SharePoint 2013 Workflow (SPD 2013) fails for Active Directory Group members

Hi
I have a SharePoint 2013 site called "Team Meetings". There are a number of lists and an InfoPath form library.
The site's SharePoint Group "Team Meeting Members" has two Active Directory groups (All Club Managers and All Club Police) as members. Those two AD groups contain all the people that I want to have  access to the library and list, except for
a few additional folk who I have made individual members. 
My PROBLEM:
I  have created a SharePoint 2013 Workflow using SPD 2013 associated with the  Form Library. Workflow is set to start on new or modified item. The first action is to write to history list, then determine the status (Submitted or Pending) of
the form and go to different Stages depending on that status.
The workflow works perfectly for any user who has been added directly to the SharePoint group (Team Meetings Members) BUT FAILS at the very first action for anyone who is a member of one of the AD groups. I know the Workflow is fine because I've tested it
with numerous people who are direct members of the SharePoint Group, but whenever a person who is a member of the AD group tries it the Workflow just fails.
Here's a print of the info from the Workflow Status page (I don't have access to server logs):
RequestorId: 4494760f-92ff-2e8c-90d2-cc7df0e6baa4. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"request-id":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 10 Mar 2014 01:31:42 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
The HTTP response content could not be read. 'Error while copying content to a stream.'. at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor 
Members of the SharePoint Group "Team Meetings Members" have Contribute Access to both the form library and another list that the workflow writes to as well as the Workflow History list (which in SP 2013 uses the credentials of the
user who started the workflow, unlike 2010 which used System Account).
All members of the Team Meetings Members group, whether they are individual members or part of one of the AD groups, have no problems opening and saving forms etc. It's just the Workflow that doesn't like them...
I am stumped. I've spent many hours searching for a reason for this. There are about 200 people in the two AD groups so I really don't want to have to add them all individually - especially when these groups are managed in AD for a whole bunch of other reasons
and using the AD groups means I'll basically never have to worry about modifying the SharePoint access permissions.
Does anyone have any ideas why this is happening and what I can try to fix it?
Mark

Hi Lars,
I'm afraid not so far but we are trying a few things today so I will post back with results.
First thing we are doing is making the AD Group universal because one of our (external provider) gurus remembers seeing something about that. He also sent me a link to a post where they were talking about earlier
versions but having similar issues and their solution was to make sure the app pool account has sufficient permissions in AD::
http://social.msdn.microsoft.com/Forums/sharepoint/en-US/27a547da-5cc0-49d7-8056-6eb40b4c3242/failed-to-start-workflow-access-is-denied-exception-from-hresult-0x80070005-eaccessdenied
This part of that thread looks interesting but we haven't checked it yet as were trying the universal setting first:
"If the users participating in the workflows have been added to the SharePoint site via Active Directory groups, SharePoint has to update the user’s security token periodically by connecting to
the domain controller. By default, the token times out every 24 hours. But if the application pool account did not have the right permissions on the domain controller to update the user’s token, user will keep getting the access denied error. The error was
intermittent because when the user browsed to any page other than the workflow form, the token was getting updated successfully.
You can try to fix it through granting the application pool account the appropriate permission by adding the account to the group “Windows Authorization Access Group” in Active Directory."
I'll update when we try these ideas. If you have any luck please do the same.
Mark
(sorry about formatting - using my phone....)
Mark

Similar Messages

  • Outlook 2003 mail delivery failed for Active Directory user

    Server 2003/Exchange2003
    We are using an outside company (Integra) to handle our email and only use Exchange for shared archived email.
    When configuring active directory users the wizard automatically sets up email entries in the format: [email protected]
    When responding to a meeting invite from outlook to a local AD user, all users receive undeliverable messages for the accounts in the format [email protected] as below...
    The example below was a bounce back when I accepted the invite.  The invite shows up on my calendar just fine.
    This message was created automatically by mail delivery software.
    A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
      [email protected]
        Unrouteable address
    ------ This is a copy of the message, including all the headers. ------
    Return-path: <[email protected]>
    Received: from wsip-70-166-120-183.ph.ph.cox.net ([70.166.120.183] helo=PK01)
        by arelay1 with esmtpa (Exim 4.72)
        (envelope-from <[email protected]>)
        id 1W8D9b-0001kB-24
        for [email protected]; Tue, 28 Jan 2014 10:12:56 -0800
    From: "Kevin Simmons" <[email protected]>
    To: "miguel saucedo" <[email protected]>
    Subject: Accepted: Miguel Chaperone School
    Date: Tue, 28 Jan 2014 11:13:05 -0700
    Message-ID: <398EA47278F54C9FA9CFFB725FD6C079@PK01>
    MIME-Version: 1.0
    Content-Type: text/calendar; method=REPLY;
        charset="utf-8"
    Content-Transfer-Encoding: 7bit
    X-Mailer: Microsoft Office Outlook 11
    Thread-Index: Ac8cSpjUhKBGTbBKQt+PScNbb6MWwAABfTJgAABJyYAAALiiEA==
    X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.16384
    BEGIN:VCALENDAR
    PRODID:-//Microsoft Corporation//Outlook 11.0 MIMEDIR//EN VERSION:2.0 METHOD:REPLY BEGIN:VEVENT ORGANIZER:MAILTO:/o=PKArchitects/ou=First Administrative
      Group/cn=Recipients/cn=miguel
    DTSTART:20140206T070000Z
    DTEND:20140208T070000Z
    LOCATION:Flagstaff
    TRANSP:OPAQUE
    SEQUENCE:3
    UID:040000008200E00074C5B7101A82E00800000000102573EC0F1CCF010000000000000000100
     0000037C3D09157000340AA5D3F23F6A60078
    DTSTAMP:20140128T181305Z
    SUMMARY:Accepted: Miguel Chaperone School
    PRIORITY:5
    X-MICROSOFT-CDO-IMPORTANCE:1
    CLASS:PUBLIC
    ATTENDEE;PARTSTAT=ACCEPTED:MAILTO:[email protected]
    END:VEVENT
    END:VCALENDAR

    Well it looks like none of our outlook installations actually are accessing the exchange email, nor are we able to send to those email addresses even though they exist.  I have 2 email inboxes in Outlook, 1 is the Integra inbox - works fine.  The
    other is called Mailbox - UserName - populated with folder that are and always have been empty.  If I send an email to myself at [email protected]  I get the following bounce back.
    This message was created automatically by mail delivery software.
    A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
      [email protected]
        Unrouteable address
    ------ This is a copy of the message, including all the headers. ------
    Return-path: <[email protected]>
    Received: from wsip-70-166-120-183.ph.ph.cox.net ([70.166.120.183] helo=PK01)
        by arelay2.integra.engr with esmtpa (Exim 4.72)
        (envelope-from <[email protected]>)
        id 1WBtMM-0005N1-Gr
        for [email protected]; Fri, 07 Feb 2014 13:53:18 -0800
    Reply-To: <[email protected]>
    From: "Kevin Simmons" <[email protected]>
    To: <[email protected]>
    Subject: test
    Date: Fri, 7 Feb 2014 14:53:18 -0700
    Message-ID: <F708D49EB6A64BE69891BF9C7B528529@PK01>
    MIME-Version: 1.0
    Content-Type: multipart/related;
        boundary="----=_NextPart_000_0050_01CF2414.572804A0"
    X-Mailer: Microsoft Office Outlook 11
    Thread-Index: Ac8kTwKRc8hlRKNXSlye9E4r5UyfJQ==
    X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.16384
    This is a multi-part message in MIME format.
    ------=_NextPart_000_0050_01CF2414.572804A0
    Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_0051_01CF2414.572804A0"
    ------=_NextPart_001_0051_01CF2414.572804A0
    Content-Type: text/plain;
        charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    test
    Thanks!
    Kevin Simmons
    Project Manager
    4515 S McClintock Dr. Suite 206
    Tempe, Arizona 85282
    p 602 283 1620
    f 602 283 1621
    c 480 702 9687
    [email protected]
    ------=_NextPart_001_0051_01CF2414.572804A0
    Content-Type: text/html;
        charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Dus-ascii" = http-equiv=3DContent-Type> <META name=3DGENERATOR content=3D"MSHTML 11.00.9600.16476"></HEAD> <BODY>
    <DIV><FONT size=3D2 face=3DArial><SPAN=20 class=3D831025321-07022014>test</SPAN></FONT></DIV>
    <DIV>&nbsp;</DIV><?xml:namespace prefix =3D "o" ns =3D=20 "urn:schemas-microsoft-com:office:office" /><o:SmartTagType=20 namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"=20
    name=3D"PostalCode"></o:SmartTagType><o:SmartTagType=20
    namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"=20
    name=3D"State"></o:SmartTagType><o:SmartTagType=20
    namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"=20
    name=3D"City"></o:SmartTagType><o:SmartTagType=20
    namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"=20
    name=3D"place"></o:SmartTagType><o:SmartTagType=20
    namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"=20
    name=3D"Street"></o:SmartTagType><o:SmartTagType=20
    namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"=20
    name=3D"address"></o:SmartTagType>
    <STYLE>@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in = 1.25in; mso-header-margin: .5in; mso-footer-margin: .5in; =
    mso-paper-source: 0; }
    P.MsoNormal {
        FONT-SIZE: 12pt; FONT-FAMILY: "Times New Roman"; MARGIN: 0in 0in 0pt; =
    mso-style-parent: ""; mso-pagination: widow-orphan; =
    mso-fareast-font-family: "Times New Roman"
    LI.MsoNormal {
        FONT-SIZE: 12pt; FONT-FAMILY: "Times New Roman"; MARGIN: 0in 0in 0pt; =
    mso-style-parent: ""; mso-pagination: widow-orphan; =
    mso-fareast-font-family: "Times New Roman"
    DIV.MsoNormal {
        FONT-SIZE: 12pt; FONT-FAMILY: "Times New Roman"; MARGIN: 0in 0in 0pt; =
    mso-style-parent: ""; mso-pagination: widow-orphan; =
    mso-fareast-font-family: "Times New Roman"
    SPAN.GramE {
        mso-style-name: ""; mso-gram-e: yes
    DIV.Section1 {
        page: Section1
    </STYLE>
    <DIV class=3DSection1>
    <P class=3DMsoNormal align=3Dleft><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial">Thanks!</SPAN></P> <P class=3DMsoNormal>&nbsp;</P> <P class=3DMsoNormal><SPAN style=3D"FONT-SIZE: 10pt; FONT-FAMILY: = Arial">Kevin=20 Simmons</SPAN></P> <P
    class=3DMsoNormal><SPAN style=3D"FONT-SIZE: 10pt; FONT-FAMILY: = Arial">Project=20 Manager</SPAN></P> <P class=3DMsoNormal><o:p>&nbsp;</o:p></P>
    <P class=3DMsoNormal><IMG src=3D"cid:831025321@07022014-2937" = width=3D130 height=3D130=20 v:shapes=3D"_x0000_i1025"></P> <P class=3DMsoNormal><?xml:namespace prefix =3D "st1" ns =3D=20 "urn:schemas-microsoft-com:office:smarttags"
    /><st1:Street=20 w:st=3D"on"><st1:address w:st=3D"on"><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial">4515 S McClintock Dr. = Suite=20 206</SPAN></st1:address></st1:Street></P>
    <P class=3DMsoNormal><st1:place w:st=3D"on"><st1:City w:st=3D"on"><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: = Arial">Tempe</SPAN></st1:City><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial">, <st1:State=20 w:st=3D"on">Arizona</st1:State> <st1:PostalCode=20 w:st=3D"on">85282</st1:PostalCode></SPAN></st1:place></P>
    <P class=3DMsoNormal><SPAN class=3DGramE><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial">p</SPAN></SPAN><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial"> 602 283 1620</SPAN></P> <P class=3DMsoNormal><SPAN class=3DGramE><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial">f</SPAN></SPAN><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial"> 602 283 1621</SPAN></P> <P class=3DMsoNormal><SPAN class=3DGramE><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial">c</SPAN></SPAN><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial"> 480 702 9687</SPAN></P> <P class=3DMsoNormal><SPAN=20
    style=3D"FONT-SIZE: 10pt; FONT-FAMILY: = Arial">[email protected]</SPAN></P></DIV>
    <DIV>&nbsp;</DIV></BODY></HTML>
    ------=_NextPart_001_0051_01CF2414.572804A0--
    ------=_NextPart_000_0050_01CF2414.572804A0
    Content-Type: image/jpeg;
        name="image002.jpg"
    Content-Transfer-Encoding: base64
    Content-ID: <831025321@07022014-2937>
    /9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0a
    HBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIy
    MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCACCAIIDASIA
    AhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQA
    AAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3
    ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWm
    p6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QA
    p6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+HwEA
    AwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSEx
    BhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElK
    U1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3
    uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD3
    uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3++iii
    gAooooAKKKKACq97dGzg81bae4O4DZAoLfXkjirFFAHltr8ZNKtPtNteadrU00V1OhZbdCABIwA+
    +OgwPwqf/hdmg/8AQI13/wABk/8Ai68juv8AkL6t/wBhG5/9GtTKxdVp2PKqY+cJuKS0PfvB
    +Xiwe
    JdNFylnqHlyXE4WaeNVVVEjYU4bqBgdO1dZXA/Bz/knsP/X5c/8Ao1q76tkepF3SYUUUUDCiiigA
    ooooAKKy9S1yz017ZZJ4B5twIWLzKuzIJyc/T9ak/t3R/wDoK2P/AIEJ/jQBoUVjXfibTLc2yxX1
    nM006Q4W4XKhu/XtWvHIkqB43V1PdTkUAOoqhqWqRad9nDFC0s6QkFwpUMcZq6jpIu5GVh6g5oAd
    RRRQB8sXX/IX1b/sI3P/AKNamU+6/wCQvq3/AGEbn/0a1Mrkl8TPnK/8WXqz2z4Of8k9h/6/Ln/0
    a1d9XA/Bz/knsP8A1+XP/o1q76upbH0MPhQUUUEgDJOAKZQUVU0/UYNTt2uLUs0O8qshXAkx/Evq
    voe+OKG1G3GqLpysz3JjMjKi5Ea9ix7Z7euD6GgC3RRRQB5X8atNsF8N2EosbYSy6pH5jiJd
    voe+z5R8
    5OOa8g/s2x/58rf/AL9L/hXtPxs/5FXS/wDsKRf+gSV4vPMfMECZyeWK9ceg9/ft+VYVdzyce5e0
    ST6EKCHT9Rsbuy06zlmtrlJNskYEZx/C2Oo9q3L7Xtd1NDHdarNFbEki0sP9GgXPbamCfxJrHkiY
    JEC21RIoCJwB+PWtbQfDq+I9Ua0zJFaRY+0SwjdK7HlYogf4yASSeFHJ7VMXJ6IypTqztTgz
    JEC21RIoCJwB+PWtbQfDq+I9Ua0zJFaRY+nbyD
    SYHQTi3Ehdc+Y2Wx+JzV6yjht2FxplxLav2ls7hoz+amvZZfh/aaZZWRtlXSzLdQx+TaHd/F
    SYHQTi3Ehdc+Y2Wx+JzV6yjht2FxplxLav2ls7hoz+96R2
    yXb3GB9etUPFPw2sLiALa2NppusAn7NdQKVt7xv+ecqnO1j2Jzz0J6Vp7N9Gdbwc0rxm7nPa
    yXb3GB9etUPFPw2sLiALa2NppusAn7NdQKVt7xv+F8Tv
    E2hsqXzjW7MdVmwlwo/2XAw30YfjXsvhvxRpXivTftulXBdVO2WJxtkhb+669j/PtmvmaONWVsxy
    W8qMUkjPDRupwykeoIIq3pesal4a1ePV9OkC3CYVweEuE/55yD09G7GlGo07MzoYyUZclUS6/wCQ
    vq3/AGEbn/0a1MqG3vV1GS7vVjaIXF3PL5b9U3SMcH3GamrKXxM4K/8AFl6s9s+Dn/JPYf8Ar8uf
    /RrV31cD8HP+Sew/9flz/wCjWrvWZUUsxCqBkknAArqWx9DD4UDMqKWYhVAySTgAV8/eNvFv9uX0
    1hoWo6iukgss9x9sc/aieqoCeIx69+3HW98QPiA/ieSXR9HlZNEUlZ7hDg3hHVVP/PP1P8X068no
    +j6h4i1aPR9HjUzkAyysP3dtH/eb+i96zlN35YnFiMRJy9lR3J9Gi8U+INVi0bRtd1nztoMk
    +hv5P
    LtY+m5sH8l7/AEr3bRPB1pokMQTUNUuJwyyTTTXjkzuMfM4zg5wOOmOKn8K+FdO8I6OthYKW
    LtY+Zjvn
    uH5knfuzH+nQDgVuVcVZanVSpuEbSd2FFFFUanmfxvcR+EdOdui6nGT/AN8SV4zaRMkW+Ufv
    uH5knfuzH+nQDgVuVcVZanVSpuEbSd2FFFFUanmfxvcR+pPmf
    2J7fhXsnxvCS+E9MTcP+QrETg+ivXkeR6isKu55OYv30vIr3sqwQCZ/uowY/QV7r8KfDDaL4
    2J7fhXsnxvCS+E9MTcP+QrETg+Ttb2
    9jxqN6puHDDmMPg7frjbn6Adq8JvIBdi2te091DEfozgH+dfUt1fpZ3FhAqqVuZjDndjYAjN
    9jxqN6puHDDmMPg7frjbn6Adq8JvIBdi2te091DEfozgH+n/x3
    H41VJaXNcuguRyK3iD/V6d/2EIP/AEKtK5toby2kt7iMSQyLtZT3FZfiB0MenfOv/H/B3/2quajq
    K2MEcoCvvnihxuxje4XP4ZzWp6J4B4+06TR/HMsUuSbuISFz/wAtSvAf6suAfVkY96wSARgj
    K2MEcoCvvnihxuxje4XP4ZzWp6J4B4+Ir0z
    44WUZTw7qiFfMju2tmweSroT+hX9a8zyPUVz1V7x4mPhy1brqZcGbLWXt+fJuU8xP95eo/LH
    44WUZTw7qiFfMju2tmweSroT+hX9a8zyPUVz1V7x4mPhy1brqZcGbLWXt+5VqV
    Q1PC/ZJ/4orhOfZvlP8AOrryLGAzfdzgn0+tQ9Tmn7yUj234PMqfDuNmIVRd3JJJwAPNauJ+IHxA
    bxNJJo+kTFNFVik9wpwbwjqqn/nn6n+L6deStPE2oXPg1PDcG6200XE73Mit811ukYhBjomO
    bxNJJo+vr06
    daNxGWg8qNQCcBT2T0P4VrKelkejXxfLFU4PXq+xoaPo+oeItWj0fR41M5AMsrD93bR/3m/o
    daNxGWg8qNQCcBT2T0P4VrKelkejXxfLFU4PXq+xoaPo+vevo
    Twr4V07wjo62FgpZmO+e4fmSd+7Mf6dAOBXL/By50h/CLWtlAIdSt5MakGO55JT0kJ7qw6en
    Twr4V07wjo62FgpZmO+e4fmSd+I7V6
    JVwikjqw1CNKGmrfUKKKKs6QooooA8n+M+laZZ+G9PuYrC2ilk1WMPIkQDNlXzk98mvKPs0H
    JVwikjqw1CNKGmrfUKKKKs6QooooA8n+M+laZZ+/PGP
    /vkV7F8cE8zwjpyZxnU4xn0+SSvHLaYzQgtgSL8rj0Ydawq7nk5hfnTXYjljtoJ7KV4YvLS8gL5U
    Y2+Yuc+2K+k73wlpM11p8kOk6eEhnLyjyFG5fLdcdOeSp/CvmzUYRc2hgPHmELn0zX0J8N/E
    Y2+Yuc+2K+x8Q+
    EbE3T/6fDEEmB6vtO0t+YIPuPpVUnpY2y+d4OJNrvh3RY47DZpNku6+hU4gUZBbp0qzqnhLSrm2i
    S20iwV1uIXb9yo+VZFLdvQGrXiD/AFenf9hCD/0KtZ3WNGd2CqoyWJwAPWtT0Dxr4z2Ok2Nt
    S20iwV1uIXb9yo+4fs7
    SxtIJ571pG8uJVJRIznoOmWFebfZoP8AnjH/AN8iul+Imqtr3jwT5PkWdsEhQjoHOQT7sPm+jLXP
    1z1X7x4uPnerZdDM1OGER20SxIGluEUYXsDk/oKvPbxPEYtoEZPzKvAPsaoA/bdcRwcw2qEj0LNw
    D+Wf8mtSoZzTbikvmUtPFxDAi3ETJFM8ptZD0lVXKsM+qnqPQg1dr0fwp4Th8X/B1bPcsV7D
    D+Wf8mtSoZzTbikvmUtPFxDAi3ETJFM8ptZD0lVXKsM+e3Mt
    ncEf6uUStjP+yehHoa83AmjklguYWguoHMU8LdY3HUf4HuMVU421N8VQ5LTWz/MvaHrl34X1
    ncEf6uUStjP+6DWr
    NWfyxsuYFP8Ar4SeV/3h1X3HvX0npuo2ur6bb6hYzLNa3EYkjkXoQa+X67b4YeLf+Ef1caHeyY0v
    UJM27MeILg/w+yv+jfWqpz6M3wOIt+6l8j3Siiitz1QooooA81+Nn/Iq6X/2FIv/AECSvF5YzHJ5
    yHbnhj2+p9q9o+Nn/Iq6X/2FIv8A0CSvH6wq7nkZg7VF6FWaYARCQGM+YvXofoa6Pwj4ki8N
    yHbnhj2+p9q9o+6o32
    qd4dOuH3/aYvmazlxjeV/ijYAB19ge1c89tcyXFpbWMPnyz3CRxwbgu5j0AJ4H48U65VLG6NtqNo
    9hdA8xXcXlt+GeD9QTUxutUY0XOnapBaHuur+LrNbfTRevGWN3DKk1mfPimUHOV25I+jD6E1
    9hdA8xXcXlt+GeD9QTUxutUY0XOnapBaHuur+LrNbfTRevGWN3DKk1mfPimUHOV25I+R8Ye
    OLO004PcPFI8mfsukxzK0lw3ZpypwkY6kd+5P3a8UWJbbDWM89qHlUsLWdowxzwcKQM+9NMW
    OLO004PcPFI8mfsukxzK0lw3ZpypwkY6kd+5P3a8UWJbbDWM89qHlUsLWdowxzwcKQM+n2YZ
    pPIQsdzvKwLMfUk8k1o6qtodkswjy+6ncsPdNJPNcXlyJ7y5kaadxyXduuAO3YDsAKakN5qN
    pPIQsdzvKwLMfUk8k1o6qtodkswjy+1BY2
    ls8tzcvsht1+9Kff+6o6k+laug+Gtc8TOq6JpjC3Y4N7cIYoFHqCRl/oor2/wX4C0/whA0oc
    ls8tzcvsht1+9Kff+6o6k+laug+3mqT
    DE97IoDEf3UH8K+w/HNTGDbuzGjhZ1Jc9TT8z53srOWx+1W1wyPcRXMscrp0Zlcrx7cce1Wq
    DE97IoDEf3UH8K+fdf8
    hfVv+wjc/wDo1qZWct2cdf8Aiy9T2z4Of8k9h/6/Ln/0a1Y3xa8IEqfFmnREywoF1GJBzJEO
    hfVv+kgH9
    5O/qv0FbPwc/5J7D/wBflz/6Nau9ZQ6lWAKkYII4IrptdWPe5FOnyy2aPlUEMoZSCpGQR3FNliSe
    JopBlWGDXR+N/CZ8HeIPKgQ/2RfMz2Tdom6tCfp1X247Vz9c0k4ux4NWnKjPlZ7Z8MPGT+IN
    JopBlWGDXR+LbSt
    Sl3avYKA7HrcRdFl+vZvf6iu+r5bsr+80fVLXVtOYLe2jbkBOFkU/ejb2Yce3B7V9IeHdes/
    Sl3avYKA7HrcRdFl+vZvf6iu+r5bsr+Euh2
    2q2LHypl5RvvRsOGRvQg5FdEJcyPZwuI9tDXdGpRRRVnUea/Gz/kVdL/AOwpF/6BJXj9ewfGz/kV
    dL/7CkX/AKBJXj9YVdzx8x/iL0Lug/8AI4eHf+wpB/OvpW8sbTUIDBe2sFzCesc0YdT+Br5q0H/k
    cPDv/YUg/nX07V0vhOrL/wCF8ziNV+FvhO7MDW/h3T42FwjS7E8vKZ+YfLWvp/gXwppcgksvD2mx
    SDo/2dSw/EjNHh3xpovim/1Sy0u4eSbTZfKnDJtGckZX1GVPNc3qfxq8IaRqt5pt098J7SVoZdls
    SoZTg856Vodx6IAAMAYAqte2n22DyvtFxB8wO+B9jfTPpWLN478OQeEU8UPqSf2TIPklAOWb
    SoZTg856Vodx6IAAMAYAqte2n22DyvtFxB8wO+ONoX
    ruyCMexql4X+JnhvxdNc2+nTzpdW8Zle3uItjlB/EB3HT86AMG2+Dei3P2i4vbnWI55bqZyF
    ruyCMexql4X+JnhvxdNc2+vOCD
    IxB6dxg/jU//AApXw1/z/a1/4G//AFq6K08daLe+CpfFkLTnS4ldmJiw+Fbafl+oqtd/Ejw/Zm3E
    rXWZ9M/tVNsJP7jGf++valZEOnB6tIk8G+Eo/DVgIIri/Ecc85SGW43qVaRtrEY6kYP1rqq81tfj
    n4Nu7yK1ibUDLK6xqDanqTgZ5qfVPjT4R0jVrzTLlr/7RaTNDLstiwDKcHBzTLOh8SeDNO8U2k9v
    qE975cuGVUuGCxuPusq9AQea5Sw+DWgSWaG+/tSO5GVkCagxViDjcPY9cdRnFdDe/Efw5p3h
    qE975cuGVUuGCxuPusq9AQea5Sw+DWgSWaG+Oz8S
    XVzLFZXv/HvGYz5spyRgJ+H0qnY/FjwrqPh7UdZgnuPK07b9pgaEiZAzBQdvcZPUGlZEuMXuin/w
    pbwr/wA9tW/8Dnq3pXw+tvDN6i6Rdap9huWJuYvtzAq+OJPfptI+h7Gqel/Gvwjq+q2um2rX5uLm
    ZYYw1qQNzHAyc8danv8A4x+DtO1+TSJrycyRTCCa4SEmGJ84IZvY9SMiiyBRitkd9RSAhlDK
    ZYYw1qQNzHAyc8danv8A4x+DtO1+QQRk
    Ed6KZR5t8bP+RV0v/sKRf+gSV4/XsvxK0TXvENjYWEB02NDqSNC0jyZOFfG7C+npXH/8Kh8Y
    Ed6KZR5t8bP+f8/e
    hf8Afyb/AOJrKpByeh52Mw9SrNOC6HL6D/yOHh3/ALCkH86998ca8PDPgrVtW3ASQQN5We8jfKn/
    AI8RXlUPw28U6LrWjX9xcaM6xahCwWOSXJbPHVelem+JPCbeMtHtLDWbjyEhuluJY7Q5SYLn
    AI8RXlUPw28U6LrWjX9xcaM6xahCwWOSXJbPHVelem+CksM
    455qqaaVmb4SlKnT5Zb3PD/hdr+h6J458ORabePLJqdi1pqgdGUC5LF1OT15IXI9PerMniHxX4a1
    Lx/qGiaZp91pqatILuS4Qu0RJIBCgjK888GvafFHgjTPE2n21uf9BltrlLmG4to1Do6dO3TmjSfB
    Gn6Y3iHfLJdRa7O81zHKBtG4EFRjtyas6jyWDQrXSofhZpst3DqGm3N9NdSSqP3UkrbWQAHsM4wf
    f6V6pq1v4VXxfFNOLdfExsJBbDcQ7RYbPA4P8XXnrWbB8J9JXwR/wi11fXlzaxTm4tJ2KrLat/sE
    D1J6+pqTwt8MNP8ADmoXWp3Gp3+q6pPCYBd3sm5o4z2X/GgDxrSZPHQ+B90lpBpJ8M+VNvdy
    D1J6+pqTwt8MNP8ADmoXWp3Gp3+ftG3
    ed2OcZznHFdt4cAPxL8CgjI/4RJP5Gu4sfh5Y2Hw6m8GJe3LWkqSIZ2C+YN7Fj2x3qWw8B2Wn+IN
    H1dLy4aXS9MGmxowXa6D+I8daAOd8Hov/C7PHo2rgR2mOOnyVy3h0eOD4w8bf8IpForwf2vJ
    H1dLy4aXS9MGmxowXa6D+5x1D
    du3ZONu3tivV9L8J22leLta8RR3Mzz6qsQkibG1Ni4GO/wCdcjffBuC61rUdTtvFWuWDX9w1xLFa
    zBF3E57devegCldx3dx8ZPBcPiOO1NxHpMsgSIZh+0/Nu2A+gAI+grtrS28KJ48v3thbjxK9
    zBF3E57devegCldx3dx8ZPBcPiOO1NxHpMsgSIZh+qv2p
    VJ3mLIwSOn93nr0rM1L4Y6fq3hjTdKu9T1F7zTWZ7XVfN/0lGJyfm7jp+Qq14L+H2n+DZby7S7u9
    Q1O8x9ovbt90jAdB7D/PYUAYPw2Rf+E3+IXyjjVFxx04auM+y6p4e0rXLzRBpPinwJPdS3F7bsds
    0YyC4zwcqMc89M4r2DQPClt4f1fXNRguJpZNXuRcSq4GEIzwuO3PeuRv/grpF3qt1PBq+qWenXk3
    nXemQTbYZWzkjHYH9O2KAPQtLmtrjSbOazXbayQI8K4xhCoKj8sUVYhhjt4I4YUCRRqERR0UAYAo
    oAcVVsblBwcjI6GloooARlVsblBwcjI6GloooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP
    /9k=
    ------=_NextPart_000_0050_01CF2414.572804A0--
    beyond that - the Global Address Book does not update!

  • SharePoint 2013 Active Directory Groups represented as c:0+.w| SID in UserInformation list instead of c:0+.w|Domain\Groupname

    Hi
    We are running on SharePoint Server 2013.When we add AD groups as permissions, we see that the group name is being displayed properly in the permissions. Whereas when I click on the groupname I see the SID with the Sharepoint specific claims characters,
    instead of domain\groupname. I understand that the claims characters are because of claims mode. But I expected domain\groupname instead of SID. Is this the right behaviour.
    When I call SiteData.GetContent web service, I get the SID of the group name instead of the domain\groupname.
    Can someone please clarify?
    Thanks
    Naga

    Hi,
    Yes, the identity claim for an AD group is based on the SID of the group. The claim encoding for an Active Directory group consists of the following sections:
    c:0+.w|<SID>
    •"c" for a claim other than identity
    •"+" for a group SID
    •"." for a string
    •"w" for a Windows claim
    More information:
    http://www.sharepointfire.com/MyBlog/2013/11/get-ad-group-identity-claim-in-sharepoint-2013/
    Thanks,
    Dennis Guo
    TechNet Community Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Dennis Guo
    TechNet Community Support

  • Verification of prerequisites for Active Directory preparation failed

    We currently have Windows Server 2003 SBS, SP2, Domain Controller. Would like to add Windows Server 2012, Standard, 64-bit as a backup domain controller.
    "Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain sxxxx.local.
    Exception: The RPC server is unavailable.
    Adprep could not retrieve data from the server name.xxxxx.local through Windows Managment Instrumentation (WMI).
    [User Action]
    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130417103902-test directory for possible cause of failure."
    What the log says is really:
    "Adprep encountered a Win32 error. Error code: 0x6ba Error messa The RPC server is unavailable."
    Can anyone has similar experience shred some lights to troubleshoot this? Have reviewed
    other links that have similar probems but that doesn't help. 
    Many Thanks!

    Of course I CANNOT remove Symnatec as Meinolf suggests. That would be out of my mind!! I tried to stop all their services though which doesn't help. I know this has nothing to do with Symantec. Here comes another test, the final one:
    Test 8
    This article is really good as it concludes very thoroughly about the problems about "800706BA - RPC Server Is Unavailable" and other WMI query issues:
    http://goo dot gl/l2iha
    I started looking at he ISA 2004 on our SBS 2003.
    Tried to disable the RPF Filter:
    a. Open Microsoft Internet Security and Acceleration Server 2004
    b. Go to Configuration > Add-in and location RPC Filter on the right side, right-click on it and select Properties, uncheck 'Enable this filter'
    c. Hit Apply....
    d. Now I go back to Windows 7 and test the WMI query.
    The result: it WORKS! 
    e. Next, I tried that on the Windows Server 2012 like so:
    c:>wmic /node:sbs2003servername computersystem list brief /format:list
    It also works!
    f. Next also on Windows Server 2012, I continued on what was left over.  I did the "Rerun prerequisites check " and no surprise - "All prerequisite checks passed successfully. Click 'Install' to begin installation"!
    Well that concludes the problem of installing Windows Server 2012 (standard) as a backup domain controller to a Windows SBS 2003 domain controller and the  troubleshooting process that finally led to a solution that solves my problem. Thanks for all
    the discussions over the web. Every bit counts!
    Well if this helps you in some way, give me some points to buy beer! I am going to have a drink with Bill, Cheers! 

  • BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

    Dear all 
            In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
           " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
          Anyone has encountered similar issue?
       BO version: BO XI 3.1 SP5
       Authenticate: Windows AD
    Thanks and Regards

    Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
    Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
    http://service.sap.com/sap/support/notes/1323391
    http://service.sap.com/sap/support/notes/1199995
    -Ambarish-

  • Query on DNS setup for Active Directory for a new data center

    I have third party DNS appliances providing DNS Service for Active Directory (Windows 2008 R2) and there are also secondary DNS servers, which are MS DNS server with a secondary zone configured, for redundancy. I have to setup a new data center
    and move servers/services to this data center. In this scenario, can I install a new Microsoft DNS server with a secondary zone and use this as the primary DNS Server for all the member servers at this new location ? I am aware that this new DNS server will
    not be able to make any updates to the secondary zone and for that purpose, is there anyway to redirect such requests to the DNS appliances in my current data center across the WAN ? I am trying to avoid purchasing a new DNS appliance for the new data center
    and want to know what are the alternatives I have.
     

    im not entirely sure by your setup, as normally you would use AD integrated zones for DNS in an AD environment - although there are other options as you have already setup.
    the fact the zone is a secondary zone in DNS server terms doesn't mean you can't point your clients to it as their primary dns server. They will quite happily resolve names using a secondary server.
    so as long as your dns devices are correctly setup to support the additional secondary zone I see no reason why you couldn't do this.
    Regards,
    Denis Cooper
    MCITP EA - MCT
    Help keep the forums tidy, if this has helped please mark it as an answer
    My Blog
    LinkedIn:

  • MOBILE ACCOUNTS ARE BROKEN!!!  At least for Active directory.

    Thanks ben6073 for posting your link to the solution. It worked for me as well.
    I did a clean install of SL, joined the machine to the AD domain using Directory Utility. Restarted and when the other user option finally came up in the login screen it would just shake after entering my credentials. As if I was using the wrong password. I then logged in with the local admin account and using the Directory Utility disabled the mobile account option. I then restarted and was able to log in using my credentials.
    MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.
    Thanks ben6073 for the link to a fix. And thank you Rich for the post on google.
    http://groups.google.com/group/macenterprise/browse_thread/thread/2c2502b08bb84c 7a?pli=1
    G

    Greg Plassmeyer1 wrote:
    Thanks ben6073 for posting your link to the solution. It worked for me as well.
    MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.
    I had this problem this morning. It went away after I rebooted and ran applejack in "auto pilot" mode. The machine is a macbook pro running Snow Leopard. The account is a mobile account tied to a windows active directory server. Applejack is available from http://applejack.sourceforge.net/. The auto pilot mode cleans out the system caches is /Library and /System/Library - perhaps this is what provides the fix? Just a guess.

  • Syncing Active Directory Groups for Unity Distribution Groups

    We have multiple remote stores with managers that move around quite a bit. This poses an administration nightmare when trying to keep voicemail distribution lists up to date. Is there a way to syncronize an active directory group to a Unity voicemail distribution group? Therefore when we move a manager around in ADS the user automatically moves in Unity.

    Unfortunately this feature has not been re-implemented in Unity Connection. This is one of the few things from Unity that I miss. I suggest voicing your desire for this as a feature enhancement with your Cisco AM.
    If you are doing that many changes you may want to consider going through the Cisco Unity Connection Provisioning Interface. At least you could script the changes there using code that checked AD group membership and replicated the changes into CUC.

  • Connector for Active Directory Password Sync

    Friends,
    We have some questions about the Connector for Active Directory Password Sync:
    1. There is a need to extend the AD schema when using this connector.
    2. If I have 10 domain controllers and are not synchronized, the documentation tells us to install the dll in each domain controller. Is there any way to do this if necessary, to install this dll in a single domain controller?
    Thanks for your help.
    regards

    Definitely:
    For your Point-1 Look for the Preinstallation section in the AD Password Sync Connector Guide which talks nothing about extending AD schema which supports the validity of the statement.
    For your Point-2 Look for Metalink Article-432727.1 which confirms that the connector has to be installed on all the DC's
    Thanks
    SRS

  • Setting disk quota on Mac server for Active Directory users

    I'm having trouble setting disk quotas for Active Directory users with home folders on our Mac server.
    I've enabled disk quotas on the disk I'm putting home folders on, and I can set disk quotas for local users on the server just fine. But it doesn't seem to work for Active Directory users. I've tried setting disk quotas via Workgroup Manager and via the command line using edquota. But when I use the repquota command there is no quota entry for the AD user. I've run quotacheck and that didn't help either.
    I also understand there's a setquota command but there's no man page on how that works.
    Has anyone got disk quota for AD users working.
    Better still has someone got a shell or perl script for setting quotas they could post.
    Thanks
    - Cameron

    sorry.. I am soooooo stupid... I have to activate "File Sharing" as well.. for the user everything was already pre-activated, not for the AD users, I just saw the Time Machine checkbox grayed out ...

  • Search for single member in an Active Directory Group

    Hello all,
    I'm attempting to find a better method to search if a user is a member of a group in Active Directory. I currently retrieve the entire member attribute of the group.
    I need to reduce the time of the query. I would like to be able to search for a specific member (user) of the group instead of retrieving the entire member list of the group.
    I can post my current code if that would help.
    I believe the default Active Directory group object is the ldap group. I know that there are posixGroup and groupOfUniqueNames ldap classes available, but I'm not sure if Active Directory has access to those classes.
    Is my request possible using the group ldap object?

    Thanks for the reply.
    I have read the first post you gave, but not the second. I'm off to read that now.
    My main concern is that I don't have access to the DN of the user in the member attrib. I have access to their CN and uid (which is indexed). From what I can recall from when I last updated this code, I couldn't create a wildcard search filter e.g.,:
    (&(cn=All Scientists)(objectClass=Group)(member=CN=Albert Einstein*))
    If that's correct and I require a DN, is there any way around this?
    I was interested in the posixGroup and groupOfUniqueNames classes. I wasn't aware that these were available through Active Directory, but I see them listed in the AD schema (http://msdn.microsoft.com/en-us/library/ms683908(VS.85).aspx).
    If I'm correct, posixGroup would allow for a filter of (&(cn=All Scientists)(objectClass=posixGroup)(memberUid=AEinstein))
    I'm not sure how typical it is to use the posixGroup class in AD and I'll have to check with my AD team before moving forward with this. But I wanted to get some more direction/ideas before asking them to create some posixGroup objects for me.
    I'm now going to go and read the second post you linked, but I wanted to put the rest of my details out there.
    Thanks again.

  • Lion Server not reading Active Directory Groups reliably

    I am trying to upgrade one of our XServes from Snow Leopard Server to Lion Server and am running into a strange issue with our Active Directory based users and Groups.
    The current Snow Leopard Server serving files from a XSan volume is running fine, though we find a very long Lag time for Windows users to connect. Once a few users have connected the lag seems to go away, but it is still not nearly as fast as Mac users connecting or Windows connecting to a PC server.
    So I have connected a second Xserve to the SAN and performed a clean install of Lion Server. Initially while it would find my Active Directory Groups it would not import any of the users, so obvioulsly no one could connect. In a last ditch effort I installed the beta of 10.7.4, which seemed to resolve the issue for a small group of test users. However as I expanded the test I found that some users would get a message that the were no resources available to them, or they didn't have the correct permissions. This is very strange as everyone is in the same group so should have the same permissions. As a test I took one of the user accounts and created a new share and gave him R/W permission to that share and suddenly all of the shares that he should have had permission to in the first place popped up.
    The only thing that I can think of is that we have such a large Active Directory structure that the authentication is timing out or reaching some user limit and stops looking. (we have over 50,000 users and thousands of groups spread through multiple OUs in the AD structure)
    The new Server.app in Lion looks nice, but it does not seem to have nearly the robustness of the previous Server Admin tools. For instance, I never needed or wanted to setup a "Golden Triangle" but with Lion it is required. Perviously I could search for AD users or groups and drag them from the search window to the share to assign permission, now even though I've imported the groups and users it needs to search the entire directory when assigning permissions - why can't it see the groups that are already there? Why can I run a dscl search and find a user or group instantly, but the Server.app hangs for 5 minutes and shows 0 results?
    Has anyone found a way to make Lion Server work in an enterprise environment?

    Yesterday morning I bound a 10.7.4 server to our AD, and in the afternoon I eventually saw all the AD users, groups, etc show in Workgroup Manager. Now, with dscl, I can see all the AD user and group records, and with Workgroup Manager, I can search the groups, users, and computers, but with the Server.app, when trying to create new group of the type "Imported group from another directory", the searches returned nothing. Directory Utility can show all the AD information also. Our AD has thousands of user record, and so it is reasonable that it may take some time for the Mac server to get all the info. But from the add users or groups interface, I just could not get any search results. What could be wrong then? 

  • Add a mac to an active directory group using a script?

    I am managing a bunch of Macs and we are using Active Directory groups to assign certificates for 802.11x. I am binding the device to AD using JAMF software and was wondering if I could use a script to then add the deive to an active directory group.
    Thanks in advance...

    I think I misunderstood your question.  If you are trying to add the computer record to a location other than the Computers container, then just change your binding script to target the folder you want.  Remember that the user account you are using to bind must have access rights to this folder.
    For example, the sample command from the man page shows you how.  Say you have a subfolder inside Computers called Macs.  You would do this in your binding script.  Note the notation of an organizational unit within the Computers container.
    dsconfigad -a ThisComputer -u "administrator"
    - ou "CN=Computers,OU=Macs,DC=ads,DC=demo,DC=com" -domain domain.ads.apple.com
    Is that what you are looking to do?

  • FCS 1.5 Not all Active Directory groups visible in list

    Hi,
    We just upgraded Final Cut Server to 1.5 and want to make use of Active Directory groups to set permissions in FCS. I've created a few groups in AD which do not appear in the list when I want to add these to Group Permissions. I do see many AD groups but some are not in the list. I can find the group in the Directory application and also with dscl (dscl /Active Directory/domain.tld -read /Groups/fcs-editor).
    Please advice.
    Thanks in advance,
    Martin

    I found a solution, though it might be still temporary. See if you can narrow down your Directory Search Policy. In your AD forest, you might need just one domain for your department, location, etc.
    So, in Directory Utility, click on Search Policy, delete "/Active Directory/All Domains", don't apply yet, but click on the plus sign, and see what specific domains you can choose from there. Do the same to contacts.
    Though still I can see now 1.592 records of groups or users when I run dscl but at least I know that AD administrators can really clean up our groups listings ( some of those groups are not being used) , and try to keep the number under 2,000.
    It has to be a way to increase the default number of 2,000 in Search Policy, but I haven't had time to do that

  • Cannot Retrieve Active Directory Groups

    Hi All
    I recently connected my ACS deployment to Active Directory 2003. However when I try to add the active directory groups for group mapping, i.e. navigating to Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups Tab and click select.
    My GUI on IE just loops and does not display anything(it does not freeze). On Firefox I receive "The connection was reset" error.
    Any ideas?
    Thanks in Advance

    Do you have the proper AD permissions set for the AD account used to join ACS to the domain?
    Note: AD account required for domain access in ACS should have either of these:
    Add workstations to domain user right in corresponding domain.
    Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is created before joining ACS machine to the domain.
    Thank you for rating helpful posts!

Maybe you are looking for

  • XPath Exception on Bursting Control File Template Filter Expression

    I am getting the following exception for this bursting control file in EBS 11.5.10.2 on the template filter expression: oracle.xml.parser.v2.XPathException: Unknown expression at EOF: (./XXCUS_DIST_CODE='P')[1]. <?xml version="1.0" encoding="UTF-8"?>

  • Adobe Sizing issue

    So the facts and then a picture.  I am using Windows 7, 64-bit.  I have two monitors set up.  When I open Adobe Acrobat (8 Professional) the window is maximized, but somehow the window is off-center.  It doesn't fill one monitor and when I hit the Re

  • How to make a copy of photos taken on iPad camera?

    I've only just got an iPad so forgive me if this is really basic but I want to make a copy of a photo I have taken with the camera on the iPad so I can edit one but still have the original. I've tried copy image but it doesn't seem to do anything, I'

  • ADjust and activate table

    hi i have done some changes to a table adding few fields i need to know 1) what is the tcode to adjust and activate the table again if we do some changes to the primary key 2) since tehre is a view maintainence which exist for the table so what steps

  • Where is the dvd ripper thing?

    I have videora and i want to put movies on my ipod but I cant find the right dvd ripper tool. I dont know where to find it. Can someone give me a link so i can download it?