    Thanks again.
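The two filter shapes discussed in this thread, as an added example that is not part of the original posts and not the asker's code. Two points it makes concrete: `member` is a DN-syntax attribute, so AD compares whole DNs and a substring form such as `(member=CN=Albert Einstein*)` never matches; and when only the account name is known, the cheaper query is against the indexed user entry with `memberOf`, which AD evaluates server-side without returning the group's member list (the `1.2.840.113556.1.4.1941` matching rule extends that to nested groups). Every caller-supplied value is escaped per RFC 4515 before it is spliced into the filter, which is what stops a crafted name from rewriting the query. Names, DNs and OUs are constructed for the example.

```python
def escape_filter_value(value):
    """Escape an assertion value for an LDAP filter (RFC 4515).

    Without this, a caller-supplied name such as 'x)(objectClass=*'
    turns into extra filter terms instead of a literal string.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def member_filter(group_cn, user_dn):
    """Match the group entry only if user_dn is a direct member.

    Run with the search base at the group's container and attributes
    ['1.1'] (none) so the reply is the group DN or nothing, never the
    member list. member holds DNs, so the user's full DN is required.
    """
    return "(&(cn=%s)(objectClass=group)(member=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(user_dn))


def member_of_filter(sam_account_name, group_dn, nested=False):
    """Match the user entry only if it belongs to group_dn.

    sAMAccountName is indexed and memberOf is evaluated by the server, so
    the reply is one small entry or nothing. nested=True uses the AD
    LDAP_MATCHING_RULE_IN_CHAIN rule OID, which follows group-in-group
    membership. Neither form sees the user's primary group: primaryGroupID
    membership is never listed in member/memberOf.
    """
    rule = ":1.2.840.113556.1.4.1941:" if nested else ""
    return "(&(objectClass=user)(sAMAccountName=%s)(memberOf%s=%s))" % (
        escape_filter_value(sam_account_name), rule,
        escape_filter_value(group_dn))


if __name__ == "__main__":
    # Constructed names; the domain and OUs are examples only.
    group = "CN=All Scientists,OU=Groups,DC=example,DC=com"
    print(member_filter("All Scientists",
                        "CN=Albert Einstein,OU=Users,DC=example,DC=com"))
    print(member_of_filter("AEinstein", group))
    print(member_of_filter("AEinstein", group, nested=True))
    # A hostile account name stays a literal instead of a new filter term.
    print(member_of_filter("x)(objectClass=*", group))
```

If the directory team does add posixGroup objects as the asker considers, `memberUid` is a plain string attribute and the same escaping applies to the value placed in `(memberUid=...)`.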

  • FCS 1.5 Not all Active Directory groups visible in list

We just upgraded Final Cut Server to 1.5 and want to make use of Active Directory groups to set permissions in FCS. I've created a few groups in AD which do not appear in the list when I want to add these to Group Permissions. I do see many AD groups but some are not in the list. I can find the group in the Directory application and also with dscl (dscl /Active Directory/domain.tld -read /Groups/fcs-editor).
Please advise.
    Thanks in advance,

I found a solution, though it might still be temporary. See if you can narrow down your Directory Search Policy. In your AD forest, you might need just one domain for your department, location, etc.
So, in Directory Utility, click on Search Policy, delete "/Active Directory/All Domains", don't apply yet, but click on the plus sign, and see what specific domains you can choose from there. Do the same for contacts.
Though I can still see 1,592 records of groups or users when I run dscl, at least I know that AD administrators can really clean up our group listings (some of those groups are not being used), and try to keep the number under 2,000.
There has to be a way to increase the default number of 2,000 in Search Policy, but I haven't had time to do that.

  • BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

    Dear all 
In our environment, there are 2 domains (domain A and B); it has worked well all the time. Today, all the users belonging to domain A cannot log in; for users in domain B, all of them can log in but the BO server responds very slowly, and there is an error message popup when opening a Webi report for a domain B user. Below is the error message:
"Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; please make sure this account is valid and belongs to an accessible domain"
          Anyone has encountered similar issue?
       BO version: BO XI 3.1 SP5
       Authenticate: Windows AD
    Thanks and Regards

    Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
    Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
