Attribute group for user?
Hi all,
We're trying to migrate user data from an LDAP server to Active Directory running on Windows Server 2012. Besides user objects, there are multi-value attribute "groups" objects in the LDAP server and I've no idea how to migrate them to AD, e.g.
For user uid=123456, who is a student with a double major, there exist 3 objects for this user:
1. the user object, contains: uid: 123456, name, contact, etc.
2. 1st major object, contains: uid: 123456, major: Mathematics, year of attention (2010), faculty: Science
3. 2nd major object, contains: uid: 123456, major: English, year of attention (2011), faculty: Arts
Would anyone please help? Thanks a lot.
Regards
/ST Wong
So group objects can be a bear, primarily because a group can contain other groups in the AD world; not sure about the LDAP server you are migrating from.
So the first thing I would do is map all attributes that are in use on the LDAP server to a corresponding AD attribute. Once that's done, a script could be built to populate those.
This would also be true for the groups.
Groups need a User or Group distinguished name to add to the members attribute.
So in your migration steps, before the first user is migrated, I would create a corresponding group that matches the LDAP server's group. Then as you migrate them in, whatever script or third-party product you use would just add them as a member to the pre-created group. FIM can do this but can be cumbersome to use.
Another thing that needs to go into the planning in respect to groups is that security groups are only useful when they are used to apply permissions to something.
So looking at your example:
UID: does that correspond to the logon name in Active Directory? If so, then the corresponding attribute would be sAMAccountName.
Name could correspond to displayName in Active Directory.
Contact would be dependent on the data that the field held.
The Major objects seem like groups to me.
So Group Name, cn, and sAMAccountAttribute would be something like Mathematics2010.
Another attribute on the group object, maybe department, would hold Science.
A lot of this is dependent on what consumes the data and whether an attribute already exists. You can create attributes if they are needed, but I would recommend first mapping out between the 2 systems to see which ones fit and which ones do not.
I know that is vague, but here are some links that will let you know which attributes are defined by default in Active Directory:
User Objects (Broken up by DC OS version)
http://msdn.microsoft.com/en-us/library/ms683980(VS.85).aspx
Group Objects (Broken up by DC OS Version)
http://msdn.microsoft.com/en-us/library/ms682251(v=vs.85).aspx
As you do the mappings between systems it is important to have the final picture in mind of how everything will work once the migration is complete. That way it will allow you to focus on the important things and leave the not so important things till later.
Hopefully that helps!
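To make the mapping the answer sketches concrete, here is an added Python example (not code from the thread) that takes LDAP records in the shape the question describes, builds the AD user and group attributes the answer proposes, orders the provisioning steps so groups exist before members are added, and runs the checks a migration script should make first. The OU names, the sample records and the contact-to-mail mapping are assumptions.

```python
"""Map LDAP student/major records onto AD user and group objects.

Added example for this thread, not code from the original post. Source
attribute names (uid, name, contact, major, year, faculty) follow the
question; target attributes (sAMAccountName, displayName, department,
member) follow the answer; OU names and sample records are constructed.
"""
import re

USERS_OU = "OU=Students,DC=example,DC=edu"   # assumed target containers
GROUPS_OU = "OU=Majors,DC=example,DC=edu"

# Constructed sample: one user object plus one object per major, all
# carrying the same uid, which is the shape described in the question.
# uid 654321 deliberately has a major object but no user object.
LDAP_ENTRIES = [
    {"uid": "123456", "name": "Alice Example", "contact": "alice@example.edu"},
    {"uid": "123456", "major": "Mathematics", "year": "2010", "faculty": "Science"},
    {"uid": "123456", "major": "English", "year": "2011", "faculty": "Arts"},
    {"uid": "654321", "major": "Mathematics", "year": "2010", "faculty": "Science"},
]


def group_name(major, year):
    """Group cn/sAMAccountName in the answer's style, e.g. Mathematics2010."""
    return re.sub(r"[^A-Za-z0-9]", "", major) + year


def map_entries(entries):
    """Return (users, groups, problems) ready for a provisioning script."""
    users, groups, problems = {}, {}, []
    for e in entries:
        uid = e["uid"]
        if "major" in e:
            name = group_name(e["major"], e["year"])
            g = groups.setdefault(name, {"cn": name, "sAMAccountName": name,
                                         "department": e["faculty"], "member": []})
            g["member"].append(f"CN={uid},{USERS_OU}")   # member holds DNs
        else:
            users[uid] = {"sAMAccountName": uid, "displayName": e["name"],
                          "mail": e["contact"], "dn": f"CN={uid},{USERS_OU}"}
    # Checks to run before touching the directory.
    for name, g in groups.items():
        for dn in g["member"]:
            uid = dn.split(",")[0][3:]
            if uid not in users:
                problems.append(f"group {name}: member {uid} has no user object")
    for u in users.values():
        if len(u["sAMAccountName"]) > 20:   # pre-Windows 2000 logon name limit
            problems.append(f"{u['sAMAccountName']}: sAMAccountName over 20 chars")
    names = [u["sAMAccountName"] for u in users.values()] + list(groups)
    if len(set(names)) != len(names):   # sAMAccountName is unique per domain
        problems.append("duplicate sAMAccountName between users and groups")
    return users, groups, problems


def plan_operations(users, groups):
    """Order operations so every member DN already exists when it is added."""
    ops = [("add_user", u["dn"]) for u in users.values()]
    ops += [("add_group", f"CN={g['cn']},{GROUPS_OU}") for g in groups.values()]
    ops += [("add_member", f"CN={g['cn']},{GROUPS_OU}", dn)
            for g in groups.values() for dn in g["member"]]
    return ops
```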
Similar Messages
-
OBA4 FI tolerance groups for users - GL account
Dear All,
May I know where is the gl account defined for the permitted payment differences? If in FBKP, then which group to define?
Thanks
Hi
Please use the below mentioned path to define tolerance groups for users and also refer to the link below.
For normal price difference clearing use the Tcode: OBXL
http://www.scribd.com/doc/51496069/17/Assign-User-Tolerance-Groups
For details please go through the below mentioned points:
SPRO > Financial Accounting > General Ledger Accounting > Business Transactions > Open Item Clearing > Clearing Differences > Define Tolerance Groups for G/L Accounts / Define Tolerance Groups for Employees
Upper limit for posting procedure
Maximum Amount Posted per Document
Maximum permitted posting amount per document for this user group.
The posting amount is the total of all debit items or, similarly, the total of all credit items.
Maximum Posting Amount per Line Item
Maximum posting amount permitted per customer or vendor item for this user group.
Maximum Cash Discount Percentage Rate
Maximum cash discount percentage rate which may be assigned by an employee of the user group.
Use
The percentage rate is checked during the entry, change and clearing of open items.
Note
The restriction does not apply to automatically created line items, for example, during payment settlements.
Permitted payment difference
Maximum Payment Difference for Revenue
Payment differences to our advantage are allowed up to the amount entered here.
The amount always refers to the local currency. Payment differences up to the amount entered here are posted automatically by the system as increasing the profit. The system creates line items to show this.
Note
In addition to the amount, you also enter a percentage rate in the Percent field. The lower limit is valid. If you only want to use absolute amounts or percentage specifications, then you must enter the maximum value in every other field.
Note that you define these limits for your customers/vendors and your employees. The lower limit is valid.
Example
The local currency is USD. You have entered 30 USD in the Revenue field and 1 in the Percent field. For incoming payments up to 3000 USD, you accept an overpayment of a maximum of 1 percent. That means, amounts of 0 to a maximum of 30 USD are tolerated, depending on the incoming payment amount. For incoming payments over 3000 USD, you accept an overpayment of up to a maximum of 30 USD.
Maximum Allowable Revenues from Payment Differences
Differences when settling payments are accepted and posted automatically by the system up to the percentage rate entered here. The percentage rate is only valid if the difference is posted as a gain.
The percentage rate is used for the maximum of the debit and credit totals of the items to be cleared.
Note
In addition to the percentage rate, you also enter an amount in the Revenue field. The lower limit is valid. If you only want to use absolute amounts or percentage specifications, you must enter the maximum value in every other field.
Note: You define these limits for your customer/vendor and your employees. The lower limit is valid.
Example
The local currency is USD. You have entered 30 USD in the Revenue field and 1 in the Percent field. For incoming payments of up to 3000 USD, you accept an overpayment of a maximum of 1 percent. That means, amounts of 0 to a maximum of 30 USD are tolerated, depending on the incoming payment amount. For incoming payments over 3000 USD, you accept an overpayment of up to a maximum of 30 USD.
Maximum Discount Adjust. for Gain from Payment Differences
When clearing payments, any payment differences up to the amount specified here are corrected with the cash discount posting as long as the cash discount amount is large enough for the adjustment. The value you specify here is used for differences that represent a gain.
Regards
Praveen PC
Edited by: Praveen Chirakkel on Apr 12, 2011 6:46 AM
-
ISE: create rules with AD groups for Users and Computers
Hello,
We've just begun to work with ISE.
Is this the right place to post about ISE, or is there a dedicated forum somewhere else?
We'd like to create some rules depending on Computer member groups AND User member groups from AD, but we are meeting some difficulties.
We've created AD groups for Computers and Users depending on their Department:
Users_1
Users_2
Computers_1
Computers_2
When we create some basic rules regarding one group only:
- with a group Computers_x to assign a specific VLAN to a computer (when no Windows session is opened), it runs correctly.
- with a group Users_x to assign a specific VLAN to a user (when a Windows session is opened), it runs correctly.
But when we create a rule regarding a group from Computers and one from Users, to assign a specific VLAN to a user on a specific computer, this rule is not applied.
Is it possible to use ISE in this way?
Thanks for help.
Regards,
Chris
Enable EAP Chaining if you want Cisco ISE to allow authentication of both machine and user in the same EAP-FAST authentication.
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
-
OBA3 (Customer / Vendor Tolerance) and OBA4 (FI Tolerance Group for User)
Hi Expert,
With reference to the subject of this post, could anyone highlight to me the actual difference between these 2 tolerance settings?
I use OBA4 to set the payment differences for cash discount and payment differences, and it works.
Therefore, I wonder what the main functions of OBA3 are. Is there any inter-relation between these 2 tolerance settings?
Both settings also have the section "Permitted payment difference"...
In OBA3, the help file says that ... "In this step, you specify the tolerances for vendors. These tolerances are used for dealing with differences in payment and residual items which can occur during payment settlement..."
Kindly advise.
Thanks and regards,
Sbmel
Thanks for the fast reply.
Therefore, technically speaking, if I want to limit the cash discount given or received from a vendor/customer, I can just create the "OBA4 setup user wise, and you assign this group to user" ... and from these settings, I just need to create:
Group: <Blank>
Company Code: My desired company code
Currency: company code currency (defaulted per company code)
Cash Discount per line item to: 0
and at the permitted payment difference section:
Revenue: Cash discount adj to: 0
Expense: Cash discount adj to: 0
Right?
Thanks
Sbmel
-
Restriction of sales group for users
Hello,
I need to restrict the sales group for different users using VA05. I tried so many ways but I am still able to see the other users' data.
We already created one authorization object and assigned it in a role, but we are not able to restrict the users.
In our scenario the users are dealers, and one dealer can see the other dealers' data.
Please guide me on how to restrict the users at sales group level.
Thanks,
Sivaprasad
Hello,
What I understand from your post is that you want to restrict the users to view the list of sales orders (report using VA05) just for their sales group and not for others, as in your case your dealers are your end users and you want each dealer to be able to view only his sales orders and not those that have been issued to other dealers. Is that correct?
You have created a custom object using field VKGRP on the basis of which you want to restrict the report. The object has to be defined in the standard program for VA05 for the authority check and then included in the role. In this case you may have to create one role for each user or group of users for each sales group.
-
Need attribute list for User object
Hi All,
Where can I find the attribute list for the object "User"? I need this for silent mode domain configuration.
Thanks!
-
[SOLVED] Problems changing primary group for user
Hello,
I used the following command to add a new user
# sudo useradd -m -g users -G audio,lp,optical,storage,video,wheel,games,power,scanner -s /bin/bash mel
I then did
# cat /etc/group
and everything looked like it should apart from the user mel was not on the users group line
e.g.
storage:x:95:john,mel
scanner:x:96:john,mel
power:x:98:john,mel
nobody:x:99:
users:x:100:john
so I tried
# sudo usermod -g users mel
still no effect
is this normal?
Last edited by mrLogan (2012-04-05 08:36:32)
Gcool wrote: Try using "adduser" (interactive version) instead and see if the behaviour remains the same.
I used
# sudo userdel -r mel
to remove the account
and then used
# sudo adduser
and went through the prompts
By default it wanted to add the users group as primary and I accepted it.
Everything went fine, no errors, but yet again
cat /etc/group shows
storage:x:95:john,mel
scanner:x:96:john,mel
power:x:98:john,mel
nobody:x:99:
users:x:100:john
dbus:x:81:
Interestingly, if I do
# sudo id mel
I get
uid=1001(mel) gid=100(users) groups=100(users),7(lp),10(wheel),50(games),91(video),92(audio),93(optical),95(storage),96(scanner),98(power)
I am officially freaked!
-
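To see why mel is reported in users by id but never appears on the users line of /etc/group, here is an added Python example (not from the thread) that resolves membership the way id(1) does: the primary group comes from the GID field of /etc/passwd, while /etc/group only lists supplementary members. The /etc/passwd lines and the lp and wheel group lines are constructed to match the id output quoted in the thread.

```python
"""Resolve a user's groups from /etc/passwd and /etc/group like id(1).

Added example for the thread above, not part of the original post.
GROUP_LINES repeats the /etc/group lines quoted in the thread plus lp and
wheel; PASSWD_LINES is constructed so that mel has uid 1001 and gid 100.
"""

GROUP_LINES = """\
lp:x:7:john,mel
wheel:x:10:john,mel
storage:x:95:john,mel
scanner:x:96:john,mel
power:x:98:john,mel
nobody:x:99:
users:x:100:john
dbus:x:81:
"""

PASSWD_LINES = """\
john:x:1000:100::/home/john:/bin/bash
mel:x:1001:100::/home/mel:/bin/bash
"""


def parse_group(text):
    """name -> (gid, supplementary member list) from /etc/group records."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(text):
    """name -> (uid, primary gid) from /etc/passwd records."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def effective_groups(user, passwd_text=PASSWD_LINES, group_text=GROUP_LINES):
    """Return (uid, primary group name, all group names) as id would."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    uid, gid = users[user]
    by_gid = {g: n for n, (g, _) in groups.items()}
    primary = by_gid[gid]   # comes from passwd's GID field, not /etc/group
    supplementary = [n for n, (_, members) in groups.items() if user in members]
    return uid, primary, [primary] + sorted(set(supplementary) - {primary})


def listed_in_etc_group(user, group, group_text=GROUP_LINES):
    """What reading /etc/group alone shows: primary membership is absent."""
    return user in parse_group(group_text)[group][1]
```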
Umw attribute responsible for user ID in SAP Logon Ticket
In a typical portal login using the login module stack "ticket", I understand that j_user and j_password are used to login at the BasicPasswordLoginModule.
With our UME running against an LDAP server, what attribute is responsible for the user ID of the generated SAP Logon Ticket at the CreateTicketLoginModule? It could be j_user or userid of the principal type account or the uniquename or loginid of the principal type user.
Thanks,
Florian
I think it is by default, but if you are using quotes then you have to give it in upper case.
    select matnr into mara-matnr from mara where matnr = 'abc'.
will not fetch any value; here you have to give 'ABC'.
regards
shiba dutta
-
Consistency error for user in PPOSA_BBP , no error in HRALXSYNC
Hi Experts,
For the same user, when we run the report HRALXSYNC in SE38, everything is green, but when we check the same user in PPOSA_BBP it gives the error "Attribute check for USER failed".
I have two queries:
1) Why is there a mismatch between the two checks, i.e. the HRALXSYNC report and PPOSA_BBP?
2) How can we see what the exact error is?
Regards,
Anubhav
Hello Anubhav,
What version of SRM?
Execute the transaction bbp_bp_om_integrate for the user.
After the result comes, with some data in red, right?
Now scroll towards the right.
Select the User's consistency row; there is an option at the end of the toolbar
with 2 arrows showing downwards (Start Repair). Just select the user and click on it.
See what happens.
Arshad
Edited by: arshad ahmed on Jul 23, 2009 3:52 PM
Edited by: arshad ahmed on Jul 23, 2009 3:54 PM
Edited by: arshad ahmed on Jul 23, 2009 3:55 PM
-
Different groups for different syncing rights possible?
Hi,
Is it possible to configure datasync for one group syncing all mail and appointments and for another group only syncing appointments?
Do I have to set up two datasync servers, or could this be solved by an additional connector?
Markus
Originally Posted by markus
Hi,
Is it possible to configure datasync for one group syncing all mail and appointments and for another group only syncing appointments?
Do I have to set up two datasync servers, or could this be solved by an additional connector?
Markus
When I used Data Sync 2 years ago, I created two eDirectory groups:
1 for users only to sync Appointments and 1 group for users to sync all things.
This worked fine for us, but now with the new GW Mobility 2.0 this does not work anymore. I have no option to configure rights with groups.
Will Novell bring back this option, or is there a way to define default sync settings for all users newly added to the system?
-
Problem with LDAP authentication for users in a group
I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
[6707] memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
[6707] mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] msNPAllowDialin: value = TRUE
I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
ldap attribute-map AuthUsers
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
aaa-server LDAP protocol ldap
aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
 ldap-base-dn DC=COMPANY,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
 server-type microsoft
 ldap-attribute-map AuthUsers
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 webvpn
  anyconnect ask none default anyconnect
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
 wins-server none
 dns-server value 10.10.100.102
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value net.COMPANY.com
 webvpn
  anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
 address-pool COMPANY-SSL-VPN-POOL
 authentication-server-group LDAP
 authorization-server-group LDAP
 authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
 default-group-policy NOACCESS
 authorization-required
tunnel-group COMPANY_SSL_VPN webvpn-attributes
 group-alias COMPANY_SSL_VPN enable
tunnel-group COMPANY_SSL_VPN ipsec-attributes
 ikev1 pre-shared-key *****
I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.
-
Change Reference Attribute - "Manager" for multiple users
Hi,
I have a scenario in which I have to create a workflow to change a reference value attribute, "Manager", for multiple users in one go. Is it possible to achieve this with a workflow? If yes, then how?
Regards,
Manuj Khurana
Hello,
Not out of the box, since in workflows and custom activities you can only access the requestor and target object directly.
But you can develop your own custom activity that fits your need, or do it with a PowerShell custom activity.
I did a very similar thing, to be able to change users' group membership from the user UI, so I also had to edit objects other than requestor and target in a workflow.
Since both (manager and member) are reference attributes you may find this article helpful:
http://social.technet.microsoft.com/wiki/contents/articles/19615.fim-2010-r2-how-to-manage-group-membership-from-the-user-ui.aspx
I used this PowerShell activity in my solution:
http://fimpowershellwf.codeplex.com/
Regards
Peter
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com
-
Could we have the same names for Users and Groups in Active Directory?
When I am trying to create a user named "Logistics" under an OU, I am getting an error:
"The pre-Windows 2000 logon name you have chosen is already in use in this domain. Choose another pre-Windows 2000 logon name, and then try again"
We already have a group by the name "Logistics".
Could we have the same names for Users and Groups in Active Directory?
Thanks in Advance
The sAMAccountName attribute is unique. So, the short answer is you cannot.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile
-
How to change the groupType attribute of a user group object?
I'm trying to change the "groupType" attribute, of a user group object, from 'Distribution' to 'Security' (and the group scope is set to 'Global').
The CAD bit mask value needed would be: 0x80000002 (Decimal -2147483646).
How to change/modify the "groupType" attribute for this user group object?
Thanks,
UD
    import javax.naming.directory.Attribute;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.ModificationItem;
    // groupType 0x80000002 (global security group) as a signed 32-bit value
    Attribute attr = new BasicAttribute("groupType", "-2147483646");
    ModificationItem[] items = new ModificationItem[1];
    items[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attr);
    ctx.modifyAttributes(dn, items);   // ctx and dn set up earlier as in the post
--does not work.
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002141: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM)
Is it possible to modify it?
Thanks,
UD.
-
Hello,
I am facing a weird issue during the export of a group to a log file (xml).
I have configured my ADLDS management agent such that the export run profile exports data into an XML file:
Everything is fine in the XML, I see my new accounts and the attributes updated for accounts, but for an unknown reason the group which should contain accounts does not contain the DN values.
It contains the tags <dn-value> and <dn>, but <dn> is empty.
e.g.:
    <delta operation="update" dn="CN=GroupX,OU=Users,DC=ZZZZ">
      <anchor encoding="base64">XDSQDQDQ</anchor>
      <dn-attr name="member" operation="add" multivalued="true">
        <dn-value>
          <dn/>
        </dn-value>
        <dn-value>
          <dn/>
        </dn-value>
      </dn-attr>
During the export, FIM updates the attribute "member" of the group:
The Member attribute seems to be caught by FIM during the synchronization profile and export profile, but is not translated correctly into the final XML file.
Any ideas?
Thanks for your reply.
Thinking the same thing as David: sounds like a bug. But that's curious, because I've never had a problem with the AD MA doing exactly the same thing, albeit with FIM R1 most recently. What version of FIM are you using, and have you checked the release notes of any subsequent versions to see if any such issue is mentioned?
Bob Bradley (FIMBob @
TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM