Blog ACLs

Similar Messages

• ACL migration Error : 1210 could not find a domain controller for domain "Test Domain" (Old Domain)

  Hi
  We are migrating from old domain to new domain. Before live migration, we are trying to check the ACE/ACL migration through SubInACL. We are running the SubInACL on a cluster, which is a member of the Old Domain (Test Domain). We are able to resolve and
  ping both Old Domain and the New domain from this cluster machine. We have created a network share on this cluster, which is accessible to all Domain Users of the Old Domain. Both Domains have two way forest level trust. we are trying to migrate
  the ACL of this share (\\ClusterMachine\testshare$) to the new domain using SubInACL. We are trying to run the below command to get it done.  
  subinacl /outputlog=C:\Users\Administrator\Desktop\Migrationlog.txt /subdirectories
  \\ClusterMachine\testshare$\*.* /migratetodomain=OldDomain=NewDomain=mappingfile.txt
  Mapping file contains : Domain Users=NewDomain_Users
  But we are geeting the Error that "1210 could not find a domain controller for domain "Test Domain". Error finding domain name : 1210 the format of the specified computer name is invalid. Current Object "\\ClusterMachine\testshare$"
  will not be processed."

  Hello,
  how in detail is DNS set up in each domain?
  Any problems when using nslookup to verify?
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Trying to change the ACL of a domain user

  I am using the Set-Acl cmdlet to add a user to another user's domain account so that the second user will be able to read the permissions available to the first user.  I get an error on the very last line "this security id may not be assigned as
  the owner of this object".  I suspect that perhaps the error is caused because I am not permitted to change the owner of the account and the code is trying to do a wholesale rewrite of the ACL.  I am allowed to add the entry to the account through
  the UI and that is all I want to do via powershell.  Any ideas?
  $name1 = "someuser" #this is the user whose acl I want to edit
  $name2 = "someotheruser"  #this is the user that I want to add to the first user's acl
  $objUser = Get-ADUser -LDAPFilter "(sAMAccountName=$Name1)"
  $objDelegate = New-Object System.Security.Principal.NTAccount("$name2")
  Set-Location AD:
  $dn = $objUser.DistinguishedName
  $Acl = (Get-Acl $dn)
  $Ar = New-Object system.DirectoryServices.ActiveDirectoryAccessRule ($objDelegate,"GenericRead","Allow",$objUser.ObjectGUID)
  $Acl.AddAccessRule($Ar)
  Set-Acl -Path $dn -AclObject $Acl

  Hi Jay,
  To change the AD user permission with powershell, the script below is for your reference:
  Import-Module ActiveDirectory
  # Figure out our domain
  $root = (Get-ADRootDSE).defaultNamingContext
  # Get or create the System Management container
  $ou = $null
  try
  $ou = Get-ADObject "CN=System Management,CN=System,$root"
  catch
  Write-Verbose "System Management container does not currently exist."
  if ($ou -eq $null)
  $ou = New-ADObject -Type Container -name "System Management" -Path "CN=System,$root" -Passthru
  # Get the current ACL for the OU
  $acl = get-acl "ad:CN=System Management,CN=System,$root"
  # Get the computer's SID
  $computer = get-adcomputer $env:ComputerName
  $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
  # Create a new access control entry to allow access to the OU
  $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow", "All"
  # Add the ACE to the ACL, then set the ACL to save the changes
  $acl.AddAccessRule($ace)
  Set-acl -aclobject $acl "ad:CN=System Management,CN=System,$root"
  I think you need to add the line to get user2's SID "$sid".
  Refer to:
  http://blogs.technet.com/b/mniehaus/archive/2012/01/05/creating-the-configmgr-system-management-container-with-powershell.aspx
  If there is anything else regarding this matter, please feel free to let me know.
  Best Regards,
  Anna Wang

• Oracle 11g XE not working with oracle BI publisher 10g after enabling ACL

  Hello,
  I previously work with oracle 10gXE and Oracle BI publisher 10g and it work fine. now i install oracle 11g XE and try to configure it with oracle Bi Publlisher, it show this error
  "ORA-29273: HTTP request failed ORA-06512: at "SYS.UTL_HTTP", line 1324 ORA-12570: TNS:packet reader failure" after runing the ACL package to neable network service.
  on the database.
  Please can any body tell be why this is not working. Tanx.

  You'll need to add the apex engine owner to the ACL (Access Control List). Depending on your version of apex the user name varies. i.e. 4.0 is APEX_040000
  See Joel's blog for info about the ACL and APEX.
  [http://joelkallman.blogspot.com/2010/10/application-express-network-acls-and.html]

• Cannot prevent authenticated users from creating a blog on "My Page"

  I have a brand new Snow Leopard (10.6.1) 2.26 Ghz quad core Xserve with 12Gb RAM that will be used for web collaboration services. I've currently set up Wiki and Blog services with a group membership to allow creating wikis/blogs. The reason for this is for staff development purposes with the plan to add people into the group as they are trained. The process to set it all up was very simple, however, I'm having an issue preventing authenticated users from creating a personal blog. Although I can prevent the creation of wiki's to members of a group easily, any authenticated user on the server can log into "My Page" and will be able to create a blog. I've gone to server admin>choose the server>choose the "access" icon and set the column "for selected services below" (blog) to "allow only users and groups below" (the group) and it still doesn't prevent them from making a blog page. In WGM for the group on the "Basic" tab, the "enable the following services for this group" has only the choice of "none" and therefore since the site isn't showing as a choice, the Wiki, Blog, Calendar and Mailing List is grayed out. I've seen another thread that states in 10.6 that option for setting the service acl in the group settings of WGM is unavailable. Does anyone know a fix for my problem of security access for a "My Page" blog or is it a possible bug in Snow Leopard? Right now my only workaround is to remove the users access and enable it as they are trained. This isn't an ideal fix, however, because we have some users who want to limit their wiki or blog to authenticated users only, not public access. Any help will be greatly appreciated.
  Message was edited by: dstrollo.il

  Ran into this same issue.... Talked with a field engineer who confirmed the behavior. The question now is this a defect or "feature that does not work as as the audience desires". As I far can tell, the security setting for blogs in server admin does nothing at all. This has the potential to cause a few issues as you cannot limit who can have a blog.
  Message was edited by: jlindler

• 10.6.1 Server - cannot prevent authenticated users from creating a blog

  I have a brand new Snow Leopard (10.6.1) 2.26 Ghz quad core Xserve with 12Gb RAM that will be used for web collaboration services. I've currently set up Wiki and Blog services with a group membership to allow creating wikis/blogs. The reason for this is for staff development purposes with the plan to add people into the group as they are trained. The process to set it all up was very simple, however, I'm having an issue preventing authenticated users from creating a personal blog. Although I can prevent the creation of wiki's to members of a group easily, any authenticated user on the server can log into "My Page" and will be able to create a blog. I've gone to server admin>choose the server>choose the "access" icon and set the column "for selected services below" (blog) to "allow only users and groups below" (the group) and it still doesn't prevent them from making a blog page. In WGM for the group on the "Basic" tab, the "enable the following services for this group" has only the choice of "none" and therefore since the site isn't showing as a choice, the Wiki, Blog, Calendar and Mailing List is grayed out. I've seen another thread that states in 10.6 that option for setting the service acl in the group settings of WGM is unavailable. Does anyone know a fix for my problem of security access for a "My Page" blog or is it a possible bug in Snow Leopard? Right now my only workaround is to remove the users access and enable it as they are trained. This isn't an ideal fix, however, because we have some users who want to limit their wiki or blog to authenticated users only, not public access. Any help will be greatly appreciated.

  Thanks for the suggestion, but that would prevent all users from creating personal blogs. I was hoping to be able to have a group of users that can create a personal blog outside of the blog attached to a wiki.

• Query: Setting ACL for Roles and Programmatic Approach

  Hi All
  I'm trying to setup ACL for Roles on WCC(11.1.1.8) server by following the blog https://blogs.oracle.com/kyle/entry/access_control_lists_for_roles using Framework folder and have few queries
  Query 1:
  Created new folder and associate enterprise roles under Role access list
  1. Created a new folder 'MyFolder' with Security group 'Secure', owner 'weblogic'.
  2. Assigned Role 'Deployers' under Role Access List with RW permissions.
  3. In Admin console, associated user 'jcooper' with 'Deployers' group and 'jausten' with no group.
  4. Logged in using 'jcooper' and able to assess 'Myfolder'.
  5. Logged in using 'jausten' and also able to assess 'MyFolder'
  Observation
  Since user 'jausten' is not associated with 'Deployers' group, how can 'jausten' assess the folder? Am I missing some configurations here. Please let me know setup steps to achieve this functionality in desired manner.
  Query 2:
  Created a prototype using RIDC to create a folder programmatically and assigning RAL to the created folder
          DataBinder requestData = client.createBinder();
          requestData.putLocal("IdcService", "FLD_CREATE_FOLDER");
         requestData.putLocal("fParentGUID", getFolderGUID("/"));
          requestData.putLocal("fFolderName", "TestFolder");
          requestData.putLocal("xClbraRoleList", ":Deployers(RW)");
          ServiceResponse  updateResponse = client.sendRequest(connectionContext, requestData);
  Observation
  Folder got created successfully, but 'Deployers' Role not assigned under Role access list.
  Query 3:
  Created a prototype using RIDC to assign enterprise roles to the existing folder
          DataBinder requestData = client.createBinder();
          requestData.putLocal("IdcService", "FLD_EDIT_FOLDER");
          requestData.putLocal("fFolderGUID", getFolderGUID("/TestFolder"));
          requestData.putLocal("path", "/TestFolder");
          requestData.putLocal("xClbraRoleList", ":Deployers(RW)");
          ServiceResponse  updateResponse = client.sendRequest(connectionContext, requestData);
  Observation
  Role got associated with folder under Metadata section, whereas folder information section does not contain the reference of updated role e.g. Edit Folder Information section on WCC UI not showing the added role, whereas Edit Metadata values section of UI showing this role.
  Please suggest what I'm missing in configuration/code and appropriate way to achieve the functionality.
  Thanks.

  Thanks Jonathan!!
  Query 2 and 3 answered by this setting and it worked fine.
  Could you please also assist on Q.1
  Query 1:
  Created new folder and associate enterprise roles under Role access list
  1. Created a new folder 'MyFolder' with Security group 'Secure', owner 'weblogic'.
  2. Assigned Role 'Deployers' under Role Access List with RW permissions.
  3. In Admin console, associated user 'jcooper' with 'Deployers' group and 'jausten' with no group.
  4. Logged in using 'jcooper' and able to assess 'Myfolder'.
  5. Logged in using 'jausten' and also able to assess 'MyFolder'
  Observation
  Since user 'jausten' is not associated with 'Deployers' group, how can 'jausten' access the folder?
  Am I missing some config?

• Moving ACL from a 3700 to 6509

  I have a 3700 router connected to 3 partner networks. One of the interfaces on the 3700 is connected to my core network. I have an ACL on this interface to block all unnecessary traffic. I am giving this router to a partner so I need to apply this ACL to all traffic heading to this router. The problem is the router and core network on the 6500 are the same. So if I apply it to the core network VLAN it won't work. Is there anything I can do beside creating a VLAN for the link between the 3700 and 6509. I would have to change all my route statements plus this would involve downtime and this is a production network.
  Any help would be appreciated.
  Thanks,
  Wayne

  you can always copy them to the sim in the 9500 then insert it in the 6233 and transfer it from the sim to the phone's memory, or you can use pcsuite.
  everything happens for a reason
  check out my blog @ http://mycellife.blogspot.com/

• Finder's Nasty Inherited ACL Bug (aka Error -41)

  CNET, MacFixit, and a few other technical blogs recently reported on an apparent ACL issue which seems to have existed in OS X Snow Leopard since OS X 10.6.0, but has gotten particularly bad in OS X 10.6.5, 10.6.6, and 10.6.7 (both client and server versions). The symptom is that when inherited ACLs are present in an OS X 10.6.x system, it's possible to overflow the ACLs with "crud" (unwarranted extraneous ACEs) by performing simply copy / clone operations in the Finder, AppleScript and other "Finder-like" programs that can eventually overflow the 128 entry limit per ACL.
  In reading the original posters postings (www.brunerd.com/blog/2011/03/22/finders-nasty-inherited-acl-bug-aka-error-41/ and openradar.appspot.com/9160099) I got really worried about our production OS X servers, but after some experimentation discovered a happy accident: it’s quite easy to overflow ACLs when performing repeated copy or duplicate operations on folder hierarchies on locally attached filesystems (whether attached on a client or server), but in actually it's much harder to make that happen with AFP-mounted filesystems having to do with a slower growth curve of the "crud" that develops as users copy / duplicate folders.
  Since ACLs tend to be fairly rarely deployed on OS X client systems, you also don't tend to run into the problem (I point out Drop Boxes as a possible exception), but IT administrators can run into this problem quite easily when cloning fairly deep server-side folder hierarchies in the Finder on an OS X Server.
  If your users are encountering "Finder -41" errors when performing seemingly simple operations in the Finder, this type of ACL overflow may be explanation. You might want to read up on the thread developing at www.brunerd.com/blog/2011/03/22/finders-nasty-inherited-acl-bug-aka-error-41/ for further details.

  This has been an ongoing issue since 10.6.5. See this thread: http://discussions.apple.com/thread.jspa?threadID=2686643&tstart=0
  The only real fix is to downgrade the clients to 10.6.4. What I've been doing is reapplying the ACL's from the server admin tool after each tape rotation. That way I'm not using up extra tapes since NetVault will back up the files again if the ACL has changed. The other thing I have some users doing is opening up the file they want to copy and doing a save as to the destination. That way doesn't seem to duplicate the permissions.

• Windows azure paas acls

  I am following  http://blogs.msdn.com/b/walterm/archive/2014/04/22/windows-azure-paas-acls-are-here.aspx  to add acls to my web and worker roles.
  Quetions
  1. If add only few IP address as allowed for end point then accos to that end point is blocked for rest of the world, correct ?
  2. How access controls I can add? I have list of 200+ different IP address for permit list.

  Hi,
  >>1. If add only few IP address as allowed for end point then accos to that end point is blocked for rest of the world, correct ?
  I agree with you, if you set the acls, the users out of your rules will not access the endpoint.
  >>2. How access controls I can add? I have list of 200+ different IP address for permit list.
  Please read this snippet from the article you provided.
  As with IaaS ACLs, PaaS ACLs allow you to do the following:
  Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint
  Blacklist IP addresses
  Create multiple rules per virtual machine endpoint
  Specify up to 50 ACL rules per virtual machine endpoint
  Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
  Specify an ACL for a specific remote subnet IPv4 address
  As far as I know, we only could set 50 acl rules, 200+ different is too more, so it is not suitable for this scenario.
  Best Regards,
  Jambor
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• ACL change report

  Hi Everyone,
   I'm trying to create powershell script which would alert when ACL changes are made to shares, folders and subfolders running on multiple servers   
  What I have so far kind of works, I'm getting ACL report fine but how would I correctly diff ACL report from previous day withe current ACL report? When I do compare-object I'm getting permissions changed listed value without path.  Here is what I have:
  $shares = "C:\scripts\dirs.txt"
  $ref = "C:\scripts\ref.csv"
  $refchanged = "C:\scripts\ref.txt_$date"
  $curracl = "C:\scripts\curracl.csv"
  $date = get-date -uformat "%y%m%d.%H%M%S"
  $output = "C:\scripts\result.txt"
  gc $shares | % {
          $folder = $_
          $folders = Get-ChildItem -path $folder -force -recurse | Where {$_.PSIsContainer}
     $dirs = $folders
              ForEach ($d in $dirs)
  get-acl -path $d.FullName | format-list -Property  path, accesstostring |  | Out-file -Append $curracl
  $diff = compare-object -referenceobject $(get-content $ref) -differenceobject $(get-content $curracl) | fl | Out-file "C:\scripts\diff.txt"
  $result = (gc C:\scripts\diff.txt)
  Also, when I export to csv I'm getting permissions listed only for one user, the user listed first in directory ACL.  
  What am I missing here?

  Hi,
  When open the CSV, what it looks like? There should be two colum, one is path, another is accesstostring.
  I run below command, got two colums:
  get-acl e:\test | select path, accesstostring | export-csv e:\result.csv
  Please also go through the below article to audit permissions using powershell:
  Audit File Server Permissions Using PowerShell
  http://blogs.technet.com/b/zarkatech/archive/2012/01/14/audit-file-server-permissions-using-powershell.aspx
  Hope this helps.
  Regards,
  Regards, Yan Li

• LDAP Authintication invalid ACL

  Dear All,
  i am using apex 4.2 with latest apex listner,oracle database 11g R2 64 bit, windows 7, internet explorer 9.
  i want to configure ldap authintication.
  i am following the following blog
  http://ruepprich.wordpress.com/2012/11/02/ldap-authentication-with-apex/
  i am stuck with the following line
  l_principal VARCHAR2(30) := 'APEX_040100'; -- upper case
  i have created the same trigger like below
  DECLARE
  l_acl VARCHAR2(100) := 'ldapacl2.xml';
  l_desc VARCHAR2(100) := 'LDAP Authentication for ldap.hctsrvpdc01.hct.org';
  l_principal VARCHAR2(30) := 'APEX_040100'; -- upper case
  l_host VARCHAR2(100) := 'ldap.hctsrvpdc01.hct.org';
  BEGIN -- Create the new ACL. -- Also, provide one starter privilege, granting the schema the privilege to connect.
  dbms_network_acl_admin.create_acl(l_acl, l_desc, l_principal, TRUE, 'connect'); 
  -- Now grant privilege to resolve DNS names. 
  dbms_network_acl_admin.add_privilege(l_acl, l_principal, TRUE, 'resolve'); 
  -- Specify which hosts this ACL applies to.
  dbms_network_acl_admin.assign_acl(l_acl, l_host); 
  COMMIT;
  END;
  but when i run it from sysdba, it give the following error
  ERROR at line 1:
  ORA-44416: Invalid ACL: Unresolved principal 'APEX_040100'
  ORA-06512: at "SYS.DBMS_NETWORK_ACL_ADMIN", line 252
  ORA-06512: at line 7
  how to fix this issue? what is the   l_principal VARCHAR2(30) := 'APEX_040100';??? how could i sure it is  APEX_040100?
  Regards.

  thank you christian,
  but it give a new error now, actually i have configured ldap long before on this dataabse.
  the error is below.
  ERROR at line 1:
  ORA-31003: Parent /sys/acls/ already contains child entry ldapacl.xml
  ORA-06512: at "SYS.DBMS_NETWORK_ACL_ADMIN", line 252
  ORA-06512: at line 7
  kindly guide for workaround.
  regards.

• Blog alias corrupting metadata.plist

  Has anyone encountered an issue with the blog engine incorrectly redirecting from a user's alias to their account name? When someone tries to read a blog from an alternate alias, it does not redirect but instead it removes the weblog string in the metadata.plist in /Collaboration/Users/~ which renders the blog unavailable. I either have to manually edit the plist or have the user "create my blog" to correct this.
  This only affects users with multiple aliases and the users ACLs are enabled in server admin for the blog service.

  Hi,
  we have the problem of disappearing blogs as well - till now I had no idea whats going on. I can confirm, that logging on to the wiki with an alternate username (alias) removes the weblog string and the blog becomes invisible.
  We do not have to define any ACLs for blog service to see this behavior.
  Regards,
  Matthias

• Hyper-V port ACLs not accepted from VMM

  I am trying to centrally manage all my port ACLs for VM net adapters from VMM but I am not able to run the command.
  I try to run the command from"Add-VMNetworkAdapterExtendedAcl"SCVMM
  PowerShell terminal:
  PS C:\Users\Administrator> Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Direction "Outbound"
  80 "TCP" -Weight 1 -Stateful $true
  And get the following:
  Add-VMNetworkAdapterExtendedAcl : The cmdlet cannot find a specified class. Verify that the relevant feature is
  enabled on the operating system.
  At line:1 char:1
  + Add-VMNetworkAdapterExtendedAcl -VMName "Web-VM1" -Action "allow" -Directio ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : NotSpecified: (:) [Add-VMNetworkAdapterExtendedAcl], VirtualizationOperationFailedExcept
     ion
      + FullyQualifiedErrorId : Microsoft.HyperV.PowerShell.Commands.AddVMNetworkAdapterExtendedAclCommand
  Any ideas?
  SamG

  Hi SamG,
  Agree with the others .
  Also you can use powershell "Enable-PSRemoting -force" on destination hyper-v server (The system will prompt you to confirm some settings during
  the setup. Select A for Yes to All to confirm all of them.).
  Then on your local computer run the follow powershell :
  $cred = Get-Credential -Credential xxxxxx\administrator
  (you need to enter the user name and password of the remote computer)
  Enter-PSSession -ComputerName xxxxxx -Credential $cred
  After that , maybe you can remote use powershell .
  For details please refer to following links:
  http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/17/learn-how-to-manage-remote-powershell-sessions.aspx
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• ACLs keep coming up in repair permissions

  I run disk utility regularly - now in Lion there keep hundred of messages coming up "ACL was found but not expected", from iChat.app to CoreServices to AppleHDA.kext - Disk Utility reports fixes but obviously does not because the next time the same happens again....
  Any ideas - thanks in advance!

  Has anyone found a more permanent fix than reinstalling OSX?   Reinstalling 7.1 from the USB stick/Internet solved these permission problems for me for about three or four days, but they've started coming back.  I tried PathFinder but according to these it shares the same problem with the Finder: 
  http://openradar.appspot.com/9160099
  http://www.brunerd.com/blog/2011/03/22/finders-nasty-inherited-acl-bug-aka-error -41/