Active Directory Trusted Recon ends with NullPointerException

Similar Messages

• Exporting Active directory users to excel with conditions

  I'm trying to export AD users with selected fields out to a spreadsheet, with the condition that the employeeid field is greater than 99999.    I found a VBScript elsewhere on this site that does everything i need, even filtering on the employeeid
  field except that when it export to the spreadsheet the employeeid field comes back as if it's blank.  But i know it's not as it will do the filtering correctly.  Below is the script i've been using.   As i said it will correctly list all users
  with employeeid greated than 5 digits but it just won't export the actual employeeid field
  Dim ObjWb 
  Dim ObjExcel 
  Dim x, zz 
  Set objRoot = GetObject("LDAP://RootDSE") 
  strDNC = objRoot.Get("DefaultNamingContext") 
  Set objDomain = GetObject("LDAP://" & strDNC) ' Bind to the top of the Domain using LDAP using ROotDSE 
  Call ExcelSetup("Sheet1") ' Sub to make Excel Document 
  x = 1 
  Call enummembers(objDomain) 
  Sub enumMembers(objDomain) 
  On Error Resume Next 
  Dim Secondary(20) ' Variable to store the Array of 2ndary email alias's 
  For Each objMember In objDomain ' go through the collection 
  if ObjMember.EmployeeID > 199999 Then  'if employee id greater than 199999 then add to spreadsheet (meaning physician)
  x = x +1 ' counter used to increment the cells in Excel 
  ' I set AD properties to variables so if needed you could do Null checks or add if/then's to this code 
  ' this was done so the script could be modified easier. 
  SamAccountName = ObjMember.samAccountName 
  FirstName = objMember.GivenName 
  LastName = objMember.sn 
  EmployeeID = ojbMember.employeeID
  EmailAddr = objMember.mail 
  Addr1 = objMember.streetAddress 
  Title = ObjMember.Title 
  Department = objMember.Department
  ' Write the values to Excel, using the X counter to increment the rows. 
  objwb.Cells(x, 1).Value = EmployeeID
  objwb.Cells(x, 2).Value = SamAccountName 
  objwb.Cells(x, 3).Value = FirstName 
  objwb.Cells(x, 4).Value = LastName 
  objwb.Cells(x, 5).Value = EmailAddr
  objwb.Cells(x, 6).Value = Addr1 
  objwb.Cells(x, 7).Value = Title 
  objwb.Cells(x, 8).Value = Department 
  ' Write out the Array for the 2ndary email addresses. 
  For ll = 1 To 20 
  objwb.Cells(x,26+ll).Value = Secondary(ll) 
  Next 
  ' Blank out Variables in case the next object doesn't have a value for the property 
  EmployeeID = "-"
  SamAccountName = "-" 
  FirstName = "-" 
  LastName = "-" 
  EmailAddr = "-" 
  Addr1 = "-" 
  Title = "-" 
  Department = "-" 
  For ll = 1 To 20 
  Secondary(ll) = "" 
  Next 
  End If 
  ' If the AD enumeration runs into an OU object, call the Sub again to itinerate 
  If objMember.Class = "organizationalUnit" or OBjMember.Class = "container" Then 
  enumMembers (objMember) 
  End If 
  Next 
  End Sub 
  Sub ExcelSetup(shtName) ' This sub creates an Excel worksheet and adds Column heads to the 1st row 
  Set objExcel = CreateObject("Excel.Application") 
  Set objwb = objExcel.Workbooks.Add 
  Set objwb = objExcel.ActiveWorkbook.Worksheets(shtName) 
  Objwb.Name = "Active Directory Users" ' name the sheet 
  objwb.Activate 
  objExcel.Visible = True 
  objwb.Cells(1, 1).Value = "EmployeeID"
  objwb.Cells(1, 2).Value = "SAMAccountName"
  objwb.Cells(1, 3).Value = "FirstName" 
  objwb.Cells(1, 4).Value = "LastName"  
  objwb.Cells(1, 5).Value = "Email" 
  objwb.Cells(1, 6).Value = "Addr1" 
  objwb.Cells(1, 7).Value = "Title" 
  objwb.Cells(1, 8).Value = "Department" 
  End Sub 
  MsgBox "User dump has completed.", 64, "AD Dump" ' show that script is complete

  Here is a test version
  Set xl = CreateObject("Excel.Application")
  xl.Visible = True
  Set wb = xl.Workbooks.Add()
  Set sheet = wb.Worksheets("sheet1")
  sheet.Name = "Active Directory Users"
  i = 1
  With sheet
  .Cells(i, 1).Value = "EmployeeID"
  .Cells(i, 2).Value = "SAMAccountName"
  .Cells(i, 3).Value = "FirstName"
  .Cells(i, 4).Value = "LastName"
  .Cells(i, 5).Value = "Email"
  .Cells(i, 6).Value = "Addr1"
  .Cells(i, 7).Value = "Title"
  .Cells(i, 8).Value = "Department"
  End With
  Set users = GetADUsers()
  While Not users.EOF
  i = i + 1
  With sheet
  .Cells(i, 1).Value = users("employeeID")
  .Cells(i, 2).Value = users("samAccountName")
  .Cells(i, 3).Value = users("GivenName")
  .Cells(i, 4).Value = users("sn")
  .Cells(i, 5).Value = users("mail")
  .Cells(i, 6).Value = users("streetAddress")
  .Cells(i, 7).Value = users("Title")
  .Cells(i, 8).Value = users("Department")
  End With
  users.MoveNext
  Wend
  Function GetADUsers()
  Set rootDSE = GetObject("LDAP://RootDSE")
  base = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">"
  filt = "(&(objectClass=user)(objectCategory=Person))"
  attr = "employeeid,SAMAccountName,mail,GivenName,sn,streetAddress,Title,Department"
  scope = "subtree"
  Set conn = CreateObject("ADODB.Connection")
  conn.Provider = "ADsDSOObject"
  conn.Open "Active Directory Provider"
  Set cmd = CreateObject("ADODB.Command")
  Set cmd.ActiveConnection = conn
  cmd.CommandText = base & ";" & filt & ";" & attr & ";" & scope
  Set GetADUsers = cmd.Execute()
  End Function
  ¯\_(ツ)_/¯

• Active Directory Access and Synchronization with R/3

  Dear All,
  What I have understood till now about users being maintained in Active Directory is: there are no Roles in Active Directory, users are to be assigned to Groups in the Active Directory.
  My requirement is: I have to maintain the users in Active Directory, and ensure they are in sync with my BW system CUA.
  First question is: Can we maintain users and roles in CUA?
  If I want to synchronize between Active Directory and CUA, do I always need the EP to play a part? If not, what are my alternatives?
  My second requirement is: I have to get the users and roles ( partly from Active Directory  via LDAP Connector, and partly from BW CUA ), the challenge being, I am getting users from the Active Directory, how will I determine the role it is assigned to in CUA?
  I will have the group of the user from Active Directory, where and how do I determine what is the role assigned to this user?
  Please suggest.
  Regards,
  Prosenjit.

  Prosenjit,
  My apologies, I didnt really understand your scenario.
  For your query -- I have to fetch the users from AD, check their roles, and display some relevant data.
  You create the role in portal as assign it to the group (group can be anything either AD Groups, CUA Roles which would be groups on the portal or simple portal groups). Now the role will display the reports as links in the TLN and Detail level navigation however it would only be the authorizations which control what data will be visible to the end user.
  Syncronization between AD - ABAP (CUA) would allow you to sync the user details between both the data sources roles dont come into the pitcure as far as I know and have seen (might be wrong also)
  How will I conclude to which role the user is entitles in the BW side, just by getting the group?
  I suppose you must have developed and then published reports on the portal. You will have to create a user - report matrix and then assign users to approproate groups.
  Do clarify the requirement in further detail if this doesnt solve your issue.

• Windows Server 2008 Active Directory Trust

  Hi ,
  Can anyone help with the answer to the following questions please?
  a) Whether Microsoft Windows Server 2008 SP2 Standard Edition support AD trust relationships (one-way; two-way)
  b) Whether we can create trust between Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 Standard Edition AD servers?
  Thanks in advance.
  India1947

  Hello,
  First of all, please confirm the firewall on the Windows Server 2008, the TCP/IP filter or any 3 party firewall is not blocking the RPC and ICMP traffic between two domain controllers.
  1.    Have a test of creating and verifying trust while all firewalls are all disabled. Then re-create and verify the trust to check how it works.
  Allowing Inbound Network Traffic that Uses Dynamic RPC
  http://207.46.196.114/windowsserver2008/en/library/d37f96c6-c729-4b29-80a9-88db3d97b8631033.mspx
  2.    If it still fails, please try to collect the following information for our further investigation:
  -      Run "Netdiag /v >>netdiag.txt" on both DCs
  -      Network Monitor trace when verifying the trust:
  Download the NetMon3.1 from the following link:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en
  1.    Install the NetMon on Windows Server 2008.
  2.    In the Microsoft Network Monitor 3.1 window, click Create a new capture tab….
  3.    In the new tab, select all the Network Adapter in the Select Networks window.
  4.    After that, press F10 to start NetMon.
  5.    In the Active Directory Domains and Trusts, try to verify the trust to reproduce the issue.
  6.    After that, go back to the Netmon window and press F11 to stop the Netmon on the Windows Vista machine.
  7.    Press Ctrl+S to save the Netmon files.
  Please send files to [email protected]
  Note:
  a. Please include the following three lines for this issue in the email body:
  Trust Windows Server 2008 and Windows 2000
  http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3210801&SiteID=17
  Miles Li - MSFT
  b. We will continue to discuss the issue here in the newsgroup and will NOT reply via emails.
  c. Pease post a quick note in the current thread to inform me after sending the email.
  Thanks.
   

• ACTIVE DIRECTORY TRUST CONFLICT AND INTERDOMAIN MAIL FLOW

  Old AD Forest: abc.com Win 2003 R2
  Existing Exchange: Exch 2007 SP3
  Exchange Server contains the domains like aaa.com, bbb.com, ccc.com so on and so forth
  Created new AD Domain ccc.com
  Deployed Exchange 2013 SP1
  Trust created with conflict. the conflicting object is ccc.com in both ADs
  I can send emails from new exchange organization to aaa.com, bbb.com, etc except to ccc.com user in abc.com
  Kindly suggest how to enable mail flow
  Regards

  Exchange e-mail domains don't have to be the same as active directory domains.  Exchange processes mail based on accepted domains, connector address spaces, and recipient addresses.  Just creating a domain doesn't do anything to create recipients
  in Exchange with the domain's address.  It sounds like you need to add ccc.com as an accepted domain, and maybe create an e-mail address policy for the recipients in that domain and/or manually add ccc.com addresses to recipients.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Active Directory - SharePoint Replication Problem with User Information

  Hi, we have a implementation of SharePoint 2010 stand alone server, when we start to work in this server, we add the users from Active Directory services implemented in our company. This users had information like the email and department. When i add one
  user to SharePoint, sharepoint import all information user.
  The problem is when i change the email information from the user in Active Directory, this information didnt replicate to SharePoint.  The user have the new email In Active Directory and the old email in SharePoint.
  How can i replicate new one all information from the user to SharePoint?
  I hope someone can help me..
  thanks. 

  Standalone installations of SharePoint do not support the User Profile Sync Service. You'll want to use a farm installation for that functionality.
  Are you using SharePoint Foundation, Standard, or Enterprise? The UPSS only comes with Standard and Enterprise.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Active Directory login soooo slow with 10.4.11 client upgrades

  Hi All,
  I have a problem and hopefully someone will be able to help me.
  We have around 30 Macs in and a golden triangle set up with Mac OS X Server 10.3 on Xserves and a Windows Server 2003 as the PDC and primary DNS server.
  Basically, after upgrading the clients to 10.4.11 the log in process takes an extra 90 seconds to connect. The login window will appear but you are not able to log in until after 90 seconds. During the 90 seconds there are "Some Network Accounts Available" but this is just the Open Directory accounts in the background.
  I have tested with 10.4.4 up to 10.4.10 and this problem does not appear but once I upgrade to 10.4.11 then the problem comes back so I don't believe it is a server orientated problem.
  I also attempted using the old Active Directory plug-in within Directory Access from 10.4.8 and 10.4.10 in place of the one installed with 10.4.11 and this did not help with the matter.
  Does anyone know what has changed with 10.4.11 and what I could possibly do to resolve this problem?
  I probably haven't covered all the bases so let me know if you need more information.
  Dehsinotsa

  Answered at http://discussions.apple.com/message.jspa?messageID=13129261

• Developping custom trusted recon connector with ICF - 11g Release 2

  Hi all,
  We need to develop a custom connector for trusted source reconciliation (trusted source is HR system). We need to implement custom logging mechanizm (catch the comming data from HR and log it to db). Also in our HR system user deletion is not flaged but directly the record is deleted from the db, can we handle this with ICF? I mean can we search both HR and IDM for all records on the connector side? Any guide is strongly appreciated...
  Thanks in advance..
  Aliye

  Thank you for your response Gyanprakash...
  From what I understand at all, when I develop custom connector bundle using ICF (implementig the interfaces for Connector and ConnectorConfiguration) :
  The implemented methods
  SchemaOp, CreateOp, DeleteOp, UpdateOp, SearchOp<Map<String, String>>, GetApiOp, is all for the target system, I mean our searches are always on the target system(in my case HR system), if I want to make search for users on IDM(to get all users on IDM) we must use OIM API, am I right?
  Thank you for your help
  BR

• Active Directory and Mobile computer with 10.8.4

  I've managed to get our Power Book (first mac on network) on AD domain, it was a labor of love,
  I have gotten every thing working smooth, Volumes mounted with and without Alias, but the last thing I am trying to configure is Mobile Computing,
  so a user can work off the Network and have it Sync when he logs back in. Mobile computer pulls the UNC from AD fine and mounts his home directory, however it does not sync to his home directory on the network...
  I am sure I am missing something silly, but right now my brain is fried... Any help please?

  Got it, thanks guys works pretty well too... I don't know why it wasn't working before, AD integration is still strange.

• OIM Integration with Active Directory Federation Services (ADFS)

  Hello friends
  I have a question about the integration of Oracle Identity Manager with Active Directory which is federated with another external directory for ADFS. My question is:
  What considerations should be to contemplate if I have an active directory federated environment when carrying out the integration with Identity Manager?
  I use version 9.1.0.2 of Oracle Identity Manager with Microsoft Active Directory Connector User Management 9.1.1.7
  Thanks for the support.

  First consideration is that the OIM's target ADFS - in the federated scenario, will that participate as a Service provider or identity provider. I would think identity provider.
  Next consideration: What all attributes are required to be played in the SAML assertion to the other end-point? All these attributes must be present and should be provisioned to the AD in this case.
  So, OIM should be set up (UDF etc) to provision all those attributes needed in the SAML.
  Next consideration: What all scenario to support? IdP initiated or SP initiated? If SP initiated, then process will hv to be defined if a user id does not exist in the AD of the OIM target. Will the request be failed or a in-time provisioning should happen.
  Hope this helps.

• Error While Configuring the Shared Service with Active Directory

  Hi All,
  I am getting a error while configuring MSAD with Shared Service, when entering the User Id and password and clicking next, the following error is displayed:
  "EPMCSS-05180:Failed to validate Security configuration. Failed to connect. Invalid values for Base DN, User DN or Password. Enter valid value(s). Root Cause : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]"
  The AD user has the read access to the all users and group in Active Directory. If I use an Active Directory user with Admin privilege, It is getting connected.
  But client is not ready to provide the Admin Access due to their internal policy and I also don't have any document which says admin privilege is required. According to the document,the user should have the following privileges only.
  "The distinguished name of the user that Shared Services should use to bind with the user directory. This user must have search privilege on the RDN attribute within the DN. For example, in the dn: cn=John Doe, ou=people, dc=myCompany, dc=com, the bind user should have search access to the cn attribute.Special characters in User DN must be specified using escape characters. See “Using Special Characters” on page 46 for restrictions.
  Example: cn=admin,dc=myCompany,dc=com
  But I am getting confused with the statement "This user must have search privilege on the RDN attribute within the DN". Is it not search privillege?
  Can anybody help me with required privilege for Active Directory user to configure with Shared Service.
  Thanks in Advance,
  Sunil

  Thank you All,
  i tried connecting using AD Browser from Microsoft, and it went in properly. then i found out that the AD Team here were giving a Wrong Credentials to connect, they Gave me HYP_OID which infact turned out to be a Principal name instead of a 'cn'.
  after searching in the AD Browser i found the correct cn which is "Hyperion OID", then it went to the second Screen where now i am trying to search for the Users based on thier Job Nature.
  Thank you for all the Support Guys, you both "Celvin" and "John" are the Top Guys under my Search list for any technical Assistance.
  Thank you once again Friends....
  Regards,
  Sunil...
  Shantan....

• Integrating Active directory  with oracle EBS 12.1.3 with 11g R2 database

  Hi,
  can any one let me know Integrating Active directory windows 2009 R2 with oracle EBS 12.1.3 with 11g R2 database software requirements and document ids for integrating.
  Is windows 2008 active directory is cerfied with 10g OID??
  regards,
  chandrasekhar.

  Hi
  I found exact note
  Is OID 10g/11g DIP Compatible / Certified With Microsoft Active Directory 2008 / Windows 2008 R1/R2? [ID 944298.1]
  From note:
  DIP 10g latest version (10.1.4.3) and DIP 11g up to PS4 / 11.1.1.5 Patchset releases integrations are certified with MS AD 2008 R1 only.
  DIP 11g certification with AD 2008 R2 is supported only with DIP 11g PS5 / 11.1.1.6 Patchset or higher.
  Note: Although DIP below 11.1.1.6 integration (synchronization, external authentication, etc.) with MS Windows / AD 2008 R2 may work, it is not officially compatible / certified. See also Note 1076018.1.
  Regard
  Helios

• Problems using native query in Active Directory connector v 9.1

  Hello,
  Has anyone ran into a problem when trying to do a query with a not operator?
  I want to import all users, but not computers.. so I tried the query (&(objectClass=user)(!objectclass=computer))
  I tried this query directly in the active directory and it worked.
  The problem is when I apply it to OIM it gives out the following error:
  DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::performReconciliation() Enter
  DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::setTaskSchedulerObjectName() Enter
  INFO,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],Starting Active Directory Trusted Reconciliation
  DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::setTaskSchedulerObjectName() Exit
  DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ADLookupMaps::getADFieldsArray() Enter
  DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ADLookupMaps::getADFieldsArray() Exit
  DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
  DEBUG,29 Oct 2008 19:48:06,350,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
  DEBUG,29 Oct 2008 19:48:06,350,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
  DEBUG,29 Oct 2008 19:48:06,363,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
  DEBUG,29 Oct 2008 19:48:06,363,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
  DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
  DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ADReconTaskAttrs::parseAndSetMultiValAttrs() Enter
  DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ADReconTaskAttrs::parseAndSetMultiValAttrs() Exit
  DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ActiveDirectoryRecon/performReconciliation :query (&(&(objectClass=user)(!objectclass=computer))(whenChanged>=19000101000000.0Z))
  DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::searchResultPageEnum() Enter
  DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::connectToAvailableAD() Enter
  DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForDirContext() Enter
  DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForDirContext() Exit
  DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForLDAPContext() Enter
  DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForLDAPContext() Exit
  DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::validateCertificates() Enter
  DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::validateCertificates() Exit
  DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],Critical Extensions Supported
  DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::invalidateSSLSession() Enter
  DEBUG,29 Oct 2008 19:48:06,549,[OIMCP.ADCS],tcADUtilLDAPController::invalidateSSLSession() Exit
  DEBUG,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],tcADUtilLDAPController::connectToAvailableAD() Exit
  ERROR,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],The error occured in tcADUtilLDAPController::searchResultPageEnum():Unbalanced parenthesis
  DEBUG,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],tcADUtilLDAPController::disconnect() Enter
  DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],tcADUtilLDAPController::disconnect() Exit
  DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],tcADUtilLDAPController::searchResultPageEnum() Exit
  DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],ActiveDirectoryRecon::performReconciliation() Exit
  INFO,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],End of Active Directory Reconciliation....
  DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],ActiveDirectoryReconTask/execute End
  Thanks in advance,
  Tomic

  Hi,
  Try this and it will work.I am using it.
  (&(objectClass=user)(!(objectClass=computer)))
  Regards
  Nitesh

• Project Server 2010 Active Directory Synchronization - duplicate Windows Name - Event ID 7734

  Environment: SharePoint Server 2010, Project Server 2010, SP2, DEC 2013 CU (Farm Build number: 14.0.7113.5001)
  Scenario: 
  Domain user has been added to the Active Directory group being synchronized with Project Server for the Team Members group.
  That user has participated as a team member in numerous projects, added documents, been assigned tasks, typical project stuff...
  Employee quits.
  AD account is deleted. (NOT deactivated or moved into another OU)
  Time passes...
  Employee gets rehired.  NEW AD account is set up: same display name, SamAccountName, email address, different GUID of course.
  Daily Active Directory job runs again and throws event ID 7734 and the sync ends with a partial fail.
  I understand why this is happening.  Solutions I've found point me to deleting the Enterprise Object resource in Project Server and then rerunning the sync.  Sure, this works BUT won't all of the previous documents, tasks,
  etc. be disassociated from that user?  If so, this is not ideal.
  2 questions:
  Is there a better way to deal with the fixing of the resource in Project Server to somehow link the old resource to the new resource allowing the sync to run successfully while still leaving the association to all old content intact?
  How are other organizations dealing with rehires when they have been added as resources in Project Server?  What is the best practice guidance from Microsoft on this?  Are other companies not actually deleting AD accounts when users leave organizations
  or are they putting them into a "ARCHIVE" OU or something like that? This happens at least half a dozen times a year at my company. We would like to keep our AD as clean as possible, but this appears to change our approach.
  Any suggestion/guidance is appreciated.

  For the question to relink the new account to the account which is already available in Project Server. You will have to update the WRES_AD_GUID to Null for the the Resource in MSP_RESOURCES table in the published database.
  Whenever a users gets synchronized to the PWA his ADGUID, SAMAccountName, Display Name, Email Address and DepartmentName is Synchronized from AD to Project Server. When the user was deleted and recreated the ADGUID got changed. During the next sync, project
  found the user with similar properties but different ADGUID which was updated in WRES_AD_GUID column in MSP_RESOURCES table. Hence it says that there is a duplicate account in the table with the same properties but a different ADGUID
  Nullifying the WRES_AD_GUID column value in MSP_RESOURCES table should get the user synchronized to Project server in the next sync.
  Cheers! Happy troubleshooting !!! Dinesh S. Rai - MSFT Enterprise Project Management Please click Mark As Answer; if a post solves your problem or Vote As Helpful if a post has been useful to you. This can be beneficial to other community members reading
  the thread.

• Windows ... preventing activation, 0xc004d302, trusted data store ... rearmed

  Dear all
  We're using a Windows Server 2012 R2 (DC of a Domain) and WDS (Windows Deployment Services) to deploy a Windows 8.1 edition with a MAK (Multiple activation key).
  Deployment works by PXE booting and deploying the original install.wim (from the .iso) from the WDS Server.
  If we try to activate the deployed Windows on the client PC we experience the following:
  1. Activation in the GUI ends with error "Windows has detected a change to the system files that is preventing activation."
  2. Command line, slmgr /dli ends with "Error: 0xc004d302 on a Computer running Microsoft Windows non-core edition, run slui.exe 0x2a 0xc004d302 to display the error text"
  3. Command line slui.exe 0x2a 0xc004d302 ends with the error "The security processor has reported that the trusted data store was rearmed.
  Hence we cannot activate Windows.
  Our Windows copy and our licenses (MAK key) were purchased thru official channels.
  We urgently need this to work.
  Any help is much appreciated.
  Dominique, Zurich, Switzerland.

  Hello,
  Are we running slmgr /rearm?  You may see this error if slmgr /rearm was run and the machine was not rebooted after that and then activation queries or attempts were made.
  Also check the permissions on the \Crypto\RSA\MachineKeys
  cacls %systemdrive%\ProgramData\Microsoft\Crypto\RSA\MachineKeys
  post the results.
  Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.