713060: Tunnel Rejected: User (user) not member of group (group_name), group-lock check failed.

Hi,
I just configured VPN for end users on a PIX515e with IOS 8 and got stuck with "Tunnel Rejected: User (msveden) not member of group (VPN-shared), group-lock check failed.". Can someone please help me and tell me how to add a user to my VPN group?
Regards
Mikael

Maybe you are looking for this:
ASA1(config)# username msveden attributes
ASA1(config-username)# group-lock value mygroup
Thanks
Ajay
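
For auditing these rejections from the defender's side, here is an added example (not part of the original thread and not Cisco tooling): it reads `group-lock value` settings from a running-config excerpt, either under `username ... attributes` or inherited through `vpn-group-policy`, and classifies each 713060 rejection found in a syslog sample. The config excerpt, the log lines and every name other than `msveden` and `VPN-shared` are constructed, and the parser assumes sub-commands keep their leading-space indentation.

```python
import re

# Constructed running-config excerpt. Only "msveden" and "VPN-shared" come from
# the thread; all other users, policies and tunnel groups are illustrative.
SAMPLE_CONFIG = """\
group-policy StaffPolicy attributes
 group-lock value VPN-staff
username msveden password XXXX encrypted
username msveden attributes
 group-lock value VPN-admins
username alice password XXXX encrypted
username alice attributes
 vpn-group-policy StaffPolicy
username bob password XXXX encrypted
tunnel-group VPN-shared type remote-access
tunnel-group VPN-admins type remote-access
"""

# Constructed syslog sample; only the 713060 message text is taken from the page.
SAMPLE_LOG = """\
Jun 01 10:00:01 ASA1 %ASA-3-713060: Tunnel Rejected: User (msveden) not member of group (VPN-shared), group-lock check failed.
Jun 01 10:02:17 ASA1 %ASA-5-111008: User 'admin' executed the 'write memory' command.
Jun 01 10:05:42 ASA1 %ASA-3-713060: Tunnel Rejected: User (alice) not member of group (VPN-shared), group-lock check failed.
Jun 01 10:09:03 ASA1 %ASA-3-713060: Tunnel Rejected: User (bob) not member of group (VPN-shared), group-lock check failed.
"""

REJECT_RE = re.compile(
    r"713060: Tunnel Rejected: User \((?P<user>[^)]+)\) not member of group "
    r"\((?P<group>[^)]+)\), group-lock check failed"
)


def parse_config(text):
    """Collect group-lock settings, user-to-policy links and tunnel-group names."""
    cfg = {"user_lock": {}, "user_policy": {}, "policy_lock": {}, "tunnel_groups": set()}
    ctx = None  # (kind, name) of the "attributes" stanza currently being read
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():  # top-level command: leaves any open stanza
            ctx = None
            if (len(words) == 3 and words[0] in ("username", "group-policy")
                    and words[2] == "attributes"):
                ctx = (words[0], words[1])
            elif words[0] == "tunnel-group" and len(words) >= 2:
                cfg["tunnel_groups"].add(words[1])
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if len(words) == 3 and words[:2] == ["group-lock", "value"]:
            key = "user_lock" if kind == "username" else "policy_lock"
            cfg[key][name] = words[2]
        elif kind == "username" and len(words) == 2 and words[0] == "vpn-group-policy":
            cfg["user_policy"][name] = words[1]
    return cfg


def effective_lock(cfg, user):
    """Per-user lock wins; otherwise use the lock of the user's assigned policy.
    Simplification: inheritance from the default group policy is not modelled."""
    if user in cfg["user_lock"]:
        return cfg["user_lock"][user], "username attributes"
    policy = cfg["user_policy"].get(user)
    if policy in cfg["policy_lock"]:
        return cfg["policy_lock"][policy], "group-policy " + policy
    return None, None


def explain_rejections(log_text, cfg):
    """Return one finding per 713060 line, with a verdict an admin can act on."""
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        user, attempted = m["user"], m["group"]
        lock, source = effective_lock(cfg, user)
        if lock is None:
            verdict = "lock-not-in-config"    # lock comes from elsewhere (default policy, AAA)
        elif lock == attempted:
            verdict = "config-allows-now"     # excerpt is newer than the log entry
        elif lock not in cfg["tunnel_groups"]:
            verdict = "lock-target-missing"   # locked to a tunnel group that is not defined
        else:
            verdict = "lock-mismatch"         # user connected through the wrong tunnel group
        findings.append({"user": user, "attempted": attempted, "lock": lock,
                         "source": source, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in explain_rejections(SAMPLE_LOG, parse_config(SAMPLE_CONFIG)):
        print(f)
```

A `lock-mismatch` verdict means the firewall enforced the configured restriction, so the fix is either to connect through the locked tunnel group or to change the `group-lock value`, as the reply above suggests.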

Similar Messages

  • Cannot send email Error SMTP: [554] 5.7.1 END-OF-MESSAGE : End-of-data rejected: user not permitted to relay

    please help me with this error

    Experiencing same event "<END-OF-MESSAGE>: End-of-data rejected: user not permitted to relay" on newest email account. Had not seen for first 3 days, now suddenly, every attempt. Account has sent less than 30 emails total in its lifetime.
    Account is [email protected]
    Please advise, and thank you.

  • End-of-data rejected: user not permitted to relay

    I get this error whenever I try to respond to an email from an employee using our company email.  I don't get the message when responding using other email programs, just when responding using email addresses with same url.
    How do I fix this?

    Hi Sidney
    I have an email account experiencing the same issue: [email protected]
    Incoming mail is fine, but outgoing mail has suddenly stopped working always getting the same error: "adobe bc email, the server response was: <END OF MESSAGE>: End-of-data rejected: user not permitted to relay"
    Can you advise or correct for me please?
    Regards
    David

  • Node connectivity,user existence:oracle and group existence:oinstall fail

    Hi all,
    I am trying to install Oracle Grid Infrastructure 11g R2 on Oracle Linux Enterprise edition,
    but while installing, the following 3 errors are displayed:
    1. node connectivity,
    2. user existence:oracle
    3. group existence:oinstall fail.
    Please can anyone help me resolve the above errors?

    1. check connectivity to ALL nodes is OK, test ping, test ssh (should be passwordless) ,etc
    2. check if the software owner is consistent across all nodes, check the owner id
    3. check if the software group is consistent across all nodes, check the group id too
    Cheers
    FZheng
    Edited by: FZheng on May 16, 2011 9:57 AM

  • How to stop users not in any group and users from other groups accessing sites they have no permission to access on top link bar?

    Hello Community
    Using SharePoint 2010 Server and UI, a web application was created with subsites.
    The subsites have unique permissions and Owner, Member and Visitor groups.
    The problem is, however, that even if a user does not exist in a group, that user can access the top link bar/navigation bar and its subsites.
    Also, any user in any group can access any top link bar/navigation bar and its subsites.
    How do you enforce that if a user is not in a group they are denied access to the top link bar/navigation bar and its subsites?
        Thank you
        Shabeaut

    If you are using the built in SharePoint navigation links, SharePoint will automatically hide links to sites that a given user doesn't have access to.
    The problem is, it sounds to me like you have a fixed top link bar that lists the content and if a user doesn't have access, the link still shows up.
    You may want to look at how the top link bar was encapsulated in the design of the page.  If it isn't wrapped in the permissions provider code, that could be the problem.
    I trust that answers your question...
    Thanks
    C

  • SMTP Error: [554] 5.7.1 END-OF-MESSAGE : End-of-data rejected: user not permitted to relay

    Hi
    I am getting the following error on 3 of my client's accounts when trying to send out messages. We had a spam on the email address about a month ago and this has affected the emails now not working.
    Please could someone urgently assist. The client did not send the spam; it looked like his email address was used by someone else. We have reset all the passwords but now we can't use it.
    the email addresses are:
    [email protected]
    [email protected]
    [email protected]
    Please can someone assist me urgently as the client cannot send and the info account cannot send or receive.
    thanks Marelise

    Hi Marelise,
    For now, I have enabled these accounts, but in such cases, it is recommended to reach out to chat support or submit a ticket to get faster resolution.
    Do let me know if you have any question.

  • Getting current user's  member of group

    Hi expert(s),
    I have developed a web application using JSP. Now I need to know whether the current user logged in at the client PC is a member of a certain group available in the database. I can get the current user using System.getProperty(), but I have to get the list of groups he/she belongs to, so that I can check his group to authenticate...
    What is the workaround?
    Waiting for your kind reply.
    Thanks & Regards,
    Sri.

    Experts, here is the .NET code that does what I need. I need to convert/use it on the Java platform; please give me some useful tips.
    If G_sSecurityMode = "ADSL" Then
                    GUser = System.Environment.UserName
                    ReDim sGroup(6)
                    'Default NT user groups which will be created at every system during installation
                    sGroup(0) = "CPMSDOMAINADMIN"
                    sGroup(1) = "CPMSCLIENTADMIN"
                    sGroup(2) = "CPMSDATAPREPADMIN"
                    sGroup(3) = "CPMSDATAPREPUSER"
                    sGroup(4) = "CPMSINVENTORYADMIN"
                    sGroup(5) = "CPMSINVENTORYUSER"
                    G_sUserGroup = " "  'Global variable defined in GLbdecleration module
                    'Loop defined to identify  the group(s) associated with the current NT user
                    For i = 0 To 5
                        objGroup = GetObject("WinNT://" & sMachine _
                         & "/" & sGroup(i) & ",group")
                        For Each objUser In objGroup.Members
                            If UCase(GUser) = UCase(objUser.Name) Then
                                G_sUserGroup += "'" + sGroup(i) + "'" + ","
                            End If
                        Next
                    Next
                    G_sUserGroup = G_sUserGroup.TrimEnd(",") 'To truncate the last "," in a g_susergroup string
                    If Len(Trim(G_sUserGroup)) = 0 Then
                        MsgBox("No group(s) defined for the user " + GUser, MsgBoxStyle.Information)
                        Me.Close()
                    End If
                Else
                    MsgBox("Invalid Security Definition", MsgBoxStyle.Information)
                    Me.Close()
                End If

  • Deploy applications/app-v packges: uninstall when not member of group/collection?

    Hi,
    How to make sure an application/App-V package gets uninstalled when a user isn't a member of the target group/PC isn't a member of the targeted collection?
    J.
    Jan Hoedt

    Let's say you create these two collections with the deployments as described:
    Resource ... MyComputer1
    Collection ... 7-Zip Install Collection
    Deployment ... Action: Install
    Application ... 7-Zip
    Resource ... MyComputer1
    Collection ... 7-Zip Uninstall Collection
    Deployment ... Action: Uninstall
    Application ... 7-Zip
    Since MyComputer1 has both an Install and an Uninstall deployment, the Application will get Installed (uninstall deployments lose if there are both).  However, if you were to remove MyComputer from the 7-Zip Install Collection, there would only be an Uninstall deployment left.
    While you would never want to micromanage 7-Zip this much, technically it would achieve what you are looking for with an application that needed this level of management.
    Nash Pherson, Senior Systems Consultant
    Now Micro

  • Start a Task Process Action in SPD 2013 does not expand SharePoint Groups

    I created a site workflow in SPD 2013, and added a "start a task process".  I specified that the participants would be a group, the tasks would be created in parallel and "Assign a task to each member with groups" is checked. 
    I did check after the fact that "ExpandGroup" is "Yes" in the properties.
    However, when executed, the group gets assigned a task, not individual users within the group.
    I have seen other postings where others have the same issue, but no resolutions besides MS is investigating.  Is this some issue with my setup?  I have tried this in multiple environments with the same results.

    Hi wangsy101,
    According to your description, you created a workflow with “Start a task process” in SharePoint 2013 Designer, the participants were a group, and you had made sure that “ExpandGroup” was “Yes”. However, when executed, the workflow didn’t assign the task to individual users within the group.
    I reproduced the process, and in my testing, everything worked well.
    When you start the workflow and view the workflow, you will see the Assigned to field is the group. And when you open the related tasks, you will note that there are some new tasks related to individual users within the group. It means that “ExpandGroup” works correctly.
    If the issue still exists, please create an approval workflow with the SharePoint 2010 Designer platform, and set the same configuration to test.
    I hope this helps.
    Thanks,
    Wendy

  • Groups are not displaying in the user's member of tab

    Hi,
    We have an issue.
    After mapping any AD group in CMC, the groups and users are displayed in the CMC list, but when we go to the properties of the user and the Member Of option, the groups are not displayed.
    After restarting the CMS everything works fine.
    Every time after adding a new user we have to restart the CMS, which is very difficult for us as a number of users are working on this.
    We are using a number of AD groups.
    Is there any resolution for this without restarting the CMS?
    Thank you in advance.
    Environment -
    BO XI3.1,
    LDAP authentication.
    Thanks & Regards,
    Collin.

    The LDAP graph is responsible for showing the membership when viewing the user properties, an issue like this would indicate the graph is not auto updating. It normally builds when starting the CMS then every 15 minutes or so for new users (depending on system activity). It shouldn't lose any info (if it does this indicates a caching or communication problem with AD). There is a graphtimeout setting in the registry (search SAP notes) if this were disabled then it may cause similar symptoms.
    I'm not aware of any bugs in 3.1 causing this behavior so you may need to open a case with support (authentication team) to help troubleshoot.
    Regards,
    Tim

  • Active Directory users not made member of Local Network group

    Hi all,
    I've just done a clean install from 10.6 Server to 10.8.4.
    The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
    The Setup:
    In Groups in Server.app under Local Network Group I have created a group called "AccessServer"
    Members in that group are:
         - AD-Domain User Group (so should be all users in the domain)
         - MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
         - AD User 1
         - AD User 2
         - AD User 3
    The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
    The Behaviour:
    AD User 1 can access AFP and other services as expected.
    AD User 2 and 3 cannot.
    Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
    Yet other users within AD-Domain User Group or netaccounts cannot
    Furthermore: 
    If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group.  I can still login with that account!
    Diagnosis:
    I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
    >dseditgroup -o checkmember -m ADUser1 accessserver
    yes ADUser1 is a member of accessserver
    >dseditgroup -o checkmember -m ADUser2 accessserver
    no ADUser2 is NOT member of accessserver
    >dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
    yes ADDomainUser/netacc is a member of accessserver
    >dseditgroup -o checkmember -m n accessserver
    no ADUser2 is NOT member of accessserver
    When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
    2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
    I get the same results even after removing the user from the Groups screen!
    Failed Solutions
    - As we are a large AD I've tried specifying specific Active Directory servers that might better be able to find the users in question and authenticate.
    - I've let the system just sit, in hopes delayed replication would solve the problem overnight.
    - I've deleted and recreated the groups.

    Upon further investigation we have discovered:
    a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
    b)  This is NOT limited only to MacOS X Server 10.8.  The same behaviour is occurring on a long-running 10.6 server as well.
    c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually.  If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
    d) Which users are allowed and which are not is unclear and appears generally random.  We have found 3 'classes' of users:    
              1 - those that are successfully becoming members every time.
              2 - those that are intermittent members.  Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
              3 - those that are never successfully admitted as a member.
    So the problem is both Apple's and Windows in that:
    Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
    Windows:  Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
    Really hoping people have some ideas on this.  This system of nested groups or individual user access is something we have of course been using for many years.  So this is a major setback.

  • AnyConnect error " User not authorized for AnyConnect Client access, contact your administrator"

    Hi everyone,
    it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem. The setup of the ASA is straightforward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
    Please find the current config and debugging output below. I appreciate any pointers as to what might be wrong here.
    : Saved
    ASA Version 9.1(1)
    hostname ASA
    domain-name ingo.local
    enable password ... encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ... encrypted
    names
    name 10.0.1.0 LAN-10-0-1-x
    dns-guard
    ip local pool VPNPool 10.0.2.1-10.0.2.10 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif Internal
    security-level 100
    ip address 10.0.1.254 255.255.255.0
    interface Vlan2
    nameif External
    security-level 0
    ip address dhcp setroute
    regex BlockFacebook "facebook.com"
    banner login This is a monitored system. Unauthorized access is prohibited.
    boot system disk0:/asa911-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup Internal
    dns domain-lookup External
    dns server-group DefaultDNS
    name-server 10.0.1.11
    name-server 75.153.176.1
    name-server 75.153.176.9
    domain-name ingo.local
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network LAN-10-0-1-x
    subnet 10.0.1.0 255.255.255.0
    object network Company-IP1
    host xxx.xxx.xxx.xxx
    object network Company-IP2
    host xxx.xxx.xxx.xxx
    object network HYPER-V-DUAL-IP
    range 10.0.1.1 10.0.1.2
    object network LAN-10-0-1-X
    access-list 100 extended permit tcp any4 object HYPER-V-DUAL-IP eq 3389 inactive
    access-list 100 extended permit tcp object Company-IP1 object HYPER-V-DUAL-IP eq 3389
    access-list 100 extended permit tcp object Company-IP2 object HYPER-V-DUAL-IP eq 3389 
    tcp-map Normalizer
      check-retransmission
      checksum-verification
    no pager
    logging enable
    logging timestamp
    logging list Threats message 106023
    logging list Threats message 106100
    logging list Threats message 106015
    logging list Threats message 106021
    logging list Threats message 401004
    logging buffered errors
    logging trap Threats
    logging asdm debugging
    logging device-id hostname
    logging host Internal 10.0.1.11 format emblem
    logging ftp-bufferwrap
    logging ftp-server 10.0.1.11 / asa *****
    logging permit-hostdown
    mtu Internal 1500
    mtu External 1500
    ip verify reverse-path interface Internal
    ip verify reverse-path interface External
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any echo External
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (Internal,External) dynamic interface
    object network LAN-10-0-1-x
    nat (Internal,External) dynamic interface
    object network HYPER-V-DUAL-IP
    nat (Internal,External) static interface service tcp 3389 3389
    access-group 100 in interface External
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server radius protocol radius
    aaa-server radius (Internal) host 10.0.1.11
    key *****
    radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console radius LOCAL
    http server enable
    http LAN-10-0-1-x 255.255.255.0 Internal
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map External_map interface External
    crypto ca trustpoint srv01_trustpoint
    enrollment terminal
    crl configure
    crypto ca trustpoint asa_cert_trustpoint
    keypair asa_cert_trustpoint
    crl configure
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    crl configure
    crypto ca trustpool policy
    crypto ca server
    cdp-url http://.../+CSCOCA+/asa_ca.crl:44435
    issuer-name CN=...
    database path disk0:/LOCAL_CA_SERVER/
    smtp from-address ...
    publish-crl External 44436
    crypto ca certificate chain srv01_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain asa_cert_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate <output omitted>
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable External client-services port 44455
    crypto ikev2 remote-access trustpoint asa_cert_trustpoint
    telnet timeout 5
    ssh LAN-10-0-1-x 255.255.255.0 Internal
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh timeout 5
    ssh version 2
    console timeout 0
    no vpn-addr-assign aaa
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd dns 75.153.176.9 75.153.176.1
    dhcpd domain ingo.local
    dhcpd option 3 ip 10.0.1.254
    dhcpd address 10.0.1.50-10.0.1.81 Internal
    dhcpd enable Internal
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address LAN-10-0-1-x 255.255.255.0
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter use-database
    dynamic-filter enable interface Internal
    dynamic-filter enable interface External
    dynamic-filter drop blacklist interface Internal
    dynamic-filter drop blacklist interface External
    ntp server 128.233.3.101 source External
    ntp server 128.233.3.100 source External prefer
    ntp server 204.152.184.72 source External
    ntp server 192.6.38.127 source External
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1
    ssl trust-point asa_cert_trustpoint External
    webvpn
    port 44433
    enable External
    dtls port 44433
    anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
    anyconnect profiles profile1 disk0:/profile1.xml
    anyconnect enable
    smart-tunnel list SmartTunnelList1 mstsc mstsc.exe platform windows
    smart-tunnel list SmartTunnelList1 putty putty.exe platform windows
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    webvpn
      anyconnect profiles value profile1 type user
    username write.ingo password ... encrypted
    username ingo password ... encrypted privilege 15
    username tom.tucker password ... encrypted
    class-map TCP
    match port tcp range 1 65535
    class-map type regex match-any BlockFacebook
    match regex BlockFacebook
    class-map type inspect http match-all BlockDomains
    match request header host regex class BlockFacebook
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 1500
      id-randomization
    policy-map TCP
    class TCP
      set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 250
      set connection timeout dcd
      set connection advanced-options Normalizer
      set connection decrement-ttl
    policy-map type inspect http HTTP
    parameters
      protocol-violation action drop-connection log
    class BlockDomains
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect dns preset_dns_map dynamic-filter-snoop
      inspect http HTTP
    service-policy global_policy global
    service-policy TCP interface External
    smtp-server 199.185.220.249
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command vpn-sessiondb
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command service-policy
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:41a021a28f73c647a2f550ba932bed1a
    : end
    Many thanks,
    Ingo

    Hi Jose,
    here is what I got now:
    ASA(config)# sh run | begin tunnel-group
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool VPNPool
    authorization-required
    and DAP debugging still the same:
    ASA(config)# DAP_TRACE: DAP_open: CDC45080
    DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =
    DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
    DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]
    DAP_TRACE: Username: tom.tucker, DAP_add_AC:
    endpoint.anyconnect.clientversion="3.1.02026";
    endpoint.anyconnect.platform="win";
    DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1
    DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy
    DAP_TRACE: Username: tom.tucker, DAP_close: CDC45080
    Unfortunately, it still doesn't work. Hmmm.. maybe a wipe of the config and starting from scratch can help?
    Thanks,
    Ingo

  • How to get repetitive groups a user is a member of

    Hi,
    I have a user in our domain who is a member of a number of groups. This means in the MemberOf tab of the user there are a large number of groups. Now I want to remove some groups which are repeated.
    Example -
    1. In MemberOf Tab - properties tab -- of John, there are 3 DL/SG "Group_1" and "Group_2" and "Group_3".
    2. Now "Group_3" is a member of "Group_1". So I want to remove "Group_3" from the MemberOf Tab of John properties. This will reduce the MemberOf List.
    3. How do I find these repetitive groups using PowerShell?
    Please let me know if my query is not clear.
    Thanks for your help.

    The following PowerShell script worked well in my test domain. I did not use the AD Module cmdlets, as they are generally slower when you deal with large resultsets (all groups and all users in the domain). This script simply outputs all cases where any user is a member of both a group, and a nested member of the group. This will reveal the extent of issue, and whether you want to "correct" all such cases. In place of the statement that outputs the cases, you can add code to "correct" it (remove membership in $Member, the child group, for the user).
    # UserNestedGroups.ps1
    # Script to find cases where users are members of both a group and a
    # nested group member of the group.

    # Hash table of groups and their direct group members.
    $GroupMembers = @{}

    # Search entire domain.
    $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $Root = $Domain.GetDirectoryEntry()
    $Searcher = [System.DirectoryServices.DirectorySearcher]$Root
    $Searcher.PageSize = 200
    $Searcher.SearchScope = "subtree"
    $Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
    $Searcher.PropertiesToLoad.Add("member") > $Null

    # Filter on all group objects.
    $Searcher.Filter = "(objectCategory=group)"
    $Results = $Searcher.FindAll()

    # Enumerate groups and populate Hash table. The key value will be
    # the Distinguished Name of the group. The item value will be an array
    # of the Distinguished Names of all members of the group that are groups.
    # The item value starts out as an empty array, since we don't know yet
    # which members are groups.
    ForEach ($Group In $Results)
    {
        $DN = [string]$Group.properties.Item("distinguishedName")
        $Script:GroupMembers.Add($DN, @())
    }

    # Enumerate the groups again to populate the item value arrays.
    # Now we can check each member to see if it is a group.
    ForEach ($Group In $Results)
    {
        $DN = [string]$Group.properties.Item("distinguishedName")
        $Members = @($Group.properties.Item("member"))
        # Enumerate the members of the group.
        ForEach ($Member In $Members)
        {
            # Check if the member is a group.
            If ($Script:GroupMembers.ContainsKey($Member))
            {
                # Add the Distinguished Name of this member to the item value array.
                $Script:GroupMembers[$DN] += $Member
            }
        }
    }

    # Retrieve all user objects and their direct group memberships (except primary).
    $Searcher2 = [System.DirectoryServices.DirectorySearcher]$Root
    $Searcher2.PageSize = 200
    $Searcher2.SearchScope = "subtree"
    $Searcher2.PropertiesToLoad.Add("distinguishedName") > $Null
    $Searcher2.PropertiesToLoad.Add("memberOf") > $Null

    # Filter on all user objects.
    $Searcher2.Filter = "(&(objectCategory=person)(objectClass=user))"
    $Results = $Searcher2.FindAll()

    # Enumerate users and their direct group memberships.
    ForEach ($User In $Results)
    {
        $DN = [string]$User.properties.Item("distinguishedName")
        $Groups = @($User.properties.Item("memberOf"))
        ForEach ($Group In $Groups)
        {
            # Enumerate all group members of $Group.
            ForEach ($Member In $Script:GroupMembers[$Group])
            {
                # Check if user is also a member of $Member.
                If ($Groups -Contains $Member)
                {
                    "User $DN is a member of:`n  Parent: $Group`n  Child: $Member"
                }
            }
        }
    }
    Note, if you copy the script above you will need to correct the cases of word wrapping. I try to avoid using scroll bars, even for code.
    Richard Mueller - MVP Directory Services
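
An added example, not part of the original answer: the script above compares a user's groups against direct child groups only, so this sketch extends the same check to nesting at any depth, with a guard against circular nesting. The group and user names, the two hash tables and both function names are constructed for illustration; in a real domain the tables would be filled from the directory as in the script above.

```powershell
# Constructed sample data (not a real directory): group -> direct member groups.
$GroupMembers = @{
    'Group_1' = @('Group_2')
    'Group_2' = @('Group_3')
    'Group_3' = @()
    'Group_4' = @()
    'Group_5' = @('Group_6')   # Group_5 and Group_6 contain each other (a cycle)
    'Group_6' = @('Group_5')
}
# Constructed sample data: user -> direct memberships (the memberOf values).
$UserGroups = @{
    'John' = @('Group_1', 'Group_3', 'Group_4')
    'Mary' = @('Group_5')
}

# Returns every group nested under $Parent at any depth (hypothetical helper).
function Get-NestedGroups {
    param([string]$Parent, [hashtable]$Map)
    $Seen  = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    $Queue = New-Object 'System.Collections.Generic.Queue[string]'
    $Queue.Enqueue($Parent)
    while ($Queue.Count -gt 0) {
        $Current = $Queue.Dequeue()
        foreach ($Child in @($Map[$Current])) {
            # Add() returns $false for a group already visited, which ends cycles.
            if ($Child -and $Seen.Add($Child)) { $Queue.Enqueue($Child) }
        }
    }
    $Seen.Remove($Parent) > $null   # a cycle can lead back to the parent itself
    return $Seen
}

# Emits one object per (user, parent, child) where the user is a direct member
# of both groups and the child is nested somewhere under the parent.
function Find-RedundantMembership {
    param([hashtable]$UserGroups, [hashtable]$GroupMembers)
    foreach ($User in ($UserGroups.Keys | Sort-Object)) {
        $Direct = @($UserGroups[$User])
        foreach ($Parent in $Direct) {
            $Nested = @(Get-NestedGroups -Parent $Parent -Map $GroupMembers)
            foreach ($Child in $Direct) {
                if ($Nested -contains $Child) {
                    [pscustomobject]@{ User = $User; Parent = $Parent; Child = $Child }
                }
            }
        }
    }
}

Find-RedundantMembership -UserGroups $UserGroups -GroupMembers $GroupMembers
```

Before changing anything the report flags, note that membership in the child group already confers the parent through nesting: removing the user's direct membership in the parent leaves effective access unchanged, while removing the child membership also revokes whatever the child group alone grants.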

  • 11.1.3 - Reporting - User Defined Member Lists

    I exported a report from our production environment which is version 9.3.1 and imported into our development environment which is version 11.1.3 via Workspace and the user defined member list was not imported. Is there a way to have them included when reports are exported or do they have to be recreated after they are imported?
    Edited by: DPA1101 on Apr 8, 2010 11:55 AM

    I'm running 11.1.1.3 and just ran into some problems with user-defined lists and found out that, for reports using Essbase as the source, the lists are stored as txt files in the database directory. So exporting the reports will never include the lists. You would need to copy the files from one server to the other. There are at least 3 files. Two of them are like indexes. The third contains XML with the actual list.
    We're just starting to play with user lists so I haven't figured out if the naming convention I'm seeing is consistent everywhere. In my case, I have a file named ADMDir.txt. This has a single entry that points to another file. That file contains the list names and references to the files that contain the list (in xml).
    I hope this helps.
    Jerry

  • Ical user not visible as attendee

    maybe somebody can help me here:
    we have set up leopard server to manage our calendars - 8 users. at the beginning i had the problem, that we use email accounts hosted by our provider ([email protected]) whereas our server (servername.domain.com) hosts the user and ical accounts. if you add a user, the server adds an account named [email protected]. i managed to get the first seven users to be recognised as users having their main email address as being [email protected] and ical would be fine.
    except for one person. let us call her susan. susan can't add her account via ical with her user name, password and entering the server's full qualified domain name (servername.domain.com). she has to use the full serverside-url (http://servername.domain.com:8008/principals/_uids_/5C73D3F0-E478-47F6-8AA.....) to be able to see her calendar.
    the odd thing then is, that
    1. she can't add any of us as attendees
    2. if we try to add her to an event she does not appear to be a member on the server
    3. but i managed to add as delegate to view my calendar!
    here is an excerpt of the server's error log:
    2008-04-14 22:36:05+0200 [-] [caldav-8009] [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
    2008-04-14 22:36:05+0200 [-] [caldav-8009] [AMP,client] PROPFIND /principals/_uids_/5C73D3F0-E478-47F6-8AA6-32D33D0C9FF5/ HTTP/1.1
    2008-04-14 22:36:05+0200 [-] [caldav-8009] [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
    2008-04-14 22:36:05+0200 [-] [caldav-8009] [AMP,client] PROPFIND /calendars/users/philip/inbox/ HTTP/1.1
    2008-04-14 22:36:05+0200 [-] [caldav-8009] [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
    2008-04-14 22:36:05+0200 [-] [caldav-8009] [AMP,client] PROPFIND /principals/_uids_/5C73D3F0-E478-47F6-8AA6-32D33D0C9FF5/ HTTP/1.1
    2008-04-14 22:36:06+0200 [-] [caldav-8009] [AMP,client] PROPFIND /calendars/users/bdrentwett/ HTTP/1.1
    2008-04-14 22:36:06+0200 [-] [caldav-8009] [AMP,client] PROPFIND /calendars/users/bdrentwett/calendar/ HTTP/1.1
    2008-04-14 22:36:06+0200 [-] [caldav-8009] [AMP,client] PROPFIND /calendars/users/bdrentwett/calendar/ HTTP/1.1
    2008-04-14 22:36:06+0200 [-] [caldav-8009] [AMP,client] REPORT /calendars/users/bdrentwett/calendar/ HTTP/1.1
    2008-04-14 22:36:06+0200 [-] [caldav-8009] [AMP,client] PROPFIND /calendars/users/bdrentwett/inbox/ HTTP/1.1
    2008-04-14 22:36:07+0200 [-] [caldav-8009] [AMP,client] PROPFIND /calendars/users/bdrentwett/inbox/ HTTP/1.1
    2008-04-14 22:36:07+0200 [-] [caldav-8010] [AMP,client] PROPFIND /calendars/users/bdrentwett/inbox/ HTTP/1.1
    2008-04-14 22:36:07+0200 [-] [caldav-8009] [AMP,client] REPORT /calendars/users/bdrentwett/inbox/ HTTP/1.1
    2008-04-14 22:36:07+0200 [-] [caldav-8009] [AMP,client] PUT /calendars/users/bdrentwett/calendar/B82E9A53-98B4-4FE1-8938-540FC41414B1.ics HTTP/1.1
    2008-04-14 22:36:07+0200 [-] [caldav-8010] [AMP,client] POST /calendars/users/philip/outbox/ HTTP/1.1
    2008-04-14 22:36:07+0200 [-] [caldav-8009] [-] Writing to file /Library/CalendarServer/Documents/calendars/users/bdrentwett/calendar/B82E9A53- 98B4-4FE1-8938-540FC41414B1.ics
    2008-04-14 22:36:08+0200 [-] [caldav-8009] [AMP,client] PUT /calendars/users/bdrentwett/calendar/33CEA7CA-962C-4369-A638-E99B61D6092E.ics HTTP/1.1
    2008-04-14 22:36:08+0200 [-] [caldav-8009] [-] Writing to file /Library/CalendarServer/Documents/calendars/users/bdrentwett/calendar/33CEA7CA- 962C-4369-A638-E99B61D6092E.ics
    2008-04-14 22:36:08+0200 [-] [caldav-8010] [-] 'No principal for calendar user address: invalid:nomail'
    2008-04-14 22:36:08+0200 [-] [caldav-8010] [-] 'Error during POST for invalid:nomail: None'
    2008-04-14 22:36:38+0200 [-] [caldav-8009] [AMP,client] POST /calendars/users/bdrentwett/outbox/ HTTP/1.1
    2008-04-14 22:36:38+0200 [-] [caldav-8009] [-] 'No principal for calendar user address: invalid:nomail'
    2008-04-14 22:36:38+0200 [-] [caldav-8009] [-] 'Error during POST for invalid:nomail: None'
    2008-04-14 22:36:39+0200 [-] [caldav-8009] [AMP,client] POST /calendars/users/bdrentwett/outbox/ HTTP/1.1
    2008-04-14 22:36:39+0200 [-] [caldav-8009] [-] 'No principal for calendar user address: invalid:nomail'
    2008-04-14 22:36:39+0200 [-] [caldav-8009] [-] 'Error during POST for invalid:nomail: None'
    is there a way to fix this?
    thank you
    philip

    Make sure "susan's" computer is bound to the same OD directory as everyone else.
    Make sure "susan's" account in OD is properly enabled for calendaring on the server.
    Restart the calendar server.
