AD group nesting in OD groups failing

So here is my setup. Lab with 10.5.4 clients. Xserve running 10.5.4. All users in AD. Xserve and clients bound to OD and AD. On clients AD is first in auth order. AD auth works fine.
What works: I can control access to OD computer groups via login | access preferences for that user group and adding an AD group to that listing. That works fine, but isn't what I need since it doesn't allow me to manage user group preferences, only computer group preferences. In my case I need to have three different levels of user groups each with varying levels of managed preferences.
So on to what doesn't work. I am able to add the AD user group to an OD user group via the WGM, but if I add that OD user group to the OD computer group via the same login | access under the preferences for that computer group login fails on the client. Boo-hiss.
Is there an incantation I am forgetting here?
Cheers,
Sean

If you look at the user in Workgroup Manager, shouldn't you be able to see which groups (AD and OD) they're in when you click on the "Groups" tab? That's how I can look them up.

Similar Messages

  • Shared Services Mixed Native-MSAD group nesting

    Is anyone doing this?
    I am trying to make an MSAD group a member of a native group using Shared Services, and after adding the MSAD group, the console errors out for the group I just made whenever I try to view the group members. This is repeatable and happens before I have even provisioned the parent group when I am trying to view the group members.
    When I nest a native group inside another native group, it works fine.
    In the SharedServices_Security.log found in Oracle/Middleware/user_projects/domains/EPMSystem/servers/FoundationServices0/logs
    I see the following stack trace:
    [2010-12-14T09:09:22.156-06:00] [FoundationServices0] [ERROR] [EPMCSS-7019] [oracle.EPMCSS.CSS] [tid: 7] [userId: <anonymous>] [ecid: 0000In_RR_eDKeoLwUg8yW1D1Yoh00001G,0] [APP: SHAREDSERVICES#11.1.2.0] [SRC_METHOD: execute:129] [SRC_CLASS: com.hyperion.css.web.action.CSSStatefulAction] Failed to process the request.
    [2010-12-14T09:16:16.365-06:00] [FoundationServices0] [NOTIFICATION] [EPMCSS-17306] [oracle.EPMCSS.CSS] [tid: 7] [userId: <anonymous>] [ecid: 0000In_T0hhDKeoLwUg8yW1D1Yoh00001J,0] [APP: SHAREDSERVICES#11.1.2.0] [SRC_METHOD: ] [SRC_CLASS: ] [arg: native://nvid=af1814bfd20d7272:58ecdd0:12ce020823f:-7f66?GROUP] x
    [2010-12-14T09:16:17.473-06:00] [FoundationServices0] [ERROR] [EPMCSS-37000] [oracle.EPMCSS.CSS] [tid: 8] [userId: <anonymous>] [ecid: 0000In_T0z1DKeoLwUg8yW1D1Yoh00001K,0] [APP: SHAREDSERVICES#11.1.2.0] [SRC_METHOD: execute:128] [SRC_CLASS: com.hyperion.css.web.action.CSSStatefulAction] Error while processing the request.[[
    java.lang.NullPointerException
    at com.hyperion.css.web.util.DTOFactory.createGroupDTO(DTOFactory.java:49)
    at com.hyperion.css.web.util.DTOFactory.createGroupDTOEscDoubleQuote(DTOFactory.java:75)
    at com.hyperion.css.web.action.EditGroupAssignGroupsFormAction.executeAction(EditGroupAssignGroupsFormAction.java:109)
    at com.hyperion.css.web.action.CSSStatefulAction.execute(CSSStatefulAction.java:119)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:421)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:226)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1164)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:415)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3594)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    I think it's a bug and have opened an SR with Oracle, but I'm curious what others out there are doing.
    Edited by: Javanator on Dec 14, 2010 10:25 AM

    Hi Dear
    Is this issue resolved? I too get a similar error in the log file. Please let me know if it is resolved for you.

  • Nested AD User Groups in Workgroup Manager not working in Mavericks

    The setup is the traditional Golden Triangle, so Active Directory for users and groups, Open Directory for Managed Preferences. Both Apple clients and server are running 10.9.0
    While I can successfully manage the Macs via OD computer groups, the OD user groups with nested AD groups no longer appear to work. If I nest an AD user it works fine, but not the AD users group.
    This is a new AD and new OD, no migrations. This is a setup I've done countless times over the years, but since Mavericks has been introduced, I can no longer make this work.
    Any help would be greatly appreciated.
    Thanks,
    Alex Price

    Hello
    I have been having the same problem: when adding an AD group to an OD group the users in the AD group are not managed, but if I add the user to the OD group it works fine (with about 5000 active users this is not an option). This has been a problem with 10.9 and has not been fixed with 10.9.1; I assume we need an update to Workgroup Manager?
    Mavericks server is useless at the moment. I can't upgrade the clients to Mavericks if I can't manage them. Are Apple just trying to make my job more difficult than it needs to be? I was happy that they provided Workgroup Manager for Mavericks because Profile Manager is simply not an option, but it would be good if it worked properly. It's not a small problem, so you would think Apple would make it a priority.

  • Cluster group on node B (app1) failed to start after applied win2003 SP2

    Hi,
    I followed Microsoft kb174799 to apply SP2 on both ms-cluster nodes, namely DB/APP1. The SAP-R/3 cluster group on node B (APP1) failed to start after I did step 13.
    Thanks & Regards,
    Kelvin

    Hello,
    Did you follow the procedures from note 985137 to apply the SP2
    Please check procedure in this note.
    985137    Service Pack Installation for SQL Server 2005
    regards,
    John Feely

  • "Group Policy Registry" (CSE) is failing with EventID 7016

    Hi,
    I'm stuck at troubleshooting the group policy processing on a W2k8 R2 Terminal Server. On this machine the CSE Group Policy Registry Component is failing with ErrorCode 11. (I'm sorry but the editor does not allow me to insert xml yet)
    I was not able to find any source in technet or msdn regarding Group Policy Registry ErrorCode 11 nor able to get any further debugging operable, that gives me more hands-on-details on this problem. Furthermore I was not able to determine the GPO causing
    the CSE failing, neither with RSOP nor Eventlogs.... With the group policy modeling wizard i just get "GP Registry failed" listed in Component State Overview with the subtle message "An attempt was made to load a file with an incorrect format."
    How can i get to the bottom of this?

    Hi,
    As far as I know, Event ID 7016 can be caused by the fact that there is issue with the gpprefcl.dll build installed on the client machines.
    To fix the issue, we can try applying the following hotfix to update the build of gpprefcl.dll.
    Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2 may stop responding at the Welcome screen after you enter the user credentials to log on to the computer
    http://support.microsoft.com/kb/2526870/en-us
    In addition, the following hotfix can also be worth taking a look.
    Some Group Policy preferences are not applied successfully on computers that are running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2
    http://support.microsoft.com/kb/979731/en-us
    Hope it helps.
    Best regards,
    Frank Shen

  • Nested groups, multi-valued groups, nested roles, multi-valued roles

    Does OID support
    1)groups, nested groups and multi-valued groups
    2)nested roles and multi-valued roles
    Thanks in advance

    You will typically see problems when multi-valued attributes are in the range of 10k-20k values. 10 values in a multi-valued attribute should not have much impact at all.

  • Accounting Groups and Profit centre groups

    Hi All,
    Please help me with these issues.
    1) Is there any way to get all accounts in an accounting group by specifying control area and accounting group?
    2) Is there any database table which stores accounting group and profit center group together, or is there any way to pick the accounting group for a particular profit center group and vice versa?
    please help me

    Hi,
    SETNODE and SETLEAF are the tables which contains All groups like Cost center, Profit Center and accounting groups etc and their related Cost center, profit center and Accounts.
    By writing nested selects on these we can retrieve all the accounts, CCs and profit centers from them.
    CC Group = '101' and PC Group = '0106' etc
    Or you can use the following fun modules:
    G_SET_TREE_IMPORT
    G_SET_GET_ALL VALUES
    Regards,
    Anji

  • Domain Users Group is a Protected Group on the Domain

    I'm having an issue where I set some permissions for a particular user's mailbox, but when I come back later the permissions have been removed. I have done some digging around and I believe the issue is a result of the Domain Users group being protected, which has led me to the AdminSDHolder object in the System OU. Does anyone know if it is possible to amend the security permissions, so that the group is no longer protected, as it is causing some major issues for me?
    Any suggestions would be appreciated
    Thanks in Advance

    I just want to add to make sure that the user is not part of another group that may be nested in another group that is protected.
    I had that issue with a customer, a police dept, after I migrated them to Exchange 2010 when some, but not all users, had issues with their mobile devices accessing Exchange ActiveSync. I found it was previously created users and
    not new users, that had the problem. They had a number of users in administrative groups when they had one server that was a DC (previously SBS), and everyone in the organization had access to it, which required users to have administrative
    rights, at least that's how they did it back then by the previous administrator, to provide them local logon rights. 
    With the help of a tool from Joe Richards, I had to hunt down each nested administrative group the users were in to remove them or change the AdminCount attribute to 0 before setting to allow  inheritance otherwise it would set itself back when
    AdminSDHolder runs every hour.
    This was all discussed in the following TechNet thread:
    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/269e0ab2-6e65-4001-abcb-3c89f6f938fd/issues-with-adminsdholder?forum=winserverDS
    Also, take a look at this PW script that is supposed to look for all of that, at least that was my last discussion with the author mentioning that each group that a user is part of must be checked, when he posted the script to the ADDS group
    in FB (https://www.facebook.com/groups/ADDSForum/):
    Exchange Checkbox of Doom
    http://www.dexterposh.com/2014/12/powershell-exchange-checkbox-of-doom.html
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
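
The nested-group hunt described in the answer above, written as a read-only audit. This is an added example, not part of the original thread and not the script linked there. It assumes the ActiveDirectory RSAT module; `Find-ProtectedPath` is a hypothetical helper name and the protected-group list is an assumed, partial set.

```powershell
Import-Module ActiveDirectory   # assumption: RSAT ActiveDirectory module is installed

# Assumption: partial list of default protected groups; extend it for your domain.
$protectedNames = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                  'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'

# Map DN -> name for the protected groups that exist in this domain.
$protectedDNs = @{}
foreach ($name in $protectedNames) {
    Get-ADGroup -Filter "Name -eq '$name'" |
        ForEach-Object { $protectedDNs[$_.DistinguishedName] = $_.Name }
}

# Hypothetical helper: breadth-first walk up memberOf from one object until a
# protected group is reached. Returns the nesting chain, or $null if none.
# Note: memberOf does not list the primary group, so that link is not followed.
function Find-ProtectedPath {
    param(
        [Parameter(Mandatory)][string]$StartDN,
        [hashtable]$ProtectedDNs
    )
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue([pscustomobject]@{ DN = $StartDN; Path = @() })
    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        if ($seen.ContainsKey($node.DN)) { continue }   # guards against circular nesting
        $seen[$node.DN] = $true
        $groups = (Get-ADObject -Identity $node.DN -Properties memberOf).memberOf
        foreach ($groupDN in $groups) {
            $chain = $node.Path + $groupDN
            if ($ProtectedDNs.ContainsKey($groupDN)) { return ($chain -join ' -> ') }
            $queue.Enqueue([pscustomobject]@{ DN = $groupDN; Path = $chain })
        }
    }
    return $null
}

# Every user stamped adminCount=1: still reachable from a protected group, or not?
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $path = Find-ProtectedPath -StartDN $_.DistinguishedName -ProtectedDNs $protectedDNs
    [pscustomobject]@{
        User   = $_.SamAccountName
        Status = if ($path) { 'member of protected group' } else { 'no protected path found' }
        Path   = $path
    }
} | Format-Table -AutoSize -Wrap
```

Rows with a path show which nested group keeps the account protected; rows without one are candidates for manual review, since primary-group membership and groups outside the assumed list are not covered.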

  • Find workstations with specific group in local administrators group

    Hello,
    Is there a simple script that will search the workstations in a domain looking for the existence of a specific domain group nested in the local administrators group? Our desktop group came up with the idea of using domain groups nested in the local admin group to grant administrator privileges to specific computers. They can list the members of the domain group easily but they have no easy way to know on what workstations they have added the group to. Output I am looking for is simply a list of computers that have the specific group in the administrators group. Any advice would be appreciated.
    Bobby

    This is done through Group Policy. It is a special aspect of GP to set and maintain groups on local machines. You can protect a machine from changes and allow users to be added and removed.
    If you are just looking to list the contents of a local group then get the module "Local Administration" in the Repository. It has all of the tools you need.
    You can also use WMI to retrieve group membership.
    ¯\_(ツ)_/¯

  • Add Windows 7 local administrators group to another local group

    So I have the local group MyLocalGroup and I need to add the local Administrators group as member of MyLocalGroup
    I'm working with Windows 7 Professional with Windows Management 4
    I have tried:
    [ADSI]$LocalAdmonistratorGroup="WinNT://$Env:COMPUTERNAME/Administrators,Group"
    [ADSI]$MyUsersGroup="WinNT://$Env:COMPUTERNAME/MYLOCALGROUP,Group"
    $MyUsersGroup.Add($LocalAdmonistratorGroup.Path)
    Exception calling "Add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist."
    BUT:
    $LocalAdmonistratorGroup.Add($MyUsersGroup.Path)
    It works! And MyLocalGroup is a member of Administrators.
    I have made some test and:
    1. A user can be added to any local group (ok)
    2. A local group can be member of any local group (ok)
    3. A group or a user can be added to local Administrators group
    4. If I try to add local administrators group as member of any other local group I receive the error!
    How can I add the local Administrators group as a member of another local group using PowerShell (with the interface it works)?
    Thanks,
    Lorenzo Soncini
    LSo Lorenzo Soncini Trento TN - Italy

    Hi Lorenzo,
    Nesting local groups (adding a local group to the group membership of another local group on the same client) is not recommended.
    Refer to:
    Nesting of local groups is not supported on workstations or member servers
    If we execute this operation via Computer Management Interface, it will produce error.
    Some group authoring tools can add local Group To local Built-in Groups, however, our suggestion is to never nest local groups even when it is allowed by a group authoring tool like “net local group” because such nesting doesn’t reflect the group expansion
    constraints and the end results would be different from the expected results.”
    Refer to:
    Nested User Groups (Groups in Groups) / Built-in Local Groups Issue
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang
    TechNet Community Support

  • Moderated group inside another moderated group

    We are about to move our internal distribution list inside of Exchange 2013 from an old ezmlm setup.  I have setup a static moderated group.  Inside of that group are dynamic regional groups which are moderated as well.
    When a user sends email to the static group, I know they will or should be moderated.  However, will the nested groups also send moderation messages?  Or, is Exchange smart enough to know what we are doing?
    I suppose I could hide the nested groups if that doesn't mean that those will not be able to receive email.

    The goal is to be able to moderate each list, with one additional global list which includes the rest.  If the behavior is actually to require moderation at every point, perhaps I could create parallel hidden groups that do not require mod and include
    those in the top level group instead.
    I need someone to be able to send mail to all users or only to all users in one city, etc.  It may or may not be acceptable to have to mod 4-5 times for messages sent to all.
    The main reason I created the top level list as static is because it was the only way I saw to include dynamic lists of users and contacts in 6-8 OUs.

  • Free Goods from One Material Group to Another Material Group

    Salute Masters!! 
    I need your valuable suggestions, please.
    I need to configure Free Goods of Material Group to Material Group.
    User want:
    1) Free Goods from one Material Group to another Material Group, like F010 to F040
    2) User should have option to change from one Material Group to Other Material Group, which He / She want, like F010 or F020, F030, F040 any one of them.
    Suppose;
    Line Item Material Belongs to One Group Quantity in Gallons Free Goods from Any Material Group Quantity in Gallons
          1            A                                              3                                    F010                                             4
          2            B                                              3                                     F020
          3            C                                              4                                     F040
    Any No. of Line Item Any No. of Material
                                       from One Group      Total 10                   From Any Material Group
    (Comprising of 3-4 Different Material from 1 Group, they should be able to choose/provide Free Goods from other Material Group)
    3) While creating Sales Order what Quantity (Gallons/No./Ltr) to be put?
    How I can configure this scenario?
    Please suggest, is it  possible through KEY COMBINATION?
    Rgds.
    Srivastav
    +91 7829755109
    Skype ID: sanjai.srivastav1

    Hi,
    if you want to give free goods from other group it can be possible only for EXCLUSIVE free good type
    In exclusive free goods, a material different from the original material can be specified as the free goods.
    Example: A customer who buys 200 crates of beer, gets 5 boxes of glasses free.
    In VBN1 >> Exclusive
    See column ADD FREE MATERIAL
    While creating Sales Order what Quantity (Gallons/No./Ltr) to be put?
    Maintain alternative units in material master >> Additional data >> Material master,BUT it is only main item
    For the items you want to give free, the unit is derived from the free goods condition record and it CANNOT be changed in the order.

  • What  is difference between user group and reference user group?

    hi
    guys,
            what  is difference between user group and reference user group? 
    your regards
      p.suresh

    Hi ,
    Check the link below for your clarification.
    http://help.sap.com/erp2005_ehp_03/helpdata/EN/5c/c1c81c445f11d189f00000e81ddfac/frameset.htm
    Hope it helps.
    Regards,
    Amit
    Edited by: Amit Kotwani on Sep 2, 2008 2:15 PM

  • Problem adding some user or active directory group to sharepoint 2010 group

    Hi All
    I have a problem in a specific site collection in a web Application (but not on other site collection in that webApp).
    whenever I add a user like some system account to a sharepoint group or create a new sharepoint group or add an ActiveDirectory group to a sharepoint group I get an error and the user / group are not added :
    System.Runtime.InteropServices.COMException: [Work Email Address] - [Wrong Email Format]    at Microsoft.SharePoint.Library.SPRequestInternalClass.EnsureUserExists(String bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String
    bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId)     at Microsoft.SharePoint.Library.SPRequest.EnsureUserExists(String
    bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId)
    when I add a regular user - all goes well.
    10x for any help
    Shlomy

    Hi Shlomy,
    I was thinking, perhaps there is an application that uses this checking method on your specific site collection, and perhaps it is using a hard-coded command to request it, but it seems it has some issue.
    As the other site collections may not have the issue, perhaps the other site collections don't have this application, and you may check that as a lead in the investigation process.
    You may try capturing with the Fiddler tool; it may come in handy for tracing the HTTP requests.
    http://fiddler2.com/
    Usually when I trace the application, I like to create a new site and add the web part or application one by one; then I may know which application/web part has the issue.
    As other regular users may not have the issue, perhaps it's because the system account by design does not have an email address property, so when the application/web part requests it, it fails.
    Regards,
    Aries
    Microsoft Online Community Support

  • Populating the user group instead of the group ID in MFA

    Hello all,
    I am trying to Populate the user group instead of the group ID in MFA. I want to use this to create authorization permissions, after authentication. I am running into the problem of not getting any info after authentication in the attribute dump.  Are
    there settings that I can change in order to Populate the attribute dump? are there settings that I can change to get all of the groups that each user is in?
    Thanks,
    Levi Williams
    IT professional
    Intern

    Hi Levi Williams,
    Thanks for posting here!
    Refer to the solution in this  thread link:
    https://social.msdn.microsoft.com/Forums/en-US/df060757-8190-4083-a162-0876cd4b8d15/group-based-radius-return-attributes?forum=windowsazureactiveauthentication
    Additional reference:
    http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
    Hope this helps!
    Regards,
    Sadiqh
