Active Directory Provisioning : CheckForGroupAssigments not working

Hi All,
I am using SAP IDM 7.1 SP5 Patch 2. When I try to provision Active Directory with a small number of users, the standard framework works perfectly.
As soon as the list of users becomes long (more than 100), the task CheckForGroupAssigments gives a false result even if there are groups to add the user to. I am trying to investigate this and I do not know where this variable "%AUDITID%" is defined.
The check used is: SELECT count(userid) FROM mxpv_audit WHERE auditid = %AUDITID%
I know what auditid is used for, but I do not know what value "%AUDITID%" holds and where it is defined.
Any ideas are appreciated.
Thanks

Hi Thomas,
I came across the same problem with that view. We simply changed the SQL command to use mxp_audit instead of mxpv_audit. I also opened a support case at SAP and they told me they will fix this in a future version of the provisioning framework.
Best regards
Holger
Edited by: Holger Flocken on Nov 30, 2010 4:02 PM

Similar Messages

  • Active Directory Mobile Account not working

    Hello all. I've successfully joined a few Macs to an Active Directory domain. However, I have a laptop that needs to be able to authenticate even when away from the network. The "Create Mobile Account" checkbox seems perfect for the job. From my reading, it seems that it is supposed to cache login authentication info from network login users. Then when the computer doesn't have a network connection, it uses the cached credentials. Upon 1st login it asks if I want to create a mobile account, and I say yes. However, it doesn't work across a reboot.
    If I reboot the computer without an network connection, and then try to authenticate at the login screen with my network user, the password field "shakes" as if I got it wrong.
    However, I know it is sorta working because if I type >console into the user field, I get dumped to the console, where I can successfully login using the network user's credentials. Even without a network connection. But not from the gui login screen.
    Any ideas?
    Thanks!

    Abbas,
    You can find active directory synchronization option under PWA settings >> Operation Policies
    1. In Project Web App, click the Settings icon, and then click Project Web App Settings.
    2. On the Project Web App Server Settings page, in the Operational Policies section, click Active Directory Resource Pool Synchronization.
    3. On this page, you need to enter the Active Directory group which contains the users you want to sync and then click on save and synchronize.
    You can check the status of the Enterprise Resource Pool synchronization by returning to the Active Directory Enterprise Resource Pool Synchronization page and reviewing the information in the Synchronization Status section. It contains information such as when the last successful synchronization occurred. If last synchronization failed for any reason, it will also post a timestamp of when it occurred if you wanted to search for more information in the ULS logs.
    Let us know the results.
    You can find more information on AD sync at
    http://technet.microsoft.com/en-us/library/gg982985(v=office.15).aspx
    Thank you,
    Kiran K.

  • 'Public' Active Directory account no longer works w/Tiger?

    We have approx 20 public Macs that all log onto our Windows 2003 server using the same Active Directory account - 'Public'
    This has worked fine until Tiger - Now when we attempt to log onto one of our network drives with this account name I'm told by a pop-up window that the account is either disabled or I've put the password in incorrectly.
    Can anyone confirm if 'Public' cannot be used by a user on Tiger? Is it exclusively for the OS?

    Ran across this in help file...
    "Mac OS X 10.3 or later: "Invalid user name and password combination" Message When Using Active Directory
    When binding a Mac OS X client computer to Active Directory, the account entered is not validated (resolved) at that time. It is used as entered. If entered incorrectly, you will see an alert message later.
    Symptom
    After configuring the Active Directory Directory Access plug-in, an alert message appears at the client computer that says "invalid user name and password combination."
    Products affected
    Mac OS X 10.3 or later
    Solution
    This happens when an incorrect name and/or password is entered, including a username entered with incorrect syntax.
    The user's login name (also known as "PrincipalName") is required when binding a computer to Active Directory.
    The user can also use the short part of the login name (such as "virginia"). The typical syntax of a login name is similar to "[email protected]".
    Note: If the user's login name has been modified from the default "[email protected]", then the default login name must be used. The modified login name (such as "[email protected]") cannot be used."

  • Active Directory server is not available

    I have just set up and started testing a new Exchange 2007 on my network. We did not have an Exchange before, so this is a new install.
    My domain, xxx.com, is a Windows 2000 native AD. The Exchange 2007 is a Win 2003 SP1 x64; it is also a DC and has all roles assigned to it.
    In my network I have:
    dc01 win2000 sp4 dc (gc)
    dc02 win2000 sp4 dc (gc)
    exch01 win 2003 sp1 dc, rid, pdc, fsmo, gc, infrastructure and naming
    The install went well, and I have been testing it for the past 2 weeks with dummy accounts, test SMTP connectors, etc. All was working fine, to the point that I have started planning the migration of the users.
    Today I did some mods to IIS for an OWA free SSL from StartCom (as well as the root CAs). I have removed it since.
    I now get the following errors when I start the console or shell:
    Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
    It was running command 'get-ExchangeAdministrator'.
    The following error(s) were reported while loading topology information:
    get-ExchangeServer
    Failed
    Error:
    Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
    A local error occurred.
    get-UMServer
    Failed
    Error:
    Active Directory server exch01.xxx.com is not available. Error message: A local error occurred.
    A local error occurred.
    HELP.. I have no idea what it does not like.
    exbpa does not report anything, I even get it to connect to exch01 for its AD access.
    Any ideas??
    Thanks
    Paul Gartner
    (Overall I like what I have been seeing in Ex2007)

    I think that you might be confusing "AD user account" and "profile". You DO NOT delete administrator from your AD Users and Computers. You only delete the profile (\documents and settings\administrator folder). You can NOT do this while you are logged on using the administrator account.
    Be sure to back up any data in your My Documents and any favorites.
    Create another user that is in the domain admin group of your Active Directory, log on with that account and verify that the Exchange tools work. Then follow this to remove the profile.
    >1). Logon the Exchange server by using another admin account.
    >2). Open Control Panel, select System.
    >3). Select Advanced tab and click the Settings button of User Profile.
    >4). Delete the Profile of user which encounters this issue.
    >5). Click OK.
    >6). Restart the server and logon it by using Administrator account.

    Once this is done, log on with your administrator account and try the tools again; they should work.
    Paul Gartner

  • DNS The Zone cannot be deleted - the active directory service is not available

    Hello TechNet Members,
    As you can see from the summary, I got this message when I'm trying to delete a DNS zone.
    It doesn't matter whether the DNS zone is newly created or an old one.
    After this message the computer is telling you "The Computer is about to make Restart".
    It's so strange and I really don't know what to check first.
    More information:
    5 servers that replicate together.
    The operating system is Windows Server 2012 R2 for all the DCs.
    1 Domain In the Forest.
    Thanks,

    Hi Jesper,
    DCdiag /fix and no errors in there, everything marked as PASSED.
    I did a demotion of one of the DCs to troubleshoot, but with no luck; I'm back to the same point I started.
    I tried to delete the brand new zone from the command line using DNScmd; it's still not working and the computer reboots itself.
    I've checked the permissions from the ADSIEdit.msc:
    Inherit from MicrosoftDNS section to the ROOT
    DNSAdmins > Full Control
    Domain Admins > Full Control
    From "DNS Server" section at the EventViewer
    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
    "The DNS server was unable to complete directory service enumeration of zone TestZone1. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error. "
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
    Thanks,

  • Active Directory cn field not updated from sap HR using ldap.

    Hi,
    Apologies if this is in the wrong forum area.
    I am using the LDAP facility to create and modify Active Directory records from sap HR. Initially, the name field cn that was coming across into AD was in the format of the logical system and employee number, eg, RD4CLNT22000000711.
    I then implemented the BADI HRLDAP_ATTRIBUTES which then changed this name field cn in the active directory listing to the format; surname, forename.
    It works fine when I create a new user, however the problem comes when I update the person's name in the SAP HR module. The data that comes across into Active Directory shows the change to the person's surname sn, forename and displayname fields is there but the cn field is still showing as the previous name.
    In short, when a new user is created, the cn field in Active Directory is correct (surname, forename) but when the employee's name is modified, that change is not brought across to the cn field even though the surname, forename and displayname fields are updated correctly on AD.
    We are on release 4.70.
    Anyway, if anyone could help I would be very grateful.
    Thanks
    David

    Hi
    The problem it is causing us is that the cn field is incorrect and does not mirror the change in sap HR, therefore the Active Directory entry for the employee is not totally accurate.
    When an employee changes their name in SAP HR - usually their surname, we would then want to update the employee’s active directory account to show this change and this includes the cn field also. At the moment the firstname, lastname fields do get updated with the change so we would want the cn field to show this as well otherwise the cn field would be incorrect and not match up with the employee's AD firstname & lastname fields.
    Dave

  • ISE upgrade 1.2: Self-provisioning portal not working

    Hi all,
    I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
    Screenshot of page is attached:
    I've checked ise-console.log application log file and found two errors corresponding to the first page:
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:-         at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
    and the second (not working) one:
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:-  at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
    Looks like something is wrong with a certification file, but I cannot find what is. I've exported and re-installed current server certificates (as instructed by upgrade guide for 1.2) and nothing changed.
    Can somebody please help?
    Thanks,
    L

    Errors When Adding Devices to My Devices Portal
    Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
    If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
    If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
    For more information on self-provisioning.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

  • I've received a message on my iphone 4s that it needs to be activated and it is not working

    I have received a message on my iPhone 4s that it needs to be activated. I have tried doing this multiple times with strong wifi connection and it is not working. I connected it to iTunes as my phone suggested and I still could not activate it. This is quite frustrating as this does not allow me to use my cell phone for anything and I need it for many things.

    It would have saved to your camera roll. Connect the phone to your Air via a USB cable and then run Image Capture which is located either in your Utilities folder or Other folder, depending on what version of Mac OS X you are running. You will then see all the photos and videos stored on your iPhone and can then download them.

  • Active Directory credentials will not update

    When updating the Active Directory credentials, no update occurs. BOXI R2 does not appear to talk to the Active Directory server and eventually times out.
    The time out has been set to 1200 (Default 120) but still no response from the Active Directory server.

    There is a fairly detailed section in the Admin guide for setting up AD (p250).
    Make sure you have set up the IIS server as detailed in that section
    Thanks
    Kevin

  • Active Directory OU is not reflected on Client PC

    Hi Everyone,
    I am facing some issues adding a new user account for remote access. I then found that the OU in my client PC is different from AD. Can you all tell me how to troubleshoot this issue?
    AD: Windows Server 2008
    Client : Windows 7
    Reference Image:
    1. AD OU:
    2. Client OU:
    Thank You.
    Regards,
    Sam

    This might be a replication issue.
    On both ADUC consoles, check which DCs are used to connect. You can change the DC in use by doing a right click on Active Directory Users and Computers within ADUC and choosing the Change Domain Controller... option.
    I would recommend that you check your AD replication status using repadmin. It would be good also to check your DCs' health status using dcdiag.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Active Directory, created users not showing up in list of all users

    I created a user name "test". However, when I look at a list of all users I only have the 4 users that were created on installation. When I search for "test" it shows up. Why isn't my user showing up in the list of users?
    I am looking in Active Directory Administrative Center:
     <my Domain> (local) -> Users
    Global Search
    Sorry I cannot provide pictures; I am waiting for my account to be activated.

    You need to look to your search criteria to understand what might be wrong.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Active Directory Replication, have not been performed for a long time

    Good afternoon, 
    Situation: in the organization with a lot of domain controllers, with one of the sites lost contact. From the period of 18.07.2014 - for the present time, the replication of the two domain controllers did not happen. Now, the connection is reestablished in magazines replication errors occurred. Replication is performed using DFS.
    errors: 
    The journal replication DFS: 
    The DFS Replication service has detected an error in the connection to the partner for replication group Domain System Volume. 
    For more information: 
    Error 1825 (Error in the security package.) 
    Connection ID: F29C3738-AF90-4CE8-BFC0-48C1B36A5819 
    The ID of the replication group: 72D953C6-FD0A-4DA0-8D91-2C0B144E45A1 
    In the system log: 
    The Kerberos client received an error from the server KRB_AP_ERR_MODIFIED SERVERNAME $. Used the final name DNS \ SERVERNAME $. This means that the target server failed to decrypt the ticket provided by the client. This may be due to the fact that the SPN is the destination server (SPN) is registered on an account other than the account used by the ultimate service. Make sure that the final SPN is registered only on the account that is used by the server. This error may also be that the final service is using a different password for the account of finite life that is different from the password key distribution center Kerberos (KDC) for the account of finite life. Make sure that the service on the server and the KDC are updated to use the current password. If the server name is not fully defined, and the target domain is different from the client's domain, check for server accounts with the same name in these two domains, or use the full name to identify the server.
    This error occurs when you try to access any network resource problem servers. 
    Storage of deleted AD objects installed by default 180 days. 
    Solutions found, can someone faced with similar circumstances. I would not want to lower the domain controllers on the problematic servers and deploy them again. After all objects created will be lost during this period, they are the whole domain is not much, but they are
    The result of repadmin /showrepl - this error, on all servers:
        SITE\SERVER via RPC
            DSA - GUID of the object: 5f01bea8-b74b-4876-b475-be712a191431
            Last attempt @ 15/10/2014 13:00:35 completed with an error, the result -2146893022 (0x80090322):
                Principal Name is incorrect.
            7579 consecutive errors.
            Last success @ 07/28/2014 14:15:41.
        SITE\SERVER via RPC
            DSA - GUID of the object: 436c1016-4363-47b5-a34d-2e5b3e2b0038
            Last attempt @ 15/10/2014 13:00:35 completed with an error, the result of 5 (0x5):
                Access is denied.
            7579 consecutive errors.
            Last success @ 07/28/2014 14:15:42.
        SITE\SERVER via RPC
            DSA - GUID of the object: b677e990-f7cb-4daf-8f87-16602bc119e0
            Last attempt @ 15/10/2014 13:00:35 completed with an error, the result -2146893022 (0x80090322):
                Principal Name is incorrect.
            7579 consecutive errors.
            Last success @ 07/28/2014 14:15:43.
        SITE\SERVER via RPC
            DSA - GUID of the object: 5afbb9b1-7558-4f97-b941-84e1845b48ce
            Last attempt @ 15/10/2014 13:00:35 completed with an error, the result -2146893022 (0x80090322):
                Principal Name is incorrect.
            7579 consecutive errors.
            Last success @ 07/28/2014 14:15:43.
    netdom resetpwd /s:NameWorkDC /ud:domain\administrator_domen /pd:password
    Failed to reset the password for the local computer account. 
    Login failure: The target account name is incorrect. 
    Failed to execute the command. 
    If I execute the command, and as a server pointing, use the second server of the same site (which have not replicated on the same site). The command is executed successfully. 
    If I specify as the /server - IP address of work DC, operating a server running KDC - the command is executed successfully. 
    Generally, the problem with the controller, I can not get access to any of the listed on the main market, produces an error. You might not have permission to use this resource. 
    BUT if we turn on the IP, - let without the need to enter login and password.
    Please help, what Microsoft's recommendations in this regard. Thanks in advance.

    To get a better idea of the DCs' config, let's see an unedited ipconfig /all from the DCs, please.
    Is there a third-party AV on the DCs?
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Why my activated CTS BADI is not working ?

    Hello,
    I'm using the BADI CTS_EXPORT_FEEDBACK. To do this, I used the transaction SE19, created a new implementation, added my own code and activated the implementation, class and method.
    The problem is that when I export an order, the code I've written is not run.
    My BADI is activated and I noticed that in the transport protocol new lines appear:
    DEV        Developpement
           Checks at Operating System Level         03.09.2010 16:39:00    (0) Successfully Completed
           Pre-Export Methods                       03.09.2010 16:39:06    (0) Successfully Completed
           Export                                   03.09.2010 16:39:12    (0) Successfully Completed
         Import steps not specific to transport request  
               Feedback after export or import          03.09.2010 16:39:13    (0) Successfully Completed
    INFORM SAP-SYSTEM OF TP TERMINATION                                                 
    Transport request   : ALL                                                           
    Start: Executing method FEEDBACK_AFTER_EXPORT for business add-on CTS_EXPORT_FEEDBACK
    End: Executing method FEEDBACK_AFTER_EXPORT for business add-on CTS_EXPORT_FEEDBACK 
    INFORM SAP-SYSTEM OF TP TERMINATION                                                 
    End date and time : 20100903163913                                                  
    Ended with return code:  ===> 0 <===                                                
    I tried in my code to write in DB for example but no lines are added. My code works fine when I'm testing the BADI.
    So it's very strange, everything seems to be activated and running but nothing's done.
    Another info, the BADI is launched from the program RDDFDBCK (l.348) and when I test this part of the code (call function...) everything's working fine...
    Any idea ?
    Thanks in advance.
    Simon

    Ok, I solved the problem myself.
    If anybody has the same problem.. here is the solution.
    The job RDDFDBCK is running in background. I ran a DEBUG thanks to the tip in this page : [SDN|http://wihttp//wiki.sdn.sap.com/wiki/display/ABAP/ABAP%20Debugger#ABAPDebugger-HowdoIdebugrunningbackgroundprocessesorasynchronousprocesses%3F]
    I created a block "While l_int = 0. Endwhile." in my BADI implementation in order to make the job duration long enough to enter in debug with SM50.
    Here I saw that my SELECT wasn't returning lines.
    Finally, I found in SM37 that the main job was launched with the mandant 000 => and my tables contained a field MDNT.
    So the BADI was launched but nothing was done because of the mandant. I just removed the field MDNT of my custom tables to solve the problem.
    Simon

  • How can I contact Adobe to reset activations.  Chat does not work neither on OS X Mavericks Firefox nor Safari

    Recently upgraded to Mavericks OS with fresh hard drive and deactivated prior to the new install.
    Still says that my activations are exceeded even though they were deactivated on both laptop and desktop Mac.
    Now, cannot get to Adobe chat because it doesn't work on either Safari or Firefox.
    What happened to the call-in line for this?
    Cheers,
    Monica

    I'm using chrome and it said not available at this time.  My hard drive crashed so nothing was deactivated. I am able to install so far but it's using my second try and I can't get to Adobe to have reset. What's up

  • Phone Provisioning service not working

    When I go to services > phone provisioning all I get is Host Not Found. I have confirmed this on two new phones that I'm trying to register and a few working phones as well. I have reset the phone and confirmed it is pulling IP information along with the correct TFTP servers.

    I have also reset the TFTP service in the call manager, but still am unable to register any phones.
