Azure RMS Group user with Ad-hoc policy

Similar Messages

• New users with Global Password Policy requiring password "reset on first user login" are still prompted to reset password after entering incorrect password

  The setup:
  We have the option "Password must: be reset on first user login" enabled in the Global Password Policy on our 10.9 / Mavericks server. We import new user accounts into Open Directory via a delimited text file and include a default password for each user.
  What I've observed and tested:
  When a user attempts to log into a computer that's bound to our Open Directory for the first time, they can enter anything in the password field and still receive the prompt to reset their password. They are never notified that they entered their default password incorrectly. The password reset will then fail (as it should), but they still aren't notified that this is the reason for the password reset failure. To put it another way: Seeing the prompt to reset your password would reasonably imply that you entered the default password correctly, but that's not the case at all.
  The question:
  Is this expected behavior? If it is, it doesn't seem logical. If this was the case in OS X Server 10.3 through 10.7 I never noticed it. Can anyone corroborate this with their own setup? Thanks in advance.
  -- Steve

  Some follow up questions:
  - How did you migrate (dsmig ldif or binary import)
  - Did the accounts in .x have any custom password policies set?
  For a "new" and a migrated entry, can you check if a passwordpolicysubentry is configured?
  (search as directory manager and fetch the attribute)

• New group/user

  Whats the best way to create a new group/user with the same (or nearly the same) access priviledge as root.
  I am trying to install Oracle (freebie that came with 2.8), I created a group and user called TAC but i have run into all sorts of install issues.
  TIA

  you can specify initial group as 14 and other groups as 10.
  group 14 is sysadmins.
  You do not want to let oracle have access to any privileges. Give it it's own group and let it play in it's own specified dir.

• The user '*' preference item in the 'User - 6th Form Students Policy {E03166E7-A848-48B5-AA93-97B848AA9C13}' Group Policy object did not apply because it failed with error code '0x80070003 The system cannot find the path specified.' This error was suppres

  I am looking at an issue with users not getting specific group policies. 
  After searching a number of client computers I found that the following error
  The user '*' preference item in the 'User - 6th Form Students Policy {E03166E7-A848-48B5-AA93-97B848AA9C13}' Group Policy object did not apply because it failed with error code '0x80070003 The system cannot find the path specified.' This error was suppressed.
  I can find the folder in the Sysvol folder on all of the domain controllers. 
  The issue with end users seems to be that the proxy settings for internet explorer is not being applied. 
  Potential problems?
  one folder in sysvol entry is empty 
  \\<server>\SYSVOL\<domain.name>\Policies\{E03166E7-A848-48B5-AA93-97B848AA9C13}\User\microsoft\IEAK\LOCK
  or is this our issue
  The old method of configuring proxy settings  to Internet Explorer 9 has changed?
  https://support2.microsoft.com/kb/2530309?wa=wsignin1.0 
  http://thommck.wordpress.com/2013/11/08/the-new-way-to-configure-internet-explorer-proxy-settings-with-group-policy/

  Hi all 
  In administering this policy I am a little confused. 
  We have a policy that distributes proxy settings in the internet explorer maintenance settings section - however when opening this policy up in GPO editor the internet explorer maintenance section is not present.
  I plan to apply the settings via User/preferences/control panel settings/ internet settings (or registry settings from article) however I am unable to edit the settings for internet explorer maintenance and these will persist. Ideas????

• Azure RMS user licensing

  Hi,
  Im struggling with finding clear information on licensing surrounding Azure RMS, in particular protecting files on on-premise file servers.
  To begin with we only want to use Azure RMS to protect content stored within on-premise Windows 2012 servers using FCI and the Azure RMS Connector.
  In terms of licensing the users do we need to
  A) License each user that will be consuming protected content on premise?
  or
  B) License the users that will be applying the protection to content.
  i.e. does a user need a RMS license to consume on premise protected documents.
  A previous engagement with Microsoft Partner PreSales Advisory stated that we do not need to license users that are purely consuming content and only need to license uses putting the protection and policys in place but we wanted to confirm this.
  We are aware that with Applications such as Exchange Online and SharePoint Online all users need an RMS license but we need the clarification on on-premise file servers.
  Can anyone help?
  Many Thanks

  Hi Carol,
  Thank you for the further explanation this certainly does help clear things up.
  Thinking about this scenario more and more it does seem like it could be quite cumbersome to license with a high potential to not license correctly certainly in a large environment.
  Depending on how you have you NTFS permissions setup it strikes me that you would need to license any user that has the potential to save / create a file in a location as by default they would be the owner of that new file.
  Would it be a sensible suggestion to have a license in place for all members of the security group that has the ability to create files in the location you are protecting? Further on from that if a we did this and a member of that security group didn't have
  a license would we breach licensing regulations or would they simply not have the relevant functionality available to them? Taking this even further if the protection gets put in place by a policy / FCI rule surely they wouldn't need any different level
  of functionality as FCI will be assisting in putting the protection in place not the user creating the files.
  Sorry to bombard you with my questions / ramblings!
  Thanks

• Seggregate Automated User provisioning using Access Policy-Diff Groups/Org

  Hello there,
  By default, the users that are created in OIM - via GTC/via self registration/via Administrator - they all get assigned to "All Users" group. Can we assign these users to a different User Defined group for e.g. "trialgroup", by default and Unassign the "All Users" group. If yes, how can we do that?
  This question is related to another question of mine:
  I want to avoid all the users that are being created in OIM system - to be all together provisioned to a single IT Resource in my case OID directly via Access policy which can be applied on individual group. I want to keep the system extensible for future purposes. And the only way to seggregate direct resource provisioning via access policy is by means of different "groups". So the solution that I could think of was to assign all the users that are being created currently (via GTC and via Bulk Load into OIM) to a separate group and assign an access policy to the group so that in future if any other resource comes into picture then the system can be extended by creating more groups and designing individual separate access policies for the same.
  Does this makes sense?
  Please provide your inputs! Any hints/suggestions/ideas are welcomed.
  TIA,
  - oidm.

  I am actually not very sure, what you want to achieve form the content of that post. If you mean that you would not want every user in OIM to be provisioned to OID automatically through access policy, then I am assuming that in that case you will aplly the access policy to the ALL_USERS group.
  Well I may be missing the flow of your question, but here is what you can do based on my understanding:
  1) Just forget ALL_USERS group. We can no nothing about it. Any User created will be a part of this group and you cannot remove a user from this group.
  2) In place of this what you can do is create another group, for instance trialgroup and make all users a member of this group as well. This would be simple to do. See next step. Use addMemberUser() API of addMemberUser interface.
  3) Create an Entity adapter with a javatask added, which takes an input of UserID, and assigns that user to this group (trialgroup) in OIM using above API. Attach this adapter to the post-insert trigger of the "Users" data object manager. (It also have another ootb Entity adapter which adds all the users to ALL_USERS group).
  4) Attach your access policy to this group.
  5) Now also you are free to extend your system by creating more groups and access policies. It shouldn't be a problem.
  Thanks
  Sunny

• User with 2 permissions assigned via groups, not able to utilize the higher privilege

  User has been assigned Publishing Editor, this was assigned by being a member of a group, where group's permission is publishing editor. 
  In addition, the user has been assigned Reviewer, this also was assigned by being a member of a group, where group's permission is Reviewer. 
  The issue: The user can only perform functions related to the Reviewer role, and can't perform functions available via the Publishing Editor.
  Any Ideas what is going on? 
  *Removing the user from the Reviewer group is not an option. 

  Hi,
  The easiest way is to grant the single user Publishing Editor permission of that folder directly, check if the issue persists.
  Right click on the folder, Properties -> Permissions -> Add the user with Publishing Editor permission.
  Regards,
  Melon Chen
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• Same user with administrative rights on all the servers in single domain versus domainadmin as a part of administrator group in all the servers

  same user with administrative rights on all the servers in single domain user as a part of administrator group in all the servers:
  same user is configured as administrator on all the servers in one domain at windows 2003 server. Should this user be made part of domain admin and then this can be set up in the group of administrator for all the servers.
  How this is technically different?
  If same user is set up as an administrator on all the servers in domain, will it have the same access on all the files as a domain admin user?
  dhomya

  If the account is not admin on the domaincontrollers and the account is not member of domain admins or any other privileged AD group, the account has only user privileges on AD and thus cannot perform actions like creating and managing  accounts,
  groups, OUs,policies, sites, ...in other words cannot potentially ruin Active Directory.
  I think that is a pretty big difference.
  In fact, it is bad practice to perform you daily server management with an AD privileged account.
  In regards of file access. The domain administrator will be just an admin, and thus has the privilies assigned to the local admin group, just as any other admin. But if it are different accounts they might be member of different groups assigning different
  privileges. Always be carefull when assuming resulting privileges will be the same.
  MCP/MCSA/MCTS/MCITP

• OIM 10g Event Handler : Integrated with User Groups.User Members

  I have created custom event handler and integrated it with User Groups.User Members data object.
  here is my code od event handler class:
  public class GroupEventHandler extends tcBaseEvent {
       public GroupEventHandler() {
            this.setEventName("Event Handler Sample");
       protected void implementation() throws Exception {
            System.out.println("============@@@@@@@@ IN EVENT HANDLER ");
            try
            String groupKey = this.getDataObject().getString("Groups.Key");
            writeToFile(groupKey);
            catch (Exception e)
                 e.printStackTrace();
  But I am getting this exception :
  ERROR [ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)' XELLERATE.SERVER - Class/Method: tcTableDataObj/getString encounter some problems: Column 'GROUPS.KEY' not found
  com.thortech.xl.dataaccess.tcDataSetException: Column 'GROUPS.KEY' not found
       at com.thortech.xl.dataaccess.tcDataSet.getColumnIndex(Unknown Source)
       at com.thortech.xl.dataaccess.tcDataSet.getString(Unknown Source)
       at com.thortech.xl.dataobj.tcTableDataObj.getString(Unknown Source)
       at oim.GroupEventHandler.implementation(GroupEventHandler.java:19)
       at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
       at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
       at com.thortech.xl.dataobj.tcDataObj.eventPostInsert(Unknown Source)
       at com.thortech.xl.dataobj.tcUSG.eventPostInsert(Unknown Source)
       at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
       at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
       at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
       at com.thortech.xl.ejb.beansimpl.tcGroupOperationsBean.addMemberUsers(Unknown Source)
       at com.thortech.xl.ejb.beans.tcGroupOperationsSession.addMemberUsers(Unknown Source)
       at com.thortech.xl.ejb.beans.tcGroupOperations_ejm77u_EOImpl.addMemberUsers(tcGroupOperations_ejm77u_EOImpl.java:1671)
       at Thor.API.Operations.tcGroupOperationsClient.addMemberUsers(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.security.Security.runAs(Security.java:41)
       at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
       at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
       at $Proxy66.addMemberUsers(Unknown Source)
       at com.thortech.xl.webclient.actions.UserGroupMembersAction.assignMemberUsers(Unknown Source)
       at com.thortech.xl.webclient.actions.UserGroupMembersAction.assignGroupMembers(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
       at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
       at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
       at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
       at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
       at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
       at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
       at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3592)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)

  Anyone have idea about why "Groups.Key" not found exception thrown here..
  I have assigned this event handler at postinsert event of User Groups.User Members Data Object.

• Set "peoples or groups" field with current user "login name" in sharepoint list form using javascript

  hi friends
  i am trying to set peoples or groups field in sharepoint  list form with current user login name
  here my code
  <script src="http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.9.0.js"></script>
  <script type="text/javascript">
  $(document).ready(function NewItemView () {
  var currentUser;
      if (SP.ClientContext != null) {
        SP.SOD.executeOrDelayUntilScriptLoaded(getCurrentUser, 'SP.js');
      else {
        SP.SOD.executeFunc('sp.js', null, getCurrentUser);
      function getCurrentUser() {
        var context = new SP.ClientContext.get_current();
        var web = context.get_web();
        currentUser = web.get_currentUser();
        context.load(currentUser);
        context.executeQueryAsync(onSuccessMethod, onRequestFail);
      function onSuccessMethod(sender, args) {
        var account = currentUser.get_loginName();
        var accountEmail = currentUser.get_email();
        var currentUserAccount = account.substring(account.indexOf("|") + 1);
      SetAndResolvePeoplePicker("requester",account);
  // This function runs if the executeQueryAsync call fails.
      function onRequestFail(sender, args) {
        alert('request failed' + args.get_message() + '\n' + args.get_stackTrace());
   function SetAndResolvePeoplePicker(fieldName, userAccountName) {
     var controlName = fieldName;
      var peoplePickerDiv = $("[id$='ClientPeoplePicker'][title='" + controlName + "']");
      var peoplePickerEditor = peoplePickerDiv.find("[title='" + controlName + "']");
      var spPeoplePicker = SPClientPeoplePicker.SPClientPeoplePickerDict[peoplePickerDiv[0].id];
      peoplePickerEditor.val(userAccountName);
      spPeoplePicker.AddUnresolvedUserFromEditor(true);
  </script>
  but it is not working
  please help me

  Hi,
  According to your post, my understanding is that you wanted to set "peoples or groups" field with current user "login name" in SharePoint list form using JavaScript.
  To set "peoples or groups" field with current user "login name”,  you can use the below code:
  <script src="http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.9.0.js"></script>
  <script type="text/javascript">
  function SetPickerValue(pickerid, key, dispval) {
  var xml = '<Entities Append="False" Error="" Separator=";" MaxHeight="3">';
  xml = xml + PreparePickerEntityXml(key, dispval);
  xml = xml + '</Entities>';
  EntityEditorCallback(xml, pickerid, true);
  function PreparePickerEntityXml(key, dispval) {
  return '<Entity Key="' + key + '" DisplayText="' + dispval + '" IsResolved="True" Description="' + key + '"><MultipleMatches /></Entity>';
  function GetCurrentUserAndInsertIntoUserField() {
  var context = new SP.ClientContext.get_current();
  var web = context.get_web();
  this._currentUser = web.get_currentUser();
  context.load(this._currentUser);
  context.executeQueryAsync(Function.createDelegate(this, this.onSuccess),
  Function.createDelegate(this, this.onFailure));
  function onSuccess(sender, args) {
  SetPickerValue('ctl00_m_g_99f3303a_dffa_4436_8bfa_3511d9ffddc0_ctl00_ctl05_ctl01_ctl00_ctl00_ctl04_ctl00_ctl00_UserField', this._currentUser.get_loginName(),
  this._currentUser.get_title());
  function onFaiure(sender, args) {
  alert(args.get_message() + ' ' + args.get_stackTrace());
  ExecuteOrDelayUntilScriptLoaded(GetCurrentUserAndInsertIntoUserField, "sp.js");
  </script>
  More information:
  http://alexeybbb.blogspot.com/2012/10/sharepoint-set-peoplepicker-via-js.html
  Best Regards,
  Linda Li
  Linda Li
  TechNet Community Support

• Why can't I be in a group chat with an android user?

  I have the iphone 5 and I am not able to participant in group chats if there is an android user involved. I will not even see the messages that are sent. For example, there is a group chat with another iphone 5 user, an iphone 4s user, and an android user. I am in the chat, as other parties can see my number, but I do not receive any texts from the group.

  Because you are using lightroom, whether cs5 supports that camera model or not is irrelevent, unless you open or place the raw file itself into photoshop.
  Lightroom does not send a raw file, it sends a tiff or psd (Jpg is also an option if you use a secondary editor) file to photoshop. Odds are greater that lightroom 4 does not support your camera.
  Adobe has a list of camera models that each version of lightroom and camera raw support. It will tell you whether you are up to date, need to do an update. If they are not an option then you can use the dng converter or purchase a newer version of lightroom.

• Analytical Services failed to get user's parent group tree with Error

  Hi,
  We have a frequent errror during our weekly batch for an application.
  The context:
  - Essbase Administration Services we are using is version is 9.3.1.
  - 8 applications are calculated during the week-end. The scripts executed are exactly the same for the 8 applications.
  - For example let's say that 5 scripts are launched during the night in the batch for each application (script 1, script 2 ... script 5)
  - App1 and App2 are launched alone and before the 6 others applications as these applications database are 3 x bigger (App1 is calculated alone, then app2 is calculated alone, then app3 to app8 scripts are launched in the same time).
  The issue :
  - We don't see any issue for app3 to app8, the calculation are executed without any problem from script1 to script5.
  - But we have an error in App1 and App2 log when the bath execute script 4 and we see the following error in the server log **
  "Analytical Services failed to get user's parent group tree with Error".
  (** : we don't see any log for script 4 in the application log - it's like the server bypass script 4 to go directly from script 3 to script 5 )
  Nothing special is done in script 4 but just an aggregation of the Year dimension (using a @SUM(@RELATIVE(Year,0)) calculation.
  I think that there is may be a synchronization error with Shared Services but what is strange is that it's always for the same script 4 and the batch is launched at different time every week-end.
  Can the issue be linked to the size of the database of applications (8 Gb) and difficulties for the processor to executes aggregation in a large database volume ?

  Hi,
  According to your description, my understanding is that the error occurred when sending an email to the user in workflow.
  Did you delete the existing Connections before setting NetBiosDomainNamesEnabled?
  If not, I recommend to delete and recreate your AD connections, then set NetBiosDomainNamesEnabled to true.
  Or you can delete the original User Profile Service Application and create a new one, then set the NetBiosDomainNamesEnabled to true and start the User Profile Service Application
   synchronization.
  More reference:
  http://social.technet.microsoft.com/wiki/contents/articles/18060.sharepoint-20xx-what-if-the-domain-netbios-name-is-different-than-the-fqdn-of-the-domain-with-user-profile.aspx
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support

• Where do I see Sharepoint user with no group or permission in the UI ?

  Hello All -
  The powershell cmdlet 'New-SPUser' has only 2 mandatory parameters UserAlias and Web. Group and PermissionLevel are not required.
  This means I can create a user with no group or no permission level. However UI does not allow this to happen, it forces you to select either one (group or permission level).
  My question is where do I see the user in UI which was created using powershell without any group or permission level ? The reason I ask is UI when it displays user, a group is always selected.
  Thanks!

  You should be putting the "_catalogs/users/detail.aspx" section into your url. For example if you were to go into your site settings page your url might start as:
  "http://manju.sharepoint.domain.com/sites/manjuTest/_layouts/settings.aspx"
  and it should become:
  http://manju.sharepoint.domain.com/sites/manjuTest/_catalogs/users/detail.aspx

• Initial Load - AS ABAP - getting only user with a group

  Hi,
  when i start initial load, i just get users with groups. Is that standard?
  Br,
  Philip

  First of all - you'll need to familiarize yourself with the database for effective learning and debugging. I'm talking about the MS-SQL or Oracle-DB where you installed the IC-schema. It often helps me to understand whats going on behind the scenes.
  Secondly - I read some of your posts - I would advise you to install the dispatcher and everything on the server where the DB is hosted - at least as long as you're in development. The MMC can still be on your local pc/laptop, although some things won't work well there (Import, Dispatcher-Status, ...). This'll ease things a lot I suppose.
  About the service-user... SAP delivers a role you can import into PFCG (SAP_BC_SEC_IDM_.SAP-File in misc-folder of installation media). This role should be sufficient for your communication user, is updated every now and then and contains only the necessary permissions. Maybe you'll have to extend it (Z_SAP_) in case you want to read special tables not supported by the SAP framework (e.g. license data).
  I can hardly believe that the current role assigned to your user only has permissions to users with groups != empty
  By now I have no clue why you only see users in IdM with groups assigned in SU01... look up the SQL-table I mentioned if there are more users.
  BR
  Michael

• I am currently an iPhone user, and I am planning to upgrade to a galaxy s5. Will I still be able to group message with iPhone users even thought I have a galaxy

  I am currently an iPhone user, and I am planning to upgrade to a galaxy s5. Will I still be able to group message with iPhone users even thought I have a galaxy

  Hi
  Yes you should be able too, this depends on the features on the phone but i would imagine something as new as the s5 would have this feature. However this would obviously be over standard sms rather than imessage.
  Hope this helps