Active Directory Disabled

Hello,
I just installed Windows Server 2012. After adding the DNS and Active Directory Features/Roles to the server, I noticed that Active Directory Services is not running, but it is disabled. When I try to start the service, I receive the error - The Active Directory Domain Services service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.
Any ideas of what could cause this?

Hi,
Please ensure that the Active Directory domain services are run under the Local System account; you can find the account information from the Log On tab.
"After adding the DNS and Active Directory Features/Roles to the server, I noticed that Active Directory Services is not running, but it is disabled"
As Seb mentioned, did you promote the server to be Domain Controller after installation? If not, there should be a yellow warning sign in Server Manager as below.
Best Regards,
Amy

Similar Messages

  • OS X Lion in Active Directory - disable default shares?

    I have an iMac running Lion (10.7.3) which is joined to my Active Directory domain. If I enable SMB file sharing then even with no users explicitly enabled for sharing and no shares explicitly defined domain users can access the Mac via Windows file sharing. Depending on the type of user (administrator or not) who is accessing the Mac they will see either just their Mac home directory exposed via SMB sharing, if they are a non admin user, or their home directory plus all attached hard drives (Macintosh HD, Time Machine Backup) exposed if they are an admin user.
    This is very insecure and prevents me properly exploiting SMB sharing.
    Is there any way to 'disable' these default shares leaving just shares I create explicitly?
    Thanks,
    Chris

    Thanks David, that pretty much did the trick! Even though the article refers to Lion Server it seems the same holds true for Lion desktop. Also, the VirtualAdminShares flag is not present there by default so it seems in its absence it defaults to Enabled. I disabled it (set flag to NO), rebooted and now admins do not see all attached disks as shares.
    However, any user who connects still sees their home directory as shared even though those are not explicitly shared. It would be nice to be able to control that too but it is much better than previously so I am not too concerned.
    Thanks again for that useful pointer.

  • Integrating OEDQ with Active Directory - Disabling SSL

    Hi fellows,
    I've just installed OEDQ (latest release) on a Unix machine (deployed on WebLogic Server 10.3.6) but I've a couple of concerns:
    SSL Communication --> is it mandatory? I mean, I've tried to expose the dndirector admin page through an OHS Apache Web server. I'm able to access the admin page in plain mode but whenever I try to access a specific functionality (dashboard, user management, server configuration, etc) I'm being redirected to https://<web-server-hostname>:<wls-server-ssl-port>/dndirector, so this is not what I'm expecting. What's wrong? By the way, If SSL is mandatory, is there a way to expose the console via apache (avoiding any redirection)?
    OEDQ with Active Directory --> the following documentation -- Integrating OEDQ with Active Directory -- covers just the Single Sign-on configuration (on both Windows/Unix os). What about a simple configuration pointing to an external ldap? The documentation reports the following statement:
              It is also possible to configure OEDQ to work with different directory servers for user authentication and user identification. For information on alternative configurations, see "Contact Us"
    So, how can I achieve that?
    Any pointers?
    Thanks in advance,
    Marco

    Hi Marco
    Was out of the office a bit - apologies for the delay.
    It looks like you removed these lines from the configuration:
    cdpad.auth = ldap
    cdpad.auth.bindmethod = digest-md5
    cdpad.auth.binddn = search: sAMAccountName
    If these are not present, the user name is combined with @cdpsede.cassaddpp.it and used to login into AD.  Depending on how user names are setup, this may or may not work.
    If you replace the lines above, then the user account is searched for against the AD UserPrincipalName or the sAMAccountName attributes.  The value of the latter attribute is then used as the login attempt.
    So for example, if you enter the user name marco.bonadonna, EDQ would search for an AD entry with userPrincipalName = [email protected] or with sAMAccountName = marco.bonadonna and then it would use the value of the sAMAccountName attribute to connect to AD (using digest-md5 for encryption) along with the password.
    If you use
    cdpad.auth.binddn = search: dn
    then EDQ will use the full distinguished name (DN) of the entry in the bind attempt.
    It is sometimes easier to test connections using a LDAP browser - Apache Directory Studio (see http://directory.apache.org/studio/) is one I use.  You can then check user name and password combination outside EDQ.
    You can also get additional server logging on LDAP interactions in EDQ by adding the line:
    userauth.level = all
    to the logging.properties file in the EDQ config directory.  Then there will be lots of diagnostics in the EDQ main0.log file.
    By the way, there is some documentation for this in the on-line help for EDQ.
    Richard

  • How to create a disabled account in Active Directory?

    Hi all,
    I got the assignment to create AD accounts as soon as a new employee is entered into the hr system, which might be several weeks before their contract actually starts. Therefore the account should be disabled until the start of their contract and be enabled then.
    Now, I tried a very simple approach and set accounts[Active Directory].disable=true during active sync when creating the account. According to the audit-entries, the value is set correctly, but my AD just doesn't bother. The account is created but not disabled. :-(
    What can I do? The workflow so far was just "start -> provision -> end" and I tried to change it to "start -> provision -> disable ->end" with a new action like this:
    <Activity id='4' name='Disable AD'>
      <Action id='0' application='com.waveset.session.WorkflowServices'>
        <Argument name='op' value='checkoutView'/>
        <Argument name='type' value='Disable'/>
        <Argument name='id' value='$(user.waveset.accountId)'/>
        <Argument name='authorized' value='true'/>
      </Action>
      <Action id='1'>
        <setvar name='view.resourceAccounts.currentResourceAccounts[AD].selected'>
          <Boolean>true</Boolean>
        </setvar>
        <setvar name='view.resourceAccounts.currentResourceAccounts[AD].disabled'>
          <Boolean>true</Boolean>
        </setvar>
      </Action>
      <Action id='0' application='com.waveset.session.WorkflowServices'>
        <Argument name='op' value='commitView'/>
        <Argument name='view' value='$(view)'/>
      </Action>
      <Action id='2' process='Provision'>
        <Argument name='op' value='provision'/>
      </Action>
      <Transition to='end'/>
      <WorkflowEditor x='736' y='192'/>
    </Activity>
    However, there is no success. Probably I got some basic misunderstanding, since provision does not seem to complete when the workflow changes from provision to disable?
    Any help would be greatly appreciated.
    CU,
    Patrick.

    You need to use DisableViewer view.
    Check following code.
    <Action id='0' application='com.waveset.session.WorkflowServices'>
      <Argument name='op' value='checkoutView'/>
      <Argument name='type' value='DisableViewer'/>
      <Argument name='id' value='$(userId)'/>
      <Argument name='Form' value='Empty Form'/>
      <Return from='view' to='disableView'/>
    </Action>
    Regards,
    MK

  • How can I authenticate a User In Windows Active Directory?

    I need to authenticate a user in Windows Active Directory, but I found that the code below returns true if the user name and password are both correct and false if one of them is wrong. But when I input a user name which does not exist in Active Directory with a blank password, it also returns true. What shall I do? Require every user to input a non-blank password?
    Please give me some help to solve this problem. Thanks a lot.
    Code:
    // Requires java.util.Hashtable, javax.naming.* and javax.naming.directory.InitialDirContext
    private Context ctx = null;

    Hashtable<String, Object> env = new Hashtable<>();
    boolean isValid = false;
    try {
        this.setEnvironmentProperties();
        String domainName = AuthenticateResources.getString("mydomain.com");
        // set the name of domain with the user name
        String fullName = name + "@" + domainName;
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://mydomain:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // set user related information
        env.put(Context.SECURITY_PRINCIPAL, fullName);
        // set user password
        env.put(Context.SECURITY_CREDENTIALS, password);
        // validate user: a bind that does not throw is treated as a valid login
        ctx = new InitialDirContext(env);
        isValid = true;
    } catch (AuthenticationException ex) {
        isValid = false;
    } catch (NamingException ex) {
        throw ex;
    } finally {
        this.freeContext();
    }
    return isValid;

    This is usually a problem if Anonymous Binding is enabled. I have faced this in other Directory Servers, but I am not familiar with Active Directory.
    I think by default Active Directory disables Anonymous Binding, but you may want to check.
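
The blank-password result reported in this thread matches what RFC 4513 calls an unauthenticated simple bind: a non-empty name with a zero-length password carries no credentials, and a server that permits it reports success. The Python sketch below is an added example, not code from the thread; `FakeDirectory` is a constructed stand-in for a server that accepts such binds, and the function names are hypothetical.

```python
"""Why a simple bind with an empty password must never count as a login.

Added illustration. FakeDirectory is a constructed in-memory stand-in for an
LDAP server that permits RFC 4513 anonymous/unauthenticated binds; nothing
here touches the network.
"""
import hmac


class BindError(Exception):
    """Raised by the stand-in server for invalidCredentials."""


def classify_simple_bind(name, password):
    """Classify a simple bind request as RFC 4513 section 5.1 does."""
    if password == "":
        return "anonymous" if name == "" else "unauthenticated"
    return "name/password"


class FakeDirectory:
    """Constructed sample server: checks a password only when one is sent."""

    def __init__(self, accounts):
        self._accounts = accounts

    def simple_bind(self, name, password):
        """Return the identity the connection is bound as."""
        if classify_simple_bind(name, password) != "name/password":
            # No credentials were presented, so nothing is verified and the
            # name is not even looked up: the bind succeeds as anonymous.
            return "anonymous"
        stored = self._accounts.get(name)
        if stored is None or not hmac.compare_digest(
            stored.encode(), password.encode()
        ):
            raise BindError("invalidCredentials")
        return name


def naive_authenticate(server, name, password):
    """Mirrors the posted logic: any bind that does not throw is a login."""
    try:
        server.simple_bind(name, password)
        return True
    except BindError:
        return False


def checked_authenticate(server, name, password):
    """Reject credential-less binds before contacting the server, and require
    that the bound identity is the one that was requested."""
    if classify_simple_bind(name, password) != "name/password":
        return False
    try:
        return server.simple_bind(name, password) == name
    except BindError:
        return False


# Constructed sample data.
DIRECTORY = FakeDirectory({"alice@mydomain.com": "correct horse"})
```

The same guard applies to the Java code: test the password for emptiness before `new InitialDirContext(env)` is reached, whatever the server's anonymous-bind setting is.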

  • Active Directory Open Directory Disable Users

    Can you make an Active Directory Account disabled in the Open Directory, but still have it function in Active Directory?
    We are trying to disable a generic lab account in Active Directory from being able to comment on our Blog Pages.

    Hi
    Did you read what you typed before you posted? Because the question does not make sense and contradicts itself.
    Users that exist in the AD node do not as such exist in the OD node. In the OD node you are simply looking at them as they are presented to you from AD. Neither can you disable AD accounts from the OD node. You have to do that on the AD itself.
    If you have enabled augmented records for AD users then disable them using the reverse process you used to enable them. That way AD users are stopped from commenting Blog Pages but are still active in AD.
    Tony

  • Account Disabled on Active Directory while provisioning

    While provisioning to the Active Directory resource, the account should be disabled in Active Directory.
    I have added userAccountControl in the attributes.
    I am able to read the userAccountControl value where the last digit in the hexadecimal value of it corresponds to accountDisabled.
    How to achieve this? Any ideas or suggestions are welcome

    Hi idmguru,
    Below is the requirement I found in another thread in the forum:
    Scenarios:
    1). User already exists in IDM and has the resources assigned to them. Their status is then set to disabled on the database, ActiveSync runs & picks up the change, our form iterates through disabling the resources (or we've also tried setting global.disable which also worked) - result is a success. The user is flagged as disabled in IDM Lighthouse, AD account is disabled and LDAP account has been disabled via a password change (the default behaviour).
    2). User does NOT already exist in IDM. ActiveSync is run, the user is created in IDM and resource accounts assigned and created, user is marked as disabled in IDM Lighthouse but is NOT disabled in AD or LDAP.
    Is there a mechanism to both create AND disable a resource account at the same time? If so can this be done from an ActiveSync form or would it be customised workflow? I've tried the following in my ActiveSync which I found in the forums but this doesn't create the "disabled" accounts on AD or LDAP - it only marks the IDM account as disabled.
    <Field>
      <Disable>
        <neq>
          <ref>activeSync.accountstatus</ref>
          <s>D</s>
        </neq>
      </Disable>
      <Field name='waveset.disabled'>
        <Expansion>
          <s>true</s>
        </Expansion>
      </Field>
      <FieldLoop for='name' in='waveset.accounts[*].name'>
        <Field name='accounts[$(name)].disable'>
          <Expansion>
            <s>true</s>
          </Expansion>
        </Field>
      </FieldLoop>
      <FieldLoop for='name' in='waveset.accounts[*].name'>
        <Field name='update.accounts[$(name)].disable'>
          <Expansion>
            <s>true</s>
          </Expansion>
        </Field>
      </FieldLoop>
    </Field>
    The code works fine for Scenario 1 but NOT Scenario 2. I am not sure why the code does not work for Scenario 2
    Any idea on how to achieve Scenario 2 requirement?
    Regards and thanks
    idm6x

  • Disabling computer account in Active Directory still allows the workstation to login

    I have a special scenario. A Windows 7 workstation was in lock mode (waiting for CTRL+ALT+DEL). As an administrator, I disabled the computer account, user account and even reset the password for that user and the workstation. My requirement is that the user can not login to the workstation again.
    However, the user is able to login to the workstation.
    What AD registry parameter could lock down the computer completely? or is there any parameter in GPO that could lock down the computer?
    Thanks in advance.
    Pingala
    SP

    Hello Karen,
    I am testing with the DOMAIN Account, not local account. With your instructions,
    Control Panel\All Control Panel Items\User Accounts\Manage your credentials
    Select the corresponding credential and click Remove.
    I am able to see local accounts and not the DOMAIN account locally cached.
    BTW, I am not seeing "Manage your credentials", instead, I am seeing "Manage Your Accounts" in User Accounts.
    Secondly, I am looking for a setup with AD GPO so that, for most of the Enterprise Windows 7 workstations, I would like to apply the policy across the board - "Once a workstation is disabled by the administrator, the domain user for that workstation can not login again" - especially when the workstation is in lock mode.
    The article you cited did not give any technical details that could help me to clean both local and domain credential caching.
    Please help me with the steps how I can disable the caching for local and domain credentials on the workstation to check this manually first.
    Eventually, I would like to disable a "computer" in Active Directory that should lockdown the targeted workstation for further use. Or let me know what steps are needed to lockdown a workstation immediately when a user is fired before further damage occurs to the enterprise resources.
    Thanks,
    Pingala
    SP

  • Building a Basic Runbook to disable a Active Directory User who has not logged in for 90 days.

    I am new to Orchestrator. I am using Orchestrator 2012 R2 on a Hyper-V running Server 2008. I have been trying to set up a Runbook to sweep AD for user accounts that have not logged in for 90 days and have those accounts automatically disabled and moved to another OU. However, I would be happy just to have the account just be disabled. If you need any more info or I have posted in the wrong forum, please let me know.
    Thanks

    Hi,
    there is no SCO Activity to do this.
    Problem with this is, the LastLogedOn Times are not synced between DomainControllers.
    Best will be you take a look at this PowerShell Script
    http://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
    and change it to your needs
    Seidl Michael | http://www.techguy.at |
    twitter.com/techguyat | facebook.com/techguyat

  • Active Directory User which can Create a User but not Allowed to Enable Disabled Users

    Hi Guys, we have a requirement to create a User Group in Active Directory which will grant its members permission to 'Create Users' but not be allowed to 'Enable' 'Disabled Users'.
    We have tried delegating control and assigning permissions by going to 'Security Tab>Advanced'.
    It seems like when a group is granted permission to create users, it will also be allowed to enable, disabled users.
    Kindly advise if it is possible to create a user group with permissions to 'Create Users' but not be allowed to 'Enable', 'Disabled Users'.

    Hi,
    According to my experience, you can assign permission with create/delete user objects. If you want to disable/enable a user, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.
    In general, if you just give a user group the permission to create user objects, it cannot disable or enable user accounts. Please make sure that the permission you assigned is correct and the user group is not a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory.
    Best regards,
    Susie

  • Disable user account on Active Directory??

    I sync user account from iPlanet DS to Active Directory through Meta Directory. If I disable user account on iPlanet DS, can meta directory disable the user account on Active Directory Server?

    AD has an attribute called userAccountControl. This attribute has a value of 512 when an AD account is active and 546 when it has been disabled. I flow a constructed attribute called userAccountControl with two rules, one for enable and one for disable. The selection criteria for the enable/disable rule is based upon a change in employee status. For example, (%mv.employeestatus%==T). Another way to do this would be a single attribute construction rule that calls an external script (written in Perl) that accounts for multiple conditions and then enables/disables the AD account accordingly. In the attribute flow rule, you flow the constructed attribute userAccountControl to mdsAdUserAccountControl (assuming an AD-Specific schema setting in the AD connector).
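
userAccountControl is a bit field, so the numbers quoted in this thread and in the neighbouring ones (512, 514, 544, 546, 66048, 66050, 590336) are combinations of flags rather than distinct states. The Python decoder below is an added example, not code from any of the posts; it uses the flag values Microsoft documents for the attribute, and the function names are hypothetical.

```python
"""Decode Active Directory userAccountControl values as bit flags."""

# Documented userAccountControl flag bits.
UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
ACCOUNTDISABLE = 0x0002

# Flags an account review usually wants surfaced (a choice made for this example).
REVIEW = {
    "PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
    "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
}

# Values quoted on this page.
SAMPLE_VALUES = (512, 514, 544, 546, 66048, 66050, 590336)


def decode_uac(value):
    """Return the names of all flags set in value, lowest bit first."""
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits this table does not name
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def is_disabled(value):
    """Test the disable bit instead of comparing against 514 or 546."""
    return bool(value & ACCOUNTDISABLE)


def set_disabled(value, disabled):
    """Flip only the disable bit, preserving every other flag."""
    return value | ACCOUNTDISABLE if disabled else value & ~ACCOUNTDISABLE


def review_flags(value):
    """Flags worth a second look, in decode order."""
    return [name for name in decode_uac(value) if name in REVIEW]


def disabled_values(values):
    """Filter a list of userAccountControl values down to disabled accounts."""
    return [v for v in values if is_disabled(v)]


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(v, hex(v), decode_uac(v))
```

An equality test against a single number misses disabled accounts that carry other flags; writing a fixed number when disabling an account also overwrites whatever other flags it had.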

  • Active Directory accounts no longer connect to Server

    I administrate a small office network.
    We have a Windows 2000 Server with active directory and a Windows 2003 Storage Server Appliance. (From Iomega)
    After upgrading to 10.4.8 (it seems), our Mac integrated to the Active Directory has had problems connecting to the storage server.
    When we attempt to connect to smb://storage (the 2003 server appliance) we get an Error code -36 -- could not be read or written.
    This only happens when logged into an AD account. Local accounts on the machine access the server as normal.
    Also of note, the AD accounts have no problems accessing shares on the 2000 server.
    Any ideas why this is only affecting AD accounts and a solution?

    There are a couple of things you can check...
    1. Check to make sure that the SMB signing option is disabled for the Windows 2003 Storage appliance. This can be done in the local group policy on the Server.
    2. If it is a storage appliance, you should be able to run Microsoft's Services for Macintosh. This would give you AFP on the file server - a potential way to eliminate the need for using SMB on the Macs.
    3. Use a 3rd party software on the Windows 2003 Storage Server called ExtremeZ-IP by Group Logic. It is a full featured AFP/IP file server for Windows (replacing SFM). We have an HP DL380 NAS device on our network (running Windows 2003 Storage Edition) that has 1.5 TB of storage for our Mac users. We use ExtremeZ-IP... I have nothing but great things to say for it...

  • SSO using Windows Active Directory but without EP or Java stack

    Good morning and thank you in advance for your help.
    The question is:
    our environment includes windows domain with Active Directory, ECC 6.0 ABAP (DEV, QAS, PROD), BW 7.0 (DEV, QAS, PROD) only ABAP stack.
    I would like to know if we can enable SSO using only this configuration without introducing EP or Java stack.
    Best regards
    Max

    Hi Willi,
    It won't be that easy to understand each other... as my English is not that good either
    Most of the points introduced in the SAP help link are automatically performed by sapinst.
    Almost all my customers running on MS are not using an AV, and neither get into troubles...
    but no user ever connects on the SAP server, only admin, for maintenance purpose or SAP admin when needed...
    Internet explorer should not be used on a server, MS itself says it should be uninstalled...
    Best regards
    SAP on SQL General Update for Customers & Partners April 2014
    10. Do Not Install SAPGUI on SAP Servers
    Windows Servers have the ability to run many desktop PC applications such as SAPGUI and Internet Explorer however it is strongly recommended not to install this software on SAP servers, particularly production servers.
    To improve reliability of an operating system it is recommended to install as few software packages as possible.  This will not only improve reliability and performance, but will also make debugging any issues considerably simpler
    “A server is a server, a PC is a PC”.  Customers are encouraged to restrict access to production servers by implementing Server Hardening Procedure. 
    SAP Servers should not be used as administration consoles and there should be no need to directly connect to a server. Almost all administration can be done remotely
    SAP on SQL General Update for Customers & Partners September 2013
    Internet Explorer (and any other non-essential software) should always be removed from every SAP DB or Application server. 
    The following command line removes IE from Windows 2008 R2, Windows 2012 and Windows 2012 R2:
    Open command prompt as an Administrator ->  dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

  • Query Active Directory + Problem with thumbnailPhoto

    Hi
    I have a problem and I don’t know if it is my SQL Query, so here goes
    I have a view on my SQL server that Queries our Active Directory. I can see that there is data in the table.
    But when I try to use the Image in some C# code I get an error on 60% of the images with the exception header missing or corrupted.
    My view is built with this Query:
    select *
    from openquery(ADSI, 'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName,  department, thumbnailPhoto
    FROM ''LDAP:[REMOVED]''
    WHERE objectCategory = ''Person''')
    Do you have any idea where the problem is? The photos shows up fine in Outlook, SharePoint, lync etc. I’m pretty sure that the C# code works correctly. Hope you can help.
    Regards
    If only I had time to learn everything I wanted ...

    Hi Latheesh
    I've tried with this script:
    SELECT ISNULL(ROW_NUMBER() OVER ( ORDER BY department ), -999) 'id' ,
    CONVERT(NVARCHAR(25), givenName) AS Fornavn ,
    CONVERT (NVARCHAR(50), sn) AS Efternavn ,
    CONVERT(CHAR(5), UPPER(SUBSTRING(mail, CHARINDEX(mail, N'@'),
    CHARINDEX(N'@', mail)))) AS 'initialer' ,
    CONVERT(NVARCHAR(255), mail) AS Mail ,
    CONVERT(NVARCHAR(75), title) AS Stilling ,
    CONVERT(NVARCHAR(120), department) AS Afdeling ,
    CONVERT(NVARCHAR(13), telephoneNumber) AS Fastnet ,
    CONVERT(NVARCHAR(13), mobile) AS Mobil ,
    CASE WHEN userAccountControl = 2 THEN 'Account is Disabled'
    WHEN userAccountControl = 16 THEN 'Account Locked Out'
    WHEN userAccountControl = 17
    THEN CONVERT (VARCHAR(48), 'Entered Bad Password')
    WHEN userAccountControl = 32
    THEN CONVERT (VARCHAR(48), 'No Password is Required')
    WHEN userAccountControl = 64
    THEN CONVERT (VARCHAR(48), 'Password CANNOT Change')
    WHEN userAccountControl = 512 THEN 'Normal'
    WHEN userAccountControl = 514 THEN 'Disabled Account'
    WHEN userAccountControl = 544
    THEN 'Account Enabled - Require user to change password at first logon'
    WHEN userAccountControl = 8192
    THEN 'Server Trusted Account for Delegation'
    WHEN userAccountControl = 524288
    THEN 'Trusted Account for Delegation'
    WHEN userAccountControl = 590336
    THEN 'Enabled, User Cannot Change Password, Password Never Expires'
    WHEN userAccountControl = 65536
    THEN CONVERT (VARCHAR(48), 'Account will Never Expire')
    WHEN userAccountControl = 66048
    THEN 'Enabled and Does NOT expire Paswword'
    WHEN userAccountControl = 66050
    THEN 'Normal Account, Password will not expire and Currently Disabled'
    WHEN userAccountControl = 66064
    THEN 'Account Enabled, Password does not expire, currently Locked out'
    WHEN userAccountControl = 8388608
    THEN CONVERT (VARCHAR(48), 'Password has Expired')
    ELSE CONVERT (VARCHAR(248), userAccountControl)
    END AS 'Disabled' ,
    CONVERT(NVARCHAR(75), givenName + ' ' + sn) AS 'DisplayName' ,
    CONVERT (VARBINARY(MAX), thumbnailPhoto) AS 'Photo'
    INTO ##adTemptable
    FROM openquery(ADSI, 'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName, department, thumbnailPhoto,userAccountControl
    FROM ''[REMOVED]''
    WHERE objectCategory = ''Person''')
    WHERE department IS NOT NULL
    But i still gets the same error on MANY rows
    OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6846 and truncated data length is 4000.
    OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 7006 and truncated data length is 4000.
    OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6496 and truncated data length is 4000.
    If only I had time to learn everything I wanted ...

  • ACS 5.3, EAP-TLS Machine Authentication with Active Directory

    I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
    My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
    Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
    Evaluating Identity Policy
    15006 Matched Default Rule
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
    24437 Machine not found in Active Directory
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    12506 EAP-TLS authentication succeeded
    11503 Prepared EAP-Success
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    22065 Max sessions policy passed
    22064 New accounting session created in Session cache
    11002 Returned RADIUS Access-Accept
    I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
    Note: In my Identity Store Sequence, I did enable the option:
    For Attribute Retrieval only:
    If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
    but this only seems to work for internal identity stores (at least based on my testing)
    Under my Access Policy Identity tab, I configured the following Advanced features:
    Advanced Options
    If authentication failed: Reject / Drop / Continue
    If user not found: Reject / Drop / Continue
    If process failed: Reject / Drop / Continue
    And that didn't do anything either.
    Any ideas? Thanks in advance.

    Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
    Then can make a rule in the authorization policy such as
    If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"
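
The step trace quoted in this thread can be checked mechanically for the condition the poster found by hand: the directory lookup failed, yet the session ended in Access-Accept. The Python check below is an added example, not part of the thread; it uses only the step codes visible in the quoted log, and the function names and the second, shortened session are constructed for illustration.

```python
"""Flag ACS step traces where a machine missing from AD was still accepted."""
import re

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")
MACHINE_NOT_FOUND = "24437"   # "Machine not found in Active Directory"
ACCESS_ACCEPT = "11002"       # "Returned RADIUS Access-Accept"
PROFILE_SELECTED = "15016"    # "Selected Authorization Profile - <name>"

# The trace as quoted in the post above.
PAGE_LOG = """\
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
"""

# Constructed contrast case: the same trace without the "not found" step.
CONSTRUCTED_LOG = "\n".join(
    line for line in PAGE_LOG.splitlines() if not line.startswith(MACHINE_NOT_FOUND)
)


def parse_steps(text):
    """Split a trace into steps, tagging each with its 'Evaluating ...' phase."""
    phase, steps = None, []
    for raw in text.splitlines():
        line = raw.strip()
        match = STEP_RE.match(line)
        if match:
            steps.append({"phase": phase, "code": match.group(1),
                          "message": match.group(2)})
        elif line.startswith("Evaluating "):
            phase = line[len("Evaluating "):]
    return steps


def audit_session(text):
    """Report whether access was granted after the AD lookup came back empty,
    and which authorization rule and profile produced the result."""
    steps = parse_steps(text)
    codes = [s["code"] for s in steps]
    flagged = (
        MACHINE_NOT_FOUND in codes
        and ACCESS_ACCEPT in codes
        and codes.index(ACCESS_ACCEPT) > codes.index(MACHINE_NOT_FOUND)
    )
    authz = [s for s in steps if s["phase"] == "Authorization Policy"]
    profile = next(
        (s["message"].split(" - ", 1)[1] for s in authz
         if s["code"] == PROFILE_SELECTED and " - " in s["message"]),
        None,
    )
    return {
        "flagged": flagged,
        "authz_rule": authz[0]["message"] if authz else None,
        "profile": profile,
    }


if __name__ == "__main__":
    print(audit_session(PAGE_LOG))
```

For the quoted trace the result shows the accept coming from the default authorization rule with the Permit Access profile, which is the rule the reply above proposes to pre-empt with a deny condition.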
