Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

Hi!!
We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory, but the client wants the mapping to go through a RADIUS server, to avoid ISE querying Active Directory directly.
I know it is possible to use a RADIUS server as an external identity source for ISE, but is it possible to use this RADIUS server for this sponsor group handling?
Thanks and regards!!

Yes, it is possible to map a Sponsor group to a user group in AD. If you want to know how, please open the link below and go to the "Mapping Active Directory Groups to Sponsor Groups" heading.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

Similar Messages

  • Is it possible to switch from Office 365 online user management to Active Directory after Exchange online migration?

    If we utilize the Cutover method to migrate from on-premise Exchange (2007) to Office 365, which to my understanding will hand over user management/authentication to Office 365 online during the process, is it possible to later switch from Office 365 user management
    to Active Directory (synced to a future local domain, or even possibly via AD federation single sign-on)? If so, how difficult is this process and is there any documentation available?
    Asking this because the organization  I'm working for plans to upgrade (re-do actually) its entire infrastructure. There will be a completely brand new domain/AD set up that's totally unrelated to the old one. At the same time, we also plan to migrate
    all emails (previously hosted locally on Exchange 2007) to Office 365 and get rid of local exchange. Now because we will set up new domain, we do not want to carry over the older AD to the cloud, hence we will not use the "Staged Migration". 
    So the plan is to use "Cutover" migration first, which means all authentications will become Office 365 managed. That's fine for now. But later, after we set up our new domain and AD controller etc, we'd like to have Exchange Online switch back
    to syncing with our new on-premise AD. We'd also like to consider the AD Federation Services if it's not too complicated to set up.
    Your advice on this would be greatly appreciated!

    In principle, you cannot sync back from the cloud AD to the on-prem, yet. But you can take advantage of the soft-matching mechanism once you have the new AD in place:
    http://support.microsoft.com/kb/2641663
    Be careful though, as the moment you turn on Dirsync, all the matching users in the cloud will have their attributes overwritten. A very good idea is to do an 'export' of the cloud AD first, using the WAAD module for PowerShell and the Get-MsolUser cmdlets,
    which you can then use to compare or import data in the new on-prem AD. Some links:
    http://technet.microsoft.com/en-us/library/hh974317.aspx
    http://msdn.microsoft.com/en-us/library/azure/dn194133.aspx

  • AD Group membership not updating in Sharepoint Foundation when adding Active Directory group to Sharepoint group

    I have Sharepoint Foundation installed with the latest CU updates.  It is running on a VMware box (Windows Server 2008 R2 Standard) with its backend on a SQL Server 2008 R2 vmware box.  The farm account is a domain user and has been given all appropriate
    replication rights, etc to active directory.
    Everything seems to be working fine except for security integrated with AD groups.  When I go to edit permissions I can add individual AD users just fine and remove them just fine and their access is taken away right away or given to them right away.
     I can also find AD groups in the people picker and add them to the site. When I add new groups to AD, they are found immediately within Sharepoint, and when I delete groups from AD, they are taken out of the people picker right away.  Now comes
    the weird part.  When I add an AD group to the site, all users currently within that AD group are given access to the Sharepoint Site.  This works for the first time only.  Now when I add or remove users from the AD groups, it does not update
    in SharePoint.  For example, I have an AD testuser1 in the AD Group "All Users".  testuser1 does not have access to SharePoint.  So I add  the AD group to the Sharepoint group "Visitors".  testuser1 now has read access to the sharepoint
    site.  Now, I remove testuser1 from the AD group, but testuser 1 still has access to the site even though he is not part of the AD group, nor does he have any individual permissions to the site.  Now, I add testuser2 to the ad group.  testuser2
    does not have access to the site, even though he is part of the ad group.
    It seems that the only time AD group security is working for me is when I first initially add the AD group to the site.  From then on, it's like sharepoint is caching the members of the group and not updating any new adds or deletes from the groups.
     Any ideas?  I am lost on where to go from here as I have tried everything from clearing cache files, rebooting servers, iisresets....

    I think I have at least cornered the problem, but am not 100% sure yet that it is the correct answer.  I think it could be 1 of the following 2 scenarios.
    Scenario 1:  We have 3 web applications setup on our web server ports 80 - Our sharepoint Web app, 2020 - Our My Site Web App, 2040 - Our Search Web app.  We are using host headers (http://sharepoint.***.com) instead of a server name.  So
    we setup our access mappings (Central Admin -> Application Management -> Configure Alternate access mappings) to use the host header (http://sharepoint.***.com) as the default mapping and the server name as the intranet access mapping.  By
    setting the default access mapping to host headers, i noticed that Sharepoint automatically assumes that all web apps are on port 80.  You can see this by going to (Central Admin -> Manage Web Applications).  The port listed all 3 web apps on
    port 80.  So I think when I was doing a profile sync and using mysites, it was messing with my AD security because of this.  What I did was the following.  I went to Central Admin -> Manage Service Applications -> [Name of your user profile
    service] -> Setup my sites.  I made sure that my preferred search center had the correct port number on it (mine originally had no port number), that my my site host had a port (again no port number originally), as well as the personal site location.
     I then saved this.
    Scenario 2:  Our user profile sync had 2 BDC connections that were corrupt and throwing errors.  I rebuilt the connections, remapped them to the proper user profile property.
    I did both of these scenarios above around the same time.  I then restarted all my servers, and at last the AD Group security is now functioning appropriately.  I have done multiple IIS resets and server restarts.  The issue has only reappeared
    once.  After restarting the machine again, we were back to the AD groups functioning correctly.  Because we had the issue reappear once after doing the above, I still do not feel 100% sure that either one of the above corrected the issue completely.
    As long as we are up and running currently, I am moving on to other tasks with this project.  My only concern that it will break again and I will have to revisit it is when we restart the servers....which is never fun.  I will update as I find
    a "true" answer to this issue....  Let me know if any of the above helped you or if you find something I may not have thought of.

  • How to get the list of Group set in each Users in MS Active Directory

    Hi. I would like to know if you know how to get the set group of each user in Active Directory?
    We have this sample code
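    // Needs java.util.Hashtable, javax.naming.* and javax.naming.directory.*
    String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
    //String MY_HOST = "ldap://myserver/ou=dev,dc=test,dc=com,dc=ph";
    String MY_HOST = "ldap://myserver.dev.test.com.ph:389/dc=dev,dc=test,dc=com,dc=ph";
    String strUsername, strPassword;
    try {
        strUsername = Request.getParameter("username").toLowerCase().trim();
        // Passwords are case-sensitive, so the value is not lower-cased
        strPassword = Request.getParameter("password").trim();
        // A simple bind with an empty password is treated as anonymous and succeeds
        if (strPassword.isEmpty()) throw new AuthenticationException("empty password");
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
        env.put(Context.PROVIDER_URL, MY_HOST);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, strUsername + "@dev.lst.com.ph");
        env.put(Context.SECURITY_CREDENTIALS, strPassword);
        // The bind happens here and throws if the credentials are rejected
        DirContext ctx = new InitialDirContext(env);
    } catch (NamingException e) {
        // Authentication or connection failure
    }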
    After validating the User Name and Password the next task is to Retrieve the group list of the User.

    Nope, I want the logged-in user to retrieve the groups he belongs to. I have the following code:
    strUsername = Request.getParameter("username").toLowerCase().trim() + "@dev.test.com.ph";
    // Passwords are case-sensitive, so the value is not lower-cased
    strPassword = Request.getParameter("password").trim();
    Hashtable<String, Object> env = new Hashtable<String, Object>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
    env.put(Context.PROVIDER_URL, MY_HOST);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, strUsername);
    env.put(Context.SECURITY_CREDENTIALS, strPassword);
    // enable tracing
    env.put("com.sun.naming.ldap.trace.ber", System.err);
    // Create the initial context
    DirContext initCtx = new InitialDirContext(env);
    // Get the target context
    DirContext targetCtx = (DirContext) initCtx.lookup("");
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // Perform the search on the target context.
    // strUsername is request input: escape \ * ( ) and NUL (RFC 4515) before it goes into a filter.
    // "enum" is a reserved word since Java 5, so the enumeration is named "results".
    NamingEnumeration results = targetCtx.search("", "(userPrincipalName=" + strUsername + ")", constraints);
    javax.naming.directory.Attributes attrs;
    NameClassPair item;
    String[] attrIds = new String[]{"MemberOf"};
    // For each answer found, get its "Groups" attribute
    // If relative, resolve it relative to the target context
    // If not relative, resolve it relative to the initial context
    while (results.hasMore()) {
        item = (NameClassPair) results.next();
        Out.println(item);
        attrs = targetCtx.getAttributes(item.getName(), attrIds);
        Out.println(attrs + "<br>");
    }
    initCtx.close();
    It returns this whole string:
    {memberof=memberOf: CN=CMCanadaRD,OU=Groups / Teams,DC=dev,DC=test,DC=com,DC=ph, CN=iMngrCanadaRW,OU=Groups / Teams,DC=dev,DC=test,DC=com,DC=ph, CN=Domain Users,CN=Users,DC=dev,DC=test,DC=com,DC=ph, CN=Backup Operators,CN=Builtin,DC=dev,DC=test,DC=com,DC=ph, CN=Administrators,CN=Builtin,DC=dev,DC=test,DC=com,DC=ph}
    How can I retrieve the groups named CMCanadaRW and CMCanadaRD from the attribute?
    Thanks
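
One way to pull the group names out of the memberOf values shown above, as an added example that is not part of the original post: it parses each DN with `javax.naming.ldap.LdapName` instead of splitting on commas, and escapes the user name before it is placed in a search filter. The class and method names are hypothetical, and the `jdoe...` input is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MemberOfGroups {

    /** Escape request input before it is placed in an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Return the CN of the left-most RDN of a group DN, or null if that RDN is not a CN. */
    static String groupCn(String groupDn) throws InvalidNameException {
        LdapName name = new LdapName(groupDn);   // copes with escaped commas and spaces
        if (name.isEmpty()) {
            return null;
        }
        Rdn leaf = name.getRdn(name.size() - 1); // index 0 is the right-most RDN (DC=ph)
        return "CN".equalsIgnoreCase(leaf.getType()) ? String.valueOf(leaf.getValue()) : null;
    }

    /** Return the wanted group names the user belongs to, compared case-insensitively. */
    static List<String> matchGroups(List<String> memberOfValues, List<String> wanted)
            throws InvalidNameException {
        List<String> found = new ArrayList<String>();
        for (String dn : memberOfValues) {
            String cn = groupCn(dn);
            for (String w : wanted) {
                if (w.equalsIgnoreCase(cn)) {
                    found.add(cn);
                }
            }
        }
        return found;
    }

    public static void main(String[] args) throws InvalidNameException {
        // The memberOf values from the output quoted in the post. With JNDI, each value
        // is a separate String returned by attrs.get("memberOf").getAll().
        List<String> memberOf = Arrays.asList(
            "CN=CMCanadaRD,OU=Groups / Teams,DC=dev,DC=test,DC=com,DC=ph",
            "CN=iMngrCanadaRW,OU=Groups / Teams,DC=dev,DC=test,DC=com,DC=ph",
            "CN=Domain Users,CN=Users,DC=dev,DC=test,DC=com,DC=ph",
            "CN=Backup Operators,CN=Builtin,DC=dev,DC=test,DC=com,DC=ph",
            "CN=Administrators,CN=Builtin,DC=dev,DC=test,DC=com,DC=ph");

        // Which of the two groups named in the question is the user a direct member of?
        System.out.println(matchGroups(memberOf, Arrays.asList("CMCanadaRW", "CMCanadaRD")));

        // Constructed input containing filter metacharacters, to show the escaping.
        String upn = "jdoe*)(objectClass=*@dev.test.com.ph";
        System.out.println("(userPrincipalName=" + escapeFilterValue(upn) + ")");
    }
}
```

In Active Directory, memberOf lists direct memberships only; groups reached through nesting and the user's primary group do not appear in it.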

  • How do I authenticate users in a specific AD group with Cisco ISE

    I have ISE up and running authenticating properly.  But right now it will authenticate and allow ANY account in Active Directory.  I want to allow access to only users in a specific group in Active Directory.  I have added the group under Administration>Identity Management>External Identity Sources>Active Directory>Groups.  But, I have not been able to find a way to link membership in that group to the Authentication Policy rules.

    Thanks for the reply.
    I'm not getting AD as an option (see below).  Any idea why that might be?

  • Error - "Group cannot be found" after rename user group

    Hi,
    I got the error message below after I clicked the 'edit' button in the "People and Groups" page (/_layouts/15/groups.aspx). Before I got this error message, I renamed the group. It seems like it was looking for the old name when I clicked the
    'edit' button. However, I can still access the Group Settings page by going to the group page -> settings -> Group Settings. Once I renamed the group back to what it was, I could click the 'edit' button without any error.
    Can someone please explain to me about this issue? 
    Thank you,

    Hi,
    This is what I have in the log

  • Search for specific user in an Active Directory group

    Hello,
    I have an OU containing a number of Groups. Each group contains a number of members.
    I'm currently retrieving the entire list of members from each group by searching for the members attrib for each group. This is not an ideal approach as the query execute time is a bit too long.
    From what I can tell, the group class is group (as opposed to a groupofuniquenames). Is there a way to query for the specific member?
    Thanks

    Thanks for the reply.
    I have read the first post you gave, but not the second. I'm off to read that now.
    My main concern is that I don't have access to the DN of the user in the member attrib. I have access to their CN and uid (which is indexed). From what I can recall from when I last updated this code, I couldn't create a wildcard search filter e.g.,:
    (&(cn=All Scientists)(objectClass=Group)(member=CN=Albert Einstein*))
    If that's correct and I require a DN, is there any way around this?
    I was interested in the posixGroup and groupOfUniqueNames classes. I wasn't aware that these were available through Active Directory, but I see them listed in the AD schema (http://msdn.microsoft.com/en-us/library/ms683908(VS.85).aspx).
    If I'm correct, posixGroup would allow for a filter of (&(cn=All Scientists)(objectClass=posixGroup)(memberUid=AEinstein))
    I'm not sure how typical it is to use the posixGroup class in AD and I'll have to check with my AD team before moving forward with this. But I wanted to get some more direction/ideas before asking them to create some posixGroup objects for me.
    I'm now going to go and read the second post you linked, but I wanted to put the rest of my details out there.
    Thanks again.

  • Using Groups in SharePoint from Active Directory

    Hello,
    Is it possible to use groups in SharePoint from AD?
    I have several groups in AD that I would like to use in SP. Of course SP has its own set up groups in permission (Owner, Member and Visitor). I do not want to use these groups. What I would like to do is use groups that are in my AD and assign those the
    designer, contributor, read-only..etc permission.
    For example, SP people picker finds my AD group called "Finance_Project" and assign this group with permission rights as a contributor.
    Is this doable in SharePoint? I would think since SharePoint can be authenticated with AD, you should be able to use your own AD groups.
    Any suggestions, articles and answers are greatly appreciated.
    artisticweb

    You can do this in SharePoint. Are you importing the AD groups via UPA?
    Creating a SharePoint group and adding an Active Directory group to its members: this allows anyone in the Active Directory group to participate in the SharePoint group.
    Mapping roles directly to Active Directory groups and not using SharePoint groups at all.
    Here are a couple of articles which explain the choice of one over the other:
    Assign permission levels in SharePoint 2013
    Using Active Directory Vs. SharePoint Groups
    http://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/

  • Defined Groups for Cisco Jabber Group Chat

    I don't think it is possible based upon this document, but I am wondering if anyone knows any secrets out there. Is it possible to create predefined groups in Jabber for Windows, preferably as defined in Active Directory or on the client side? We want to have chat groups automatically created for Sales, Engineering, etc. so users don't have to add other chat recipients manually and can reach any engineering team member without knowing who is actually part of the engineering team, for example.
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9/JABW_BK_C56E95B6_00_feature-guide.html

    Hi,
    Jabber for Windows 9.7 supports Persistent Chat end user participation.
    Our next Release, 10.5 will add Room Administration and Moderator features, including room creation.
    Persistent Chat Rooms
    Users in your organization can use persistent chat rooms to share ideas and information in a chat room. The chat rooms look like group chats, except that the chat rooms stay active even after participants leave the room. When participants come back to the room, they can scroll back to read the messages that they missed.
    Participants can manage their chat rooms by browsing the existing rooms and joining open rooms, or being added to a room by an administrator. When they are in the chat rooms, participants can create mentions for other users, which notifies the mentioned user if they are a member of the room. They can also search chat rooms for particular keywords or senders by creating filters.
    Administrator tasks include creating, configuring, and deleting chat rooms, and adding or removing users from chat rooms. In this release, chat room administration and moderation must be performed with a client that supports persistent chat room administration. Cisco Jabber for Windows will provide administrative capabilities in a future release.
    Cisco Unified Communications Manager IM and Presence Version 10 is a software prerequisite for persistent chat rooms.
    For end user information about persistent chat rooms, see the chapter on Chats in the Advanced Feature Guide.
    For administrator information about enabling persistent chat rooms, see the Installation and Configuration Guide and the Server Setup Guide.
    Link for the same:
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_7/JABW_BK_CF8F083D_00_cisco-jabber-for-windows-97/JABW_BK_CF8F083D_00_cisco-jabber-for-windows-97_chapter_00.html
    Regards,
    Swathi

  • Assign SQ03 Abap Query User Group to role

    Please advise how to assign SQ03 Abap Query User Group to a role. Thanks.
    Moderator message: please do more research before asking.
    [Rules of engagement|http://wiki.sdn.sap.com/wiki/display/HOME/RulesofEngagement]
    [Asking Good Questions in the Forums to get Good Answers|/people/rob.burbank/blog/2010/05/12/asking-good-questions-in-the-forums-to-get-good-answers]
    Edited by: Thomas Zloch on May 12, 2011 5:40 PM

    Hello Sunil,
    The problem is that I have hundreds of users to maintain user groups.
    I found out that it is possible to assign a user group to a role and a role to user groups. Implementing HR authorization with indirect assignment of auth. So if I could use SQ10, user groups could also be linked to positions in the org chart.
    SQ10 does allow you to assign a user group to a role, but when you assign the role to a user and the user runs a query, it reports that no user group has been assigned.
    I suspect that there must be a parameter or switch that is not turned on.
    Regards

  • Afaria User Group question

    Hello,
    I have a question regarding User Groups in Afaria.
    If I have configured the active directory authentication in the Security settings of the Afaria Server.
    I also configured 2 AD groups where my user is in 1 of the group and 2 User groups in Afaria, that shows to the AD groups.
    SAP told me if I use the "User Name" variable in the enrollment code, I can use the user groups for the devices.
    I tested it with the standard Afaria Client from the appstore without success. Only if I enroll via the Self Service Portal are the devices bound to the user group I created.
    Is it really only possible via the SSP?
    Thank you and best regards
    Michael

    Super.
    We have used this:
    USE [Afaria70]
    GO
    /****** Object:  Trigger [dbo].[MA_TR_IPhone_Device]    Script Date: 08/18/2013 22:51:30 ******/
    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    -- =============================================
    -- Author:            Peter Mohr
    -- Create date:
    -- Description:
    -- =============================================
    ALTER TRIGGER [dbo].[MA_TR_IPhone_Device]
       ON [dbo].[A_IPHONE_DEVICE]
       AFTER UPDATE, INSERT
    AS
    BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;
        Update D
        SET D.AssignmentsUserName = D.SelfServiceUserName
        FROM A_IPHONE_DEVICE D
        INNER JOIN Inserted I ON I.arowid = D.ARowID
        WHERE I.SelfServiceUserName IS NOT NULL
    END
    BR
    Peter

  • Deploying to AD based user groups

    I am trying to understand the user based deployment.
    I have AD discovery enabled, the AD groups are populated in SCCM, however it is not possible to deploy directly to any group showing under All User Groups, I have to make the target groups a part of an SCCM based user collection.
    Is this by design or am I missing something?
    Thanks

    You always have to deploy to collection. In this case you indeed should create a (user) collection that contains the user group (or the members of the user group, depending on the query that you use).
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Maximum Number of users in a "User Group" (SU01/Logon data/User Group)

    All,
    My security person recently approached me with a problem she has regarding user groups.  She wants to assign user groups so that way division leaders/designees can handle password resets within their own area.  To do this she has started using the "User Group" field in SU01/Logon data.
    She's told me the maximum number of users she can add to a "User Group" is 30.  Can anyone else confirm this?  Is there a setting (profile or otherwise) to increase this limit?  Any DSN or outside reading that anyone can refer me to on this matter?
    Many thanks....

    > There is a little green clip board icon on the bottom right corner...
    I only get that after hitting the Authorization data button in SU10 and then the Multiple selection button next to the user. Ow, and it's not green, the upload from textfile button is
    By the way, hitting F4 on a user input field in SU10 will also provide you with the possibility to select more than 30 users in one go.
    Edited by: Jurjen Heeck on Dec 29, 2009 12:08 PM

  • Active Directory LDAP integration; can not see the XMLP_ groups/roles

    We have configured XMLP 10.1.3.3 to use "LDAP" as the Security model. The LDAP server is Active Directory running under Windows Server 2003.
    It is working to a certain extent:
    - Users can log on to the XML Publisher using login/password as defined in AD.
    - When logged in as administrator, groups (roles) are visible in Admin/Roles and Permissions and can have assigned folders and data sources.
    Problems/questions:
    - The required roles ("XMLP_ADMIN", etc.) cannot be seen in Admin/Roles and Permissions. Is this as expected or is it an error?
    - When logging in as a user who is a member of the group/role XMLP_ADMIN, I do not get any administrator privileges (I have not tested the other XMLP_* roles defined in AD yet). So all administration has to be done as the local superuser.
    - Is there any way to monitor the login process to try and see what goes wrong?
    -Roald

    The problem has been solved, it was self inflicted, typo in the config file:
    <property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
    (semicolon instead of comma after Users).
    It is a little surprising that this typo led to problems with group matching, though. It took some time before this part of the config got enough attention.
    -Roald

  • How to create User in the specific group in Microsoft Active Directory

    Hi,
    I am using Netscape LDAP, and want to create a user in a user-defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory. I want to add the new user to the TestUsers group, but my problem is that whenever I create a new user
    it gets added to the Domain Users group.
    I tried adding memberOf attribute with value "TestUsers"
    attr = new LDAPAttribute("memberOf", "TestUsers");          
    attrs.add(attr);
    It gives me following error :
    code= 53 Exception 0000209A: SvcErr: DSID-031A0D6F, problem 5003 (WILL_NOT_PERFORM), data 0
    Following is the code I am using.
    public LDAPResult createUserID(
            String userId,
            String pwd,
            String pId,
            boolean resetonLogOn,
            LDAPConnection ldCon) {
        boolean flag = false;
        int code = 0;
        try {
            String pwdLastSetVal;
            String desName;
            String desc;
            /* Specify the DN of the new entry. */
            String dn =
                "CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
            /* Create and add attributes to the attribute set. */
            String objectclass_values[] =
                { "top", "person", "organizationalPerson", "user" };
            // LDAPEntry findEntry=null;
            /* Create a new attribute set for the entry. */
            LDAPAttributeSet attrs = new LDAPAttributeSet();
            /* Attribute sAMAccountName */
            LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
            attrs.add(attr);
            /* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
            attr =
                new LDAPAttribute(
                    LDAP_PASSWORD_KEY,
                    (byte[]) this.encodePassword(pwd));
            attrs.add(attr);
            /* Attribute Display Name */
            desName = userId + ":" + pId;
            //desName = userId ;
            attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
            attrs.add(attr);
            /* Attribute userAccountControl to enable the userid. */
            attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
            attrs.add(attr);
            /* Attribute pwdLastSet to reset the password on first logon */
            if (resetonLogOn == true) {
                pwdLastSetVal = "0";
            } else {
                pwdLastSetVal = "-1";
            }
            attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
            attrs.add(attr);
            /* Attribute Description */
            desc = " Account Created by HelpNow App";
            attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
            attrs.add(attr);
            /* Attribute objectclass */
            attr = new LDAPAttribute("objectclass", objectclass_values);
            attrs.add(attr);
            /* This is the attribute that triggers the WILL_NOT_PERFORM (code 53) error quoted above */
            attr = new LDAPAttribute("memberOf", "TestUsers");
            attrs.add(attr);
            /* Create an entry with this DN and these attributes. */
            LDAPEntry myEntry = new LDAPEntry(dn, attrs);
            /* Add the entry to the directory. */
            ldCon.add(myEntry);
            flag = true;
        } catch (LDAPException e) {
            flag = false;
            code = e.getLDAPResultCode();
        } catch (Exception e) {
            flag = false;
            code = LDAPException.OTHER;
        } finally {
            /* ldaprs is not declared in the posted code */
            ldaprs.flag = flag;
            ldaprs.code = code;
            return ldaprs;
        }
    }

    Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150
