How to import your MS Active Directory users in an Oracle table

Similar Messages

• How to import Photos into Active Directory

  Hi -
  IT Director asked me to import employees pictures into Active Directory so that we can use them in Outlook, SharePoint, Lync etc.
  Do you know how to import pictures into Active Directory?

  Thumbnailphoto Attribute in active directory is responsible for adding photos to Active directory.
  By Default Replication of this attribute will be disabled to Global catalog server. To make use of this facility we will have to enable replication of this attribute to Global Catalog. ( To accomplish this you will have to edit the schema using Active directory
  schema snap in).
  Refer Below link which explains about enabling the replication of Thumbnailphoto attribute to Global catalog.
  http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/configuring-using-display-picture-exchange-server-2010.html
  Requirements
  Minimum requirement for your exchange enviornment to use this - Exchange 2010.
  Exchange 2007 Don't support uploading photos AFAIK.
  Domain controller should be running with atleast windows server 2008 or later. And
  schema has to be windows server 2008
  Additionally for your information,
  How to remove the uploaded photos?
  Either You can edit the Thumbnailphoto attribute using ADSIedit and remove the entry which is assocaited with Thumbnailphoto attribute.
  Or,
  Try this.
  The Import-RecipientDataProperty and Export-RecipientDataProperty cmdlets allow you to import and export the photo blob to and from
  thumbnailPhoto attribute, but there's no Remove-RecipientDataProperty cmdlet to remove it. You can use the
  RemovePicture switch of Set-Mailbox cmdlet to remove a user's photo. For example:
  Set-Mailbox "Bharat Suneja" -RemovePicture
  Check out the below link which explains in and out of uploading photos,
  http://blogs.technet.com/b/exchange/archive/2010/06/01/gal-photos-frequently-asked-questions.aspx
  http://blogs.technet.com/b/ilvancri/archive/2009/11/17/upload-picture-in-outlook-2010-using-the-exchange-management-shell-exchange-2010.aspx
  To know about uploading photo using powershell ask this question in powershell forum
  http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/threads
  Regards,
  _Prashant_
  MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• How to import data from excel or csv files to Oracle table

  hello everybody,
  I am new here and new in Oracle. I would like to know the steps how to import data from excel or csv files to Oracle table.
  Let say I already have table inside the Oracle. Then my user give me the sets of data inside the Excel Worksheet.
  So, how can I import the excel data into Oracle table.
  Thank you in advance.
  cheers,
  shima

  Even easier. Download JDeveloper 11G from this site.
  Set up the database connection, right click on the table, select Import->Excel and specify your file to load it. On the import pop-up, you must view and update each tab indicating Columns, Data Types, and DML.
  Columns -- move the selected columns that you want to load to the box on the right
  Data Types -- select column name from second column to which the data for each column of the import file should load
  DML -- click this tab to generate the INSERT SQL
  Once done click 'Insert'

• How to create "folders" in Active Directory Users and Computers?

  Hello Community
      In Windows Server 2008R2 when you go to Active Directory Users and Computer
  you will see icons of folders such as:
      -  Builtin has a folder icon
      - Computers has a folder icon
      - ForeignSecurityPrinicpals has a folder icon
      - Domain Controller as a folder icon
      - Managed Service Accounts has a folder icon
      - Users has a folder icon
      All of the above folders are visually identical.
      If you right click and select “File” –  “New”
   on any of the selections the icon
  will not look like the folder icon they have their own icons which look different
  from the "Folder" icon.
      I would like to create a “Folder” that looks just visually exactly like the ones
  mentioned above, how can I create those types of Folders in Active Directory User
  and Computers?
      Note: I would like to put users in the folders.
      Thank you
      Shabeaut

  Hi,
  you should use OUs (an OU is they type of object (folder) that is available for you to easily create.
  The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
  Refer: Delegating Administration by Using OU Objects
  http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx   
  and the sub-articles:
  Administration of Default Containers and OUs
  http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
  Delegating Administration of Account and Resource OUs
  http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
  Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Import and Export Active Directory users

  Hello,
  I want to export my Active Directory users and import them to different domain.
  I try to use ldifde without any success.
  Do anyone have any idea??
  Thanks,
  Lior

  I would suggest the Active Directory Migration tool.  
  http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
  D/L link: http://www.microsoft.com/en-us/download/details.aspx?id=8377
  If you have 2012, it will be a little more complicated.

• How to display active directory users through weblogic portal Application?

  Hi,
  Does anyone has faced this situation?
  I configured the activedirectory and able to see the users and group in the weblogic console at Security->Realms->Myrealm->users. when I run my portal application,I am able to see only the users that are configured in embedded weblogic LDAP ie, I can see only the users weblogic,portaladmin and yahooadmin that are of defaultauthenticator provider.I need to display the active directory users also in our portal.
  I have two doubts on this?
  1)Is it I need to write custom code to view the active directory users in our portal?
  2)Does I need to use any jars that supports active directory authenticator?
  I would appreciate if any one can reply on this with helpfull docs/information.
  We are using BEA 8.1 SP4.
  Windows 2000.
  Surendra

  Hi,
  I too have a similar kind of requirement, i use a jsp to do this activity, but i get an exception, i have shown the entire jsp code below,
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <%@ page import="java.util.Set" %>
  <%@ page import="javax.naming.Context" %>
  <%@ page import="weblogic.jndi.Environment" %>
  <%@ page import="weblogic.management.MBeanHome" %>
  <%@ page import="weblogic.management.configuration.DomainMBean" %>
  <%@ page import="weblogic.management.configuration.SecurityConfigurationMBean" %>
  <%@ page import="weblogic.management.security.RealmMBean" %>
  <%@ page import="weblogic.management.security.authentication.AuthenticationProviderMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserPasswordEditorMBean" %>
  <%@ page import="weblogic.security.providers.authentication.LDAPAuthenticatorMBean" %>
  <%@ page import="weblogic.management.configuration.EmbeddedLDAPMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserEditorMBean" %>
  <%@ page import="weblogic.management.security.authentication.UserReaderMBean" %>
  <%@ page import="weblogic.management.security.authentication.GroupReaderMBean" %>
  <%@ page import="weblogic.management.utils.ListerMBean" %>
  <%@ page import="javax.management.MBeanException" %>
  <%@ page import="javax.management.modelmbean.RequiredModelMBean" %>
  <%@ page import="examples.security.providers.authentication.manageable.*" %>
  <%@ page import="weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBean" %>
  <%@ page import="weblogic.management.utils.InvalidParameterException" %>
  <%@ page import="weblogic.management.utils.NotFoundException" %>
  <%@ page import="weblogic.security.SimpleCallbackHandler" %>
  <%@ page import="weblogic.servlet.security.ServletAuthentication"%>
  <%!
  private String makeErrorURL(HttpServletResponse response,
  String message)
  return response.encodeRedirectURL("welcome.jsp?errormsg=" + message);
  %>
  <html>
  <head>
  <title>Password Changed</title>
  </head>
  <body>
  <h1>Password Changed</h1>
  <%
  // Note that even though we are running as a privileged user,
  // response.getRemoteUser() still returns the user who authenticated.
  // weblogic.security.Security.getCurrentUser() will return the
  // run-as user.
  System.out.println("------------------------------------------------------------------");
  String username = request.getRemoteUser();
  System.out.println("User name -->"+username);
  // Get the arguments
  String currentpassword = request.getParameter("currentpassword");
  System.out.println("Current password -->"+currentpassword);
  String newpassword = request.getParameter("newpassword");
  System.out.println("New password -->"+newpassword);
  String confirmpassword = request.getParameter("confirmpassword");
  System.out.println("Confirm password -->"+confirmpassword);
  // Validate the arguments
  if (currentpassword == null || currentpassword.length() == 0 ||
  newpassword == null || newpassword.length() == 0 ||
  confirmpassword == null || confirmpassword.length() == 0) { 
  response.sendRedirect(makeErrorURL(response, "Password must not be null."));
  return;
  if (!newpassword.equals(confirmpassword)) {
  response.sendRedirect(makeErrorURL(response, "New passwords did not match."));
  return;
  if (username == null || username.length() == 0) {
  response.sendRedirect(makeErrorURL(response, "Username must not be null."));
  return;
  // First get the MBeanHome
  String url = request.getScheme() + "://" +
  request.getServerName() + ":" +
  request.getServerPort();
  System.out.println("URL -->"+url);
  Environment env = new Environment();
  env.setProviderUrl(url);
  Context ctx = env.getInitialContext();
  MBeanHome mbeanHome = (MBeanHome) ctx.lookup(MBeanHome.LOCAL_JNDI_NAME);
  System.out.println("MBean home obtained....");
  DomainMBean domain = mbeanHome.getActiveDomain();
  SecurityConfigurationMBean secConf = domain.getSecurityConfiguration();
  // Sar
  EmbeddedLDAPMBean eldapBean = domain.getEmbeddedLDAP();
  System.out.println("Embedded LDAP Bean obtained...."+eldapBean );
  RealmMBean realm = secConf.findDefaultRealm();
  System.out.println("RealmMBean obtained....");
  AuthenticationProviderMBean authenticators[] = realm.getAuthenticationProviders();
  System.out.println("AuthProvMBean obtained....");
  // Now get the UserPasswordEditorMBean
  // This code will work with any configuration that has a
  // UserPasswordEditorMBean.
  // The default authenticator implements these interfaces
  // but other providers could work as well.
  // We try each one looking for the provider that knows about
  // this user.
  boolean changed=false;
  UserPasswordEditorMBean passwordEditorMBean = null;
  System.out.println("UserPwdEdtMBean obtained....");
  //System.out.println("Creating MSAI....");
  //ManageableSampleAuthenticatorImpl msai =
  // new ManageableSampleAuthenticatorImpl(new RequiredModelMBean());
  //System.out.println("Done....");
  for (int i=0; i<authenticators.length; i++) {
  System.out.println("### Authenticator --->"+authenticators);
  if (authenticators[i] instanceof ActiveDirectoryAuthenticatorMBean)
  ActiveDirectoryAuthenticatorMBean adamb =
  (ActiveDirectoryAuthenticatorMBean)authenticators[i];
  System.out.println("### ActiveDirectoryAuthenticatorMBean .....");
  String listers = adamb.listUsers("*",0);
  while(adamb.haveCurrent(listers))
  System.out.println("### ActiveDirectoryAuthenticatorMBean user advancement.....");
  adamb.advance(listers);
  if (authenticators[i] instanceof UserPasswordEditorMBean) {
  passwordEditorMBean = (UserPasswordEditorMBean) authenticators[i];
  System.out.println("Auth match ...."+passwordEditorMBean);
  try {
  // Now we change the password
  // Sar comment
  System.out.println("Password changed....");
  //passwordEditorMBean.changeUserPassword(username,
  // currentpassword, newpassword);
  changed=true;
  // Sar Comment
  catch (InvalidParameterException e) {
  response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
  return;
  catch (NotFoundException e) {
  catch (Exception e) {
  response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
  return;
  // Sar code
  LDAPAuthenticatorMBean ldapBean = null;
  UserReaderMBean urMBean = null;
  UserEditorMBean ueMBean = null;
  GroupReaderMBean gMBean = null;
  //ListerMBean lBean = null;
  try
  if (authenticators[i] instanceof LDAPAuthenticatorMBean)
  ldapBean = (LDAPAuthenticatorMBean) authenticators[i];
  String userFilter = ldapBean.getAllUsersFilter();
  System.out.println("userFilter ="+userFilter);
  if (authenticators[i] instanceof UserEditorMBean)
  try
  System.out.println("UserEditorMBean...");
  ueMBean = (UserEditorMBean) authenticators[i];
  System.out.println("List users..."+ueMBean);
  boolean b = ueMBean.userExists("webuser");
  System.out.println("User Exists->>>"+b);
  String cursor = ueMBean.listUsers("webuser", 2);
  System.out.println("List User ----->"+cursor);
  catch(InvalidParameterException e)
  response.sendRedirect(makeErrorURL(response, "ERROR InvalidParameterException:" + e));
  catch(java.lang.reflect.UndeclaredThrowableException e)
  response.sendRedirect(makeErrorURL(response, "ERROR UndeclaredThrowableException :" + e));
  e.printStackTrace();
  catch(Exception e)
  response.sendRedirect(makeErrorURL(response, "ERROR LBean:" + e));
  catch(Exception ex)
  ex.printStackTrace();
  response.sendRedirect(makeErrorURL(response, "ERROR:" + ex));
  return;
  if (passwordEditorMBean == null) {
  response.sendRedirect(makeErrorURL(response, "Internal error: Can't get UserPasswordEditorMBean."));
  return;
  System.out.println("pwd changed ->"+changed);
  if (!changed) {
  // This happens when the current user is not known to any providers
  // that implement UserPasswordEditorMBean
  response.sendRedirect(makeErrorURL(response,
  "No password editors know about user " + username + "."));
  return;
  %>
  User <%= username %>'s password has been changed!
  <br>
  <br>
  </body>
  </html>
  Here is the console log
  User name -->webuser
  Current password -->i
  New password -->u
  Confirm password -->u
  URL -->http://localhost:7011
  MBean home obtained....
  Embedded LDAP Bean obtained....[Caching Stub]Proxy for mydomain:Name=mydomain,Type=EmbeddedLDAP
  RealmMBean obtained....
  AuthProvMBean obtained....
  UserPwdEdtMBean obtained....
  ### Authenticator --->Security:Name=myrealmDefaultAuthenticator
  Auth match ....Security:Name=myrealmDefaultAuthenticator
  Password changed....
  UserEditorMBean...
  List users...Security:Name=myrealmDefaultAuthenticator
  User Exists->>>true
  java.lang.reflect.UndeclaredThrowableException
  at $Proxy1.listUsers(Unknown Source)
  at jsp_servlet.__updatepassword._jspService(__updatepassword.java:411)
  at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
  at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.jav
  a:1006)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:463)
  at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletC
  ontext.java:6718)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:37
  64)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  Caused by: javax.management.MBeanException
  at weblogic.management.commo.CommoModelMBean.invoke(CommoModelMBean.java:551)
  at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1560)
  at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1528)
  at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.j
  ava:988)
  at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:946)
  at weblogic.management.commo.CommoProxy.invoke(CommoProxy.java:365)
  ... 14 more
  ### Authenticator --->Security:Name=myrealmDefaultIdentityAsserter
  pwd changed ->true
  Can u pls let me know how to get all the entries from LDAP.
  Thanx
  Sar

• How to populate active directory users in to drop down list items dynamically in Share point 2010 ?

  Hi My self Arun in my current project i have a task on that active directory user  need to automatically populate in share point list drop down  please help me.  is that any out of box feature in share point 2010 ?   
  Thanking You 
  Arun 

  Arun,
  If you plan to implement the "Querying the Active Directory" based on my code snippet,
  and if you do not have permission [your account must be the part of domain admin] to do so,
  Then still you can do it in least effort through code,
  string usersInXml = SPContext.Current.Web.AllUsers.Xml;your xml string look like this.
  <Users><User ID="2" Sid="" Name="Administrator"
  LoginName="i:0#.w|murugesan\administrator" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1" Sid="" Name="Murugesa Pandian" LoginName="i:0#.w|murugesan\murugesan" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1073741823" Sid="S-1-0-0" Name="System Account" LoginName="SHAREPOINT\system" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0" /></Users>
  You can user Linq to XML to filter the "LoginName,Name and Email and then populate your drop down list.
  * User must be logged into the site at least once.
  Murugesa Pandian.,MCTS|App.Devleopment|Configure

• Windows 2008 Server - Cannot run Active Directory Users and Computers

  Hi,
  I am running Windows 2008 Server with latest windows updates installed. Directory Services Role also.
  I attempt to open Active Directory Users and Computers tool and I get a;
  Microsoft Visual C++ Runtime Library error;
  "The Application has requested the runtime to terminate it in a unusual way. Please contact the application's support team for more information"
  I click ok, then get the following debug info;
  Problem signature:
  Problem Event Name: APPCRASH
  Application Name: mmc.exe
  Application Version: 6.0.6001.18000
  Application Timestamp: 47919524
  Fault Module Name: msvcrt.dll
  Fault Module Version: 7.0.6001.18000
  Fault Module Timestamp: 4791ad6b
  Exception Code: 40000015
  Exception Offset: 0000000000029b06
  OS Version: 6.0.6001.2.1.0.272.7
  Locale ID: 3081
  Additional Information 1: 43aa
  Additional Information 2: cf3a46656318492c1997480001b6b0e0
  Additional Information 3: 3837
  Additional Information 4: 92f72e0d0589ff77cef51e0a413aeff6
  Read our privacy statement:
  http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
  If someone could please assist, it would be very much appreciated.
  Regards
  B

   
  Hi,
  To solidly troubleshoot this kind of issue, we need to debug dump file. A suggestion would be to contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
  To obtain the phone numbers for specific technology request please take a look at the web site listed below:
  http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
  However, I am also glad to share my research.
  Some third party applications may lead to this error. Please check if you install other third party applications on Windows server 2008?
  Also, please follow the article below to perform necessary steps to see how it's going?
  FIX: You receive an "invalid page fault in module MSVCRT.DLL" error message after you install the run-time libraries from Visual C++ 6.0
  http://support.microsoft.com/kb/190536/en-us
  Hope this helps.
  Best wishes
  Morgan Che

• MySites for non-Active Directory users

  Hi,
  we are planning to provide a collaboration farm for
  internal users (AD)
  external users (external AD, no-trust relationship)
  We plan to authenticate users via Claims/ADFS. The idea is to provide a MySite-Farm. 
  Questions
  Are there any issues with providing MySites to non-AD users?
  Are there any limitations for providing MySites to non-AD users?
  Sven

  Hi,
  According to your post, my understanding is that you wanted to create MySite for non-Active Directory users.
  Yes, it is possible to create them for non-AD users on on-premises SharePoint farms.
  You can use the ADFS authenticate to import the users to the user profile database, then create the MySite.
  If you are trusted the users to access your site or give them appropriate permissions, I don’t think there are some limitations to create MySite for non-AD users.
  Thanks,
  Jason
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Jason Guo
  TechNet Community Support

• Cannot log into DTR with Active Directory User

  Greetings,
  I have set up and installed JDI correctly.  I can log into /devinf, the cbs, cms and sld systems with no problem using both Administrator and my JDI.Administrator that I assigned to an Active Directory user.  I can log into the DTR using a user from the database (i.e. Administrator), however, when trying to access the DTR with an Active Directory user, I get the following message:
  500   Internal Server Error
    SAP J2EE Engine/6.40 
    Application error occurred during the request procession.
    Details:   Error [javax.servlet.ServletException: Group found, but unique name "businessUnit.all.guests" is not unique!], with root cause [com.tssap.dtr.server.deltav.InternalServerException: Group found, but unique name "businessUnit.all.guests" is not unique!].  The ID of this error is
  Exception id: [0012798F81680042000000090000165C0003FE9AA3C0B86B].
  This group exists in multiple domainshowever, this has not caused us any issues to date with our portal and other pieces of SAP WASit's only this DTR error. 
  Any help is greatly appreciated.
  Thanks,
  Marty

  Hi Marty,
  In the document available at the link enclosed below, there is a part that explains how to configure DTR so that it always uses "Unique-IDs".
  http://help.sap.com/saphelp_nw04/helpdata/en/20/f4a94076b63713e10000000a155106/frameset.htm
  It is mentioned that this is valid for LDAP, but the information is applicable for Active Directory as well.
  Regards,
  Manohar

• Report on Active Directory User Attributes in SCCM 2012

  I need to output a list of all users in a collection, along with certain user attributes from Active Directory. I can get part of what I need with the following query:
  SELECT v_FullCollectionMembership.ResourceID,
  v_R_User.Windows_NT_Domain0,
  v_R_User.Distinguished_Name0,
  v_R_User.Full_User_Name0,
  v_R_User.Mail0,
  v_R_User.User_Name0
  FROM v_FullCollectionMembership, v_R_User
  WHERE v_FullCollectionMembership.ResourceID = v_R_User.ResourceID
  AND v_FullCollectionMembership.CollectionID = 'SMS00002'
  If possible I need to add:
  Last logon timestamp
  User account status (enabled or disabled)
  I have added "lastLogon" and "lastLogonTimestamp" as additional attributesunder Active Directory User Discovery. This discovery method is enabled and I have run a full discovery about a month ago, and again today. I read in
  another thread that these attributes should appear in the table v_R_User, however they have not. Is v_R_User the right place to look for this or is there another view or table I can query?
  Once I have the above sorted out, how can I find the user account status in SCCM? I have done reports in the past directly from AD and used the 'useraccountcontrol' attribute and I noticed there is a column named 'User_Account_Control0' in v_R_User, however
  the values do not match those found in Active Directory.
  Thanks.

  Have you checked the attribute from the Active Directory in decimal format? Check that and compare it to the value ConfigMgr has stored in its 'User_Account_Control0'...
  User Account Control tells you multiple things of the account, for example does the account have "Smart card login required" -option checked from the account properties.
  The tricky part here is to actually get the report show you what you really want, because "useraccountcontrol" -attribute is a numeric value, you have to calculate what decimal combination means what in readable text.
  More info on the attribute can be found from here
  http://support.microsoft.com/kb/305144 and from there you can also find the values for different settings. For example:
  account is enabled = 512
  account is disabled = 514
  account is enabled with smart card = 262656

• Best practice for Active Directory User Templates regarding Distribution Lists

  Hello All
  I am looking to implement Active Directory User templates for each department in the company to make the process of creating user accounts for new employees easier. Currently when a user is created a current user's Active directory account is copied, but
  this has led to problems with new employees being added to groups which they should not be a part of.
  I have attempted to implement this in the past but ran into an issue regarding Distribution Lists. I would like to set up template users with all group memberships that are needed for the department, including distribution lists. Previously I set this up
  but received complaints from users who would send e-mail to distribution lists the template accounts were members of.
  When sending an e-mail to the distribution list with a member template user, users received an error because the template account does not have an e-mail address.
  What is the best practice regarding template user accounts as it pertains to distribution lists? It seems like I will have to create a mailbox for each template user but I can't help but feel there is a better way to avoid this problem. If a mailbox is created
  for each template user, it will prevent the error messages users were receiving, but messages will simply build up in these mailboxes. I could set a rule for each one that deletes messages, but again I feel like there is a better way which I haven't thought
  of.
  Has anyone come up with a better method of doing this?
  Thank you

  You can just add arbitrary email (not a mailbox) to all your templates and it should solve the problem with errors when sending emails to distribution lists.
  If you want to further simplify your user creation process you can have a look at Adaxes (consider it's a third-party app). If you want to use templates, it gives you a slightly better way to do that (http://www.adaxes.com/tutorials_WebInterfaceCustomization_AllowUsingTemplatesForUserCreation.htm)
  and it also can automatically perform tasks such as mailbox creation for newly created users (http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomateExchangeMailboxesCreationForNewUsers.htm).
  Alternatively you can abandon templates at all and use customizable condition-based rules to automatically perform all the needed tasks on user creation such as OU allocation, group membership assignment, mailbox creation, home folder creation, etc. based on
  the factors you predefine for them.

• SMB access for Active Directory users

  Hi there,
  My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
  When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
  My smb.conf file is as follows:
  ; Configuration file for the Samba software suite.
  ; ============================================================================
  ; For the format of this file and comprehensive descriptions of all the
  ; configuration option, please refer to the man page for smb.conf(5).
  ; The following configuration should suit most systems for basic usage and
  ; initial testing. It gives all clients access to their home directories and
  ; allows access to all printers specified in /etc/printcap.
  ; BEGIN required configuration
  ; Parameters inside the required configuration block should not be altered.
  ; They may be changed at any time by upgrades or other automated processes.
  ; Site-specific customizations will only be preserved if they are done
  ; outside this block. If you choose to make customizations, it is your
  ; own responsibility to verify that they work correctly with the supported
  ; configuration tools.
  [global]
  debug pid = yes
  log level = 1
  server string = Mac OS X
  printcap name = cups
  printing = cups
  encrypt passwords = yes
  use spnego = yes
  passdb backend = odsam
  idmap domains = default
  idmap config default: default = yes
  idmap config default: backend = odsam
  idmap alloc backend = odsam
  idmap negative cache time = 5
  map to guest = Bad User
  guest account = nobody
  unix charset = UTF-8-MAC
  display charset = UTF-8-MAC
  dos charset = 437
  vfs objects = darwinacl,darwin_streams
  ; Don't become a master browser unless absolutely necessary.
  os level = 2
  domain master = no
  ; For performance reasons, set the transmit buffer size
  ; to the maximum and enable sendfile support.
  max xmit = 131072
  use sendfile = yes
  ; The darwin_streams module gives us named streams support.
  stream support = yes
  ea support = yes
  ; Enable locking coherency with AFP.
  darwin_streams:brlm = yes
  ; Core files are invariably disabled system-wide, but attempting to
  ; dump core will trigger a crash report, so we still want to try.
  enable core files = yes
  ; Configure usershares for use by the synchronize-shares tool.
  usershare max shares = 1000
  usershare path = /var/samba/shares
  usershare owner only = no
  usershare allow guests = yes
  usershare allow full config = yes
  ; Filter inaccessible shares from the browse list.
  com.apple:filter shares by access = yes
  ; Check in with PAM to enforce SACL access policy.
  obey pam restrictions = yes
  ; Don't be trying to enforce ACLs in userspace.
  acl check permissions = no
  ; Make sure that we resolve unqualified names as NetBIOS before DNS.
  name resolve order = lmhosts wins bcast host
  ; Pull in system-wide preference settings. These are managed by
  ; synchronize-preferences tool.
  include = /var/db/smb.conf
  [printers]
  comment = All Printers
  path = /tmp
  printable = yes
  guest ok = no
  create mode = 0700
  writeable = no
  browseable = no
  ; Site-specific parameters can be added below this comment.
  ; END required configuration.
  Any help would be much appreciated!!
  Thanks.

  I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
  [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
  setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
  When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
  Not feeling the Mac OS X love tonight.
  Bill
  System is bound to active directory - green light in Directory Utility

• Active directory users and computers wont start on a dc, "the server is not operational"

  In our environment, we have 3 dc's 
  two which run server 2008 (they work perfectly)
  and one never off branch dc that runs server 2008 r2.
  We have been having some problems where we feel the replication isnt up too speed(stuff could take up to 24 hours to replicate) and now when i tried opening active directory users and computers i am met with this error window:
  We have a third party DNS solution.
  How do i troubleshoot this issue?

  dc01 (which replicates perfectly with dc02, and vise versa)
  dcdiag /test:dns
  C:\Users\adminuser>dcdiag /test:dns
  Domain Controller Diagnosis
  Performing initial setup:
  Done gathering initial info.
  Doing initial required tests
  Testing server: Hostingpartner\ourdc01
  Starting test: Connectivity
  ......................... ourDC01 passed test Connectivity
  Doing primary tests
  Testing server: Hostingpartner\ourdc01
  DNS Tests are running and not hung. Please wait a few minutes...
  Running partition tests on : ForestDnsZones
  Running partition tests on : DomainDnsZones
  Running partition tests on : Schema
  Running partition tests on : Configuration
  Running partition tests on : int
  Running enterprise tests on : int.domain.com
  Starting test: DNS
  Test results for domain controllers:
  DC: ourdc01.int.domain.com
  Domain: int.domain.com
  TEST: Delegations (Del)
  Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
  Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
  Summary of test results for DNS servers used by the above domain controllers:
  DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
  2 test failures on this DNS server
  Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
  Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
  Summary of DNS test results:
  Auth Basc Forw Del Dyn RReg Ext
  Domain: int.domain.com
  ourdc01 PASS PASS PASS FAIL n/a PASS n/a
  ......................... int.domain.com failed test DNS
  dcdiag on dc01(which can replicate with dc02)
  C:\Users\adminuser>dcdiag
  Domain Controller Diagnosis
  Performing initial setup:
  Done gathering initial info.
  Doing initial required tests
  Testing server: hostingpartner\ourdc01
  Starting test: Connectivity
  ......................... OURDC01 passed test Connectivity
  Doing primary tests
  Testing server: hostingpartner\ourdc01
  Starting test: Replications
  [Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
  Win32 Error 8453.
  ......................... OURDC01 failed test Replications
  Starting test: NCSecDesc
  ......................... OURDC01 passed test NCSecDesc
  Starting test: NetLogons
  [OURDC01] User credentials does not have permission to perform this operation.
  The account used for this test must have network logon privileges
  for this machine's domain.
  ......................... OURDC01 failed test NetLogons
  Starting test: Advertising
  ......................... OURDC01 passed test Advertising
  Starting test: KnowsOfRoleHolders
  ......................... OURDC01 passed test KnowsOfRoleHolders
  Starting test: RidManager
  ......................... OURDC01 passed test RidManager
  Starting test: MachineAccount
  ......................... OURDC01 passed test MachineAccount
  Starting test: Services
  ......................... OURDC01 passed test Services
  Starting test: ObjectsReplicated
  ......................... OURDC01 passed test ObjectsReplicated
  Starting test: frssysvol
  ......................... OURDC01 passed test frssysvol
  Starting test: frsevent
  ......................... OURDC01 passed test frsevent
  Starting test: kccevent
  ......................... OURDC01 passed test kccevent
  Starting test: systemlog
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:04:29
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:04:50
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:10:56
  (Event String could not be retrieved)
  An Error Event occured. EventID: 0xC0002719
  Time Generated: 04/04/2013 15:11:17
  (Event String could not be retrieved)
  ......................... OURDC01 failed test systemlog
  Starting test: VerifyReferences
  ......................... OURDC01 passed test VerifyReferences
  Running partition tests on : ForestDnsZones
  Starting test: CrossRefValidation
  ......................... ForestDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... ForestDnsZones passed test CheckSDRefDom
  Running partition tests on : DomainDnsZones
  Starting test: CrossRefValidation
  ......................... DomainDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... DomainDnsZones passed test CheckSDRefDom
  Running partition tests on : Schema
  Starting test: CrossRefValidation
  ......................... Schema passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... Schema passed test CheckSDRefDom
  Running partition tests on : Configuration
  Starting test: CrossRefValidation
  ......................... Configuration passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... Configuration passed test CheckSDRefDom
  Running partition tests on : int
  Starting test: CrossRefValidation
  ......................... int passed test CrossRefValidation
  Starting test: CheckSDRefDom
  ......................... int passed test CheckSDRefDom
  Running enterprise tests on : int.domain.com
  Starting test: Intersite
  ......................... int.domain.com passed test Intersite
  Starting test: FsmoCheck
  ......................... int.domain.com passed test FsmoCheck
  The problematic dc03:
  Dcdiag gives the same output as dcdiag /test:dns
  C:\Users\adminuser>dcdiag
  Directory Server Diagnosis
  Performing initial setup:
  Trying to find home server...
  Home Server = OURDC03
  Ldap search capabality attribute search failed on server NTSDC03, return
  value = 81
  We have an infoblox dns server on ip address xxx.y.y.251.
  first error in event logs on dc03:
  error 1863
  This is the replication status for the following directory partition on this directory server.
  Directory partition:
  CN=Configuration,DC=int,DC=domain,DC=com
  This directory server has not received replication information from a number of directory servers within the configured latency interval.
  Latency Interval (Hours):
  24
  Number of directory servers in all sites:
  2
  Number of directory servers in this site:
  2
  The latency interval can be modified with the following registry key.
  Registry Key:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
  To identify the directory servers by name, use the dcdiag.exe tool.
  You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
  i have also go several warning 2088, 2093, 2087.
  And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones

• Active Directory Users and Computer not displaying column data?

  I am running Windows 8.1 Enterprise with RSAT installed.  My Domain controllers are Server 2008 R2.
  I am having and issue with Active Directory Users and Computers.  Typically I will turn on Advanced Features and then add Columns for Email address and Display Name.  This for example allows me to easily export lists of users and there email
  addresses among other things.
  The issue is that on my Windows 8.1 client, the columns for Email and Display Name are empty.  It simply will not display this information.  It only displays Name, TYpe and Description.
  If I use a Windows 7 client, the information displays correctly.
  Has anyone run into this issue or heard of this problem when using ADUC on Windows 8.1?

  ADUC is an AD tool that is no longer being improved, with Microsoft now focusing on ADAC (Administrative Center). In 8.1, it has improved quite a bit since 7. You can also just try using the
  ActiveDirectory PowerShell Module, which is easy to use and fairly powerful. It can be simple to export lists, and the module for AD is included with RSAT tools.
  Example:
  Import-Module ActiveDirectory
  Get-ADUser -Filter {Manager -eq "John.Smith"} -Properties DisplayName,Mail | Export-Csv dump.csv -NoTypeInformation
  So, recommendation: either use ADAC, or PowerShell -- ADUC is part of the wave of deprecation.