AD security group memberships not coming over to SP2013.

This seems to have coincided with applying a number of updates to our SharePoint server via Windows Update over the weekend. Since then, changes in AD security groups are not being reflected by the appropriate access in SharePoint. If somebody has been a member of an AD group prior to this weekend, their access is fine. But changes made today aren't seeming to propagate. Any suggestions?
Thanks!

Because SharePoint 2013 is based on claims, it is normal for users added to AD groups to not gain the permissions for up to 24 hours, because the claims tokens are cached.
http://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem.
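The two settings named in the linked post, LogonTokenCacheExpirationWindow and WindowsTokenLifetime, are what control how long SharePoint keeps reusing a cached claims token before it looks at AD again. The following is an added example, not code from the thread or from the linked blog: it reads the current values from the farm's security token service and shows how an administrator would shorten them, run from the SharePoint Management Shell as a farm administrator. The 15-minute and 2-minute values are illustrative choices, not defaults.

```powershell
# Added example: inspect and shorten SharePoint 2013 STS token caching so that
# AD group adds/removes are honoured sooner. Assumes the SharePoint Management
# Shell on a farm server with farm-admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-StsTokenLifetimes {
    $sts = Get-SPSecurityTokenServiceConfig
    [pscustomobject]@{
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        FormsTokenLifetime              = $sts.FormsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
        # A cached logon token is reused until (lifetime - expiration window) has
        # elapsed, so this is roughly the longest a group change can go unnoticed.
        EffectiveWindowsCacheTime       = $sts.WindowsTokenLifetime - $sts.LogonTokenCacheExpirationWindow
    }
}

function Set-StsTokenLifetimes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][timespan]$WindowsTokenLifetime,
        [Parameter(Mandatory)][timespan]$LogonTokenCacheExpirationWindow
    )
    # Guard: the expiration window has to be shorter than the token lifetime;
    # fail early with a clear message instead of leaving the STS config invalid.
    if ($LogonTokenCacheExpirationWindow -ge $WindowsTokenLifetime) {
        throw "LogonTokenCacheExpirationWindow must be less than WindowsTokenLifetime."
    }
    $sts = Get-SPSecurityTokenServiceConfig
    if ($PSCmdlet.ShouldProcess('SecurityTokenServiceConfig', 'Update token lifetimes')) {
        $sts.WindowsTokenLifetime            = $WindowsTokenLifetime
        $sts.LogonTokenCacheExpirationWindow = $LogonTokenCacheExpirationWindow
        $sts.Update()
    }
}

# Show what the farm currently uses.
Get-StsTokenLifetimes

# Trade-off: shorter lifetimes mean removals from AD groups take effect sooner
# (least privilege) at the cost of more frequent token renewal against AD.
# -WhatIf shows the change without applying it; drop it to apply.
Set-StsTokenLifetimes -WindowsTokenLifetime (New-TimeSpan -Minutes 15) `
                      -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 2) -WhatIf
```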

Similar Messages

  • Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

    Good morning all,
    I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
    Here's what I would like to be able to do:
    1) create/manage public calendars / rooms in exchange 2013
    2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
    3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
Anyone got any resources they can give to point me in the right direction?
I have already created two mailbox room resources, and have them set up in a room list in AD. But I need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group membership.
    I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
    Any help on this is greatly appreciated, thank you!

    1) I recommend using Room Mailboxes for resource calendars because it just works better.
    2) This is a standard feature of a Room Mailbox.
    3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
    I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • BOXI 3.0 Units of Measure not coming over to universe based on Infoset

    We are noticing that the Unit of Measure for Infoset based query objects are not coming over with the base install of the SAP integration Kit. However, it does seem to work after fixpack 2. Can anyone confirm this?

    Hi Mark,
We had a separate thread on this already, or?
For Universes on top of Web Intelligence it has been identified as an issue.
    For Universes on top of InfoCubes it works fine.
    Ingo

  • SAML 2.0 and AD Security Group Membership

In ADFS 2.0, as a part of the token, I can pass the AD security groups the user is in. Does SAP SSO have the ability to send and receive SAML 2.0 tokens with AD security group membership?

    Hi Jeff,
The SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as a SAML Attribute in the generated SAML 2.0 Assertion.
These group assignments of the user can be local (maintained in the local UME database) or remote ones if the UME is configured with another Data Source.
So in order to be able to send the AD group assignments of the user, you need to change the NetWeaver UME Data Source to your AD. More information on how to do that can be found on this page: Identity Management - SAP Library.
Then in your Identity Provider you can configure so-called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided on this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation, these attributes are supported for all supported NameID formats).
Regarding the receiving part:
In the SAP SAML 2.0 Service Provider of NetWeaver AS Java, a received SAML 2.0 Attribute can either be assigned to any UME attribute of the authenticated user, or be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
    Regards,
    Stefan

  • What does it mean if I get blank text messages from someone but they are not coming from number they appear and disappear they are not coming over the network also emails have been moved around, has my phone been hacked?

I have been getting blank texts from a number, but the person who owns the number is not sending them. They appear then disappear, they are not coming over the network, they come even though the number has been blacklisted. Also emails have been moved, I believe by someone who is cyberstalking me, but I don't know how to prove it. What can I do?

    Hi,
    When a Mac is "registered" for iMessages account with an Apple ID the Serial Number of the Mac is used to create an Auth Token as it is called for the Messages app that allows that Mac to work.
    I would guess a similar process of linking the Number of the iPhone to a Hardware fact about the device is also in place.
I would contact Apple Support and check with them. (You might need to speak to a Level 2 person, as Level 1 people are script led and try to fit everything into Software or Hardware categories, whereas sorting an Apple ID (which the Number is in this case) is normally free.)
    I did find this iOS: Troubleshooting Messages - Apple Support
    It starts off about sorting SMS that is not working.
    This one has a bit on Unlinking an iPhone Number (with or without the iPhone) iOS and OS X: Link your phone number and Apple ID for use with FaceTime and iMessage - Apple Support
7:55 pm      Tuesday; January 6, 2015
    iMac 2.5Ghz i5 2011 (Mavericks 10.9)
    G4/1GhzDual MDD (Leopard 10.5.8)
    MacBookPro 2Gb (Snow Leopard 10.6.8)
    Mac OS X (10.6.8),
    Couple of iPhones and an iPad

  • HT4910 I just upgraded to 4s and when i backup my iCloud my apps and pics are not coming over?

    I just upgraded to 4s and when i backup my iCloud my apps and pics are not coming over?

    I'm assuming you have performed a restore from an icloud backup...
Many users have lost photos while performing a restore from backup or upgrading the iOS. Recall, only photos in the camera roll are backed up to iCloud. There is a way to turn backups for camera roll on/off; perhaps these users had camera roll turned off.
    See:
    Settings>icloud>Storage & Backups>Manage Storage,  tap the device's name and on the next screen, be sure Camera Roll is turned on.
    IMPORTANT...
    Photos should be regularly synced to a computer (like you store photos from a digital camera) using either USB via iTunes (on a mac use iPhoto or Aperture to move them to an album) or using photo stream.  If you have been doing that, then you can sync those photos back to your device.
    If you haven't been saving photos except relying on iCloud to store them in a backup, then that is risky, as many users have discovered.  I'm afraid I have no advice in this case - there is no "cure".
    As for apps, you could always download them again from the itunes store, without charge.  Look for the link to purchased apps, there you'll have a list of the ones you can download free.

  • Catalog group membership not updating

    Hi,
    I am experiencing a problem with my catalog groups. I have just created a new catalog group and added a user account as a member and also removed that user account from another group by logging in as administrator in answers and using settings - manage presentation catalog groups and users.
    If i now log in as that user the membership hasn't updated and when I click on My Account for that user it still shows as a member of the old group and not the new one.
My security for users is done through LDAP, and in Tools - Options in the Admin console on the repository tab I have the LDAP Cache refresh interval set to 1 minute.
    I know if I restart the presentation services that it will work ok but I don't want to have to do that as I have users using the system.
    Any advice would be appreciated.
    Thanks
    Patricia

    hi,
    you can try to set in the instanceconfig.xml
    the tags
    --->
    <CacheMaxExpireMinutes>2</CacheMaxExpireMinutes>
    <CacheMinExpireMinutes>1</CacheMinExpireMinutes>
    <CacheMinUserExpireMinutes>1</CacheMinUserExpireMinutes>
    <ClientSessionExpireMinutes>10</ClientSessionExpireMinutes>
    <SearchIDExpireMinutes>9</SearchIDExpireMinutes>
    <---
they control the cache of the browser
check the administrator guide for more information
--check on another PC or check with another browser at the same
i hope i helped....
    http://greekoraclebi.blogspot.com/
    Edited by: eejimkos on Jul 15, 2009 4:52 AM
    Edited by: eejimkos on Jul 15, 2009 5:01 AM

  • Group Memberships not Flowing into Metaverse

    Hello,
    I'm trying to figure out why the group member attributes in the CS are not flowing into the MV.  Here's what I have:
    An HR system running on SQL Server
    A staging database that extract data from the HR system
    The staging database has a table representing person object
The staging database has a table representing person multi-valued attributes (i.e. location, job code, etc.)
The staging database has a table representing group objects
The staging database has a table representing group memberships (multi-valued)
    A SQLMA connected to the person and person multi tables
    A SQLMA connected to the group and group membership tables
All group memberships are based on job codes and locations. There are no approval processes in place. If they have this job code, they get certain groups. That's all calculated in the staging database and the memberships are in the group membership table.
    This system does connect to AD (and a few other things), but I'm not concerned with that, right now.
    I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense.  The flow from the database into the CS works well.  No issues there.
    But, a search of the metaverse for the group shows an empty member attribute.  The sync process is not throwing any errors.  At least they're not showing up in the sync service app or the event logs.
    Where allowed, I'm using rules extensions for everything.  I can't use a rules extension to set the member attribute because it's an rdn.
    I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object.  Then, I'll modify my existing MA to use that attribute instead of the member attribute. 
I'm not sure what kind of issues I'm going to run into when exporting that to AD. I'll cross that bridge when I come to it. I don't anticipate that being an issue as the DNs for all these objects will be calculated by the ADMA based on locations, group functions and person types (basically, I don't care about the MV rdn).
    Anyway, I'm looking for some real world insight on this.  This whole effort is to migrate off an existing IDM system that works very, very well but quite expensive to license.
    Thanks,
    Greg Wilkerson

    Hey Cameron,
    I have total control of all the DB tables FIM is accessing.  I build them up as part of IDM process.
I've read this article, along with the many others that address the "manager" scenario. This really doesn't apply in this case as the user and group objects are loaded in separate MAs. Getting reference values to flow with both objects living in the same CS shouldn't be an issue.
I also saw a solution where the group and user objects were in the same table and differentiated by the "object_type" value (user, group). That solution solved the issue of the groups and users being in the same CS. As I grow tired of my daily FIM beatdown, that solution is growing more attractive. That's a major DB redesign, and seems quite inefficient.
The multi-value table for group memberships already exists in the DB. For FIM purposes, I transferred that data into the user object multi-value table. See screen shot. I can certainly configure the group MA to access that multi-value table and load the group members as references. But, because the group MA CS will not contain the user objects, I don't see how the references will be set. If the reference value isn't set in the CS, it's not going to flow into the MV (at least I haven't figured out a way to set a reference value for an object in the MV - my problem all along).
This whole "setting a reference value" encompasses much more than just group memberships in my implementation. Telephone resources and physical access (key cards, etc.) are provisioned through the existing eDirectory system. These objects exist in our current IDM system and are associated with users based on rules. So, the reference value process is something I need to figure out, if I'm going to use this product.
Maybe I could use a stripped down ECMA2 as a "staging" CS, export the users and groups into this CS and assign the reference values, then import the groups back into the MV, memberships intact. I'm not sure that would get me where I want to go, and it seems like a lot of extra "stuff" to solve what should be a simple problem. Hmmmmmm. Or, connect the ECMA2 directly to my group membership multi-value table in the DB. Hmmmmmm. I'd still have to export the groups and users into that CS, but the import might be much more straightforward. Hmmmmmm.
    The structure of my GroupMembership table (both columns are anchors or directly translatable to anchors):
    EmployeeGroups
        GroupName varchar(50) not null,
        EmployeeID nvarchar(50) not null,
        ID int identity(1,1) not null

  • AD Group membership not updating in Sharepoint Foundation when adding Active Directory group to Sharepoint group

I have Sharepoint Foundation installed with the latest CU updates. It is running on a VMware box (Windows Server 2008 R2 Standard) with its backend on a SQL Server 2008 R2 VMware box. The farm account is a domain user and has been given all appropriate replication rights, etc. to Active Directory.
Everything seems to be working fine except for security integrated with AD groups. When I go to edit permissions I can add individual AD users just fine and remove them just fine, and their access is taken away right away or given to them right away. I can also find AD groups in the people picker and add them to the site. When I add new groups to AD, they are found immediately within Sharepoint, and when I delete groups from AD, they are taken out of the people picker right away. Now comes the weird part. When I add an AD group to the site, all users currently within that AD group are given access to the Sharepoint Site. This works for the first time only. Now when I add or remove users from the AD groups, it does not update in SharePoint. For example, I have an AD testuser1 in the AD Group "All Users". testuser1 does not have access to SharePoint. So I add the AD group to the Sharepoint group "Visitors". testuser1 now has read access to the sharepoint site. Now, I remove testuser1 from the AD group, but testuser1 still has access to the site even though he is not part of the AD group, nor does he have any individual permissions to the site. Now, I add testuser2 to the AD group. testuser2 does not have access to the site, even though he is part of the AD group.
It seems that the only time AD group security is working for me is when I first initially add the AD group to the site. From then on, it's like Sharepoint is caching the members of the group and not updating any new adds or deletes from the groups. Any ideas? I am lost on where to go from here as I have tried everything from clearing cache files, rebooting servers, iisresets....

I think I have at least cornered the problem, but am not 100% sure yet that it is the correct answer. I think it could be 1 of the following 2 scenarios.
Scenario 1: We have 3 web applications set up on our web server: port 80 - our SharePoint web app, 2020 - our My Site web app, 2040 - our Search web app. We are using host headers (http://sharepoint.***.com) instead of a server name. So we set up our access mappings (Central Admin -> Application Management -> Configure Alternate access mappings) to use the host header (http://sharepoint.***.com) as the default mapping and the server name as the intranet access mapping. By setting the default access mapping to host headers, I noticed that SharePoint automatically assumes that all web apps are on port 80. You can see this by going to (Central Admin -> Manage Web Applications). The port listed all 3 web apps on port 80. So I think when I was doing a profile sync and using My Sites, it was messing with my AD security because of this. What I did was the following. I went to Central Admin -> Manage Service Applications -> [Name of your user profile service] -> Setup My Sites. I made sure that my preferred search center had the correct port number on it (mine originally had no port number), that my My Site host had a port (again no port number originally), as well as the personal site location. I then saved this.
Scenario 2: Our user profile sync had 2 BDC connections that were corrupt and throwing errors. I rebuilt the connections and remapped them to the proper user profile property.
I did both of these scenarios above around the same time. I then restarted all my servers, and at last the AD Group security is now functioning appropriately. I have done multiple IIS resets and server restarts. The issue has only reappeared once. After restarting the machine again, we were back to the AD groups functioning correctly. Because we had the issue reappear once after doing the above, I still do not feel 100% sure that either one of the above corrected the issue completely.
As long as we are up and running currently, I am moving on to other tasks with this project. My only concern that it will break again and I will have to revisit it is when we restart the servers....which is never fun. I will update as I find a "true" answer to this issue.... Let me know if any of the above helped you or if you find something I may not have thought of.

  • Populate the EmployeeID attribute of a user, based on their security group membership in Active Directory

    Hey guys, I need to create a script that assigns a value to the EmployeeID of every user that is a member of a particular AD security group.
For example, there are the following groups - Accounting_01, Accounting_02, Accounting_03. The script has to read what members there are in these groups and assign to the people of Accounting_01 an EmployeeID of 01, to the people of Accounting_02 an EmployeeID of 02, and to the people of Accounting_03 an EmployeeID of 03.
    I have a script that adds a user to a security group, based on the value of a certain attribute, but not the other way around. Have you written such a script? Thanks in advance

I haven't tried the code, because I don't have AD cmdlets.
But I see some discrepancies between the documentation and your code.
Looking at http://technet.microsoft.com/en-us/library/hh852287.aspx (Set-ADUser cmdlet) we can read for the -Replace<Hashtable> parameter: ... Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter ...
But the OP referred to EmployeeID, which is a Set-ADUser cmdlet parameter (look for -EmployeeID), thus, cannot be used with -Replace<Hashtable> parameter (as per the documentation).
Also, the documentation states for this same -Replace<Hashtable> parameter: ... To modify an object property, you must use the LDAP display name ...
And the LDAP display name for EmployeeID is employeeID, and not employeeid as in your code (although I'm not sure if LDAP display name is case sensitive).
As you say your code works correctly, I suspect that you created a new property named employeeid, which is not the same referenced by the parameter -EmployeeID.

The documentation merely says that it can be used to modify attributes that do not have their own parameter. If they were to include a parameter for every AD attribute the list would be huge. It doesn't imply that -replace cannot be used instead of the defined parameters.
I must admit that I didn't realise that -EmployeeID could be used as I didn't consult the documentation before I wrote the code but I can confirm that using the method I posted the employeeID attribute was modified. It didn't create a second attribute with different letter casing.
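The script the question asks for, written as an added example (it is not the script the thread's replies refer to): it maps the three Accounting groups to their EmployeeID values and writes them with the cmdlet's own -EmployeeID parameter, which the replies agree targets the employeeID attribute. It assumes the ActiveDirectory module and an account allowed to write employeeID; the group names and ID values are taken from the question. A user found in more than one mapped group is reported and left untouched rather than given whichever ID happened to come last.

```powershell
# Added example: assign EmployeeID from AD security group membership.
# Assumes RSAT / the ActiveDirectory module and write access to employeeID.
Import-Module ActiveDirectory

# Group name -> EmployeeID value, as stated in the question.
$GroupToEmployeeId = @{
    'Accounting_01' = '01'
    'Accounting_02' = '02'
    'Accounting_03' = '03'
}

function Get-EmployeeIdCandidates {
    # Returns a hashtable: samAccountName -> list of IDs implied by group membership.
    param([Parameter(Mandatory)][hashtable]$Mapping)
    $candidates = @{}
    foreach ($group in $Mapping.Keys) {
        # -Recursive also picks up members reached through nested groups.
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($member in $members) {
            if (-not $candidates.ContainsKey($member.SamAccountName)) {
                $candidates[$member.SamAccountName] = New-Object System.Collections.Generic.List[string]
            }
            $candidates[$member.SamAccountName].Add($Mapping[$group])
        }
    }
    return $candidates
}

function Set-EmployeeIdFromGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][hashtable]$Mapping)
    $candidates = Get-EmployeeIdCandidates -Mapping $Mapping
    foreach ($sam in $candidates.Keys) {
        $ids = @($candidates[$sam] | Sort-Object -Unique)
        if ($ids.Count -gt 1) {
            # Conflicting membership: do not guess, surface it for a human to resolve.
            Write-Warning "$sam is in more than one mapped group ($($ids -join ', ')); skipping."
            continue
        }
        $wanted = $ids[0]
        $user = Get-ADUser -Identity $sam -Properties EmployeeID
        if ($user.EmployeeID -eq $wanted) { continue }   # already correct, no write needed
        if ($PSCmdlet.ShouldProcess($sam, "EmployeeID '$($user.EmployeeID)' -> '$wanted'")) {
            # -EmployeeID writes the employeeID LDAP attribute; -Replace @{employeeID=$wanted}
            # targets the same attribute, as the last reply in the thread confirms.
            Set-ADUser -Identity $sam -EmployeeID $wanted
        }
    }
}

# Dry run first (prints each change that would be made); drop -WhatIf to apply.
Set-EmployeeIdFromGroups -Mapping $GroupToEmployeeId -WhatIf
```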

  • Global security group permissions not propagating

I have a single flat domain that has migrated from NT to 2003 to 2008. A number of the global groups go back to the mid nineties.
I recently purchased an EMC VNXe 3300 for additional storage, joined it to the domain, and migrated a bunch of folders with permissions using robocopy, no problem.
Now I have one shared folder and the global security permission applied to the top level folder but it did not descend the tree. I tried applying it from the advanced security tab and chose apply to this folder and all child objects and folders, or some such verbiage. I could not get that permission on anything below the top level unless I went to the object explicitly and applied it.
I created a new global security group and applied it to the folder and it descended the tree with no problems.
I have hundreds of folders and hundreds of groups I need to move to this new storage. I have no idea what is wrong here?

    Hi,
Please help collect the current permission settings of the parent folder and a subfolder (to which the original global security group cannot be applied with "inheriting").
Meanwhile, have a try with icacls instead of the GUI to see if it will work. For example:
    icacls x:\folder /grant <group>:(OI)(CI)F 
    If you have any feedback on our support, please send to [email protected]
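The reply asks for the permission settings of the parent and a subfolder; the following added example (not from the thread) gathers that for a whole tree. For every folder under a root it reports whether the group has an ACE, whether that ACE arrived by inheritance, and whether the folder blocks inheritance, so the point where propagation stops is visible. It matches on the group's SID, so an ACE whose name no longer resolves (shown as an S-1-5-... string in the GUI) still counts. 'X:\folder' and 'DOMAIN\OldGlobalGroup' are placeholders; it needs PowerShell 3.0 or later and read access to the ACLs.

```powershell
# Added example: per-folder report of one group's ACEs, for diagnosing why a
# permission applied at the top of a share does not descend the tree.
function Get-GroupAceReport {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Group    # 'DOMAIN\GroupName'
    )
    # Resolve the group once to its SID so unresolved ACEs still match.
    $account = New-Object System.Security.Principal.NTAccount($Group)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl  = Get-Acl -LiteralPath $folder.FullName
        # GetAccessRules(explicit, inherited, identity type): both explicit and inherited ACEs.
        $aces = @($acl.GetAccessRules($true, $true, $sidType) |
                  Where-Object { $_.IdentityReference.Value -eq $sid })
        [pscustomobject]@{
            Path               = $folder.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected   # inheritance disabled on this folder
            HasAce             = $aces.Count -gt 0
            Inherited          = @($aces | Where-Object { $_.IsInherited }).Count -gt 0
            Rights             = (@($aces | ForEach-Object { "$($_.FileSystemRights)" }) -join ';')
        }
    }
}

# Folders with no ACE for the group, or with inheritance blocked, are where to look.
Get-GroupAceReport -Root 'X:\folder' -Group 'DOMAIN\OldGlobalGroup' |
    Where-Object { -not $_.HasAce -or $_.InheritanceBlocked } |
    Format-Table -AutoSize
```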

  • GPO Security Group filtering not working

    Hello all,
    DC: 2008R2 w SP1
    Client: W7 SP1
    Objective: Disable Removable Storage
I can filter by individual user but not a security group (global). (Linked to both users and computers OU.) I check and make sure the user (me) belongs to the group using the command whoami /groups. I check the Delegation setting and make sure that the security group has the read and "apply" GPO checked. Also the Authenticated Users group has "read" allow.
    Any clues?
    Thanks

    Glad to hear this.
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • AD groups membership not working for target Audience

    Hiya,
Got a peculiar problem here. Trying to set audience on a link, it doesn't work as we want it to. We have the following behavior:
If adding users directly on a SharePoint Group, no problems. However if adding an AD group to the SP group, it doesn't work. Member count for the AD Group is 0.
The AD Group is created as Global; however, I tried placing it in a Domain Local group to see if that changed anything. SP syncs the AD groups fine, however it seems like it doesn't read the members, thus not granting any users access based on AD group membership.
Not sure if this is default behavior or?

    Hi,
It seems to be a known issue, but there is no workaround for this.
It is worth reading these threads:
    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/8ede2f40-2b11-416b-b426-51c1b6479c33
    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/586494b9-d259-4abf-a857-26137fa30460
    Hope this helps
    Thanks!
    Stanfford
    Everything will be fine.

  • How to restrict an infopath custom view based on SharePoint group or security group membership?

    Hi,
    I have created a custom view in InfoPath Designer 2013 based on a SharePoint online - custom list.
    Right now the custom view is available for all users in the "View:" dropdown under the "PAGE DESIGN" tab in InfoPath.
    I would like to make this view available only to a set of users. (i.e., users of a SharePoint group / Security group).
    Please let me know how I can do this..
    Thanks,
    Thanan

    Hi Thanan,
We can check the current user's permissions using the REST API in SharePoint 2013, then hide the "View" dropdown based on the permission.
    The following articles for your reference:
    SP2013 REST API – Find if user is member of SharePoint group
    http://simonovens.wordpress.com/2014/08/13/sp2013-rest-api-find-if-user-is-member-of-sharepoint-group/
    Quick Tip: Using JQuery to hide options in a select
    https://formidablepro.com/help-desk/quick-tip-using-jquery-to-hide-options-in-a-select/
    Best Regards
    Patrick Liang
    TechNet Community Support

  • Media/Stock name from an XMPie uStore product not coming over

Hi, I'm having some issues with a print file coming over from uStore to FreeFlow Core workflow to print to a 6180 Docuprint. The job is set to have pages 1-2 on thick stock and 3-6 on thin stock, all 2 sided. When it arrives at the 6180 it is recognizing sides printed and that there are 2 blocks of exception pages (1-2 and 3-6); unfortunately the stock for both shows up as unspecified. I've made sure that the printer's stock library is matching the descriptive name in the JDF node setup in uStore.
    Nodes in uStore:
    @DescriptiveName="Media Type Thick"
    @DescriptiveName="Media Type Thin"
    Names in the printer's stock library:
    Media Type Thick
    Media Type Thin
    Should the uStore JDF node set have more entries so that the 6180 can properly ID the stock? Or is there a specific naming convention I should be using? Like say no spaces or capital letters?

By default, uStore includes JDF nodes for several paper types, folding and colour settings. These nodes are available when you set up JDF requirements in the Product Properties page. If your job includes additional requirements, such as printing on named stock, you need to create additional JDF node sets. To ensure that your product is printed according to the JDF specifications, make sure that you follow these steps:
    1) Create the required property in the Product Properties page.
    2) Create the new JDF Node Set. The JDF Node Set that you create is added to the list of options available when you set up JDF requirements in the Product Properties page. See To add new JDF node sets below.
    3) Create the new JDF Node. See Setting Up JDF Nodes below.
    4) Assign the required JDF Node set to the property options in the Product Properties page.
    To add new JDF node sets:
    1) Select Presets > System Setup > JDF Node Set.
    2) On the JDF Node Set page, click Add New.
    3) In the Display Name box, enter a name for the node set. For example, if your product needs printing on SRFRed Stock, enter PrintOnSRFRedStock.
    4) Click Save.
    The Node Set is added to the list and is available in the Product Properties page when you set up customer input controls of the following types: drop-down lists, radio buttons, and gallery/grid view lists. To make sure that uStore sends the correct information when it creates the JDF file, you need to set up the JDF Node with the required XML code.
    To add a new JDF node:
    1) Select Presets > System Setup > JDF Node.
    2) On the JDF Node page, click Add New.
    3) In the JDF Node Set ID list, select the JDF Node Set that you want to set up. For example, if you create a JDF Node Set for printing on SRFRed Stock, select the PrintOnSRFRedStock node set.
    4) In the Node XML box, enter the XML code for the new JDF node. For example, enter @ProductID="SRFRED".
    5) In the Node Target Xpath box, enter the location of the node in the JDF file. For example, the Media attribute should be located at //ns:ResourcePool/ns:Media.
    6) Click Save.
    The new node set is added to the list. Every time a product includes this property option, the XML code will be added to the JDF file. For your reference, uStore saves all JDF files at \\[ServerName]\App\JDF. (Thanks to Steve F and Per F for validating this information.)
