AD Resource forest access with user from different forest

Similar Messages

• Grant access to users from different Domains

  Hi,
  Recently my company was merged with another. All users from my company are setup in our Domain (DomainA). Sharepoint is able to see the users in this domain and grant access to the users as well. When the merger happened, we created a Group (Test - Sharepoint)
  in our AD to add groups from other companie's domain:DomainB, totally different Forest. There is a two way trust setup between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from other domain: DomainB.
  The other users are now able to access our sharepoint environment once access is granted to DomainA\Test-Sharepoint.
  Problem came when we applied Audience targetting around few web parts. The users from DomainB who are added as object in DomainA\Test-Sharepoint (group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone
  suggested that AD groups should be Global or Universal but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within it.
  Please suggest how we can resolve audience targeting issue?
  Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***

  My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
  Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• How to grant access to sharepoint for the user from different Domain

  Hi All
      I need to grant access to user from different domain. 
      Where I can able to view the users in people picker (different domain).
  Thanks in Advance.
  Raj

   Hi
  Trevor Seward
  Sorry to disturb
  you again.
    I am trying to restrict user from search from other domain, say we have domain A and Domain B, where I am trying to restrict all the user from domain B (Search users)for a site collection. I have found couple of stsadmin command to do so. but none
  of them works. Below are the commands I have tried
  STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:<Name>.domain" -url "http://Site URL"
  stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv “(canonicalName=<Name>.domain*)” -url "Site URL"
  we have two way trust.
  Can you suggest any solution.
  Thanks 
  Raj

• How to access form objects from different class?

  Hello, I am new to java and i started with netbeans 6 beta,
  when i create java form application from template i get 2 classes one ends with APP and one with VIEW,
  i put for example jTextField1 with the form designer to the form and i can manipulate it's contents easily from within it's class (let's say it is MyAppView).
  Question>
  How can i access jTextField1 value from different class that i created in the same project?
  please help. and sorry for such newbie question.
  Thanks Mike

  hmm now it says
  non static variable jTree1 can not be referenced from static context
  My code in ClasWithFormObjects is
  public static void setTreeModel (DefaultMutableTreeNode treemodel){
  jTree1.setModel(new DefaultTreeModel(treemodel));
  and in Class2 it is
  ClasWithFormObjects.setTreeModel(model);

• Place one order with Products from different sales orgs

  Hello,
  We are in CRM 7.0 EHP2 connected to ECC 6.0. We have Internet
  sales/Webchannel Application.
  We are rolling out Internet sales for a new country but they want the option to
  place one single order with products from different sales
  organizations.
  Currently Customers send fax/email to customer
  representative(CR) with list of products. The CR identifies and places
  multiple orders if products belong to different sales orgs.
  Currently customers don't have idea about sales orgs and they don't
  have a clue which product belongs to which sales orgs. So, for them to
  use Internet sales, we have to provide them an option to place one
  order with products from different sales orgs.
  I understand SAP doesn't support this. But, is there any way we can achieve this through some custom/out of the box solutions?
  Thanks,
  Ravi

  Hi Ravi,
  Please have a below help link, it may help you to explain the role of Distribution Channel and if it fits to your requirement.
  Organizational Data Determination in CRM E-Commerce - E-Commerce - SAP Library
  Thanks,
  Hamendra

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.

• Re:Can't able to access shared folders from different VLANs in SG300 series switches

  Hi All,
  I supplied 3 numbers of SG300 series switches for the sole reason to have inter-vlan routing. I created 4 VLANs in the switches and made one switch as Layer 3 switch and other 2 as Layer 2 switch. Inter-Vlan routing is working fine. I am able to ping PCs from different VLANs. But I am not to access shared folders. Customer has installed Window 2003 server installed and it is in VLAN 1. There are some folders created in this server and it is very important for users to have access to the folders.Also, I am not able to access shared folders in other VLANs. I have created a case with Cisco small business and I got a reply saying that the switches will not support shared folder feature, which I think is not real. I am getting a very time to implement this solution in the network. I have a Sonicwall firewall after Core switch which is connected to ISP.
  ISP<----->Sonicwall FW<----->Core Switch<------>Layer 2 switch<------>Layer 2 switch
  Kindly help me out to resolve this issue.
  Regards,
  Prashant K

  Hi Prashant,
  I think you're running into a Windows firewall issue. SMB file sharing, by default I believe, is only allowed on your local subnet. Please try disabling windows firewall on the computer hosting the shared folder, then see if you can access the shared file.
  Best,
  David
  PS: It looks like this post got published twice. You can delete the other one using the task bar on the right.
  Please remember to rate helpful resonses and identify correct answers.

• How to access Excel files from different locations?

  Hello,
  I have successfully tested the Excel sample on WLS 7, and trying to run it on
  the WLS 8.1.
  Anyways, the common question for both is, how to access an excel files from different
  locations (e.g. c:\path\1.xls, \\domain1\finance\fin.xls, \\domain1\marketing\customer.xls,
  \\domain2\accounts\vouchers.xls)?
  From example i can see that it picks from a specific path under repository.
  Thanks
  Ashok Gupta

  The custom function sets the MS-Excel default directory to System.getProperty("user.dir")+"/excel"
  (the domain directory), then opens the filename passed as a parameter. I assume
  that if you pass in the fully specified path for the excel file ( like d:\MyDir\data\test.xls),
  that it would open that file.
  - Mike
  "Ashok Gupta" <[email protected]> wrote:
  >
  Hello,
  I have successfully tested the Excel sample on WLS 7, and trying to run
  it on
  the WLS 8.1.
  Anyways, the common question for both is, how to access an excel files
  from different
  locations (e.g. c:\path\1.xls, \\domain1\finance\fin.xls, \\domain1\marketing\customer.xls,
  \\domain2\accounts\vouchers.xls)?
  From example i can see that it picks from a specific path under repository.
  Thanks
  Ashok Gupta

• Invalid Resource when accessing streaming video from PC

  When I File > SHARE > HTTP Streaming Video, FCP creates a number of files & folders to place on my Web site.  When I go to access the streaming video from my MAC, it works.  However, when I attempt to access it from a PC, I get the message "Invalid Resource".  What am I missing or doing wrong?

  I too am having serious problems with streaming from Apple TV2 to a newer quad core iMac running the most current version of Lion.  I am using Time Capsule as the wireless network device and have a high-speed DSL modem with 12/mbs download.
  I have my iMac directly connected to the Time Capsule with an ethernet cable, and an ethernet cable directly to the router (Actiontec Q1000).  With the Airport Utility on my iPhone, I can see the Time Capsule as well as the wireless devices connecting to it, including the Apple TV 2. BTW, I can't even see my wireless devices with the new Airport Utility, need to use 5.6 to even see the devices.
  The connection is listed as EXCELLENT, and when you check the speed of the connection, initially the Apple TV 2 shows a 65/mbs connection, but the minute you try to connect to Home Sharing, it drops to 1 mbs. So I don't think interference is an issue at all as no other device that connects wirelessly to my network has any problems. Very frustrating.  Went into Apple and they replaced the original Apple TV with a new one, same problem. I think the issue is somewhere between the Time Capsule and Apple TV2.  When I brought the new one home last week, it worked GREAT for like one day, then whenever you try to connect to your home library, it never loads, and with the 1 mbs speed, I can see why it's taking forever.  Anyone willing to help would be much appreciated.

• Accessing a variable from different application instance in fmis

  Hello everyone i like to know how to declare a global variable in FMS, so that i can access it from different application instance of a same application.
  Thank.

  Hi,
  In such a use case you can use persistent shared object to keep track of all connected users and the instances they are connected to. then when a user connects in application.xml you can check whether that user name and password is valid for a instance. This doc should help you get this achieved http://help.adobe.com/en_US/FlashMediaServer/3.5_Deving/WS5b3ccc516d4fbf351e63e3d11a0773d3 7a-7fff.html
  Thanks,
  Abhishek

• Copy few test assignment with User from one database instance to another

  Hi,
  I have OTL ,Payroll and HRMS system. I want to Copy few test assignment with User(Few FND Users) from one database instance to another .
  Source: DEV Instance
  OTL users to enter their Time sheet
  OTL is intergated with HRMS to pickup Employee information
  Existing business users are integrated with Employee assignment etc tables to pickup person_id
  Target: Want to copy few test OTL users from ONE instance to another. Bringing FND_User is easy but EMPLOYEE_ID, PERSON_PART_ID will not come during FNDLOADER .
  How to bring all information from one instance to another instance? Please advice.
  thanks .

  Dear,
     Try using HRMS configuration workbench. For this you might require support from your DBA for configuring the same. Once configured, you can move the items you want.
  Regards,
  Kathan

• Compare Merge Model problems with models from different connections

  Hi all,
  I've experienced a problem while using the compare/merge model funcion under tools.
  Just to put in place:
  I've 4 model, one for each enviroment that I have: DEV, INT, TEST, PROD(*each model imported from different connections*). Because I haven't found any reliable way to keep them sincronyzed, using DLL deltas. Is there a way to do that?
  Anyway, regarding the main subject problem. Whem I try to sync for example, from PROD, to TEST, using compare/merge model function under tools, the process find the differences. When I selecte those that I want, and click on merge, the destination model TEST, get the selected objects merged into.
  But now, the model Schema, when I select sincronyze model with data dictionary to get de DLL delta, things get crazy, and the merged objects doesn't get detected to be created.
  If it's help, I think that the is with the associated import connection than the merged objects have. They have the PROD connection name, instead of the TEST connection name. Also when I try to syncronize the relational model againts de data dictionary(database), datamodeler ask me wich connection to use, PROD or TEST. When, before, merging, model, data modeler did not ask me anything.
  Why is data modeler doing this?
  What I have seen is when you import in a model things from different connections/models, when you try to sincronyze agains a connection, all objects that are not from the selected connection doesn't get compared.
  Is there a bug or a problem?
  How can I can keep a schema in different enviroments, sync? What are the step that I shoulf follow?
  Thanks in advance.
  Edited by: morfeo8marc on 14-mar-2012 11:17

  I shall try to explain what is happening here.
  When you import objects from TEST data dictionary, their source information (see Summary info in Properties dialog) will refer to TEST.
  The relational model for TEST will contain source information (see Summary info in Properties dialog) for the connection to TEST.
  Similarly, imported objects from PROD will refer to the PROD data dictionary, and the PROD relational model will hold connection details for PROD.
  If you merge PROD objects into the TEST model, they will retain their source information (i.e. referring to PROD).
  The TEST model will be updated to include connection details to PROD.
  When you synchronize a model, if it only has one source connection, it uses that.
  If it has more than one, it will prompt you to decide to which data dictionary it should synchronize.
  In your case, for the TEST data dictionary, it will synchronize all objects that have source information for TEST (i.e. those imported from TEST).
  It will also compare any new objects (i.e. those not imported from a data dictionary).
  It will not compare objects that were imported from a different data dictionary (e.g. PROD).
  This supports the scenario where a model consists of objects imported from more than one data dictionary, and where the data dictionaries are maintained separately.
  We may need to review the above strategy in light of your experience and development process.
  In the meantime, may I suggest that from your updated TEST model, you Import from Data Dictionary using the TEST connection.
  The resulting Compare Models dialog should show all objects (i.e. those from TEST and PROD).
  You may need to set the Swap Models option to generate DDL with which to update your TEST data dictionary.
  Thank you for raising this matter.
  Regards,
  Tony Rose

• How do I access time machine from different user account

  Hi there.
  Last week I had to take my comupter into the local Apple Store because I was having problems with Boot Camp.  The genius at the store had to delete everything from my hard drive and reinstall it from my external hard drive.  As part of the process she created a "Apple" user account.  I now want to restore some files (unrelated to this Boot Camp story) from my time machine archive.  However, all the files prior to this Apple Store encounter are red -- and it says I do not have permission to view them.  When I click "get info" it says that the "Apple" account has the read/write access to them and the option to unlock them is greyed out.  How can I get these files from the archive and get them onto my main user account where they belong?  The "Apple" account does not have a password so I think I can easily log on as that account, but I don't know where to go from there.
  PS The files in question are iTunes libraries.
  Thanks for your help.

  Ok, I fixed it.  Here's what I did.
  I logged into my computer under the Apple account.  Then I went into Time Machine.  I found my old files under Users-->"my main account".  I was able to restore those files to Users-->Shared.  Then I was able to log back into "my main account" and retrieve the files from the shared folder.  It worked!  Hope this helps someone else some time!

• How can multiple users from different locations access my Muse website files to update them?

  We're a team, and we need to be able to work together remotely.
  How can I let another user (on the East Coast - I'm on the West coast) have access to my Muse website files so that they can work on them and make changes - but I can also work on them here?
  I've already made them an Admin in the Manage section of the live Muse website that is hosted on Business Catalyst.
  BTW, they also belong to Creative Cloud.
  Thanks!

  You need to share your .muse file with this other person.
  Muse does not currently support multiple users opening the same .muse file at the same time.
  There's lots of options for sharing a file - you could copy it up to a company network server, or email the file back and forth, or use a filesharing service like Dropbox, SendThisFile, Adobe SendNow, or Creative cloud sync, among others.
  Which one is right for you depends on the size of your file, how often you're sending the file back and forth, and personal preferences
  Whatever you choose, it's important that you DO NOT have 2 users working on the same .muse file at the same time. This can cause corruption of your .muse file. I'd also recommend frequent backups of your .muse file, as you might find that one of you clobbers a change made by the other and you want to be able to go back to your old copy of your .muse file to copy/paste some content to your latest copy of your .muse file.

• Analytic View with tables from different schema

  Hi,
  I'm curious if I make something wrong or if this is not possible:
  I want to use two tables each in a different schema. I can drop them into the DataFoundation, can connect them, assign them some measure. But activation fails due to insufficient privileges. When I use the tables from the same schema activation works well. With the insufficient privileges I would guess HANA cannot create a View (failed with the statement CREATE COLUMN_VIEW "_SYS_BIC"."USER/ANALYTIC_VIEW_NAME"....).
  Since I tried the same assignment with the System-User and failed I wonder what kind of permissions are required. Or is this generally not allowed (resp. prohibited)?
  If not allowed, could somebody give me a hint, why its not possible?
  If it is possible, what kind of rights are required to get it working?
  roland

  Hm', I have allowed SYS_REPO the rights to the table and was able to activate the view. But now I have the problem, that the DataPreview is not working (again insufficient privileges). What user has to have additional permissions for the JDBC-query?
  Do I have to take care more on the privileges for other things?