Local A.-Group A. Differences TType 181 "Clearing Down Paymt" CIP aseets

Similar Messages

• Realized exchange rate difference in local and group currency

  Hi Friends,
  For a company code with local currency as Euro and group currency as USD, the setting in TR code OB22 for group currency is: Translation taking first local currency as a basis. When the open items are cleared, SAP posts difference in local currency and group currency. Sometimes, document currency is also group currency i.e. USD. The realized exchange difference is posted in Euro but it is not converted from Euro to group currency. Instead, system just calculates difference in group currency by comparing the value in group currency at the time of original transaction and when the transaction is cleared. Does anyone have dealt with such requirement and is there a way to be able to translate realized exchange differences from local to group currency?
  Thanks and regards,
  Pinky

  >Sometimes, document currency is also group currency i.e. USD.
  Can you explain, it's because of your settings or because of SAP?

• Local admin vs user placed in local admin group

  what are the differences between the built-in and the user placed in the admin local group
  .  I noticed when installing Cisco's AnyConnect 3.x client as a user who has been elevated to the local admin group  that when the install is complete the settings only apply to the specific user used during the install as opposed to when the built-in
  admin (I am aware of the option for this) ...my question is  are there any window applications that require well known security identifiers (sid).
  or
  simply put what are the differences between the built-in and the user placed in the admin local group..I experienced differences and wanted to know where I can get more information

  Hi,
  Their are some subtle differences. The built-in administrator account SID is well known forprogramming logic by 3rd parties.
  For the built-in admin, UAC is disabled by default. That means that the built-in admin never requires elevation. But, as we all know, UAC can be turned off by the user so even when an admin user launches a program, he will be elevated automatically.
  The built-in admin account cant be deleted (though it can be disabled).
  Karen Hu
  TechNet Community Support

• Activatate second local currency(Group currency)

  hi Experts ,
  I am going to activate activate second local currency(Group currency) on the current company [ which i close 2 years on it ]
  i face serious problem to evaluate the amount has been entered for the previous year is there any to way to evaluate it .

  Hello Emad,
  To avoid many future trouble, it will be a nice idea to activate group currency at the beginning of a financial year. Acitivate at country level (OY01) and at co.code level(Ob22). Also make sure to clear all open items before activating.
  How to evaluate the historical data after activation of group currency needs to be tested.Adding a new currency needs depth analysis about the impact to various modules.  Pl see the note-399919 which details the process for maintaining additional currencies.
  Regards,
  Sam

• LDAP Query for particular user account in local Administrators group on All Enabled Computer Accounts

  Need to query on all enabled computer accounts that have a particular user account present in the local Administrators group.
  Ldap query is best, because not all our machines have SCCM client
  Thanks for any help you can provide. Lisa

  Ya, I have 41800+ computer accounts in my directory. I think that option is not feasible :) Thanks for your reply.
  I can use SCCM to do this too, but only for those that the client is running on and which are online. Thanks again.
  Hope is not all lost; a scripting solution is still possible.  The difference is instead of running a central script to pull info from all computers, you let the computers report back to you with the info.
  If I were you, I'd do the following:
  1) Create a file share and adjust the permissions so that "Domain Computers" have "Modify" Permissions.
  2) Create a script similar to the 2nd link I posted above, with a bit of adjustment:  at the end of the script, write the information to the file share created in (1), and name the file
  ComputerName.txt
  3) Use Group Policy Preference Scheduled Task to deploy the script, and make sure it only runs once.
  4) Happily wait for the results to come back :)
  The main benefit of this approach is you're not restricted by the computer connectivity at the moment you run the script.  This is especially true if you have many mobile computers in your environment.  Just wait for a reasonable time (they all need
  to come back to the mother ship once a while don't they?) and the results will show up in the file share you created.
  Cheers.

• Service accounts adding to Local admin group

  Hello Everyone,
  What are the risks with adding SharePoint service application service accounts to local admin group.
  I see in many Microsoft blogs not to use farm account to create service application and better to use dedicated service account but i didn't see any articles why we shouldn't add dedicated service accounts to local admin group
  I am facing some GPO issue and one my friend suggested to add service accounts to add local administrator group to fix this issue but i am not sure what the risks behind it. 
  Please let me know if you aware of risks.
  Thanks S

  The basic is that it increases your attack surface. If the service (and this goes for any application regardless of vendor or platform) has elevated access to the underlying system (e.g. Local Administrator, SYSTEM, root, and so forth) and that service is
  compromised, there is the possibility that the entire server would be compromised.
  Clearly, this is not a good situation.
  Having said that, there are two scenarios where a service account in SharePoint must be a Local Administrator:
  If you're running the Claims to Windows Token Service (C2WTS) as a Domain User. This account requires Local Admin.
  If you're provisioning the User Profile Sync Service, the Farm Administrator account must be a Local Administrator during the provisioning process (reason being is that it makes calls to the SAM).
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• CUCM 10.5 Local Route Group

  When utilizing the local route group for a device pool, when a change is made for that device pool, does a reset of the devices have to occur for the changes to go into affect?  The reason I ask is if you are simply making the change to the Route List there is no interruption to the end users, but what if a location's Long Distance is pointing to a Route List that references a Local Route Group.  If you want move that to another route group under the device pool is there any impact on the phones in that device pool?
  Thanks,
  Joe

  So What you ask is if you modified the route list (change the actual local route Group for other route group) will reset the phones ? as far as I now no change on rl will reset phone but change on dp will..

• Active Directory users not made member of Local Network group

  Hi all,
  I've just done a clean install from 10.6 Server to 10.8.4.
  The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
  The Setup:
  In Groups in Server.app under Local Network Group I have created a group call "AccessServer"
  Members in that group are:
       - AD-Domain User Group (so should be all users in the domain)
       - MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
       - AD User 1
       - AD User 2
       - AD User 3
  The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
  The Behaviour:
  AD User 1 can access AFP and other services as expected.
  AD User 2 and 3 cannot.
  Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
  Yet other users within AD-Domain User Group or netaccounts cannot
  Furthermore: 
  If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group.  I can still login with that account!
  Diagnosis:
  I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
  >dseditgroup -o checkmember -m ADUser1 accessserver
  yes ADUser1 is a member of accessserver
  >dseditgroup -o checkmember -m ADUser2 accessserver
  no ADUser2 is NOT member of accessserver
  >dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
  yes ADDomainUser/netacc is a member of accessserver
  >dseditgroup -o checkmember -m n accessserver
  no ADUser2 is NOT member of accessserver
  When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
  2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
  I get the same results even after removing the user from the Groups screen!
  Failed Solutions
  - As we are a large AD I've tried specifying specific Active Direcotry servers that might better be able to find the users in question and authenticate.
  - I've let the system just sit, in hopes delayed replication would solve the problem overnight.
  - I've deleted and recreated the groups.

  Upon further investigation we have discovered:
  a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
  b)  This is NOT limited only to MacOS X Server 10.8.  The same behaviour is occuring on a long-running 10.6 server as well.
  c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually.  If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
  d) Which users are allowed and which are not is unclear and appears generally random.  We have found 3 'classes' of users:    
            1 - those that are successfully becoming members every time.
            2 - those that are intermittent members.  Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
            3 - those that are never successfully admitted as a member.
  So the problem is both Apple's and Windows in that:
  Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
  Windows:  Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
  Really hoping people have some ideas on this.  This system of nested groups or individual user access is something we have of course being using for many years.  So this is a major setback.

• Hard currency is not valuated in FAGL_FC_VAL along with local and group currency

  Hi All,
  I have the below system settings for FOREX revaluation. The revaluation is not happening for Hard currency along with local and group currency. The test data and other settings seams to be fine as the below mentioned workaround works perfectly for hard currency revaluation.
  I would like to take your expert feedback on this issue to confirm whether this is how SAP works or its an issue with FAGL_FC_VAL program.
  System Settings:
  Currencies in company code
  local currency      group currency      hard currency
  10                             30                         40
  USD                          USD                    UYU
  FOREX settings:
  Work around found:
  Define two Valuation area, say
  1. Valuation Area: A1 which will have currency type 10 and 30.
  2. Valuation Area: A2 which will have only the currency type 40.
  3. Run FAGL_FC_VAL twice for these area.
  Issue with this work around:
  1. The valuation area is assigned to one accounting principle (which is in turn assigned to a specific ledger).
  2. Thus, if I have different accounting FOREX process to be followed in different ledgers (say IFRS ledger, Local Ledger, Tax ledger) then I need to create 2 valuation area (as per above workaround) for each ledgers and run FAGL_FC_VAL for each of these valuation areas.
  Thanks & Regards
  Nikhil Kothari

  Hi Experts,
  Any views on the above issue?
  Thanks & Regards
  Nikhil Kothari

• DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

  On client computers that are protected by DPM 2010 and prior versions, you had to put the end users account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening
  the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the
  backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
  Ths fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
  This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
  One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable
  practice.
  Is there a new hotfix for the same issue on DPM 2012? I am hesitated to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not appicable for version 2012.
  Please help.
  Thanks,

  This is a hands off solution to allow all users that use a machine to be able to restore their own files.
  1) Make these two cmd files and save them in c:\temp
  2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
  <addperms.cmd>
  Cmd.exe /v /c c:\temp\addreg.cmd
  <addreg.cmd>
  set users=
  echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
  echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
  FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
  echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
  REG IMPORT c:\temp\perms.reg
  Del c:\temp\perms.reg
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This
  posting is provided "AS IS" with no warranties, and confers no rights.
  That's a good one! Thanks for that.
  I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
  ========================================================================
  $RC=setoption("WOW64AlternateRegView","on") 
  $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
  $uservariable = "%userdomain%\%username%"
  If KeyExist ($DPMkey)
  $Userstring=ReadValue($DPMkey, "ClientOwners")
  If $Userstring == ""
  WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
  ? "Key created"
  else
  If not instr($Userstring,$uservariable)
  $Userstring = "$Userstring,$uservariable"
  WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
  EndIf
  Endif
  EndIf
  ==========================================================================
  The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
  In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
  =========================================================
  $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
  =========================================================
  The only problem with that, is that key gets created/updated only if user gets logged phisically on that PC, but will not work for anyone connecting through RDP.

• How to add first log on user to local administrator group

  Hi All,
  When first time user log in to system, i need to add that particular user to local administrator group?
  How to achieve it using vbscript?
  Thanks
  Divakar

  It is also now against federal law in the US, Canada and, I believe, the UK. 
  In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins.   This may not specifically affect your
  installation but it does show how important this is.
  There is NEVER a good reason to make a user an administrator.  It is only lack of technical know how that leads to this scenario.  Any vendor product that
  requires this is not a safe product to use in a corporate network.  Malware specifically looks for this as an attack vector.
  I spent three years arguing with Inuit to get there software to work.  Every time they said you have to run as an admin I told them it would never be.  We
  were always able to find a way.  Now QuickBooks installs as a standard user with no issues.
  It can be done.
  ¯\_(ツ)_/¯
  It is also now against federal law in the US, Canada and, I believe, the UK. 
  In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins.   This may not specifically affect your
  installation but it does show how important this is.
  There is NEVER a good reason to make a user an administrator.  It is only lack of technical know how that leads to this scenario.  Any vendor product that
  requires this is not a safe product to use in a corporate network.  Malware specifically looks for this as an attack vector.
  I spent three years arguing with Inuit to get there software to work.  Every time they said you have to run as an admin I told them it would never be.  We
  were always able to find a way.  Now QuickBooks installs as a standard user with no issues.
  It can be done.
  ¯\_(ツ)_/¯

• UCCX Redirect Step and Local Route Groups

  Hello,
  CUCM 9.1.2
  UCCX 9.0
  I have come across a situation in one of our UCCX scripts with the call redirect step where it is forwarded to a local cell phone for after hours calls. The number in the Call Redirect step is 9, followed by the 10-digit number of the cell.
  While the call does redirect successfully from the UCCX script, the call always uses the local route group of the original calling party's device. So, if the call from an IP Phone to the cell is going out the gateway where the cell number is a local call, the 9 followed by the 10 digit number works fine.
  If it's a site across the WAN, the call redirect to the cell fails because it's using LRG of the calling party's phone and thus it needs to be a long distance call.
  I kind of thought the Service Parameter Local route group for redirected calls being set to "Local route group of last redirecting party" might have addressed this, like it did for call forward all situations, but it does not seem to be the case.
  Would the recommendation be to use Call Consult Transfer instead of the Call Redirect step? This seems to work, but was wondering if there were other ways to approach it.
  Thanks for your help,
  Frank

  Hi Anthony,
  Thanks for the reply. The Call Consult Transfer step did resolve my issue, so now the call is always coming from the local site and using the LRG of the DP of the CTI ports. I previously had it set up using the Call Redirect step in the script with 9 followed by the 10-digit number, and thus it was kind of not working when calling over the WAN from remote sites.
  I should have mentioned that we recently did an CUCM / CCX upgrade. In CUCM, all call restrictions were previously done at the device level, nothing on the line. Now we have the line doing the call restrictions. So the Call Redirect step worked fine in the old environment with the 10-digit number, not so much in the new.
  But I like your suggestion about +E164 even better, since we rolled that into the upgrade as well. I tried putting the full +E164 number in the script using the Call Redirect step. Works perfectly from all sites.
  Thanks for your help.
  Frank

• TEHO with Local Routing Group

  Hi,
  I was watching an online training video of setting TEHO using Local Routing Group on CUCM 8.6. However somehow I think he configured it wrong.
  In his example,
  He used a centralized call processing infrastructure for NY (hosts the CUCM) and CA offices. NY and CA router groups are created to contain local gateways respecitively and also assigned to corresponding device pool. When configuring Route List for the remote patterns (Pattern to reach CA numbers from NY, vice versa), he only created one RL for both patterns and only added the Standard Local Route Group to the RL… Then wrap up the configure.
  To me, in order to make TEHO work, there should be one RL for each location (one for NY and one for CA) and the NY route group needs to be added into the CA RL and CA Route group needs to be added into NY RL and both RL has SLRG as secondary option.
  Am I crazy or the video did it wrong...

  Good catch, with what is described here, when someone in CA calls a number in CA, the CA route list would be matched and the route list would be selected which contains Standard Local Route Group (SLRG) and the device pool for CA would be checked and the CA route group would be selected.  That works as expected.  Now if a CA phone calls a NY number, the route pattern would be matched, the route list the route pattern points to would be SLRG, so the device pool of the originating device would be checked.  The CA device pool being that a CA phone placed the call would be checked for the local route group and that would be set for a CA route group, so the call would go out of a CA gateway.
  What usually is done is that the route list for TEHO for the CA phone would contain, the NY route group and then SLRG in that order.  That way the call would be extended to NY first out their local gateway for TEHO and then extended to the CA local gateway if the NY gateway fails.  For NY to CA TEHO, the CA route group would be added to another route list, this time with the CA gateway first in the list followed by SLRG.

• Adding a domain user to Local Admin Groups using MDT 2012

  I don't know if this will help anyone, but it did me after weeks of searching.  If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No". 
  But the administrators accounts page will only appear if you choose to join a domain. 

  Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
  <Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
  <Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
  </Pane>
  Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default,
  instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
  Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
  Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
  If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different
  Story :^).
  Keith Garner - keithga.wordpress.com

• Find workstations with specific group in local administrators group

  Hello,
  Is there a simple script that will search the workstations in a domain looking for the existence of a specific domain group nested in the local administrators group ?  Our desktop group can up with the idea of using domain groups nested in the local
  admin group to grant administrator privileges to specific computers.  They can list the members of the domain group easily but they have no easy way to know on what workstations they have added the group to.  Output I am looking for is simply a list
  of computers that have the specific group in the administrators group.   Any advice would be appreciated.
  Bobby

  Thisis donethrough Group Policy.  It is a special aspect of gP to set and mamintain groups on local machines.  You can protect a machine fromchanges and allow users to be added and removed.
  If you are just look ing to list tehcontents o a local group then get the module "Local Administration" in the Repository. It has all of the tools you need.
  You can also use WMI to retrieve Group memmbership.
  ¯\_(ツ)_/¯