Active Directory users not made member of Local Network group
Hi all,
I've just done a clean install from 10.6 Server to 10.8.4.
The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
The Setup:
In Groups in Server.app under Local Network Group I have created a group called "AccessServer"
Members in that group are:
- AD-Domain User Group (so should be all users in the domain)
- MacOS X "netaccounts" group (again, should capture all users that connect through the network; I've used this in the past on 10.6, very handy)
- AD User 1
- AD User 2
- AD User 3
The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
The Behaviour:
AD User 1 can access AFP and other services as expected.
AD User 2 and 3 cannot.
Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
Yet other users within AD-Domain User Group or netaccounts cannot
Furthermore:
If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group, I can still log in with that account!
Diagnosis:
I tried checking group membership with dseditgroup; the results match the behaviour, not the setup.
>dseditgroup -o checkmember -m ADUser1 accessserver
yes ADUser1 is a member of accessserver
>dseditgroup -o checkmember -m ADUser2 accessserver
no ADUser2 is NOT member of accessserver
>dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
yes ADDomainUser/netacc is a member of accessserver
>dseditgroup -o checkmember -m n accessserver
no ADUser2 is NOT member of accessserver
When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
I get the same results even after removing the user from the Groups screen!
Failed Solutions
- As we are a large AD I've tried specifying specific Active Directory servers that might better be able to find the users in question and authenticate.
- I've let the system just sit, in hopes delayed replication would solve the problem overnight.
- I've deleted and recreated the groups.
Upon further investigation we have discovered:
a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
b) This is NOT limited only to MacOS X Server 10.8. The same behaviour is occurring on a long-running 10.6 server as well.
c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually. If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
d) Which users are allowed and which are not is unclear and appears generally random. We have found 3 'classes' of users:
1 - those that are successfully becoming members every time.
2 - those that are intermittent members. Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
3 - those that are never successfully admitted as a member.
So the problem is both Apple's and Windows' in that:
Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
Windows: Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
Really hoping people have some ideas on this. This system of nested groups or individual user access is something we have of course been using for many years. So this is a major setback.
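The three classes of users described in point (d) can be picked out mechanically by repeating the dseditgroup checks and comparing runs. The script below is an added example, not part of the original post: it parses output in exactly the format quoted in the Diagnosis section (the yes/no lines printed by dseditgroup -o checkmember) and classifies each user/group pair as always, never or intermittently a member. The user names and the three constructed runs are made-up sample data.

```python
import re
from collections import defaultdict

# Constructed sample: output of repeated
#   dseditgroup -o checkmember -m <user> <group>
# runs, one line per check, in the format the post quotes.
# The three runs are assumed to be a few minutes apart.
SAMPLE_RUNS = [
    # run 1
    """yes ADUser1 is a member of accessserver
no ADUser2 is NOT member of accessserver
yes ADUser3 is a member of accessserver
no ADUser4 is NOT member of accessserver""",
    # run 2
    """yes ADUser1 is a member of accessserver
no ADUser2 is NOT member of accessserver
no ADUser3 is NOT member of accessserver
no ADUser4 is NOT member of accessserver""",
    # run 3
    """yes ADUser1 is a member of accessserver
no ADUser2 is NOT member of accessserver
yes ADUser3 is a member of accessserver
no ADUser4 is NOT member of accessserver""",
]

# "yes <user> is a member of <group>" / "no <user> is NOT member of <group>"
LINE_RE = re.compile(
    r"^(yes|no)\s+(\S+)\s+is\s+(?:a\s+member|NOT\s+member)\s+of\s+(\S+)$"
)


def parse_checkmember(output):
    """Parse one run's checkmember lines into {(user, group): bool}."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore prompts and anything that is not a verdict line
        verdict, user, group = m.groups()
        result[(user, group)] = (verdict == "yes")
    return result


def classify(runs):
    """Classify each (user, group) pair across all runs as
    'always', 'never' or 'intermittent' (the post's classes 1, 3 and 2)."""
    history = defaultdict(list)
    for output in runs:
        for key, is_member in parse_checkmember(output).items():
            history[key].append(is_member)
    classes = {}
    for key, votes in history.items():
        if all(votes):
            classes[key] = "always"
        elif not any(votes):
            classes[key] = "never"
        else:
            classes[key] = "intermittent"
    return classes


if __name__ == "__main__":
    for (user, group), cls in sorted(classify(SAMPLE_RUNS).items()):
        print(f"{user:12} {group:14} {cls}")
```

Feed each real run's output in as one string; an "intermittent" result is the class that points away from the group definition itself and toward the lookup path, so that is the case worth capturing together with which directory node answered each time.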
Similar Messages
-
Win7 PC w/ new Active Directory user not able to logon to Win 2K Domain
Hello Friends,
I'm having an issue where our Windows 2000 domain controller does not seem to be on speaking terms with a newly created user on a Windows 7 pro machine.
Here's what I know:
User & Computer are both in AD and work! I've logged in with the new user (Donna) on several machines and other users can log into the computer.
DNS appears to be configured properly on the Win7 workstation (pointed to DC)
DNS is running on the DC and doesn't appear to have any issues.
DCDIAG looks good, all passes except BASC, that failed.
Locally, I've added the domain account to the machine in the users control panel
Removing the account and the computer from the domain didn't work (I've also renamed the computer)
I thought about just renaming the current account that is working to the new user, however, I've always had issues after doing so.
Any thoughts?
Did you get any of these logs?
529
Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530
Logon failure. A logon attempt was made user account tried to log on outside of the allowed time.
531
Logon failure. A logon attempt was made using a disabled account.
532
Logon failure. A logon attempt was made using an expired account.
533
Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534
Logon failure. The user attempted to log on with a type that is not allowed.
535
Logon failure. The password for the specified account has expired.
536
Logon failure. The Net Logon service is not active.
537
Logon failure. The logon attempt failed for other reasons.
Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
Not able to open active directory user and computer in windows server 2008r2
Hi All techies,
I would like to know about one issue which I am facing mostly. I have created 5 virtual machines, all with Windows Server 2008 R2, and one Windows 7, on VMware. Now whenever I start my virtual machines everything goes right, but when I try to open Active Directory Users and Computers or Domains and Trusts I get the following error: "data from active directory user and computers is not available from dc(null) bcoz unspecified error". Even when I check the event log it gives me no help, and after 15-30 min everything works fine.
Please let me know the cause of it and really appreciate it .
Thanks
Atul
You need to ensure that
1. The group policy "wait for network before logon" is applied to all computers, including servers and workstations
2. DNS record exists for all DCs in DNS
3. If there are multiple Domain Controllers in Forests, then they point them as secondary DNS server. This way they will be able to resolve IPs if local DNS server service takes time to start.
As Chris mentioned, you need to start all DCs first, give a time of 5 minutes and then start member servers and workstations for successful logon.
- Sarvesh Goel - Enterprise Messaging Administrator -
Have an existing ex2010 sp3 organization.
Could not run ex2013cu1 setup from my newly built 2012 server, getting the error in the subject line. I used the command line to run the AD preparation steps successfully from my 2012 DC/GC, then tried to run setup again from the new 2012 server and
still get the same error. The error itself in the log is pretty useless:
[05/07/2013 01:19:13.0137] [0] **********************************************
[05/07/2013 01:19:13.0137] [0] Starting Microsoft Exchange Server 2013 Cumulative Update 1 Setup
[05/07/2013 01:19:13.0137] [0] **********************************************
[05/07/2013 01:19:13.0152] [0] Local time zone: (UTC-08:00) Pacific Time (US & Canada).
[05/07/2013 01:19:13.0152] [0] Operating system version: Microsoft Windows NT 6.2.9200.0.
[05/07/2013 01:19:13.0152] [0] Setup version: 15.0.620.29.
[05/07/2013 01:19:13.0152] [0] Logged on user: DOMAIN\ADMINISTRATOR.
[05/07/2013 01:19:13.0168] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
[05/07/2013 01:19:13.0168] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
[05/07/2013 01:19:13.0215] [0] Command Line Parameter Name='sourcedir', Value='\\h1\f$\junk\installers\server\Exchange\2013cu1'.
[05/07/2013 01:19:13.0215] [0] Command Line Parameter Name='mode', Value='Install'.
[05/07/2013 01:19:13.0215] [0] RuntimeAssembly was started with the following command: '/sourcedir:\\SERVER\f$\junk\installers\server\Exchange\2013cu1 /mode:Install'.
[05/07/2013 01:19:13.0215] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
[05/07/2013 01:19:13.0793] [0] Finished loading screen CheckForUpdatesPage.
[05/07/2013 01:19:38.0762] [0] Finished loading screen UpdatesDownloadsPage.
[05/07/2013 01:19:40.0496] [0] Starting file's copying...
[05/07/2013 01:19:40.0496] [0] Setup copy files from '\\SERVER\f$\junk\installers\server\Exchange\2013cu1\Setup\ServerRoles\Common' to 'C:\Windows\Temp\ExchangeSetup'
[05/07/2013 01:19:40.0700] [0] Finished loading screen CopyFilesPage.
[05/07/2013 01:19:40.0840] [0] Disk space required: 1292445007 bytes.
[05/07/2013 01:19:40.0840] [0] Disk space available: 23767240704 bytes.
[05/07/2013 01:19:59.0762] [0] File's copying finished.
[05/07/2013 01:19:59.0965] [0] Finished loading screen InitializingSetupPage.
[05/07/2013 01:20:02.0934] [0] Setup is choosing the domain controller to use
[05/07/2013 01:20:09.0325] [0] Setup is choosing a local domain controller...
[05/07/2013 01:20:11.0794] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. See the Exchange setup log for more information on this error.
[05/07/2013 01:20:11.0794] [0] [ERROR] Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
[05/07/2013 01:20:11.0809] [0] Setup will use the domain controller ''.
[05/07/2013 01:20:11.0809] [0] Setup will use the global catalog ''.
[05/07/2013 01:20:11.0825] [0] Exchange configuration container for the organization is 'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'.
[05/07/2013 01:20:11.0919] [0] Exchange organization container for the organization is 'CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'.
[05/07/2013 01:20:11.0966] [0] Setup will search for an Exchange Server object for the local machine with name 'WEX1'.
[05/07/2013 01:20:12.0028] [0] No Exchange Server with identity 'WEX1' was found.
[05/07/2013 01:20:12.0044] [0] The following roles have been unpacked:
[05/07/2013 01:20:12.0044] [0] The following datacenter roles are unpacked:
[05/07/2013 01:20:12.0044] [0] The following roles are installed:
[05/07/2013 01:20:12.0059] [0] The local server does not have any Exchange files installed.
[05/07/2013 01:20:12.0075] [0] Server Name=WEX1
[05/07/2013 01:20:12.0137] [0] Setup will use the path '\\SERVER\f$\junk\installers\server\Exchange\2013cu1' for installing Exchange.
[05/07/2013 01:20:12.0137] [0] The installation mode is set to: 'Install'.
[05/07/2013 01:20:27.0591] [0] An Exchange organization with name 'DOMAIN' was found in this forest.
[05/07/2013 01:20:27.0591] [0] Active Directory Initialization status : 'False'.
[05/07/2013 01:20:27.0591] [0] Schema Update Required Status : 'False'.
[05/07/2013 01:20:27.0591] [0] Organization Configuration Update Required Status : 'False'.
[05/07/2013 01:20:27.0591] [0] Domain Configuration Update Required Status : 'False'.
[05/07/2013 01:20:27.0841] [0] Applying default role selection state
[05/07/2013 01:20:27.0872] [0] Setup is determining what organization-level operations to perform.
[05/07/2013 01:20:27.0872] [0] Because the value was specified, setup is setting the argument OrganizationName to the value DOMAIN.
[05/07/2013 01:20:27.0872] [0] Setup will run from path 'C:\Windows\Temp\ExchangeSetup'.
[05/07/2013 01:20:27.0888] [0] InstallModeDataHandler has 0 DataHandlers
[05/07/2013 01:20:27.0888] [0] RootDataHandler has 1 DataHandlers
[05/07/2013 01:20:27.0903] [0] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. See the Exchange setup log for more information on this error.
[05/07/2013 01:20:27.0935] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. See the Exchange setup log for more information on this error.
[05/07/2013 01:21:04.0154] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
[05/07/2013 01:21:04.0154] [0] End of Setup
[05/07/2013 01:21:04.0154] [0] **********************************************
Hi,
The cause is clearly described in the log:
[05/07/2013 01:20:11.0794] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. See the Exchange setup log for more information on this error.
[05/07/2013 01:20:11.0794] [0] [ERROR] Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
I'd suggest you check NIC settings and AD configuration.
Hope it is helpful.
Fiona Liao
TechNet Community Support -
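The "Could not find information about the local site" error comes from a server whose IP address falls in no subnet defined under Sites and Services, so no site (and therefore no site-local DC or global catalog) can be chosen. The script below is an added example, not code from the thread or from Exchange setup: it reproduces that lookup in the simplest form, longest-prefix match of an address against a subnet-to-site table, and reports the no-site case. The subnets, site names and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample of the Sites and Services subnet list:
# subnet prefix -> site name. Placeholder data, not from the post.
SITE_SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "HQ-ServerVLAN",   # more specific subnet inside HQ
    "10.2.0.0/16": "Branch",
}


def resolve_site(ip, site_subnets=SITE_SUBNETS):
    """Return the site whose most specific defined subnet contains ip,
    or None when no subnet covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None  # (network, site) with the longest prefix seen so far
    for prefix, site in site_subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def check_server_site(ip, site_subnets=SITE_SUBNETS):
    """Site check in the spirit of the setup log above: an address that is
    in no defined subnet has no local site, which is a configuration error
    to fix before retrying (the other cause named in the log, replication
    latency, cannot be told apart from a table like this)."""
    site = resolve_site(ip, site_subnets)
    if site is None:
        return {"ip": ip, "site": None, "ok": False,
                "reason": "no AD subnet covers this address; "
                          "add it under Sites and Services"}
    return {"ip": ip, "site": site, "ok": True, "reason": ""}


if __name__ == "__main__":
    for ip in ("10.1.50.7", "10.1.3.4", "192.168.1.10"):
        print(check_server_site(ip))
```

On the server itself, `nltest /dsgetsite` prints the site the Netlogon service resolved for the machine; an error there points at the same missing-subnet condition this example models.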
"Domain Users" group in Active Directory does not belong to any Group Membership in LC
Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
Any way to correct this issue, without changing group membership on AD side?
If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
Thanks.
If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
Coming back to the Domain Users group. For determining group membership in AD, UM uses the "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users, and normally members of the primary group are not specified using the member attribute. So when we sync the data from AD, "Domain Users" membership does not get completed. -
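The answer above describes why a sync that reads only the "member" attribute misses Domain Users: primary-group membership lives in the user's primaryGroupID attribute (a RID; 513 is the well-known RID of Domain Users), not in the group's member list. The script below is an added example, not the product's code: it computes membership both ways over a constructed directory snapshot, and adds the audit a defender wants from the same data, a list of accounts whose primary group is something other than Domain Users, since such memberships are invisible to member-only tooling. The DNs, RIDs other than 512/513, and account names are made up.

```python
# Well-known RIDs (the RID is the last component of a group's SID).
DOMAIN_ADMINS_RID = 512
DOMAIN_USERS_RID = 513

# Constructed directory snapshot (placeholder domain example.test).
# A group's "member" attribute lists DNs; a user's primaryGroupID holds the
# RID of the primary group, which does not appear in that group's member list.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=test":
        {"rid": DOMAIN_USERS_RID, "member": []},
    "CN=Domain Admins,CN=Users,DC=example,DC=test":
        {"rid": DOMAIN_ADMINS_RID,
         "member": ["CN=Alice,CN=Users,DC=example,DC=test"]},
    "CN=Finance,OU=Groups,DC=example,DC=test":
        {"rid": 1105, "member": ["CN=Bob,CN=Users,DC=example,DC=test"]},
}
USERS = {
    "CN=Alice,CN=Users,DC=example,DC=test": {"primaryGroupID": DOMAIN_USERS_RID},
    "CN=Bob,CN=Users,DC=example,DC=test": {"primaryGroupID": DOMAIN_USERS_RID},
    # Primary group changed away from Domain Users: not in any member list.
    "CN=svc-backup,CN=Users,DC=example,DC=test": {"primaryGroupID": DOMAIN_ADMINS_RID},
}


def member_attribute_groups(user_dn, groups=GROUPS):
    """What a sync that reads only 'member' sees for this user."""
    return sorted(dn for dn, g in groups.items() if user_dn in g["member"])


def effective_groups(user_dn, users=USERS, groups=GROUPS):
    """'member' plus the primary group resolved through primaryGroupID."""
    found = set(member_attribute_groups(user_dn, groups))
    rid = users[user_dn]["primaryGroupID"]
    found.update(dn for dn, g in groups.items() if g["rid"] == rid)
    return sorted(found)


def nondefault_primary_groups(users=USERS, groups=GROUPS):
    """Audit: accounts whose primary group is not Domain Users, with the
    group that membership grants. Worth reviewing, because member-only
    tooling will not report these memberships at all."""
    rid_to_dn = {g["rid"]: dn for dn, g in groups.items()}
    return sorted(
        (user_dn, rid_to_dn.get(attrs["primaryGroupID"], "<unknown RID>"))
        for user_dn, attrs in users.items()
        if attrs["primaryGroupID"] != DOMAIN_USERS_RID
    )


if __name__ == "__main__":
    for u in USERS:
        print(u, "member-only:", member_attribute_groups(u))
        print(u, "effective:  ", effective_groups(u))
    print("non-default primary groups:", nondefault_primary_groups())
```

The membership-via-primaryGroupID rule is standard AD behaviour; the LDAP filter to find the audit cases for real is `(&(objectClass=user)(!(primaryGroupID=513)))`.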
Active Directory User which can Create a User but not Allowed to Enable Disabled Users
Hi Guys, we have a requirement to create a User Group in Active Directory which will grant its members permission to 'Create Users' but not be allowed to 'Enable' 'Disabled Users'.
We have tried delegating control and assigning permissions by going to 'Security Tab>Advanced'.
It seems like when a group is granted permission to create users, it will also be allowed to enable, disabled users.
Kindly advise if it is possible to create a user group with permissions to 'Create Users' but not be allowed to 'Enable', 'Disabled Users'.
Hi,
According to my experience, you can assign permission to create/delete user objects. If you want to disable/enable a user, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.
In general, if you just give a user group the permission to create user objects, it cannot disable or enable user accounts. Please make sure that the permission you assigned is correct and the user group is not a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory.
Best regards,
Susie -
Active directory users and computers wont start on a dc, "the server is not operational"
In our environment, we have 3 dc's
two which run server 2008 (they work perfectly)
and one never off branch dc that runs server 2008 r2.
We have been having some problems where we feel the replication isn't up to speed (stuff could take up to 24 hours to replicate), and now when I tried opening Active Directory Users and Computers I am met with this error window:
We have a third party DNS solution.
How do I troubleshoot this issue?
dc01 (which replicates perfectly with dc02, and vice versa)
dcdiag /test:dns
C:\Users\adminuser>dcdiag /test:dns
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Hostingpartner\ourdc01
Starting test: Connectivity
......................... ourDC01 passed test Connectivity
Doing primary tests
Testing server: Hostingpartner\ourdc01
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : int
Running enterprise tests on : int.domain.com
Starting test: DNS
Test results for domain controllers:
DC: ourdc01.int.domain.com
Domain: int.domain.com
TEST: Delegations (Del)
Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
Summary of test results for DNS servers used by the above domain controllers:
DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
2 test failures on this DNS server
Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: int.domain.com
ourdc01 PASS PASS PASS FAIL n/a PASS n/a
......................... int.domain.com failed test DNS
dcdiag on dc01(which can replicate with dc02)
C:\Users\adminuser>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: hostingpartner\ourdc01
Starting test: Connectivity
......................... OURDC01 passed test Connectivity
Doing primary tests
Testing server: hostingpartner\ourdc01
Starting test: Replications
[Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
Win32 Error 8453.
......................... OURDC01 failed test Replications
Starting test: NCSecDesc
......................... OURDC01 passed test NCSecDesc
Starting test: NetLogons
[OURDC01] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... OURDC01 failed test NetLogons
Starting test: Advertising
......................... OURDC01 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... OURDC01 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... OURDC01 passed test RidManager
Starting test: MachineAccount
......................... OURDC01 passed test MachineAccount
Starting test: Services
......................... OURDC01 passed test Services
Starting test: ObjectsReplicated
......................... OURDC01 passed test ObjectsReplicated
Starting test: frssysvol
......................... OURDC01 passed test frssysvol
Starting test: frsevent
......................... OURDC01 passed test frsevent
Starting test: kccevent
......................... OURDC01 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:04:29
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:04:50
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:10:56
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:11:17
(Event String could not be retrieved)
......................... OURDC01 failed test systemlog
Starting test: VerifyReferences
......................... OURDC01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : int
Starting test: CrossRefValidation
......................... int passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... int passed test CheckSDRefDom
Running enterprise tests on : int.domain.com
Starting test: Intersite
......................... int.domain.com passed test Intersite
Starting test: FsmoCheck
......................... int.domain.com passed test FsmoCheck
The problematic dc03:
Dcdiag gives the same output as dcdiag /test:dns
C:\Users\adminuser>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = OURDC03
Ldap search capabality attribute search failed on server NTSDC03, return value = 81
We have an infoblox dns server on ip address xxx.y.y.251.
first error in event logs on dc03:
error 1863
This is the replication status for the following directory partition on this directory server.
Directory partition:
CN=Configuration,DC=int,DC=domain,DC=com
This directory server has not received replication information from a number of directory servers within the configured latency interval.
Latency Interval (Hours):
24
Number of directory servers in all sites:
2
Number of directory servers in this site:
2
The latency interval can be modified with the following registry key.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
I have also got several warnings: 2088, 2093, 2087.
And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones -
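Two things in the dcdiag output above are easy to misread: the "EventID: 0xC0002719" lines are raw 32-bit event codes whose low 16 bits are the Event ID shown in Event Viewer (0x2719 is 10009) and whose top two bits are the severity, and the pass/fail lines are scattered through a long transcript. The script below is an added example, not part of the thread: it parses a constructed excerpt shaped like the dcdiag output quoted above, lists the failed tests, decodes the event codes and collects the Win32 error numbers so the run can be triaged from a file. The excerpt is sample data assembled for this example.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the dcdiag output quoted in the post.
SAMPLE_DCDIAG = """\
   Starting test: Replications
      [Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
      Win32 Error 8453.
      ......................... OURDC01 failed test Replications
   Starting test: NCSecDesc
      ......................... OURDC01 passed test NCSecDesc
   Starting test: systemlog
      An Error Event occured.  EventID: 0xC0002719
         Time Generated: 04/04/2013   15:04:29
         (Event String could not be retrieved)
      An Error Event occured.  EventID: 0xC0002719
         Time Generated: 04/04/2013   15:04:50
         (Event String could not be retrieved)
      ......................... OURDC01 failed test systemlog
   Starting test: FsmoCheck
      ......................... int.domain.com passed test FsmoCheck
"""

RESULT_RE = re.compile(r"\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
EVENT_RE = re.compile(r"EventID:\s+0x([0-9A-Fa-f]{8})")
WIN32_RE = re.compile(r"Win32 Error (\d+)")


def parse_results(text):
    """Return {(target, test): 'passed' | 'failed'} from the dotted result lines."""
    return {(m.group(1), m.group(3)): m.group(2) for m in RESULT_RE.finditer(text)}


def failed_tests(text):
    return sorted(k for k, v in parse_results(text).items() if v == "failed")


def decode_event_id(code):
    """Split a raw 32-bit event code: bits 31-30 are the severity,
    bits 15-0 are the Event ID that Event Viewer displays."""
    severity = {0: "success", 1: "informational",
                2: "warning", 3: "error"}[(code >> 30) & 0x3]
    return {"event_id": code & 0xFFFF, "severity": severity}


def event_summary(text):
    """Count (event_id, severity) pairs found in the systemlog section."""
    counts = Counter()
    for m in EVENT_RE.finditer(text):
        d = decode_event_id(int(m.group(1), 16))
        counts[(d["event_id"], d["severity"])] += 1
    return dict(counts)


def win32_errors(text):
    """Distinct Win32 error numbers reported by failing tests."""
    return sorted({int(m.group(1)) for m in WIN32_RE.finditer(text)})


if __name__ == "__main__":
    print("failed:", failed_tests(SAMPLE_DCDIAG))
    print("events:", event_summary(SAMPLE_DCDIAG))
    print("win32 :", win32_errors(SAMPLE_DCDIAG))
```

Decoded, the quoted run says: Replications failed with Win32 error 8453 (replication access was denied, a permissions problem on the replication links rather than a transport one) and the system log holds repeated error-severity event 10009, which is a DCOM communication error; both are consistent with the NetLogons test also complaining about the credentials used for the run.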
Active Directory Users and Computer not displaying column data?
I am running Windows 8.1 Enterprise with RSAT installed. My Domain controllers are Server 2008 R2.
I am having an issue with Active Directory Users and Computers. Typically I will turn on Advanced Features and then add columns for Email address and Display Name. This for example allows me to easily export lists of users and their email addresses, among other things.
The issue is that on my Windows 8.1 client, the columns for Email and Display Name are empty. It simply will not display this information. It only displays Name, Type and Description.
If I use a Windows 7 client, the information displays correctly.
Has anyone run into this issue or heard of this problem when using ADUC on Windows 8.1?
ADUC is an AD tool that is no longer being improved, with Microsoft now focusing on ADAC (Administrative Center). In 8.1, it has improved quite a bit since 7. You can also just try using the ActiveDirectory PowerShell Module, which is easy to use and fairly powerful. It can be simple to export lists, and the module for AD is included with RSAT tools.
Example:
Import-Module ActiveDirectory
Get-ADUser -Filter {Manager -eq "John.Smith"} -Properties DisplayName,Mail | Export-Csv dump.csv -NoTypeInformation
So, recommendation: either use ADAC, or PowerShell -- ADUC is part of the wave of deprecation. -
I am new to Orchestrator. I am using Orchestrator 2012 R2 on a Hyper-V running Server 2008. I have been trying to set up a Runbook to sweep AD for user accounts that have not logged in for 90 days and have those accounts automatically disabled and moved to another OU. However, I would be happy just to have the account just be disabled. If you need any more info or I have posted in the wrong forum, please let me know.
Thanks
Hi,
there is no SCO Activity to do this.
Problem with this is, the LastLogedOn Times are not synced between DomainControllers.
Best will be you take a look at this PowerShell Script
http://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
and change it to your needs
Seidl Michael | http://www.techguy.at |
twitter.com/techguyat | facebook.com/techguyat -
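The caveat in the answer above is the part that bites: lastLogon is updated only on the DC that handled the logon and is never replicated, so a 90-day sweep that reads one DC will disable accounts that are in daily use elsewhere. The script below is an added example, not the linked gallery script and not an Orchestrator activity: it converts the FILETIME values AD stores (100-nanosecond ticks since 1601-01-01 UTC, 0 meaning never), takes the newest value across every DC, and compares the single-DC result with the correct one on constructed sample data. DC names, user names and the fixed "now" are placeholders.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2013, 9, 1, tzinfo=timezone.utc)   # fixed so the sample is reproducible
STALE_AFTER = timedelta(days=90)


def filetime_to_datetime(ft):
    """AD FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; 0 means never."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # integer division of timedeltas keeps full precision (no float rounding)
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


# Constructed sample: lastLogon as read from each DC separately, because
# the attribute is not replicated. Values are FILETIMEs.
DC_LASTLOGON = {
    "DC01": {"alice": datetime_to_filetime(NOW - timedelta(days=120)),
             "bob":   datetime_to_filetime(NOW - timedelta(days=5)),
             "carol": 0},
    "DC02": {"alice": datetime_to_filetime(NOW - timedelta(days=10)),  # alice logs on here
             "bob":   0,
             "carol": 0},
}


def latest_logon(user, per_dc):
    """Newest lastLogon for the user across all DCs (None if never)."""
    return filetime_to_datetime(max(per_dc[dc].get(user, 0) for dc in per_dc))


def stale_accounts(per_dc, now=NOW, stale_after=STALE_AFTER):
    """Accounts whose newest logon on any DC is older than the threshold."""
    users = sorted({u for values in per_dc.values() for u in values})
    stale = []
    for u in users:
        last = latest_logon(u, per_dc)
        if last is None or now - last > stale_after:
            stale.append(u)
    return stale


def stale_if_single_dc(dc_name, per_dc, now=NOW, stale_after=STALE_AFTER):
    """The mistake the answer warns about: judging from one DC's view only."""
    return stale_accounts({dc_name: per_dc[dc_name]}, now, stale_after)


if __name__ == "__main__":
    print("all DCs :", stale_accounts(DC_LASTLOGON))
    print("DC01 only:", stale_if_single_dc("DC01", DC_LASTLOGON))
```

Two refinements before acting on the list: an account that has never logged on (the "carol" case) should be judged against its creation date rather than disabled outright, and the replicated lastLogonTimestamp attribute is a usable single-query alternative only if the sweep tolerates its update lag of up to 14 days.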
Can not open Active Directory Users and Computers
Problem Reported:
Out of the blue this has started happening:
When I go to "Active Directory Users and Computers" I get this message.
"MMC cannot open the file C:\WINDOWS\system32\dsa.msc.
This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.
Additional information:
This is a server that has been in use for 2+ years with active directory users that can and do login everyday.
As far as I know the system has no backup.
dsa.msc IS located in the system32 folder
I am using the administrator account.
OS:
Microsoft Windows Server 2003 R2
Standard x64 Edition
Service Pack 2
Please help with detail. Thank you.
Have you tried to uninstall the ADUC administrative tool and re-install it again? If not, please give it a try.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
How to import your MS Active Directory users in an Oracle table
Hello,
I first tried to get a Heterogenous Connection to my MS Active Directory to get information on my Active Directory users.
This doesn't work so I used an alternative solution:
How to import your MS Active Directory users in an Oracle table
- a Visual Basic script for export from Active Directory
- a table in my database
- a SQL*Loader Control-file
- a command-file to start the SQL*Loader
Now I can schedule the vbs-script and the command-file to get my information into an Oracle table. This works fine for me.
Just to share my scripts:
I made a Visual Basic script to make an export from my Active Directory to a CSV-file.
'Export_ActiveDir_users.vbs 26-10-2006
'Script to export info from MS Active Directory to a CSV-file
' Accountname, employeeid, Name, Function, Department etc.
' Richard de Boer - Wetterskip Fryslan, the Netherlands
' samaccountname Logon Name / Account
' employeeid Employee ID
' name name
' displayname Display Name / Full Name
' sn Last Name
' description Description / Function
' department Department / Organisation
' physicaldeliveryofficename Office Location Wetterskip Fryslan
' streetaddress Street Address Harlingerstraatweg 113
' l City / Location Leeuwarden
' mail E-mail address
' wwwhomepage Web Page Address
' distinguishedName Full unique name with cn, ou's, dc's
'Global variables
Dim oContainer
Dim OutPutFile
Dim FileSystem
'Initialize global variables
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set OutPutFile = FileSystem.CreateTextFile("ActiveDir_users.csv", True)
Set oContainer=GetObject("LDAP://OU=WFgebruikers,DC=Wetterskip,DC=Fryslan,DC=Local")
'Enumerate Container
EnumerateUsers oContainer
'Clean up
OutPutFile.Close
Set FileSystem = Nothing
Set oContainer = Nothing
WScript.Echo "Finished"
WScript.Quit(0)
Sub EnumerateUsers(oCont)
Dim oUser
For Each oUser In oCont
Select Case LCase(oUser.Class)
Case "user"
If Not IsEmpty(oUser.distinguishedName) Then
OutPutFile.WriteLine _
oUser.samaccountname & ";" & _
oUser.employeeid & ";" & _
oUser.Get ("name") & ";" & _
oUser.displayname & ";" & _
oUser.sn & ";" & _
oUser.description & ";" & _
oUser.department & ";" & _
oUser.physicaldeliveryofficename & ";" & _
oUser.streetaddress & ";" & _
oUser.l & ";" & _
oUser.mail & ";" & _
oUser.wwwhomepage & ";" & _
oUser.distinguishedName & ";"
End If
Case "organizationalunit", "container"
EnumerateUsers oUser
End Select
Next
End Sub
This gives output like this:
rdeboer;2988;Richard de Boer;Richard de Boer;de Boer;Database Administrator;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Richard de Boer,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;
tbronkhorst;201;Tjitske Bronkhorst;Tjitske Bronkhorst;Bronkhorst;Configuratiebeheerder;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Tjitske Bronkhorst,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;
I made a table in my Oracle database:
CREATE TABLE PG4WF.ACTD_USERS (
samaccountname VARCHAR2(64)
, employeeid VARCHAR2(16)
, name VARCHAR2(64)
, displayname VARCHAR2(64)
, sn VARCHAR2(64)
, description VARCHAR2(100)
, department VARCHAR2(64)
, physicaldeliveryofficename VARCHAR2(64)
, streetaddress VARCHAR2(128)
, l VARCHAR2(64)
, mail VARCHAR2(100)
, wwwhomepage VARCHAR2(128)
, distinguishedName VARCHAR2(256)
)
I made a SQL*Loader control file:
LOAD DATA
INFILE 'ActiveDir_users.csv'
BADFILE 'ActiveDir_users.bad'
DISCARDFILE 'ActiveDir_users.dsc'
TRUNCATE
INTO TABLE PG4WF.ACTD_USERS
FIELDS TERMINATED BY ';'
( samaccountname
, employeeid
, name
, displayname
, sn
, description
, department
, physicaldeliveryofficename
, streetaddress
, l
, mail
, wwwhomepage
, distinguishedName
)
I made a cmd-file to start SQL*Loader:
: Import the Active Directory users in Oracle by SQL*Loader
D:\Oracle\ora92\bin\sqlldr userid=pg4wf/<password>@<database> control=sqlldr_ActiveDir_users.ctl log=sqlldr_ActiveDir_users.log
I used this for a good list of active directory fields:
http://www.kouti.com/tables/userattributes.htm
Greetings,
Richard de Boer
I have a table with about 50,000 records in my Oracle database and there is a date column which shows the date that each record got inserted into the table, for example 04-Aug-13.
Is there any way that I can find out what time each record has been inserted?
For example: 04-Aug-13 4:20:00 PM. (For my existing records not future ones)
First you need to clarify what you mean by 'the date that each record get inserted'. A row is not permanent and visible to other sessions until it has been COMMITTED, and that commit may happen seconds, minutes, hours or even days AFTER a user actually creates the row and puts a date in your 'date column'.
Second - your date column, and ALL date columns, includes a time component. So just query your date column for the time.
The only way that time value will be incorrect is if you did something silly like TRUNC(myDate) when you inserted the value. That would use a time component of 00:00:00 and destroy the actual time. -
Can OS X 10.9 Authenticate An Active Directory User From A Different Trusted Forest
I am able to authenticate with an AD account from a different trusted domain in the same forest as the domain the client is bound to on OS X 10.9. An AD account from a trusted domain in a separate forest cannot authenticate on the same client. The same AD account from the same external trusted domain in the same external forest can authenticate to a Windows 7 client bound to the same domain as the Mac client. It seems that OS X is incapable of cross forest authentication. It seems as though the directory services search path only includes the forest of the domain the client is bound to. Windows clients seem to be able to handle the referral process to a different forest, but a Mac client does not. Am I correct in this assumption? Has anyone accomplished cross forest authentication on an OS X client? If so, how? If not, what is the reason this can't be done?
Well, I’ve made some encouraging progress.
I’ve managed to log on!
I deleted /var/db/.AppleSetupDone while booted into the recovery volume. I then created a new local admin user and, after a much longer than usual delay, got through the account creation stuff and arrived at last in the Finder, which was sluggish as heck.
Checked user accounts, and according to system prefs they’re all there. Fired up Activity monitor and found that opendirectoryd was consuming 365%-405% CPU.
I unbound the system from our Active Directory domain, not really expecting it to work but it did. cpu load dropped to nothing.
I rebooted, was able to log in as the original local admin user (woohoo! Progress!)
Re-bound it to AD and boom CPU shot right back up.
I unbound it again and am currently backing up the drive with CCC (conversation with professor yesterday “Time Machine? What’s Time Machine?”)
If CCC dies, I’ll run DW on the original, but I’m now pretty sure my issue is a borked opendirectory database.
Plan going forward:
I’ll nuke&pave the iMac, restore the apps, but NOT users and computer settings from the CCC during the re-install, create a new local admin, re-bind to AD see what happens.
If it doesn’t go nutz again, I’ll have him log on so it creates the local directory, copy over his original user directory from the backup drive, make it his actual home on the disk again and in theory he should be ok.
It’s amazing how often just laying my problem out in public makes my brain think of new things to try :-)
I don't know if this is directly applicable to an OpenDirectory-bound system rather than Active Directory, but it might work for you. -
10.7.4 Web Access for Active Directory Users
Does anyone know how to permanently set the AuthType in Web Services to Basic?
The reason I ask is I have a web site I want to protect and allow Active Directory users access to it.
I have added the users to a local group, added the group to the Who Can Access option.
Local users can log in but not Active Directory. If I edit the conf file for the site in /etc/apache2/sites and change the AuthType from Digest to Basic, it works fine until I change something in the Server app; then the conf file gets rewritten.
Dan
I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
[2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
[2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
Not feeling the Mac OS X love tonight.
Bill
System is bound to active directory - green light in Directory Utility -
We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory. We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides. In 10.6, this worked beautifully. Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch. In 10.8 server, this is not working. Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share. When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password. Please try again." On a 10.7 client, the window shakes.
What confuses me even more is that no local users can mount the share either. When I try as our admin account, I receive the following error message on our 10.6 clients:
Actually, as I was formulating this post, logging in as the server administrator account is now working...???!!!
This was the error message we were receiving on 10.7 clients before it magically started working:
In any case, authenticating as an AD user is still no go. Any ideas?
I had something similar to this. In the name field put in DOMAIN\username rather than just the name.
-
Best practice for Active Directory User Templates regarding Distribution Lists
Hello All
I am looking to implement Active Directory User templates for each department in the company to make the process of creating user accounts for new employees easier. Currently when a user is created a current user's Active Directory account is copied, but this has led to problems with new employees being added to groups which they should not be a part of.
I have attempted to implement this in the past but ran into an issue regarding Distribution Lists. I would like to set up template users with all group memberships that are needed for the department, including distribution lists. Previously I set this up but received complaints from users who would send e-mail to distribution lists the template accounts were members of.
When sending an e-mail to the distribution list with a member template user, users received an error because the template account does not have an e-mail address.
What is the best practice regarding template user accounts as it pertains to distribution lists? It seems like I will have to create a mailbox for each template user but I can't help but feel there is a better way to avoid this problem. If a mailbox is created for each template user, it will prevent the error messages users were receiving, but messages will simply build up in these mailboxes. I could set a rule for each one that deletes messages, but again I feel like there is a better way which I haven't thought of.
Has anyone come up with a better method of doing this?
Thank you
You can just add an arbitrary e-mail address (not a mailbox) to all your templates and it should solve the problem with errors when sending e-mails to distribution lists.
If you want to further simplify your user creation process you can have a look at Adaxes (consider it's a third-party app). If you want to use templates, it gives you a slightly better way to do that (http://www.adaxes.com/tutorials_WebInterfaceCustomization_AllowUsingTemplatesForUserCreation.htm) and it also can automatically perform tasks such as mailbox creation for newly created users (http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomateExchangeMailboxesCreationForNewUsers.htm).
Alternatively you can abandon templates altogether and use customizable condition-based rules to automatically perform all the needed tasks on user creation such as OU allocation, group membership assignment, mailbox creation, home folder creation, etc. based on the factors you predefine for them.