Active Directory change question regarding effects on Exchange 2013

Good day,
  I have some universal security groups that are meant to be distribution groups in a 2008 R2 Active Directory forest. These groups are being utilized by Exchange 2013. I plan on turning these groups into global distribution groups in Active Directory (all changes will be made in Active Directory only, not in Exchange).
  The question is: what will happen to the mailboxes using this group? Will it break the mailbox? How will users be affected?
  I plan on doing testing of my own, but if someone else has already done this and has run into issues, this will help me out greatly.

Hi,
Mail-enabled security groups can be used for two purposes:
1. To distribute emails to their members.
2. Unlike mail-enabled distribution groups, mail-enabled security groups have a SID value, so they can be mapped on any resource (e.g. a shared folder) to give access permissions to their members.
In your case, you would like to change the scope of the mail-enabled security groups. Before changing the group scopes, have a look at the following link, which clearly describes the group scopes and their usage.
http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
Please feel free to reply to me if you have any queries.
Thanks & Regards, S.Nithyanandham
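
A pre-change check for the conversion discussed above, as an added example that is not part of either post. The function names and sample records are constructed for illustration; the property names match what Get-ADGroup returns. The two rules it applies (a universal group cannot become global while another universal group is nested in it, and Exchange 2007 and later expect universal scope for mail-enabled groups) are known product behaviour, not statements from the thread.

```powershell
# Added example, not code from the thread. Sample records are constructed.
# groupType bit flags as stored on AD group objects.
$SECURITY  = 0x80000000   # security-enabled; absent means distribution group
$GLOBAL    = 0x2
$DOMLOCAL  = 0x4
$UNIVERSAL = 0x8

function Get-ScopeName([int]$GroupType) {
    if     ($GroupType -band $UNIVERSAL) { 'Universal' }
    elseif ($GroupType -band $GLOBAL)    { 'Global' }
    elseif ($GroupType -band $DOMLOCAL)  { 'DomainLocal' }
    else                                 { 'Unknown' }
}

# Hypothetical helper: lists what a planned scope/category change would affect.
function Test-GroupConversion {
    param(
        [object[]]$Groups,
        [string]$TargetScope    = 'Global',
        [string]$TargetCategory = 'Distribution'
    )
    # Index by DN so nested members can be resolved within the supplied set.
    $byDn = @{}
    foreach ($g in $Groups) { $byDn[$g.DistinguishedName] = $g }

    foreach ($g in $Groups) {
        $findings   = @()
        $scope      = Get-ScopeName $g.groupType
        $isSecurity = [bool]($g.groupType -band $SECURITY)

        if ($isSecurity -and $TargetCategory -eq 'Distribution') {
            $findings += 'security flag removed: ACL entries naming this group stop granting access to members'
        }
        if ($scope -eq 'Universal' -and $TargetScope -eq 'Global') {
            # Members that are not in $Groups (users, unexported groups) are not evaluated.
            $nested = @($g.member | Where-Object {
                $_ -and $byDn.ContainsKey($_) -and (Get-ScopeName $byDn[$_].groupType) -eq 'Universal'
            })
            if ($nested.Count -gt 0) {
                $findings += 'scope change blocked: universal group(s) nested as members: ' + ($nested -join ' | ')
            }
        }
        if ($g.mail -and $TargetScope -ne 'Universal') {
            $findings += 'mail-enabled: Exchange 2007 and later expect universal scope for mail-enabled groups'
        }
        [pscustomobject]@{ Name = $g.Name; Scope = $scope; SecurityEnabled = $isSecurity; Findings = $findings }
    }
}

# Constructed sample input (example.test is a placeholder domain).
# -2147483640 = 0x80000008 = universal security group; 8 = universal distribution group.
$sample = @(
    [pscustomobject]@{ Name = 'Sales-All'; DistinguishedName = 'CN=Sales-All,OU=Groups,DC=example,DC=test'
        groupType = -2147483640; mail = 'sales-all@example.test'
        member = @('CN=Sales-EU,OU=Groups,DC=example,DC=test', 'CN=alice,OU=Users,DC=example,DC=test') },
    [pscustomobject]@{ Name = 'Sales-EU'; DistinguishedName = 'CN=Sales-EU,OU=Groups,DC=example,DC=test'
        groupType = -2147483640; mail = 'sales-eu@example.test'
        member = @('CN=bob,OU=Users,DC=example,DC=test') },
    [pscustomobject]@{ Name = 'Newsletter'; DistinguishedName = 'CN=Newsletter,OU=Groups,DC=example,DC=test'
        groupType = 8; mail = 'newsletter@example.test'; member = @() }
)

Test-GroupConversion -Groups $sample | Format-List

# Real input (assumes the ActiveDirectory module is installed):
#   Test-GroupConversion -Groups (Get-ADGroup -LDAPFilter '(mail=*)' -Properties groupType,mail,member)
```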

Similar Messages

  • ACS 5.2 does not check Active directory changes

    Hi all,
    I am working with ACS 5.2 and using Radius authentication for vpn client.
    The authentication method used is Active Directory in a Windows environment with multiple domains in the same forest.
    My problem occurs when I change a user from one group to another in Active Directory. After that I receive the following message when I try to connect:
    15039 Selected Authorization Profile is DenyAccess
    The message appears because it matches the default policy.
    Another user in the same AD group works fine.
    All domains in the forest have a trust relationship with each other.
    I am using universal groups to include users from all domains belonging to this forest.
    Can anyone help me?
    Regards

    Dear all,
    Hope you can help me with a similar issue I am facing on migration from Cisco ACS 4.1.24 to Cisco 5.3.0.40
    and testing Radius authentication for VPN client users.
    The authentication method used is external Active Directory and for some users authenticating to the external AD via ACS, the following message is obtained:
    "15039 Selected Authorization Profile is DenyAcces", which results in Auth failure.
    Other users in the same AD group seem to work fine and there are no changes performed on the AD for any of the concerned users.
    Looking at the detail report for the user confirms that no attributes are returned to the Radius (under the other attributes field) from the external server. The Radius also returns the following messages:
    "24412 User not  found in Active Directory"
    "22056 Subject not found in the applicable  identity store(s)"
    Within the ACS Identity sequence in the ID store, the sequence is set to match on AD first and then Internal user. The Identity for the default network profile (for Radius users) is configured to General sequence. The same user/s seem to work fine when switched to ACS4.
    We are also looking at a possible NTP sync issue with the ACS/AD, or any NTLM/Kerberos auth issues, or any issues related to applying the latest ACS patch to the box. Please let me know if there are any AD-related configs to be modified.
    Any help will be appreciated.
    Thanks and Regards.

  • Migrate Active Directory 2003 to 2012 R2 and Exchange Server 2007 to 2013.

    My question is which one needs to be migrated first: Active Directory 2003 to 2012 R2 and FFL & DFL, or Exchange Server 2007 to 2013.
    Md. Ramin Hossain

    Domain. For Exchange installation and upgrading to 2013, you need to make sure that your domain controllers can understand the attributes of Exchange 2013. Besides, if you have DC/Exch on the same server, which is 2003, that is not supported, because Windows Server 2003 is not supported.
    Migrate your domain to at least 2008 R2 and then proceed with Exchange 2013.
    Mahdi Tehrani | www.mahditehrani.ir

  • Active Directory Connector Questions in 11.1.2.1

    Hello All.  I am new to this version of IDM and I am trying to get through the setup and config.  I just installed a single instance of 11.1.2.1 with OUD, OAM, OIM.  I installed the Active Directory connector for User Management and I believe I have it configured. 
    I followed the post at Weblogic Corner: Oracle Identity Manager: The Active Directory Connector Tutorial and got a lot of questions answered with that.  First, note that I was able to follow the guide and run the lookup recon jobs as well as the user and group recon in trusted mode, then target mode to create all of the users and groups.  I am also able to create a user in OIM, add an account and have that provisioned to AD. 
    Here are my questions if you would be so kind:
    1) When I create a user in AD and I run the user recon(target), the event says "No User Match Found".  I was kind of expecting it to create a new user for me.  I was also expecting to schedule the recon job in target mode and not have to ever switch back to trusted mode after the first full sync.  What did I miss here?
    2) When I add an account to the user in OIM, the AD User form comes up with all the fields empty.  Is that the way it should work?  I was hoping that it would prepopulate some of the stuff from the OIM profile.
    3) When I modify a field in OIM, say middle name, will that sync in the next recon run, or will the admin need to open the account, update the AD form also and submit the middle name in two places?
    Thanks in advance!

    1. An identity gets created in Oracle Identity Manager from an authoritative source. In the case of target recon, it will just sync with the matched account in OIM.
    Please have a look at the link below, section 12.1.12:
    Managing Reconciliation - 11g Release 2 (11.1.2)
    2. You can very well prepopulate fields in the process definition; you can even automate the provisioning process using role-based provisioning.
    3. There should be some tasks available for each field. There is no need to run the recon task or modify the account in AD. It will be updated in AD using the tasks. Check the connector process definition.

  • Best practice for Active Directory User Templates regarding Distribution Lists

    Hello All
    I am looking to implement Active Directory User templates for each department in the company to make the process of creating user accounts for new employees easier. Currently when a user is created a current user's Active directory account is copied, but
    this has led to problems with new employees being added to groups which they should not be a part of.
    I have attempted to implement this in the past but ran into an issue regarding Distribution Lists. I would like to set up template users with all group memberships that are needed for the department, including distribution lists. Previously I set this up
    but received complaints from users who would send e-mail to distribution lists the template accounts were members of.
    When sending an e-mail to the distribution list with a member template user, users received an error because the template account does not have an e-mail address.
    What is the best practice regarding template user accounts as it pertains to distribution lists? It seems like I will have to create a mailbox for each template user but I can't help but feel there is a better way to avoid this problem. If a mailbox is created
    for each template user, it will prevent the error messages users were receiving, but messages will simply build up in these mailboxes. I could set a rule for each one that deletes messages, but again I feel like there is a better way which I haven't thought
    of.
    Has anyone come up with a better method of doing this?
    Thank you

    You can just add arbitrary email (not a mailbox) to all your templates and it should solve the problem with errors when sending emails to distribution lists.
    If you want to further simplify your user creation process you can have a look at Adaxes (consider it's a third-party app). If you want to use templates, it gives you a slightly better way to do that (http://www.adaxes.com/tutorials_WebInterfaceCustomization_AllowUsingTemplatesForUserCreation.htm)
    and it also can automatically perform tasks such as mailbox creation for newly created users (http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomateExchangeMailboxesCreationForNewUsers.htm).
    Alternatively, you can abandon templates altogether and use customizable condition-based rules to automatically perform all the needed tasks on user creation such as OU allocation, group membership assignment, mailbox creation, home folder creation, etc. based on
    the factors you predefine for them.

  • Active Directory Structure Questions

    I recently started working for a company that offers cloud services for our clients where we host our software as a service and we also migrate any other applications the client is using onto the servers that we host for them.
    My concern is that every client we have is in our domain. The structure of our servers is that our domain is the top of the organization and each client has their own dc and that dc is listed as an organizational unit in our AD. I have never seen anything
    like it. Most of the clients have their own domains and web sites but we do not migrate that portion of their IT into our cloud. We do however bring everything else over and we offer O365 to many of them.
    Imagine if you will opening ad users and computers and under the root all the OU's are named after clients and actually represent their servers all of which are dc's.
    I was wondering what if any precedent would support this type of configuration? I am just asking.
    Thanks
    Richard Tamboli

    No Special hardware is required for Active Directory
    Active Directory is a built-in feature of most Windows Server versions, such as Windows Server 2003, 2008, 2008 R2, 2012.
    It is a feature and part of Windows Server.
    Hope this may answer your questions.
    http://en.wikipedia.org/wiki/Active_Directory

  • OIM 11.1.1.3 - Active Directory ADGroup question

    All,
    I have used MSFT_AD_Base_9.1.1.7.0 to install the Active Directory connector and synchronized (provision and reconciliation) OIM users with the AD. I can't seem to find documentation on how to sync OIM roles with AD groups. Can you provide me some pointers for this? The deployment documentation (MS_ActiveDirectory_Guide.pdf) indicates that I cannot run ADGroupRecon if I am on 11.1.1... version (Bug 9799541).
    It also appears that a resource cannot be assigned at the role level in OIM 11.1.1. Is there something missing from our environment? I was able to add the AD User resource to user profiles.
    Basically i cannot provision or recon group at this time.
    any help with this is much appreciated. Please let me know if you need additional information.
    Best Regards,
    Prasad.
    Edited by: Prasad on Aug 5, 2011 6:12 AM

    I don't believe there has ever been code to create OIM Groups based on AD Groups and then add the OIM Users to those groups accordingly. You would need to create a custom scheduled task that creates a group for every entry in the lookup for the AD Groups. Then you would also need to read every user's child table entry for their AD Groups and add the user to each one of those groups. You could also have code that runs on every Add User to Group event, that adds the user to the OIM group as well as in AD. And you can do the same for removal.
    There are lots of options, but this is not part of the OOTB Connector. This would be your own customization.
    -Kevin

  • Lync trial and Active Directory changes

    Hi,
    I want to install a trial of  Lync server and when I install it says I need to prepare Active Directory
    I only want to test Lync but I do not want to make unnecessary permanent changes to Active Directory.
    Should I proceed with preparing Active Directory? What happens to active directory if I later uninstall the Lync server? 
    Thank you.
    http://peteroy.blogspot.com/

    If you don't have a test environment and have to make the changes to production then they will be permanent.
    You cannot remove changes applied to an Active Directory Schema. The only option there would be to perform an Active Directory Restore to a backup saved prior to the Schema extension. Very messy!
    If you decide not to proceed with Lync there will be no harm to the system other than unused schema extensions.

  • Active Directory changes have caused users to lose access to projects they are set as contributor to.

    Hello,
    We recently had an employee of our helpdesk delete (by accident) and recreate a number of Active Directory user profiles. The profiles were created exactly like they were before, but now those users are not able to access the projects in TFS that they have contributor permissions to. Some of these users can see a minimal set of objects in the Source Control Explorer, but each item has a (+) plus sign next to it as if the object does not exist in the repository. The users and Windows groups that are concerned are still listed inside of TFS's group memberships for each project. I have confirmed that the sync from AD with TFSJobAgent.exe is completing without errors as well.
    Is this a SID issue where TFS actually thinks that these are new users, and if so, how can I best fix it for those users?
    Doug Dayley

    Hi Doug, 
    Thanks for your reply.
    OK, let's check whether the TFS server can identify this user and the groups this user belongs to. Please execute the command below for this one user, then view the result and check whether the user name and SID both show correctly, and whether the groups this user belongs to are all listed.
    Tfssecurity /imx "domain\username" /collection:URL
    If all of this user's information shows correctly in the command result, please try to remove this user from your TFS server, then clean the TFS cache, re-add this user to the TFS server, and check whether this user can access your team project as expected.
    Clean the cache for TFS 2013 manually (delete the content of the folder only, not the cache folder itself):
    Clean the cache folder on the server machine. The folder path is:
    C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.
    After cleaning, on the server machine, click Start and select Run… to open the dialog box, then enter iisreset.exe and click OK, and wait for it to complete.

  • Can I change system e-mail of exchange 2013 server

    Dear All
    I finished implementing Exchange 2013 in our office, but my boss doesn't like it when he receives e-mail from the system when his mail cannot be sent out, etc. Can I change the e-mail address from
    Microsoft Outlook <[email protected]
    to system admin or similar? Please guide me to complete it.
    Thank you for your support

    Sorry, my question was not clear. My problem: if I send mail to [email protected], but user1 was never created on our Exchange system, then I get a return e-mail from the system saying that this user is not in our system, and
    the e-mail address that notifies me is "Microsoft Outlook <[email protected]>".
    I need to change it. Now I tried with your guide: I created one user named [email protected], and used the command
    Set-OrganizationConfig -MicrosoftExchangeRecipientReplyRecipient to change it to [email protected], but when I test sending to a wrong address again, the return message still comes from "Microsoft Outlook <[email protected]>". Please help me to complete it.

  • Outlook 2013 connection status 'Exchange Directory' disconnected randomly for random users (Exchange 2013)

    We have been encountering an issue where upon random Outlook 2013 users are unable to open the address book, or add a room to a meeting (using 'Add Rooms...' button), and an error message is displayed that the server is unavailable. Mail flow and
    everything else functions normally.
    If I look at the Outlook connection status of an affected user, I will see that all connections are established except for the 'Exchange Directory' connections which show disconnected. If I click the 'Reconnect' button the Exchange Directory connections
    are re-established, and the user can now access the address book/meeting rooms as normal.
    Are there any ideas what I would check, logs I could look at, events or anything I can check on the server side that might lead me to an answer what could cause this?

    Outlook 2013 gets that data from Exchange 2013 by connecting to Exchange Web Services.  That's where you should look.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Basic question regarding Contract data exchange between CRM and ERP

    Hi,
    1) At a very general level, can somebody tell me via what technology are contract documents exchanged between CRM and ERP? IDocs, RFC modules or proxies?
    2) Is it possible to synchronise changes in a contract, e.g. if the contract is changed in the ERP system, those changes are automatically updated in the CRM contract?
    3) Can somebody point me to any documentation on this?
    Kind Regards,
    Tony.

    Contracts are exchanged between the CRM and ERP systems by RFC and FM; you use the object SALESCONTRACT for this. It is possible to synchronize changes between both systems.

  • Directory change question

    Before I did a clean install of Leopard, I exported my iPhoto library to an external drive (where the original photos reside). After the Leopard install I opened up iPhoto (while holding down OPTION) and changed to my exported iPhoto library. The thumbnails are there and fine, but every time I click on a photo, iPhoto asks me to locate the original file.
    Is there a way I can just direct iPhoto to the appropriate folder(s) and let it figure out where all the images are? The filing structure is exactly the same as it was when I exported the library from Tiger.
    I have thousands and thousands of photos, and individually pointing them out for iPhoto is too tedious and time-consuming. Please help.
    I am using the new iLife '08.
    thanks

    If disk space is an issue, you can run an entire iPhoto Library from an external disk:
    1. Quit iPhoto
    2. Copy the iPhoto Library as an entity from your Pictures Folder to the External Disk.
    3. Hold down the option (or alt) key while launching iPhoto. From the resulting menu select 'Choose Library' and navigate to the new location. From that point on this will be the default location of your library.
    4. Test the library and when you're sure all is well, trash the one on your internal HD to free up space.
    If you're concerned about finding the files, that can be easily done from the iPhoto Window or a Media browser.
    There are three ways (at least) to get files from the iPhoto Window.
    1. *Drag and Drop*: Drag a photo from the iPhoto Window to the desktop, there iPhoto will make a full-sized copy of the pic.
    2. *File -> Export*: Select the files in the iPhoto Window and go File -> Export. The dialogue will give you various options, including altering the format, naming the files and changing the size. Again, producing a copy.
    3. *Show File*: Right- (or Control-) Click on a pic and in the resulting dialogue choose 'Show File'. A Finder window will pop open with the file already selected.
    To upload to MySpace or any site that does not have an iPhoto Export Plug-in the recommended way is to Select the Pic in the iPhoto Window and go File -> Export and export the pic to the desktop, then upload from there. After the upload you can trash the pic on the desktop. It's only a copy and your original is safe in iPhoto.
    This is also true for emailing with Web-based services. If you're using Gmail you can use THIS
    If you use Apple's Mail, Entourage, AOL or Eudora you can email from within iPhoto.
    If you use a Cocoa-based Browser such as Safari, you can drag the pics from the iPhoto Window to the Attach window in the browser. Or, if you want to access the files with iPhoto not running, then create a Media Browser using Automator (takes about 10 seconds) or use THIS
    Also, for 10.5 users: If you use the extended Open or Attach dialogue (with Column View) you can scroll to the bottom of the Shortcuts and find the Media browser there. Select any pic you want from there.
    Regards
    TD

  • I am getting a Changing Password Failed error when I try to join an active directory

    I had a working AD configuration under Snow Leopard. When I upgraded to Mountain Lion, my account was no longer in sync with the domain. I got the red dot on the login screen and my domain password was out of sync. I unhooked from the domain at that point. This was several months ago.
    However, over the last few weeks, I keep finding myself locked out of the domain. I suspect it's something on my Mac that is trying to use my old credentials. I was hoping to rejoin the domain and see if I could get my account back in sync. When I get a domain admin to enter his password on the Directory Utility join screen, it first notes that the computer account already exists in the domain. I tell it to continue, but I can't get past this point:
    2013-06-24 14:21:20.729935 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
    2013-06-24 14:21:20.732774 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - existing record found 'CN=MYMACHINE,OU=Default,OU=Workstations,OU=MyCity,OU=North America,DC=GLOBAL,DC=OURCORP,DC=NET'
    2013-06-24 14:21:20.732822 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x7faef36ed770'
    2013-06-24 14:21:20.733141 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service kdc for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.734196 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.734221 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741380 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741416 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.741619 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password
    2013-06-24 14:21:20.741637 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password using: MS set password in realm GLOBAL.OURCORP.NET
    2013-06-24 14:21:20.741648 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - using TCP since the ticket is large: 1560
    2013-06-24 14:21:20.741665 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service change_password for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.742867 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.742908 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745231 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745250 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.745398 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - set password using MS set password returned: 0 result_code 3
    2013-06-24 14:21:20.745417 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for '[email protected]' with error '' (3)
    2013-06-24 14:21:20.745426 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - setting Computer Password FAILED for existing record - 5103
    2013-06-24 14:21:20.745818 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)

    Reggierror,
    Had the same issue and discovered that I made my AD object name too long (16 instead of 15 characters, which is the limit). You might want to try making the computer object name shorter if you can.

  • How to handle SQL connection if password Active directory always change? (Connection using Active directory via network SQL 2012 )

    I have 3 server (Web server, database sql 2012 server and Active directory). I'm using sqlsvr version 3.0,  PHP version 5.3 ,IIS version 7 and windows server 2008.
    Right now my php connection to SQL 2012 using AD id, so How to handle if password on active directory change?

    Solved: Using Kerberos
