BPC 7.5 - Domain User Group Not Work - Configuration Server Manager

Hi Guys,
I installed BPC 7.5 from NW. From the PC client it only works OK with the same user OWNER the BPC .NET. In Server Manager -> Option -> Define Systems User Group, I added the following data:
- System user group name= Domain Users
- Domain Type=Active Directory
- Domain Name = BAIRES
Is the syntax correct, or do I need to use the form OU=xxxx?
Thanks.

OK, thanks. Now I have another problem: I need to add users from different domains. How do I configure this?
Tks

Similar Messages

  • Batch Risk Analysis in Full Sync mode with special user groups not working

    Dear All,
    we start the Batch Risk Analysis job in Full Sync with special user groups (use Range). In the job log I can see that it selects fewer users than in jobs before. But after everything is finished (also the management job), when I go into Informer, it also shows me the user groups I have not analysed in the background job. It also shows me in the detailed analysis the date from a run before. And we have deactivated some risks; these are still in the analysis.
    Does anyone have information for me about what is wrong here?
    Best Regards
    Gabriele Herr

    too old..

  • Primary Domain Controller Time not working (Windows Server 2008)

    Hi there, I'm trying to set up my PDC with an external
    before you say anything I have checked other thread and none of them helped and please do not suggest OS upgrades, we don't have the budget for that
    we have 4 DC servers (not the real names)
    DC1-Site1 (PDC), DC2-Site1, DC1-Site2 & DC2-Site2
    All the other DCs and all the machines pick up the time from DC1-Site1, but this is out of sync with NTP
    I've set DC1-Site1 to look at 0.uk.pool.ntp.org, 1.uk.pool.ntp.org, 2.uk.pool.ntp.org and 3.uk.pool.ntp.org using w32tm (yes i was running command prompt as administrator)
    I am using a physical server not a virtual server
    I have checked all the registry keys and they are correct, but when I do w32tm /monitor it is pointing to itself
    I have tried creating a GPO for the PDC and this is being applied when I check with gpresult /r but this still doesn't sync the time with the NTP server
    when I do w32tm /stripchart my PDU is +53.4 seconds out of sync with 0.uk.pool.ntp.org
    it's not the firewall as the PDU can connect to 0.uk.pool.ntp.org on the correct port
    C:\Windows\system32>w32tm /stripchart /computer:0.uk.pool.ntp.org /samples:10 /dataonly
    Tracking 0.uk.pool.ntp.org [130.159.196.118:123].
    Collecting 10 samples.
    The current time is 16/05/2014 14:18:39.
    14:18:39, +53.4132568s
    14:18:41, +53.4028126s
    14:18:43, +53.4034405s
    14:18:45, +53.4033245s
    14:18:47, +53.4026014s
    14:18:49, +53.4091998s
    14:18:51, +53.4024996s
    14:18:53, +53.3945750s
    14:18:55, +53.4022851s
    14:18:57, +53.4021697s

    The PDC Emulator in the forest root is the only one that you sync with an outside source, and the source can be your own internal, 3rd party time service not running on a joined machine, or an external source such as US Navy servers, etc. All other DCs in the entire forest, no matter what domain or tree, are set to sync from the hierarchy.
    For the most part, just following the steps in my blog should help for the PDC and all other DCs. I thought I laid out the steps pretty clearly, since I put it together for someone else to follow at a major, enterprise environment, and they've found it successful.
    So I'm not sure what you mean by "...primary DC time server service information not save or it will save then revert back to looking at itself?"
    If the PDC or any other DC have problems with the time service and the steps in my blog don't help, or any other service, the cause may be rooted elsewhere. To determine that would require config info including an ipconfig /all from each DC, event log errors in the various AD logs and System logs, site design, number of domains in the forest, and more.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    basically when I run the command it says it ran successfully, but when I do w32tm /monitor it says the server is pointing to local, and it is still 53 seconds out of sync with the specified time servers when I do w32tm /stripchart /computer:0.uk.pool.ntp.org

  • SCCM Compliance Targeted to User Group Not Working

    Due to the limitation in SCCM on working directly with DLs, I have found a work around that is posted in following blog
    http://myitforum.com/myitforumwp/2012/02/11/collection-based-on-distribution-lists-2/
    I tried to take this approach to deploy a compliance baseline setting but it does not seem to be doing anything. It's been nearly 2 days but the users in the DL are not getting any settings. The DCM baseline is targeted to an AD security group that has the DL as its member.
    Does anyone know if it's never going to work or it's now just a waiting game? I have been waiting over 24 hours and logged on and off several times with the user account but with no luck.

    ** Resolved **
    I used following query which populated collection with users from desired DL and finally users got their DCM policy.
    select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName like "%ConfigMgr_Compliance%"
    Note: the DL is member of ConfigMgr_Compliance Security group.

  • Cannot delegate Reporting Services Web access to domain user / group, User does not have required permissions

    Hi
    I have an SCCM 2012 SP1 CU3 installation on a Server 2008 R2 + SQL 2008 R2.
    I'm having trouble delegating Reporting Services Web Access to a standard domain user.
    I have followed the instructions from these blogs:
    http://blog.coretech.dk/kea/creating-the-reporting-user-role-in-configmgr-2012/
    http://www.wolffhaven45.com/blog/sccm/assigning-users-to-configmgr-reportusers-group-in-sccm-2012/
    No matter how I try, I cannot get the reports to show for a standard domain user. In the console no reports are showing and in the web access I get
    "User domain\user does not have required permissions........"
    The only thing that is consistently working when I test is to put the AD Group on the Security Role "Full Administrator".
    Then everything will show up.
    Any ideas on how to troubleshoot this?

    Thanks everyone for helping me with tips. I have now solved the problem. It was the permissions from SCCM that did not replicate to the Reporting Server.
    In srsrp.log I got these error messages:
    Could not retrieve the reporting service name for instance 'MSSQLSERVER'
    Invalid class
    Could not stop the reporting service
    After googling a little I found these 2 sites with similar problems:
    http://social.technet.microsoft.com/Forums/en-US/d4a7f93a-506f-4e3f-b5fc-bd2b087277da/ssrs-permissions-do-not-add?forum=configmanagergeneral
    http://www.microtom.net/microsoft-system-center/software-distribution/sccm-2012-reporting-services-do-not-install
    So I ran the command for SQL 2008 R2: mofcomp.exe "C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqlmgmproviderxpsp2up.mof"
    and BAAM, everything started to work =)
    /ALX

  • "Domain Users" group in Active Directory does not belong to any Group Membership in LC

    Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
    Any way to correct this issue, without changing group membership on AD side?
    If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
    Thanks.

    If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
    Coming back to the Domain Users group. For determining group membership in AD, UM uses the "member" attribute of the group object. The "Domain Users" group is treated differently by AD. It is the default primary group for all the users and normally members of the primary group are not specified using the member attribute. So when we sync the data from AD, "Domain Users" membership does not get completed.

  • Active Directory Groups - Domain Users Group

    Using the AD resource adapter, I am able to assign groups and remove groups, but I noticed that the Domain Users group does not appear in the list of groups the user belongs to. Looking at AD the user does belong, but in IDM it does not list this group membership. Is this normal?

    Thanks for the reply. I noticed there are quite a few issues with trying to UNC map to any share outside of the local MXE3500. I'm also seeing some issues with FTP watches on an EMC NAS that has been FTP enabled. The problem I'm seeing now is that the watch will only work if the watch is at the root level. If I add a file path, it's accepted as valid when I save the directory watch, but looking at the fa.log it's appending the last directory on twice.
    So if my watch is looking at FTP Directory Path of: lifelink
    The fa.log shows: .../lifelink/lifelink/
    the word lifelink is displayed twice, causing an error, stating: "Error checking file size delay"
    thanks,
    Dave

  • Can I get the members of Domain Users group (AD specific) with JNDI?

    Hi All,
    I've found these forums very helpful and full of great information, I've been able to retrieve all members of groups that I search for (from the information on this forum), and get the member's attributes such as email addresses through that.
    The question I have is, is there a way to query the Domain Users group, since it's a special group in Active Directory, and retrieve the members of it? So far I have been unsuccessful. Here's a query I found that works on .Net:
    (|(&({ClassFilter})(memberOf={GroupDistinguishedName}))(distinguishedName={GroupDistinguishedName}))
    I haven't been able to get it to work with JNDI however. Can anyone point me in the right direction?
    thanks,
    Matt

    It's not so much that the Domain Users is a special group, it's more that because by default, all users have their Primary Group set to Domain Users, that it appears to behave differently.
    So the query that you're trying to execute via JNDI, would be something like:
    String searchFilter = "(&(objectClass=user)(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com))";
    And of course if everything has been left to defaults, it doesn't return any results.
    Similarly if you look at the member attribute of Domain Users, it will be empty.
    Assuming the defaults, and every user's Primary Group is set to Domain Users, the following query would return all the users whose primary group is Domain Users:
    String searchFilter = "(&(objectClass=user)(PrimaryGroupID=513))";
    Note that 513 is the Relative ID (RID) for Domain Users.
    Now if you set a user's Primary Group to be something other than Domain Users, then the Domain Users group would now have a value for its member attribute and conversely the respective user would now have Domain Users as one of the values of their memberOf attribute.
    So then your query would be something like:
    String searchFilter = "(&(objectClass=User)(|(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com)(PrimaryGroupID=513)))";
    I guess the fundamental question is why do you need to determine which users are members of Domain Users?
    If this is for use in an application, where the user has authenticated and you are using group membership to make authorisation decisions, perhaps the constructed tokenGroups attribute may be more useful as it contains the Security Identifiers (SID) for all the groups the user is a member of?
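
Added example (not code from the thread or from any poster): the primary-group behaviour described in the answer above, worked offline in Python over constructed directory entries. The domain SIDs, DNs and helper names are assumptions for illustration; it goes one step beyond the thread by also matching the user's domain SID, because primaryGroupID is a RID relative to the user's own domain.

```python
import struct

def sid_to_bytes(sid):
    """Encode a string SID (S-1-5-21-...) into the binary objectSid layout."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_from_bytes(raw):
    """Decode a binary objectSid; sub-authorities are little-endian 32-bit."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed objectSid")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    head = "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big"))
    return head + "".join("-%d" % s for s in subs)

def split_sid(raw):
    """Return (domain SID, RID) for an account or group objectSid."""
    domain, rid = sid_from_bytes(raw).rsplit("-", 1)
    return domain, int(rid)

def escape_filter_value(value):
    """RFC 4515 escaping so a DN with ( ) * \\ cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def membership_filter(group_dn, group_sid):
    """Filter matching explicit members and primary-group members."""
    _, rid = split_sid(group_sid)
    return "(&(objectClass=user)(|(memberOf=%s)(primaryGroupID=%d)))" % (
        escape_filter_value(group_dn), rid)

def members_by_attribute(entries, group_dn):
    """What a tool sees if it only reads the group's member attribute."""
    group = next(e for e in entries if e["dn"] == group_dn)
    return set(group.get("member", []))

def effective_members(entries, group_dn):
    """member attribute plus users whose primary group is this group."""
    group = next(e for e in entries if e["dn"] == group_dn)
    domain, rid = split_sid(group["objectSid"])
    found = set(group.get("member", []))
    for e in entries:
        if "primaryGroupID" not in e:
            continue
        user_domain, _ = split_sid(e["objectSid"])
        # The RID only means "this group" inside the same domain.
        if user_domain == domain and e["primaryGroupID"] == rid:
            found.add(e["dn"])
    return found

# Constructed sample data (two made-up domains, not taken from the page).
DOM_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOM_B = "S-1-5-21-1000000001-1000000002-1000000003"
GROUP_DN = "CN=Domain Users,CN=Users,DC=example,DC=test"
ALICE = "CN=alice,CN=Users,DC=example,DC=test"
BOB = "CN=bob,CN=Users,DC=example,DC=test"
SVC = "CN=svc-backup,CN=Users,DC=example,DC=test"
CAROL = "CN=carol,CN=Users,DC=child,DC=example,DC=test"
ENTRIES = [
    {"dn": GROUP_DN, "objectSid": sid_to_bytes(DOM_A + "-513"),
     "member": [SVC]},  # only the non-primary member is listed
    {"dn": ALICE, "objectSid": sid_to_bytes(DOM_A + "-1104"),
     "primaryGroupID": 513},
    {"dn": BOB, "objectSid": sid_to_bytes(DOM_A + "-1105"),
     "primaryGroupID": 513},
    {"dn": SVC, "objectSid": sid_to_bytes(DOM_A + "-1106"),
     "primaryGroupID": 1200},  # primary group changed to a custom group
    {"dn": CAROL, "objectSid": sid_to_bytes(DOM_B + "-1104"),
     "primaryGroupID": 513},  # Domain Users of the *other* domain
]

if __name__ == "__main__":
    print(membership_filter(GROUP_DN, ENTRIES[0]["objectSid"]))
    print(sorted(members_by_attribute(ENTRIES, GROUP_DN)))
    print(sorted(effective_members(ENTRIES, GROUP_DN)))
```
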
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

  • Domain Users are not able to log in to Domain Computers - Administrators are able to do so

    I have a Primary Domain Controller and a Secondary one. The users can log in to both as I have changed the local policy to allow Domain users to log in.
    But I am having a problem with users who cannot log in to computers joined to the domain. I noticed that ONLY Administrators are allowed to log in locally in the policy, and if I want to add users, I will not be able to do so as Adding Users or Group is disabled.
    Advice is appreciated.

    Hi,
    Please follow the below steps for checking whether either "Allow Logon Locally" or "Deny Logon Locally" is enabled in the default policy,
    1. Go to start -> run -> type GPMC.MSC, to open Group Policy Management Console.
    2. In the Group Policy Management Console, right click and edit the default policy and navigate to the node "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment".
    3. In the "User Rights Assignment" node, check whether the options "Deny log on locally" or "Allow Logon Locally" are defined and groups added to those options to confirm the logon problem of domain users.
    NOTE: Also check the local policy, as you have mentioned "I have Primary Domain Controller and Secondary one, The users can log in to both as I have changed the locally Policy to allow Domain users to log in."
    Regards,
    Gopi
    www.jijitechnologies.com

  • Domain Users Group is a Protected Group on the Domain

    I'm having an issue where I set some permissions for a particular user's mailbox, but when I come back later the permissions have been removed. I have done some digging around and I believe the issue is a result of the Domain Users group being protected, which has led me to the AdminSDHolder object in the System OU. Does anyone know if it is possible to amend the security permissions, so that the group is no longer protected, as it is causing some major issues for me.
    Any suggestions would be appreciated
    Thanks in Advance

    I just want to add to make sure that the user is not part of another group that may be nested in another group that is protected.
    I had that issue with a customer, a police dept, after I migrated them to Exchange 2010 when some, but not all users, had issues with their mobile devices accessing Exchange ActiveSync. I found it was previously created users and not new users, that had the problem. They had a number of users in administrative groups when they had one server that was a DC (previously SBS), and everyone in the organization had access to it, which required users to have administrative rights, at least that's how they did it back then by the previous administrator, to provide them local logon rights.
    With the help of a tool from Joe Richards, I had to hunt down each nested administrative group the users were in to remove them or change the AdminCount attribute to 0 before setting to allow inheritance otherwise it would set itself back when AdminSDHolder runs every hour.
    This was all discussed in the following TechNet thread:
    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/269e0ab2-6e65-4001-abcb-3c89f6f938fd/issues-with-adminsdholder?forum=winserverDS
    Also, take a look at this PW script that is supposed to look for all of that, at least that was my last discussion with the author mentioning that each group that a user is part of must be checked, when he posted the script to the ADDS group in FB (https://www.facebook.com/groups/ADDSForum/):
    Exchange Checkbox of Doom
    http://www.dexterposh.com/2014/12/powershell-exchange-checkbox-of-doom.html
    Ace Fekay
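
Added example (not Joe Richards' tool, not the linked PowerShell script, and not code from this thread): the nested-group hunt described in the reply above, as a Python sketch over a constructed group graph. The group and user names, the adminCount values and the short list of protected groups are assumptions for illustration; it separates accounts that would be re-stamped on the next AdminSDHolder pass from accounts whose adminCount is only a leftover.

```python
from collections import deque

# A subset of the default protected groups, enough for the sample data.
PROTECTED = {"Domain Admins", "Administrators",
             "Backup Operators", "Print Operators"}

# Constructed sample: group -> direct members (users or other groups).
MEMBERS = {
    "Administrators": ["Domain Admins", "Server Team"],
    "Domain Admins": ["admin1"],
    "Server Team": ["Helpdesk", "dave"],
    "Helpdesk": ["erin", "Server Team"],  # cycle back to Server Team
    "Print Operators": ["frank"],
    "Sales": ["gina", "erin"],
}

# Constructed sample: adminCount as read from each user object.
ADMIN_COUNT = {"admin1": 1, "dave": 1, "erin": 1,
               "frank": 1, "gina": 1, "hal": 0}

def parents_of(members):
    """Invert the membership map: principal -> groups it is directly in."""
    up = {}
    for group, kids in members.items():
        for kid in kids:
            up.setdefault(kid, set()).add(group)
    return up

def protected_paths(principal, members, protected):
    """Breadth-first walk up the nesting; one shortest path per protected
    group reached. The seen set makes membership cycles harmless."""
    up = parents_of(members)
    paths, seen = [], {principal}
    queue = deque([[principal]])
    while queue:
        path = queue.popleft()
        for parent in sorted(up.get(path[-1], ())):
            if parent in seen:
                continue
            seen.add(parent)
            new_path = path + [parent]
            if parent in protected:
                paths.append(new_path)
            queue.append(new_path)
    return paths

def triage(admin_count, members, protected):
    """For every user with adminCount=1: the membership chains that keep it
    protected, or "stale" when no protected group is reachable."""
    report = {}
    for user, count in sorted(admin_count.items()):
        if count != 1:
            continue
        paths = protected_paths(user, members, protected)
        report[user] = paths if paths else "stale"
    return report

if __name__ == "__main__":
    for user, result in triage(ADMIN_COUNT, MEMBERS, PROTECTED).items():
        if result == "stale":
            print(user, "-> stale adminCount, no protected group reachable")
        else:
            for path in result:
                print(user, "->", " -> ".join(path[1:]))
```

Accounts reported with a path have to leave that chain first; resetting adminCount and inheritance on them alone is undone on the next pass, as the reply describes.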

  • Allowing the domain users Group to SCCM 2012 Remote Control

    Hi There,
    been working on this issue for the last few days now and it's frustrating the crap out of me. My company has requested for all Domain users to be allowed to Remote Control to everyone's computer. This is so that users will be able to show each other how to use in house application. In SCCM 2012 console, I've added the Domain users to the Permitted viewer tab. I've also added the domain user group to the administrative user section, added the Remote operator role and assigned the ALL security scope to it. On another machine, I run the CMRCviewer to this machine and it prompts for username advising me the one I provided isn't authorized. When I check on the targeted machine, I can see domain users populated in the ConfigMgr remote control user group
    It seems only domain admins have rights to Remote control in. I've only got one client setting defined (default policy).
    the interesting thing is the following layout
    WINDOWS XP ---> WINDOWS 7      prompts for username
    WINDOWS 7 -----> WINDOWS XP  works
    WINDOWS XP -----> WINDOWS XP  works
    WINDOWS 7 ------> WINDOWS 7     prompts for username

    Hi Dave,
    1) yes domain users is part of the "configMgr remote control users". CMRCSERVICE.log shows the following
    === Starting security handshake ===
    CmRcService
    11/03/2013 10:44:29 AM
    4808 (0x12C8)
    HandshakeWorker failed.. 
    The logon attempt failed (Error: 8009030C; Source: Windows)
    CmRcService 11/03/2013 10:44:29 AM
    4808 (0x12C8)
    Security filter server: DoHandshake failed.. 
    The logon attempt failed (Error: 8009030C; Source: Windows)
    CmRcService 11/03/2013 10:44:29 AM
    4808 (0x12C8)
    m_pSecFilter DoHandshake() failed. CmRcService
    11/03/2013 10:44:29 AM 4808 (0x12C8)
    DoHandshake failed on server side. 
    The logon attempt failed (Error: 8009030C; Source: Windows)
    CmRcService 11/03/2013 10:44:29 AM
    4808 (0x12C8)
    Failed to do Handshake in Server. 
    The logon attempt failed (Error: 8009030C; Source: Windows)
    CmRcService 11/03/2013 10:44:29 AM
    4808 (0x12C8)
    Failed to create security context.. Security Handshake failed.
    The logon attempt failed (Error: 8009030C; Source: Windows)
    CmRcService 11/03/2013 10:44:29 AM
    4808 (0x12C8)
    Failed to validate Security requirement.. 
    The logon attempt failed (Error: 8009030C; Source: Windows)
    CmRcService 11/03/2013 10:44:29 AM
    4808 (0x12C8)
    Failed to complete the RDP connection.. 
    The logon attempt failed (Error: 8009030C; Source: Windows)
    CmRcService 11/03/2013 10:44:29 AM
    4808 (0x12C8)
    i've confirmed this user is part of domain users as well.

  • Response Groups not working

    Hi there
    My environment is a single Lync 2013 Front End Server installed on Server 2012.
    It has worked for a year and now we want to use some response groups. I created 2 of them and everything seems fine but I can't call these groups. Not from internal and also not from external.
    The clients show a 500 internal server error with ID 26017.
    So I traced the whole thing on the Front End Server. It seems the Response Group Service can't work with the local SQL Server. I see three error messages.
    1. TL_ERROR(TF_COMPONENT) [2]0B90.37A8::07/23/2014-06:38:39.119.000002fb (RgsClientsLib,MatchMakingLocator.GetActiveInstanceFromDB:683.idx(479))
    (0000000000150BA8)No instance registered as the active instance!
    2. TL_ERROR(TF_COMPONENT) [1]1E08.2910::07/23/2014-06:38:42.462.00000a34 (RgsHostingFramework,CallControlManager.HandleAudioVideoCall:2049.idx(619))
    (000000000362D054)Call is declined because Call Control is not started.
    3. TL_WARN(TF_COMPONENT) [1]0B90.0B7C::07/23/2014-06:38:48.053.00000f2d (RgsClientsLib,MatchMakingLocator.GetActiveMatchMakingInstance:683.idx(301))
    (0000000000150BA8)There is currently no active MatchMaking instance in the pool.
    The Lync Server Event Log shows this error when the Response Group Service starts:
    LS Response Group Service ID 31067
    Lync Server 2013, Response Group Service Match Making could not find the Contact object used for subscribing to agents' presence.
    Cause: The application has not been properly activated or the Contact object was deleted.
    Resolution:
    Deactivate and then activate the application for this pool.
    Is there a way to reinstall / reconfigure the whole response group service incl. the active directory objects?
    I hope somebody could help
    Regards
    Andreas

    Have you seen this thread:
    http://social.technet.microsoft.com/Forums/lync/en-US/cd25ddec-6e1e-4d58-9a9a-a530abfa82e3/response-groups-not-working?forum=ocsclients ?
    He ran Get-CsApplicationEndpoint and received a warning that led him to a resolution.
    Short of that, I'd rerun step 2 in the deployment wizard and restart services when you can to see if I could jog anything loose.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • The Notification Center Yosemite primary user does not work in my Macbook pro and the other users if it works.

    The Notification Center Yosemite primary user does not work in my Macbook pro and the other users if it works. How can I fix it?


  • SLD connection user/password not working.

    Hello friends,
    I am a newbie in SAP Netweaver.
    I installed SAP Netweaver for java.
    Now I want to connect it with BAPI from SAP.
    So, somewhere I am stuck with SLD. I opened Visual Administrator and there is nothing there to connect.
    I also tried http://localhost:50000/sld but my user/password is not working.
    1. What to do to see/get username/password for SLD?
    2. How to connect netweaver to access SAP ZBAPI?
    Regards,
    RH

    Hi Ronny.
    Where is your UME running? On the java engine, on an ABAP system or at a LDAP?
    What I want to say is that your user has to gain the rights to connect to the SLD. The easiest way is to give you admin rights - to do that you have to know where your userstore is running....
    I am not sure if this is correct http://localhost:50000/sld
    Normally it should look like http://my.sap.com/56600/sld where my.sap.com is a fqdn and 56600 is the port of the java engine. 66 is the system number of the as java.
    ZBAPI? I do not really know but I think you have to use a jco to connect...
    regards,
    Martin

  • ESSO - Default Domain Credentials Sharing group not working

    Hello people!
    Problem Description:
    Customer is not able to get the default domain sharing group
    working after enable the feature through global agent settings
    Desired Behavior: Once the AD password changed through Control
    Alt Del or a forced password change through AD admin console.
    Steps to Duplicate:
    1) Install ESSO
    2) Create one or two app template and put them into the "Domain
    Credentials sharing group.(Make sure "Enable" the feature of
    Credentials sharing group feature from the global agent settings
    3) on the client side, let the user logons to the workstation
    4) Add that created one or two templates with credentials(username and
    password)
    5) Change the user AD password through Control Alt Del
    6) After password changed, go to reveal the one or two apps
    7) Password not updated.
    Thanks!

    More information about this problems in IBM forums.
    http://www-01.ibm.com/support/docview.wss?rs=3049&context=SS9JLE&dc=DB550&uid=swg1IZ05678&loc=en_US&cs=UTF-8&lang=en&rss=ct3049tivoli
    Has anyone had this problem?
    Is there a patch to fix this?
    Thanks!
